Making sensible investments in security.
That scenario is one of every executive's worst nightmares. Unfortunately, it is a recurring nightmare, because most business leaders don't know enough about computer and network security to understand what level of expenditure they need to make and what security programs and practices they have to implement to appropriately protect their business. Consequently, security efforts are often unfocused and under-funded.
Effective security is driven by business needs, so it is more important to think clearly about security from a business perspective than from a technical perspective. Start by understanding what you need to protect--it is usually a very short list. For example, a hedge fund company might determine that the three most important things it needs to protect are its analytics, its positions and investor information. With those clear goals in mind, it is straightforward to develop measures and control processes that will genuinely protect the business. Let's look at the key elements of a security program.
The Key Principles
Practical security rests on three key principles and a simple corollary. The key principles are authentication, authorization and auditing.
Authentication addresses the need to verify the identity of users and software processes. In its simplest form, this is usually accomplished with a user name and password (something you know). Applications handling highly sensitive data often require a higher level of identity verification. Sometimes hardware tokens or biometrics are used for this purpose (something you have, plus something you know). To verify the identity of servers, for example to make sure your systems are interacting with legitimate business partners, software mechanisms like digital certificates are often used.
Authorization addresses the need to manage access to resources. This principle applies at all levels in an IT environment, ranging from administrator access to devices like routers and computers to role-based access to particular applications. For example, a banking application may allow a teller to cash a check for up to $5,000, but requires a branch manager to perform withdrawals above that limit.
Auditing addresses the need to be able to track who did what and to ensure the integrity of information. While automated mechanisms are necessary, effective auditing usually combines electronic means with manual control policies and practices.
The corollary involves the concepts of prevention and detection. Prevent what you reasonably can and be sure to detect what you can't prevent. Too often, companies deploy prevention-oriented security measures that hurt the conduct of the business because they fail to consider alternative detection-oriented approaches. The detection measures are often closely related to compensating controls.
To illustrate the importance of considering both prevention and detection in securing your company, consider the example of the foreign exchange trading desk of a major financial institution. It had designed its trading application to prevent traders with expired authorization credentials from performing any actions. Clearly, the firm was trying to protect itself from traders whose employment had been terminated. What the firm had not considered was that authorization credentials expire all the time (by firm policy). It had created a situation in which traders were regularly locked out of their accounts for hours at a time while the market was moving. Traders couldn't get out of bad positions or take advantage of the market moving as they had anticipated.
The solution was to change the trading application to support the detection philosophy. When a trader's credential expires while the market is open, the account is no longer locked. Rather, a control program is launched that carefully monitors and records all of the trader's actions and alerts a supervisor if certain trigger conditions are detected.
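The monitored-session control described above, as an added example that is not the firm's own code; the trader names, notional limit, activity window and trigger conditions are assumptions made for the illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical types and thresholds, constructed for this illustration.
@dataclass
class Credential:
    trader: str
    expires_at: datetime

@dataclass
class TradeAction:
    timestamp: datetime
    symbol: str
    notional: float

@dataclass
class SupervisedSession:
    """Compensating control: a credential that expires while the market is open
    does not lock the account. Every action is recorded (auditing) and a supervisor
    is alerted when a trigger fires. Outside market hours the preventive lock applies."""
    credential: Credential
    market_open: bool
    max_notional: float            # trigger 1: a single trade larger than this
    max_actions_per_window: int    # trigger 2: a burst of actions inside the window
    window: timedelta = timedelta(minutes=5)
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def expired(self, when: datetime) -> bool:
        return when >= self.credential.expires_at

    def submit(self, action: TradeAction) -> str:
        if self.expired(action.timestamp) and not self.market_open:
            return "locked"                      # prevention: no open market to protect
        self.log.append(action)                  # auditing: record every action
        if not self.expired(action.timestamp):
            return "accepted"                    # valid credential, normal path
        who = self.credential.trader             # detection: monitored mode from here on
        if action.notional > self.max_notional:
            self.alerts.append(f"{who}: {action.symbol} {action.notional:.0f} exceeds limit on expired credential")
        since = action.timestamp - self.window
        burst = [a for a in self.log if a.timestamp >= since and self.expired(a.timestamp)]
        if len(burst) > self.max_actions_per_window:
            self.alerts.append(f"{who}: {len(burst)} actions in {self.window} on expired credential")
        return "monitored"

def run_sample() -> tuple:
    """Constructed session: credential expires at 10:00 while the market is open."""
    t0 = datetime(2003, 12, 1, 9, 58)
    s = SupervisedSession(Credential("trader-A", t0 + timedelta(minutes=2)),
                          market_open=True, max_notional=5_000_000, max_actions_per_window=3)
    actions = [TradeAction(t0 + timedelta(minutes=m), sym, n) for m, sym, n in
               [(0, "EURUSD", 1e6), (3, "EURUSD", 2e6), (4, "GBPUSD", 8e6), (5, "USDJPY", 1e6), (6, "USDJPY", 1e6)]]
    return [s.submit(a) for a in actions], s.alerts

def after_hours_sample() -> str:
    """Constructed case: same expired credential, but the market is closed, so the lock stands."""
    s = SupervisedSession(Credential("trader-A", datetime(2003, 12, 1, 10, 0)),
                          market_open=False, max_notional=5_000_000, max_actions_per_window=3)
    return s.submit(TradeAction(datetime(2003, 12, 1, 18, 0), "EURUSD", 1e6))
```

The first action is accepted on a valid credential; the remaining four are recorded in monitored mode, and two supervisor alerts are raised (one for the oversized GBPUSD trade, one for the burst of four actions within five minutes).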
These twin concepts come to play in the hacker scenario at the beginning of this article. With hackers developing new exploits hourly, you should take measures to prevent as many attacks as are reasonable, but you will never be able to prevent all possible attacks. Once you accept that the power of prevention is limited, you can turn to detection. In this case, it means instrumenting your systems so that they can recognize anomalous conditions or activity and quickly alert appropriate personnel.
Most organizations that are hacked don't even know it. There is no excuse for that, because routine and inexpensive measures such as reviewing firewall and system logs will tell you what you need to know. In larger organizations, where manual inspection of logs would be impractical, deploying a commercial intrusion detection product makes sense.
Mapping the Security Space
Sometimes while developing a practical security program, it is hard to know what aspects of security to consider. The ISO 17799 standard serves as a useful framework for thinking about security because it identifies the various dimensions of the problem. How far you need to go in any dimension depends on the specifics of your business. The standard covers a wide variety of security areas (see the list of areas at the end of this article).
A discussion of an ISO security standard automatically raises the topic of certification. Frankly, security certification is one area where many companies spend their money foolishly. The most common mistake is to hire an accounting firm to perform a SAS 70 assessment. Before dropping $250,000 or more on such an assessment, step back and take a few moments to understand why you think you need it.
On reflection, most organizations come to understand that what they really need is not a SAS 70 report but an independent third-party security review performed by security experts that generates a written report that can be given to prospective customers, auditors or regulators. These security reviews generally cost far less than a SAS 70 and provide the necessary information to correct deficiencies that are found.
While the framework of the ISO 17799 standard offers much value, the certification provisions prescribed by the standard are largely unworkable and will not make economic sense for most organizations. Nevertheless, there is value in the act of assessing compliance with the standard, rather than certification. It is an excellent way to quickly determine the strengths and weaknesses of a company's own security infrastructure, as well as the security infrastructure of critical third parties that it uses--for example, Internet service providers (ISPs), application service providers (ASPs) and development partners.
Thinking About Security by Analogy
In the late 1970s, the manufacturing community changed the fundamental way it thought about quality. Manufacturers realized that quality was not something that could be inspected at the end of an assembly line producing widgets. Rather, they realized that quality was something that had to be inherent in every stage, from design through delivery.
Security and quality are much alike. Just like quality, security has to be thought about and integrated into every aspect of a business. And just like quality, designing it in actually costs less in the long run.
What does "designing it in" mean? In a Web application, for example, it might mean designing a subroutine to check the value of parameters passed to the server from the client browser. At an architectural level, it means moving away from the old notion that you can put a hardened perimeter around your enterprise by using firewalls and instead adopting the concept of defense in depth.
This change in mindset is necessary because with today's technology, there are simply too many ways to pass malicious content through even properly configured firewalls. The situation is further compounded by the prevalence of electronic connections to business partners and application service providers (such as payroll processing, 401(k) plans, benefits management). Many organizations can no longer distinguish between "inside" and "outside."
The defense-in-depth approach means that you build business-appropriate security mechanisms, practices, procedures and controls into every system and application.
No one likes to hear it, but there is no free lunch where security is concerned. Ensuring the security of your enterprise costs money, and those costs are likely to increase for the foreseeable future. They are driven by required equipment, security products, personnel and outside expertise. Just like application development, security initiatives typically require a significant one-time investment and then generate ongoing operational costs. It makes no sense to detect anomalous activity if you are not going to have someone respond to the alert.
From a financial management perspective the right questions to ask are:
Is the budget we are allocating to security commensurate with our security threats and the damage to the business that might result? In most organizations, reputational damage far outweighs direct loss and cost of recovery.
Are we spending our security dollars wisely, in ways that best support our business?
Do we need to allocate security dollars to other departments in order to make security integral to our operation?
The essential security principles of authentication, authorization, and auditing are not hard to understand. However, understanding security by itself is not enough. Effective security begins with understanding what your business needs to protect, and developing practical plans to accomplish that. That practical approach includes developing a security architecture embodying the defense-in-depth philosophy, and it comes to fruition when organizations recognize that security cannot be bolted on and embrace the idea that security is integral to every aspect of the business.
Unless driven by a specific regulatory or customer requirement, it is almost always better to think in terms of security assessment or compliance assessment, rather than certification, because you simply get something meaningful for the money spent. Finally, security costs are likely to rise for the foreseeable future. The management challenge is to figure out what is the least you can spend to adequately protect your enterprise and then spend those funds wisely on the necessary people, products, and services.
Areas covered by ISO 17799
Asset Classification and Control
Physical and Environmental Security
Communications and Operations
System Development and Maintenance
Business Continuity Management
Jonathan Gossels is President of System Experts Corp. (www.systemexperts.com), a network security consulting services company based in Sudbury, Mass.
Title Annotation: special section
Date: Dec 1, 2003