What is Enterprise Security?

While I know that some practitioners are going to scoff when I ask the question “What is enterprise security?,” I’m going to ask it anyway.

You see, great leaps forward very often start with questioned assumptions. Ptolemy assumed (based on a set of perfectly logical assumptions) that the sun rotated around the earth. It was only when subsequent thinkers questioned his universally held theory (in many cases at great personal cost to themselves) that a cataclysmic advance in humankind’s understanding of the solar system became possible.

The point is, if we don’t stop every once in a while to question what we believe, we can hold on to outmoded assumptions way past their “sell by” date. And when it comes to the security of the information we steward in our organizations, outmoded assumptions create risk. In other words, if you assume things about your environment that (maybe) were true once – but aren’t now – you put yourself in a situation where conclusions you base on those assumptions may very well be false.

Take an assumption like this one: “Two devices on the same isolated network segment communicate more-or-less privately.” Maybe that’s true. But if you’re wrong – like if the segment doesn’t stay isolated or someone moves one of the devices off that segment? Risk.
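The segment-isolation assumption above is one that can be checked rather than trusted. The Python below is an added example, not code from the original post: it models a simple first-match ACL and a device inventory (all segment names, addresses, rules and hosts are constructed for illustration) and reports where traffic to or from the "isolated" segment is in fact permitted, and which devices expected on the segment are now addressed elsewhere.

```python
"""Check the 'isolated segment' assumption against policy and inventory.

Added example; not code from the original post. All segment names,
addresses, rules and hosts below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ACL entry: first matching rule wins, implicit deny at the end."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed data: the segment we assume is isolated, and its neighbours.
ISOLATED = net("10.20.0.0/24")
OTHER_SEGMENTS = {"corp": net("10.0.0.0/16"), "guest": net("192.168.50.0/24")}

# Constructed ACL. The first rule is the kind of "temporary" exception
# that quietly invalidates the isolation assumption.
RULES = [
    Rule(net("10.20.0.0/24"), net("10.0.5.0/24"), "permit"),  # jump-host exception
    Rule(net("10.20.0.0/24"), net("0.0.0.0/0"), "deny"),
    Rule(net("0.0.0.0/0"), net("10.20.0.0/24"), "deny"),
]

# Constructed inventory: where each device should be vs. where it was last seen.
EXPECTED_ON_SEGMENT = ["plc-01", "hmi-01"]
OBSERVED_ADDRESSES = {"plc-01": "10.20.0.11", "hmi-01": "10.0.5.40"}


def first_match(src, dst, rules):
    """Return the first rule whose src/dst ranges overlap the flow, else None."""
    for rule in rules:
        if rule.src.overlaps(src) and rule.dst.overlaps(dst):
            return rule
    return None  # implicit deny


def find_isolation_breaks(segment, other_segments, rules):
    """List (flow description, rule) for every permitted path in or out of segment."""
    breaks = []
    for name, other in other_segments.items():
        outbound = first_match(segment, other, rules)
        if outbound is not None and outbound.action == "permit":
            breaks.append((f"{segment} -> {name}", outbound))
        inbound = first_match(other, segment, rules)
        if inbound is not None and inbound.action == "permit":
            breaks.append((f"{name} -> {segment}", inbound))
    return breaks


def devices_off_segment(segment, expected_hosts, observed):
    """Hosts expected on the segment whose last-seen address lies outside it."""
    return [
        host for host in expected_hosts
        if ipaddress.ip_address(observed[host]) not in segment
    ]


def assumption_holds(segment, other_segments, rules, expected_hosts, observed):
    """True only if no permitted cross-segment path exists and every device is home."""
    return (not find_isolation_breaks(segment, other_segments, rules)
            and not devices_off_segment(segment, expected_hosts, observed))


if __name__ == "__main__":
    for flow, rule in find_isolation_breaks(ISOLATED, OTHER_SEGMENTS, RULES):
        print(f"permitted path {flow} via {rule}")
    for host in devices_off_segment(ISOLATED, EXPECTED_ON_SEGMENT, OBSERVED_ADDRESSES):
        print(f"{host} expected on {ISOLATED}, seen at {OBSERVED_ADDRESSES[host]}")
    print("isolation assumption holds:",
          assumption_holds(ISOLATED, OTHER_SEGMENTS, RULES,
                           EXPECTED_ON_SEGMENT, OBSERVED_ADDRESSES))
```

The overlap test is deliberately coarse: any permit rule that touches both segments is reported, even if it covers only part of them, because from a defender's point of view a partially permitted path is still a broken isolation assumption. Run against the constructed data, the script flags the jump-host exception as a permitted path from the isolated segment into the corporate range, and flags hmi-01 as having left the segment.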

The answer to the question “What is enterprise security?” is neither static nor a given. And while many organizations on the edge of change are rethinking and embracing what “enterprise security” means and adjusting accordingly, just as many are clinging to outmoded definitions about what’s “inside” vs. “outside” the enterprise and what’s “security’s job” vs. not. These boundaries just aren’t as meaningful as they used to be.

“Enterprise” and “security” are borderless

First, it’s important for security practitioners in today’s IT shops to realize that the definition of “enterprise” is changing. A few years ago we in security talked casually about the “disappearing perimeter” (remember that?), but for today’s security practitioner an appropriate question might be, “What perimeter?”

If it wasn’t true before, it’s certainly true now: Enterprise security and location of resources are unrelated. From a location-of-access standpoint, take the trend of mobility to its ultimate conclusion: Users employ an array of mobile platforms to send email, modify documents and close deals – or they access critical applications from home machines not provisioned by the organization. But the data we hold needs to be protected just the same. Just because devices accessing critical resources aren’t coming from some arbitrarily drawn geographical border doesn’t mean that the security of those resources is any less relevant.

On the other hand, “enterprise” isn’t defined by location of computing resources either. This time, take cloud to its conclusion: Critical business applications sit on dormant virtual machine images in redundant, geographically distributed data centers. These images are spun up on demand in response to user requests, live just long enough to service the request, and then are spun down to conserve energy, bandwidth and CPU cycles. Enterprises reallocate storage and processor resources on the fly across the globe in response to user demand, business volume, time of day or any number of other factors specific to their business. Are you free from the need to care about security because your data is hosted outside your data centers? No.

In both cases, security is still a critical factor of supporting the organizational mission. But the temptation – particularly when we’re strapped for resources or under the gun to deliver a critical task – can be to draw a line in the sand and decide that certain technologies are outside the boundary of our security plan because they’re implemented by a vendor or because they leverage devices we didn’t provision. But nothing could be further from the truth. In fact, this just makes security more important rather than less.

“Enterprise” is defined by data; “security” by relationship

So if geographic location doesn’t define what’s in the enterprise, what does? In my opinion, it has to be the data. When geographical boundaries no longer define what’s “inside” vs. “outside” and security isn’t tethered to particular systems or applications, the answer has to be to focus on what we’re ultimately trying to protect: the mission of the organization. And the embodiment of the organizational mission is the data the organization creates, processes and stores.

Said another way, information systems used by an organization process and store data for a particular purpose; so the data those systems operate on are the raw materials that the organization uses to complete that purpose. Everything that goes into the processing and storage of that data – no matter where it’s located or at what third party – is in scope from a security standpoint and therefore must be included in “enterprise security.”

This is true even when the data is outside of your organization’s direct control. Say for example your hospital outsources storage of your medical records. If your medical records get exposed inappropriately, do you honestly care whether it was the hospital that accidentally lost them or whether it was a service provider? I don’t. I have a relationship with the entity that I trusted with my data. And I trust them to only share that data with trustworthy organizations. So when someone violates that trust and puts users at risk, users are going to hold accountable the entity they trusted in the first place.

Just as the data defines what the enterprise is, so also is “security” defined by the chain of relationships along which that data travels. If the data is compromised, the responsibility for failure to protect that data rests with the organization that has the relationship with the data owner. If the confidentiality, integrity or availability of that data is key to supporting the organizational mission, the organization is the one that takes the hit. If the organization is acting as a steward of that data on behalf of someone else, it is the one with the relationship to the data owner and is therefore the one to take the hit when security fails to protect that data.


Ed Moyle is senior security strategist at CenturyLink.
