Wednesday 18 September 2013

2000 to 2013: The Moving Sands of Information Security

I am been in the information security game for a very long time, many of the fundamental security controls haven’t really changed a great deal, and continue to remain best practice, such as deploying anti-virus, patch management and decent firewall management, the business environment where these security controls are applied has radically shifted, especially over the course of the last decade.
 
So lets take a trip down memory lane back to the year the 2000, the world has just found out that the Y2K bug was a complete none starter, aside from making IT contractors a bob or two. Meanwhile the Internet is starting to find its way into mainstream business, even so secretaries were still being asked if they had any experience in using the Internet during job interviews. And if you had a job title with the word “Cyber” in it, people assumed you were some sort of a Dr.Who extra.

Policies
Starting with the cornerstone of all good information security management, the information security policy, what’s changed? 

Back in the year 2000 the responsibility of information security within a typical UK business sat within the mystic realm of the IT department. The policy document would be called the “IT” Security policy, and it tended to be a single document, only a few pages in length and only understandable by the techno geek who wrote it. Today information Security policies are typically spilt into an array different documents, often breaking down into frameworks of standards and guidance, 100s of pages in length, and they are no longer owned by the IT department, rather they are used to instruct IT. Well this is true in many UK businesses that are serious about their InfoSec. Indeed risk and information security has finally become a separate business governance function, sitting at the very top of many businesses. But there is still a way to go with the InfoSec revolution in the UK, as still too many businesses are lacking decent information security management, and as result struggle deliver airtight security best practices.

Personal Device Usage in the Workplace
In the year 2000 a typical policy would warn employees against using the company's 128K Internet access for personal usage, and not to connect their own devices to the network, a rule insisted upon by the business management not based on rational risk or a threat, but based on concerns about staff productivity and hogging the limited bandwidth. There wasn't the proliferation of personal devices we see today, although I recall there was the odd Palm Pilot around. In 2013 users are permitted to use the Internet for personal usage, and are actively encouraged to bring their own devices into the workplace in many businesses in the UK. The business cost saving Bring Your Own Device (BYOD) culture has risen from nowhere in recent years, and has taken a grip up and down the land as business desire to cash in on the benefit of not having to provide expensive smart phones and laptops to their staff.

Laptops
In 2000 the idea of encrypting a laptop’s hard drive would be considered a crazy notion from the realm of a James Bond plot. Laptops of the day tended to really struggle performance wise, and yet even though laptop theft by shell suit clad spotty teenagers was just as common as it is today, businesses were not over concerned about the loss of data via laptop theft. The business was more concerned about the cost of replacing the laptop, meanwhile employees were only concerned about the cost of fixing their smashed car windows. 
Today most UK businesses are no longer over concerned about the laptop replacement cost, but are more anxious about the potential regulatory fines and the media embarrassment that awaits with any loss of a laptop that is not encrypted. The Nationwide fine of £1,000,000+ in 2007 by the FCA (then FSA) marked a sea change in laptop encryption adoption in the UK, and after which many businesses decided to take no chances and increasingly adopted an enforced mandatory hard disk encryption across their entire laptop estate.

Storage Media
Back in the year 2000 the storage media everyone had floating around their desks was CD-Rs, the idea of encrypting them was pretty much unheard of in most UK offices. Main stream business got a wake call when one day in 2007, the HMRC lost a couple of unencrypted CD-Rs which held millions of UK citizen’s personal data, a huge media storm ensued highlighting the government’s bad security practices, and to this day those HMRC CD-R have never been recovered. But the HMRC breach served to wise up many UK businesses to the huge potential reputational damage that losing those circle pieces of silicon could generate. MDs in boardrooms quaffed “look how stupid the government (HMRC) are” then asked their executives “we encrypt all our CDs, don’t we?”
Just like with laptop encryption, businesses took a “take no chances” approach and most now enforce encryption on all media, including USB storage devices, which had exploded onto the scene in mid 0s.

Automated Security Management
IT Security controls have become easier to implement since 2000, no longer is applying anti-virus and software patches a manual 'walking on eggshells' task, but can be done with confidence, centrally managed and fully automated. It doesn’t stop there either, system monitoring and alerting has improved leaps and bounds, with security managers now having access to a NASA style mission control suite of screens brimming with real time stats and turnkey reporting metrics.

The Crown Jewels that doesn't tour, now on tour
The security doctrine of 2000 was all about protecting the important data within the onsite network, a castle and moat approach to security was taken. Great care was taken with remote access, securing perimeter firewalls and with any connectivity to third parties who you dared to share your network and sensitive data with. Those were the security battlefields, with firewalls rule-sets and VPNs the weapons of the day. 

Although perimeter security is still equally as important today, a momentous shift has occurred, in that the crown jewels of the important data has moved to the outside of the business physical site fortress, and can be found in often blindly trusted third party data centres and unvetted cloud service providers. In 2000 placing trust in a third party would have seemed a dubious idea at best, if it had to be done, great care and checks was taken. I think this is one area where a backward step has occurred.

One of the reasons marketing use the word ‘Cloud’ so much, is it makes something that is in reality highly complex, sound very simple to the service user. However businesses need to take a good look under the bonnet of the simple ‘cloud’ front, properly assess and vet the security of third party service provider, applications and infrastructure, ensuring their third parties are aligned to their business risk appetite, and have at the very least the same appropriate level of security controls as their business's internal infrastructure and systems.


Security Awareness
I think it is fair to say there hasn't been a vast improvement in staff security awareness in since 2000. Of course we seen some changes with the introduction of Computer Based Training Courses and employees signing declaration forms, but nothing ground breaking has really happened. Security awareness still tends to be a flash in pan campaign and a tick box assurance, and is often a poorly done afterthought rather than a sustained process. Yet for me it would appear we are coming full circle, and we are placing security control and trust firmly back into the hands of employees, with personal cloud solutions and personal device usage making it more easier than ever for employees and contractors to bypass the once clever endpoint castle moat extending security controls.

The Biggest in the last Decade
Finally, and perhaps the biggest evolution over the years has been with the humble information security professional. Back in the day I remember it being a struggle to be even recognised as a information security profession in the UK, hence why this blog which I started in 2007 is called “IT Security Expert” not “Information Security Expert”. 
Not only is there an ever increasing army of information security professionals, but the quality of how these professionals practise their trade has much evolved for the better. We have seen security professionals go from a ‘health and safety’ mentality of blurting “No” all the time to the businesses they serve, to a business conscious “can do” attitude, having the knowledge and expertise to devise solutions to fit their business needs and risk appetite, well the successful information security professionals are doing this.

5 comments:

Anonymous said...

I can talk about a lot of people think, RFMD is going to look like, not just next-generation, but even
generations agen penjualan pulsa beyond. I think
we're probably, clearly in the first half of this year and then first
device is coming out in Q1. We wanted to make sure that we've got to continue to invest internationally.


Feel free to visit my weblog: grosiran pulsa - -

Nicole said...

It is amazing to think how much technology has changed in the past couple of years and then when you look at this the difference is just astounding.

Anonymous said...

I'm not sure where you are getting your info, but
great topic. I needs to spend some time learning much more or understanding more.
Thanks for excellent information I was looking for this info for my mission.


Here is my page best identity theft protection - ,

Anonymous said...

Very good post! We are linking to this particularly great article on our website.
Keep up the great writing.

Also visit my web blog: Smartphone Checker UK

Anonymous said...

Article writing is also a fun, if you be familiar with after that you can write otherwise
it is difficult to write.

my site ... permaculture design training