Sydney Harris quote

“In every field of inquiry, it is true that all things should be made as simple as possible – but no simpler. (And for every problem that is muddled by over-complexity, a dozen are muddled by over-simplifying).”

Architecture, E-mail, Enterprise Security Architecture, Risk, Security, Technology, Trust

Domain name security – part one

Purchasing a domain name has never been easier, but maintaining control and ownership over the long term is often overlooked.

While inexpensive purchase costs are very enticing, if you’re serious about the long term you need to look beyond the initial cost and consider your ongoing requirements. Thinking holistically about the service may cost you a little extra, but it pays dividends in terms of peace of mind.

Owners can take measures to protect their domain names against theft and loss, but many measures are not generally known.

Why should I really care about this?

Losing control of your domain name is not an obvious danger when compared to malware, spam or botnets, but it can be just as disruptive, if not more so; in extreme cases the impact can be permanent and fatal for your online presence.

You might think it implausible that the damage could be so severe, but if you’ve purchased a domain then you’ll attribute value to that name, both tangible and intangible. Tangible value increases when people associate brand with a domain name. Intangible value increases in proportion to the reputation of a domain name. The threats are very real, and can include denial and theft of service, identity or brand theft, loss of revenue and even irrecoverable loss of online business operations.

Still think it doesn’t happen?

Imagine this scenario… your incoming email suddenly grinds to a halt. You discover someone’s transferred your domain name to another registrar without your notice or approval. Your DNS configuration has been modified and your email is being delivered to someone else’s mail server. Days later, your registration is restored, but only after an exhausting, frustrating, uncoordinated and costly incident response effort. Preposterous? It happened to PANIX.COM on 17 January 2005.
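The scenario above is detectable early if you keep a trusted baseline of the domain’s registrar and DNS state and compare every fresh snapshot against it. The following is an added example, not code from the original post: it assumes you already fetch snapshots by some means (a WHOIS/RDAP client for registrar and EPP status codes, a DNS resolver for NS and MX records), so both snapshots here are constructed by hand, and the set of locks a holder expects to stay in place is a hypothetical policy for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainSnapshot:
    """The subset of registrar and DNS state worth watching for unauthorised change."""
    registrar: str
    status: frozenset      # EPP status codes as shown in WHOIS/RDAP output
    nameservers: frozenset  # authoritative NS hostnames
    mx: tuple               # (priority, host) pairs from the MX record set


# Registrar-side locks a domain holder normally expects to remain set.
# Hypothetical policy for this example; the names are standard EPP status codes.
EXPECTED_LOCKS = frozenset({
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
})


def detect_changes(baseline: DomainSnapshot, current: DomainSnapshot) -> list:
    """Compare a fresh snapshot with the trusted baseline and return alert strings."""
    alerts = []
    if current.registrar != baseline.registrar:
        alerts.append(f"registrar changed: {baseline.registrar} -> {current.registrar}")
    # Locks that were set in the baseline but are no longer reported
    dropped_locks = (EXPECTED_LOCKS & baseline.status) - current.status
    for lock in sorted(dropped_locks):
        alerts.append(f"lock removed: {lock}")
    if current.nameservers != baseline.nameservers:
        added = sorted(current.nameservers - baseline.nameservers)
        removed = sorted(baseline.nameservers - current.nameservers)
        alerts.append(f"nameservers changed: added {added}, removed {removed}")
    if sorted(current.mx) != sorted(baseline.mx):
        alerts.append(f"MX changed: {sorted(baseline.mx)} -> {sorted(current.mx)}")
    return alerts


# Constructed sample data: a healthy baseline, and a snapshot resembling the
# unauthorised transfer described above (registrar moved, locks gone, DNS and
# mail now pointing at hosts the owner does not control).
BASELINE = DomainSnapshot(
    registrar="Registrar A (example)",
    status=frozenset({"clientTransferProhibited", "clientUpdateProhibited",
                      "clientDeleteProhibited", "ok"}),
    nameservers=frozenset({"ns1.example.net", "ns2.example.net"}),
    mx=((10, "mail.example.net"),),
)
HIJACKED = DomainSnapshot(
    registrar="Registrar B (example)",
    status=frozenset({"ok"}),
    nameservers=frozenset({"ns1.unknown.example", "ns2.unknown.example"}),
    mx=((10, "mx.unknown.example"),),
)

if __name__ == "__main__":
    for line in detect_changes(BASELINE, HIJACKED):
        print("ALERT:", line)
```

Run on a schedule, each non-empty alert list is the trigger for the incident response the post describes; the registrar-lock check in particular fires before any DNS change becomes visible, because a transfer normally requires the lock to be removed first.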

Architecture, Change, Communication, Enterprise Security Architecture, Risk, Security

Enterprise Security Architect – the start of a meaningful security conversation

One way an Enterprise Security Architect can add real value is by having a more meaningful conversation about security and its role and purpose. More often than not, securing an enterprise is not discussed in a meaningful way with the senior executives who can choose to commission and invest in security transformation.

It seems to me that we’ve forgotten that a meaningful conversation starts with a focus on what we are ultimately trying to achieve. In the context of Enterprise Security, effective security risk management happens when the relevant security objectives are continually and consistently met within their agreed tolerances, even in the face of threats within the enterprise’s operating environment.

With this as a foundational view, progress towards a mature security posture becomes measurable in terms of increasing the predictability of consistently achieving the agreed security objectives. Success is then defined as the ongoing achievement of the security target relating to that objective, and not by whether an incident has or has not occurred.

Setting contextual security objectives introduces the recognition that security is not total invulnerability to all attacks, but rather a consciously risk-managed and economically efficient level of vulnerability given competing claims upon business resources. In this sense security objectives show what the enterprise expects for its information security investment. Or, put a different way, the act of defining security targets also specifies the risk appetite, or the variance tolerance against the objectives.

As a result of such an approach, the enterprise security strategy is driven by a desired set of outcomes, rather than by the latest technologies, the most recent incidents or media-hyped attacks.

Architecture, Enterprise Security Architecture, Security, Technology

Enterprise Security Architects are not über techies

There’s one view that Enterprise Security Architects have somehow reached the zenith of their subject matter domains. They’re wise folk who know a subject vertically, from top to bottom, in excruciating detail. I believe that there is a popular misconception that Enterprise Architects are the über techies.

I respectfully disagree with this particular view. I believe that the misconception comes from the perceived hierarchy and misunderstanding of the purpose and intent of an Architect working horizontally across an enterprise.

Instead, an Enterprise Security Architect has a fundamentally different focus and outlook, and looks to achieve a different set of objectives, than, say, a Solution Architect, Technical Architect or Infrastructure Architect.

In particular, an Enterprise Architect works across an organisation to cut across silos, achieve common approaches and work towards organisation-wide goals for the good of the entire enterprise. This requires a different set of skills, most of which are not technical, in order to fulfil a different set of responsibilities.

I think this is really important to keep in mind when trying to place an Enterprise Security Architect in the right context.