I’ll come back to secure email at a later date, I’m interested to see if our business processes will come up with the same conclusions as I have. I’m prepared to admit that this is a two-sided argument, there may be a requirement for secure email, or it may be that email was never meant to be secure, so no-one will ever use it as such. Comparing it to terrestrial mail services doesn’t really help, because to a large extent, email has replaced snail mail, and even phone calls. The ‘more secure’ version of land mail was email, so the more secure version of email is…?
Personally I think it will be as the banks are finding – directing people to portals to download (NOT giving links in the mail, but asking them to log into their account – beware of phishing attacks).
So I now have 3 new Security Projects (note the capital letters) to get on with:
1. Endpoint Security – not DLP, we don’t have any data classification on our network, and it was identified specifically to stop CD burners being used on our network, so DLP is deemed too much.
2. Firewall Monitoring – thrilling stuff, we need to know if our firewall rules are sensible.
3. Web Application Scanning – Third party web app provider, variable quality of code, our problem.
I keep going backwards and forwards, depending on who I talk to about these. The higher up the chain I go, the less I want 1 and the more I want 3. When I come back to the security team, I want 2 to help them, and 1 to protect them.
I’m not sure there is a good way to justify endpoint security, not until the market has settled down a bit anyway. Maybe then we’ll be ready for DLP?
Firewall monitoring seems to be something that’s been put in to make someone’s job easier, so again, hard to justify.
Web Application Scanning on the other hand seems to be vitally important. As I’ve been brought in to secure the e-commerce rollout, I think this is the one I will be most behind.
WebInspect seems to be the best (only) option at present. I’ll talk more about how I get on with it once I’ve found the best way to justify it.
*** This is a Security Bloggers Network syndicated blog from IT Security: The view from here authored by Rob. Read the original post at: http://robnewby.blogspot.com/2008/09/more-e-projects.html