WASHINGTON -- One evening not long ago, a business traveler between flights was making use of his time in a Hong Kong airport lounge by plugging his USB drive into one of the lounge's computers and toiling away on a number of different files.
But when it was time for the traveler to rush to his gate, he left the USB drive and its sensitive files behind, unknowingly exposing his organization's sensitive data to any opportunistic passerby.
Fortunately, the device was recovered by Gartner Inc. vice president Tom Scholtz, who recounted the story this week at the Stamford, Conn.-based research firm's IT Security Summit. Scholtz made the point that businesses must design, develop and implement security architectures that can mitigate the inherent risks that come with workers taking data with them on the road or using it in new ways.
"We need security architectures that will help us think of how to address problems of the future," Scholtz said, "but we also need security architectures to help us solve problems today."
While security architectures can be defined in a number of ways, Scholtz essentially described them as the policies, processes, components and systems that encompass an enterprise security program. Security architectures ideally provide more insight into how data and devices are secured and more choices in how they can be used.
Scholtz said the ideal security architecture development paradigm consists of three major levels:
This method enables an architecture to grow as a result of an organization's true needs; "So you can do high-level planning and separate that from the [various] technology religions," Scholtz said.
Getting a security architecture aligned with an enterprise's overall architecture is hard because it's difficult to find the resources to look beyond individual projects and focus on the big picture, said Thornton Dyson, a Houston-based enterprise architect with a government agency. But the advantages of building security into the development lifecycle make the effort worthwhile, he said.
"Security is often tagged on at the end of the [application] development process," Dyson said. "And [during] the readiness review, the security team gets hit with a black eye because it seems like security is holding things up."
Advancing a security architecture agenda would help that problem, Dyson said, but getting non-security IT pros to buy into the concept takes work.
"It's a challenge. You stand up and talk about it whenever you can," Dyson said. "You make elevator speeches or talk about it at parties. But there's some indication that they're beginning to pay attention."
Separately, Scholtz strongly urged security professionals to consider their budding architectures from three unique viewpoints: organizational, business and technology. The U.K.-based analyst said this ensures that it is compatible with the goals of the organization, the priorities of business managers and with other relevant technologies.
Scholtz's other security architecture best practices included avoiding a fixation with any particular organizational structure or format, ensuring that a choice of technologies is a constant option, and above all remembering that an architecture should never remain static.
"We're talking about a collection of models that we should use as tools to develop the best solution on a case-by-case basis," Scholtz said.
As for that abandoned USB drive, Scholtz said he turned it over to airport authorities, but likes to tell the story to illustrate one of the many common security problems that a mature architecture can help mitigate.
"It's not about the data stick," he said, "but who receives the data."