Our mission in Information Security is to enable secure & reliable business. In going about our mission, we’ve constantly tried to take a very deliberate service-oriented view of information security rather than a purely enforcement approach. Like any other organization, we have our information security policies that need to be complied with in order to maintain a secure posture for our overall business. But instead of constantly taking an enforcement-only view, we’ve instead always looked to work with our business customers to help enable them to comply with our policies. The reason was simple: pure enforcement is not a sustainable model.
You may be able to get by forcing a few process changes, stopping a few applications from going into production or mandating certain controls that increase the cost of operating data centers, all in the name of policy compliance. But to the business, you’ll be seen as an inhibitor or a road block that the business would just want to try to avoid.
So what does a more service-oriented view of information security look like? It starts very simply by always trying to put the business first and then looking at information security through that business lens. We do this to see how certain policies or controls are needed in a given situation affect the business. It is the negative affect that we try to minimize and it turns out that in most cases, this turns out to be a financial affect or a performance affect on the business.
There is often very little you can do on the financial side other than to ensure the financial hit of security controls is minimal. But on the performance side, what we didn’t want to get into was leaving the business with a second problem they inherited (performance) by addressing the first problem (security).
There is of course the operational and process side of business we look at in information security to ensure appropriate management of information security risk as it pertains to our data. But since more and more of our data is digital and is being managed with software and infrastructure, a bulk of what we end up managing is application and hosts that may require certain controls in order to comply with our policies. What kind of load balancing does a business need if we enforce IPSec or SSL? How does an application’s performance get affected by the introduction of AntiXSS? How do you ensure optimal performance of SharePoint under certain security controls that are required as a result of the type of data the SharePoint instance is hosting? A more recent example showcasing the synergy between performance and security involved our latest release of AntiXSS. In the current release, we spent a considerable time in performance testing and performance optimizing the library to ensure it provides an optimized as well as a secure technique to guard against cross-site scripting attack vectors. These and others are questions we look to give guidance on and so far, it has been an incredibly successful marriage between security and performance that provides the opportunities to serve our businesses with the level of service we want to provide in order to ensure we are seen as an enabler of secure and reliable business rather than an inhibitor.
Security and performance are just two attributes of a system… you have to consider these alongside a list of others including reliability, scalability, usability, and accessibility. As you’re looking into security controls, you have to balance out the entire set of attributes which is why the business lens is so critical. Having a performance team within Information Security has made it possible to provide the comprehensive level of performance tuning and security our customers demand.