Showing posts with label EMC. Show all posts

Thursday, May 1, 2008

Physical Security and Business Processes

One of the things that distinguishes security from other IT disciplines is its massive scope.

In simple terms, if you own the corporate network, you care about switches, routers, and traffic going from Point A to Point B. If you own security, you have to look up and down the old "technology stack" while keeping an eye on physical security and cross-company business processes. Little wonder, then, that so many companies suffer so many data breaches.

For years, the security industry seemed to disregard the broad scope of problems faced by enterprise organizations. Instead, even the biggest security firms like Check Point and McAfee simply offered the threat management widget du jour. This is like your local tire store saying that it is in the business of selling automobiles. Something had to give, which is why big enterprise-savvy companies like EMC, Hewlett-Packard, and IBM entered the market.

At the RSA Conference in San Francisco, rather than talk about threat management products from ISS or identity management software from Tivoli, IBM presented a few interesting things:
• A comprehensive security framework based upon enterprise user security requirements rather than its portfolio of products.
• Integration between security and business processes. IBM now has a single person, Chris Lovejoy, who is responsible for coordinating security activities across IBM product and business units.
• An aggressive partnering program to enhance its homegrown offerings.

No, IBM doesn't have all the answers. And there are probably lots of areas where others have better products. That said, IBM has organized its security portfolio in a way that meets enterprise requirements at the board level--and not just in the security products test lab.

Thursday, April 17, 2008

NIST recommendation for RSA 1024 bit keys

While effective attacks against 1024-bit RSA keys appear unlikely to emerge in the near term, the community has for some years suggested the prudence of a move away from 1024-bit key lengths by the end of 2010. The U.S. National Institute of Standards and Technology (NIST) recommends in Special Publication 800-57, "Recommendation for Key Management - Part 1: General" (http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf, p. 66), that 1024-bit RSA be used to confer data protection only through 2010. Similarly, in May 2003, RSA Labs published key-size recommendations deprecating the use of 1024-bit RSA keys for protection of data with a lifetime beyond 2010. The general consensus is that 1024-bit RSA keys are roughly equivalent in strength to 80-bit symmetric keys, and that advances in computing power and incremental algorithmic advances could bring such keys within the reach of intensive computational attack in the next decade. It is worth noting, however, that many view the NIST date of 2010 as a conservative "best by" date, selected in part in anticipation of delayed industry adherence to NIST guidelines.

EMC's interpretation: "At most companies today, security projects are being driven by compliance and audit, so what a surprise that they don't have alignment with the business! Security practitioners are not working on business problems; they are working on regulatory issues."

Now I'm not going to suggest that all regulation is unjustified and that businesses can't profit from the level playing field that regulation can create. However, any regulation can be interpreted to the extreme, and when it comes to security, materiality and RISK are NOT often given their proper weighting.

Finally, vendors must build and implement "Thinking Security" systems, collaborating with practitioners and with each other. The rise of thinking security will mean that information-centric security is a reality, a reality that will catapult security to a new plane where it is widely seen as an accelerator of innovation.
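The NIST recommendation quoted above turns into a concrete check a practitioner can run: find every RSA key whose modulus is shorter than the size SP 800-57 Part 1 rates at 112 bits of security, the minimum strength it calls for after 2010 (2048-bit RSA; 1024-bit RSA sits on the 80-bit row of the same comparable-strength table). The script below is an added example, not code from the original post or from RSA/EMC. It reads PEM-encoded RSA public keys, either PKCS#1 "RSA PUBLIC KEY" or SubjectPublicKeyInfo "PUBLIC KEY", with a minimal DER reader from the Python standard library, so it runs offline. The keys it checks are constructed by `sample_pem` from integers of the right bit length and are not real RSA moduli; `NIST_STRENGTH`, `MIN_STRENGTH_AFTER_2010`, `audit`, `rsa_modulus_bits` and the other names are this example's own.

```python
"""Audit PEM RSA public keys against the key sizes NIST SP 800-57 rates as
adequate beyond 2010. Added example; not code from the original post."""
import base64
import re

# SP 800-57 Part 1 comparable-strength rows: RSA modulus bits -> symmetric-equivalent bits.
NIST_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
# Minimum security strength SP 800-57 Part 1 calls for from 2011 onward.
MIN_STRENGTH_AFTER_2010 = 112
RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem):
    """Return the modulus bit length of a PKCS#1 or SubjectPublicKeyInfo RSA public key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    if label == "PUBLIC KEY":                   # SPKI: AlgorithmIdentifier + BIT STRING(PKCS#1 key)
        _, alg, pos = _read_tlv(body, 0)
        oid_tag, oid, _ = _read_tlv(alg, 0)
        if oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        tag, bitstr, _ = _read_tlv(body, pos)
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        _, body, _ = _read_tlv(bitstr[1:], 0)  # drop unused-bits byte, unwrap RSAPublicKey SEQUENCE
    elif label != "RSA PUBLIC KEY":
        raise ValueError("unsupported PEM type: " + label)
    tag, modulus, _ = _read_tlv(body, 0)        # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def security_strength(bits):
    """Strength of a modulus per SP 800-57; a size between two rows only earns the lower row."""
    rows = [size for size in NIST_STRENGTH if size <= bits]
    return NIST_STRENGTH[max(rows)] if rows else 0


def audit(pem):
    """Return (modulus_bits, strength_bits, acceptable_after_2010) for one PEM key."""
    bits = rsa_modulus_bits(pem)
    strength = security_strength(bits)
    return bits, strength, strength >= MIN_STRENGTH_AFTER_2010


# --- constructed sample input: DER-encode made-up integers of the right size (not real keys) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)   # keep INTEGER positive


def sample_pem(modulus_bits, spki=True):
    """Build a syntactically valid PEM key whose modulus is exactly modulus_bits long."""
    n = (1 << (modulus_bits - 1)) | 1           # constructed placeholder, not an RSA modulus
    pkcs1 = _der(0x30, _der_int(n) + _der_int(65537))
    if spki:
        alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
        der, label = _der(0x30, alg + _der(0x03, b"\x00" + pkcs1)), "PUBLIC KEY"
    else:
        der, label = pkcs1, "RSA PUBLIC KEY"
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


if __name__ == "__main__":
    for bits, spki in ((1024, True), (1536, False), (2048, True), (3072, False)):
        size, strength, ok = audit(sample_pem(bits, spki))
        print(f"RSA-{size}: {strength}-bit strength, {'OK' if ok else 'REPLACE before 2011'}")
```

On real keys, feed `audit` the text of `openssl rsa -in server.key -pubout` (SPKI form) or `openssl rsa -in server.key -RSAPublicKey_out` (PKCS#1 form); the strength lookup deliberately rounds down, so a 1536-bit key is reported at the 80-bit row, not somewhere between the rows.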