I've always wanted to be responsible for physical security. I never understood why the <a href="http://www.computerworld.com/s/topic/17/Security">security</a> of computers, networks and data is managed by a different department than the security of doors, windows and cameras. The same principles apply in both worlds. And let's face it: Physical security is actually run on computers. So I think it's perfectly natural for information security to own it.
The end of the year was busy for me and my team. Already swamped with <a href="http://www.computerworld.com/s/article/94956/IT_Managers_Brace_to_Meet_Ongoing_Sarbanes_Oxley_Compliance_Demands">Sarbanes-Oxley audit activities</a> and end-of-year project deadlines, even more <a href="http://www.computerworld.com/s/topic/17/Security">security</a> work came our way after a new round of <a href="http://www.computerworld.com/s/article/9126955/IT_Layoff_Tracker">layoffs</a>.
Cadillac or Kia? How much <a href="http://www.computerworld.com/s/topic/17/Security">security</a> is enough, and how much is too much? Can you even have too much security?
With only a skeleton crew, and no budget for consultants, I've been borrowing IT staff from other departments to get things done. That's been helpful, but none of them has the specific skills to analyze complex firewall and NAT rules.
If you've been watching the stock market this month, you know that, economically speaking, things are going the wrong way. We seemed to be in a period of economic recovery, but now, whatever recovery we might have been having seems to have fallen right through, like piping-hot coffee melting the bottom of a cheap cup. Whether or not you consider stock market activity a representation of the overall economy, I can tell you that my company seems to be falling on hard times as well.
Can you believe it? As I sat down this morning to write this column, I got hit by a drive-by download of FakeAV.
This week I found out that my company is developing software in-house. Until now I hadn't known that we were a software development shop, but I guess I shouldn't be surprised. Most companies that I've been with have developed their own software for one purpose or another. I only learned about this software development project when one of the programmers approached me to ask about the best way to store usernames and passwords in the application's database. Yes, that's right -- they built the authentication right inside the application, instead of calling out to an external authentication source.
I was on the road last week, attending the RSA security conference in San Francisco, which is a great place to run into colleagues. Afterwards, I visited Disneyland, which, despite being in the same state, is surprisingly far away. What do these places have in common? Security.
In a recent column, my Security Manager's Journal counterpart, Mathias Thurman, wrote about securing virtual desktop environments. My company is going through the same exercise of evaluating VDI as a replacement for traditional desktops. As Mathias pointed out, the concept of virtualizing the applications that run on the system does not substantially change the threat landscape, nor does it modify the countermeasures we put in place to protect against those threats.
Our Web sites are under attack! And my company's firewall and intrusion-detection systems seem to have been giving a lot of people around here a false sense of security.