This is a difficult time for security managers. It's a new world after the terrorist attack of last year, and security managers have to adjust to the changed conditions.
There was a time when an IT-security failure simply meant that a Web page would be defaced, a virus would cause some downtime or, in extreme cases, some data would be stolen. But with the one-year anniversary of September 11, we are reminded that security failures have more severe consequences. It's clear, now, that another such attack could put you out of business, without proper preparation and procedures in place.
The fate of the world doesn't rest on every IT security managers' shoulders, but the world became a more serious place after September 11, 2001. The enemy might not be a competitor or some kid calling himself Keyser Soze; it could be a well-funded terrorist organization or a government.
Combine this with the fact that there is more data to protect, there are potentially more unknown holes in random applications, and every day there are remote individuals accessing your company's information over the ether, and the dangers posed by security breaches can be frightening.
There will be more data produced in the next three years than has been produced in all of human history. The task of keeping all that data safe falls into the lap of the security manager. Most of the data is produced as backups of current data, and all those backups floating around can create a huge security problem. The more original data you create, the more backups you need and the more potential problems you generate.
Solving that issue requires intensive policy planning and procedures. As technology writer James Michael Stewart said it in a recent tip for SearchSecurity.com, "If you can adopt the mindset that backup media are pocket-sized portable versions of your organization's data assets, you'll be able to adequately plan and implement security controls, precautions, deterrents, etc."
And don't forget about getting rid of data. One reason why we are producing so much data is that no one wants to throw anything away. Saving copies of important data is essential to business -- your business may be one that cannot survive without numerous data copies -- sometimes you have to dispose of unnecessary data to reduce the security risk. Build proven data deletion methods and procedures into those security policies.
Another troublesome issue for a security manager is the increased use of complex applications. As applications get more complicated, poorly designed applications pose a greater security threat. For instance, some of the biggest recent security breaches have been caused by buffer overflows aimed at particularly vulnerable applications.
But even if applications are well-designed, according to Chris Darby, CEO of @Stake, "vulnerability often appears at the 'seams' of application components." With companies making greater use of new kinds of applications, particularly Web services such as XML, .NET and J2EE applications, how is a manager to ensure that his infrastructure is secure? There is no easy answer to this question, but if you feel comfortable taking a lead from industry leaders, consider where they are spending money. According to @Stake, industry leaders are spending most of their security IT budgets on applications, particularly customization and product-security evaluations.
Data and application management have always been important issues for security managers, but one issue that has developed just over the last few years is the remote employee. As Darby points out, "networks are set up to let people in and out, so they can't be completely secure." The nature of networks is to allow access and to share information. To do this with remote workers requires a virtual private network, but Darby sees VPNs as providing a "false sense of security." VPNs are complex, temperamental tools that require precise configurations. The only real solution available to limit the security holes left open by the use of VPNs is to select the VPN product and server it runs on very carefully, and to be sure to use proper care in configuring it.
According to Chris Christiansen, vice president of E-business Infrastructure and Security Software at International Data Corp. (IDC), we can expect a merger of physical and IT security in the post September 11 age. But, as we have seen, that is not the only aspect of IT security that is changing. With all of the factors already discussed combining to keep IT security managers up at night, how will IT adapt to confront the changing face of security management?
Security is about protecting business assets. Physical and IT security have essentially been doing the same thing for years; it seems only obvious that the same team should manage them. Tightly integrating physical and IT security with the use of surveillance cameras, DVRs, motion analysis, facial recognition and, most important, correlating door systems with network access logs, can help protect enterprises from the most dangerous of security threats, the internal ones. Darby notes that, "the most damaging incidents stem from the abuse of existing privileges." "Existing privileges" implies intimate access of systems. To restrict this access, security mangers need to know who has access and when they have access.
And perhaps fortunately, some parts of the government have noticed the potential danger of an organized attack on the nation's IT infrastructure. The Federal Bureau of Investigation has created a program called Partnership for Protection. The program is managed through a Web site called Infraguard, which provides an outlet for companies to share information about viruses and hacker activities with each other and with other government agencies. These efforts will ultimately help the FBI to track hacker activity and hopefully thwart any organized attacks.
Even in this slow economic environment, changes in the IT security environment have been mounting in the past year. The present atmosphere for security managers is a difficult one, but with careful policy planning and decision making successful security managers will soon be measured by their successes rather than their failures.
About the author: Ben Vigil is technical editor at TechTarget.
This was first published in September 2002