- 27 February, 2006 14:09
The most secure IT system in the world is one that does not connect to anything, including electricity, that no one uploads or downloads anything on, and that sits in a sealed room, safe from intrusion or contact of any sort.
This is not a particularly useful system, but it is a safe and perfectly operating one. Unfortunately, it is also not a particularly realistic one.
As soon as you connect an IT system to the real world, whether a physical end user or an electronic network, you then open it to vulnerabilities, be they sourced from nuisance actions, criminal deeds or just plain stupidity. A virus every second is how one security vendor describes it.
Natural disasters, market and economic pressures, and increased regulatory oversight are driving organizations towards a state of greater risk awareness than ever before - some might say, a greater state of paranoia.
Whatever the mental state, this then requires a range of security measures to prevent or militate against each and all such problems. And when you do this, you inevitably have to play security off against productivity, efficiency and ease of use. Network speed slows to a crawl, passwords at every level become a nightmare, access restrictions impede effective use of resources: you have to pay the ferryman . . . don't you? Well, not always.
In many instances, upgrading or revamping your security can not only simplify operations, reduce costs and open new areas of functionality previously on the too-hard list, but in fact it can become a point of differentiation - a boon to marketing the organization.
"Our security model is not perceived, as it might otherwise be, as an impediment to business," says Richard Swift, operations manager for Yieldbroker, Australia's only fixed-income trading portal for fund managers. "Instead, it is often one of the attributes giving us unique credibility as a company taking security seriously and allowing us to maintain our valued position on users' desktops despite ever-increasing expectations from users' local security gatekeepers."
Security is important for an organization doing trades averaging $10 million each, and daily trading passing the $500 million mark. System failures are more than an inconvenience in this market, which is definitely not for the faint-hearted, and also not for those with a slapdash attitude to functionality.
"The system [we previously had] was operating on infrastructure purchased during the dotcom boom," Swift says. "Its value was depreciating rapidly and support options, where we could find them, were growing increasingly costly. Although the system had generally operated reliably, it was time to reconsider our hosting options. A recent increase in our regulatory requirements made us look favourably upon providers with relevant accreditation."
Yieldbroker aimed for a new system that would offer both security and functionality. "The drivers for the project were many: to improve operational transparency, to comply with industry best practices, to reduce costs and to modernize the infrastructure.
"End users have noticed a significantly improved response to requests for issuing new cryptographic certificates. And we've already made substantial savings as a result of the project," Swift says.
A similar outcome occurred for Queensland University of Technology's IT services. Having recently implemented a Juniper firewall and routing technology, QUT IT Service's team leader and technical architect for network applications, Terry Smith, says in general the impact on functionality and usability has been favourable.
"Clients [meaning staff and students] are able to access an increased range of services available on the Internet faster and more reliably; client system configuration has been simplified. Clients are satisfied with the solution and the number of client support calls has significantly decreased since implementation," Smith says.
He adds that the effort required to maintain the solution is significantly less than that required for the previous in-house solution, which means resources are freed to work on other security-related activities.
On a more fundamental level, though, there may be considerable albeit hidden costs. Andrew Walls, principal security consultant with Cybertrust, suggests that when security is woven in from the start, "you don't notice it. In fact, it can be a lot more efficient than the bandaid approach. But security as an afterthought or after the fact - there are inevitable downsides.
"Some people have more kit than they can use; it may be easier, crude and even effective, but does it cost less than monitoring and analysis?" The obvious message, then, is to go beyond patching and bandaids.
QUT's Smith says that security is taken very seriously at the university and is considered at every level of the organization. "Starting at IT governance and spanning through to client awareness initiatives, every aspect of security is considered in QUT's security framework. The [Juniper] solution was but one component within this framework.
"By considering security as a strategic goal [rather than a tactical necessary evil], it is possible to provide IT security with minimal impact on functionality and usability, and to actually increase productivity by minimizing downtime related to security events."
For final words of wisdom on ensuring a positive outcome from security implementation, Swift recommends the following observations:
- Look to deploy established commodity products that integrate well and be familiar with both the strengths and limitations of each
- Select service providers based on reputation and accreditation
- Leverage economies of scale available to service providers to achieve substantial solution cost reductions
- Develop a culture where security is expected and appreciated by staff and customers alike
- Have realistic expectations about the future of single-factor password security, get familiar with PKI (Public Key Infrastructure) and design a road map for moving to multifactor authentication
- Sell security to internal stakeholders as an asset or feature, with its own intrinsic value, rather than an unfortunate cost or overhead