In Person: Enterprise Security

'New technologies bring in newer threats'

Today's networks are well protected from the outside, but are quite vulnerable once you get inside. Dion Wiggins, Research Director, Gartner explains the problems behind this approach, as well as the threats coming in with newer technologies. by Anil Patrick R

What are the new threats and vulnerabilities that enterprises are confronted with as they open up their networks to business partners, suppliers and mobile workers?

There are many security threats. For example, if you look at enterprises today, they are typically very well protected from the outside. They have this 'castle' or 'fortress' mentality. They build rigid walls that are very hard to break from outside. Once you are inside, there is very little security in most cases.

Take for example, technologies such as wireless LANs. I know of an office that has banned wireless LANs. Yet, the office above has a wireless LAN that is completely open. So they are able to look around their own office (network) by hooking into the wireless LAN above, and 'VPNing' back into the original network.

With mobile devices the threats are getting more powerful now. For example, you can store up to 1 GB with (matchbox sized) microdrives, that can be used in a PocketPC, or one of the other devices. I can walk into an office and if no one is paying attention, I can literally plug that device into a USB port, where there is very less security on the machine. Most PCs will just accept the device without security checks. I will be able to download whatever I want into that device.

One of the biggest issues today is that companies aren't standardizing on mobile device practices, let alone mobile devices themselves. A large percentage of users with their own mobile devices don't even set passwords. The devices usually contain e-mail as well as corporate and private information. They also contain contact databases and many other things. There are thousands of such devices lost or stolen a year.

New technologies like Web services present additional threats. What are these new threats and can they be overwhelmed?

Web service security is very much over-hyped. However, the reality is that Web services are not natively secure. They are secured by third-party technologies.

These are technologies that have been used for a long time like SSL, client and server-side certificates. There are security standards coming in now like WS-Security. These standards are addressing a lot of the new things required for Web services, which have never been required from any other technology. For example, role-based security within data. I may be transmitting a complete set of data over a Web service. But the data on the other side has to be personalized. I want individual A to be able to access, say 1,2 and 5. Individual B to access 1, 2, and 7, and individual C to be able to access only 6 and 3. These kind of requirements need standards and layers of encryption that need to be manipulated only according to the user's role.

The standards are maturing and it will probably be a year, to a year-and-a-half away from actually being mature. Security of Web services is a relatively minor issue compared to what people make it out to be.

Can you suggest a basic framework to secure the present day enterprise?

The first thing is to have a security architecture. As I mentioned earlier, most of today's enterprises just focus on the 'fortress' model. They don't focus even on the basic issues of people security.

Technology is just an enabler to help you implement security. There are many culture and people-related factors. Many companies require employees to wear an ID badge. If the CEO or one of the senior managers isn't wearing their ID badge, will they be challenged? In most companies, they will not be. These are the people who have access to all the important information in the company. Say, the CEO is dismissed by the board. If the person was of a negative nature, he could do a lot of damage because no one would challenge his ID. This is why security is a people issue.

From the security or IT perspective, you need an architecture that goes down into many layers. Start off with a multi-enterprise architecture even if you are a single enterprise. Then layer down into processes and business functions. After this comes styles of applications and finally blocks. Blocks can be technology, standards, products, etc. That layers into an overall technology architecture.

Why should security policies be tailored to each organization rather than use a 'one size fits all' approach?

That approach is simply not good enough. You need to think about how it applies to your business. You also need to apply logic and devise frameworks about how you are going to support your partner businesses.

For example, if you VPN into someone else's network, you are using their security policies, and vice versa if they come into yours. If you are transmitting data between, you might be sharing security policies. So it is necessary.

When it comes to slashing costs or budget reductions Security gets hit first. Can you provide advice to CTOs/CIOs to help them justify security spends?

I'd like to explain this with an example. A bank had a security problem. Around 30 or 40 accounts had their passwords taken and accessed and money transferred to another account. This was a very simple security breach. The person who did the breach simply put keyboard sniffing software and captured the passwords. To repair the security holes is easy. But repairing the damaged trust is a big task.

In an enterprise, look at the cost of not having security and what will happen if you have a breach. What will be the damage done to the business? If your customer data is exposed on the Internet, what is the damage caused? Will you lose sales, will it cause losses? What are the other factors that come into play? You need to determine what level of risk is acceptable. There is no such thing as perfect security. There has to be a certain level of acceptable risk.

Do you think Indian enterprises make the grade when it comes to securing its IT infrastructure?

Few do, to be honest. There is a lot more work that needs to be done on people and processes. They lack in security culture.

For example, if you have security policies documented, it will be interesting to do a survey of how many people can tell you what is on their security policy. Many companies give employee manuals, which goes on to the shelf. Nobody has a look at it till there is a need to reference it. A simple way to do it will be to have a one page document that explains the security policies at a high level. These are just basic things in many cases.

IT is just part of the picture. Security is more of a business issue than an IT one.

Anil Patrick R can be reached at anilpatrick@networkmagazineindia.com