Advertisment

Security: Liberty, and IT Fraternity

author-image
DQI Bureau
New Update

Information security has been among the top areas of IT spending over the

last few years and will continue to be so this year. Surveys have shown that

despite increased spending, security violations are growing more frequent.

Increased regulatory compliance requirements have also made the top management

focus more on information security issues. Furthermore, with most companies now

having operations in other parts of the world (either directly or through

partners), worldwide IT security, too, has assumed importance. Prudent

prioritizing of areas for security spending and adopting appropriate strategies

have become more important than in the past.

Advertisment

Base your expenditure on well-formulated risk-assessment and risk-treatment

plans: It is crucial to start with a rigorous risk-management effort. This would

require you to identify what you need to protect, analyze scenarios, assess

risks involved, work out a risk treatment plan, select controls, and plan

implementations.

Make sure you update them periodically to reflect the changes. Use specialist

services to assess vulnerabilities in your network and applications by

penetration testing, rather than finding them out after a security incident.

Risk management is the key and technology has to come later.

Use

security awareness and corporate culture to advantage: Create awareness on

security aspects by employee training. For example, an in-house newsletter can

highlight the security threats. Also, ensure that employees are continuously

informed of security risks, policies and their role. Use the ability of the

employees to come up with suggestions and support them for their extensive

participation. Make sure that departments that are stakeholders in a successful

security programme take effective part in the entire awareness program.

Advertisment

Enforcing is important: Policies for many security processes are usually

written, but unless those are implemented, no real purpose is achieved. Make

sure the policies are updated periodically. Majority of times, implementation of

the right policy would be more cost-effective than technology investment to take

care of protection.

Implement an appropriate Information Security Management System (ISMS). There

is an increased activity across the industry to adopt standards such as BS7799.

An ISMS includes essentials for a good security program-systematic assessment

of risks, setting up of the risk treatment plan, selection of controls,

implementation of guidelines, policies and procedures. Set up an effective

organization to implement and enhance the ISMS periodically and to effectively

implement the various requirements.

Use Managed Security Service Providers (MSSP). Most large set-ups now provide

round-the-clock information services to their customers. All of them require

round-the-clock vigilance to monitor intrusions and to respond to the incidents.

Use MSSPs to get round-the-clock vigil and management of security infrastructure

at lower costs. Further, MSSPs can get bring in many other benefits including

the use of event correlation tools and automation (all of which would be very

expensive to own individually).

Advertisment

Adopt automation: Any information security set-up involves analysis of huge

volumes of event data and reports. Adopt automation, wherever possible, in patch

management, log analysis, consolidation of reports, analyzing or alerting.

Develop metrics for the security programe: Develop metrics for the security

programme and make it part of the organization's MIS as a regular report (eg,

as Information Security Scorecard). Highlight information security to the top

management by this report and by other ways. All of these can not only make

technology work better for you but can also ensure that business would be better

prepared to meet the ever-growing compliance requirements. This will also ensure

that the top management approves security budget proposals for your security

programme.

The public keys to protect your info



Enterprises have traditionally spent a significant amount securing the

network perimeter against external threats by deploying security systems like

firewalls, intrusion detection systems, and anti-virus software-little

realizing that information assets are just as vulnerable from within an

organization as outside. Quite a few recent surveys corroborate this fact.

Discontented, reckless and greedy employees, and, in some cases, disgruntled

former workers can all be bigger threats than the mysterious hacker. Also, as

more companies outsource portions of their business or extend the

network/corporate resources, vital company information could easily fall into

the wrong hands. To build adequate safeguards, the key is to build

"Trust" around these systems.

Advertisment

Talking of Trust, there are many questions to explore:

  • How do we transact with faceless individuals literally sitting across the

    two ends of the wire?
  • How do we know whether the persons or entities we are dealing with are

    indeed the same as they claim?
  • Can we be sure that the information we sent across went without someone

    else taking a look at it?
  • How do we know that the data we received has not been altered mid-way?
  • What if the person we transacted with went back on his word? Do we have

    any evidence of the same?

In the physical world, we use and associate the signature of

a person to establish the identity and credibility of the individual, but what

happens in the electronic world? Coupled with all the above concerns is another

dimension of the law-what is the legal validity and sanctity of an electronic

transaction in any court of law?

Advertisment

Therefore, "creating trust" in an e-environment

involves assuring the transacting parties about the integrity and

confidentiality of the transaction along with authentication of the sending and

receiving entities such that both entities cannot repudiate the transaction. The

enabling technology to achieve "Trust" is PKI (Public Key

Infrastructure). Indian IT Act 2000 validates the use of Digital Signature,

which also enjoys evidentiary status in Indian courts of law.

Electronic passport

GENERATING THE ROOT KEY: SafeNet's Luna CA3 is a hardware security module (HSM) that is used to generate the root key in a PKI system and keep the private key secure. It uses a pin entry device (PED), EEPROM-based data keys and a PC Card reader that attaches to the server via an LVDS cable and PCI adapter. Containing a processor, firewall, flash memory and RAM, the PC Card is built with extra epoxy and secured with triple DES encryption. The card will destroy its contents if compromised

Advertisment

A Digital Signature Certificate is like an "electronic

passport." It's the identity of an individual on the Net. For a Digital

Signature to enjoy this legal status, it has to be issued by a licensed

Certifying Authority, or CA. Certifying Authorities are awarded licenses by the

Controller of CA (CCA) after ensuring that the licensee fulfils the stringent

criteria laid down in the IT Act. Once an individual gets an unique Digital

Signature Certificate issued by a certifying authority, the individual can affix

his or her unique digital signature on any e-mail, communication, transaction,

document or, for that matter, any content in the electronic format.

What can PKI do?



PKI, as we know it today, has evolved beyond the traditional offering of
e-security, and is considered a basic enabler of new e-business revenue streams.

PKI solutions can be used to secure a wide range of business-to-consumer (B2C)

and business-to-business (B2B) applications over the Internet. Early in its life

cycle, PKI only stepped in to provide application level security, doing away

with the weaknesses inherent in IDs and passwords, and linked the identity of

users to their Internet hosts through digital certificates. But later it went

further, and crossed the boundaries of security by enabling a host of services,

which were not previously enabled. The list: Digital Signing of electronic

documents; Electronic supply chain management; Electronic eOrdering and

eProcurement and Online eGovernment Services

These examples are new applications which were not commonly

carried out over for the Internet, but are now enabled due to the enhanced

security offered by PKI.

Advertisment

PKI-the technology



PKI is one of the few technologies today that integrate the disciplines of legal
practices and information technology. This results in several unique deployment

challenges. To understand PKI, one must appreciate the underlying concept of PKC

(Public Key Cryptography). It would be safe to say that though PKI is not a

technology at the forefront, PKC Techniques are pretty much the building blocks

for security applications.

What is public key cryptography?



While the private key, as the name suggests, is private to the user, the

public key is open. A user signs a piece of data with the private key to prove

identity, integrity and non-repudiation, whereas the user uses the public key of

the recipient to ensure privacy of data by encrypting the data with the public

key. Extend this concept from users to devices and applications-you have

public key cryptography forming the centerpiece to provide security. PKI boils

down to the infrastructure that is used to maintain the public and private key

pairs for operations.

If you look worldwide for significantly large and successful

PKI deployments you will find that these things are common:

  • PKI is part of a government-to-consumer interface

  • Technology-specific legislation prescribe clearly the use

    of PKI

  • Effective drive and implementation mandates from

    authorities

  • Enterprises have opted for the managed PKI services

    model, rather than setting up their own PKI

Moving forward, PKC plays a vital role in building blocks for

the emerging domain of "Application Security". Products and services

are being developed to address requirements like data security (data at rest,

databases, in-transit data) and transaction security (channel encryption). It's

just that many organizations are now realizing faster than before that the

"internal threat" or "application vulnerability" factor is

significantly high as corporate networks move beyond the realms of conventional

networks.

The new face of security



The rise of e-business and greater awareness of security issues has changed

the face of security. Customers, shareholders, staff and increasingly regulators

are demanding a greater commitment to security and associated privacy issues.

Three major trends are becoming apparent to security advisors: the need for

integration of security and privacy; the convergence of information security and

physical security; and the emergence of new security technologies such as

biometrics.

A typical network security scanner like the 'Infiltrator' can quickly audit computers for vulnerabilities, security holes and exploits, and information enumerations. Infiltrator can reveal and catalog a plethora of information on scanned computers - such as installed software, shares, users, drives, hotfixes, NetBios and SNMP information, open ports and much

more.

Holistic approach: Corporate security can no longer be

considered a piecemeal, low-priority operation applied to discrete areas. It

should be an integrated management discipline. If different business units can

set their own standards and procedures, hackers are presented with greater

opportunities to find gaps in corporate defenses. The security strategy should

include everything from establishing standards to processes to education.

Close the window of opportunity: Move your strategy from mere

'intrusion detection' to a multi-layered 'intrusion prevention'

approach. This will reduce the lost productivity and costs.

Provide security for people as well as data: There's

also a growing convergence between information security and the physical

security of people and property. Technology can play a key role in establishing

physical security, not only by establishing physical access systems, but

monitoring them as well. An organization's most critical corporate information

isn't simply stored in computer files-it resides in the minds of its

workers.

Balance the competing needs of security and privacy:

Rights of privacy tend to be 'absolute,' whereas the level of security must

be appropriate to your organization and its business interests. Any perceptions

by the market that your organization is not respecting the privacy of employees

or customers will quickly undermine brand equity. Work with your legal, HR and

communications advisors to develop communication strategies explaining your

policies and ensure that you live up to your own policies.

Stay tuned for the next 'big thing:' Stay current

with emerging security technologies like biometric identification. It is the

technique of identifying a person based on physiological and behavioral

characteristics. Physiological biometrics includes face, eye (retina or iris),

finger and palm identification, while behavioral biometrics includes voiceprints

and handwritten signatures. Latest thinking is that biometrics (what you are)

combined with other layers of security such as password (something you know) and

tokens or certificates (something you have) can provide the highest levels of

security.

Identity control



In the past, many enterprises addressed business issues with disconnected IT

initiatives targeted at a single problem-for example, having a Web presence,

or complying with new government mandates. The result is a hugely complex IT

environment that locks away information, hampering the enterprise's ability to

grow and prosper. While many enterprises struggle with highly complex IT

infrastructures, a few have created environments in which people communicate and

collaborate easily and always have the tools and information required to work

effectively. Two key characteristics distinguish these enterprises from the rest

and make them leaders in their respective industries: adaptability and agility.

Increasingly, agility itself is becoming a strategic imperative. Enterprises

that are developing strategies to increase agility and adaptability are

discovering that identity management is crucial. Identity management enables

enterprises to put technology to work for the people who power the business.

Secure Identity Management combines directory, meta

directory, provisioning, password management, auditing and professional services

to help solve critical business problems that all share. Identity integration is

the entry point into secure identity management. With identity management you

can:

  • Gain control of identity and lay the foundation for other

    identity-based business initiatives that enable the agile enterprise

  • Strengthen security around critical business data and

    physical resources, while ensuring easy access with a single password, ID

    card or fingerprint

  • Provide real-time information on key performance

    indicators to all levels of management, improving decision making and

    complying with the real-time disclosure requirements of many regulations

  • Create employee portals to reduce costs by empowering

    people to obtain information and perform many tasks and transactions on

    their own

  • Slash application development costs by moving to web

    services that unlock and dynamically combine siloed information or software

    capabilities to provide more intelligent information and more useful

    services

  • Automatically provision new users with access to business

    resources based on their role, increasing productivity for users and

    administrators

  • Automatically modify or secure access the moment a user's

    role changes to keep confidential resources safe

  • Implement secure password management to mitigate security

    risks, minimize cost and improve user experience

  • Provide secure, remote access from any location to

    resources based on a user's role or relationship

  • Maintain an audit trail that demonstrates compliance with

    internal business policies and external regulations

Identity Management solutions enable enterprises to gain

control of identity while leveraging previous investments and the proven

business processes they have developed over the years. These solutions unify

across resources and location barriers, providing the foundation to securely

deliver the right content and information to the right people at the right time,

while reducing IT costs, and enhancing user experience. It also provides

organizations the agile foundation they need to keep pace with tomorrow's

world.

With contributions from Editorial Advisors -Sekhar

Sethuraman
, Advisor (Secured Converged Networking), Ramco Systems; Urmez

Daver
, Consultant,  SafeScrypt; Ramesh Narasimhan, Country

Manager (ITS) IBM Global Services India; and Ashit Panjwani, National

Manager (Alliance & Marketing) Onward Novell Software

Advertisment