Renewal of faith
When he was asked to resign, a customer service executive at one of
India's major book and magazine distributors copied the entire subscriber
database. No, he didn’t sell or circulate it to rival companies. Instead, he
sent a direct mail to all subscribers on look-alike stationery, informing them
that their subscription period was nearing its end, and asking them to send in
renewal fees. About 18% of the subscribers responded with cheques to his
similar-sounding 'company'. The company lost around Rs 15 lakh, a lot of face,
and had to honor the subscriptions.
To his own credit
He was involved in automating the process of transferring credit card
payment data from his organization to a credit card company. Several years
later, he became the desktop support consultant and was given privileged access
to NT servers. He used this privilege and his knowledge from the previous role
to re-visit the database and siphon off around $400,000 over five years. The
incident was detected when a customer complained that he was billed for the same
item twice. Not only did the incident trigger off bad press and loss of customer
confidence, the company’s relationship with key business partners also became
strained. Also, 100 man-days were spent investigating the incident and taking
remedial action.
We have not even started talking about hackers and industrial
espionage! Security breaches can happen any moment and the threats to your
company’s information assets are many, calling for a full-fledged information
security program. The ownership of this program, however, must not rest only
with the IT department. Remember–the IT department can only be the custodian
of information, the real losers in a security mishap are the business process
owners.
What’s more, regardless of the type or location of the
perceived threat, it is essential that an effective system for securing the
integrity of information assets–while maintaining the availability of the same–ensure
that the information is accessed only by those authorized to do so. This also
means that the system should be able to implement policies that determine ‘who’
is authorized for ‘what’ access and to ‘which’ information, thereby
denying any malicious or destructive intrusion. Based on our research, and
interaction with experts, we present the best way to secure the lifeline of your
enterprise–information.
What are the technologies?
As dependence on IT systems grows, securing information assets has become a
business-critical function. While technologies available to business managers to
achieve these security objectives are many and varied, essentially, all
information security technologies can be thought of as performing one or more
roles. From basic access control software implementations to biometrics-powered
systems integration, all security products and services are now available in the
country through an assortment of security vendors. The critical decision,
however, is to decide what would be useful, versus fanciful security.
Firewalls: Firewalls are relatively simple and very
effective software and hardware, configured to protect the enterprise’s
perimeter. They shield the secure internal environment from the potentially
hostile external environment by governing the flow of communications to and from
the internal environment and the external environment.
Virtual Private Networks: Net-based VPNs create secure
connections over the Internet for remote access for telecommuting employees,
trading partners, and customers. By using digital encryption, they guard against
interception and disclosure of information in transit.
Multifactor Authentication: Traditional authentication
methods such as passwords are now being replaced by newer identity management
methods. Passwords that are easiest to remember are the ones that are easy to
crack. On the other hand, a password that is hard to guess is hard to remember,
thus increasing the administrative cost of maintaining passwords. Multifactor
authentication involves the use of techniques such as biometrics ("what you
are" authentication), and random password generators ("what you
know" + "what you have" authentication).
Trust Infrastructures: Trust infrastructure depends
upon a third party to register the identity of users and provide assurance for
those users on a real-time basis. Although an organization can choose to build
its own certificate authority and take responsibility for issuing keys and
certificates to its trading partners, third parties most commonly offer this
service.
Single Sign-On (SSO): This allows users to log on to a
system once to gain access to all the applications they are authorized to use.
When properly implemented, SSO can enhance security by providing a solution to
the users’ problem of managing and remembering a different user ID and
password combination for each application used. SSO is more than a convenience–it
also enhances security by reducing such possibilities as users leaving lists of
user ID and password combinations near their desktops or PINs attached to their
tokens with post-it notes.
Access Control: In essence, access control is
implemented as a database of users and their privileges. Many application
software suppliers offer access mechanisms. In addition, the digital certificate
that is at the heart of trust infrastructure can be the basis for access
control.
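The 'who', 'what' and 'which' policy and the users-and-privileges database described above, as an added example that is not part of the original article. Role names, resources and the sample account are constructed; the sketch denies by default and reports privileges left over from an earlier role.

```python
from dataclasses import dataclass, field

# Constructed policy: which role may perform what action on which resource.
ROLE_POLICY = {
    "payments_integrator": {("read", "card_payments_db"), ("write", "card_payments_db")},
    "desktop_support": {("admin", "nt_servers"), ("read", "helpdesk_tickets")},
    "departed": set(),  # leavers keep nothing
}


@dataclass
class User:
    name: str
    role: str                                  # current role
    grants: set = field(default_factory=set)   # (action, resource) pairs actually provisioned


def is_authorized(user, action, resource):
    """Default deny: the privilege must be provisioned AND justified by the current role."""
    allowed = ROLE_POLICY.get(user.role, set())
    return (action, resource) in user.grants and (action, resource) in allowed


def excess_grants(user):
    """Provisioned privileges that the current role does not justify."""
    return sorted(user.grants - ROLE_POLICY.get(user.role, set()))


def change_role(user, new_role):
    """Re-provision from policy on a role change; return the grants that were revoked."""
    if new_role not in ROLE_POLICY:
        raise ValueError(f"unknown role: {new_role}")
    user.role = new_role
    revoked = excess_grants(user)
    user.grants = set(ROLE_POLICY[new_role])
    return revoked


if __name__ == "__main__":
    # Constructed account: moved to desktop support, old payment grants never removed.
    u = User("example_user", "desktop_support",
             ROLE_POLICY["payments_integrator"] | ROLE_POLICY["desktop_support"])
    print("excess:", excess_grants(u))
    print("payments read allowed:", is_authorized(u, "read", "card_payments_db"))
    print("revoked on exit:", change_role(u, "departed"))
```

Running `excess_grants` over every account on a schedule, and `change_role` on every transfer or exit, turns the privilege database into something that can be audited rather than only consulted.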
Buying information systems security
A complete security solution that maximizes the benefits of networked data
communications must address a complete set of security issues–from physical
protection of assets to user authentication, access control, encryption,
management and monitoring of the network. An enterprise may employ any or all of
these elements to achieve integrity and access control. However, acquisition and
deployment of information systems security cannot be done without careful
planning and requires the maximum management effort. Here are a few things that
the management can keep in mind when thinking of incorporating security tools in
their information systems.
Draft a security policy: Security technology
acquisition and deployment must be governed by a security policy. The policy
must set out the objectives, and dictate what is to be protected, at what cost,
and with how much management effort. It is of utmost importance that you get the
top management to drive the initiative.
Assess your needs: The critical phase of any
technology purchase is need assessment. Management should carefully weigh
exactly what is expected of the security system to be acquired. Business
objectives and risks arising as a consequence of IT usage must be the only
drivers in the purchase decision.
Create the business case: From the perspective of
ensuring adequate return on investment it is always best to create a business
case for deploying security products. This is easier done for preventive and
enabling technologies, than for monitoring and integrative technologies.
Buy today, plan for tomorrow: This issue addresses the
vendor and product selection process. It is possible that as security needs grow
and more systems are added to the enterprise portfolio, the IS security may
become ‘over-cooked’. All purchase decisions should be made weighing
long-term IT usage objectives and the security implications of such usage.
Assess change on systems users: Security deployment
tends to affect systems users in the most direct manner. User irritation arising
from very tight security measures will defeat security objectives in the long
run. Before the purchase and deployment of security systems, assess what the
likely impact would be on user compliance to security measures.
Purchasing security
Information security products are broadly classified as technological and
‘soft products’, or ‘non-technological services’. Purchasing information
security involves mapping the purchase decision to business requirements in a
phased manner. In terms of the security stepladder, the following could form an
indicative path for security technologies acquisition and deployment for an
enterprise.
Preventive: Technology deployment starts with IT
systems initiation into the business. These technologies and methods help to
prevent security incidents from occurring. They operate in a defensive paradigm,
where the objective is to defeat known incidents that have occurred. Examples of
these include use of anti-virus software, network protection through firewalls
and technologies for backing up and restoring data.
The |
|
Firewall | Rs 1 lakh-10 lakh |
Anti-Virus | Rs 50,000-15 lakh |
Content inspection | Rs 2 lakh upwards |
IDS | Rs 3 lakh upwards |
Secure Backup | Rs 1 lakh upwards |
Vulnerability scan | Freeware / Rs 1 lakh |
Web Management | Rs 2 lakh upwards |
Log Analyzers | Rs 4 lakh upwards |
Biometrics | Rs 2 lakh upwards |
Monitoring: As an enterprise grows and its
computing infrastructure becomes more dispersed, monitoring tools become
essential. In this phase, delegation of control of IT systems occurs. Monitoring
technologies should be deployed to facilitate a single point of security
controls for the IT systems across the enterprise at this stage.
Enabling: As the enterprise initiates e-business
operations and shifts towards the ‘clicks-and-mortar’ business model of
transacting electronically with business partners and customers, the enterprise
needs to switch over to the infrastructure paradigm. The objective here is to
create a security infrastructure that other systems can use. Examples of these
technologies include the use of public key infrastructure-based digital
certificates to secure e-mail messaging, conduct e-commerce, and implement VPN.
Integrative: By the time an enterprise enables its
core functions, it has already spent a considerable amount. In the integrative
stage, it needs to maximize investments. Integrative tools such as single
sign-on enterprise security management provide the basis of integrating multiple
business apps by facilitating a shared security apparatus for applications
across the enterprise. If the goal and tools are right, and the plan too, you can
look to being secure!
Forecast: 2001-03
Operating Systems
- High-value applications will continue to be hosted on mature operating
system platforms through the forecast period.
- The process of uncovering and repairing security breaches in Windows
products will recur through the forecast period, resulting in more robust
versions.
- The move to server appliances for application and storage services will be
motivated, in part, by the fact that they provide standardized,
pre-configured security features.
- Concerns will emerge regarding the security of new operating systems for
handheld and cellular devices such as Palm OS and Symbian EPOC.
Network Directory Services
- The focal point of SSO authentication and authorization products will
shift from access control lists to network directories and LDAP.
Authentication
- Tokens and biometrics will increasingly augment password-based
authentication for high-value systems during the forecast period.
- Two-stage authentication systems that use more rigorous multifactor
authentication to provide access to critical data will be offered in the
marketplace.
- Trusted third-party service providers will play a stronger role in both
authentication and authorization (via digital certificates) during the
forecast period.
Middleware
- Microsoft’s COM and the industry consortium OMG’s CORBA will continue to
compete as the standard for object and component request brokers through the
forecast period.
- The TP monitor and MOM markets are mature and will remain stable through
the forecast period. A small number of suppliers dominate each market.
- Traditional middleware categories such as RPC and MOM will continue to
depend on external security mechanisms while focusing on a narrower and more
basic set of interoperability concerns.
- Extensible Markup Language will join Java, CORBA, and COM as a key
ingredient in transporting sensitive data, particularly over TCP/IP
protocols.
Malicious Code
- Antivirus software will continue to be the most widely deployed type of
security software.
- However, security threats other than viruses will cause more problems,
precisely because antivirus software is already so widely deployed.
Virtual Private Networks
- Organizations will continue to deploy or enhance VPN architectures to
support mobile workers and exploit the ubiquitous Internet.
- Trusted third parties (certificate authorities) will provide key management
support to VPN users.
- VPN appliances will appear in the marketplace for both the enterprise side
and the user side of the VPN.
Firewalls
- The proliferation of small and midsize enterprises connecting to the
Internet will create a market for firewall appliances that will grow rapidly
through the forecast period.
- Consumer use of personal firewalls will increase dramatically as a result
of the proliferation of always-on Internet access. At the same time,
enterprises will move to provide uniform firewall support for remote workers.
- Firewall products will incorporate functionality such as authentication
services and content filtering facilities as suppliers continue to add value
to their products.
Intrusion Detection Systems
- Hybrid IDSs will become more common than systems based on
either anomaly or misuse detection. Similarly, hybrid systems
will encompass both host- and network-based products.
- Aided by VA products, new services will be offered to test IDS
configurations in place in an organization.
- Communication appliances providing plug-and-play IDS services
will appear in the market, aimed at a wide spectrum of users:
SOHOs as well as enterprise network managers.
Source: Pricewaterhouse Coopers
Vendors for you
Anti-virus Software
- Network Associates
- Symantec Corporation
- Trend Micro
- Computer Associates
Firewall
- Check Point
- IBM
- Novell
- Cisco
- Network Associates
Intrusion Detection Systems
- Internet Security Systems
- Network Associates
- Network Ice
- Network Security Wizard
- Axent Technologies
- Network Flight Recorder
Virtual Private Networks
- Check Point
- Cisco
Random Password Generators
- Ace Server from RSA Technologies
Content Inspection
- Mimesweeper
- Computer Associates
- Network Associates
- Symantec
- Trend Micro
Public Key Infrastructure
- Entrust
- Baltimore
- VeriSign
Single Sign-on
- IBM
Enterprise Security Management
- Axent Technologies
- Bindview
- Computer Associates
- IBM
Log Analyzers
- Webtrends