
Q&A: Jeff Reich, Rackspace


In an email interview with the WHIR, Rackspace chief security officer Jeff Reich discusses his session, "Who Do You Trust? How Knowing Who and What Your Users are Determines How Secure Your Information Is," at this week's InnoTech conference in Austin, Texas.

By Liam Eagle, theWHIR.com

October 15, 2008 -- (WEB HOST INDUSTRY REVIEW) --  Information security is a widespread matter of concern in the hosting business, simply because it is an issue of tremendous importance to hosting customers, and a matter of much regulatory scrutiny.

But in addition to information security's obvious technical side, there is a more practical side that involves practices surrounding personnel - one of the greatest potential threats to information security at any business.

In a presentation at this week's InnoTech conference in Austin, Texas, Rackspace's chief security officer Jeff Reich will participate in a panel entitled "Who Do You Trust? How Knowing Who and What Your Users are Determines How Secure Your Information Is," during which he will attempt to impart some of his experiences in trying to deal with the security threat presented by people.

And these are not lessons that are necessarily limited to the hosting business, though Reich certainly holds a position of authority on information security, given his role with Rackspace.

The session will take place Thursday at 11:00 a.m.

In an email interview with the WHIR, Reich discusses the objectives of the session, and some of the possibilities he will present to companies of all kinds interested in information security.

In describing your session, you refer to "implementing a security and controls program," which doesn't really identify a specific kind of business, or a specific set of security demands. How broadly applicable do you think the ideas you discuss in your session are?

Jeff Reich: The basics of implementing a security and controls program can apply to virtually every business situation. The key for a successful program is flexing your resources to the areas of highest risk and need.

Do you have a certain type of business in mind? 

Every business can apply this principle.

Your basic topic is that the security of information relies on trust in the users who are handling that information. Can you give a specific example of a way in which information might be put at risk by users?

The most common and potentially dangerous opportunity for information to be put at risk is putting it in the hands of people that may not be able to determine the effects of misuse. Undoing problems stemming from information misuse is daunting, at best.

Are there effective strategies for ensuring that the trust placed in the people using these secure systems is well founded?

You need to determine the knowledge, skills and characteristics of the individuals that will be entrusted with your data. The hardest part might be truly determining those characteristics. After that, you can use tests, interviewing, background checks and other tools to validate that you are about to entrust the right individuals.

Is there a sort of effective philosophy or system for combining the well known technical controls for security with practices for ensuring the trustworthiness of people?

A very basic strategy for ensuring that trust is well-founded is by first, educating users of information about the value and proper uses of the information, as well as some common misuses. The second portion of the strategy is using systems that behave in the manner that you expect. Systems do not need to be perfect, but you need to know what to expect and confirm that your expectations are met.

Monitoring the security of information on the technical side is a pretty broad and well-understood discipline. Beyond the initial vetting process, is there a good ongoing practice for managing and monitoring the trustworthiness of people?

The best way to monitor the trustworthiness of people is to manage them. People should be very clear on your expectations of them and then be held accountable to those expectations. Technology and systems can provide you with some monitoring statistics but I offer that anyone depending strictly on those metrics will not be able to demonstrate continued trust.

