What better time to talk about worst practices than Friday the 13th? Back in January, we published research (and a blog) on the 12 network security worst practices. These “dirty dozen” include:
- Shiny new object syndrome
- Culture of no
- Insufficient focus on users and business requirements
- Defense with inadequate depth
- Organizational misalignment
- Suboptimal branch architecture
- Security blind spots
- Uncoordinated policy management
- Noncompetitive vendor selections
- Hazardous network segmentation
- Inadequate end user education
- Inadequate security event management
For each “worst practice”, we provide a definition and real-world examples, identify their impact, and provide specific guidance to avoid them. Here’s an example (a snippet from the published research):
Security Blind Spots (AKA “Not my job” and “my hardware can’t handle SSL decryption”)
Gartner observes that specific functional areas within an organization’s infrastructure have significant security gaps. In particular, IT security tends to focus narrowly on IP network security rather than on IT security as a whole. Common examples where security is too thin include:
- Fiber channel storage area networks (SANs)
- Time division multiplexing (TDM) voice infrastructure
- Secure Sockets Layer (SSL)-based traffic (see “Security Leaders Must Address Threats From Rising SSL Traffic”)
- Application security, including both application development and third-party security solutions (see “Web Application Firewalls Are Worth the Investment for Enterprises”)
- Security tools with limited feature capability for IPv6 (in comparison to IPv4)
- External cloud-based services including SaaS, PaaS and IaaS
- Mobile security (i.e., allowing mobile devices to connect to the email server, which provides access to email, contacts, calendar and attachments)
Most security gaps are already known by the security team, but have not been addressed because of other priorities. This problem has played a major role in some well-publicized and high-impact breaches.
Action: Perform regular penetration tests to uncover gaps and to highlight the risk of attacks that exploit security blind spots. Update existing security metrics to include risks related to security gaps. Create specific metrics for security coverage that highlight insufficient visibility, in order to defend the business case for specific funding. Consider detection and response as well as preventative controls when architecting security solutions. See “Agenda Overview for Information Security Technologies and Services, 2015” and “A Guide to Security and Risk-Related Hype Cycles, 2014.”
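The “security coverage” metric recommended above is easier to defend in a budget conversation when it is a number per blind-spot area rather than a feeling. The following is an added example, not code from the Gartner note: it scores a constructed asset inventory (names, criticality scale of 1 to 5, and control flags are all assumed for illustration) against the seven blind-spot areas listed above, reporting preventive and detective coverage separately, as the note advises, and ranking the gaps by the criticality of the assets nobody can see.

```python
"""Security-coverage metric over a constructed asset inventory.

Added example (not from the Gartner note). Each inventory record says
which blind-spot area an asset belongs to and whether a preventive
and a detective control actually covers it. The report turns the gaps
the team "already knows about" into per-area percentages.
"""
from collections import defaultdict
from dataclasses import dataclass

# Areas taken from the "Security Blind Spots" list in the note.
AREAS = ("fc_san", "tdm_voice", "ssl_traffic", "appsec", "ipv6", "cloud", "mobile")


@dataclass(frozen=True)
class Asset:
    name: str
    area: str          # one of AREAS
    criticality: int   # assumed scale: 1 (low) .. 5 (high)
    prevented: bool    # a preventive control (firewall, WAF, TLS inspection, ...) covers it
    detected: bool     # a detection/response control (IDS, log pipeline, ...) sees it


# Constructed sample inventory; every name and flag here is invented for the example.
INVENTORY = [
    Asset("san-array-01", "fc_san", 5, prevented=False, detected=False),
    Asset("pbx-core", "tdm_voice", 3, prevented=False, detected=False),
    Asset("web-edge-lb", "ssl_traffic", 5, prevented=True, detected=False),
    Asset("api-gw", "ssl_traffic", 4, prevented=True, detected=True),
    Asset("customer-portal", "appsec", 5, prevented=True, detected=True),
    Asset("partner-portal", "appsec", 4, prevented=False, detected=True),
    Asset("dmz-ipv6-seg", "ipv6", 4, prevented=True, detected=False),
    Asset("crm-saas", "cloud", 4, prevented=False, detected=True),
    Asset("iaas-tenant", "cloud", 5, prevented=True, detected=True),
    Asset("mobile-mail-gw", "mobile", 3, prevented=True, detected=False),
]


def coverage_by_area(inventory):
    """Return {area: {"assets": n, "prevent": pct, "detect": pct, "exposed_weight": w}}.

    exposed_weight sums the criticality of assets that no detective control
    sees, so one unmonitored crown jewel outweighs several minor gaps.
    An area with no inventoried assets reports None for both percentages:
    not knowing what you own there is itself a visibility gap.
    """
    totals = defaultdict(lambda: {"assets": 0, "prevent": 0, "detect": 0, "exposed_weight": 0})
    for a in inventory:
        if a.area not in AREAS:
            raise ValueError(f"unknown area {a.area!r} for asset {a.name!r}")
        t = totals[a.area]
        t["assets"] += 1
        t["prevent"] += int(a.prevented)
        t["detect"] += int(a.detected)
        if not a.detected:
            t["exposed_weight"] += a.criticality

    report = {}
    for area in AREAS:
        t = totals.get(area)
        if t is None:
            report[area] = {"assets": 0, "prevent": None, "detect": None, "exposed_weight": 0}
            continue
        report[area] = {
            "assets": t["assets"],
            "prevent": round(100 * t["prevent"] / t["assets"]),
            "detect": round(100 * t["detect"] / t["assets"]),
            "exposed_weight": t["exposed_weight"],
        }
    return report


def blind_spots(report, min_detect_pct=50):
    """Areas with no inventory or with detection below the threshold, worst first."""
    spots = [a for a, r in report.items()
             if r["detect"] is None or r["detect"] < min_detect_pct]
    return sorted(spots, key=lambda a: (-report[a]["exposed_weight"], a))


if __name__ == "__main__":
    rep = coverage_by_area(INVENTORY)
    for area in AREAS:
        r = rep[area]
        print(f"{area:12} assets={r['assets']:2} prevent={r['prevent']!s:>4}% "
              f"detect={r['detect']!s:>4}% exposed_weight={r['exposed_weight']}")
    print("blind spots (worst first):", blind_spots(rep))
```

Running it against the sample inventory ranks the Fibre Channel SAN first: it is both fully unmonitored and the most critical thing in the list, which is exactly the kind of result that supports a funding request better than "we know the SAN is a gap". The separate preventive and detective percentages also show the pattern the note warns about: several areas have a preventive control in front of them and nothing watching what gets through.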
Note: We will also be publishing a new “worst networking practices” note within the next month or two.