Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


March 21, 2007
Podcast: While Many Companies Are Protected Against Outsider Threats, Insider Threats Remain: Ecora's Solution

Listen to or download the entire 7:56 podcast below:

The following is a summary of my podcast with Alex Bakeman, Chairman and Founder of Ecora.

Current data security compliance laws.

Sarbanes-Oxley, which is for public companies; GLBA, which primarily affects financial companies; PCIDSS (Payment Card Industry Data Security Standard), which has come out of the major credit card brands and primarily affects every organization that processes credit cards; FISMA (Federal Information Security Management Act of 2002) in the federal government; so it’s a long and growing list of regulations and security standards.

Are companies currently meeting the standards of protecting sensitive information?

Unfortunately not. Just about every day we’re hearing about a new security breach. Most companies are taking a very reactive approach instead of being proactive.

The problem is people’s personal information is at risk. Identity theft is at an all time high and that is the reason so many new regulations are coming forth.

How would Ecora have helped the recent highly publicized security breach at TJX, which owns TJ Maxx stores?

If TJX took security seriously they would have been compliant with the PCIDSS security standard which has been around since 2005. As part of the compliance process they would have used Ecora Auditor to scan their IT infrastructure as well as their databases and operating systems and discovered points of vulnerability.

Explain the “insider” threat problem with sensitive information.

Companies have done a really good job for the most part building perimeter security: putting firewalls in place, creating intrusion detection, creating antivirus protection. But what has been really missing is a focus on people inside the company, many of whom have high access, very privileged access to critical data, i.e. system administrators, people in the financial group. Unless organizations take steps to secure the critical data systems that these people have access to, the internal risk of someone being unhappy with a company and then taking advantage of that access by exploiting that information, stealing that information, or selling that information is very high.

If you look at some of the most publicized and very expensive security breaches, in almost all of them there was an insider who was crucial to that event taking place.

How does visualizing and automation solve the problem of the growing security threat of system complexity?

The fundamental problem is we’re dealing with very complex IT systems. Compare what a typical IT system looked like just 10 or 20 years ago to what it looks like today – there are many more devices, complex network connections, databases, applications, application enablers – just the amount of technology has expanded dramatically. Each piece of technology comes with configuration settings which control much of the security, which control who has access to what system and data.

Essentially, you have people dealing with an exponential number of configuration settings, and unless they are able to quickly and proactively monitor them on a daily basis, identify changes, and review changes (critical changes), they are really not being secure.

For example, say there was a change in access control and you find out a new person has been added to the system administration group. It would be a very good idea for someone in the organization to review the access and make sure it is a valid person with valid access.

Explain Ecora’s approach to password compliance.

Many of the compliance requirements and regulations focus on password compliance management. Policies such as every employee should change passwords every 30 days, or passwords should be at least 8 characters long and have alphanumeric character sets. These are examples of the type of organizational policies that improve security compliance.

Ecora Auditor enables security professionals and IT auditors to very quickly audit compliance with that policy, find noncompliant IDs, and take action.
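The two audit checks described above (reviewing additions to the system administration group, and finding IDs that violate the 30-day / 8-character / alphanumeric password policy) as an added illustration; this is not Ecora's code, and the host snapshot format, host names and account dates are constructed for the example.

```python
from datetime import date

# Policy from the post: rotate every 30 days, at least 8 characters, alphanumeric.
POLICY = {"max_age_days": 30, "min_length": 8, "require_alnum": True}

# Constructed snapshot of two hosts (hypothetical format, not Ecora's export).
# max_age_days of 0 means "passwords never expire".
HOSTS = [
    {"host": "db01",
     "password_settings": {"max_age_days": 30, "min_length": 8, "require_alnum": True},
     "accounts": {"alice": date(2007, 3, 1), "svc_backup": date(2006, 11, 15)}},
    {"host": "fin02",
     "password_settings": {"max_age_days": 0, "min_length": 6, "require_alnum": False},
     "accounts": {"bob": date(2007, 3, 10)}},
]
AS_OF = date(2007, 3, 21)  # constructed audit date


def audit_password_compliance(hosts, today):
    """Return (host, finding) pairs for every setting or account that violates POLICY."""
    findings = []
    for h in hosts:
        cfg = h["password_settings"]
        if cfg["max_age_days"] == 0 or cfg["max_age_days"] > POLICY["max_age_days"]:
            findings.append((h["host"], "max password age exceeds %d days" % POLICY["max_age_days"]))
        if cfg["min_length"] < POLICY["min_length"]:
            findings.append((h["host"], "minimum length below %d" % POLICY["min_length"]))
        if POLICY["require_alnum"] and not cfg["require_alnum"]:
            findings.append((h["host"], "alphanumeric passwords not enforced"))
        # A stale password is noncompliant even on a host whose settings are correct.
        for user, last_set in h["accounts"].items():
            age = (today - last_set).days
            if age > POLICY["max_age_days"]:
                findings.append((h["host"], "account %s password is %d days old" % (user, age)))
    return findings


def admin_group_changes(before, after):
    """Diff two snapshots of the system administration group: (added, removed)."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


if __name__ == "__main__":
    for host, finding in audit_password_compliance(HOSTS, AS_OF):
        print(host, finding)
    added, removed = admin_group_changes(["root", "alice"], ["root", "alice", "mallory"])
    print("new admins to review:", added, "removed:", removed)
```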

What is the future for compliance?

Many more regulations are on the way and the regulations themselves are going to get more stringent. The primary driver is consumer safety, consumer information protection and data protection. As long as it remains an issue, and I believe we’ve only seen the tip of the iceberg, and as long as the public remains at risk, the number of regulations is only going to increase. We’re seeing more and more regulations within various industries, for example NERC in the energy sector. The Japanese are adopting Sarbanes-Oxley, which they're calling JSOX.

It’s a worldwide phenomenon. We’re dealing with sensitive data that needs to be protected and unless organizations proactively take steps to become compliant and protect the sensitive data, the government is inevitably going to step in and ratchet it up.

Posted by pschooff