FRAMINGHAM (07/17/2000) - Security at most businesses today is broken.
Intrusion and virus detection measures react to threats only after they've been discovered in the wild. Firewalls bog down traffic, not to mention that they have security vulnerabilities of their own. And because there are so many points of vulnerability across an enterprise, no one's really managing it all.
Point products plug specific holes but don't talk to one another, making a bad situation worse.
Problems like these leave a bad taste in the mouths of most corporate executives, who see security as clumsy, reactive and confining, rather than the protective cover security managers say it can be to help businesses advance online quickly and safely.
"People try to ignore security because they perceive it as something that will make their tasks more difficult," explains Ian Poynter, president of security consulting firm Jerboa Inc. in Cambridge, Mass. "We'd like to see security as an enabler so you can actually use it as a selling point to your senior management."
So security managers say their real challenge is to put information security in its rightful place as a way to make business work, not slow it down. That means creating a proactive, scalable and flexible security infrastructure that's ready to accommodate new applications, mergers and other network changes in real time, according to John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn.
And therein lies the vicious circle: How do security managers sell a network upgrade when security already has such a bad reputation?
It'll take a change in corporate culture.
The first level of change is teaching non-IT people that data security is a problem that must be addressed in the physical world, not just in a technical context, says Pete van De Gohm, chief security officer at Enron Energy Services in Houston. "You need an integrated approach where all of your employees understand the value of the information that they have and correctly label it, whether it's a physical or a logical medium," he says.
Van De Gohm, who manages both information and operational security at Enron, says he practices what he preaches.
The deregulated energy industry is fiercely competitive. So van De Gohm designed the physical layout of Enron's offices so there's no outside entry near the mergers and acquisitions department. This way, he physically protected a key area in which the company's most important competitive data is stored and processed.
During the past two years, the Federal Reserve Bank of New York has also rolled out an aggressive program to educate and inform users, business managers, executives and even armed guards about the way digitized assets can be compromised.
But to make them understand, you have to learn their concerns and explain the situation in ways they can understand and put to practical use, says Jenean Paschalidas, director of security training and policy enforcement at the New York Federal Reserve.
Paschalidas has gone so far as to compare the bank's digitized money to the gold bullion in the bank's basement vault. That comparison helps the bank's armed guards realize how important it is to guard modem ports and check for disks and laptops that people carry out of the bank's Manhattan buildings.
The bank also has adopted a strong user education program - the type of program that should be the linchpin of any organization's security policy, according to John Lucich, president of the High Tech Crimes Network (www.htcn.org).
For companies that don't have as many resources as the Federal Reserve, Lucich suggests using technology to help enforce user policy.
"We talk about segmentation, demilitarized zones and other elements of a secure architecture. But then end users have access to anything they want, even though you wouldn't let your servers have that access," Lucich explains. "So end users should be segmented through a firewall inside the network that won't let them do unsafe things."
Just as important to this employee education process is the technical staff, many of whom commit security gaffes of their own (like punching holes through firewalls to let certain types of traffic in to support new applications, or downloading cool technical stuff they shouldn't).
"Once employees are aware of the value of their intellectual property, then those who design the technical infrastructure can see how this information logically goes through the network and see all the possible ways that information can be vulnerable," van De Gohm explains. "Then they use technology to mitigate those vulnerabilities."
For example, the vast majority of vulnerabilities reside in the application code itself. So some of the most intensive training should be offered to the programming team so programmers can learn how to develop code that's free of common vulnerabilities, says Poynter.
In fact, all change control policy should formally include security sign-off on projects, says Paul Raines, vice president of information asset protection at the Federal Reserve Bank of New York.
"This is one of the most difficult challenges a security manager has," Raines explains. "Developers don't know security. But they don't like security people hanging around because they think the security staff holds things up."
So the security manager must get buy-in from the top, he says. But the people at the top won't buy into processes that may not be able to keep up with the flow of business.
"Are you going to tell your stockholders that we decided to delay our next version for three months while we figure out the security bugs?" Raines asks.
"No. Most companies put applications on the Web and let hackers do the beta testing on the security holes."
This is why it's important to change the mind-set of the security group from one that bogs down business to one that enables business, Pescatore says.
"Too many security groups are focused on auditing problems vs. proactive enablement of business," he explains. "The security group needs to change from being the group that says 'no' at the end of a project to the group that gets involved in the beginning of a project by building secure hooks into the infrastructure."
That means developing review processes and tweaking the infrastructure to keep pace with business development cycles, from concept through change management and beyond, Poynter adds.
For example, businesses today are grappling with a proliferation of wireless devices like the personal digital assistants and cellular phones that are now accessing their networks. Obviously, these devices are becoming valuable business enablers by supporting all types of remote inventory and order-entry applications. But it's nearly impossible to authenticate and grant privileges to these devices because their ability to use passwords, user names or encryption is almost nonexistent.
So, instead of inhibiting business flow by saying, "No handheld access devices because they're insecure," the security manager can raise questions that would solve the user problem while minimizing risk - questions like, "Should we allow all of our users in from all these devices? Should we let them do all things from these devices?" says Pescatore.
Erasing the Security Lines
As security personnel learn to work proactively with other business and IT departments, their next payoff will be a merging of IT roles and responsibilities, Lucich contends.
"You can't have these segmented IT domains where the leader of each domain doesn't answer to anyone in another domain," Lucich explains. "Everyone talks about the coming convergence of technologies. Sooner or later, you'll also see the convergence of responsibilities. Then there needs to be a chief security officer who says, 'I'm the one in charge of this infrastructure, and the key pinnacle here is security.'"
But to make this cultural change, security managers must drop their hard-line stances on "bulletproof" security and learn to manage risk, Raines says. That means levels of security will be different for every situation, depending on what you most need to protect, what resources you're willing to put toward that protection and what you're willing to risk to allow business processes to flourish.
If security professionals can show others in the organization that they can balance the needs of business against risk and protection, then it won't be long until they're invited into the boardroom to articulate security issues, Raines says.
Only when all these elements - awareness, integration and boardroom buy-in - come together can security managers push their agendas toward building a comprehensible, flexible security architecture.
So say goodbye to the fortress mentality - guns, locks, fences and dogs, says van De Gohm. And, he adds, work to get everyone on the same page: "The integrated approach is the best security process there is."
Where's Your Weak Link?
No matter how proactive your security infrastructure may be, there's still the weakest link to think about - the company's human population.
Therefore, security policy is key to making or breaking an organization's information-protection measures, says Paul Raines, vice president of information asset protection at the Federal Reserve Bank of New York. That's why Raines' organization enforces a strong security policy throughout the user population.
Start by keeping the policy simple, Raines suggests. Put it in language that users understand. And keep it short. (Raines' group keeps its user policies to two or three pages.) Key points to consider, he says, include the following:
-- Avoid unauthorized access to resources outside the company's network.
-- Don't allow people to transport intellectual property outside the company.
-- Use strong alphanumeric passwords, update them regularly, don't share them with anyone and don't hide them near computers. To avoid forgetting, Raines advises using passwords that sound familiar when spoken, like ipa2thflg ("I pledge allegiance to the flag").
-- For road warriors on laptops, use application-level encryption, work off disks and keep them with you, or remove and vault the hard drive.
-- Don't put any sensitive data on handhelds. If they can access the network, install password programs on them.
-- Delete user accounts upon employee termination and recover all equipment used by that employee to access the network.
At the network level, Raines also advises periodic security tests - everything from war dialing (automated calling of banks of phone numbers) in order to find undocumented modems to encrypting stored data on servers and checking password strength with password-cracking tools.
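The password points in the list above (strong alphanumeric passwords, regular updates, no sharing) and the password-strength check Raines recommends can be turned into a simple audit. The following is an added example written for this article, not code from the Federal Reserve Bank of New York or any product it uses; the minimum length of 8, the 90-day rotation period, the "Finance" user-name check and the small weak-password list are assumptions chosen for illustration, since the article gives no numbers. It runs a policy check over a few constructed user records and reports, per user, which points fail, and it confirms that the article's spoken-mnemonic example ipa2thflg passes the alphanumeric rule.

```python
"""Password policy audit based on the policy points listed in the article.

Added example, not the bank's own code. Thresholds and the weak-password
list below are assumptions for illustration, not values from the article.
"""
from datetime import date
import re

MIN_LENGTH = 8        # assumed minimum length
MAX_AGE_DAYS = 90     # assumed rotation period ("update them regularly")

# Constructed stand-in for the word list a password-cracking tool would use.
WEAK_PASSWORDS = {"password", "letmein", "welcome1", "qwerty", "summer2000"}


def check_password(password: str, username: str,
                   last_changed: date, today: date) -> list[str]:
    """Return the list of policy points the password fails (empty = passes).

    Checks: minimum length, letters AND digits present (the article's
    'strong alphanumeric'), does not contain the user name, not in the
    weak-password list, and not older than the rotation period.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both letters and digits")
    if username.lower() in password.lower():
        problems.append("contains the user name")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears in the weak-password list")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append(f"not changed in more than {MAX_AGE_DAYS} days")
    return problems


def audit(records: list[dict], today: date) -> dict[str, list[str]]:
    """Run check_password over a roster and return only the failing users."""
    findings = {}
    for rec in records:
        problems = check_password(rec["password"], rec["username"],
                                  rec["last_changed"], today)
        if problems:
            findings[rec["username"]] = problems
    return findings


# Constructed sample roster; 2000-07-17 is the article's dateline.
TODAY = date(2000, 7, 17)
SAMPLE_RECORDS = [
    # The article's mnemonic example: letters + digit, recently changed.
    {"username": "jsmith", "password": "ipa2thflg",
     "last_changed": date(2000, 6, 1)},
    # In the weak list and digits-only failure is not triggered (has both).
    {"username": "mjones", "password": "welcome1",
     "last_changed": date(2000, 7, 1)},
    # Contains the user name, too short, no digits, and stale.
    {"username": "alee", "password": "alee",
     "last_changed": date(1999, 12, 1)},
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_RECORDS, TODAY).items():
        print(f"{user}: " + "; ".join(problems))
```

The check is a policy screen, not a cracking run: it catches the failures that a written policy names (length, composition, reuse of the user name, age, dictionary words) and can run inside an account-creation or password-change workflow, whereas the cracking tools Raines mentions are run offline against stored password hashes to find what the screen missed.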