Laying a New Year’s Course for Security

It’s time for a fresh start. What better opportunity to decide which projects will get attention in coming months?

December was a complete blur for me. After being away for training and a vacation, I’m having a difficult time getting my head into what needs to be done at work in this new year. Things aren’t much better at home, where the Christmas tree stands almost bare, waiting to be put out of its misery, and unwrapped presents are still scattered about. At least I cleaned my office before I went away.

But my orderly desk disguises the fact that all the things that were not completed last year are awaiting my attention. Managing both IT and security gives me a lot of infrastructure components to think about, but I like it that way. I can take a more holistic approach.

Let’s see: I have to prepare the IT spending plan for the state agency, complete the employee reviews, decide on a document management vendor, define a comprehensive encryption initiative, bring the virtual private network online among our branch offices, prepare another security-awareness training module, decide whether dual-core technology has a place on the desktop, prepare for Vista (or not) and consider whether NAC (Cisco’s Network Admission Control technology) is worth pursuing, as well as how NAP (Microsoft’s Network Access Protection) fits into the picture. Oh, and this is the month the state auditors will peek into our infrastructure.

I need to prioritize, but that isn’t easy when everything seems equally important. Some people get stuck in the details, but I seem to get stuck on the big picture. Making decisions about information and security technologies is similar to solving a riddle or a puzzle. The clues have to be examined and the pieces have to fit together to find the best solution possible. Even then, the rate of technology change can invalidate carefully made decisions.

But I’ve learned that there always comes a point when you have to say, “All right, I’ve reviewed as much information as is reasonable. Now I have to make some decisions, right or wrong.” So, right or wrong, here’s what I see for us this year:

  • We are not going to upgrade to Vista.
  • We are going to upgrade to dual-core technology.
  • We are going to encrypt network traffic, file systems and databases.
  • We are going to find a document management system that is secure and easy to use.
  • We are going to get a handle on log file management.
  • We are going to investigate unified threat management systems.
  • We are going to provide security awareness training in a fun, informative and consistent way.
  • We are going to understand NAC vs. NAP and evaluate our choices.

A Closer Look

I don’t know yet exactly how we are going to accomplish these things. And it’s not clear which technologies we will choose. There are dozens of vendors out there whose products promise to solve our problems.

For instance, do we go with AMD or Intel for dual-core technology? We’ve standardized on AMD processors, but Intel seems to be storming ahead. Will any of our current applications make use of dual-core technology, or are we just preparing for a future that may actually include quad- and even eight-core processors?

Vista is at least a year away for us. We hope this isn’t a mistake. With Microsoft, it has always been better to wait and see how things go before jumping to a new operating system. And we will have to understand Microsoft’s licensing agreements. From what I’ve heard, Microsoft is making it difficult to not upgrade to Vista. We shall see.

We want to better secure our network and access to it, so do we follow along with Cisco or prepare ourselves for Microsoft’s NAP? From what I can tell, NAP isn’t ready for prime time, since it requires Vista and the new “Longhorn” Windows server, which hasn’t been released.

Cisco’s NAC seems closer at hand, but it would require us to add server hardware and client software — a Cisco Secure ACS server and a desktop agent (Cisco Trust Agent) — in addition to making router configuration changes and integrating the system with antivirus and software distribution servers.

The good news is that Cisco and Microsoft have collaborated and cross-licensed their technologies. This will make migrating to a network access technology doable in the future.

Grasping what needs to be done in the encryption arena is like grabbing a tiger by the tail. Since our agency handles electronic protected health information, we must tame this tiger. We currently protect data using access controls, but they can be circumvented by a sophisticated hacker, and encryption provides another layer of defense for data at rest and in transit.

Then there are log files. We store system logs on a secured file server. If we’re going to be cognizant of suspicious events, the logs have to be manually inspected on a daily basis, but we are far from doing that. And that brings us to threat management.

When I say “unified threat management,” I mean a method of bringing together all the data our systems write to log files and correlating the information so that we can spot potential threats to the infrastructure in a timely manner. That’s a mouthful and a challenge. We plan to look at what Cisco can do for us in this area.
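The column describes the goal in one sentence: pull together what the different systems write to their log files and correlate it so that a threat shows up in time. The following Python is an added example written for this page, not the column's own tooling and not any Cisco product; it parses two constructed log formats (an SSH-style auth log and a VPN concentrator log, both invented here, with made-up hostnames, users and addresses) into one normalized event shape and then looks across all hosts for a burst of failed logins from one source address, followed by a success from the same address. The point it makes that the column leaves implicit is that the same events, read host by host, look like noise; only after the logs are joined does the pattern stand out.

```python
"""Added example (not from the column): a minimal log-correlation pass over
constructed sample lines from two sources, showing what "bringing the log
data together and correlating it" looks like in practice.  The log formats,
hostnames, users and IP addresses below are all made up for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: an SSH-style auth log and a VPN concentrator log.
# Neither format is a real product's; they stand in for "whatever our systems write".
SAMPLE_LOGS = """\
2007-01-08 08:01:10 fileserver sshd: Failed password for jsmith from 203.0.113.9
2007-01-08 08:01:14 fileserver sshd: Failed password for jsmith from 203.0.113.9
2007-01-08 08:01:19 dbserver sshd: Failed password for admin from 203.0.113.9
2007-01-08 08:01:25 vpn-gw vpn: LOGIN-FAIL user=admin src=203.0.113.9
2007-01-08 08:01:40 dbserver sshd: Accepted password for admin from 203.0.113.9
2007-01-08 09:15:02 fileserver sshd: Failed password for mlee from 198.51.100.4
2007-01-08 11:30:00 fileserver sshd: Accepted password for mlee from 198.51.100.4
"""

# One parser per source; each yields the same normalized event shape so the
# correlation step does not care which system wrote the line.
SSH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$")
VPN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) vpn: LOGIN-(?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse_line(line):
    """Normalize one raw line into (timestamp, host, user, ip, success) or None."""
    for regex, ok in ((SSH_RE, "Accepted"), (VPN_RE, "OK")):
        m = regex.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            return (ts, m["host"], m["user"], m["ip"], m["result"] == ok)
    # Unknown format: a real pipeline should count these rather than drop them
    # silently, since a parser that quietly ignores a source hides a blind spot.
    return None


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs that fail `threshold` or more logins, across any hosts and
    any log source, within `window`; then flag any later success from an IP that
    already tripped that alert.  Returns the alerts in time order."""
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e[0])
    failures = defaultdict(list)  # ip -> [(ts, host, user), ...] still inside the window
    alerted = set()               # ips that already produced a failure_burst alert
    alerts = []
    for ts, host, user, ip, success in events:
        if success:
            if ip in alerted:
                alerts.append({"time": ts, "ip": ip, "kind": "success_after_failures",
                               "host": host, "user": user})
            continue
        # Keep only failures from this IP that are still inside the sliding window.
        failures[ip] = [f for f in failures[ip] if ts - f[0] <= window]
        failures[ip].append((ts, host, user))
        if len(failures[ip]) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"time": ts, "ip": ip, "kind": "failure_burst",
                           "hosts": sorted({f[1] for f in failures[ip]}),
                           "users": sorted({f[2] for f in failures[ip]})})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample data, no single host sees three failures from 203.0.113.9 within the window, so a per-host check would stay quiet; the joined view raises a burst alert spanning fileserver, dbserver and the VPN gateway, and then a second alert when the same address succeeds against dbserver. The lone failure from 198.51.100.4 followed hours later by a normal login produces nothing, which is the behaviour you want from a daily review that has to be done by people with other jobs.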

So, that’s my list. Drawing it up gets my engine going. The next step is to pull the team together and share my vision. Then I’ll shut my mouth and listen for a long time. Sure, I have been thinking all year about what our next steps are going to be, but so has the team. We need to arrive at a consensus about what can and can’t be done with our available time and resources. Ready? Go.

What Do You Think?

This week’s journal is written by a real security manager, “C.J. Kelly,” whose name and employer have been disguised for obvious reasons. Contact her at, or join the discussions in our security blogs: To find a complete archive of our Security Manager’s Journals, go online to

Copyright © 2007 IDG Communications, Inc.
