Applying Pressure - InformationWeek

Applying Pressure

Companies are banding together to push IT vendors into making their products more secure

"Everyone's looking at everyone else's work, saying, 'What can we do working in collaboration with each other to solve this problem?'" Carlson says from his Washington office, where he had just returned from a meeting last week of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census. Last month, the chairman of that subcommittee, Rep. Adam Putnam, R-Fla., co-authored an amendment to the 1996 Clinger-Cohen Act that would make information security a required consideration when government agencies buy computer systems. Putnam is monitoring self-regulation efforts by groups such as BITS in the private sector.

Microsoft's arrangement with BITS was the first of its kind, but it won't be the last, says Gytis Barzdukas, director of product management with the vendor's security business and technology unit. After six months of discussions, BITS talked Microsoft into providing more-favorable terms for Windows NT 4.0 custom support and making Windows support personnel available to BITS's members in their local offices. Both sides say further cooperation is planned.


The risks to a bank's reputation from security attacks can equal or surpass losses from lawsuits or penalties, says Marguerite Gear, VP and sourcing manager at Bank of America. Photo by Sacha Lecca

With new security threats popping up weekly, banks have kept one eye on the perpetrators and the other on regulators. Marguerite Gear, VP and sourcing manager at Bank of America, says the risks to a bank's reputation can equal or surpass losses from lawsuits or penalties. "In financial services, trust is paramount," she says. "Identity thefts, firewall attacks, viruses, or intrusions can devastate a bank."

Under Basel II, an accord reached last month by international banking authorities, large banks must be able to measure their exposure to operational risk, including software flaws, by the end of 2007, in addition to credit and market risk. Large financial institutions have had Basel II preparations under way for at least a year, beginning with compiling data about previous cyberattacks and formulating scenarios about potential new ones.

Conscious of the need to proceed without disrupting ongoing business activities, teams of IT, compliance, legal, and audit specialists are working to formulate plans combining all these elements. The hope is that by working collaboratively, they can present business heads with a single plan of action. "We don't want to go to them with one set of compliance questions and another set of security questions," says an information security executive at a large multinational bank.

When reviewing software products, this executive says, "we ask [vendors] to show us their model for providing software updates and patch distribution, both during the ordinary course of business and during emergencies." Vendors are grilled on their response procedures in the event of a crisis. Bank of America's Gear says banks routinely write into contracts clauses that specify software products are warranted as being free of malicious code. "It's a huge, huge issue," she says.

BITS has set the security bar high with its own stringent set of criteria for product certification, introduced in 1999 and reintroduced two years ago after being aligned more closely with the international security evaluation standard known as the Common Criteria. So far, only two products--HP's VirtualVault and Archer Technologies' SmartSuite Framework--have passed muster. "It tells us software companies have a lot of work to do in terms of meeting the targeted needs of our profiles," Carlson says.

Carlson and many security professionals agree that vendors have shown an increased willingness to address their concerns and acknowledge that IT departments bear much of the responsibility for securing their systems and networks. But they say vendor efforts haven't yet passed the most important test: There's been no decline in the number of security threats or attacks, or in costs associated with them (see story, Under Attack).

What comes next? BITS is working to define best practices for patch management and for the security issues associated with spyware, wireless technologies, and remote access. Users would also like to see increased collaboration among technology suppliers themselves. "Ultimately, I would like to see the industry get to the point where we have common security baselines among vendors," says Raymond James' Fredriksen.

Oracle is thinking along the same lines. "The next frontier is for vendors to drop their competitiveness," says Mary Ann Davidson, Oracle's chief security officer. "Developing secure code is not a trade secret. Vendors need to start calling each other up and sharing development techniques. The hackers certainly share attack and vulnerability information."

If the vendors can ever outpace the hackers, their customers will deserve part of the credit.
