Security in a Web 2.0+ World
Information security has matured significantly since it was developed as an ad-hoc solution by large enterprises and the military; from the initial art of security it has become a science with structured standards and more certainty expected from its activities.
Security in a Web 2.0 world has become extremely necessary, and there is a need for qualified material, since companies (especially those driven by the new laws) have a greater need for specialized professionals to implement appropriate information security controls, risk management, business continuity guarantees, transparency, traceability of electronic operations, non-repudiation of operations and several other factors. There is limited information available on the importance of a consistent model for security supported by international standards; the business value is usually ignored, and the topic tends to be managed as a technical issue instead of as an organizational model.
Carlos Solari and his team present much-needed information and a broader view on why and how to use and deploy standards. They set the stage for a standards-based approach to designing in security, driven by various factors that include the complexity of securing complex information-communications systems, the need to drive security less as an after-market add-on and more into product development, and the need to better apply security funds to get a better return on investment.
Security for complex systems, once they are deployed, is at best a patchwork fix. The authors are concerned with what can be done now, using the methods at our disposal and the technologies already available, to establish the idea that security can be designed in to the complex networks that will exist in the near future. Web 2.0 is still the next great promise of ICT - we still have a chance to correct our path, or, better said, to design in a more secure path.
Solari et al. propose the security triad of prevent-detect-respond as the context for all security functions, as well as a framework that measures security, identifies gaps, and designs remedies in with consistency and rigor, grounded in practical considerations.
The ISO 27000 series (parts 1, 2 and 3) is discussed at a high level, with the intent of establishing the linkage to the standard that the authors address in detail: the ITU-T X.805 standard.
Time is of the essence - prevent-detect-respond!