In our virtual roundtable industry experts discuss the greatest security threats to IT professionals and where the much hyped fields of PKI and biometrics are heading.
Is information security a business enabler?
Wilson: Users accessing IT systems assume information security is a given. If the system provider overlooks it and problems occur then it is a business DISabler. IT security will, in most applications, not motivate new business, but its absence will deter business.
Ghosh: The advice that I give my clients is that IT security is the thing' that allows you to do all those things you always wanted to do on the Internet...but were previously too scared to do. Traditionally, business managers viewed IT security as the thing' that prevented access to information to all but staff on the internal network - that retards business. Organisations that implement good information security practices have the confidence to allow staff, partners and customers access to their information systems to get timely and consistent information - that enables business.
Denehy: Having an appropriate information security regime, including considered policy and practices, is as essential to a business as having the right amount of insurance cover. Businesses face risks when their information is disclosed or altered as much as they do from fire or storm. If a business does not manage this risk adequately, it is not conforming to best practice.
Vila: Organisations are increasingly offering services over the Internet and replacing paper transactions with electronic ones with their suppliers, customers and other parties. These initiatives offer significant cost savings and new revenue channels but can only be truly effective where adequate information security is in place.
What's the greatest security threat for IT managers?
Wilson: Malicious damage caused to systems data - primarily from external intruders accessing the company's systems via the Internet. The Internet's strength is its openness but its weakness is also its openness.
Ghosh: The greatest security threat for IT managers in the current business environment comes from organisations' misconceptions that information security is a cost of doing business, rather than a business enabler. Many IT managers struggle to develop security funding strategies that mount compelling business arguments to maintain or improve resourcing of intelligent security practices. Also, as more and more victims, and their insurance companies, look towards recouping the costs of security incidents, organisations face large financial risks from so-called downstream liability'. This is a strong reason to ensure that your computer systems cannot be used by your own staff, or a third party, to attack someone else.
Denehy: The greatest threat comes from managers who do not believe there is a threat to them. As the boundary between a business's network and those of suppliers and clients becomes more and more blurred, the number of people who have access to a system increases dramatically - and it would be naive to believe that all of those people are well-intentioned.
Vila: The greatest security threat for most IT managers is that they do not have an overall understanding of where the risks and weaknesses are in their infrastructure. Many organisations have focused on point security, which has resulted in some parts being very secure while others have been left wide open.
Where do the main security threats and risks come from?
Wilson: Inadequate procedures for the connection of internal systems to the Internet. Of key concern is maintaining software patches at adequate levels; also of concern is the insufficient security testing by software vendors of their products. Another issue will be trying to keep multiple distributed firewall configurations in sync. As the volume and scope of stored data increases so does the risk to a business if it is lost or exposed to unfriendly parties.
Ghosh: There are two categories. Firstly, opportunistic criminals who take advantage of easy targets for monetary gain or other crimes of acquisition; for others to make a political or religious statement or protest; to create fear; for vandalism; and to organise criminal activity. These are often lower impact incidents, but are more likely to be attempted.
Secondly, for higher impact crimes, survey after survey suggests that between 70 to 80 per cent are perpetrated by insiders (such as staff or contractors already authorised to use the systems). The problem with the Internet is that we often don't know if the attacker is in fact an insider, coming from the outside.
Denehy: The main risks still come from insiders - that is, people who have authorised access to systems. Connection to external networks increases the number of potential malicious attackers, but in general these people have to take greater risks to fully compromise information systems, and thus are more likely to be detected and stopped. If one starts with the combination to a safe, one doesn't get caught walking in the door with jemmies or explosives. Of course, if you don't mount a guard, external attackers become a larger risk.
Vila: There are a number of current IT trends that raise significant security questions: connection of corporate networks, applications and information to other organisations and the Internet. This covers authenticating unknown users; organisations you know nothing about; 24x7 services; contingency plans; ensuring security of increased numbers and diversity of platforms and technologies; updating patches; increased regulatory pressures - such as privacy.
What will be the common security threats in the next two years?
Wilson: Hacking from the Internet, new and innovative viruses spreading via e-mail, and e-mail eavesdropping.
Ghosh: Last year, I predicted that 2001 would be the year of the political or religious zealot. This is consistent with what we have seen so far. When information is power', more and more of the threat will be about collecting information about and from competitors, stopping competitors servicing their clients and attacking competing e-brands.
Denehy: At a technical level, it is expected that viruses, worms, and Trojans will become more sophisticated and start becoming hybrids or changing the nature of their attacks and appearance with time. One of the greatest risks will be the worldwide shortage of experienced information security practitioners, who will become increasingly unaffordable to keep as permanent staff for all but the largest businesses.
Vila: The most common security threats will continue to be the exploitation of Internet or network connections by hackers and viruses. As electronic commerce continues to grow, the temptation and opportunities for fraud will increase.
How is the function of IT security changing now?
Wilson: It is becoming more difficult to manage due to the greater technical complexity of IT security solutions (such as firewalls, VPNs and the like). This will be a growing challenge for small to medium-sized businesses that will move to outsource. The issue for companies then will be how well they manage the outsourcer and who has liability if there is a problem.
Ghosh: IT security isn't really changing - it's just starting to be recognised as a core business competence rather than a black-art'. The black art' is diverging into two distinct areas: certain security skills are becoming commodity items - things that developers and administrators do as part of their day-to-day roles. The other is that security skills are becoming so-called expert' skills. This includes enterprise skills such as risk management and building security organisations.
Denehy: The role of IT security is being seen more as part of the risk management strategy for businesses. The IT security practitioner will need to know how to assess and provide adequate advice to their executives and provide reasonable options to mitigate risks.
Vila: IT security needs to be focused on providing end-to-end solutions. This requires security proactively involved in the design and implementation of new applications and infrastructure rather than being added as an afterthought.
It seems that PKI has been talked about for years. What impact is PKI really having now? And where is it going?
Wilson: The sales hype from vendors has been that of attempting to push PKI into business areas not having a great need for it due to its complexity. PKI was always set for specific market segments like finance and government and needed to be proven to be user friendly and reliable before the wider business community would adopt it. PKI is currently not regarded as a high priority in manufacturing (Orica's space) due to usability and cost issues, although these are expected to be overcome in the next two to three years.
Ghosh: The building blocks for useful PKI are only just falling into place. This includes: maturity in technical product offerings for all parts of the PKI environment. PKI will start having an impact when there is a substantial penetration of people using digital signatures. Business cases for PKI implementations are failing because of the high cost of achieving this penetration, but this is changing.
Denehy: The main barrier to the deployment of PKI more generally is still associated with issues of legal liability - who carries the liability when something goes wrong, as it inevitably will. There are some very large-scale pilots happening now all over the world, and the lessons learnt in the logistics of these will help determine whether it is economic to manage PKI when tens or hundreds of thousands of certificates, or more, are involved. There is no doubt though that the alternatives to PKI for a given level of risk are much more expensive.
Vila: The desire to drive down the cost of handling paper documentation while still maintaining a signature' has resulted in a number of public sector organisations investigating the use of PKI as part of an overall electronic solution.
In the finance sector there is likely to be increased use of PKI under Identrus. Several of the Australian and Asia-Pacific banks have already PKI-enabled some of their corporate treasury applications.
There has also been increased corporate interest in using PKI as part of secure e-mail solutions for sensitive documents.
Will biometrics be of concern to IT managers?
Wilson: Two-factor authentication is very much needed by IT managers to ensure only valid users are able to access the network. It can be delivered via smartcards, tokens, biometrics or other technologies. The winning technologies will be those that can be delivered at the lowest cost, are the easiest to install and use, and are reliable and accurate. Biometrics has improved significantly in these areas and will be very attractive in the future.
Ghosh: A problem with PKI is binding the real person to the identity described by the digital certificate. Biometrics solve this problem by transforming unique personal characteristics into a digital description. As the cost of biometric devices make them more accessible, IT managers can also use the technology for other applications that need a strong binding between the real person and their digital identity. Even for many day-to-day transactions, biometric devices can be less intrusive than expecting users to remember their password or PIN and hence attractive for customer-intensive applications such as automatic teller machines.
Denehy: If IT managers have a need for strong methods of identification and access control, they should at least consider biometric devices as an adjunct to other access methods such as cryptographic tokens or one-time passwords.
Vila: The best niche for biometrics in the near term will be where it provides a more convenient method of authentication than the traditional user ID and password or smartcard.
Widespread biometric usage will be held back by the cost of rolling out the infrastructure, the lack of open standards and potential end-user resistance.
What measures should Information Technology security vendors be taking?
Wilson: IT managers are purchasing best of breed IT security products, hence the vendors need to ensure their products are interoperable and, in the current economic environment very cost effective, otherwise they will be turned away. The growth area will be fully managed IT security services.
Ghosh: Security product vendors need to be building to open security standards. Too many security solutions are proprietary or may as well be. Security solutions need to integrate and cooperate across the enterprise to protect transactions from conception, through to fulfilment and all the technologies in between.
Denehy: Security vendors need to ensure that hardware and software have default configurations which are secure. They should also be making more use of formal and independent evaluation methods, such as Common Criteria certification, to help customers make informed decisions that they do in fact perform the security enforcing functions they claim to deliver.
Vila: IT security vendors should be focusing on products that reduce the administrative workload for maintaining and monitoring security. The Holy Grail of security products would be being able to centrally manage, administer, monitor and respond to threats for all of an organisation's infrastructure and applications. A number of vendors are now moving into this space but most of the solutions are still immature or incomplete.
| Denis Wilson | Corporate IT security manager for Orica |  |
| Ajoy Ghosh | E-security adviser for the Privacy Compliance Centre and member of the Australian Information Industry Association's e-policy taskforce and Standard Australia's committee IT/12/4 on security techniques |  |
| Dr Brian Denehy | Chief scientist, research and development for 90East (Asia Pacific) |  |
| John Vila | Director, trusted e-business, PricewaterhouseCoopers |  |