Raising the Grade
In late 2003, the House Government Reform Subcommittee on Government Efficiency, Financial Management and Governmental Relations issued its third annual report card, giving the computer security efforts of 24 major executive branch agencies an overall grade of “D.” The Office of Management and Budget reports that a significant part of the computer security problem remains with senior managers who have failed to focus sufficient attention on computer security.
If Washington is going to implement the vast inter-agency communications initiatives touted in recent years, it is vital that security get better marks. Here is a quick list of five best practices that can help raise the grade:
- Encrypt data while it is in transit and at rest
Encryption is a fundamental building block for protecting data. Sensitive data should be encrypted end-to-end, while in transit in the application and while resting on a device such as a server, where it is most vulnerable. Applying encryption from the point of data entry to its final repository protects data from corruption and exposure.
- Set up an administrative password change policy
Mismanagement of administrative passwords is a major cause of security breaches and one of the top reasons for long recovery processes after IT failures. At the same time, systems and network managers need fast access to routers, servers and other infrastructure building blocks to resolve problems quickly. It is important to look closely at how passwords are stored and how network and security management controls them.
- Think in terms of multiple layers of security
Just as it’s best to dress in layers to keep warm in the winter, it’s best to have a layered approach to security. Security architects must design a multilayered security infrastructure in order to address the strengths and limitations of each type of security product. Layers should include standard perimeter security and security technologies in front of data, such as authentication, access control and file encryption.
- Monitor and audit regularly
Continually monitoring information enables one to react in real time to suspicious activity. Maintain audit logs to complement monitoring, as they contain historical information for further scrutiny.
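The two practices above, administrative password handling and monitoring backed by audit logs, come together in this added example, which is not part of the original article and is not Cyber-Ark code: a small Python review of a constructed audit log that reports administrative accounts whose passwords are past their rotation window, bursts of failed administrative logins, and a successful login that follows such a burst. The log format, the sample lines, the 90-day rotation policy and the three-failures-in-ten-minutes threshold are all assumptions made for the example.

```python
"""Audit-log review for administrative accounts (added example).

The log format below is an assumption for this example, not any product's
real format: one event per line as
    <ISO timestamp> <EVENT> <account@host> <source address>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; a real policy would come from the organisation.
MAX_PASSWORD_AGE = timedelta(days=90)     # rotate admin passwords at least every 90 days
FAILED_LOGIN_THRESHOLD = 3                # alert on this many failures for one account ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within this sliding window

# Constructed sample log: one admin password changed long ago, a burst of
# failed root logins from an unfamiliar address followed by a success.
SAMPLE_LOG = """\
2003-10-01T08:00:00 PASSWORD_CHANGE admin@router01 10.0.0.5
2003-11-15T09:12:00 PASSWORD_CHANGE root@fileserver 10.0.0.5
2004-01-20T22:01:10 LOGIN_FAIL root@fileserver 10.0.9.77
2004-01-20T22:01:40 LOGIN_FAIL root@fileserver 10.0.9.77
2004-01-20T22:02:05 LOGIN_FAIL root@fileserver 10.0.9.77
2004-01-20T22:03:00 LOGIN_OK root@fileserver 10.0.9.77
2004-01-21T07:30:00 LOGIN_OK admin@router01 10.0.0.5
"""


def parse_log(text):
    """Parse log text into (timestamp, event, account, source) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, source = line.split()
        events.append((datetime.fromisoformat(ts), event, account, source))
    return events


def stale_passwords(events, as_of):
    """Return {account: last change time} for accounts whose most recent
    PASSWORD_CHANGE is older than MAX_PASSWORD_AGE as of `as_of`, or that have
    no recorded change at all (value None)."""
    last_change = {}
    accounts = set()
    for ts, event, account, _ in events:
        accounts.add(account)
        if event == "PASSWORD_CHANGE" and ts > last_change.get(account, ts - timedelta(seconds=1)):
            last_change[account] = ts
    stale = {}
    for account in sorted(accounts):
        changed = last_change.get(account)
        if changed is None or as_of - changed > MAX_PASSWORD_AGE:
            stale[account] = changed
    return stale


def login_anomalies(events):
    """Scan events in time order and flag:
    - a burst of FAILED_LOGIN_THRESHOLD or more LOGIN_FAIL events for one
      account inside FAILED_LOGIN_WINDOW -> (account, source, first failure);
    - a LOGIN_OK for that account within the window after the burst's last
      failure -> (account, source, time), the case most worth a human look."""
    recent_fail = defaultdict(list)   # account -> failure times still inside the window
    burst_last_fail = {}              # account -> time of the latest failure in a burst
    bursts, successes_after_burst = [], []
    for ts, event, account, source in sorted(events):
        if event == "LOGIN_FAIL":
            hits = recent_fail[account]
            hits.append(ts)
            while ts - hits[0] > FAILED_LOGIN_WINDOW:   # expire failures outside the window
                hits.pop(0)
            if len(hits) >= FAILED_LOGIN_THRESHOLD:
                if account not in burst_last_fail:      # report each burst once
                    bursts.append((account, source, hits[0]))
                burst_last_fail[account] = ts
        elif event == "LOGIN_OK":
            last = burst_last_fail.get(account)
            if last is not None and ts - last <= FAILED_LOGIN_WINDOW:
                successes_after_burst.append((account, source, ts))
    return bursts, successes_after_burst


def review(log_text, as_of):
    """Run both checks over `log_text` and return plain strings for reporting;
    `as_of` is an ISO-8601 timestamp such as '2004-01-21T00:00:00'."""
    events = parse_log(log_text)
    stale = stale_passwords(events, datetime.fromisoformat(as_of))
    bursts, successes = login_anomalies(events)
    return {
        "stale_passwords": {a: (t.isoformat() if t else None) for a, t in stale.items()},
        "failed_login_bursts": [(a, s, t.isoformat()) for a, s, t in bursts],
        "success_after_burst": [(a, s, t.isoformat()) for a, s, t in successes],
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG, "2004-01-21T00:00:00").items():
        print(finding, items)
```

Running the block reports `admin@router01` as past its rotation window (112 days since its last change on the constructed timeline), one burst of three failed `root@fileserver` logins from 10.0.9.77, and the success from the same address 55 seconds after the last failure. The sliding window is what keeps this usable as a real-time monitor rather than only an after-the-fact audit: each event is judged as it arrives, while the full log remains available for the historical scrutiny the article recommends.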
- Enable more transparent access
Don’t burden end-users with hard-to-understand security tasks. Use products that are secure by default and employ transparent security measures that do not make a product more difficult to use.
Ronen Zoran is director of technical services for Cyber-Ark Software Inc., a vaulting solutions provider for secure information repositories and instant enterprise connections. He can be reached at [email protected].