This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."
Reliable Security Statistics and Metrics
Statistics and metrics will be the buzzwords of 2005 and beyond. Security managers need to quantify risk and measure effectiveness to refine their security programs and prove they're working.
But how do you measure security and risk, and how do you compare your enterprise's security performance and risk mitigation with those of other enterprises? How do you demonstrate compliance with regulatory requirements? Readers express a need for different kinds of metrics, baselines and guidelines across the board. Here's a sampling of what they wish for:
- Accurate baseline statistics on security incidents. Enterprises and law enforcement hold this information too close to the vest. Security managers want reliable numbers of breaches for different-sized enterprises and verticals, the level of sophistication of attackers (script kiddies vs. skilled hackers), and the cost of damages and recovery.
- Risk analysis and forecasting models. Security managers want an effective way to translate security intelligence gleaned from internal and external sources to predict future threats. This would help enterprises prepare and respond to attacks, and develop new mitigation strategies.
- Proof security policies work. You deploy all sorts of technologies and policies; you need metrics that demonstrate that the precautions and restrictions imposed by security are both necessary and beneficial.
Identity Management Tracking
Enterprise databases and directories hold an extensive amount of data on users' profiles and roles. What they don't have is a tool that normalizes that information across different identity management systems, and tracks how identity information changes over time.
Readers wish for a utility that culls this information at the time an identity is created and can compare the current profile to previous versions. They want an audit trail of what changes were made, by whom, when and why. Readers say this is essential for justifying the cost of identity management and ensuring regulatory compliance.
By setting a standard for what a user profile should look like and putting mechanisms in place to track how profiles change over time, enterprises could better ensure the integrity of their identity management scheme. Tie that validated profile to a certification scheme, and it becomes a foundation for single sign-on, validated e-mail and other security measures that depend on trusting who a user is.
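To make the wish above concrete, here is an added example (not a product described in the article, and not code from any vendor) of the core of such a utility: it maps records from two hypothetical identity sources (an HR feed and a directory export, with invented field names) onto one canonical profile, diffs each new snapshot against the previous one, and appends an audit entry recording what changed, by whom, when and why. A change with no recorded reason is refused, and the addition of a privileged role is flagged for review; both rules and the role list are assumptions of this example.

```python
"""Added example: normalize identity profiles across sources and keep an audit trail of changes."""
import hashlib
import json
from datetime import datetime, timezone

# Canonical profile shape every source is mapped onto (an assumption of this example).
CANONICAL_FIELDS = ("id", "login", "name", "department", "roles")
# Roles whose addition should be reviewed (assumed policy, not from the article).
PRIVILEGED_ROLES = {"domain admins"}

# Constructed sample records from two hypothetical sources with different field names.
HR_RECORD = {"employee_id": "E1001", "full_name": "Ada Lovelace",
             "dept": "Engineering", "groups": ["dev", "vpn"]}
AD_RECORD = {"sAMAccountName": "alovelace", "employeeID": "E1001",
             "displayName": "Ada Lovelace",
             "memberOf": ["CN=dev,CN=Users,DC=example,DC=com",
                          "CN=vpn,CN=Users,DC=example,DC=com",
                          "CN=Domain Admins,CN=Users,DC=example,DC=com"]}


def normalize_hr(rec):
    """HR feed -> canonical profile. The HR system carries no login name."""
    return {"id": rec["employee_id"], "login": None, "name": rec["full_name"],
            "department": rec["dept"], "roles": sorted(rec.get("groups", []))}


def normalize_ad(rec):
    """Directory export -> canonical profile; group DNs are reduced to their CN."""
    roles = sorted(dn.split(",")[0].split("=", 1)[1].lower() for dn in rec.get("memberOf", []))
    return {"id": rec["employeeID"], "login": rec["sAMAccountName"], "name": rec["displayName"],
            "department": rec.get("department"), "roles": roles}


def merge(*profiles):
    """Combine normalized views of one identity: first non-empty value wins, roles are unioned."""
    out = {f: None for f in CANONICAL_FIELDS}
    out["roles"] = []
    for p in profiles:
        for f in CANONICAL_FIELDS:
            if f == "roles":
                out["roles"] = sorted(set(out["roles"]) | set(p["roles"]))
            elif out[f] is None and p.get(f) is not None:
                out[f] = p[f]
    return out


def fingerprint(profile):
    """Stable hash of a snapshot so audit entries can reference exact before/after states."""
    return hashlib.sha256(json.dumps(profile, sort_keys=True).encode()).hexdigest()


def diff(old, new):
    """Field-level changes between two canonical snapshots as (field, old_value, new_value)."""
    changes = []
    for f in CANONICAL_FIELDS:
        if f == "roles":
            changes += [("roles", None, r) for r in sorted(set(new["roles"]) - set(old["roles"]))]
            changes += [("roles", r, None) for r in sorted(set(old["roles"]) - set(new["roles"]))]
        elif old.get(f) != new.get(f):
            changes.append((f, old.get(f), new.get(f)))
    return changes


class IdentityLedger:
    """Latest snapshot per identity plus an append-only audit trail of every change."""

    def __init__(self):
        self.snapshots = {}
        self.audit = []

    def record(self, profile, actor, reason, when=None):
        """Store a new snapshot and log each change; returns the list of changes."""
        if not reason:
            raise ValueError("every identity change needs a recorded reason")
        when = (when or datetime.now(timezone.utc)).isoformat()
        empty = {f: None for f in CANONICAL_FIELDS}
        empty["roles"] = []
        prev = self.snapshots.get(profile["id"])
        changes = diff(prev if prev else empty, profile)
        for field_name, old, new in changes:
            self.audit.append({
                "when": when, "who": actor, "why": reason, "id": profile["id"],
                "field": field_name, "old": old, "new": new,
                "before": fingerprint(prev) if prev else None, "after": fingerprint(profile),
                # Privileged role additions are flagged so a reviewer can confirm them.
                "review": field_name == "roles" and new in PRIVILEGED_ROLES,
            })
        self.snapshots[profile["id"]] = profile
        return changes


if __name__ == "__main__":
    ledger = IdentityLedger()
    current = merge(normalize_hr(HR_RECORD), normalize_ad(AD_RECORD))
    ledger.record(current, actor="hr-sync", reason="onboarding")
    for entry in ledger.audit:
        print(json.dumps(entry, sort_keys=True))
```

Each audit entry carries the hashes of the snapshot before and after the change, so a later reviewer can prove which exact profile version a given role grant was applied to; that is the trail readers asked for when justifying identity management spend to auditors.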
Wishes Do Come True
Surprisingly, we got a lot of submissions for things that already exist, and perhaps some solutions are already in product development projects. Which of these wishes will come true? That will likely depend on necessity.
Security wizards are dreaming up new approaches and technologies all the time. They'll find new uses for existing technologies, such as using security information management systems as forensics tools, or combine new technologies with existing product sets, such as adding SSL VPNs to firewalls. But real innovation will come from those who devise the next revolutionary idea, just as Whit Diffie and Martin Hellman did when they devised the first public key exchange.
What affects change and innovation is consumers--the enterprise security managers--conveying their needs to vendors, and startup companies acting as the incubators of new technology. We'll be watching to see which of these wishes come true and what other necessities arise.
This was first published in January 2005