Quest CEO Blog | Authentication


Quest CEO Blog

Thoughts on Technology, Business and the Management of Both.


#7 and #8 of Quest’s 10 ways to boost business IT security in 2012

by Tim Burke
Thursday, January 26, 2012

Did I mention that when it comes to IT security and defense in depth, the more layers the better?


One of the weakest points in many organizations is #7 on our list:


#7 Authenticate

You need to think in terms of both user authentication and information authentication. When it comes to user authentication, before allowing users access to your data, apps, systems, or networks, authenticate them with at least two factors (something they know, something they are, something they have). Also …

  • Make sure passwords are unique. The same password should not be shared among users nor used on different systems.
  • CHANGE DEFAULT CREDENTIALS! When your system/network admins deploy a new system or service, change the password.
  • Consider using an identity/access management system with single sign-on capability to reduce the complexity, risk, and cost of managing employee authentication and access.
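As an added illustration of the two-factor and password hygiene points above (example code, not the blog's or any vendor's product), the following login check needs both a password (something the user knows) and a TOTP code from an authenticator app (something the user has), and its enrollment step refuses vendor-default passwords and passwords already in use by another account. It uses only the Python standard library; the user store, the default-password list and the TOTP secret handling are assumptions made for the example.

```python
"""Added example (not the blog's code): two-factor login (password + RFC 6238
TOTP) with an enrollment step that rejects default and shared passwords.
All names, stores and sample values are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed sample of vendor defaults; a real list comes from your asset inventory.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "1234"}
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side, for clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * 30), code)
        for k in range(-window, window + 1)
    )


def enroll(store: Dict[str, dict], username: str, password: str,
           totp_secret: Optional[str] = None) -> Tuple[bool, str]:
    """Register a user; refuse default passwords and passwords another user already has."""
    if password.lower() in DEFAULT_PASSWORDS:
        return False, "default credential"
    for other, rec in store.items():
        if other != username and verify_password(password, rec["salt"], rec["hash"]):
            return False, "password already used by another account"
    salt, digest = hash_password(password)
    if totp_secret is None:
        # Base32 secret to be shared with the user's authenticator app (constructed here).
        totp_secret = base64.b32encode(secrets.token_bytes(20)).decode()
    store[username] = {"salt": salt, "hash": digest, "totp_secret": totp_secret}
    return True, "enrolled"


def authenticate(store: Dict[str, dict], username: str, password: str,
                 code: str, at: Optional[int] = None) -> Tuple[bool, str]:
    """Both factors must pass; the failure message does not reveal which one failed first."""
    at = int(time.time()) if at is None else at
    rec = store.get(username)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # spend the same cost for unknown users
        return False, "bad credentials"
    if not verify_password(password, rec["salt"], rec["hash"]):
        return False, "bad credentials"
    if not verify_totp(rec["totp_secret"], code, at):
        return False, "second factor rejected"
    return True, "authenticated"


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    print(enroll(users, "router-admin", "admin"))            # rejected: vendor default
    print(enroll(users, "alice", "correct horse battery"))
    print(enroll(users, "bob", "correct horse battery"))     # rejected: shared with alice
    now = int(time.time())
    good = totp(users["alice"]["totp_secret"], now)
    print(authenticate(users, "alice", "correct horse battery", good, now))
    print(authenticate(users, "alice", "correct horse battery", "000000", now))
```

The shared-password check has to re-run the password hash against every other account because each account has its own salt; that cost is deliberate, and it is why the check belongs at enrollment or password change rather than at every login.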




6 security questions to ask about your data and who gets access to it

by Tim Burke
Tuesday, September 20, 2011


It’s easy to tumble backwards into information security, to let yourself get sidetracked into arcane, hard-to-follow discussions about the innards of technologies and products when in fact you need to be thinking through higher-level strategy and policy.


If, for instance, you don’t actually know yet whether your business would benefit from using encryption, listening to the sales pitches of competing encryption product vendors is a waste of time.


So start with straightforward, non-technical questions that your IT people should answer in a straightforward, non-technical way. When they backslide into techno-babble, make them translate (they can use the practice).


  1. What data is business critical? What data is sensitive? Who ‘owns’ or has access to our business-critical data? Our sensitive data?
  2. What sort of assurances of confidentiality and integrity do we need to provide for each type of data?
  3. How long do we want to retain data?
  4. How do we want to control data access and permissions?
  5. How do we want to authenticate users?
  6. What kind of security training should we provide employees?


You’ll also want to pose questions about the security of your information infrastructure as well as how to cope with cloud computing and social networks. Check my next post for those 9 questions.

