Chapter 7. Enterprise Security

Previous page
Table of content
Next page

Chapter 7. Enterprise Security

"You ask, what is our aim? I can answer in one word: Victory victory at all costs, victory in spite of all terror, victory, however long and hard the road may be; without victory, there is no survival."

Sir Winston Churchill

Web services and the other technologies that have been discussed can be considered offensive technologies. They can be applied strategically as growth engines in order to capture business benefits such as increased revenues, reduced costs, and improved productivity. Security represents the other side of the equation and is equally important. It can be applied strategically as a defensive measure in order to protect the business from a variety of risks and to enable the growth engine to operate successfully. While most businesses have had security departments within their information technology groups for decades, the threat to enterprise security is becoming more severe. Attacks are becoming more diverse, more frequent, and more dangerous.

The CERT Coordination Center located at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, Pennsylvania, is one of the foremost organizations handling computer security incidents and providing analysis and statistics. It focuses on education, training, and research into survivable enterprise management and survivable network technology. Over the past decade, CERT has seen the number of reported incidents grow from 252 in 1990 to 2,412 in 1995 and to 52,658 in 2001. The vulnerabilities reported by CERT have also grown from 171 in 1995 to 2,437 in 2001. According to CERT, the possible effects of an attack include denial of service, unauthorized use or misuse of computing systems, loss, alteration, or compromise of data or software, monetary or financial loss, loss or endangerment of human life, loss of trust in the computer and network system, and loss of public confidence.

The Computer Security Institute and the FBI conducted a joint Computer Crime and Security Survey in 2001 and collected responses from over 500 U.S. corporations, government agencies, and universities. They found that 85 percent of the respondents had experienced computer security breaches within the last 12 months. Additionally, the survey found that financial losses from computer breaches had risen over the years from an average of just over $1 million per business in 2000, to an average of over $2 million per business in 2001. These data are just the tip of the iceberg, since many businesses had not quantified the extent of their financial losses or did not want to report them.

In recent years, the industry-wide costs due to security compromises have been in the billions of dollars. The "LoveLetter" virus in mid-2000 caused an estimated $6.7 billion in damages. Security compromises such as worms, which are self-propagating malicious code, have been able to cause numerous other adverse effects as well. They can spread rapidly within minutes or hours and can often cause noticeable degradation of worldwide Internet response times. As an example, the Code Red and Nimda worms infected hundreds of thousands of systems. According to CERT, the Code Red worm infected more than 250,000 systems in nine hours on July 19th, 2001. In addition to self-propagating, it was also programmed to launch a distributed denial-of-service (DDoS) attack against www.whitehouse.gov between the 20th and 27th days of the month. The Nimda worm caused average Internet round-trip response times to slow from around one-quarter of a second to one-half of a second on September 18th, 2001, just after it was initially detected.

The threat is that as businesses increasingly open up their networks to the outside world, they are increasingly exposing themselves to breaches in computer security. Not all threats come from the outside, and the internal employee threat is well-documented, but the increasing level of always-on connectivity to the Internet means that systems are wide open to attack and can be used as launch-pads for attacks on other systems. As we become increasingly dependent upon the Internet as a global network in order to conduct business, we are increasingly opening ourselves up to the inherent security risks of being connected. In the early days of corporate Internet adoption in the mid-1990s, security departments were horrified at the thought of connecting business applications and data to the outside world. There was a clear distinction between the internal, trusted corporate application environment and the external, untrusted environment. Somehow, along the way, the enthusiasm for "everything Internet" seemed to push these concerns aside. Today we are paying the price, with an increasing number of threats and attacks being reported. The threat is getting more severe and we are continuing to add to our level of exposure by opening holes in our networks to allow for extranets, telecommuting, and wireless access. We'll discuss wireless security later in this chapter since the topic has risen in importance due to the increasing adoption of wireless LAN technologies and the increasing adoption of wireless devices themselves.

The emerging and disruptive technologies that we have discussed earlier also add to our increasing level of vulnerability. Web services, peer-to-peer, real-time computing, and mobile business all rely on increased connectivity, sharing of resources, and rapid exchange of information in order to enable powerful business benefits. We are encoding more of our business processes and intellectual assets into software solutions and are increasingly opening these up to employees, customers, and partners. Even if the threat level stayed constant, we are substantially increasing our risks due to exposure. For these emerging technologies to be successful and to yield their promised benefits, several things must occur. Firstly, the technologies must not be oversold. Businesses must be realistic about what these enablers can and cannot do and about the level of effort required to implement them and drive changes in user behavior and adoption. Secondly, businesses need to make security an integral part of their initiatives not just for traditional applications and processes, but for their new initiatives as well. Software vendors and service providers offering these new solutions such as Web services need to ensure that their software has the necessary security frameworks built in. They need to help educate businesses on how to implement their solutions in a secure and auditable manner.

Software vendors are now becoming more proactive about ensuring that security best practices are followed when developing their own software prior to general availability. Businesses can also help to push for greater levels of security to be built into the solutions that they utilize. For example, Microsoft's Secure Windows Initiative represents its efforts to improve the security of its server software products by educating its developers in best practices, using new tools to verify secure code, and establishing a focus on security from management. Software vendors can play a key role in addressing some of the common software vulnerabilities by shipping their products with security, in effect, "turned on" when the product is installed. Since good security policies tie back to how well software is configured in its production operation, if software is configured securely when first installed, there is a better chance of keeping these types of settings in effect. In the end, however, it is the responsibility of the business using the software to ensure that the security configurations such as authentication, access control, and encryption are properly managed and audited on an ongoing basis.

Disruptive technologies such as Web services rely on increased connectivity and sharing of resources. They also rely on the underlying movement toward software as a service and the general theme of the Internet becoming a "business operating system" for the entire universe of users, devices, and applications. Initiatives such as Microsoft's Passport and the Liberty Alliance Project founded by Sun Microsystems and others are calling upon business users and consumers to use their network-resident authentication as a universal gateway into these future applications. The concept of single sign-on authentication for a multitude of applications is highly attractive, but it will need to be adopted carefully on the part of consumers and businesses alike. As the business benefits of these disruptive technologies beckon to us, we need to understand the tradeoffs. The single sign-on services offered by the industry on this Internet business operating system are visionary, but, require considerable trust. Trust has always been one of the main barriers to adoption for businesses to leverage the Internet. Security is only one piece of the trust equation, but it is clear that security will play a key role in deciding the eventual take-up rate for these emerging solutions. The era of "build it and they will come" passed many years ago; today's era is more aptly named "trust it and they will come." It is perhaps with this in mind that Microsoft Chairman and Chief Scientist Bill Gates wrote his well-known memo to employees in early 2002 calling for a shift from focusing on software functionality to a new focus on security and privacy something he called "trustworthy computing."

Although trustworthy computing is a superset of enterprise security, the latter can be considered the foundation upon which trust in computing can be built. The broad approach to enterprise security typically consists of three areas for consideration: prevention, detection, and reaction. This approach can be applied from the personal level all the way up to corporate and even global levels. The fight against cyberterrorism and even physical terrorism is waged in the same manner. We need to take actions to prevent it from occurring or at the very least to minimize the threat, detect when it is occurring, and be able to react swiftly to control the damage and catch the perpetrators if and when an attack does occur. In the following sections, we'll look at each of these areas and will explore some of the emerging technologies in the security arena that can be used to set up and enhance the defenses.

 


Previous page
Table of content
Next page
Business Innovation and Disruptive Technology. Harnessing the Power of Breakthrough Technology. for Competitive Advantage
Business Innovation and Disruptive Technology: Harnessing the Power of Breakthrough Technology ...for Competitive Advantage
ISBN: 0130473979
EAN: 2147483647
Year: 2002
Pages: 81
Authors: Nicholas D. Evans
BUY ON AMAZON
Inside Network Security Assessment: Guarding Your IT Infrastructure
WebLogic: The Definitive Guide
Logistics and Retail Management: Emerging Issues and New Challenges in the Retail Supply Chain
GO! with Microsoft Office 2003 Brief (2nd Edition)
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
Junos Cookbook (Cookbooks (OReilly))
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy