Untouchable value

Nov 1, 2000 12:00 PM, David Gersh


In the information age, a company's most important asset often is - duh! - information. But are we doing enough to keep it safe?

A corporate security director stands in the control room double-checking the systems, the nightly ritual. Doors locked, cameras scanning the empty parking lots and doorways, motion detectors at the ready; everything is running smoothly.

The next morning, he learns that a hacker broke into the computer system the night before, stealing the company's most sensitive data before launching a crippling attack against one of its customers. Now the customer is threatening to sue the company for not protecting it against third parties. The company stands to lose millions from the loss of information and the damage to a valued customer.

Any company that thinks it is immune to this kind of threat should think again. Hundreds of millions of dollars were lost to hackers, disgruntled employees and other information thieves in 1999. In today's business world, information security is as important as physical security in protecting a company's vital assets and reputation. The company that relies solely on firewalls and passwords to protect its information may risk its assets and market share.

Is information security your responsibility? Currently, most companies separate their physical and information security departments. However, as we enter the 21st century, the role of corporate security is changing. "We're seeing a number of companies today that are combining their information security and physical security departments," says Charles Le Grand, director of technology for the Institute of Internal Auditors. "The organizations are realizing that much of what they're trying to secure - their principal assets - are information. So they need to closely mesh the activities of information security and physical security practices, and it's hard to do that if the two are under different management."

One such company is Microsoft Corp., Redmond, Wash., which recently combined its information, physical and corporate security groups under chief information security officer Howard Schmidt. Schmidt also serves as international president of the Information Systems Security Association (ISSA), located in Oak Creek, Wis. One reason companies are looking to combine these formerly disparate security functions, Schmidt says, is that "there's an overlap as we move from a physical society to a technical society when it comes to protection of documents." The newest physical security devices will either protect computers or be computer-based. Information and physical security are growing together because, "when it comes to electronic or physical threats, the security mindset is the same," Schmidt says.

"Most companies will say that their most important asset is their people, which is a question of physical security," Schmidt says. "However, as information security is becoming more important to the profitability of a company, we're seeing many companies developing robust information security programs on a par with what they have relative to physical security."

The evolving field of information security shares a basic goal with physical security: to establish identity and authorization.

Technology

Several information technologies have emerged. One of them is Public Key Infrastructure (PKI), which many believe will shape the e-business world. PKI is not so much a product as an infrastructure used across a range of applications, solutions and technologies. Put simply, PKI provides encryption and digital certificates: it manages the certificates that establish a user's identity, authorizes that user to enter into a secure transaction and decrypts the transaction's data for the user.

"With PKI," Schmidt explains, "you have a greater ability to positively identify the person using your resources. You can, based on a person's unique key, give them access to a network while limiting the amount of resources to which they have access."

PKIs are gaining in importance. One indication is President Clinton's recent signing of the digital signature bill, making electronic signatures - and, by extension, electronically signed transactions - legally binding. The security of digital certificates relies on PKI to positively identify someone. PKI is also the driving technology that secures the information held in other new technologies such as smart cards and biometrics.
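The PKI behaviour Schmidt describes above (a per-user key that both identifies the person and limits the resources they can reach) can be shown end to end in a few dozen lines. The following Go program is an added example, not code from the article or from any vendor it names: a throwaway CA issues a client certificate carrying the user's organizational unit, the server authenticates the holder by checking the certificate chain and a signature over a fresh challenge, and then authorizes access from the certificate's OU. The OU-to-resource table, the user name and the challenge value are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Which organizational unit (OU) may reach which resource: an assumption for this example.
var allowed = map[string]map[string]bool{"Finance": {"payroll": true}, "Facility": {"door-controller": true}}

// newCert signs tmpl with the signer's key (self-signed when parent == tmpl) and parses the result.
func newCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Issue builds a throwaway CA and issues one client certificate carrying the user's OU.
// The returned private key is the user's "unique key" (held on a smart card, in practice).
func Issue(user, ou string) (ca, cert *x509.Certificate, key ed25519.PrivateKey) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = newCert(caTmpl, caTmpl, caPub, caKey)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user, OrganizationalUnit: []string{ou}},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cert = newCert(tmpl, ca, pub, caKey)
	return ca, cert, key
}

// Authorize is the server side. Authentication: the certificate must chain to our CA and the holder
// must have signed the server's fresh challenge. Authorization: the certificate's OU decides the resource.
func Authorize(ca, cert *x509.Certificate, challenge, sig []byte, resource string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return false
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if allowed[ou][resource] {
			return true
		}
	}
	return false
}
```

The client side is one call, `ed25519.Sign(key, challenge)`, where the challenge is a random nonce the server issues per login attempt so that a captured signature cannot be replayed.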

Another technology receiving a lot of attention is the smart card. "You can control physical and logical access on a single card," says Karen Williams, executive vice president of operations and business development for SiVault Inc., Irving, Texas, a third-party service bureau for smart cards. "The beauty of the card is that the level of security can be adjusted to meet program goals and objectives," she adds.

Smart cards offer increased security and convenience over magstripe cards because the information is held in the card rather than in the reader. Because the information is encrypted on a chip embedded in the card, a single card can access multiple buildings and perform multiple functions without having to be manually added to each individual reader. In addition, "you can require a card to control logical access so that you need both the correct password and matching card to log on to your PC," Williams says. Smart cards also offer increased convenience, Williams explains, because "of the capability of loading and updating the card applications over the Web. You can choose and personalize the applications you want from a home environment."

"Smart cards are something that we, as an industry, are just starting to get our arms around," Schmidt says. "I think it's something that's long overdue." One reason for the delay, Williams suggests, is that "there's an infrastructure issue, a changeout issue with existing technology. For new companies and buildings, smart cards are the way. I think, in the next three to five years, we will see a huge transition as companies upgrade existing readers and look to smart cards to add an additional layer of security."

One of the most intriguing applications for a smart card involves storing biometric information on a card. Access then requires the card and a biometric match to the template. Combining the accuracy and security of a biometric scan with the portability of a smart card would allow a user to travel and still use the same card to positively validate his or her identity and unlock information. "The goal of biometrics is simply to replace passwords and to authenticate the user," explains Kurt Kyvik, marketing and communications director for AuthenTec, Melbourne, Fla., a producer of fingerprint sensors. "When you use biometrics, you're taking security to a new level because it can't be shared with another user. With passwords you never really know who's accessing the system, you only know the password used to gain access."

The field of biometrics is advancing quickly as companies look for new solutions to the problems that plagued early optical sensors. Many optical sensors can't register 15% of the population into the system. AuthenTec's sensor, for example, looks below the skin surface and is not affected by dirty, scratched, or excessively moist or dry skin, problems that can obscure the read with optical sensors. As the technology is advancing, the reads are becoming more reliable and the price is going down. "Right now we're positively registering more than 98 percent of the population and we're adding about $40 to the cost of a keyboard," Kyvik says. "The problem with maintaining passwords," he adds, "is a hidden cost that few people see. The estimates we have say that helpdesks spend approximately 60 percent of their time on password issues."

Like smart cards, biometrics has a variety of applications. Sensors may be used for access control, to combat time-clock fraud or as a required e-mail signature. In applications such as network and Web authentication, mobile-commerce and access control, biometrics is likely to play a role in the positive identification systems of the future.

These and other technologies can be mixed and matched to provide access, authentication and authorization as best fits the business model. One such combination involves tagging smart cards for use as part of an asset management system. "Asset management asks who goes where, when and with what," explains Don Small, president of Automated Identification Technologies (AIT) L.L.C., Irvine, Calif. PKI encrypts the wireless transaction between a tag and detector to ensure that the transaction is secure.

The applications of an asset management system are limited only by the business model. "We're installing a system for a company that has been experiencing capital asset losses of more than $2 million a year, primarily in laptop computers," Small says. "By tagging both people and assets, a company can maintain a correlation of who is moving what out of the facility when and determine if it is a valid transaction. I can leave with my laptop and you can leave with yours, but you can't leave with mine," he continues.

For additional security, an asset management system can incorporate a biometric scan into the tag. "A computer could then compare the template in its database with the read from a scanner," Small explains. "The system could track you by the tag and use the biometric to ensure that you are who you say you are." Such a system provides enhanced assurance of identity over tagged cards, which may be lost or stolen.

As the demand for security increases, these function-specific mechanisms are achieving prominence in a marketplace with virtually unlimited needs and applications. The security mechanisms that come to the forefront "will be whatever is appropriate for a given situation," Le Grand says.

Designing a secure system

An examination of your system should reveal whether you need to implement a new plan that accounts for both physical and information security. This process resembles a physical risk assessment, but there are several important differences.

"We now have to integrate the recovery process for physical facilities with what information might have been damaged at the same time," Le Grand says. "The impact of fire, flood and earthquakes is no longer confined to physical facilities that are rebuilt. We must consider what information might be lost and where that information is provided for recovery," he continues.

Karen Worstell, vice president of information security for venture consulting firm Atomic Tangerine, San Francisco, argues that, for information security, "a level of due diligence is more effective than risk assessment. With physical security you're worried about things that have a somewhat predictable nature. You can look at a table that says if you live in this area you can expect the following." However, when it comes to software or hardware failures and malicious events, "there's nothing anywhere that can give you any prediction about logical problems," she adds. "That's why we suggest that companies examine the standards in their industry to look for what constitutes reasonable security."

Schmidt cautions, however, that "standards and practices are all relative to the business model and the size. Standards for one company may be too difficult to implement or simply unnecessary for a smaller company." Industry best practices, specific vulnerabilities and the business model must all be taken into consideration before you implement new security measures.

Current security measures

Existing firewalls and passwords are not useless or obsolete. While they cannot secure a system without other measures in place, they allow you to "start with a much smaller base of threats, types of transactions and authentications you have to look for," Le Grand explains. "What you want is redundancy. If your firewall is designed to keep a certain type of transaction out, and someone gets that type of transaction through, you don't want to get caught flat." Furthermore, more advanced tools only function properly if you have the right groundwork. "If you implement intrusion detection too soon, it will tell you to fix things that due diligence would have found," Worstell says.

Teamwork: what's your role?

Increasingly, due diligence and the search for "reasonable security" are leading companies to seek out-of-the-box solutions: complete security packages that usually combine multiple technologies.

Auditors, managers, security directors and board members are all working together to determine a company's vulnerabilities, the sensitivity of data in vulnerable areas and the level and type of security required to adequately protect it. "We're seeing a lot more pressure put on the board of directors to ask the right questions and get the right answers," Le Grand says. "So they're saying to management, 'convince us that we have adequate security over our information assets.' Then they're asking the auditors to provide assurance that the plan is consistent with best practices and is reasonable for the assets being protected."

It is critical in this process that the security director have the proper experience and know his limitations. "If you're managing a security function, whether it's electronic or physical, there has to be that security mindset and awareness that those who are not in the security profession may not have," Schmidt says. "Information security is a responsibility that is coming closer to the physical security world," he continues. "Always remember that there are people out there who have that core competency. Don't be afraid to leverage them and make them a part of the process."

What if something happens anyway?

The unfortunate truth is that, even if your security meets or exceeds industry best practices, you may still be the victim of an attack. "The situation won't get better," Worstell predicts, "because machines are unlikely to be highly secure."

"The evolution of information technology has been so fast," Le Grand elaborates, "that it's been next to impossible to put any kind of standards or best practices in place because, as soon as you get a documented and agreed-to set of standards, they're obsolete because of the new technology that comes out."

The success of a lawsuit would depend largely on whether the company's security can be deemed "reasonable." "If the board hasn't taken any action to ask what are best practices and are we following those, then the company can be held liable because they were negligent," Le Grand explains. "The next question is, if my 'state-of-the-art' security that meets industry best practices isn't enough and something happens anyway, am I covered? And here's where the insurance companies are saying they play a role in defining what constitutes best or acceptable practices for the coverage they're going to offer," he adds.

Internet insurance: are you covered?

"Hacking and breach of security attacks are not regulated to the point where companies are required to publicly state that they have been hacked," says Bob Wice, director of business development for INSUREtrust.com, Atlanta, an e-business risk management provider. "There hasn't been a lot of litigation because companies are very scared to get these types of breaches out in the public because of their stock prices and market share. A lot is done under the table because it would be a PR nightmare." In response to these worries, companies are beginning to offer Internet insurance against the risks associated with viruses, denial of service attacks and other breaches of computer security.

A general policy should cover malicious events and information losses. Any company that conducts e-business or relies heavily on the Internet should start exploring technology insurance options today. Assistance should be sought from auditors, lawyers, managers and the board of directors to make these evaluations as exact as possible. As with any kind of insurance, it is important to examine the exact terms and limitations of the policy before signing.

Some technology insurance policies carry the added benefit of a physical security review. INSUREtrust.com includes an evaluation of physical risks, policies, procedures and technical risks in their network assessment. "We make recommendations to the company as to what they need to do to get insurance, so we also get the company to a certain insurable standard," Wice explains. "No matter what kind of technical security you have, if someone can physically take out a laptop or server, you're going to be vulnerable."

Internet insurance may - depending on the business model - carry a high premium, but it also carries a measure of assurance against a breach of security and, if a breach does occur, financial recourse for the company.

Final advice

"Don't be too concerned about the technology," Schmidt advises. "Much like the technological advancements in physical security, it's just a mechanism by which you achieve certain levels of security. It shouldn't become a conflicting issue as these worlds come closer together," he continues. "Both physical and information security professionals need to be open-minded about the model as it continues to evolve."

Colleges and universities face an interesting dilemma. Tens of thousands of students and professors want easy access to a wealth of private information. Colleges want to provide such access and still ensure the privacy and integrity of the data. Without the proper security systems, unauthorized users could, for example, view a student's grades, tuition balances or other sensitive records on the campus intranet.

Pennsylvania State University, a member of the Big Ten college athletic conference, turned to Entegrity Solutions' NetCrusader and PC-DCE enterprise security solutions to provide authentication, ensure data privacy and integrity, and control access privileges. NetCrusader offers a flexible, scalable security infrastructure that adapts distributed computing technologies to address the needs of a large enterprise. With Entegrity, students can view their loan status, add and drop classes, track degree requirements and view transcripts online through the Comprehensive Academic Advising Information System (CAAIS).

"NetCrusader and PC-DCE provide the missing pieces to help us to improve student services using the Web while maintaining desktop-to-data center security," says Ken Blythe, director of the office of administrative systems at Penn State. The underlying security technology in the CAAIS is also the foundation for Penn State's Executive Information System, the shared Big Ten Virtual Electronic Library and e-commerce initiatives.

According to Blythe, NetCrusader will integrate authentication systems throughout the Big Ten that normally do not work together. Once authenticated by their local campus, patrons receive common security credentials that let them access online library materials throughout the Big Ten with digital certificates, username/password pairs or other forms of authentication.

"We prefer to have commercially available software solutions like NetCrusader so we can take commercial components and plug them in, rather than continue to build this kind of middleware functionality from scratch," Blythe said. "Secure Web applications are helping the university reduce costs and operate more efficiently."

© 2008 Penton Media Inc.