Products and Services
Whether you want to outsource your problem completely, or you want a partner to bring your internal processes, training and infrastructure up to speed, Ipsilon Consulting can help.
PCI-DSS Compliancy Management
Your PCI-DSS QSA's goals are not the same as yours. It's good to have a partner to audit your security and advise you on a cost-effective strategy for your security going forward. It really is possible to meet the standards, avoid costly fines, put your company on a solid security footing and leave your infrastructure in a more useable state than it is today. Let Ipsilon Consulting help you to get perspective on the whole problem in one go, instead of just another round of reactive and expensive fixes.
Secure your business, not just your Internet connection. Risk management is a culture change throughout a company. When people at all levels of your business learn to account for the risks inherent in the systems, processes and decisions they take, it finally becomes possible to account for security and business continuity correctly - in the business units that require it - and to set and meet fact-based SLAs. Risk management saves you money over time, allows you to plan for your business, and allows you to make the right decisions about where to focus your security, business continuity and disaster recovery resources.
As threats evolve, faster and faster, so the old model of security management, tasks and enforcement being split amongst networks, desktops, phones, perimeter, the HR department, finance and so many other places starts to fall down. A modern security solution will put control over security in the hands of the people empowered to make the decisions. The right security solutions allow owners of resources to control access to their resources, allow line managers to define the roles that their people can perform, and remove the unnecessary and costly layers of manual interpretation and implementation. Holistic security management at a technical level is cost-effective and secure, leveraging the integrated products available from today's consolidated security vendors. Ipsilon Consulting can also help you to change the shape and working practices in your company to make these new paradigms effective, by matching your security governance and processes to emerging best practice.
Making Sense of Network Access Control
Network Access Control - or Admission Control - was pioneered by new startups as long ago as 2004. Most new security technologies get standardised, absorbed and consolidated in that kind of time frame. Far from consolidating, there are now as many NAC paradigms as there are NAC vendors. Despite this disagreement, network access control is still a critical tool to prevent the spread of viruses on almost any intranet. There is no one-size-fits-all answer, and your choice of NAC solution could affect your security for many years to come.
A penetration test is a great way to get a quick overview of where you are with your security. A default password on a default service on a database machine doesn't just tell you about that machine. It gives an insight into problems in your testing procedures, your build procedures, your staff attitudes, your patching regime for the class of server and the auditing of the layers of firewalling that might have protected it. Ipsilon Consulting will not just provide the list of ports or holes that so many other security houses will provide; we will help you to understand the implications, and work as your partner to plan your next move.
No-one was ever fired for outsourcing IT to a reputable company. However, have problems just been hidden? In practice, many companies have simply outsourced the risk without outsourcing the security. Outsourcing provides a vendor to sue if things go wrong, but that may be cold comfort if your core business processes are out of action. Assumptions about the security of outsourced services are proving to be unfounded in very many cases. Ipsilon Consulting can help you to define coherent security policies, authentication systems, tracking and visibility across your diverse services, and make sure that these policies and practices are implemented coherently with existing partners and with new partners.
Web services are often built hurriedly, and are a dangerous combination of one-off code creation and exposure of data to the Internet at large. It's the one area for many non-IT companies where it is critical to ensure that secure development, testing and documentation practices are in place, as well as specific and white-box penetration testing and auditing.
Wireless and Mobile
Whether the CEO insists on integrating his iPhone, or an outside contractor has lost a laptop with critical data on it, the problem remains the same: how can your company devise and implement security policies, practices, infrastructure and responsibilities that allow people to work effectively and securely without setting the IT department against the business? Ipsilon Consulting has the experience and expertise to help.
It's not possible to secure a database by putting a firewall in front of it. As with everything about database engineering, careful design and evolution of your database security considerations will pay dividends later when you need to scale, evolve or provide new ways to access your data. Databases are big business. Oracle can secure your database for you, but costs quickly escalate out of control, and Ipsilon Consulting has found many cases where this has resulted in no meaningful security being in place. This problem can be addressed without a major security breach forcing your hand.
Every year your border firewall meets less and less of your security needs. You can get ahead of the curve and proactively move more of your security enforcement to the networks, servers, PCs and devices that need protecting, and also gain efficiency savings and scalability. Actual removal of a perimeter makes sense only for a small percentage of environments today, but with more distributed devices, online services and cloud-based solutions, it can only make sense to plan for the future.
IPv6 Readiness and Migration
The Internet has a fixed pool of (IPv4) addresses left, and the rate of usage of that finite resource is actually increasing. The global registry will give out its last addresses to the regions in March 2011, and Asia is subsequently expected to allocate the last of those to ISPs in November 2011, with other regions running out shortly after. After that happens, it will simply become impossible for companies to purchase new IPv4 addresses. The global recession and other factors have blinded companies to the need to plan for the change, but some small changes today will significantly alleviate pain down the road. All companies need a plan: to avoid technologies that won't transition, to buy field or remote-upgradeable kit, to store IP information in a forward-compatible way... the list goes on, and every single person making design, purchase and configuration decisions in IT needs to be involved. There's still time to be proactive.