February 1, 2002

Partners for Protection

Both the public and private sectors need to work together to ensure the security of IT infrastructure

By Mark W. Doll

Recent events have highlighted long-standing security risks and vulnerabilities throughout our nation's critical IT infrastructure. The United States now needs to work quickly and thoroughly — in public/private partnership — to assess these risks and vulnerabilities and implement effective security policies, not only to address today's problems but also to prepare for tomorrow's unforeseen challenges.

The U.S. economy has flourished in an open society supported by a highly available critical IT infrastructure. In just the past 10 years, the number of computer networks and access points to the Internet has increased significantly. This evolution has resulted in unprecedented gains in productivity, connectivity, and wealth.

Unfortunately, security has not kept pace with IT system complexity, interdependency, and growth. Much of the U.S. IT infrastructure is privately owned and was built with less concern for robust security than may now be required. Internet technologies and new business processes have created new markets, relationships, and unprecedented access to information systems, but they have also created new risks to the security of those networks.

STATE OF IT

Today, an individual or concerted attack could not only affect computer-controlled systems for banking, telecommunications, and most, if not all, utilities but also the vital systems that maintain personal identities, medical and criminal records, and proprietary information.

Public and private sector organizations rely on many of the same IT systems to maintain productivity. Consumers and businesses today rely not only on their own ability to conduct transactions but also on the reliability and availability of applications and infrastructure that are managed by others, such as customers, business partners, government branches, and other organizations with which they have no "traditional" business relationships. This situation has created a highly interdependent "IT reliance chain" of systems and businesses.

But corporate America must not be paralyzed by the size of the problem. Instead, business must move resolutely to encourage companies and individuals alike to fix the current systems' vulnerabilities and tackle head-on the hard issues — such as authentication, authorization, interoperability, recovery, and validation — required for critical infrastructure security.

The recent terrorist events should galvanize the private sector's resolve. Indeed, the Administration has issued a call to action to the private sector and government alike, through President Bush's October 16th Executive Order creating the Critical Infrastructure Protection Board. The private and public sectors must work together to identify and prioritize vulnerabilities, single out best practices, and act swiftly to ensure the long-term safety and viability of the critical infrastructure on which the nation's economy, citizens, and government rely.

The failure on the part of an individual organization to properly maintain the security of its IT systems could have a potentially disastrous ripple effect on the nation's collective security. In fact, some of these failures have already resulted in litigation for the companies involved.

WHAT NEEDS TO BE DONE?

The security systems surrounding the United States' critical infrastructure, specifically the information and communications networks, electrical power systems, gas and oil transportation and storage, banking and finance systems, transportation systems, water supply systems, and emergency and government services, must be properly managed.

Effectively securing these systems will be a task of unprecedented proportions. Already, hardware and software companies are institutionalizing efforts to proactively post known vulnerabilities and provide patches to their customers. Leading companies are moving quickly to assess vulnerabilities in their operational infrastructures. But more must be done, for example:

1. Authentication and authorization. Authentication is the ability to determine who is using computer systems — how to make sure that individuals are actually who they say they are. Authorization is simply what an authenticated individual is allowed to use or see on a system. Without an appropriate system for authentication and authorization, businesses will be unable to track and limit unauthorized individuals who might gain access to systems for personal gain or cyber terrorism.

2. Interoperability. The second issue that needs to be tackled is interoperability. It's no secret that today there are countless numbers of different protocols for operating systems, applications, and hardware. Each vendor has a proprietary interest in its protocols, creating a dysfunctional environment of complicated interoperability between competing systems, applications, and hardware. This limited interoperability makes it costly and difficult for organizations to implement truly effective security solutions.

3. Recovery. Today, companies are relied on to act independently to implement fail-safe systems and contingency plans. Although most organizations have systems to recover from a site, network, or system failure, many companies lack the necessary rigor and scale of recovery systems to respond to a national attack or coordinated cyber-terrorism threat. Any national consideration of IT security must take into account the necessity for a national program requiring and designing a national recovery system. Admittedly, this undertaking will be costly for both corporate America and the government.

4. Validation. Securing the U.S. critical infrastructure shouldn't be perceived as a problem that organizations can fix simply by purchasing the latest and greatest software or installing a firewall. Once a security application or process is put in place, it must be regularly monitored and its effectiveness validated. This applies to all levels of security, including authentication, interoperability, and recovery.

Unfortunately, a common set of standards for validating the security of computer and information systems doesn't exist. Instead, different countries, individual industries, application vendors, and hardware providers employ different standards for assessing vulnerabilities and the effectiveness of security solutions.

This lack of standards hampers efforts to conduct comprehensive risk assessments of network safeguards and controls across industries and applications. Companies must then determine how to make all these competing standards work within a complex corporate environment while allowing for innovation and growth. Any long-term discussion of IT security should, therefore, consider the need for harmonizing standards for validating effectiveness.


Validation is the most crucial issue that needs to be tackled, for without it, even the best public/private sector partnership will not accomplish systemic change. Only by regularly assessing the effectiveness of controls around complex issues like authentication, interoperability, and recovery will the private or public sector be able to ensure that any quick fixes are working as intended.

PUBLIC/PRIVATE PARTNERSHIP IS NECESSARY

The Executive Order on Critical Infrastructure Protection is a major step in the right direction. Importantly, the Executive Order requires the Board to work with members of the private sector, including the audit community, to "propose and develop ways to encourage private industry to perform periodic risk assessments of critical information and telecommunications systems."

Clearly, critical IT infrastructure security raises difficult issues. But a public/private partnership may help answer these difficult questions and deliberate on effective solutions.


Mark W. Doll is National Director, Security & Technology Solutions at Ernst & Young LLP. This column was based on Mr. Doll's recent congressional testimony before the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce.