Monday, November 04, 2013

Gain RELIEF with future proof security

I wrote an article for SCMagazine that was published in late October. Unfortunately, since more than 7 days have passed, it now sits behind a registration wall (which I believe is free, but still requires effort on your part). It was originally titled: "Holistic security heals your cloud and mobility symptoms", but the editor decided the current one worked better.

For those that don't feel like registering to read the article, the RELIEF acronym in the title spells out:

  • Resources – What are you trying to protect? This is almost always going to be information. Often, IT departments classify the applications housing information as resources, but without the information, applications do not need to be protected. The classification of data needs to be considered here as this has a bearing on access control policies.
  • Entry – How is each resource accessed? Through an application? Database? As a text file on a file server? Do the access control policies and enforcement mechanisms cover all the combinations and can they be easily managed? Where are the blind spots? Where is access not enforced?
  • Locations and time – Where are these resources located? On-premise? In the cloud? Where are resources accessed from? Can people access a resource when they are outside the office? When can they access these resources?
  • Identity – Who is accessing corporate resources? Can access be tied back to a single individual or is the audit trail ambiguous? Can you enforce access based on who the person is? Are the monitoring mechanisms able to understand identities?
  • Exit – How can information leave the organisation? What are the allowable circumstances and combinations where this can happen? Can this be enforced or at the very least monitored? Are there blind spots?
  • Flow – How does information move between entry and exit points? What about all the points inbetween? Is the flow of information completely auditable and enforceable at all touch points?

1 comment:

Travis Spencer said...

That acronym is great. Thanks for sharing.