The No. 1 complaint that I hear from organizations when discussing IT security is that they don’t have enough resources to do everything they need to.
It’s no mystery why: Take an ever-increasing body of regulations and laws we need to comply with, add to it demands of customers and the business, mix in risky scenarios like home users using unmanaged equipment, and top it all off with the requirement to support every type of mobile device from BlackBerries to iPhones to Android. Let’s face it, there are a lot of items that demand our time.
So I don’t think it’s unreasonable when organizations tell me that they don’t have enough time to do everything that they feel they ought to be doing from a security perspective. What does surprise me, however, is the large number of organizations that have very real, very painful resource constraints on the one hand but that on the other waste time and energy supporting broken processes that add little value. I’ve seen organizations spend (literally) orders of magnitude more to support broken processes when deploying something better (like a tool or a less-broken process) would cost comparatively little.
In cases where you have a bottleneck or resource sink in one area, being blind to it is actually costing you more than you might think: Not only do you have the upkeep costs associated with maintaining what you already have, but you also have the opportunity costs associated with what you could be doing with those resources if you deployed them somewhere else. There’s also the cost in terms of morale and employee satisfaction that comes from employees working day-in, day-out on a task that never ends and that contributes relatively little value to the organization (trust me, they know it’s inefficient).
So that being said, here are the top few challenge areas that I’ve observed where organizations can usually benefit from a little management TLC. Now maybe these areas aren’t broken in your organization — or maybe they are but you just can’t do anything about it at the moment. But if some of these sound familiar, and if you have some dollars to apply to making things better, maybe now’s the time to shake things up a little bit.
#1: User Provisioning
Many organizations, if asked, will tell you they have user provisioning “under control” — but this can be deceptive. For many organizations, user provisioning is a “stealth” issue: Quite a few resources go into it, but they don’t realize it because the cost of maintenance of those things doesn’t hit IT square in the face.
For example, in many organizations, provisioning is distributed across a number of different departments. Access to “centralized” resources like email, file system resources, and a few centralized applications (e.g. SharePoint, Notes) might be provisioned through IT, while “departmental” resources (for example, applications specific to a given business unit, department, or area) might be allocated by the application owner or a knowledgeable subject matter expert in the department.
This might be fine for an organization that has one or two specialized applications, but how often is that the case? Most of us have hundreds of applications that we need to provision access to. If so, the sum total of the provisioning effort is staggering, both in the aggregate time spent granting users access and in subsequently removing that access when they leave or change jobs. Not only is this an expensive way to do things, but it’s also error-prone. If some percentage of application specialists forget to remove an employee from their rosters, it creates a security issue where terminated personnel retain access to resources; this can rise up to bite the organization later, such as in an audit or (worst case) a breach.
A useful exercise for organizations in this boat is for IT to play the hero: Calculate the total costs of provisioning across the board and systematically compare what you’re spending today to what you could be spending if you were to automate the process. Maybe you can’t automate it all, but in most cases you’ll find that an automated tool not only saves money and increases security, but it also helps re-establish ownership of technical resources in IT’s hands.
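The audit the column describes, reconciling each application owner’s roster against the HR roster to find leavers who were never removed, is the kind of check that is cheap to automate. The script below is an added example, not code from the column or from CTG; the HR roster, the per-application access lists and the employee ids are constructed sample data, and the "days exposed" figure is measured from the HR termination date to an as-of date you supply.

```python
"""Reconcile departmental application access lists against the HR roster.

Added example (not from the original column). All rosters below are
constructed sample data; real input would come from an HR export and
from each application's own user list.
"""
from datetime import date

# Constructed HR roster: employee id -> (name, status, termination date or None)
HR_ROSTER = {
    "e100": ("A. Ortiz", "active", None),
    "e101": ("B. Chen", "terminated", date(2011, 2, 14)),
    "e102": ("C. Novak", "active", None),
    "e103": ("D. Rao", "terminated", date(2011, 3, 1)),
}

# Constructed per-application rosters, as an application owner might keep them.
APP_ACCESS = {
    "email": {"e100", "e102"},                       # IT-managed; cleaned up on exit
    "sharepoint": {"e100", "e101", "e102"},          # e101 left but is still listed
    "claims-app": {"e100", "e101", "e102", "e103"},  # departmental; nobody removed leavers
    "payroll-tool": {"e103", "e999"},                # e999 has no HR record at all
}


def find_orphaned_access(roster, app_access):
    """Return {app: {user_id: reason}} for every roster entry that should not exist.

    reason is "terminated" (HR says the person left) or "unknown" (no HR record,
    e.g. a locally created account that never went through provisioning).
    """
    orphans = {}
    for app, users in app_access.items():
        for uid in sorted(users):
            record = roster.get(uid)
            if record is None:
                orphans.setdefault(app, {})[uid] = "unknown"
            elif record[1] == "terminated":
                orphans.setdefault(app, {})[uid] = "terminated"
    return orphans


def exposure_days(roster, orphans, as_of):
    """For each terminated-but-still-listed user, days between HR termination
    and the as-of date: how long the stale access has been live."""
    exposure = {}
    for app, users in orphans.items():
        for uid, reason in users.items():
            if reason == "terminated":
                exposure[(app, uid)] = (as_of - roster[uid][2]).days
    return exposure


def summarize(orphans):
    """Count orphaned entries by reason, for the report to management."""
    counts = {"terminated": 0, "unknown": 0}
    for users in orphans.values():
        for reason in users.values():
            counts[reason] += 1
    return counts


if __name__ == "__main__":
    found = find_orphaned_access(HR_ROSTER, APP_ACCESS)
    for app, users in found.items():
        for uid, reason in users.items():
            print(f"{app:14s} {uid:6s} {reason}")
    print("exposure (days):", exposure_days(HR_ROSTER, found, date(2011, 4, 1)))
    print("totals:", summarize(found))
```

Run against real exports, the two numbers worth putting in front of management are the "terminated" count (leavers who still have access somewhere) and the longest exposure in days; both tend to be much larger for departmentally provisioned applications than for the IT-managed ones, which is exactly the stealth cost the column describes.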
#2: Patching and Configuration Management
Just like provisioning, if you ask most organizations about patch management, many will tell you that they have this under control too. They’ll tell you about how they have a golden OS image to start from and how they’ve deployed OS patch management services like WSUS or other OS-specific update tools. However, when you start to dig a little bit and start asking about the hundreds or thousands of applications, middleware components, supporting utilities, virtual systems, vendor-supported platforms, etc. — that’s when the story starts to fall apart fast.
The truth is, configuring the various systems and applications in even a modest-size shop is a huge undertaking, and maintaining that configuration is even more so. Many vendors have restrictions about applying security patches to “their” devices, applications can have their own requirements for how (and if) they auto-update, and patching failures can go unnoticed. Making sure that everything stays current can be a nightmare: when it goes “right” it’s time-intensive, and when it goes “wrong” it’s a security nightmare.
The good news is that there are a number of products out there that help streamline these aspects of operations. Sure there are the OS-supplied tools, but thinking more broadly and looking for solutions that address other areas (such as application maintenance) can significantly decrease efforts associated with rolling out patches.
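The gap the column points at, OS patches tracked by WSUS while the applications on top of them are not, shows up as soon as you compare a software inventory against a baseline of minimum patched versions. The script below is an added example, not the column’s or any vendor’s code; the host inventory, product names and version strings are constructed, and it assumes purely numeric dotted versions (real vendor version strings often need product-specific parsing).

```python
"""Compare a software inventory against a patch baseline.

Added example (not from the original column). Inventory and baseline are
constructed sample data; product names and versions are illustrative.
"""

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "ws-0412": {"os-build": "6.1.7601", "pdf-reader": "9.4.2", "java-runtime": "6.0.26"},
    "ws-0413": {"os-build": "6.1.7600", "pdf-reader": "9.4.3", "reporting-tool": "3.1"},
    "srv-db01": {"os-build": "6.1.7601", "db-client": "11.2.0", "backup-agent": "7.0"},
}

# Constructed baseline: minimum acceptable version per product. Products missing
# here are the "stealth" ones: installed, but nobody has decided what current means.
BASELINE = {
    "os-build": "6.1.7601",
    "pdf-reader": "9.4.3",
    "java-runtime": "6.0.26",
    "db-client": "11.2.0",
}


def parse_version(text):
    """Turn '9.4.2' into (9, 4, 2) so versions compare numerically, not as strings
    (as strings, '9.4.10' would sort below '9.4.2')."""
    return tuple(int(part) for part in text.split("."))


def compare_to_baseline(inventory, baseline):
    """Return (outdated, unbaselined).

    outdated:    {host: {product: (installed, required)}} for installs below baseline
    unbaselined: sorted list of products with no minimum version defined at all
    """
    outdated = {}
    unbaselined = set()
    for host, products in inventory.items():
        for product, installed in products.items():
            required = baseline.get(product)
            if required is None:
                unbaselined.add(product)
                continue
            if parse_version(installed) < parse_version(required):
                outdated.setdefault(host, {})[product] = (installed, required)
    return outdated, sorted(unbaselined)


def coverage(inventory, baseline):
    """Counts for the status report: total installs, how many have a baseline,
    how many of those are current."""
    outdated, _ = compare_to_baseline(inventory, baseline)
    total = sum(len(p) for p in inventory.values())
    baselined = sum(1 for p in inventory.values() for name in p if name in baseline)
    behind = sum(len(p) for p in outdated.values())
    return {"installs": total, "baselined": baselined, "current": baselined - behind}


if __name__ == "__main__":
    outdated, unbaselined = compare_to_baseline(INVENTORY, BASELINE)
    for host, products in outdated.items():
        for product, (have, need) in products.items():
            print(f"{host}: {product} {have} < required {need}")
    print("no baseline defined for:", ", ".join(unbaselined))
    print("coverage:", coverage(INVENTORY, BASELINE))
```

The "unbaselined" list is usually the more uncomfortable output: an OS-only tool reports those hosts as fully patched, while nobody is tracking whether the reporting tool or backup agent ever gets updated.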
#3: Log Management
Most of us realize by now that log management isn’t something that we can just ignore. Prescriptive regulatory requirements like PCI specifically require that we review logs of access to cardholder data, and we all know that review of access logs is the right thing to do from a security perspective. But how many of us actually have log aggregation, management, and archival systems in place to help us do this? If you answered “not many,” you’re spot on.
In many organizations, the expectation is that technical personnel will manually review log file information on a periodic (in some cases, like what’s required by PCI, daily) basis. Given that a typical organization might produce gigabytes of log file data per day, how reasonable is it to expect staffers to wade through it by hand? Best case, it gets done at Herculean effort and expense; worst case, folks don’t have the time to do it and it falls by the wayside. Not only is it hard (some would say impossible) to do this right without automation, but can you imagine a more boring and unfulfilling job for a technical staffer than reading through gigabytes of log files on a daily basis? It’s inefficient at best and a sure path to “flight risk” resources at worst.
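The daily cardholder-data access review the column mentions is a good illustration of what "automation" means in practice: the reviewer defines a handful of conditions once, and the tool reduces gigabytes of events to the few lines a person should look at. The script below is an added example, not code from the column; the log format (timestamp followed by key=value pairs), the sample events, the authorized-user list and the thresholds are all constructed.

```python
"""Rule-based daily review of cardholder-data access logs.

Added example (not from the original column). The log lines, user names,
allow list and thresholds are constructed sample data; the key=value
format is an assumption, not any product's real format.
"""
from collections import Counter
from datetime import datetime

# Constructed sample of one day's events from a cardholder database.
SAMPLE_LOG = """\
2011-03-14T08:15:02 host=db01 user=jsmith action=SELECT table=cardholder rows=12 result=ok
2011-03-14T08:16:40 host=db01 user=jsmith action=SELECT table=merchant rows=3 result=ok
2011-03-14T02:13:45 host=db01 user=svc_batch action=SELECT table=cardholder rows=5000 result=ok
2011-03-14T11:02:11 host=db01 user=contractor7 action=SELECT table=cardholder rows=40000 result=ok
2011-03-14T11:05:00 host=db01 user=contractor7 action=LOGIN result=fail
2011-03-14T11:05:03 host=db01 user=contractor7 action=LOGIN result=fail
2011-03-14T11:05:07 host=db01 user=contractor7 action=LOGIN result=fail
2011-03-14T11:05:09 host=db01 user=contractor7 action=LOGIN result=fail
2011-03-14T23:40:19 host=db01 user=dba2 action=UPDATE table=cardholder rows=1 result=ok
"""

# Review policy (constructed). In practice these come from the access matrix
# produced by provisioning, which is why #1 and #3 feed each other.
AUTHORIZED_CARDHOLDER_USERS = {"jsmith", "svc_batch", "dba2"}
AFTER_HOURS_EXEMPT = {"svc_batch"}      # scheduled jobs legitimately run at night
BUSINESS_HOURS = range(7, 19)           # 07:00 to 18:59 local time
FAILED_LOGIN_THRESHOLD = 3
BULK_ROW_THRESHOLD = 10000


def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict with a parsed 'ts' datetime."""
    stamp, rest = line.split(" ", 1)
    event = dict(pair.split("=", 1) for pair in rest.split())
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return event


def review(log_text, authorized, business_hours, exempt, fail_threshold, bulk_rows):
    """Apply the review rules and return a list of (rule, user, timestamp) findings."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]

        # Rule: repeated failed logins; report once, when the threshold is reached.
        if ev.get("action") == "LOGIN" and ev.get("result") == "fail":
            failures[user] += 1
            if failures[user] == fail_threshold:
                findings.append(("repeated-login-failure", user, ts))
            continue

        # The remaining rules only concern cardholder data.
        if ev.get("table") != "cardholder":
            continue
        if user not in authorized:
            findings.append(("unauthorized-cardholder-access", user, ts))
        if ts.hour not in business_hours and user not in exempt:
            findings.append(("after-hours-cardholder-access", user, ts))
        if int(ev.get("rows", 0)) >= bulk_rows:
            findings.append(("bulk-cardholder-read", user, ts))
    return findings


def summarize(findings):
    """Counts per rule, the one-line version of the daily report."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    results = review(SAMPLE_LOG, AUTHORIZED_CARDHOLDER_USERS, BUSINESS_HOURS,
                     AFTER_HOURS_EXEMPT, FAILED_LOGIN_THRESHOLD, BULK_ROW_THRESHOLD)
    for rule, user, ts in results:
        print(f"{ts.isoformat()} {rule:32s} {user}")
    print(dict(summarize(results)))
```

Nine events become four findings for a human to look at, and the same rules run unchanged over nine million events; the reviewer’s job shifts from reading logs to maintaining the allow list and the thresholds, which is work that actually uses their judgement.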
Now, these three are by no means the only areas of inefficiency that exist; they’re just a few common ones. Maybe you don’t have these problems in your environment, but if any of these areas sound familiar, dealing with them is an opportunity: more budget for you, less hassle for your staff, and overall cost savings for the firm.
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.