By Mary Ann Davidson
May 6, 2004
A recent report from PricewaterhouseCoopers confirmed that most security breaches involve stored data. Exponential growth in storage capacity, coupled with emerging regulatory requirements, has brought an even greater increase in storage network vulnerabilities. Today, organizations must recognize the critical importance of securing all types of data, from corporate confidential documents to enterprise instant messages to global personnel records. To meet these challenges, organizations need a smarter, more cost-effective approach to security, one that moves away from the prevalent practice of developing and applying patches only after problems are discovered. This article outlines a step-by-step process organizations can use as they evaluate technology products.
Internal Perspective
Organizations can make better decisions about security products, and reduce potential back-end costs, by researching a few key vendor practices: examining the vendor's corporate culture, specifically the security of its development process; insisting on a response plan for when vulnerabilities are found; and demanding third-party assessments.
When researching information-technology products, organizations must investigate the vendor's security practices and determine the true cost of the product. A product's true cost is often not just the licensing fee but also the time and money spent patching the product once a vulnerability is discovered. An educated purchase up front is cheaper than dedicating resources to applying patches after procurement, a process that can prove far more costly in the long run. For example, the estimated cost to deploy a patch for a known software flaw averages $900 per server and $700 per client, and if an organization misses a patch and is hit by a virus, the cost is magnified.
Vendors must demonstrate that security is a priority at each step of product development and delivery. Some software vendors provide training in secure coding practice and tie compensation to secure coding objectives, thereby strengthening the company's security culture. A vendor with a chief security officer and a team that analyzes its products for weaknesses, or hacks its own products, is clearly dedicated to security; it is far better that the vendor find a product weakness before the flaw causes problems for customers. The vendor should also run its own enterprise on its products: if a company doesn't trust its own products to protect its secrets, why should you?
Patch Management
Before signing on the dotted line, organizations should be convinced of two things: that the vendor has an aggressive plan for handling problems that may arise, and that the vendor has a strictly followed incident-response policy for determining the severity level of a vulnerability. Together these mitigate the impact of security vulnerabilities when they do arise.
Further, the vendor should finish all relevant patches before announcing a security alert; information released haphazardly to a handful of customers will exacerbate rather than calm the situation. The vendor's security policy should also treat all customers equally, giving every customer the same level of notice regardless of its size or industry.
Validating Security Claims
Third-party validation represents a critical step in purchasing secure products. Vendors that are serious about security will submit their products for rigorous security evaluations conducted by independent authorities. These evaluations are recognized globally by various governing bodies and provide organizations with a level of assurance about the product's features and security claims. Sometimes, evaluators find product weaknesses and vulnerabilities that are corrected before the evaluation is completed or the product is released.
These evaluations are not without a price. However, reputable vendors know that remedying vulnerabilities found during an evaluation is cheaper than fixing a product already in use. For example, while an evaluation can cost as much as $1 million, creating and issuing a patch for multiple versions of a product available on 20 different operating systems can easily cost that much too, not counting the cost of applying the patch. Clearly, creating secure products is in the best interest of vendor and buyer alike.
Although this due diligence adds a step to the procurement process, it raises the bar for security across the board. If the industry fails to follow such guidelines, it risks having government agencies regulate the process. The U.S. government has already instituted compliance regulations such as Sarbanes-Oxley, governing the financial reporting of public companies, and the Health Insurance Portability and Accountability Act (HIPAA), governing healthcare data, that dictate how organizations in those sectors must guard their stored data.
Security as a De Facto Purchasing Criterion
"IT" now stands for "infrastructure technology," and needs to be as robust, secure, and reliable as physical infrastructure. We never worry about bridges failing, nor should we worry about some of our most critical IT systems - such as SANs, NAS, DAS, and backup environments - going down because of design defects.
Adhering to these security guidelines and choosing more robust products are prudent moves that will cut costs and improve business in the short and long term.
Copyright © 2004 SYS-CON Media, Inc. — All Rights Reserved.
Mary Ann Davidson is the chief security officer at Oracle, and is responsible for security evaluations, assessments, and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), and is on the editorial review board of the Secure Business Quarterly. Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, where she was awarded the Navy Achievement Medal.