Organizations tend to progress through several maturity levels with respect to security. The first of these is a perception of security as a very difficult discipline. One indicator of this maturity level is that the organization knows it is weak in this area, and the expectation of possible security exposure fosters an attitude of vigilance and a willingness to engage specialists. It pays at this level to hire the best practitioners available and then focus on skills transfer as a large component of the engagement.
Despite the myths, security controls are really not difficult to master. Most of the work is simple configuration and a few command-line scripts. As the organization gains some familiarity with security, the perception swings to the other extreme: security is now easy. Once the configurations and command syntax are understood, the organization designs a set of controls and then implements them across the messaging network. Once the security issues have been addressed, the organization becomes resistant to further changes. Nobody wants to be the one to raise the security flag again. Due to that inertia, most organizations do not proceed past this maturity level. The primary indicators of this maturity level are confidence and a reluctance to engage specialists. The organizations that believe most strongly in their own security are the ones most likely to under-invest and fall behind over time.
The next higher maturity level comes from a deep understanding of the many security controls and the interdependencies between them. Although the configuration and commands are easily mastered, subtle interactions between them determine whether the resulting system is effectively secured … or not. The complexity of the systems involved and the variety of security controls available means that the possible interactions are endless. The result is that organizations with the deepest skills doubt the effectiveness of their security controls. They invest more heavily in the detection and recovery aspects of the system, they continuously test and probe the security, and they train their in-house staff well. They also understand the one thing a consultant brings to the table that their permanent in-house staff cannot provide: a perspective not bound by the organization’s culture and expectations. Organizations at this maturity level engage a particular type of specialist. They need someone who will challenge their own highly skilled people. They need the best. They need IoPT Consulting.
Your certified and experienced IoPT Consulting professional provides a full range of expert WebSphere MQ security services for organizations of any size and at any maturity level. Pick from one of the offerings below or contact us to discuss your specific requirements.
- Free Security Health Check
  IoPT will, at no charge to you, review the configuration of selected queue managers and provide a written report noting any issues found, including recommendations for next steps as needed.
- Regulatory Compliance
  Avoid surprises. Get a heads-up on critical security issues before the auditor arrives. Dodd-Frank, PCI, HIPAA, FIPS: all regulatory regimes have a few things in common, namely authentication, authorization, accountability, and availability. When it comes to WebSphere MQ, AMS, FTE, Broker, and MQTT, these are our core competencies.
- Security Architecture
  The best time to design security is to bake it into the application design and enable it from unit test all the way through to production.