What is Security all about?

In today's world nearly any organization needs an IT infrastructure in order to operate. It can be as simple as a basic point-of-sale system for a small corner shop, or a fully fledged infrastructure spanning continents and joining an international organization into one cohesive structure. All of these systems, from the smallest to the largest, have one thing in common: they exist to get a job done.

What does one need to get the job done? This is really the core question. For starters one needs the system to be available at all times. If the people who need to use the system cannot access it, then it is as good as not having the system at all. One also needs integrity: if the data stored in the system can be, or worse, is manipulated in an unauthorized way, then all the work put into that system is wasted. Confidentiality is also a must. One might have the best system, one that always works and ensures data is never manipulated without proper authorization, but what happens if that same system is not able to protect the confidentiality of its data? What happens if credit card details or any other customer data are leaked? Customers would consider shopping at that shop or company a risk for them, a risk they will mitigate simply by going somewhere else. Confidentiality is therefore as essential as Availability and Integrity, since an operational IT infrastructure means nothing without customers generating a use for it.

So what do Confidentiality, Integrity and Availability have in common? They are what any IT infrastructure needs in order to be successful, but they are also something else, and no, I am not referring to the acronym of a certain world-famous organization. They are the three words that define the meaning of the word Security. Security is ultimately all about ensuring Confidentiality, Integrity and Availability, and the three are usually referred to together as the CIA triad.

Some people consider security to be an unnecessary cost; others invest only the bare minimum, or only enough to satisfy the government regulations in their sector. Such people generally prefer to focus on having an effective, reliable IT infrastructure that satisfies their business needs, and they fail to see a very important point: Security and what they are trying to achieve are one and the same!

Why to spend time and energy on Security?

Focusing on Security for your IT infrastructure is not a fad, a fashion statement or an attempt to be the coolest kid at the party. It is about ensuring that your infrastructure works, that it is not manipulated by unauthorized people for any reason, and that only the people intended to have access to the data it holds actually get that access. It can go further than that too. Security is also about having contingencies and plans in place so that, if something does go wrong, the response is not a debate about what to do next and how to fix the situation. With a proper disaster recovery plan in place, the response is instead the execution of a defined set of steps that brings the system back up in the least time possible, fully functional and as close as possible to the state it was in just before the event that brought it down.

Security is also a proactive exercise, which is precisely why it is sometimes disregarded. When investing in an IT infrastructure, putting the security infrastructure in place can seem like an extra, unnecessary cost, and it can be a hard sell for administrators trying to convince management of the need to spend money on it. The usual objections are that it will not bring more value to the infrastructure, it will not increase output, and it will not let people work faster or more efficiently. That is actually wrong: it will do all of those things. Don't believe it? Read on.

It is true that Security brings value to an IT infrastructure mostly in the long term, but it also brings immediate value as soon as it is in place. If no security infrastructure is put in place, it does not mean that security can be ignored; one simply cannot do that in any case. What it does mean is that the necessary tasks will have to be done manually, disrupting administrators and users alike. Machines will still need to be updated. Issues will still need to be dealt with. Security incidents cannot always be swept under the carpet.

Examples:

If a credit card company calls to report that stolen credit cards were used to pay at one of your retail outlets and wants the owner to investigate, does that mean the call can be ignored because there is no security infrastructure in place? No. It means the matter will have to be investigated manually, taking many times longer than it would if the infrastructure (logging, monitoring, retained transaction records) were in place. If a worm or virus is introduced into the system through one of countless possible attack vectors, does that mean it can be ignored since there was no investment in security? That is a time bomb waiting to bring the business down, and without the tooling to identify and contain it, the only way to be sure the environment is clean again is to reinstall it from scratch. That alone means days of downtime which a security infrastructure could have prevented altogether.

If a botnet is installed on a network, or an attacker gets inside a computer in the organization and uses it to attack someone else, and that someone traces the attack back to the organization and sues, does that mean the compromised organization can ignore the lawsuit because it had no security infrastructure in place? Again, no. Again, it means more time and money wasted manually investigating something that could have been prevented, or that at the very least a security infrastructure would have allowed the administrator to query and analyze from recorded events rather than reconstruct by hand, saving both time and money.

A thought at this point might be that the outside world is a scary place, and that if one is connected to it then maybe security is a good idea, but surely a small organization with an enclosed system and no outside access does not need it? Unfortunately, even in such a seemingly safe place security is paramount. A system that is not connected to the outside world is still subject to a number of security risks.

Examples:

Measures must be in place to prevent a disgruntled employee from planting an E-bomb [1] before leaving or being fired, or from simply deleting all the data from the company database which he helped build and for which, in his mind, he was never properly compensated. One needs measures to prevent the soon-to-leave salesman from walking out with confidential client lists and contact details to start a new business competing with his former employer. One needs to protect against the engineer who might leave on his last day with trade secrets, thinking they might give him an advantage when he applies for a job at a major competitor. And one needs protection from the naive employee who thought he was doing nothing wrong when he brought a music compilation from home on a USB disk to listen to at work, not realizing that he was also bringing a virus from his infected home laptop into the company network.

The truth is that there are so many attack vectors, so many risks to an IT infrastructure, that the natural question should not be "Do I really need a security infrastructure?" It should be "How can I protect myself against all these threats?" Luckily, the hard part is really deciding to invest in a security infrastructure. Once that step is taken there are so many options that the next step is simply deciding how deep to go.

What to do next?

One can opt to invest as little money as possible and still have some security in place that will greatly reduce the threats to the network. One could also opt to invest as much money as possible and reduce the threats to such a small amount that it becomes unlikely any issue will be experienced at all, and if one is, its impact will be negligible. Most, however, will take the efficient middle way: investing a modest amount of money in a set of tools designed to provide as much security coverage as possible within a reasonable budget.

No matter the choice, the hard part is deciding to take Security seriously. Once that is done, it is a matter of seeing what would work best to protect your network and the infrastructure you have. Every step taken from then on is a step in the right direction, one that helps ensure your system is Available at all times, that the Integrity of its data is preserved, and that the Confidentiality of that data is ensured, which is exactly what we all hope to achieve from our IT infrastructure.

1. E-bomb (also called a logic bomb or time bomb) is a term describing malicious code or a script set to run at a particular time, or after a certain amount of time has elapsed, and designed to cause damage such as deleting data. E-bombs are generally designed to look like an accident, and to make the attacker appear innocent, by being set to trigger long after the person who planted it lost access to the system.
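The footnote describes what an E-bomb looks like in practice: a scheduled job, planted by someone who is about to lose access, that fires on a single date and destroys data. One cheap control is to audit the scheduling mechanisms an insider would use. The following is an added example, not code from the original article: a small Python audit over system crontab lines (the `/etc/crontab` format with a user column) that flags jobs owned by departed accounts, jobs that fire on one fixed calendar date, and jobs running destructive commands. The crontab lines, the user names and the list of departed accounts are constructed for the example; the destructive-command pattern is a starting point, not an exhaustive list.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of /etc/crontab lines (fields: m h dom mon dow user command).
# Line 3 and line 5 are the planted jobs; the rest are ordinary maintenance tasks.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
0 2 * * * root /usr/local/bin/backup.sh
*/5 * * * * www-data /usr/bin/php /var/www/cron.php
30 3 14 6 * jdoe /bin/sh -c 'rm -rf /srv/db/* && echo ok'
15 4 1 * * root /usr/sbin/logrotate /etc/logrotate.conf
0 1 28 2 * bsmith /usr/bin/mysql -e 'DROP DATABASE sales'
"""

# Hypothetical list of accounts that have been offboarded (assumption for the example;
# in practice this would come from HR or the directory service).
DEPARTED_USERS = {"jdoe"}

# Commands that wipe or destroy data. Case-insensitive; extend for your environment.
DESTRUCTIVE = re.compile(
    r"\b(rm\s+-[a-z]*r[a-z]*f|shred|mkfs|dd\s+if=|DROP\s+(DATABASE|TABLE)|TRUNCATE)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    user: str
    reasons: list = field(default_factory=list)


def parse_system_crontab(text):
    """Yield (minute, hour, dom, mon, dow, user, command, raw_line) for each job line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)  # the 7th field is the whole command, spaces included
        if len(parts) < 7:
            continue  # malformed or an environment assignment such as PATH=...
        minute, hour, dom, mon, dow, user, command = parts
        entries.append((minute, hour, dom, mon, dow, user, command, line))
    return entries


def is_one_shot(dom, mon):
    """A fixed day-of-month AND a fixed month fires once a year: the shape of a time bomb."""
    return dom.isdigit() and mon.isdigit()


def audit(text, departed):
    """Return a Finding for every job that matches at least one E-bomb indicator."""
    findings = []
    for minute, hour, dom, mon, dow, user, command, line in parse_system_crontab(text):
        reasons = []
        if user in departed:
            reasons.append("owned by a departed account")
        if is_one_shot(dom, mon):
            reasons.append(f"fires on a single calendar date ({dom}/{mon})")
        if DESTRUCTIVE.search(command):
            reasons.append("runs a destructive command")
        if reasons:
            findings.append(Finding(line, user, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB, DEPARTED_USERS):
        print(f"[{f.user}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against a real host, the same logic should also cover per-user crontabs (`crontab -l -u <user>`), the `at` queue and, on Windows, scheduled tasks, since all of them are equally usable for a delayed trigger. Jobs that hit more than one indicator deserve attention first; a root-owned monthly logrotate job legitimately has a fixed day-of-month and should not be flagged on that alone, which is why the check requires both a fixed day and a fixed month.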