How often do you hear, "We have some extra money to spend, so tell me what you'd like to purchase"?
Those words are certainly rare in my company, so when my CIO asked his direct reports to draft wish lists, I was quick to spin up Microsoft PowerPoint and put together a set of slides. This wasn't a free-for-all, of course; it was a one-time windfall. The money had to be spent quickly, so there was no point in requesting the deployment of new infrastructure, which would require a dedicated project manager and tons of resources. I kept my list short, focusing on things that could be rolled out quickly and yet add value. Here's my list, and some of my rationale.
Secure FTP. Currently, we're using an old Solaris server that's sitting in our DMZ and running an old version of WU-FTP. Neither the server nor the operating system is supported any longer. It's far from a secure setup (all data is passed in cleartext), so it's solely for internal use. We need something that we can let our customers and partners use and that would be acceptable to use during mergers, acquisitions and joint ventures. I'd like to be able to accommodate various methods of FTP, including Web-based uploads and downloads. And I want encryption on the hard drive and for all transmissions and credentials.
SecurID two-factor authentication for Microsoft Outlook Web Access (OWA). It would cost us nothing to enable SecurID for our OWA servers, and it's a trivial configuration. But we would have to issue US$75 tokens to almost every employee. With 7,000 workers, that could be an expensive proposition. And then there's the overhead of additional head count to manage the deployment and take help desk calls.
A security policy compliance and confirmation tool. We have lots of security policies but no way to ensure that employees have read them. We place our policies on the corporate Web site, which is an improvement on three-ring binders only in that they don't collect dust on the bookshelf. The policies are available to all, but people don't know about them and aren't strongly encouraged to read them. Policies that no one knows about don't accomplish anything, but there's another really good reason to be able to track employees' awareness. As regular readers will recall, earlier this year we discovered by chance that one of our employees was forwarding source code algorithms to his personal e-mail account. The U.S. attorney was involved in the case, but in the end, we couldn't prove that the employee knew that what he had done was against our policy.
A comprehensive vulnerability assessment. Things have been moving too fast around here for someone as busy as I am to do all the vulnerability assessments that would seem prudent. I am particularly concerned right now about our recent IP telephony and SAP Basis deployments. IP telephony was deployed on a fast track and in a limited fashion about a year ago, and we plan to expand the technology's use. Before we do that, I want some professional reassurance that we have thoroughly mitigated the risks that IP telephony and all its bells and whistles can bring. We use SAP for financials and recently installed Basis as the middleware for providing security controls around access and administration of the data and components. The project had security at its heart, but I've learned that just because you purchase "security," that doesn't mean it will be deployed in a secure manner. I want to hire some experts to audit our implementation.
So, that's my list. I think it's all reasonable, and I expect we will get the needed funding and support.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.