Clear up some of the confusion over endpoint security. How does AFLAC define it?
Ray: A lot of people relate endpoint security to one particular technology component, one solution to solve all your issues. The approach we've taken is a multilayered one. Endpoint security is not defined as antivirus, or a desktop firewall or patching. It's a combination of all of those, plus the policies and procedures in place in an organization. A lot of people lose sight of that.
I have a government background, so I believe that having policies and a framework is key. We define a role-based access strategy first, then look at what technology is used to protect a system. At that point, we start looking at what are the different risks, what kind of information we're protecting, what applications are running and who gets access to them.
So it's about more than integrity checks on workstations and devices?
Ray: That's a very proactive step. For a lot of incidents, companies have to worry about them after the fact, and it sucks up a lot of resources to clean up a virus attack, for example. Integrity checks are great solutions; it helps quite a bit to do these up front.
What does AFLAC do beyond integrity checks?
Ray: A lot of it is configuration management around servers and how to manage that. VPN access and managing how people come in to our network remotely is important as well. A lot of boundaries are blurred for what defines the perimeter. How do you control B2B partners, and the devices they connect to? It's a big issue with many companies, and the layers start increasing there because you have to worry about network access controls and enforcing VPN controls. Up-to-date virus scanning and patching are important to endpoint security, and a lot of that is built into software packages. Host-based firewalls IPS, IDS are critical. Then, there's the big issue of endpoint encryption, which helps protect you from physical theft, but doesn't protect you against Internet-based threats. A lot of people call it endpoint security, but it's one more layer, not a solution.
How much of an impact has the spate of data breaches had on your endpoint security strategy?
Ray: It's something we're definitely aware of, and make sure we're ahead of ballgame. You'll see a lot of companies responding that they weren't prepared or addressing security in layers. They had one component and considered it their protection.
Have the headline breaches facilitated communication for you with senior management?
Ray: I don't like running a security program based on FUD. A lot of these endpoint problems have existed for a while, but they're just going mainstream now. If anything, the most significant issue out of the recent headlines, has been the turnaround in which the states have enacted privacy laws, and are now looking at federal privacy laws. That has an impact on our company, especially because we operate on a national scale, we have to meet many different requirements.
How does AFLAC address removable storage media--iPods, USB drives?
Ray: If there's a list of things that keeps me up at night, that's definitely on the list. Everyone has an iPod or a free USB drive. It's interesting, but is it really new? No, it's been going on since the 5 ¼ inch diskette. We don't take the stance of trying to block these devices; we find it unrealistic, at least on workstation levels. I've been in sensitive government areas where that position is not taken. It's up to us to enforce adequate security, and still enable business. We have to monitor activity and enforce policy.
What kind of problems do contractors pose when connecting to your network?
Ray: We don't allow people to connect to the network. If they need to connect for a demo or presentation, they can connect to an external DSL line we've set up. My goal is to have it where we can be more of an enabler, and do the integrity checks on their systems, and put them on a separate network if they don't' meet our standards. But there are obstacles surrounding that, it's not so easy to implement that.
This was first published in September 2006