In Person: Enterprise Security
'New technologies bring in newer threats'
Networks are well protected from the outside, but are quite vulnerable once
you get inside. Dion Wiggins, Research Director, Gartner, explains the problems
behind this approach, as well as the threats coming in with newer technologies.
by Anil Patrick R
What are the new threats and vulnerabilities
that enterprises are confronted with as they open up their networks to business
partners, suppliers and mobile workers?
There are many security threats. For example,
if you look at enterprises today, they are typically very well protected from
the outside. They have this 'castle' or 'fortress' mentality. They build rigid
walls that are very hard to break from outside. Once you are inside, there is
very little security in most cases.
Take for example, technologies such as
wireless LANs. I know of an office that has banned wireless LANs. Yet, the office
above has a wireless LAN that is completely open. So they are able to look around
their own office (network) by hooking into the wireless LAN above, and 'VPNing'
back into the original network.
With mobile devices the threats are getting
more powerful now. For example, you can store up to 1 GB with (matchbox sized)
microdrives, that can be used in a PocketPC, or one of the other devices. I
can walk into an office and if no one is paying attention, I can literally plug
that device into a USB port, where there is very little security on the machine.
Most PCs will just accept the device without security checks. I will be able
to download whatever I want into that device.
One of the biggest issues today is that
companies aren't standardizing on mobile device practices, let alone mobile
devices themselves. A large percentage of users with their own mobile devices
don't even set passwords. The devices usually contain e-mail as well as corporate
and private information. They also contain contact databases and many other
things. There are thousands of such devices lost or stolen a year.
New technologies like Web services present
additional threats. What are these new threats and can they be overcome?
Web service security is very much over-hyped.
However, the reality is that Web services are not natively secure. They are
secured by third-party technologies.
These are technologies that have been used
for a long time like SSL, client and server-side certificates. There are security
standards coming in now like WS-Security. These standards are addressing a lot
of the new things required for Web services, which have never been required
from any other technology. For example, role-based security within data. I may
be transmitting a complete set of data over a Web service. But the data on the
other side has to be personalized. I want individual A to be able to access,
say 1, 2 and 5. Individual B to access 1, 2, and 7, and individual C to be able
to access only 6 and 3. These kinds of requirements need standards and layers
of encryption that need to be manipulated only according to the user's role.
The standards are maturing and they will
probably be a year to a year-and-a-half away from actually being mature. Security
of Web services is a relatively minor issue compared to what people make it
out to be.
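One way to express the per-role data access Wiggins describes (A sees fields 1, 2 and 5; B sees 1, 2 and 7; C sees only 3 and 6), as an added example that is not from the interview or from any Gartner or WS-Security material: the record is projected to the role's allowed fields, and for the "layers of encryption" idea each field gets its own key derived from a master key so a role is handed only the keys for its slice. The master key, field numbering and field names are constructed for the example; the actual sealing of each field would use a real AEAD cipher, which is left out here.

```python
import hmac
import hashlib

# Constructed sample record: fields numbered 1..7, as in the interview's example.
RECORD = {1: "customer name", 2: "account number", 3: "balance", 4: "branch",
          5: "phone", 6: "credit limit", 7: "tax id"}

# Role policy from the interview. Anything not listed is denied (deny by default).
POLICY = {"A": {1, 2, 5}, "B": {1, 2, 7}, "C": {3, 6}}


def project_for_role(record, role, policy=POLICY):
    """Return only the fields the role is entitled to; unknown roles get nothing."""
    allowed = policy.get(role, frozenset())
    return {f: v for f, v in record.items() if f in allowed}


def field_key(master_key, field_no):
    """Derive a distinct per-field key from one master key (HMAC-SHA256 used as a KDF)."""
    return hmac.new(master_key, b"field-%d" % field_no, hashlib.sha256).digest()


def key_bundle_for_role(master_key, role, policy=POLICY):
    """Each field is sealed under its own key; a role receives only the keys for
    its allowed fields, so one record can be sent whole while each recipient
    can open only its own slice."""
    return {f: field_key(master_key, f) for f in sorted(policy.get(role, ()))}


def can_open(bundle, field_no, master_key):
    """Check whether a bundle holds the correct key for a field (constant-time compare)."""
    k = bundle.get(field_no)
    return k is not None and hmac.compare_digest(k, field_key(master_key, field_no))


if __name__ == "__main__":
    master = b"constructed-master-key"  # placeholder, not a real secret
    for role in ("A", "B", "C", "guest"):
        print(role, sorted(project_for_role(RECORD, role)),
              sorted(key_bundle_for_role(master, role)))
```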
Can you suggest a basic framework to secure
the present day enterprise?
The first thing is to have a security architecture.
As I mentioned earlier, most of today's enterprises just focus on the 'fortress'
model. They don't focus even on the basic issues of people security.
Technology is just an enabler to help you
implement security. There are many culture and people-related factors. Many
companies require employees to wear an ID badge. If the CEO or one of the senior
managers isn't wearing their ID badge, will they be challenged? In most companies,
they will not be. These are the people who have access to all the important
information in the company. Say, the CEO is dismissed by the board. If the person
was of a negative nature, he could do a lot of damage because no one would challenge
his ID. This is why security is a people issue.
From the security or IT perspective, you
need an architecture that goes down into many layers. Start off with a multi-enterprise
architecture even if you are a single enterprise. Then layer down into processes
and business functions. After this comes styles of applications and finally
blocks. Blocks can be technology, standards, products, etc. That layers into
an overall technology architecture.
Why should security policies be tailored to
each organization rather than use a 'one size fits all' approach?
That approach is simply not good enough.
You need to think about how it applies to your business. You also need to apply
logic and devise frameworks about how you are going to support your partner
For example, if you VPN into someone else's
network, you are using their security policies, and vice versa if they come
into yours. If you are transmitting data between, you might be sharing security
policies. So it is necessary.
When it comes to slashing costs or budget
reductions, security gets hit first. Can you provide advice to CTOs/CIOs to help
them justify security spend?
I'd like to explain this with an example.
A bank had a security problem. Around 30 or 40 accounts had their passwords
taken and accessed and money transferred to another account. This was a very
simple security breach. The person who did the breach simply installed keystroke-sniffing
software and captured the passwords. To repair the security holes is easy. But
repairing the damaged trust is a big task.
In an enterprise, look at the cost of not
having security and what will happen if you have a breach. What will be the
damage done to the business? If your customer data is exposed on the Internet,
what is the damage caused? Will you lose sales, will it cause losses? What are
the other factors that come into play? You need to determine what level of risk
is acceptable. There is no such thing as perfect security. There has to be a
certain level of acceptable risk.
Do you think Indian enterprises make the grade
when it comes to securing their IT infrastructure?
Few do, to be honest. There is a lot more
work that needs to be done on people and processes. They lack a security culture.
For example, if you have security policies
documented, it will be interesting to do a survey of how many people can tell
you what is in their security policy. Many companies give out employee manuals,
which go onto the shelf. Nobody has a look at them till there is a need to
reference them. A simple way to do it would be to have a one-page document that
explains the security policies at a high level. These are just basic things
in many cases.
IT is just part of the picture. Security
is more of a business issue than an IT one.
Anil Patrick R can be reached at firstname.lastname@example.org