June 16, 1997

Collapsing The Fortress Walls

Data insecurity still plagues distributed systems

By Bob Violino

At a recent conference on information security and the spread of high-tech crime, William Moran, executive VP and general auditor at Chase Manhattan Corp., lamented the new risks to data security and integrity, saying, "I liked it better back in the days when the data center was a fortress."

Too bad. Client-server systems and intranets are distributing data ever more widely. While CIOs charged with protecting that data agree the job was easier with highly centralized resources, it seems the trade-off is worth it: Distributed computing makes information more available and more useful to employees than ever before.

One way to ensure that client-server, intranets, and other distributed approaches bring value to the business is to safeguard the security and integrity of the information. It's also one of IT managers' biggest challenges.

First, points of vulnerability have increased dramatically in recent years. Corporate data (everything from information that helps employees do their jobs to trade secrets that help a company obliterate competitors) isn't centralized anymore. Most company data today can be accessed from hundreds, even thousands, of desktop and portable computers, located in dozens of remote offices. The Internet and intranets open organizations to even more possible intrusions.

Second, there are plenty of potential sources of attack. These include disgruntled employees (both former and current), malicious and mischievous hackers, computer viruses, and snooping competitors. Surveys conducted by the Computer Security Institute in San Francisco and InformationWeek, in conjunction with consultants Ernst & Young, find that the number of attacks is rising and that attacks often result in huge monetary losses.

Information security breaches cost the 563 U.S. businesses surveyed by the Computer Security Institute a total of $100 million last year. Also, nearly half the companies surveyed had some form of intrusion or unauthorized use of their systems in the last 12 months, up from 42% in 1995.

Another survey, this one an InformationWeek/Ernst & Young poll of IT and security managers at 1,320 North American companies conducted last fall, found that nearly 80% of companies suffered a financial loss related to information security and disaster recovery during the previous two years. Of those that had a financial loss, more than 25% said the loss was up to $250,000; 4% said it was $250,000 to $1 million, and 1% put the loss at greater than $1 million; nearly 70% couldn't estimate the amount. Also, more than 65% of the survey respondents said their IT security risks have increased over the past two years. Nearly 40% said risks have increased at a faster rate than the growth of computing resources.

Safeguarding Data
So how can you protect your valuable information when it's so widely distributed? The key, say IT managers and security analysts, is getting the right tools and people in place. The first part is getting easier: More good tools are becoming available. But good people, including senior IT security executives who can develop and oversee a comprehensive security policy and ensure that it's adhered to throughout the enterprise, are hard to find. "Organizations need a full-time security architect who's familiar with all the IT components," advises Ken Cutler, VP and director of the information security division of the MIS Training Institute in Framingham, Mass., and the former IT security chief at American Express Co. "There are security managers out there who don't even know what their environment looks like or which network protocols are in use."

There's good news on the horizon: Senior corporate managers are finally taking IT security seriously. In the past, many top managers viewed IT security as an added cost that contributed nothing to the bottom line. But today, with all the publicity about Internet attacks and computer crime, senior managers view security measures and qualified security staff as investments they need to make to protect some of their most valuable assets.

"The demand for qualified information-security professionals is rising exponentially," says Tracy Lenzner, president of Lenzner & Associates, an executive search firm in Williamsville, N.Y. She adds that companies seek executives to manage enterprisewide security, as well as those with strong technical skills to safeguard distributed systems.

Recruiters say experienced network security managers are commanding salaries of $95,000 to $140,000. IT security chiefs at larger companies are generally getting as much as $200,000, or even more, recruiters say. They estimate salaries in security-related jobs are rising about 20% annually. Companies also offer bonuses and other benefits to lure people.

In fact, budgets for IT security staffing, which includes consultants, contractors, and full-time and temporary employees, will increase by about 18% during the next year, according to a survey of 340 IT and security managers released in March by the Computer Security Institute and independent security consultant Charles Cresson Wood.

First Union Corp. is one company that's stocking up on security personnel. The Charlotte, N.C., bank is the nation's sixth-largest, and one of the first to use the Internet for financial transactions. It's a role model for setting up an IT-security operation in a distributed environment.

Peter Browne, a former security chief at Motorola, joined First Union about a year ago as senior VP of information security. Since then, he has assembled a 26-person team that includes experts in TCP/IP, Windows NT, Unix, NetWare, and SNA. The team even has a software engineer who continually tests the bank's systems by trying to hack his way in.

Browne manages the entire security infrastructure, including oversight of firewalls, encryption techniques, password protection, and antivirus software. But he makes it clear to First Union's business-line managers that they, and not he, are responsible for keeping their systems secure. To help them, First Union has adopted companywide standards and guidelines for such things as network access control, virus protection, and disaster recovery. Every business unit is tested quarterly against a compliance measurement baseline, and the compliance scores are placed in a database.

"We did this at Motorola, and everyone was competing to have the highest score," Browne says. "Over a two-year period the compliance rate went from 37% to 98%. We're trying to duplicate that here."

To further boost security and provide support when attacks do occur, First Union is creating an incident-response team headed by the corporate hacker.

Hewlett-Packard is protecting itself against security problems arising from its increased use of the Internet and intranets. HP operates one of the largest intranets, and VP and CIO Robert Walker has dedicated several people to network security. He's also exploring new security technology such as biometrics, which includes retina and fingerprint scanning and voice recognition, to keep unauthorized users out.

While promising, biometrics technology is still relatively untested, lacking in standards, and costly. Fortunately, the list of useful tools to protect distributed data is growing.

Vendors of both security products and traditional IT gear are beginning to offer integrated packages with encryption, authentication, client and server firewalls, and antivirus software that supports multiplatform environments. These vendors include Bay Networks, HP, IBM, McAfee, Security Dynamics Technologies, and Sun Microsystems.

The closest thing to an enterprisewide authentication and encryption technology is Kerberos. It's a server-based security protocol that's also a major component of the Open Group's Distributed Computing Environment.

Technology managers have been slow to adopt Kerberos, but that may change as their options widen. Vendors including Cygnus Solutions in Mountain View, Calif., are introducing products that support the Windows NT and Unix (in variants from Digital Equipment, IBM, and Sun) platforms.

Kerberos uses a so-called ticket-granting authentication system, which provides a basis for single sign-on access to systems, while at the same time providing encrypted communications between clients and servers. The original Kerberos software code was designed at MIT and has been available free on the Internet for years. Despite that, only Cygnus and a handful of other vendors have adopted products based on the code.

Kerberos is only part of the solution. "Even if you have Kerberos at the server, you still need to protect the front end with strong authentication and access-control mechanisms, such as ID cards and single sign-on," says Cutler of the MIS Training Institute. Cutler also recommends that organizations institute reliable audit-trail programs to track enterprisewide network activity and continuously identify users.

Some companies have sought outside help in protecting their networks. One company they've turned to is WheelGroup Corp., a San Antonio, Texas, company created by a group of former Air Force officers and data security experts. WheelGroup's Remote Intrusion Detection (RID) service continuously monitors all access points to a client's systems from a single location.

RID is based on WheelGroup's NetRanger security-management system, which uses a combination of router-based electronic sensors, an encrypted communications channel, and a database-management system to detect suspicious activity and unauthorized access on a network. When RID senses a break-in, it automatically cuts off network access and immediately tries to trace the source of the attack. Unlike a firewall, it doesn't interfere with normal network activity.

"It acts like a traffic cop as opposed to a roadblock," says Lee Sutterfield, WheelGroup's executive VP. WheelGroup began marketing NetRanger as a standalone product in January; 12 large companies are evaluating it, with six conducting pilot programs.

Managers can expect to see many such offerings. As distributed computing continues to grow, analysts anticipate a flood of products and services, including highly integrated product packages, to emerge for the protection of information. Armed with the right tools and people, organizations can at least attempt to recreate the old information fortress. It'll just be a lot bigger.
