Friday, December 9, 2011
Cloud Security and GRC: Internal Controls
The enormous data set produced by monitoring and management tools delivers useless information if the data isn't comprehensive of the its environment. Several years ago I worked for a Network Access Control (NAC) company. During Proof of Concept demonstrations we often found more devices on the network than the organization thought was possible. It wasn't uncommon to discover 15-20% more than a company thought they had on the network. One particular example found - not kidding - 20,000+ devices more than their estimated 40,000 devices the company thought they had worldwide. Yes, this is extreme. But it's also those experiences that drive my belief you have to know what you have before you can secure it.
Here is how I summarize action items during discussions around this topic.