Enterprise security planning in Australia right now is a mixture of good and bad: there is concern about the ongoing use of independent solutions along with optimism about the direction policy decisions are taking.
While shareholders and board members want bulletproof protection, security professionals are cautious about expecting miracles with money. Everything from core application policies to identity management and network perimeter defences fits into the whole-enterprise security policy.
Andreas Tilch, a security analyst with a large food producer, and an executive member of the Information Security Interest Group, a not-for-profit organisation of security professionals within Australia, said adopting a more strategic approach to risk management can address the ROI question, for the bean counters, of why strong IT security is beneficial to the company. Creating a risk management strategy at the enterprise level — which aligns itself to the IT strategy to support the business — will help to position the importance of security to the business, he said.
John Donovan, Symantec Australia and New Zealand managing director, said he is optimistic about the direction enterprises are taking with security policies. However, he expressed concern about the continual use of independent solutions. “Security is not an add-on feature; it is the core of what you do. It is as important as your data and applications,” Richard Turner, Asia Pacific vice president, RSA Security, said.
“At present, [security] looks like relatively weak security,” Turner said. “Anyone using passwords for authentication is being negligent, as they are just not secure. This is most apparent where remote workers are using passwords when logging in to use Web-based applications. Strong authentication is needed here.”
Tim Smith, national security manager for Alphawest, a vendor-neutral security consultancy with clients in the 500- to 10,000-screen range, noted that the legal implications of not doing security justice are important, and that there is a possibility of directors and management being sued if their company is found to be negligent in the event of a breach.
“There has been a case where an organisation got hacked and a denial of service attack was launched against an ISP,” Smith said. “The ISP won an injunction to close the organisation at fault. Just like in a contract for regular employees, managers can be liable.”
“What enterprises are beginning to do right is to approach security from an all-encompassing management method,” Donovan said. “Enterprises are moving away from point-product solutions, and as such need to work with vendors who don’t push them.”
While many IT managers in Australian companies are focused on building “concrete” walls around their enterprise — seemingly forgetting that this work only goes half way towards stopping information security compromises — such walls prove useless against the growing threat of identity-based security breaches from in-house sources, Turner said.
“It is most important to have an understanding of the risks to your organisation,” said Smith. “You can’t just throw money at risks and expect them to become secure. Why spend $100 securing something worth $1? The level of security really comes down to the importance of data, which is different for each organisation.”
A consultant’s approach is to do a risk assessment and define the critical assets; that way risks can be mitigated, Smith said.
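The risk assessment Smith describes, worked through as an added example that is not code from the article or from Alphawest: it ranks a constructed asset inventory by annualised loss expectancy (asset value multiplied by the fraction lost per incident and the expected incidents per year), then keeps only those controls whose yearly cost is below the loss they are expected to avoid, so the “$100 to protect $1” case is rejected automatically. Every asset value, incident rate, control name and control cost below is invented for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One thing the organisation wants to protect (constructed figures)."""
    name: str
    value: float               # business value in dollars
    exposure_factor: float     # fraction of value lost per incident, 0..1
    incidents_per_year: float  # expected incident frequency (ARO)


@dataclass
class Control:
    """A proposed safeguard and its assumed effect on incident frequency."""
    name: str
    annual_cost: float     # licences, hardware and staff time per year
    rate_reduction: float  # fraction by which incidents_per_year falls, 0..1


def ale(asset: Asset) -> float:
    """Annualised loss expectancy: value * exposure factor * frequency."""
    return asset.value * asset.exposure_factor * asset.incidents_per_year


def rank_assets(assets):
    """Critical assets first: the ones whose expected annual loss is largest."""
    return sorted(assets, key=ale, reverse=True)


def net_benefit(asset: Asset, control: Control) -> float:
    """Loss the control avoids each year minus what the control costs."""
    avoided = ale(asset) * control.rate_reduction
    return avoided - control.annual_cost


def recommend(assets, controls):
    """Return (asset name, control name) pairs whose net benefit is positive.

    A control that costs more than the loss it prevents is dropped; that is
    the '$100 securing something worth $1' case from the article."""
    plan = []
    for asset in rank_assets(assets):
        for control in controls:
            if net_benefit(asset, control) > 0:
                plan.append((asset.name, control.name))
    return plan


# Constructed sample inventory; none of these figures come from the article.
SAMPLE_ASSETS = [
    Asset("public brochure web server", value=5_000.0,
          exposure_factor=1.0, incidents_per_year=1.0),
    Asset("customer database", value=2_000_000.0,
          exposure_factor=0.5, incidents_per_year=0.2),
]

# Hypothetical controls with hypothetical costs and effects.
SAMPLE_CONTROLS = [
    Control("two-factor tokens for remote access", annual_cost=40_000.0,
            rate_reduction=0.6),
    Control("automated patching", annual_cost=2_000.0, rate_reduction=0.5),
]


if __name__ == "__main__":
    for asset in rank_assets(SAMPLE_ASSETS):
        print(f"{asset.name}: expected annual loss ${ale(asset):,.0f}")
    for asset_name, control_name in recommend(SAMPLE_ASSETS, SAMPLE_CONTROLS):
        print(f"fund '{control_name}' for '{asset_name}'")
```

With the sample figures the customer database carries an expected loss of $200,000 a year and justifies both controls, while the $5,000 brochure server justifies only the cheap patching control; the $40,000 token rollout would cost far more than the $3,000 of loss it avoids there, which is exactly the spending the quoted consultants warn against.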
Across the providers of all the layers of enterprise security, and the range of technologies within, is the unanimous belief that technology alone will not solve the security problem.
“Organisations need to be careful about putting blind faith in technology,” Mike Clarke, managing director, 3Com Australia and New Zealand, said. “You need a security integrator and the trusted, bigger consulting firms are well suited to this.”
Turner said: “If you have rigorous application policies in place controlling who has access to what combined with strict identity management and access control, your enterprise will be inherently more secure.”
While research and anecdotal data indicate that the number of external breaches has increased — and attracted enormous media attention — internal breaches remain a constant threat and potentially more damaging.
Turner claims that each major security breach at large companies, such as those in the financial sector, is committed by an employee, either directly or indirectly, so carefully controlled user access is imperative.
In order to prevent identity-based security breaches, Turner said RSA Security has found a “sweet spot” with tokens. More advanced methods such as biometrics are also possible to implement; however, the quality ranges between excellent and annoyingly useless.
“Good biometric systems are so expensive they prohibit large-scale enterprise deployments,” he said. “Entry-level biometric systems tend to be cheap and unreliable. For example, it is not uncommon for a thumb scanning device to be ‘thumbed’ five or six times before access is granted.”
Alphawest’s Smith agrees.
“We are not seeing an increase in biometrics, rather, tokens and smartcards are hot at the moment,” Smith said. Identity management, however, is only one aspect of an enterprise-wide security policy.
As more applications become Web-enabled and employees work remotely, the role of a secure network is critical. Donovan, from Symantec, said there are five protection technologies: AAA (authentication-authorisation-accounting), antivirus, firewalling, IDS (intrusion detection system) and VPN. “These make up the protection layer and must be tailored for your enterprise.”
Dick Bussiere, chief technology officer, Enterasys Networks Asia Pacific, said network design is one of the most important parts of enterprise security.
“The network has visibility into all resources and can exert a measure of control over who talks to who. Poor network design can unwittingly create vulnerabilities.”
Bussiere sees hardware security appliances as inherently more secure than the software approach.
“Generally, the appliance model is better since the vendor will have taken steps to ‘harden’ the device, and the underlying operating system,” he said. “The general purpose OS model is all right only if the installer had the necessary technical knowledge to perform the hardening process.
“The appliance may be a better deal overall from a cost perspective; the organisation has to acquire the equipment on which the security application will be deployed, and then pay someone to harden the equipment and install the software,” Bussiere said.
“We can see this in market trends — for example, the firewall appliance market is growing, while the firewall software market is stagnant.”
Alphawest’s Smith sees a place for both appliances and software.
“The advantages of appliances are that the worry of a suitable operating system is taken away; updates are usually automated, and with many organisations having remote offices they can double as VPN concentrators,” Smith said. With the use of software on top of a standard operating system, he said, the problem is not security, it is updating and patching.
“However, we are seeing a lot of interest in loading cheap hardware with dedicated operating system software to fulfil such security purposes.”
The problems of risk assessment and liability are compounded when security, as with other technology spending, is expected to yield a return on investment.
“Companies today are expecting ROI for everything,” said Brooke Galloway, research director for services, IDC Australia. “In fact, security investment involves risk mitigation rather than ROI. It is hard to quantify ROI when nothing happens.” If companies are looking to control spending, Paul Serrano, senior director of marketing for NetScreen Asia Pacific, recommends a modular approach to appliance features.
“Modular technology allows users and service providers to ‘turn on’ security features as required,” Serrano said. “This results in large operational savings.”