Friday, July 04, 2008

Green Security

You all know how environmentally-conscience I am. Actually, I don't consider myself to be all that "green," aside from the environmental science merit badge I earned as a Scout. However, working for a global company (and especially the Air Force, in a prior life) reinforces one of my personal tenets: move data, not people. In other words, I look for ways to acquire security data remotely, and move it to me. I'd rather not fly to a location where the information resides; data centers are too distributed, cold, noisy, and cramped for me to want to spend a lot of time there.

So, when Bill Brenner of CSO asked if I had thoughts on "Green IT," I think I surprised him by answering postively. You can read some of what I said in his article Cost-Cutting Through Green IT Security: Real or Myth?

For Richard Bejtlich, director of incident response at General Electric, the biggest green security challenge is in how the company moves people around. Incident response investigations often require people to fly to offices spread across the country. But travel can be expensive and the environment certainly doesn't benefit from the jet fuel that's burned in the process.

Bejtlich's solution is to find more remote ways for employees to conduct incident response.

"Rather than have the carbon footprint of a plane trip, we can instead focus on moving the data we need (for incident response) instead of moving the people," he says. Bejtlich says a lot of the work can get done using virtual technology without reducing the quality of the security.

To achieve this at GE, Bejtlich has made use of F-Response, a vendor neutral, patent-pending software utility that allows an investigator to conduct live forensics, data recovery, and e-discovery over an IP network using the tools of their choice. "For $5,000 we can use the F-Response enterprise product throughout the company," he says. "It's a very good deal."

Bejtlich is also a believer in letting employees work from home. Like the reduction in air travel, working from home means fewer people burning gas on the way to the office.

"We encourage people to work from home so they don't waste energy on travel. The incident response team is all over the world anyway, so we really don't need to be in an office," he says. "Doing the job virtually makes budgetary sense, we spend more time getting the work done, and the bonus is it lowers our carbon footprint."

Virtual wonders

Bejtlich's success with virtual technology is music to the ears of Evolutionary IT's Guarino, who sees virtualization as a key to consolidating the IT environment and achieving green security.


Let me make a few clarifications. First, no one at GE uses F-Response. I mentioned it to Bill as an example of the sort of tool one could use to do remote forensics. I have a copy ready to test and I spent an hour on the phone speaking with Matt Shannon from F-Response, and I have high hopes for the product. Please don't read this as an endorsement of any single product. I mentioned F-Response to help get my point across to Bill.

Second, I don't see the "virtual technology" angle here. I didn't talk about "virtualization," so maybe the term was just used inappropriately.

Otherwise, I agree with my quotes on remote IR and working from home offices. They are key initiatives I would encourage other companies to adopt.

In fact, you could think of the home office as an example of move work, not people. Keep the people in place and move the job to them. In an increasingly competitive market where people with true skills are scarce, it's unreasonable to expect talent to uproot and migrate to an employer's location.

3 comments:

Vyacheslav said...

"move work, not people"

Don't you think that it seriously increase risks?
At the office we have an information security management system, some information security software, protected network, firewalls and IDS/IPS and so on. But we don't know how the employee protects his home computer. Maybe he even doesn't have an antivirus...
And giving access to our network from outside through the Internet, we're opening a door to a potential attacker.

Wayne said...

In response to vyacheslav: Our company policy is that the home computer is not allowed on the company network, each person we expect to telecommute is provided a laptop. Then we provide a robust remote access (VPN) solution to connect remotely. We feel it is a balanced solution.

Iain Dooley said...

re: increased risk. our developers all use vim and login to a dev server using an ssh connection. our dev servers run SSL on non standard ports, and we use HTTP AUTH. we're a software company so i guess that's a bonus. we don't have any n00bz that need to login from home to do work, but most of the apps we use (such as bugzilla) including our accounting application, are web based, so you just need: a) no passwords rememberd, b) always logout and c) SSL and that's as secure as you need to be.

cheers

iain