Tag Archives: enterprise

Webinar on securing IT assets

02 Monday May 2016

Posted by in Uncategorized

Leave a comment

Tags

, , ,

Having secure IT assets should enhance the overall user experience by ensuring security is more effectively and more seamlessly embedded into everyday IT and IT services provisioning activities. But IT assets have a lifecycle, and they need to be protected differently during this lifecycle. Automation of the protection process allows the core competencies of the staff to be focused on more strategic aspects of asset security than patch management or stolen passwords.

I recently shared a webinar with Dell and Markit on IT asset management and information security, which you can listen to on InfoSecurity Magazine here.

Some of the points I was making in my presentation on IT asset management were:

  • The lifecycle cost of an IT asset begins with planning and design and continues through procurement, adoption, operations, maintenance, rehabilitation/renewal, and disposal/replacement.
  • IT asset management (ITAM) seeks to optimize costs through each stage of this lifecycle, while meeting established levels of service, reliability, and risk. In today’s enterprise, ITAM plays a dual role of asset management and risk protection.
  • Protection levels can be performance-related (critical value to the business), or customer/regulatory related (impacting response times, complaints, information availability, etc.).
  • Risk is the exposure and uncertainty assumed due to the opportunity for significant damages. And data from IDC had previously forecasted that by this year, 25% of large enterprises will make security-related spending decisions based on analytical determinations of risk.

But what kind of IT assets bring the most concern to the enterprise today? Half the world’s population will be on mobile Internet by 2020. And the key drivers behind the growth in the mobile worker population include the increasing affordability of smartphones and tablets combined with the growing acceptance of corporate bring your own device (BYOD) programs. In addition, innovations in mobile technology such as biometric readers, wearables, voice control, near-field communications (NFC), and augmented reality are enabling workers in completely new ways, increasing productivity by enhancing communications and business workflows.  And these devices need to be secured to protect the enterprise.  But it is not just about endpoints, but also the network and the physical assets of the enterprise that are impacted by IT asset management not being automated and hardwired into the organization.

So one of the key points I made was that the key to a successful IT asset management program is the legwork performed before selecting solutions, including evaluating your existing IT environment, gaining executive sponsorship, setting program goals, committing the appropriate human resources, and designing strong processes that support your organization’s business objectives. Before getting started with your asset management security program, it is important to achieve the following milestones to ensure not only that the right solution is selected, but that the processes are formally established, understood, and documented.

One of the discussion points between myself and my fellow presenters was the fact that older IT assets are not as well documented as the newer ones.  I mentioned in the conversation that I had a 10 year old Dell from previous employment that was still able to access that domain. ( I am not sure which was the more startling statement, then 10 year old Dell still worked or that it could still log on to the systems of my previous employer!)   We discussed the concept of good practices (ISF Standard of Good Practice) and the importance, not only from a risk perspective but also from a compliance agenda, to be able to reduce the risk of information security being compromised by weaknesses in hardware / software and protect assets against loss, as well as support development of contracts and meet compliance requirements for licensing.

One other point I made in the presentation was around encryption. It is necessary that an IT department have an encryption plan to provide reasonable assurance that all enterprise owned devices, such as laptops, can be identified and encrypted. Encryption is at the heart of a complete endpoint security solution. When you safeguard the data, you reduce the risk of compromising sensitive customer or employee information, confidential files, and your company’s reputation.  So you need to make it easier to identify and activate new devices as they come on the network for their usage of encryption.  And to find the older devices as they log back in for software updates into the network.

The CISO on our panel from Markit talked about the convergence of IT asset management (ITAM) and security.  His point was the security professional had a very different point of view in the past on what an asset is because their focus is information risk. IT managers focused instead on where physical hardware was at any time; from a software standpoint, the focus was on consolidating license negotiations.  Now this is coming together, not only due to cyber threats but for protection of the rest of the assets (data or otherwise) of the enterprise.  Another point he made was that decisions regarding procurement, deployment and management of technology are not made centrally and then there is a disconnect. There is no point in putting into place sophisticated network forensic tools (from the network team) if there is no basic patch management from the desktop team.

Our main point: There needs to be a holistic view of IT asset management throughout the lifecycle of the object in question, and throughout the entire IT team as to how to address the risk profile of the assets.

Enterprise IT and the ever shifting focal point

13 Tuesday Oct 2015

Posted by in Uncategorized

Leave a comment

Tags

, ,

Dell’s planned acquisition of EMC, combined with the upcoming split of HP, highlights a problem that has faced enterprise IT since the beginning of the computing era.

The problem is the shifting focal point of the enterprise portfolio.  In the beginning, we had the centralized resources (mainframe, supercomputer, VAX, CDC, etc).  And the workflow, purchasing, manpower, etc were all centered around it.   Then we hit decentralized computing (minicomputers), distributed computing (UNIX), open source computing, mobile computing, and so forth. We have gone from proprietary OS to more standard OS to open source OS to mobile platforms and so forth.

Here is my point: we no longer have a central focal point, and the enterprise portfolio is now more diverse, more disseminated and from that point, harder to predict or protect. With cloud models and subscription pricing, we even go further down the decentralized path.

IT purchasing has been about decision making at a central point in the organization. And as computing has disseminated into the organization, the ability to sell and create profit as in the previous times has stumped the more centrally oriented IT salesforce. IT vendors need to reorganize themselves to look more like the portfolio of the enterprises they serve.

Just my humble opinion. #backseatdriver

 

Wearables in the Enterprise – more than watches and glasses

05 Saturday Sep 2015

Posted by in Uncategorized

Leave a comment

Tags

, , , , ,

When you hear the term “wearables”, you think of smart watches, fitbits and other consumer oriented devices. But the real market for wearables will be in the enterprise, such as on the shop floor, warehouses and in the conference rooms. This is the research I am working on right now.

Initial deployments should be industrial applications that have use cases that are specific with clear efficiency metrics and goals. Although some believe the “killer app” is the ability to work hands-free, the real level of personalization is the ability for the environment to recognize the user and his/her needs via their role in the organization. Entry/physical access, two factor authentication, personal preferences for heating and lighting, all of these can come from user recognition.

Another aspect of wearables is worker protection. For example, integrating intelligent textiles into clothing provides the possibility of changing color when exposed to damaging chemicals and/or radiation, warning the user of exposure in a way more immediately noticed than gauges or readings. Shape memory fabrics/garments can potentially be manufactured as novel fabrics which respond to the temperature stimulation, protecting workers by telling them when they might be in danger of cold or heat. And shear thickening fluid can be used for use in protective clothing as liquid body armour as it behaves as a liquid until it is exposed to mechanical stress. At that point, within a matter of milliseconds, it hardens into a solid. So when there is no threat to the wearer’s safety, he or she experiences little impairment in flexibility or range of motion, which is excellent for a warehouse or dock worker.

The eventual use of wearables among knowledge workers will be more of a generalized phenomenon, particularly when the devices become as multifunctional as their smart phones are. As many wear company badges for access to facilities, these could be become not only more fashionable but multifunctional as RFID and other technologies could be added to adapt the functionality to the role of the wearer.

Interested?  Get in touch with me.