Showing posts from December, 2011

InfoSec End of Year Review - 2011 into 2012

The end of the year is coming - the goose is getting fat, the gritters are ready (some maybe even with salt...) and the supermarket 2-for-1 offers on mince pies are overwhelming. As such, I thought it would be a good time to reflect on what have been the main interest areas of 2011 from an information security perspective and what might become of 2012 - the 'new' threats or the possible realisation of the old ones - all before we lose ourselves in the midst of Christmas parties, over-eating and the warmth of a log fire.

Everyone is Aiming for the Sky (or at least the clouds) - Now beyond the hype point of deployment, many organisations are dipping their corporate toes into outsourced on-line provisioning of infrastructure, applications and services.  This emphasis on outsourced components will lead to many questions surrounding data privacy in multi-tenanted environments, supplier auditing, 'Chinese wall' considerations and SLA management.  Any organisations considering …

Securing Information - An Ideology not a Tool

Keeping stuff secure - it's a funny old business. I've been fortunate to work at several different ends of that process. Firstly within industry, working alongside business-as-usual processes and policies, through to vendors making tools to help automate security processes, through to implementation at various sized companies requiring business and technical consulting.

At all stages, the main focus was technology. Configuring a piece of technology so it was more secure: password management, ACL management, encryption standards, service disabling, policy lockdowns and so on.

Whilst working at numerous vendors, the main focus was on selling an idea that a tool could automate many of the manual tasks associated with keeping data secure - access certification processes, creating roles to manage ACLs, creating audit reports and so on.

One of the big areas missing was that of focusing on the human involvement in the security process. Whilst undoubtedly tooling has a huge part to …