Security

Finally, a sensible security scheme

Visa's "defense in depth" approach to security proves once and for all this is not mission impossible.

Stay on top of the latest tech news with our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!

By Jon Oltsik
Special to ZDNet
Commentary—If you want to see a good example of security, think of your local bank.

At many large branches, customers are greeted at the front door by an armed guard providing perimeter security. Inside, the bank is well-equipped with security cameras for surveillance and manual alarms that can be activated by threatened tellers.

The last line of defense of course is the bank vault itself. Securing the money in a safe means that bad guys have to go to extraordinary lengths (think dynamite or safecracking) to pull off a heist.

This classic "defense in depth" architecture protects every layer of the infrastructure and is the basis of all good security models. Take Visa's Cardholder Information Security Program, or CISP, for example. Mandated in 2001, the program defines 12 security standards for all Visa payment system constituents. The standards include perimeter security, ongoing surveillance and protecting critical data at rest and in flight.

Visa clearly understands the risks of weak information security on its business, which is why it demanded CISP compliance. Service

When it comes to protecting the crown jewels (aka corporate information) few companies do anything.
providers were told to submit compliance documents by September 2004, to conduct quarterly system perimeter scans and to update documentation on an annual basis.

Compared with systems at other enterprises, CISP is like Fort Knox. Most companies still dedicate most of their security budget to perimeter products such as firewalls and filtering gateways—and things go downhill from there. Businesses tend to pay marginal attention to surveillance by setting up chatty Intrusion Detection Systems, or IDSes, and occasional system audits.

When it comes to protecting the crown jewels—that is, corporate information—few companies do anything. Servers maintain default configurations, loads of system administrators have root access, databases are tuned for performance not security, and information is stored on open storage platforms in clear text.

Anyone else thinking "Swiss cheese" at this point?

Confronted with this situation, many companies freak out and rush to find an encryption tool to protect their intellectual property. I think this has something to do with the popularity of Dan Brown novels myself, because encryption is only part of the solution. If I can break into the server, or exploit database or system vulnerabilities, I can still get access to encrypted data—every time.

The first step here isn't nearly as sexy as encryption: It's boring, old audit. For example, remember Oracle's "unbreakable" campaign?

There are simply too many risks and vulnerabilities out there to continue this type of irresponsible behavior.
Well, Larry Ellison's software company has issued six major alerts for Oracle products in 2004 alone. Systems need to be audited for patches, stale accounts, default passwords and configuration problems.

Since many small businesses just don't consider security, database-penetration testing, vulnerability and (yes) encryption, tools from companies such as Application Security can help. The same is true of host vulnerability-scanning software from providers such as Foundstone (McAfee), Internet Security Systems and Symantec.

Moving down the proverbial technology stack, storage infrastructure seems to have a permanent spot at the back of the security line.

In a recent Enterprise Strategy Group survey of end users, 30 percent of respondents said their information security policies and procedures don't include data storage technologies such as storage arrays; Storage Area Networking, or SAN, switches; or storage management software. Eight percent of storage administrators and 16 percent of security administrators believed their storage infrastructure was insecure. Only 37 percent of the respondents claimed that their companies had undertaken a storage security audit. Does anyone else want to stuff their money into a mattress?

Again, this doesn't need to be the case. Service offerings from @Stake, Glasshouse and McData specialize in storage security audits and remediation. Storage security technologies from Decru, Kasten Chase, NeoScale Systems and Vormetric are slowly gaining visibility.

Even with some of these leading-edge technologies available, will anything change? You bet it will. Chief financial officers loathe spending money on insurance such as information security technology, but they hate having their intellectual property lifted a heck of a lot more. Marketing executives feel pretty foolish when national headlines describe how the company's customer database was cracked by some "Star Trek"-loving system administrator.

Finally, let's not forget those government wonks with the ever-growing list of regulations. These aren't isolated issues; they have an impact on companies every day. Something tells me there will be less rhetoric and more vaults, moving forward.

One additional security cliche warns against locking the doors but leaving the windows wide open. Leaving corporate data unprotected is clearly an example of this. Let's face it: There are simply too many risks and vulnerabilities out there to continue this type of irresponsible behavior. Heck, Visa certainly recognizes this and is mandating changes to its constituents. Smart companies will respond quickly to protect themselves and their customers, while fools will wait for further regulations or costly breaches before they learn.

biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

Editor's Picks

Free Newsletters, In your Inbox