Articles for February 2015

EA and Information Security are now joined at the hip (or they should be)

Are you paying attention to all the scary things happening in cyberspace these days? I’ve commented on the Target data breach. Since then we’ve had reported breaches at Home Depot, JPMorganChase, Sony Entertainment, Anthem, and now Intuit. And there are more, only the victim doesn’t know it yet or they just aren’t talking yet. Everyone has been or will be hacked!

If your enterprise treats information security as an add-on or afterthought rather than an intrinsic part of your enterprise architecture, you are compounding your risk. You want your CEO to be able to stand up in front of the cameras and say:

“Yes, someone got in. But everything they took was encrypted using the most difficult algorithm and they don’t have the decryption key. They were unable to view any data flowing on our network because it was encrypted using the same algorithm. They couldn’t access any of the applications or servers because they didn’t have the credentials needed to log in. We have and enforce policies that prohibit our employees from creating unsecured data stores; any such data must be stored on file systems encrypted using that same algorithm.

Basically, what they got, they can’t use unless they spend unrealistic effort trying to crack the encryption on those files and are successful. They’ll steal from someone less prepared than we are before they try that because it will be easier.”

For most enterprises, this is a pipe dream. You have to be prepared and have all those things in place before the intruders hit. Most enterprises will only start thinking about “what if” after it happens.

You have to bake this type of preparation into your information systems very early in the process. This means you must have a defined, detailed information security plan and include its requirements anytime you create, modify, or maintain a system or network. This means your information security professionals need to be at the table when you’re talking about any changes to your process or systems environment. It means that information security must be an important partner of the enterprise architect.