In order to protect your assets, you must first know what they are, where they are, and how they are tracked and managed. Are they secured? Who has access to them? Who tracks and manages them? Do you have functional procedures in place to respond and recover from a security breach quickly? Do you have a process improvement cycle to prevent re-occurrence?
These are all important issues related to assets. It’s also important to remember what an asset is: anything used in a business task. Generally, asset protection involves identifying assets, assessing an asset’s value, and determining the technologies needed to provide sufficient security for that asset. There are many facets to the job of asset security, such as cloud computing, virtualization, secure coding, identity management, information assurance, and public key infrastructure.
The cloud offers computing services as a commodity involving a wide range of capabilities including online storage and backup, virtual/remote desktop, collaboration services, software as a service, platform as a service, and infrastructure as a service. Popular services include: online office productivity (such as Google Docs or Office 365), computing services for custom applications (such as Engine Yard or Windows Azure), or complete back-end scalable datacenters (such as GoGrid or Rackspace).
Virtualization is the creation and/or support of the simulated copy of a real machine or environment. It has several advantages and disadvantages:
- Provides virtual hardware platforms, operating systems/platforms, storage capacity, network resources, and applications
- Hosts applications on a different OS than they were originally designed or allows a single set of server hardware to host several server operating systems in memory simultaneously
- Offers benefits of lower hardware costs, reduced operating costs, efficient backups/restoration, high availability, portability of services, faster deployment, expandable/scalable, and more
- Adds security to the computing environment by permitting servers to be logically separated from each other
- Can cause problems with licensing, patch management, and regulation compliance, which may cause slower performance of services, greater potential of single point of failure, and potential security concerns due to hardware re-use or sharing
Secure coding includes the consideration of appropriate controls at the onset of development, proper consideration given to design, robust code and error routines, minimizing verbose error messages, eliminating programmer back doors, bounds checking, input validation, separation of duties, and comprehensive change management. Failure to use secure coding practices leads to software that is susceptible to buffer overflow attacks, DoS attacks, and malicious code injection attacks. Non-robust code can also provide a path for database and command injection attacks.
Identity management involves protecting data a company collects from its customers and employees; that is, personally identifiable information (PII). This protection includes proper classification of information, delineation of the lines of communication, and strict policies and procedures for access control. Accountability is a key requirement to hold all information requestors (“subjects”, both internal users and outside attackers) liable for their actions.
Credentials are a popular form of PII subject to attack. All repositories of personal information, access channels to those repositories, and exchange of information with those repositories must be protected with strong authentication and encryption.
Information assurance satisfies management’s desire for a given security profile, indicating that all data is properly protected and able to be accepted as accurate and readily available. The set of processes needed to support this assurance requires the establishment of a reliable means to lock down assets and track their usage. Specifically, information assurance is focused on the security of data or information typically as stored in files. It is important to properly manage the risk of using, processing, transmitting, and storing these data files. Secure data management addresses not just electronic or digital issues, but also physical storage media (especially portable media).
Public Key Infrastructure
Public key infrastructure (PKI) is a security framework generally comprised of four main components:
- symmetric encryption – used for bulk encryption for storage or transmission of information
- asymmetric encryption (often public key cryptography) – used for digital signatures and digital envelopes (i.e., secure exchange of symmetric keys)
- hashing – used to check and verify integrity
- a reliable method of authentication
Customers’ belief in the credibility of certificates, and therefore security of transactions with your website, depends on the reputation and reliability of the CA. As with any protection measure, companies need to understand what PKI technology affords us in terms of protection, as well as to be cognizant of the technology’s limitations and vulnerabilities.