At the most basic level, almost every human activity carries a measure of risk. Whether it’s crossing the road or ordering a meal, we calculate our exposure to danger and adjust our behavior accordingly. The whole process is usually automatic – except when we suffer a near miss in inclement weather or discover a cockroach in the salad. Then, issues of risk and its twin partner trust come very quickly to the forefront of our minds.
Similar problems are starting to arise as we move our commercial and governmental processes into a more open networked environment. Concepts of trust and risk that developed over hundreds of years – based on traditional paper-based methods of communication or finance, or on computer systems and networks physically closed to the outside world – are now being challenged by the still largely unknown implications of a truly interconnected world.
Mention the subject of IT or network security to most people in the industry, however, and you’re likely to get a stock range of responses that rarely consider the broader implications of risk and trust in the networked world. And it’s here that some pitfalls lie for network owners and users of all types as they try to exploit the potential of e-commerce.
Information security is often seen solely in terms of the necessary hardware or software, such as firewalls or encryption, that can be used to control access or to authenticate and protect messages.
Decisions on information security are usually left to technology staff to make and implement, with senior management rarely being involved in the process.
Many security problems are caused by all too human misperceptions of where dangers lie and the ability of particular measures to avoid them.
Security is seen as being ‘negative,’ contributing nothing to a company’s performance but interfering instead with a whole range of accepted working practices and creating additional work for already stretched resources.
Security only needs to be reviewed when there is some significant change within an organization or when an attack of some kind happens.
These viewpoints, while once perhaps having had some validity, are now becoming dangerous assumptions that not only increase the vulnerability of an organization to attack from within or without, but may cripple a company commercially without any deliberate subversive intervention at all.
To take each point in turn:
Products or technologies should only be used within the context of an overall IT security policy, when there is a particular problem that needs addressing, and where the risk can be quantified, however roughly, to justify both the investment and the possible impact on business operations.
That information is an organization’s most valuable asset has become a cliché in recent years. Commitment to the principle – at least where its security is concerned – is often only given lip service by senior executives, despite the legal responsibility that they have to protect their resources to the best of their ability.
Also, as electronic exchanges of all types become increasingly familiar, the capacity to trust the integrity of an information source, a business partner’s IT environment, or even a telecoms operator will have a significant impact on that organization’s brand values. In the same way that value can be assigned to a name for quality, safety or some other consumer criterion, so too will worth be assigned to trust in an electronic marketplace. Senior management has a key role to play in developing a conscious security culture amongst the workforce, and these responsibilities are delegated at their peril.
Vulnerabilities must be analyzed and monitored in as disciplined a way as possible, with the results being made available in forms – graphic or text – that are readily understandable by senior corporate decision makers.
Negative perceptions of security must be changed, and this is another management job. A culture must be created that sees security as a business enabler, not a hindrance, and one that allows innovation – through new processes and new customers – rather than stifling it. If, by operating safely, an organization can take more risks than its competitors, especially in an e-commerce context, then there is more potential for profit, more financial security for the organization and hence more security per employee. The very existence of e-commerce has only been made possible by the development of security techniques such as cryptography and authentication.
Casting security policy in stone may have been appropriate in the castles of the Middle Ages, but even they had the choice of raising or lowering the drawbridge as conditions changed. Along with cost and ubiquity, one of the main benefits of the newer networking technologies is flexibility, while threat levels can rise and fall even during a single day’s operations as a new site comes online, or a new virus gets loose on the Net. Vulnerabilities on a network must be capable of being monitored dynamically, and information about new threats or infrastructure weaknesses made readily available as they emerge. An organization’s assets and policy may be static, but threats by their very nature are mobile and mutable.
All fine in theory, but how can something so intangible as risk – or indeed trust – be measured? Physical assets can be easily counted, and their values totaled together and balanced against the cost of countermeasures such as bars, locks, alarms or security patrols. Information and the emerging virtual trading communities seem far harder to track.
This is where a series of initiatives – some public and some private – have been at work over recent years, usually in low-profile mode, finding ways of measuring risk, defining policies and processes that can help manage risk and security, and developing globally recognized standards of electronic trust.
One example is the work that has been underway in the UK on developing the standard known as BS7799 – a code of practice for information security management – which looks set to develop into a truly international standard.
BS7799 allows compliant companies to publicly demonstrate that they can safeguard the confidentiality, integrity, and availability of their customers’ information, and it is rapidly becoming an essential ‘seal of approval’ in the world of e-commerce. If an organization wants to trade securely over the Internet, it should ensure that both it and its partners have this accreditation.
As well as specifying a complete set of security controls for computers and networks, BS7799 also provides guidance on security policies, staff security awareness, business continuity planning and legal requirements. BS7799 is essentially a management standard, intended to ensure that senior executives develop and then stick to approved methods of storing, processing and transmitting information, and that they adjust these methods as commercial or technological conditions change.
One of the key exercises that must be carried out to win and then keep BS7799 accreditation is risk assessment or analysis. This process balances the planned safeguards against the risk (i.e. the probability) of failing to meet business objectives. In this context, business objectives relate to exposure and to the resulting regulatory penalties or financial losses.
While the principles of information security can seem complicated to the uninitiated, risk assessment essentially boils down to an equation best represented by a cube drawn in a 3-D space whose axes are threat, vulnerability and asset value. The mitigating effect of a safeguard shrinks one of these edges and so reduces the volume of the cube, which gives us a starting point for reasoning about how to measure risk.
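The cube picture can be turned into a small, runnable risk register. The following is an added example, not code from the original article and not part of BS7799 or CRAMM: it assumes a multiplicative model (risk = asset value × threat likelihood × vulnerability likelihood), assumes each safeguard removes a stated fraction of the remaining vulnerability, and uses a constructed register of invented assets, figures and safeguard names.

```python
"""Illustrative risk register in the threat x vulnerability x asset model.

Added example, not part of the original article. The multiplicative model
(risk = asset value x threat likelihood x vulnerability likelihood, with each
safeguard scaling the vulnerability term down) is an assumption made here to
give the article's "cube" a concrete form; BS7799 and CRAMM do not prescribe
these particular formulas.
"""
from dataclasses import dataclass, field
from typing import List


def _check_unit(name: str, value: float) -> float:
    """Likelihoods and reductions are probabilities: reject anything outside [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be within [0, 1], got {value}")
    return value


@dataclass(frozen=True)
class Safeguard:
    name: str
    reduction: float  # fraction of the remaining vulnerability removed (assumed model)

    def __post_init__(self):
        _check_unit(f"reduction for {self.name}", self.reduction)


@dataclass
class Exposure:
    asset: str
    asset_value: float    # loss if the asset is fully compromised (one edge of the cube)
    threat: float         # likelihood the threat is attempted in the period (second edge)
    vulnerability: float  # likelihood the attempt succeeds with no safeguards (third edge)
    safeguards: List[Safeguard] = field(default_factory=list)

    def __post_init__(self):
        if self.asset_value < 0:
            raise ValueError("asset_value cannot be negative")
        _check_unit(f"threat for {self.asset}", self.threat)
        _check_unit(f"vulnerability for {self.asset}", self.vulnerability)


def inherent_risk(e: Exposure) -> float:
    """Volume of the cube before any safeguard is applied."""
    return e.asset_value * e.threat * e.vulnerability


def residual_vulnerability(e: Exposure) -> float:
    """Each safeguard shrinks the vulnerability edge independently (assumed model)."""
    v = e.vulnerability
    for s in e.safeguards:
        v *= 1.0 - s.reduction
    return v


def residual_risk(e: Exposure) -> float:
    """Volume of the cube after the safeguards currently in place."""
    return e.asset_value * e.threat * residual_vulnerability(e)


def safeguard_benefit(e: Exposure, candidate: Safeguard) -> float:
    """Expected loss avoided by adding one more safeguard: the figure to weigh against its cost."""
    return residual_risk(e) * candidate.reduction


def rank_register(register: List[Exposure]) -> List[Exposure]:
    """Highest residual risk first: the order in which management should look at them."""
    return sorted(register, key=residual_risk, reverse=True)


def executive_summary(register: List[Exposure]) -> List[str]:
    """Plain-text lines of the kind a non-technical decision maker can read."""
    lines = []
    for e in rank_register(register):
        before, after = inherent_risk(e), residual_risk(e)
        cut = 0.0 if before == 0 else (before - after) / before
        lines.append(f"{e.asset}: exposure {after:,.0f} (was {before:,.0f}, safeguards cut {cut:.0%})")
    return lines


# Constructed sample register: the assets, figures and safeguard names are invented for illustration.
SAMPLE_REGISTER = [
    Exposure("customer database", 500_000, 0.6, 0.5,
             [Safeguard("perimeter firewall", 0.5), Safeguard("monthly patching", 0.4)]),
    Exposure("public web server", 50_000, 0.9, 0.8),
    Exposure("payroll file share", 200_000, 0.3, 0.7,
             [Safeguard("access control lists", 0.6)]),
]

if __name__ == "__main__":
    for line in executive_summary(SAMPLE_REGISTER):
        print(line)
```

Two design points matter for the argument above: the likelihood inputs are validated as probabilities, so a typo like a reduction of 150% cannot silently produce a negative risk, and `safeguard_benefit` gives the quantity the text asks for when it says an investment should be justified by a rough measure of risk.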
A number of risk analysis and management methods have been developed over the years, and these are currently available either as guidelines to be applied manually or as interactive software packages. The UK Government’s approach, CRAMM (CCTA Risk Analysis and Management Method), for example, is available from several commercial sources and consists of an assessment of assets and safeguards by an approved consultant, followed by the production of a set of countermeasures to reduce risk.
CRAMM, like some other risk analysis methodologies in other countries, was developed in the early days of computers, when IT security could be ensured through physical measures or the use of closed networks. Security audits could proceed at a leisurely pace, taking some weeks typically, and would only need to be instituted every couple of years.
Everything has now changed, and new ways have had to be found to carry out this process. Because of the speed with which network topologies, services, and applications change, and the wholly interconnected nature of the new business world, risk analysis and management systems must operate in a more dynamic way.
Fortunately, a new generation of products is starting to emerge that can automate the whole process, with the latest versions being able to scan a network and produce real-time analyses of vulnerabilities – in forms that senior executives can understand – along with suggested fixes for particular hardware or software problems.
Without the third-generation support that these systems can provide, the speed with which potential threats from new networking architectures or applications emerge will outstrip the ability of management to keep up. The result will be either to open the network to exploitation from outside or inside the company, or to limit the company’s networking options so severely that new business possibilities have to be refused.
E-commerce is starting to create a genuine ‘just-in-time’ economy. Those seeking to exploit these new ways of doing business will have to move into a world where network security becomes a real-time, automated process that is seen as supporting the business – not limiting it.