It's time to revisit your company's security procedures, says Bill Haase, a consultant in IBM Global Services' security and privacy practice. "Security is going to be an effort," Haase says. "It has been an inadequate effort heretofore."
Haase spoke about IT security trends and shared project planning tips with IBM Corp. users who convened in Nashville for this week's Share IBM user group conference. The semiannual educational conference - run by the independent Share organization - drew 2,100 attendees to its roughly 1,000-session lineup of tutorials, product previews, user case studies and hands-on labs.
Corporate security efforts in the past have focused on securing the perimeter of an enterprise, Haase says. As business strategies change and companies begin to outsource more functions and open their business networks to trading partners, they need to adapt their security policies and procedures to keep up.
Some trends he's seeing among IBM customers include efforts to build security into applications. The challenge is devising ways to authenticate application components across supply chain networks as those applications exchange information, Haase says. He described new "data-based" networks using XML that will depend on integration of key Web services standards - Security Assertion Markup Language and XML Key Management, for example - to bind security provisions to data so that as data moves between organizations, it retains its security attributes.
Secure software development also is a key area that needs attention, Haase says. Stronger and more granular user-authorization policies need to encompass three key attributes: the user's role, the class of data being accessed, and the user's requested action, he says. In addition, companies are developing stricter code review policies to ensure that any software code developed meets security guidelines before being introduced into an enterprise network.
There is a trend to integrate physical and network security policies, too. For example, a company might specify that a person who has not physically signed in to its office building cannot access its network from a local workstation, Haase says.
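The two ideas above, a user-authorization decision over role, data classification and requested action, and a physical-presence condition on local network access, can be combined in one deny-by-default policy check. The following is an added illustration, not code from the article, IBM or Share; the roles, data classes, policy table and the `signed_in_building` flag are all constructed assumptions.

```python
# Added example: deny-by-default authorization over the three attributes
# named in the talk (user role, data classification, requested action),
# plus the physical/network rule: a local workstation session is only
# valid if the user has physically signed in to the building.
# All roles, classifications and policy entries are constructed.
from dataclasses import dataclass

# Constructed policy table: (role, data_class) -> permitted actions.
POLICY = {
    ("analyst", "public"):       {"read"},
    ("analyst", "internal"):     {"read"},
    ("manager", "internal"):     {"read", "write"},
    ("manager", "confidential"): {"read"},
    ("admin",   "confidential"): {"read", "write", "delete"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    data_class: str
    action: str
    location: str            # "local" (office workstation) or "remote"
    signed_in_building: bool  # assumed feed from the badge/sign-in system

def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown roles, classes or actions are denied."""
    # Physical/network integration: no building sign-in, no local session.
    if req.location == "local" and not req.signed_in_building:
        return False, "local access without physical sign-in"
    allowed_actions = POLICY.get((req.role, req.data_class))
    if allowed_actions is None:
        return False, f"no policy for role={req.role!r} class={req.data_class!r}"
    if req.action not in allowed_actions:
        return False, f"action {req.action!r} not permitted for {req.role!r} on {req.data_class!r}"
    return True, "permitted"

def audit_line(req: Request) -> str:
    """Audit-trail entry for every decision, granted or denied."""
    ok, reason = authorize(req)
    verdict = "ALLOW" if ok else "DENY"
    return (f"{verdict} user={req.user} role={req.role} class={req.data_class} "
            f"action={req.action} loc={req.location} reason={reason}")
```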
His advice for Share attendees is threefold. First, revisit security policies, procedures and standards, Haase says. Look at how they address user authentication, user authorization, data classification, audit controls and trails, and enterprise security architecture.
Second, invest in security management infrastructure. Policy management and enforcement functions should be built in, and physical and network security controls should be integrated, Haase says.
And third, conduct a baseline security assessment and gap analysis.
"This is just a short list," Haase told attendees. "And it'll take you a year."