The main point of an operating system is to provide lots of useful functionality to applications and the users of the system. There are many features that can leave the system open for attack. But, there are also a number of features that can be used to enhance the security of the system.
Depending on the business role that a system plays within the organization, leaving it unhardened could lead to serious trouble for an organization. For example, an on-stage remote attack of two ATMs during one Black Hat session caused the machines to spit out all of their cash, proving that hardening the Microsoft Windows CE platform would have been a good idea for those ATM manufacturers.
Clearly the hardening and protection of the security systems themselves is of concern. Are vendors doing enough to help here? Are appliances as a replacement to open systems really the solution to this problem? Will the cloud help or hinder the hardening and protection of security systems?
The bottom line for the CSO/CIO is to ensure that only the necessary systems, applications, and users are able to interact with each other within the approved business context. To help monitor and control this, organizations should look to policy compliance solutions that allow them to define the approved business rules and enforce them based on the following factors: