Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Security, IT Operations, Compliance & Privacy Converge in Data Center

Formerly disconnected disciplines find themselves working together

Not long ago, they didn't talk to each other. Security folks and network administrators worked in their own silos, sharing little except log information. Compliance people worked with finance and accounting. Privacy people were mostly in the legal department.

As security breaches and compliance issues come to the fore, however, those silos are rapidly breaking down. Last week at the RSA 2008 conference in San Francisco, security experts and vendor executives were not only talking about communication between these formerly-separate functions, but about the convergence of security-related disciplines.

"It's a bit like watching people groping around in the dark," said Rena Mears, partner and head of the Security Services Group at Deloitte & Touche LLP. "We see compliance people moving in an IT direction in response to a legal requirement. We see security people developing privacy policy with no understanding of the business process. And in most cases, there's no strategic view of the data anywhere in the enterprise -- they don't know where the sensitive data is, and they don't know who's using it."

John Worrall, vice president and general manager of the Information and Event Management Group at RSA, agreed. "As companies see the breaches around them and the impact they can make, they're asking how they can be sure they're secure," he said. "Compliance is part of it, but compliance with regulatory policy might only address 40 percent of your security issues. To truly answer the question, you need to define what security is, you need to look at your internal security policy and see if it matches what you've set out to do as a business."

Many security vendors -- and some enterprises -- hope to achieve convergence of security and privacy efforts by launching an array of technologies and disciplines built around the concept of IT governance, risk, and compliance (GRC). But some critics have complained that GRC is too broad to be useful as a tactical solution. (See Too Much Access.)

In the shorter term, what's really needed are ways to improve communications among the various silos that have a stake in enterprise security, experts say. The networking people should be talking to the security people; the security people should be talking to the privacy people; and everybody should be talking to the compliance managers.

Some vendors and experts suggest that this communication will occur naturally as companies attempt to identify and secure their sensitive data and move toward a data-centric security model.

"What we need is a fundamental shift," said John Thompson, chairman of Symantec. "We need a risk-based approach that addresses data at rest and in motion. I need to know what sensitive information do I have, how is it stored, and how is it used. I need to set rules for archiving and encryption, and those policies must be aligned across the business."

Thompson's ideas were demonstrated in products at the show. RSA's new Data Loss Prevention (DLP) Suite, which will be co-marketed by Cisco, offers the means to analyze data, identify sensitive information, and apply policies for protecting it. (See RSA Takes Suite Approach to Data Leak Prevention.)

Other vendors suggest that the links between the silos can be made by integrating tools and processes bilaterally, without necessarily making a wholesale shift in the way that the enterprise handles data. For example, many vendors and IT departments are finding ways to integrate IT security and IT operations, two disciplines that formerly operated independently.

"When I first took over as CIO, our security people and our IT operations people were in separate groups," said Dave Hansen, former CIO at Computer Associates and currently senior vice president and general manager of CA's Security Management business unit. "Now, as we put in new operations teams, there are security people integrated into them."

CA, like other vendors that make both security management and network/systems management tools, is working to integrate the data from those applications so that operations people and security people can work together to locate the sources of potential problems. In interviews at the show, executives from Cisco, IBM, McAfee, and others all said they are working on the integration of security management and traditional enterprise management tools.

"We see a natural integration point between what we're doing with security information and event management (SIEM) and Tivoli [enterprise management products]," said Joe Anthony, program director for identity and compliance management at IBM's Tivoli unit. "There's a need for them to share information -- it probably won't be the same person operating both applications, but they both need to be able to pull information about user activity from the system."

A similar type of integration is taking place between tools that collect security event information and tools designed to track and manage regulatory compliance, noted George Kurtz, senior vice president and general manager for McAfee's Risk and Compliance business unit.

"In the last six months, we've built a partner program that helps us to partner with SIEM vendors so that we can share data," said Kurtz. "It takes a lot of time and heavy lifting to do SIEM, so it doesn't make sense for us to reinvent the wheel when there are a lot of vendors out there who do it well." SIEM tools can help companies collect the data they need to prove that that they are in compliance with regulatory and industry guidelines, he observed.

Like the enterprise management vendors, McAfee is also seeing a growing need for integration between security operations and IT operations, Kurtz said. "The systems and networks have to be up and running for the security people to do their job, and security incidents can affect operations," he said. "There are different views for different roles in the organization, but they all need to share some data."

New rules requiring disclosure of security breaches and the growing market for stolen personal information also necessitates a closer relationship between two other groups that previously didn't speak much: the IT security team and the corporate privacy team, experts say.

"Now when there's a breach, it's not just an issue of IT pulling the plug," noted Deloitte's Mears. "There are legal issues with disclosure. There are privacy issues if personally identifiable information is involved. There are brand issues if the breach is public. The question of how I respond to a breach has changed, and it involves cooperation by a whole group of people."

So how long will it take for all of these different enterprise groups to get together in some sort of "converged" model? "It depends on the organization," said an attorney who has worked with enterprises on privacy and security law. "If they don't have a problem, it might never happen. But if there's a breach, all of those people could end up in a room together pretty quick."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • CA Inc. (NYSE: CA)
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Deloitte & Touche USA LLP
  • IBM Tivoli
  • McAfee Inc. (NYSE: MFE)
  • RSA Security Inc. (Nasdaq: EMC)
  • Symantec Corp. (Nasdaq: SYMC) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 4/7/2020
    The Coronavirus & Cybersecurity: 3 Areas of Exploitation
    Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
    'Unkillable' Android Malware App Continues to Infect Devices Worldwide
    Jai Vijayan, Contributing Writer,  4/8/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Digitized COVID-19 Prevention
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-04-09
    Some Dahua products have buffer overflow vulnerabilities. After the successful login of the legal account, the attacker sends a specific DDNS test command, which may cause the device to go down.
    PUBLISHED: 2020-04-09
    Some products of Dahua have Denial of Service vulnerabilities. After the successful login of the legal account, the attacker sends a specific log query command, which may cause the device to go down.
    PUBLISHED: 2020-04-09
    WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely.
    PUBLISHED: 2020-04-09
    There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.
    PUBLISHED: 2020-04-09
    An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control.