News In Review

August 31, 1998


Acceptable Risks

Continued...page 3 of 4

Plan Ahead For Security
Although security is often fundamental to success, it often remains an afterthought. Companies looking to increase their business opportunities via the Web typically look first at applications and then consider infrastructure issues. "We see many cases where ERP or sales-force automation implementations fail when infrastructure and security come into the picture after the fact," Kelly says.

Another believer in proactive measures is Intralinks, a financial services company that coordinates loan syndications. Intralinks helps its 15 bank clients parcel out pieces of loans and other financial instruments to 2,700 institutional investors by providing a central Web site where they can exchange offering memoranda and interact with one another regarding the deals. Investors access Intralinks' servers to retrieve copies of documents describing the terms of the deal and submit forms indicating their willingness to participate.

Intralinks doesn't do it alone. The company's security is based on Lotus Domino and is hosted by IBM Global Services. The company's practices are so stringent it has refused to work with at least one institution whose security procedures didn't pass muster. "There has been an example of that," says Lenny Goldstein, Intralinks' chief technology officer. "It was a business decision rather than an IT decision."

For those who do make the security cut, Intralinks drives them when feasible to adopt the highest common denominator. "If J.P. Morgan does something a little differently than Chase Manhattan but if Chase is more stringent, we will do it their way," Goldstein says. One example: companies that change their passwords every 90 days were asked to change them every 60 days because that was the most rigorous requirement among the group.

One of Intralinks' trusted customers is PNC Bank Corp., which has raised $2 billion in 10 different deals. The Pittsburgh-based bank is confident it can handle security issues and plans to venture into other areas of electronic commerce. The most important elements are deploying powerful 128-bit encryption and incorporating security during project formation. "Our experience was positive enough that we are working toward an Internet-based solution for treasury management," says James Mikula, CIO for corporate banking at PNC.

Security products that used to be viewed as risk-management tools are now being considered an "enabling mechanism" that is necessary for new business ventures.

The Boston Globe, for example, takes security more seriously now that its advertisers can place advertisements online and pay for them with a credit card. "It has expanded our view of security," says Dave Pearson, director of IT infrastructure. "I view it more as enabling than risk management, though it has to do both."

For example, the Globe is centralizing its security management using Netegrity Inc.'s SiteMinder, which is based on the Lightweight Directory Access Protocol. SiteMinder separates security access from application development and frees developers to create programs that are better suited to the business, such as allowing advertisers access to their account balances.

Creating Complexity
Some companies that build extranets realize they have to secure much more than the extranet itself, and often end up reworking their company's entire security regime. "Our extranet brought us into a whole new realm of things we never did before in terms of security," says Scott Decker, VP of information services at VHA, an alliance of 1,200 independent health-care providers and suppliers that uses an extranet to exchange health-care news and textbooks.

The extranet will become far more complex as applications come online for exchanging patient records and lab reports. The Irving, Texas-based alliance is planning to elevate its security by using encryption and digital certificates for sensitive data. That review process and the resulting heightened awareness about security have affected the way VHA views all types of information. In the past, for example, VHA delivered CD-ROMs that contained a catalog of supplies and their prices. "We never thought about security with those things," Decker says. "But now we think differently."

Surprisingly, however, 43% of companies surveyed don't take the basic step of classifying their data into security categories. This is a critical step in identifying data worth protecting. Although 19% do this process daily, another 14% classify their data annually.

Continued...page 4