False sense of security


21 May 2008

Recent media reports of high-profile data loss and theft suggest many organisations are still struggling with the fundamentals of IT security. Knowledge Ireland goes behind the headlines to talk to the security professionals witnessing developments first-hand.

Last month’s revelation that Bank of Ireland had lost laptops containing details of thousands of customers was the latest in a long line of news stories that highlighted concerns already rife within the IT security sector. For some time vendors have been warning their customers about the risks around data leakage to little avail.

“People were aware there were issues surrounding data security but it’s only beginning to get traction now that the media has highlighted the problem,” says Brian Lynch, sales director with Eurokom. “We’ve been preaching about it for the past five years but it’s been falling on deaf ears because people won’t think about problems like this until it happens to them. This is exactly what happened with viruses when they were only prepared to do weekly updates. Now it’s once an hour in most organisations.”

To protect data on laptops, USB keys and other devices, all the talk is about end-point encryption. As part of a top-down approach, organisations are able to centrally manage content as it moves between hardware that wanders in and out of the office. Not only is a user name and password required from boot-up, file and folder encryption can also prevent unauthorised access even if a laptop is stolen when it is switched on. And with the 256-bit Advance Encryption Standard, it would take serious criminals with powerful computers to gain access.

“All the major software players are going down the route of delivering end-point security. It’s not about antivirus any more. Corporate products will have network access controls to manage the desktop and laptop and what happens remotely,” comments Michael Conway, managing director of Renaissance. He gives a long roll-call of devices and protocols – SD cards, USB ports, Bluetooth, 802.11 – that highlight the scale of the containment problem. “There are a thousand and one ways of bringing in stuff and a thousand and one ways of bringing it out. It’s the biggest threat and vulnerability that organisations haven’t addressed effectively.”

Sinead Kelly, sales manager for the IT express division in Morse, says there is a business imperative that organisations are only just starting to get. “Recognising that the leakage or theft of sensitive data can be incredibly damaging to any business, there are several data security measures that can be taken with mobile users specifically in mind, and business should be looking to implement such measures as a priority in order to protect sensitive data.”

Kelly says discussions around data used to be about compliance and the best way to keep records for extended periods of time. Now the onus has shifted and the concern is in making sure data is safe and encrypted in everyday operations. “You have to be able to persuade your customers that your data is safe if you expect them to do business with you,” she says.

According to Paul Dwyer, CEO of TeamInfoSec, many organisations are simply unsure of what to do. “People are finding it difficult to manage information as an asset and understand the regulations they have to comply with. They don’t understand what’s needed in terms of data protection and therefore can’t implement the relevant controls. They are looking for guidance.”

That said, he has little sympathy for Bank of Ireland. “For it to get the very basics wrong and not have encryption on its laptops is unforgivable. Every bank and institution should have an information security management system. Information is seen as a valuable asset whether it’s in a filing cabinet or on a laptop.”

Despite the threats, many organisations are suffering from security fatigue, according to Paul Large, chief technical officer at the PFH Technology Group. He has some sympathy for organisations like the Bank of Ireland which have a huge and varied remit when it comes to security, ranging from online banking and coping with phishing scams to perimeter security. “You get drawn into some areas and sometimes forget the obvious things. Encryption is important but there are so many other areas to be addressed that it’s hard for an organisation to know where to start,” he says. “There are products out there but they come at a cost, firstly in procuring the equipment but, secondly, in terms of the management and implementation of the systems. The business has to put a value on the data that justifies it.”

Management challenge

The management challenge is always a problem because of a disconnect between IT and the business, according to Large. “Without clear policies from a management level it’s hard for the IT guys to implement systems. And a lot of management simply don’t understand security issues.” The other problem, he says, is that tighter security around data can impact on productivity. “The technologies required can be difficult to implement and make it more difficult for users. People need to be able to work easily and flexibly and that’s not always possible amidst tight security.”

Mike Smart, product marketing manager at Secure Computing, picks up on the point: “Security is a combination of convenience and efficiency. Too often it’s one or the other. You have got to find a balance in the middle.” He points out that it’s not just about spending money; policies and procedures are an important part of securing data. “It’s not just about technology; it’s about process, people and awareness. There is no vendor that says it has it sewn up and can offer complete protection. Technology is a very small part around the data security initiatives that a company must have.”

Most vendors would stress that software solutions and IT infrastructure count for little if the organisation fails to get the security message out to its employees. Putting policies in place has long been recognised as a starting point for better security, but despite years of banging the drum, vendors fear that few organisations have achieved the security-conscious culture that is needed.

Richard Foley, managing director of Reflex IS, describes the approach to drawing up defined internet and email policies as “one step up from desperate” in most organisations. “There will be a general set of outlines but they are totally open to interpretation in my experience. If policies were in place and adhered to then some of the high-profile incidents we read about wouldn’t have happened.”

The risks that organisations run are high, not just in terms of data leakage. “If you don’t appropriately manage your web policies you can compromise yourself internally,” says Michael Conway of Renaissance. “If there is inappropriate use of materials, such as pornography downloaded from the internet, you run the risk of being sued. If a company is aware of the threats and vulnerabilities but doesn’t do anything about it, then it’s negligence.” Policies reduce risk but will also prevent people wasting time on the internet. Controlling which people can access which data can extend far beyond casual web browsing. Strong policies should have a direct bearing on reducing risk around data leakage by controlling where data is kept and who can get to it. “It’s about compliance; about deciding what’s appropriate for individuals within an organisation to be looking at,” adds Conway.

This feeds into a wider strategic discussion about access control. At Sun Microsystems the drive around its Sun Ray Client product is to put security and access in the hands of the IT department. It uses the thin-client computing model, which is one of the best ways to protect against viruses, service attacks and data theft, according to Stephen Ennis, technical director with Horizon Open Systems, Sun’s country partner in Ireland.

“Users have the same experience; they have their Windows environment up and running and it all looks the same. The difference is that the date is controlled and managed centrally – which means it is also secured centrally,” he says. There is logic in this approach which many organisations miss, according to Ennis. “If the data is managed by the IT organisation it is inherently more secure because the people who manage it know more about what to do than users at their desktops. Regardless of whether it’s corporate spreadsheets or word files, the opportunity for somebody to take that data by stealing the PC, or by hacking into it, can’t happen because the data is held centrally.”

Such an approach requires a fundamental rethink of IT strategy where the architecture of the organisation is re-evaluated in its entirety. Other advantages with the thin-client model, such as power-saving benefits and the easier distribution and management of critical business applications, will also come into play. “Even if viruses do get through they tend to be null and void because they don’t find the infrastructure that they expect,” says Ennis.

At PFH, Paul Large is working with lots of technologies that help organisations retain greater control over their data and security infrastructure. There is a VMware desktop infrastructure product that allows third parties to access a company’s data via a virtual desktop. The data can be accessed but it is always secure. “A software company, for example, could have a team of developers in India working on its code without it ever leaving the building. It helps protect intellectual property.”

There is, however, plenty of room for more control, according to Large, particularly when organisations are using different products from different vendors in multi-layered security solutions. “One of the things really missing is a central management system, an all-encompassing network management tool like HP OpenView that pulls together a view of infrastructure from different vendors,” he concludes.

By Ian Campbell

A culture shift to greater security

1. People, culture and education are key
Information security is as much about these three factors as it is about regulations and processes. Security standards will be ineffective if people do not understand them or their importance. A key to successful management is to understand the possible range of effective and secure responses and to provide ‘recipe book’-style solutions that can be applied in these situations. This needs to be rooted in a clear understanding of the value of an organisation’s information assets and the risks associated with them.

2. Learn from others
The introduction of the Sarbanes-Oxley legislation in the US provides many examples of good practice. A focus on the intent of the legislation rather than the letter of the law leads to more effective and economic approaches to information security. Industries such as banking, which rely upon a highly proactive security approach and visible presence from compliance units, also provide considerable learning.

3. Embed security thinking from the start
IT controls are often rendered ineffective if they are not reinforced by efficient business processes and behaviours. Information assurance thinking must be present throughout the design of new business processes and organisation. Place the technical aspects of the problem in a business and human context. Security controls can therefore be introduced in response to the risks to valuable assets – for example citizens’ information – that are much more than just rules or processes.

4. Create a genuine ‘controls culture’
This requires persistent long-term commitment from senior officials. The structures contained in long-accepted best practices are a great starting point, and the first step is to get a full understanding of the gaps in an organisation’s controls. But the real key is to make sure that top management also embed cultural change at the lowest level of the organisation where the failures typically occur. Until that is achieved, many organisations remain both unaware of the risks and their businesses and their customers remain hugely exposed.

Source: Kevin Duffy and Kevin Gleeson, PA Consulting Group

This article appears in the latest edition of Knowledge Ireland, the bi-monthly information and strategy magazine, which is in shops now. To read the full version of the story in the digital edition, go to www.knowledgeireland.com.