Security from the top down
May 1, 2001 12:00 PM, Jeanne Bonner
Ian Poynter advocates a holistic approach to security. The president of Jerboa, an information security consulting firm located in Cambridge, Mass., Poynter insists that information security measures are ineffective when they are tacked on at the end of a project. In business since 1994, Jerboa employs some 50 information and physical security consultants and provides security reviews, security policy development, seminars and penetration testing. Poynter recently shared his opinions on the state of information security with iSecurity.
Q
What do physical security managers need to know about network security?
A
That information security should not be done in a piecemeal fashion. The general media has helped to focus attention on security breaches but the solutions taken are an example of the “fighting fires” mode of operation. The media is concerned about stolen data; I am interested in prevention, in systems engineering. The landscape of computer security will change dramatically in two or three years. Information security will be considered a legitimate expense within the organization.
Q
What are some of the most important issues in security today?
A
I believe there is a perception problem. Consumers may avoid online shopping, but they will hand their credit card to a waiter who could then hand it off to the busboy for nefarious deeds. My own pet area of information security is the intersection of security and usability. Companies need to understand that security adds value to a product and increases usability.
People buy security products — what we call point products — but don't think about integration or planning. You have to plan for security. It boils down to risk management. You can leverage security to add value, and security offers a competitive advantage.
Q
At the SANS Network Security 2000 conference in October 2000, you discussed why security products fail. Can you elaborate on this topic?
A
Security products fail because a systems engineering approach is not taken. Few organizations follow sound software engineering principles. We need to create security systems, not products. When software is developed, the security component is often tacked on afterward as an afterthought. We believe security works best when it is an integral component of the design from the outset of the project. When developers are working on a server, they are thinking about how quickly the server can be deployed and how efficient it will be. They are not necessarily thinking about how the server can be compromised, and they should be.
Security sophistication is improving; however, some of the software and hardware giants ignored the issue for a long time. Microsoft ignored security. But there was a groundswell within the company and among its clients that shifted the company's approach toward security design. The well-publicized denial-of-service attacks on various Web sites brought attention to the problem. The brick-and-mortar companies such as Wal-Mart and General Electric realized that security could not be ignored — it is part of their bottom line. And they needed their software suppliers to follow suit. These companies said to their suppliers, “We cannot take the system down for three weeks. What are you going to do about it?” Software must integrate security features from the start.
Q
What distinguishes Jerboa from other companies?
A
We are pure play consultants. We do not resell. We offer strategic consultancy — we seek to be strategic rather than tactical. What companies need more than security products is to construct a security policy. Jerboa's philosophy is the holistic approach, which says you must consider the whole organization and its business processes when designing a security program. We advise our clients to assign a value to pieces of information — i.e., databases — and then set a policy on how that information should be handled.
Q
What services do you offer?
A
We do security planning, information security audits, secure coding and code reviews. We design secure architecture. We also do penetration testing to find holes in a client's systems. We do informed and uninformed testing — informed being where the company tells us the security configuration. We look for flaws in the design. We sometimes decline requests for penetration testing because we are not sufficiently convinced that the company wants to invest in a real solution. It's a waste of our time otherwise.
Q
Who uses your products?
A
Our clients run the gamut from Fortune 100 to Internet startups. Clients include large financial companies, pharmaceutical concerns, utilities, healthcare organizations. We have worked with a number of healthcare organizations because of new legislation called the Health Insurance Portability and Accountability Act (HIPAA) which seeks to standardize healthcare processes to ensure security and privacy in the handling of patient data (see www.securitysolutions.com for more information about HIPAA).
We consulted with an information management company recently on its online document management system. We have clients for whom we design systems and we have clients for whom we do one-day security audits. We prefer to work with a client from the start of a project so we can influence the security design.
Q
What does Jerboa's one-day security review consist of?
A
We send a team of security consultants to a company, and they sit down with management and the IS and IT personnel. We review the company's security procedures and policies, and we ask about their networks. The company in turn picks our brains. We don't issue any reports — it's an opportunity for the company to ask anything they want.
Q
What would a more substantial security review consist of?
A
In a more substantial review, we collect information about the company and we analyze it. We issue a report detailing possible security breaches. We can point out potential pitfalls. In an audit, we do a wide-ranging analysis — we crawl along the floor checking wires, we look at the configurations, we verify procedures. Sometimes companies have policies in name only.
Q
Do clients resist your top-down approach?
A
Sometimes there is resistance, and we feel the companies are paying us to be honest. We add value to our services by being honest with the client. With some of the newer single-factor identification systems, I am prompted to ask: Are you solving the problem or just merely changing it? For example, with PKI technology. IT massively overloaded this technology. But the certificate is still password-protected and the PKI is used in conjunction with something else. There are no quick fixes in security.
For the record
About the author
Jeanne Bonner is associate editor of Access Control & Security Systems Integration and iSecurity.