"It is
impossible for ideas to compete in the marketplace if no forum for
� their presentation is provided or available." �������� �Thomas Mann, 1896
SECURITY IN INFORMATION TECHNOLOGY
Contributed by Sierra Systems Inc.
�
�
Introduction
Security starts with
the mundane. Loss prevention, damage control, and prevention of liability are
the initial targets of security planning. However, security in the context of
information technology (IT) is not just the prevention of loss or damage. It
is a business enabler that is increasing in prominence, especially with
companies for whom communication and collaboration lead to increased
functionality and revenue. Even for older organizations with well-established
business practices, good information security allows safe and profitable
ventures into activities that would have been foolish not long ago. Being able
to perform legacy communications and transactions in a more secure way may not
be the most captivating and seductive ability, but it forms the foundation for
performing modem and progressive secure communications and transactions that
set organizations apart from their competitors.
In this context,
security is a process that allows you to maintain a level of
confidentiality, integrity, and access
appropriate
to the resources you want to protect, such as systems, information, processes,
or any other personal or organizational asset. By the same token, security is
not a constant state, nor is it a tool. It cannot be purchased in a piece of
software or hardware. It is an approach and a process of continuous control
and improvement that must be considered along with any other requirements. It
must be integral to the design, creation, operation, and retirement of any
business�-critical resource.
Once the basics of
IT security are addressed, security tools and processes help to create and
optimize business processes and avenues that may not have previously been
open. Appropriate security can allow you to enter regulated or controlled
markets that are otherwise inaccessible.
Compliance with
regulatory and industry security standards can become a competitive advantage
if it is achieved in ways that enhance operational efficiency and
effectiveness.� Customers that are wary of electronic transactions can be won over if
the information security practices and infrastructure arc demonstrably
dependable — especially if they can be audited by a known auditor. This
paper explores these basic risks faced by any organization that depends on IT,
and provides perspective and potential approaches to the business benefits
that can he attained through better security.
Essential Security Risks
There are many risks
faced by an organization that relies on its information technology for
business-critical activities. These risks may include functional loss through
direct electronic intrusion, functional, financial or intellectual damage
through an information security breach, or indirect damages and liabilities
that may fatally cripple an organization. It is important to recognize the
differences in progressive degree of damage. A direct intrusion against an
organization may be a serious affair, but indirect damages may be more
damaging and less obvious. Indirect third-party damages may have far-reaching
functional, financial and legal consequences.
“We
have been Hacked!”
This distressed
announcement indicates a direct intrusion event:
•���� An unknown external entity has gained entry into your systems.
•���� Discovery of system changes, the purposes of which are unclear.
•���� A partner, competitor or other party informs you that illicit activity is coming from your systems.
This is the classic
security incident — an electronic intrusion. You may not know who is behind
the incident, or even if it is manual or automated. You may not know where the
intruder is, or even if they are inside your organization. You don’t know
their plans or extent of actions they’ve already taken. What is known is
that you have lost control of your resources. This may lead to an immediate
interruption of normal business and possibly lead to other consequential
internal or external damages. Unfortunately, discovery of this type of event
is comparable to finding the lock broken on the door to your office; while it
maybe the work of vandals who made no entry, it often signals further damage
inside.
“Hacker Accesses
Patient Records” (The Washington Post) “A hacker gained access to
confidential medical information at the University of Washington Medical
Center, using the Internet to download thousands of files containing patient
names, conditions, home addresses and Social Security numbers, hospital
officials said yesterday. "The intruder ... tapped into two databases
containing 4,000 or more patient records. [A] Web site in the Health Sciences
Department of Pathology, which served as the platform for the hacker,
previously had about as much security as a computer dedicated to history or
literature, even though it was linked to databases containing patient
records.”
“How
did they know that?”
Strange events maybe
your only clue to an incident that results in serious indirect damages:
•���� A potential client suddenly cuts off negotiations and signs on with a competitor.
•���� An unknown company files a patent on a critical unreleased product or process�you have been working on.
•����� Confidential customer information turns up in other organizations.
This sort of
information security incident may be facilitated by anything from clerical
errors to an undetected intrusion, and can be very damaging to an
organization. In more complex forms, an intrusion that leads to the loss of
sensitive information may undermine every action taken by the company — yet
go undetected for long periods. Many organizations that fall victim to this
choose not to publicize it, fearing additional loss of credibility and good
will.
“Hacking of Web game
EverQuest linked to local teen” (The Seattle Times) ... [A teenager’s
hacking gave him] access to personal information on hundreds of thousands of
players and Sony employees. The hacker.. .was able to access the home
computer of the company’s vice president of product development, Brad
McQuaid, and downloaded documents for an as-yet-unreleased version of the
popular role-playing fantasy game. Sony, which declined comment on the
investigation, says the game is played by as many as 400,000 people worldwide
and reaps more than $50 million a year in revenue.”
“They are suing us!”
If consequential
damages from an incident proceed to the point where they affect other parties,
you may find yourself in a most serious situation:
•���� Your organization is caught unprepared for a security incident, and the operations center is fully occupied with the recovery for several days. A company for which you provide service sues for failure to live up to your service level agreement.
•��� Highly confidential information that you have licensed from another company is posted to the Internet. The licensor sues for trade secret damages and breach of contract.
•��� Personal data that you are legally required to protect is released in a way that�causes damage to the individuals. They file suit, and your company principals are held personally liable.
Direct intrusions and
cracks with ongoing damage may not be the worst events an organization faces.
Consequential damages such as the loss of personal information confidentiality
may lead to a loss of continued access to business. Loss of financial or
medical records that you are legally mandated to protect could mean stiff
penalties. Losing control of critical systems in certain environments may lead
to secondary or tertiary consequences that include the loss of life. These
third-party liabilities can lead to loss of market share, loss of good will,
and even to issues of criminal liability. Many people are unaware that company
principals can actually be jailed for criminal negligence or other liability
charges if poor company security practices are to blame for serious loss or
injury.
“Mounting a
Defense” (Government Executive Magazine) “In 1992, a reclusive young man
from Portland, Ore., used his computer to gain [root-level] access to the
control systems for all the dams in northern California. He first penetrated
the Bureau of Land Management’s computers in Portland, which provided the
system connections he needed to enter the dam controls. PhantomDialer, or
PhantomD as he was known among hackers, could have opened the gates of the
Oroville Dam and flooded the surrounding region, causing incalculable damage
and loss of life. .. .60 miles south [of Oroville Dam] is metropolitan
Sacramento with its 1.5 million people.”
Key Security
Benefits
IT security that
effectively balances the needs and risks faced by an organization should
provide a number of functional benefits to the organization. These may
include:
•���� adding value to existing services by enabling new activities or services
•���� preserving current organizational functions by meeting new regulatory requirements
•��� increasing an existing customer base by increasing service levels
•��� increasing an existing customer base by reducing transitive risk
•��� opening new markets by meeting security requirements for entry
•���� enabling positive revenue associated with new activities or services
•��� increasing competitive advantage compared to other service providers
•��� reducing costs associated with unstructured risks
Well-designed security
architectures provide these benefits as well as risk reduction. While it comes
as no surprise that good news never gets as much airplay as bad news, being
recognized as having a good security infrastructure usually goes along with
recognition for strategic and effective use of technology in general.
Conversely,
poorly-designed architectures invite subversion of security measures and
practices if they are not synchronized with the day-to-day reality of how the
organization works. If individuals in an organization need to thwart or bypass
standard security tools and pohcy m order to do their work, the current
architecture and business activities are in need of re-examination and
coordination. Generally this sort of internal lack of synchronization is
evident to external parties as well, if only as an appearance of
disorganization.
“We
could not do that before!”
•���� An improved network security policy makes it possible to design, deploy and�� maintain value�adding extranet applications that were otherwise considered too risky.
•��� With secure coding practices in place, you can attest to a system’s compliance with HIPAA security rule or Gramm-Leach-Bliley privacy regulations.
•���� Your new information security policy and secure collaboration system allow you to�work and exchange information directly with vendors and customers in a controlled environment, without undue risk to sensitive data.
Just a few years ago,
it would have been considered too risky to share networked resources with
vendors, partners, and customers. With a good security architecture and
compliant infrastructure, it is now possible to have shared collaboration
systems available over the Internet to international partners, using
encryption and authentication tools that make it even more secure than the old
manual methods.
“M.D. Anderson
Cancer Center details plans to beef up wireless LAN security” (Computerworld)
“The MID. Anderson Cancer Center in Houston plans to beef up security for a
wireless LAN pilot project with technology that can rapidly and dynamically
change encryption keys to block hackers from accessing private information....
Technical papers published this summer pointed out the vulnerability of
encryption keys to over-the-air sniffing [and in response] the center has
decided to augment WEP with dynamic key management [that can] change keys
‘as often as every three minutes, if that’s what they want.’ [B]ecause
of security concerns and the strict privacy mandates of the federal Health
Insurance Portability and Accountability Act (HIPAA), Anderson is
‘proceeding cautiously’ with its wireless LAN pilot pixject. [Thel system
offers ‘a near-term solution to secuflty issues,” adding that other issues
with WEP “must be addressed in the two-year window prior to HJPAA
compliance’ ... ‘which requires data to be secure in transit and
storage.”’’
“We
can make money with this?”
•���� Flexible extranet tools are now possible with an enhanced security & network architecture allowing you to provide revenue-generating services to clients that were previously impossible or prohibited.
•���� With documented security practices and testing, you complete an SAS-70 assessment and can provide services to organizations that otherwise would have refused to do business.
•���� New clients are interested and less apprehensive of new services when you have an auditor certify your compliance with industry security standards.
� Increasing visible and real security gives your organization the ability to pursue profitable clients, partnerships, collaboration and other revenue enabling/enhancing activities
“Security—Building
Trust to Enable eConimerce” (IDC) “... No longer just insurance, security
is the foundation on which e-conimerce will be built, as security coupled with
new business processes allows for the creation of trusted business
relationships, whether business-to-business or business-to-consumer. [..j The improvements
m a number of security technologies have allowed companies, especially large
ones, to increasingly regard security as a positive infrastructure element.
This infrastructure issue was driven by the need to expand trusted
relationships with customers, partners, suppliers and channels. Most
companies’ greatest asset is their content. The ability to use security
technologies (e.g., authentication and authorization) to enable greater access
to corporate content deepens and stabilizes relationships. These trusted
relationships can yield numerous benefits, such as higher transaction rates
with greater scalability, lower cost per transaction, transference of
personnel from low-value interactions to high-value personalized service, and
so on. Overall, enterprises increasingly use security products and services to
help them dramatically scale revenue, transactions, and/or customers at high
double-digit rates while confining cost increases to single- or low
double-digit rates. If implemented successfully, this practice ensures
profitable growth.
“This
saves us money.”
•���� Avoiding risk through improved resistance to attacks and outages allows higher service level agreements, reduces expenses for business continuity activities & insurance, and dependence on expensive recovery services
•���� Improved security infrastructures permit safe and secure telecommuting, saving on recurring office space expenses and allowing more flexibility in tight real estate markets.
•��� Operational streamlining through improved information security makes it quicker and easier for internal organizations to share information with each other.
� In real terms, security policy and architecture should simply reflect the real values and risks of the organization, so compliance with a well- designed security policy is the same as compliance with a well-designed operational process. If done well, it is never a burden to improve security around your valuable resources.
“Radical move:
States try tax outsourcing” (Computerworld) “A small group of companies is
participating in a project to outsource sales tax collections. State
government backers of the project hope it will revolutionize the way sales
taxes are collected and paid. Taxware International Inc. in Salem, Mass., and
subcontractor Hewlett-Packard Co. have developed a transaction server that
interfaces with a merchant’s retail system via an Internet connection to
automate tax calculation at the time of sale. What makes this project
groundbreaking is the agreement by participating states to ...shift some of
the potential routine tax audit liability—a major burden for businesses—to
the outsourcing vendor. IT and tax managers said that for a remote tax
transaction system to work, it must address security, the transaction-
processing speed and the accuracy of the tax calculation. But if those
concerns can be satisfied, the potential benefits, including reduced
compliance costs, will be attractive to firms.”
Integrating
security in an organization
How can your
organization avoid undue loss and liability, and leverage security to provide
tangible benefits? By having a plan, and following through. Overall, a proven
way to integrate security is to start with these basic phases:
•����� Know your organization - gather business and technical requirements, assess current logical and physical security capabilities
•����� Know your assets, how you value them, and threats they face - perform an inventory of resources, risk assessment, and security infrastructure audit
•����� Determine the manner in which you want to protect those assets - adopt or create an appropriate security policy; validate against industry standards and regulatory requirements
•����� Define the most effective way to react to protect those assets - create and validate procedures that implement the policy, as well as refining the policy to reflect technical capabilities and optimizations
•����� Implement security tools and procedures - bring your organization’s technical infrastructure into compliance with security requirements, and coordinate security plans and measures with partners and clients
•����� Update and maintain the plans - revisit requirements, policy and operations on a regular basis to protect and optimize the organization’s activities
When defined and
documented, these are the key aspects of a “security architecture” where
each component builds on and supports the next Inventory, assessment and audit
provide the information necessary to create a security policy synchronized
with the real risks and requirements of the organization. With this policy in
hand, security procedures and IT disaster recovery plans can be created.
Operational experience using these procedures and plans creates feedback
information that is useful in subsequent assessments and audits.
Within this
architecture, risks should be addressed through prevention where appropriate,
control for events that may still occur, mitigation if damage occurs, and
plans for recovery and restoration. Design of a good security architecture
hinges on good information and good judgment; extreme security is often
extremely expensive and inappropriate.
Not all incidents or
events can be prevented, and mitigation or acceptance should be considered as
appropriate responses to some threats. Some threats may be simply accepted
because the risk is very low. The risk of many normally-anticipated threats
may be protected against through common security measures. Threats with a very
low risk but extreme consequences may be addressed with mitigating actions,
such as insurance and recovery plans, rather than taking preventive measures
that are prohibitively expensive or hinder normal business practices.
Recommended
solutions
Clearly there are
risks present to any public or private organization, and the appropriate way
to address these risks is through appropriate security architecture. Creation
of this architecture is a nontrivial activity, but neither is it a long and
drawn-out process. Even in the largest and most complex of organizations, the
most effective approach is an iterative one, addressing immediate issues with
tactical solutions and long-term issues with a process that contributes to
continual refinement of the architecture.
Partnering with a
security service organization that has experience in your line of business
increases the likelihood of success in developing the most effective, most
beneficial, and least intrusive security architecture for your organization.
Visit the Authors Web Site
Inquiry Only - No Cost Or Obligation
�
�
�
Search Our Site
Search the ENTIRE Business
Forum site.�Search includes the Business
Forum Library, The Business Forum Journal and the Calendar Pages.
Disclaimer
The Business Forum, its Officers, partners, and all other
parties with which it deals, or is associated with, accept
absolutely no responsibility whatsoever, nor any liability,
for what is published on this web site.��� Please refer to:
Home��� Calendar��� The�Business�Forum�Journal���� Features��� Concept��� History
Library� �� Formats��� Guest�Testimonials��� Client�Testimonials��� Experts��� Search
News�Wire���� Join��� Why�Sponsor���� Tell-A-Friend���� Contact The Business Forum
The Business Forum
Beverly Hills, California United States of AmericaEmail:� [email protected]
Graphics by DawsonDesign
Webmaster:� bruceclay.com
�
� Copyright The Business Forum Institute 1982 - 2009� All rights reserved.
