FOCUS ENTERPRISE SECURITY: For Your Eyes Only

How do you secure data—yet make it available to those who need it? How do you step up safety with minimal business impact? A ready reckoner for the IS manager

Shubhendu Parth

Wednesday, February 19, 2003


The Slammer: Malicious code has emerged as the single-largest factor behind security breaches. According to the CSI/FBI Survey 2002, more than 94% of large corporations worldwide have had sizeable downtime and financial losses due to malicious code attacks. As per the recent CII-PricewaterhouseCoopers Survey, 75% of Indian corporates have had serious incidences of malicious code attacks "forcing them to shut down external connections to the Net, resulting in large losses due to downtime and lost business opportunities". The recent SQLSlammer attack is a case in point.

Electronic Scavenging: Next to security breaches caused by malicious code, the second major cause of a security breach—often used for corporate espionage—is ‘electronic scavenging’. Electronic scavenging involves rummaging through disposed magnetic media to retrieve sensitive data that is left behind on it. Results from an MIT study, which is being published in the January/February 2003 issue of IEEE Security and Privacy, suggest that the secondary market is awash with confidential information. Scavenging through the data retrieved from 158 used and formatted disk drives, the students at MIT’s Laboratory for Computer Science found more than 5,000 credit card numbers, detailed personal and corporate financial records, numerous medical records, gigabytes of personal email, and pornography. The intention here is not to scare you. However, if you are one of those who consider data a critical corporate asset, and essential to business continuity, read on...

WHO’S THIS STORY FOR?
An IT chief in a mid-size company, managing growing amounts of data
WHAT DOES IT ANSWER?
- What are the real threats?
- What do I protect? How?
- How much should I spend?
- Which product should I buy?
- Will it impact our business?

While the integrity, confidentiality and availability of the data that a computer system or a network holds are increasingly becoming the lifeline of any organization, the growth of threats and vulnerabilities affecting data integrity, confidentiality, and availability has unfortunately kept pace with the growth and development of IT itself. No wonder then that managing information security has become a high-priority area for organizations. The objective of information systems security is to minimize the risks in the use of IT while optimizing performance and introducing predictability to operations. While the nature of threats to an organization’s information assets continues to change, the good thing is that the efficient use of people, processes, and technology remains the foundation of an effective security management initiative. However, before proceeding to determine what needs to be protected, what is more critical is the degree of protection each asset requires. The security levels need to be determined in order of priority, and people across the organization should be aware of them.

Analyze your business impact
Most organizations realize the need to protect their systems adequately. The challenge is how to determine what to protect and how much should be protected, in addition to issues related to costs. The answer is simple, though tough to implement and quantify: financial resources should be allocated on the basis of the value of the information they seek to protect. An information system in an organization involves people, processes, and technology, and it is important that an IT security solution design considers all three. A business impact analysis is also important to understand the degree of potential loss that may occur. This covers not just direct financial loss, but other issues such as damage to reputation and regulatory effects.

Security Best Practices
- Create a security-aware culture by educating staff
- View security as a business issue and plan for it upfront with major initiatives
- Perform risk assessment
- Create a security policy based on global standards (e.g. ISO 17799)
- Design, build, and implement security architecture within the IT environment. Evaluate return on investment of security spends
- Have dedicated people to manage security (CISO)
- Implement appropriate technology tools with a clear target—of managing risks
- Ensure default configurations are hardened and security features available in existing hardware/software are effectively used (e.g. OS, firewalls, routers, ERPs, and other applications)
- Keep technical security defenses (e.g. anti-virus) up to date
- Periodically test security effectiveness (security audits, penetration testing)
Source: CII-PwC IT Security Survey, 2002-03

Business impact analysis (BIA) is essentially a means of systematically assessing the potential impacts resulting from the exploitation of vulnerabilities. This involves a comparison of the cost of the risk vis-à-vis the cost of controlling it. Also, the probability that a vulnerability will be exploited needs to be determined. To determine BIA, it is important to first classify the information assets, which in turn will help determine the areas of concern. Based on this one can figure out the vulnerabilities and the probability of security breaches. Multiply vulnerability by probability and you have in hand the business impact.

Compare this with the cost of managing the threat and you have the order of priority in which they need to be protected and hence the deployment cycle.

Having determined the business impact and having compared it with the cost to control/mitigate the risks, one is aware both of the order of protection and the level of protection sought. This enables the organization to spell out its requirements and decide on the technology/products that best meet its needs, considering a number of other factors as well like cost—both one time and recurring, and upgradation capacity.
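The prioritization procedure described above (classify assets, estimate the loss a vulnerability would cause and the probability of exploitation, multiply to get the business impact, compare with the cost of control, and order deployment accordingly) carried through in code. This is an added example, not from the article or the CII-PwC survey; the asset names, loss figures, probabilities and control costs are constructed placeholders, and the use of the impact-to-control-cost ratio as the ordering key is an assumption about how the comparison is scored.

```python
"""Business impact analysis (BIA) prioritization, as a worked example.

Added example, not from the original article. All asset data below is
constructed; currency is arbitrary but must be consistent across fields.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str           # e.g. "confidential", "internal", "public"
    loss_if_exploited: float      # loss per incident: direct, reputational, regulatory
    probability_per_year: float   # likelihood the vulnerability is exploited in a year, 0..1
    control_cost_per_year: float  # annualised cost of the control that mitigates it


def business_impact(asset: Asset) -> float:
    """Expected annual loss: the article's 'vulnerability multiplied by probability'."""
    if not 0.0 <= asset.probability_per_year <= 1.0:
        raise ValueError(f"{asset.name}: probability must lie in [0, 1]")
    if asset.loss_if_exploited < 0:
        raise ValueError(f"{asset.name}: loss cannot be negative")
    return asset.loss_if_exploited * asset.probability_per_year


def prioritise(assets: List[Asset]) -> List[Tuple[Asset, float, float, str]]:
    """Return (asset, impact, impact/control-cost ratio, decision), highest ratio first.

    Ratio >= 1 means the control prevents at least as much expected loss as it
    costs, so it is worth mitigating; below 1 the risk is a candidate for
    acceptance or transfer (e.g. insurance) rather than spend.  A control with
    zero cost is always worth applying, hence the infinite ratio.  (Assumed
    decision rule, not stated by the article.)
    """
    rows = []
    for asset in assets:
        impact = business_impact(asset)
        if asset.control_cost_per_year > 0:
            ratio = impact / asset.control_cost_per_year
        else:
            ratio = float("inf")
        decision = "mitigate" if ratio >= 1.0 else "accept or transfer"
        rows.append((asset, impact, ratio, decision))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sample inventory (placeholder figures).
SAMPLE_ASSETS = [
    Asset("Customer database", "confidential", 5_000_000, 0.2, 200_000),
    Asset("Mail gateway", "internal", 400_000, 0.6, 50_000),
    Asset("Public website", "public", 100_000, 0.5, 80_000),
    Asset("Disposed backup tapes", "confidential", 2_000_000, 0.1, 10_000),
]


def deployment_order(assets: List[Asset]) -> List[str]:
    """Asset names in the order their controls should be deployed."""
    return [row[0].name for row in prioritise(assets)]


if __name__ == "__main__":
    print(f"{'Asset':24} {'Class':13} {'Impact/yr':>12} {'Ratio':>7}  Decision")
    for asset, impact, ratio, decision in prioritise(SAMPLE_ASSETS):
        print(f"{asset.name:24} {asset.classification:13} {impact:12,.0f} {ratio:7.2f}  {decision}")
```

Running the block prints the sample inventory in deployment order: the disposed tapes rank first because a cheap control (media destruction) prevents a large expected loss, while the public website falls to the bottom and is flagged for acceptance or transfer because the control costs more than the loss it averts.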

It is also important to understand and categorize your security considerations on the basis of how they need to be tackled. Information security products are broadly classified as technological products and ‘soft products’, or ‘non-technological services’. Purchasing information security involves mapping the purchase decision to business requirements in a phased manner.

Categorize your needs
Security considerations today are different. They include protecting against attacks coming from the Internet and the intranet, enabling trust and privacy protection for e-transactions, controlling access to systems, and performing security management. Security management needs can be categorized into three broad areas—identity management, access management, and threat management.

Identity Management: Web-based technologies have spawned major changes in how business is conducted today. Faced with this accelerated change in business growth, business managers need to find new ways to control access to corporate resources, along with new tools to secure those accesses. They must also comply with new privacy regulations that require enhanced security for user access to systems while meeting increased cost constraints.

Smart is Not Always Cheap
It’s important to note that while there’s nothing better than a “cheap and best” option, best of breed may not come cheap. Also, while cutting through the hard sell, remember three basic maxims:
- Always go to the core technical team of the vendor, instead of relying on the company’s marketing team. This saves time and effort;
- Insist that the concept—requirements, response time, and other such critical issues—is clearly noted on paper, apart from the bills and other relevant paperwork. This puts in clear perspective the vendor’s understanding as well as the material requirement; and
- Always deal directly—as far as possible—with the principal and not just the representatives while negotiating. This will help in avoiding future confusion and cost or time escalation.

Identity management is the creation, management, and use of online or digital identities. It also helps an organization track and maintain personal information through directory systems, provisioning tools and synchronization services that automate the user management process across human resource applications, IT systems, and non-IT environments. It should also help increase productivity while reducing user support costs. Most standard identity management tools come with web-based self-administration tools and features like single sign-on, which enables strong authentication using a range of techniques including PKI, biometrics and hardware tokens. In addition, an identity management tool should be scalable so as to keep pace with business growth and needs.

Access Management: Business-critical data and processes are more vulnerable than ever due to increasingly sophisticated attacks and the dispersal of applications across the extended enterprise. Native platform security—whether a web server, application server, or an operating system—is ineffective against internal and external attacks that gain access to administrator privileges. Additionally, privacy and commercial confidentiality requirements often conflict with system administration rights, which may provide unhindered and unmonitored access to sensitive business and personal data.

The best access management tools are those that address these issues with a comprehensive access management solution that holistically monitors platforms throughout the business for conformance to access policy, including distributed servers, applications, mainframe systems and physical access devices. Such a solution also helps organizations decrease the risk of internal and external attacks, thereby enhancing system availability. In addition, it helps reduce costs through centralized administration and enhances usability through personalization.

Threat Management: Hackers, as well as political activists, competitive snoopers, and disgruntled employees, drive the proliferation of threats that include dangerous viruses, worms and malicious code. Even subtle outbreaks of these threats can bring company operations to a halt, leading to severe financial losses and countless hours of lost productivity. In addition, simple everyday activities such as sending and receiving email, sharing files, utilizing online resources and conducting real-time transactions can rapidly disrupt an under-protected environment.

Threat management solutions enable organizations to elevate their current defensive security practices to proactively protect against today’s and tomorrow’s threats. They enable organizations to isolate, contain, and extinguish enterprise threats and prevent further infection during a virus outbreak.

Once you have categorized your security needs, it’s important to evaluate each product based on where it fits in the entire need matrix of the company and compare it with the business impact before you sign on the dotted line. Any business whose network is exposed to third-party networks, or which is connected to multiple physical locations where the database is distributed across the network and users log in from remote locations, needs to invest in security solutions regardless of its size.

The scale and exact nature of security solutions to be deployed will of course vary on a case to case basis.

Enterprises require from their security solutions the same ‘abilities’ that business demands from IT. These include affordability, flexibility, interoperability, manageability, and scalability. IT executives should ensure that IT requirements at their enterprises include detailed current information about security needs and that chosen and candidate solutions address those needs adequately.

Interoperability: This is one key parameter for evaluating any product, as security architectures, like the IT environments they protect, are likely to remain hybrid, multi-vendor deployments for the foreseeable future at most enterprises. Unfortunately, where IT security beyond fighting viruses is concerned, many of the current offerings are fragmented, highly manual, and reactive. Such fragmented or poorly interoperable solutions cannot deliver maximum security and RoI. Hence care should be taken to ensure that the chosen solutions integrate into comprehensive, synergistic and centrally manageable resources. They should also interoperate with key applications and incumbent security solutions to optimize both protection and business value, and be easy to deploy.

The security solution should be capable of running on a variety of platforms available in the market and should be interoperable seamlessly. You should not need to decide your operating environment based on security products. The security products should mingle with your network without major restructuring. The security products you are buying should also be capable of integrating seamlessly with other best of breed ones.

Scalability: Another important question that a person needs to ask is how scalable the security product or solution is. This is extremely important and an enterprise should have a clear roadmap of possible future applications and IT requirements as well as the security needs and have scalability built in accordingly. All business application profiles (BAPs) and user application profiles (UAPs), or their equivalents, should be updated, expanded, and integrated with data from relevant security solutions.

This will help you best match solutions with specific requirements and resources within the enterprise and evaluate those solutions more accurately and realistically.

It is also important that you choose a vendor who keeps abreast of the latest operating systems and platforms by releasing new versions and can demonstrate a clear roadmap of the same to you. The roadmap claim should be backed up by historical proof. Also, upgrades should be automated and should be implemented with a minimum of user disturbance and no system downtime.

Vendor Support: While most big companies have in-house resources to manage their IT needs, a majority of smaller companies cannot boast of the same. However, irrespective of whether you have the capability or not, vendor support should still be an important criterion for choosing a product. As a security solution includes a combination of hardware and software, one should certainly look for services that include application support, and be very clear and specific about the service-level agreement.

RoI & Affordability: While security may be one of the few areas where RoI is fairly obvious, even to non-technical business executives and managers, you may still need to justify the investment every time. From an affordability point of view you need to focus on security solutions and approaches that support layered or tiered approaches. This can help restrain the growth of security costs, generally and for specific applications, and lines of business within enterprises. Proactive security management will help not only maximize RoI but return on value (RoV) as well!

Shubhendu Parth