IT security is the new buzz word
AMIT ROY CHOUDHURY
Mon, Jun 11, 2007
The Business Times

 

IT SECURITY has become the new buzz word, particularly in light of the alarming rise in Internet hacking and malicious code activity.

However, despite this, the actual processes and software which help secure IT systems from malicious attacks have never acquired the glamour of, say, the latest ERP (enterprise resource planning) or CRM (customer relationship management) packages that organisations pay top dollar to acquire.

This could be because while ERP or CRM systems bring immediate and tangible benefits to the bottom line of organisations, the benefits of top-notch IT security that good firewalls and anti-virus systems and even physical checks on the network can bring are not easy to quantify.

As IT research agency Gartner says, given the 'non-productive' nature of most information security expenditure, it's difficult to obtain and maintain support for strategic security initiatives.

'The expected benefits of security investment must be articulated in business terms and they must be linked to drivers that are specific to the organisation's environment, strategy and culture,' says a Gartner analyst.

However, many analysts feel things are changing and there's a greater awareness among CEOs and company boards that a robust security system is needed to keep an organisation running smoothly.

Shirley Wong, managing director of local IT company Frontline Solutions, says this new sense of awareness arises out of the publicity given to security threats coming from more complex and organised attacks against IT systems of governments and corporations.

'These reports highlight the design flaws exploited by these attacks. Hence, a more holistic and structured approach to IT security design has been adopted by the IT security industry,' Ms Wong told BizIT.

'Due to the increasing reliance on IT systems by both governments and commercial organisations to manage sensitive information, there's a greater awareness of the need to address IT security in the earlier stage of designing an IT system,' she adds.

Frontline Solutions, which manages the desktop firewall system for the Singapore public sector, is a wholly-owned subsidiary of Frontline Technologies Corporation.

Philip Coler, chief information security officer of IT services company EDS, adds that there is an urgent need to design security into an IT system and not add it as a layer on top of the system at a later point. 'If operating systems or applications are inherently weak then protecting that software from exploitation becomes difficult,' says Mr Coler.

In his discussion with BizIT, he gave an interesting analogy to explain why it's so important to build in security while designing an IT system. 'If you had contents in your home that you wished to protect, the job becomes more difficult if only a frame of the structure (home) exists. If you add walls, windows and doors, locks, integrate a monitoring and alarm system, to your home then protection of your belongings becomes a bit easier.'

Mr Coler adds that if security is included in the design strategy when designing hardware and software then the base for security is stronger and 'we can augment security capability that is acceptable to the requirements at hand'. Explaining why there is such a sudden emphasis on security, Mr Coler says that during the past 10 years we as individuals, companies and nations have become more dependent on computer systems and networks to drive our economic engines, allow broader access to information, and to collaborate in ways that 'our grandparents could not have imagined'.

'We are also now more dependent on technology and the networks that connect various technologies together. Now that we depend on these systems to such a degree that we nearly take these technologies and networks for granted.'

However, this dependence has an unsavoury side effect. During the past decade the Internet has become a more attractive place for organised crime, corporate espionage, and government sponsored activities.

'So the threat has increased - criminal elements have better financing, better talent and show ever-increasing sophistication in the types of attacks and exploits. Most individuals who use the Internet and email to any great degree, have already likely been the intended target of a phishing scam.'

Mr Coler, however, adds that it is not these first-level threats, like phishing attacks, that are the most problematic for businesses or governments. It's the more serious theft of sensitive information, be it government, military, or competitive information protected by companies, that is more worrisome and an ever more lucrative target.

While companies around the world face the ever increasing threat of hacking, espionage and denial of service (DoS) attacks over the Internet, government departments are just as vulnerable to such attacks.

As Frontline's Ms Wong says, with government operations dependent on IT systems, the protection of these systems and related assets has become an important challenge for governments around the world. 'It's known that attackers on IT systems are no longer just script-kiddies and can be from organised crime syndicates,' says Ms Wong.

She adds that as part of homeland security, the protection of IT systems and IT assets has become just as important as protection of physical assets. 'For example, if the command and control systems of government agencies are infiltrated and taken out at a time of national emergency, the ability of the government agencies to respond to these crises will be badly affected.'

EDS' Mr Coler agrees with Ms Wong. According to him, all governments have information that must be protected: private information of their citizens and sensitive or classified information for government operations. 'Government services are increasingly dependent on IT, driving increased efficiency and allowing for expanding services,' says Mr Coler.

He adds that traditionally governments have been able to protect most information through strong physical security and limited encrypted networks. 'However, we are now in a digital society and we have systems that allow us to gain access to services and information without ever visiting a government office. To allow these services to be degraded to any significant degree has unacceptable consequences with regards to government operations and services to the citizens.'

Mr Coler adds that there has been a recognition among governments around the world of the need to take a more comprehensive approach to IT security. 'Homeland security concerns are very broad and they have a difficult mission (and) IT security is one of many issues they must contend with.'

The point to note here is that while both government departments and private corporations need security, the risk profile of the two may differ somewhat.

As Frontline's Ms Wong says: 'A government department tends to be more concerned with internal threats as compared to external ones. The reason is that government departments' IT systems tend to be more isolated from external networks due to the nature of the government operations.'

She adds that although emphasis on IT security design will cover both internal and external threats, usually more thought will be put into addressing internal threats for government systems. 'Private corporation tends to have a higher risk tolerance as compared to government corporations as a certain level of trust can be assumed between business units. However, such assumptions cannot be taken in a government corporation due to internal security policies.'

EDS' Mr Coler has a slightly different take on this. He says: 'In today's digital economy, communications, banking and finance, government services, corporations, education and entertainment all depend on a digital infrastructure.'

This (digital) infrastructure is now as important as roads, rail, and bridges, he adds. Transactions and services in our economy need to meet requirements that ensure that we have interoperability, secure transitions and assured identity of parties. 'The use of digital signatures will become more common and are legally binding when specific conditions are met . . . The digital economy transcends borders and is sometimes discussed as the global information grid.'

In such a situation, there has been a gradual convergence between government and commercial practices. 'Some of that convergence has been dictated by government; however, an ever increasing number of commercial entities have a greater appreciation for risk and may exceed regulatory requirements to limit liability,' he says.

According to him, there has also been increased cooperation between government, industry and academia in the development of complementary standards and technology. Asked whether outsourcing of security requirements would work the best for governments, Ms Wong says that there needs to be a balance between outside experts and internal staff to handle security for governments. 'While daily security operations and maintenance can be outsourced, governments still need to maintain an internal team to handle the more sensitive areas. The internal team will also act as a check against any violations by the external parties.'

EDS' Mr Coler adds that any organisation, be it government or private, faces a series of make or buy decisions. 'What do I do myself and what do I outsource.'

'What tends to happen is the core of the business - that is what the organisation does well - it keeps inhouse; other areas should be considered for outsourcing.'

Keeping in mind that no company or government would outsource its responsibility to provide security, the best course for government entities is to maintain the responsibility for security in-house and outsource parts of the operation to gain capability that could not be built in-house. 'We have also seen reduced cost and increased efficiency as a deciding factor,' Mr Coler adds.

This article first appeared in BT on June 11, 2007

 

 