Say your boss came to you and said:
We’ve been hit by an upsy-daisium ray. Every single security product we have has been vaporized. The suits say they will replace our existing security budget, so we do not have any additional money to spend but we are starting from a clean slate. We can’t change anything IT or the business units or management have done or are doing – we can only change the security products and architecture we will deploy.
So, did I constrain it enough? This is not security nirvana – we can’t say “let’s go to full lockdown” or “let’s use thin client” or other “yea! – back to the mainframe!” kinda strategies. You really can’t address the process issues. You were basically just given a technology mulligan – you are not constrained by any switching costs from old, bad security deployment decisions.
Now, one strategy might be to spend the entire security budget on education and then the users (and administrators) will never make mistakes or do bad things. Good luck with that.
I think what I would do is abandon the traditional desktop AV-centric platform in favor of one of the more aggressive host-based intrusion prevention/application control approaches, and use the Windows firewall and disk encryption. I’d go with a security-as-a-service model for email and web gateway security, and choose the cheapest Next Generation Firewall (firewall plus IPS) that would meet my perimeter needs and the cheapest VPN approach to meet remote access needs. If I needed 24×7 coverage, I would outsource that to an MSSP. A lot of the routine stuff I’d probably just do the same.
That should generate some savings – I would plow those into making sure all software was vulnerability tested before going onto production systems (during development if possible) and into deploying network DLP to get a handle on where information was really flowing in my organization. With any luck, I’d have enough to afford some form of NAC. With any pennies left over, I’d throw up a few security posters in the lunchroom.
But then the little boy woke up, realized it was only a dream and started to scream….

John Pescatore
Response: If Life is Like a Box of Chocolates, What is Security Like? (October 15, 2008 at 5:55 pm)
[...] few of us will ever really have the opportunity to start with a blank slate. What we can achieve in security is really about what we can add over time and what we can make [...]