Talking about Security Pt 1
In a world full of remote systems, interfaces and unbounded risk for internet-connected systems, we are in most cases helpless to defend ourselves alone. Experienced technical people understandably want to keep everything firmly under their own control, but that is not always the best move, or the best solution.
In some cases, that frame of mind leaves you with fewer options, and only a partial solution to the problem at hand.
As an example, you shouldn’t avoid “hybrid” cloud solutions, or look at risk as an “all or nothing” type of engagement. Standing with one leg up in the cloud can give you a foothold in the risk department. For example, some providers will use a hosted service to offset the risk of bringing a function in-house. This doesn’t necessarily mean the entire platform, just that single component.
It sounds fragmented, but it’s all about how you unify it for the end user anyway.
A few useful and dominant players in the hosted Platform-as-a-Service space are Incapsula and CloudFlare. Both of these providers offer a hosted protection platform for websites. It is possible to obscure the true location of your servers by redirecting the site’s name (its DNS record) to the provider, putting the provider directly in front of the oncoming traffic.
The service scrubs the traffic clean and sends it off to you to serve up the content. This is an ordinary operating cost and very much a solution for those sites where you don’t need to explore security in the corporate cloud. Just on the edge: something that complements the existing infrastructure, transfers risk, and stands as an operating cost. No big capex or installation woes here.
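One check worth keeping alongside this setup: once the site’s name points at the scrubbing provider, the origin server should only be seeing traffic that arrived through that provider; any request hitting the origin from elsewhere means the obscured location has leaked and the protection is being skipped. The following is an added example, not code from the original post or from either provider: it scans a handful of constructed origin access-log lines and reports requests whose source address is outside the provider’s forwarding ranges. The `EDGE_RANGES` prefixes are placeholders (documentation networks); a real deployment would load the provider’s published ranges instead.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Placeholder for the edge provider's published forwarding ranges.
# These are RFC 5737 documentation prefixes, used here only as stand-ins.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Combined-log style line with the X-Forwarded-For header logged as a trailing
# quoted field (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)


def came_through_edge(src_ip: str) -> bool:
    """True if the connecting address belongs to one of the edge provider's ranges."""
    addr = ipaddress.ip_address(src_ip)
    # Mixed IPv4/IPv6 comparisons simply return False, so a v6 source is
    # treated as a bypass unless a v6 edge range is listed.
    return any(addr in net for net in EDGE_RANGES)


def find_bypasses(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the requests that reached the origin without passing the edge."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        src = m.group("src")
        if not came_through_edge(src):
            hits.append({"src": src, "request": m.group("req"), "ts": m.group("ts")})
    return hits


# Constructed sample log: two requests via the edge, two that bypassed it.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2014:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "192.0.2.44"',
    '198.51.100.7 - - [10/Oct/2014:13:55:40 +0000] "GET /login HTTP/1.1" 200 2048 "192.0.2.45"',
    '192.0.2.99 - - [10/Oct/2014:13:56:01 +0000] "GET /admin HTTP/1.1" 403 128 "-"',
    '2001:db8::1 - - [10/Oct/2014:13:56:09 +0000] "POST /api HTTP/1.1" 200 64 "-"',
]

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print(f"{hit['ts']}  direct-to-origin from {hit['src']}: {hit['request']}")
```

Reporting is only half of it: the same range list is what you would feed the origin’s firewall or web server allow-list so that direct connections are refused rather than merely logged.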
But, what should you do when IT threatens that precarious sense of control you have?
What if you don’t have complete control over the system?
Sometimes, you just need to talk about security.
Here’s an example… About 6 months ago, I had a discussion with my bank and a local rep (on-site) about its capabilities with regard to protecting accounts. This was purely for my own research, as I had a specific concern about commercial accounts. The bank was open to the talk, but didn’t have much to promise me in terms of what could be done.
This has been my primary bank for a number of years, so I figured it was worth a try to approach it the logical way. At the least it let me stay where I was, with minimal discomfort and pain in migrating. All I had to do was send a message, after all. I’d be forced to call if I were to cancel the account!
What was missing?
No picture/object/secrets scheme available at log-on
Lack of email notifications for specific types of events
Inability to restrict ACH/EFT transfers (in any way, to any place)
No multi-factor authentication using phone, text, app available
None of my hundreds of random internet purchases or vacations had tripped a fraud system.
I gave it another 6 months and they rolled out almost all of these features. The bank developed a road-map, and advanced mobile/two-factor authentication for all of its users. Woohoo!
As a disclaimer, I have worked in environments with thousands of banks as clients. It helps to know where it hurts, but I used only a basic analytic approach and potentially 30 minutes of my time.
Did I do that? One can never know… but that message alone may have gone right to the decision makers. I spoke a lot about the capabilities of the organization’s closest competitors. These rules of business are universal and eternal, and if you haven’t recently, try talking about security some time.
It might be up to the IT department to have that conversation in the end, but it still helps to egg them on…