Solution Series August 21, 2000

How Secure Are You?

continued...page 3 of 3

Illustration by Ricarrdo Stampatori
    "Numerically, more attacks come from the outside now, but they are mostly kids who come in out of curiosity and nibble around but don't really know how to attack you with a lot of skill," Schultz says. "However, one insider with the right skills can ruin your company."

    The need to address employee breaches is often obscured by all the solutions for physical and network security. Firewalls and authentication systems do a good job protecting networks from remote attacks, and heavy doors with biometric locks and video cameras can keep strangers from breaking in at night, but employees are already on the inside.

    "When we were evaluating co-location centers, people in the front lobby would brag about Kevlar-lined walls, and some even talked about withstanding nuclear attacks, but hardly anyone talked about personnel security," says Wade Myers, chairman and CEO of Interelate Inc., an ASP that provides customer-relationship management services and software. "Realistically, the risk of someone shooting bullets or nuclear missiles into the data center is very low."

    At one facility, Myers and his team walked in the back door and into the data center unchallenged. The co-location facility was expanding rapidly, and a small army of employees, contractors, and business partners were scurrying about setting up new servers and switches. "There's a fast-growth mentality; everything is moving so fast that they haven't had time to put proper practices in place."

    Encryption can provide an added level of security when hackers do masquerade as authorized users or administrators and gain entry. If secure-session options are used, Web browsers and servers do a good job encrypting the data they exchange. However, traffic often traverses LANs in the clear.

    "Most companies are appalled at the amount of sensitive information we pull off their networks during our assessment," says RIPtech's Belcher. "Encryption would have more acceptance if some nontechnical managers could actually see what is going across their networks."

    Companies are starting to enhance security by encrypting data stored on servers, but a lot of desktop data remains exposed. Desktop solutions provide encrypted folders into which sensitive files can be dropped, but they may rely too much on users to know what needs protection. Similarly, when users register for digital certificates, they indicate how the certificate is to be protected--such as smart card or password--and "no protection" may be an option.

    "Someone could walk up to your desktop and get to your certificate without having to get through any security," says Scott Schnell, VP of marketing for RSA Security Inc. Authentication systems often aren't extended to the desktop, and people can simply bypass the logon procedure and gain access to the local system. Stolen notebooks are completely vulnerable if the contents aren't encrypted.

    RSA is starting to see some customers implement an always-on policy for hardware-based authentication. Users must have a token to access any machine, internal or external.

    One new security challenge is the complexity and granularity of protection needed by business-to-business computing environments. Originally, vendors helped customers build moats that kept outsiders out, but E-business is all about inviting some of them in. "The next stage is being able to have very detailed access and content control," Schnell says.

    Through a partnership agreement, RSA's strong-authentication and digital-certificate technologies are being coupled with Netegrity Inc.'s multilevel access-control expertise to produce a security system that can accommodate many types of users and scopes of access rights.

    The CSI/FBI report states that "the threat from computer crime and other information security breaches continues unabated ... the financial toll is mounting."

    Companies must secure the areas where the main risks reside--which are not always the current source of pain. For example, companies with employees in Europe must comply with the European Union's privacy directive, which goes into effect in 2001.

    "A small security review up front might cost $100,000, while an emergency response to an incident after the fact would run $350,000 to $500,000," Lobel says. According to the InformationWeek Research survey, however, nearly half of the respondents are spending only $50,000 or less on security.

    The best technologies and wisest policies will take security only so far without extensive user and management buy-in. "You have to create a win-win situation," says Andrea Hoy, chief information security director for Fluor Corp., an $11 billion engineering, construction, maintenance, and diversified services company in Aliso Viejo, Calif. "Users have to see the benefits to themselves: Strong security is keeping the wrong people from seeing their salary and personnel records or getting into the bank accounts where their checks are automatically deposited," says Hoy, a security professional for more than 15 years and the 1991 winner of the Security Education Manager's Award for her work applying continuous process improvements to the implementation of information security.

    Absolute protection may be unattainable, but better levels of security--with equal parts vigilance and honest commitment--will go a long way to protect your company.
