Security, Liberty, and IT Fraternity

CIOL Bureau

Information security has been among the top areas of IT spending over the
last few years and will continue to be so this year. Surveys have shown that
despite increased spending, security violations are growing more frequent.
Increased regulatory compliance requirements have also made the top management
focus more on information security issues. Furthermore, with most companies now
having operations in other parts of the world (either directly or through
partners), worldwide IT security, too, has assumed importance. Prudent
prioritizing of areas for security spending and adopting appropriate strategies
have become more important than in the past.

Base your expenditure on well-formulated risk-assessment and risk-treatment
plans: It is crucial to start with a rigorous risk-management effort. This would
require you to identify what you need to protect, analyze scenarios, assess
risks involved, work out a risk treatment plan, select controls, and plan
implementations.

Make sure you update these plans periodically to reflect changes. Use specialist
services to assess vulnerabilities in your network and applications through
penetration testing, rather than finding them out after a security incident.
Risk management is the key; technology has to come later.

Use security awareness and corporate culture to advantage: Create awareness of
security aspects through employee training. For example, an in-house newsletter
can highlight current security threats. Also ensure that employees are
continuously informed of security risks, policies and their own role. Encourage
employees to come up with suggestions and support their active participation.
Make sure that the departments that are stakeholders in a successful security
programme take an effective part in the entire awareness programme.

Enforcing is important: Policies for many security processes are usually
written, but unless they are implemented, no real purpose is achieved. Make
sure the policies are updated periodically. In the majority of cases,
implementing the right policy is more cost-effective than investing in
technology to take care of protection.

Implement an appropriate Information Security Management System (ISMS): There
is increased activity across the industry to adopt standards such as BS7799.
An ISMS includes the essentials of a good security programme: systematic
assessment of risks, setting up of a risk treatment plan, selection of
controls, and implementation of guidelines, policies and procedures. Set up an
effective organization to implement and enhance the ISMS periodically and to
effectively implement its various requirements.

Use Managed Security Service Providers (MSSP): Most large set-ups now provide
round-the-clock information services to their customers. All of them require
round-the-clock vigilance to monitor intrusions and to respond to incidents.
Use MSSPs to get round-the-clock vigil and management of the security
infrastructure at lower cost. Further, MSSPs can bring in many other benefits,
including the use of event correlation tools and automation (all of which would
be very expensive to own individually).

Adopt automation: Any information security set-up involves the analysis of huge
volumes of event data and reports. Adopt automation, wherever possible, in patch
management, log analysis, consolidation of reports, analysis and alerting.
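One small instance of the log analysis, event correlation and alerting that the MSSP and automation paragraphs call for, as an added Go example (it is not code from the article or from any MSSP or product it names): parse authentication records, correlate failed logins per source address inside a sliding time window, raise a medium alert when the threshold is crossed, and a high alert if a login from the same source then succeeds while those failures are still in the window. The record format, the five-failures-in-one-minute rule and the log lines are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication record.
type Event struct {
	When                  time.Time
	Host, Kind, User, Src string
}

// ParseLine reads "<RFC3339 time> key=value ..." records (a format assumed for this example).
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	vals := map[string]string{}
	for _, kv := range fields[1:] {
		k, v, _ := strings.Cut(kv, "=") // a token without "=" becomes an empty-valued key
		vals[k] = v
	}
	e := Event{When: ts, Host: vals["host"], Kind: vals["event"], User: vals["user"], Src: vals["src"]}
	if e.Kind == "" || e.Src == "" {
		return Event{}, fmt.Errorf("missing event or src in %q", line)
	}
	return e, nil
}

// Alert is what the correlation step hands to whoever is on watch.
type Alert struct{ Src, Severity, Reason string }

// Correlate raises one medium alert for a source that accumulates `threshold` failed
// logins inside `window`, and a high alert if a successful login from that source
// follows while those failures are still inside the window.
func Correlate(events []Event, threshold int, window time.Duration) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	fails := map[string][]time.Time{} // src -> failure times still inside the window
	flagged := map[string]bool{}      // sources already reported at medium severity
	var alerts []Alert
	for _, e := range events {
		recent := fails[e.Src][:0] // expire failures older than the window
		for _, t := range fails[e.Src] {
			if e.When.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		switch e.Kind {
		case "auth_fail":
			recent = append(recent, e.When)
			if len(recent) >= threshold && !flagged[e.Src] {
				flagged[e.Src] = true
				alerts = append(alerts, Alert{e.Src, "medium", fmt.Sprintf("%d failed logins within %s on %s", len(recent), window, e.Host)})
			}
		case "auth_ok":
			if len(recent) >= threshold {
				alerts = append(alerts, Alert{e.Src, "high", fmt.Sprintf("login as %q succeeded after %d failures", e.User, len(recent))})
			}
		}
		fails[e.Src] = recent
	}
	return alerts
}

// sampleLog is constructed for this example; the addresses are documentation ranges.
const sampleLog = `
2024-03-01T08:00:01Z host=vpn1 event=auth_fail user=admin src=198.51.100.7
2024-03-01T08:00:03Z host=vpn1 event=auth_fail user=root src=198.51.100.7
2024-03-01T08:00:04Z host=vpn1 event=auth_ok user=jdoe src=203.0.113.5
2024-03-01T08:00:06Z host=vpn1 event=auth_fail user=admin src=198.51.100.7
2024-03-01T08:00:09Z host=vpn1 event=auth_fail user=admin src=198.51.100.7
2024-03-01T08:00:10Z host=vpn1 event=auth_fail user=admin src=198.51.100.7
2024-03-01T08:00:12Z host=vpn1 event=auth_ok user=admin src=198.51.100.7
2024-03-01T08:10:00Z host=web1 event=auth_fail user=bob src=192.0.2.9
2024-03-01T08:30:00Z host=web1 event=auth_fail user=bob src=192.0.2.9
`

// Run parses the sample log and applies a five-failures-in-one-minute rule.
func Run() ([]Alert, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(sampleLog), "\n") {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Correlate(events, 5, time.Minute), nil
}

func main() {
	fmt.Println(Run())
}
```

On the sample, the source 198.51.100.7 produces a medium alert at its fifth failure and a high alert when the following login succeeds; the two failures from 192.0.2.9 are twenty minutes apart, so the first has expired by the time the second arrives and nothing is raised. Sorting the events first matters when records are consolidated from several hosts, because they rarely arrive in time order.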

Develop metrics for the security programme: Develop metrics for the security
programme and make them part of the organization's MIS as a regular report (e.g.,
an Information Security Scorecard). Bring information security to the attention
of top management through this report and through other channels. All of these
can not only make technology work better for you but can also ensure that the
business is better prepared to meet ever-growing compliance requirements. This
will also ensure that top management approves budget proposals for your
security programme.

The public keys to protect your info

Enterprises have traditionally spent a significant amount securing the
network perimeter against external threats by deploying security systems like
firewalls, intrusion detection systems and anti-virus software, little
realizing that information assets are just as vulnerable from within an
organization as from outside. Quite a few recent surveys corroborate this fact.
Discontented, reckless and greedy employees, and, in some cases, disgruntled
former workers, can all be bigger threats than the mysterious hacker. Also, as
more companies outsource portions of their business or extend their
network and corporate resources, vital company information could easily fall
into the wrong hands. To build adequate safeguards, the key is to build
"Trust" around these systems.

Talking of Trust, there are many questions to explore:

  • How do we transact with faceless individuals literally sitting across the
    two ends of the wire?
  • How do we know whether the persons or entities we are dealing with are
    indeed the same as they claim?
  • Can we be sure that the information we sent across went without someone
    else taking a look at it?
  • How do we know that the data we received has not been altered mid-way?
  • What if the person we transacted with went back on his word? Do we have
    any evidence of the same?

In the physical world, we use and associate the signature of a person to
establish the identity and credibility of the individual, but what happens in
the electronic world? Coupled with all the above concerns is another dimension,
the law: what is the legal validity and sanctity of an electronic transaction
in any court of law?

Therefore, "creating trust" in an e-environment involves assuring the
transacting parties of the integrity and confidentiality of the transaction,
along with authentication of the sending and receiving entities, such that
neither entity can repudiate the transaction. The enabling technology to
achieve "Trust" is PKI (Public Key Infrastructure). The Indian IT Act 2000
validates the use of Digital Signatures, which also enjoy evidentiary status in
Indian courts of law.

GENERATING THE ROOT KEY: SafeNet's Luna CA3 is a hardware security module (HSM)
used to generate the root key in a PKI system and keep the private key secure.
It uses a PIN entry device (PED), EEPROM-based data keys and a PC Card reader
that attaches to the server via an LVDS cable and PCI adapter. Containing a
processor, firewall, flash memory and RAM, the PC Card is built with extra
epoxy and secured with triple DES encryption. The card will destroy its
contents if compromised.

Electronic passport

A Digital Signature Certificate is like an "electronic passport." It is the
identity of an individual on the Net. For a Digital Signature to enjoy this
legal status, it has to be issued by a licensed Certifying Authority, or CA.
Certifying Authorities are awarded licenses by the Controller of CA (CCA) after
ensuring that the licensee fulfils the stringent criteria laid down in the IT
Act. Once an individual gets a unique Digital Signature Certificate issued by a
certifying authority, the individual can affix his or her unique digital
signature on any e-mail, communication, transaction, document or, for that
matter, any content in electronic format.

What can PKI do?

PKI, as we know it today, has evolved beyond the traditional offering of
e-security and is considered a basic enabler of new e-business revenue streams.
PKI solutions can be used to secure a wide range of business-to-consumer (B2C)
and business-to-business (B2B) applications over the Internet. Early in its life
cycle, PKI only stepped in to provide application-level security, doing away
with the weaknesses inherent in IDs and passwords, and linked the identity of
users to their Internet hosts through digital certificates. Later it went
further and crossed the boundaries of security by enabling a host of services
that were not previously possible:

  • Digital signing of electronic documents
  • Electronic supply chain management
  • Electronic eOrdering and eProcurement
  • Online eGovernment services

These are new applications that were not commonly carried out over the
Internet, but are now enabled by the enhanced security offered by PKI.

PKI: the technology

PKI is one of the few technologies today that integrate the disciplines of legal
practice and information technology. This results in several unique deployment
challenges. To understand PKI, one must appreciate the underlying concept of PKC
(Public Key Cryptography). It would be safe to say that, though PKI itself is
not a technology at the forefront, PKC techniques are pretty much the building
blocks for security applications.

What is public key cryptography?

While the private key, as the name suggests, is private to the user, the
public key is open. A user signs a piece of data with the private key to prove
identity, integrity and non-repudiation, whereas the user uses the public key of
the recipient to ensure privacy of data by encrypting it with that public key.
Extend this concept from users to devices and applications, and you have public
key cryptography forming the centerpiece for providing security. PKI boils down
to the infrastructure used to maintain the public and private key pairs for
these operations.
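The sign-then-encrypt exchange described above, and the four trust requirements set out earlier (integrity, confidentiality, authentication, non-repudiation), worked through as an added Go example; this is not code from the article or from any vendor it names. alice signs with her private key and encrypts to bob's public key; bob decrypts with his private key and verifies with alice's public key. Keys are generated in-process and handed over directly, an assumption standing in for the CA-issued certificates the article discusses; the participant names and the message text are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one participant's RSA key pair. In a real PKI the public half is
// bound to an identity by a CA-issued certificate; here (an assumption, to keep
// the example self-contained) keys are generated in-process and handed over directly.
type Party struct{ priv *rsa.PrivateKey }

// NewParty generates a 2048-bit key pair; failure means the randomness source is broken.
func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{priv: k}
}

// Public returns the half of the key pair that may be given to anyone.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Envelope crosses the wire: the message encrypted to the recipient, plus the sender's signature.
type Envelope struct{ Ciphertext, Signature []byte }

// Seal signs msg with the sender's private key (identity, integrity, non-repudiation)
// and encrypts it with the recipient's public key (confidentiality). RSA-OAEP/SHA-256
// with a 2048-bit key carries at most 190 bytes; longer messages need a hybrid
// scheme, which is omitted here.
func (p *Party) Seal(msg []byte, to *rsa.PublicKey) (*Envelope, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key, then verifies the signature
// against the claimed sender's public key; alteration in transit or a different
// sender fails one of the two checks.
func (p *Party) Open(env *Envelope, from *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext altered or not addressed to us")
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(from, crypto.SHA256, h[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: message altered or not from the claimed sender")
	}
	return msg, nil
}

// Run plays out a genuine message from alice to bob, a copy altered mid-way, and
// the same text sealed by mallory. It reports the plaintext bob recovered and
// whether the altered and the impostor envelopes were refused.
func Run() (delivered string, tamperRejected, impostorRejected bool, err error) {
	alice, bob, mallory := NewParty(), NewParty(), NewParty()
	msg := []byte("Order 42: ship 100 units") // constructed sample transaction

	env, err := alice.Seal(msg, bob.Public())
	if err != nil {
		return "", false, false, err
	}
	got, err := bob.Open(env, alice.Public())
	if err != nil {
		return "", false, false, err
	}
	delivered = string(got)

	// Flip one bit of the ciphertext in transit: OAEP decryption must reject it.
	tampered := &Envelope{Ciphertext: append([]byte(nil), env.Ciphertext...), Signature: env.Signature}
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	_, err = bob.Open(tampered, alice.Public())
	tamperRejected = err != nil

	// Mallory seals the same text to bob; bob checks it against alice's public key.
	forged, err := mallory.Seal(msg, bob.Public())
	if err != nil {
		return "", false, false, err
	}
	_, err = bob.Open(forged, alice.Public())
	impostorRejected = err != nil
	return delivered, tamperRejected, impostorRejected, nil
}

func main() {
	fmt.Println(Run())
}
```

The two failure cases map onto the questions raised under "Trust": the altered envelope answers "has the data been changed mid-way?", and the envelope from mallory answers "is the sender who they claim to be?". What the raw key pair cannot answer is which real-world identity owns alice's public key; that binding is exactly what a CA-issued certificate supplies.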

If you look worldwide for significantly large and successful
PKI deployments you will find that these things are common:

  • PKI is part of a government-to-consumer interface

  • Technology-specific legislation clearly prescribes the use
    of PKI

  • Effective drive and implementation mandates from
    authorities

  • Enterprises have opted for the managed PKI services
    model, rather than setting up their own PKI

Moving forward, PKC plays a vital role in building blocks for
the emerging domain of "Application Security". Products and services
are being developed to address requirements like data security (data at rest,
databases, in-transit data) and transaction security (channel encryption). It's
just that many organizations are now realizing faster than before that the
"internal threat" or "application vulnerability" factor is
significantly high as corporate networks move beyond the realms of conventional
networks.

The new face of security

The rise of e-business and greater awareness of security issues has changed
the face of security. Customers, shareholders, staff and increasingly regulators
are demanding a greater commitment to security and associated privacy issues.
Three major trends are becoming apparent to security advisors: the need for
integration of security and privacy; the convergence of information security and
physical security; and the emergence of new security technologies such as
biometrics.

A typical network security scanner like the 'Infiltrator' can quickly audit
computers for vulnerabilities, security holes and exploits, and information
enumerations. Infiltrator can reveal and catalog a plethora of information on
scanned computers, such as installed software, shares, users, drives, hotfixes,
NetBIOS and SNMP information, open ports and much more.

Holistic approach: Corporate security can no longer be
considered a piecemeal, low-priority operation applied to discrete areas. It
should be an integrated management discipline. If different business units can
set their own standards and procedures, hackers are presented with greater
opportunities to find gaps in corporate defenses. The security strategy should
include everything from establishing standards to processes to education.

Close the window of opportunity: Move your strategy from mere
'intrusion detection' to a multi-layered 'intrusion prevention'
approach. This will reduce the lost productivity and costs.

Provide security for people as well as data: There is also a growing
convergence between information security and the physical security of people
and property. Technology can play a key role in establishing physical security,
not only by establishing physical access systems but by monitoring them as
well. An organization's most critical corporate information isn't simply stored
in computer files; it resides in the minds of its workers.

Balance the competing needs of security and privacy:
Rights of privacy tend to be 'absolute,' whereas the level of security must
be appropriate to your organization and its business interests. Any perceptions
by the market that your organization is not respecting the privacy of employees
or customers will quickly undermine brand equity. Work with your legal, HR and
communications advisors to develop communication strategies explaining your
policies and ensure that you live up to your own policies.

Stay tuned for the next 'big thing': Stay current with emerging security
technologies like biometric identification. Biometrics is the technique of
identifying a person based on physiological and behavioral characteristics.
Physiological biometrics includes face, eye (retina or iris), finger and palm
identification, while behavioral biometrics includes voiceprints and
handwritten signatures. The latest thinking is that biometrics (what you are)
combined with other layers of security such as passwords (something you know)
and tokens or certificates (something you have) can provide the highest levels
of security.

Identity control

In the past, many enterprises addressed business issues with disconnected IT
initiatives targeted at a single problem, for example having a Web presence or
complying with new government mandates. The result is a hugely complex IT
environment that locks away information, hampering the enterprise's ability to
grow and prosper. While many enterprises struggle with highly complex IT
infrastructures, a few have created environments in which people communicate and
collaborate easily and always have the tools and information required to work
effectively. Two key characteristics distinguish these enterprises from the rest
and make them leaders in their respective industries: adaptability and agility.
Increasingly, agility itself is becoming a strategic imperative. Enterprises
that are developing strategies to increase agility and adaptability are
discovering that identity management is crucial. Identity management enables
enterprises to put technology to work for the people who power the business.

Secure Identity Management combines directory, meta-directory, provisioning,
password management, auditing and professional services to help solve critical
business problems that all enterprises share. Identity integration is the entry
point into secure identity management. With identity management you can:

  • Gain control of identity and lay the foundation for other
    identity-based business initiatives that enable the agile enterprise

  • Strengthen security around critical business data and
    physical resources, while ensuring easy access with a single password, ID
    card or fingerprint

  • Provide real-time information on key performance
    indicators to all levels of management, improving decision making and
    complying with the real-time disclosure requirements of many regulations

  • Create employee portals to reduce costs by empowering
    people to obtain information and perform many tasks and transactions on
    their own

  • Slash application development costs by moving to web
    services that unlock and dynamically combine siloed information or software
    capabilities to provide more intelligent information and more useful
    services

  • Automatically provision new users with access to business
    resources based on their role, increasing productivity for users and
    administrators

  • Automatically modify or secure access the moment a user's
    role changes to keep confidential resources safe

  • Implement secure password management to mitigate security
    risks, minimize cost and improve user experience

  • Provide secure, remote access from any location to
    resources based on a user's role or relationship

  • Maintain an audit trail that demonstrates compliance with
    internal business policies and external regulations

Identity Management solutions enable enterprises to gain control of identity
while leveraging previous investments and the proven business processes they
have developed over the years. These solutions unify across resource and
location barriers, providing the foundation to securely deliver the right
content and information to the right people at the right time, while reducing
IT costs and enhancing the user experience. They also provide organizations
with the agile foundation they need to keep pace with tomorrow's world.

With contributions from Editorial Advisors: Sekhar Sethuraman, Advisor (Secured
Converged Networking), Ramco Systems; Urmez Daver, Consultant, SafeScrypt;
Ramesh Narasimhan, Country Manager (ITS), IBM Global Services India; and Ashit
Panjwani, National Manager (Alliance & Marketing), Onward Novell Software.

Source: Dataquest
