Horse Sense #116

Intel and Security

Anytime, Anywhere, Any Device--Safely

Intel is an enormous organization. It has almost 100,000 employees, 60 data centers, and 150,000+ devices under management worldwide. Their internal IT organization has an "anytime, anywhere, any device" enablement mentality. They want to allow people to work at home, at work, on the road, and around their personal lives. Since 2009, Intel has allowed the use of personal devices at work. The linchpin in their bring your own device (BYOD) strategy is not a technology, but a document all users must sign that spells out what they are expected to do and what they must allow Intel to do. This "rules of the road" document and set of associated procedures took over a year to craft. Once users agree to the terms and managers sign off on access, users can go to IT and get set up to use corporate resources with their personal devices.


7 Billion Security Events Per Day!

Intel logs over 7 billion security events per day! Using various techniques, they whittle that down to 10-20 events that need to be manually examined. They watch for bad guys "both outside and inside." But...."outside" is no longer outside the firewall any more. [It never was.] Instead, Intel views the security perimeter being at the application, the data, the device, and, most of all, the person. Because of this thinking, Intel has been buying application and network security companies. It has been integrating information from security devices and programs so it can deal with billions of events each day to find the ones that really matter. It is building applications from the ground up to be secure. It is watching traffic both into and out of its networks. And, it regularly trains and instructs its people to help keep them safe. It even goes as far as helping them set up things at home and trains people in safe e mail handling. [I wish everyone would do this....] Intel IT people are pretty thorough at getting the word out. IT security is simply part of the every day work world and employees need to stay informed.


Yeah, But What Do I Get Out of It?

As Intel develops the technologies it needs, it also makes them available to us directly and indirectly through products it provides to other vendors, like its processor chips. It is developing both hardware and software to make high performance security usable, transparent, and capable. Security demands have driven a lot of hardware development. For example, Intel has built processors that are better able to perform encryption tasks and recognize and block malware.


How Do You Justify Security on a Budget?

Security is a difficult idea for budget minded organizations, even Intel. Most organizations see security as being a cost with zero return on investment. But.... management, accounting, insurance agreements and other necessary business tasks also tend not to have a return on investment. That is why I coined the term "Return on Grief." (tm) I think ROG is a much better way to look at business activity of all types. Non-revenue generating tasks do have value and ROG tends to put the often "all powerful" budget more in its rightful place. The budget is only one hurdle to a successful implementation. Minimizing all other factors relative to a budget almost guarantees that you will have a non-optimal result. In other words, the question above is the wrong question. It assumes that the budget rules. Instead, the mission should rule and the budget, which is only one of your resources, is there to serve the mission. Security is not something you do separately. It is an integral part of your business.


The Truly Paranoid Know They Will Lose!--Why You Should Be Paranoid Too....

Intel is committed to making necessary information available anytime, anywhere, and on any device, but they know that security depends on prevention, detection, and response. In their view, security requires "you will get breached" thinking. They know that no matter how good they think their prevention technologies are, they will have to respond to breaches and keep their defenses strong and updated over time. So, the only truly secure organization must be resilient and recognize it will lose an occasional fight. Detection and response mechanisms are invaluable because you know you cannot prevent everything and you must be ready respond to a failure in your security. For example, "you need to look at incoming AND OUTGOING connections on your firewall" to help detect and respond to a breach. Assume that you will eventually fail and prepare for it and you will be much better off than assuming you will not or can not be beaten.


But....People Do Not Think They Are At Risk

Intel gave out some miserable industry statistics. Only 30% of the servers out there are running antivirus. And, while most servers are running only a single application, they tend to be wide open to any type of inbound or outbound communication. Having any security or reliability checks on a database is quite rare. In the end, good security is not about products, but about people. If people do not think security is important, they will resist buying security products. They probably should resist, as in my experience, security only works when people support it. Or, as the Intel security lecturer said, "Culture is the strongest form of control [security]."


Yipe! What Do I Do?

Simple. Educate yourself. Educate your people. And, call us. We are here to help.


©2014 Tony tirk, Iron Horse tstirk@ih-online.com