Comment & Analysis

What's the fuss about... security?

If you haven't got your safety, what have you got?

By editorial@silicon.com

Published: 4 October 2002 07:00 BST

We all want to be safe and secure but you can go too far, says Quocirca's Clive Longbottom...

As we all know, the three main areas of concern for businesses when looking at dealing outside their own environment are security, security and security. However, as security companies have found, this rarely translates into hard money, as the perception is that security should be a 'hygiene factor', built into the fabric of the environment, and should cost no more than a few pounds per person.

However, we still get bombarded with PKI, DES, WEP, WS-S, SSL, SHTTP and so on, as if these magic acronyms will get us to part with our money. For those vendors that can get beyond the technology, we get the fear, uncertainty and doubt (FUD) messages of: "If you don't do this, the Black Hats will get you," or: "The greatest risk to your company is your own staff."

Most companies won't react to these types of messages until something has actually happened, which of course is the worst kind of locking the stable door after the horse has bolted. What we don't often see are the messages of "What you need is the lowest level of security that is effective for your needs" or "The correct level of security will enable you to do x, y and z."

Quocirca believes in adequate security, and that technology security has to be a part of a corporation's overall security.

Security starts with an audit of the current situation. First, what business are you actually in? If you create nuclear designs for a major world power, then it's probably necessary to have some serious security around the place. But if your business is in buying and reselling pencils, does it make too much difference if your competitor finds that you shifted an extra 24 gross last week?

Next, what are your existing policies and procedures when it comes to corporate intellectual property? What are your policies on telephone calls - do you reserve the right to record or listen in to all calls? How about fax machines? Do all faxes have to pass through a second person's hands prior to being sent, to ensure that competitive information is not being let out? How about paper mail? Are all external letters checked for address and do you reserve the right to open any item? Are employees' briefcases checked at regular intervals? Do you physically vet your employees for fitness for job?

As the list escalates, most companies begin to say "Well, of course we do the lower ones, but vetting employees is silly - it's too expensive."

This should point out the corollary in electronic security - too much is expensive and is ultimately silly. If your employees can freely post or take intellectual property out of the building with them, having an IT system that uses fully encrypted, electronically signed, virtual private networked transport within a bomb-proof data centre with biometrically controlled access is worse than useless.

This then leads us to what are we hoping to achieve through a security solution. Are we trying to create a fully impregnable system that can stop all forms of security intrusion, including internal and external intrusion attacks, viruses, Trojans and worms, denial of service attacks, data capture, and so on? Or are we particularly worried about certain areas?

Certainly, viruses should be a worry for all companies of any size, and recent solutions from the likes of Symantec, Trend, McAfee and so on can provide relatively easily supported solutions for server, client and email systems.

General hack attacks aimed at internet ports should also be viewed as a relatively easy problem to address, and suitable firewall technologies from the likes of Check Point or Cisco, or software systems from the likes of ZoneAlarm or McAfee, will help to trap most of these.

For those of your employees who are mobile, the use of virtual private networks (basic systems built into Windows NT, more advanced commercial systems or fully managed VPN systems from the likes of Telenor or VanguardMS) will provide the means of moving data across secure connections.

Most of today's large applications come with built-in security on a per-user or per-role basis - these should be used as necessary to allow application access only to those who should have it.

Certainly, a piecemeal approach will lead to its own problems, not least of which is the management of the multiple means of access and the passwords associated with them (with up to 45 per cent of help desk queries being for password resets). A secure, single sign-on system from the likes of Computer Associates, Novell or IBM's Tivoli will not only manage all these passwords but will also introduce a broader capability of software-token based access, often around Public Key Infrastructure (PKI) technology - high priced, but leaving flexibility for the future.

Finally, hardware solutions including thumb- or iris-print recognition systems from companies such as Precise or AcSys or hard token solutions from RSA or Quizid can help to prevent unauthorised people from getting anywhere near accessing any of your client devices.

At the end of the day, any IT solution can be made very secure but will always be undermined by the lack of inbuilt security in the surrounding environment and in the people concerned with the data.

The best way to approach technological security is to seek an adequate level - one which prevents the main problems which could impact your capabilities to carry on business while enabling you to open up new routes of dealing with suppliers and customers alike. Don't get caught up in the hype - not everyone requires hyper security. As they say on television: "Don't have nightmares."

Quocirca is a leading, user-facing analyst house known for its focus on the 'big picture'. For a full summary of its activities see www.quocirca.com, or reach the company's founding directors by emailing quocirca@silicon.com.

Also in this series:
What's the fuss about... virtualised IT infrastructure?
http://www.silicon.com/a55628
What's the fuss about... storage networking?
http://www.silicon.com/a55420
What's the fuss about... disaster tolerance?
http://www.silicon.com/a55340
What's the fuss about... CRM?
http://www.silicon.com/a55238
What's the fuss about... UnitedLinux?
http://www.silicon.com/a55136
