Interview with Ken Cutler, Vice President, Information Security, MIS Training Institute
by Mirko Zorz - Wednesday, 12 January 2005.
In recent years, the human-resource and financial impact of trying to document internal controls and comply with regulatory security laws such as HIPAA, Gramm-Leach-Bliley, and most recently Sarbanes-Oxley has become a top priority in most businesses. A major area of internal security controls associated with regulatory compliance issues is the “bread and butter” area of identity and access control management, in past years simply referred to as “access control”. Accurately identifying users, their privileges or entitlements, and having an accurate record of what they did while using computerized resources is no longer just a “best practice” but a legal issue with serious non-compliance consequences for the senior management of all publicly owned businesses. All that is in addition to dealing on a day-to-day basis with frequent software patches to address the major online threats we mentioned in response to the previous question.

Wireless insecurity is also a widespread concern, but can be more easily addressed by treating a wireless connection the same as an Internet connection by applying firewalls, intrusion detection, virtual private networks, and strong authentication.

The CSO is becoming increasingly aware of the dangers posed by mobile devices that contain confidential information and that are subject to theft or loss. What can they do to mitigate those risks? Is the education of end users within a company the only way to go?


There are three areas of security attention related to mobile devices, which can range from handheld intelligent cell phones and PDAs to more robust notebook computers: protecting the information content on the mobile device, securing the interaction of that device with other computers across a network, and making sure that additional “backdoor” entry points are not introduced to accommodate “convenient” network access for mobile devices. Effective control of mobile devices begins with intelligent policies and vibrant security awareness and training. From a technical perspective, security for mobile devices includes the use of strong encryption and authentication based on a well-managed public key infrastructure. Remote access gateways, which continually convert “full size” web applications to miniature versions that can operate on limited-size, limited-power handhelds, must also be protected by strong physical and technical security safeguards. The major issue with theft or loss is not the device, but rather its contents; strong encryption and authentication make the device useless other than its face resale value on the black market.

What's your take on the open source vs. closed source security debate? In your opinion, what operating system is better, when taking a look from the security perspective?
