In Pursuit of Digital Trust – An Executive’s Guide to Information Security

Donal O’Shea

Derived from the work of Ron Knode

March 2009

EXECUTIVE PROGRAMME

Worldwide CSC Headquarters

The Americas
3170 Fairview Park Drive, Falls Church, VA 22042, United States. +1 703.876.1000

Europe, Middle East, Africa
Royal Pavilion, Wellesley Road, Aldershot, Hampshire GU11 1PZ, United Kingdom. +44 (0)1252.534000

Australia/New Zealand
26 Talavera Road, Macquarie Park, NSW 2113, Australia. +61 (0)2.9034.3000

Asia
139 Cecil Street, #06-00 Cecil House, Singapore 069539, Republic of Singapore. +65.6221.9095

About CSC

The mission of CSC is to be a global leader in providing technology-enabled business solutions and services.

With the broadest range of capabilities, CSC offers clients the solutions they need to manage complexity, focus on core businesses, collaborate with partners and clients, and improve operations. CSC makes a special point of understanding its clients and provides experts with real-world experience to work with them. CSC is vendor-independent, delivering solutions that best meet each client’s unique requirements. For 50 years, clients in industries and governments worldwide have trusted CSC with their business process and information systems outsourcing, systems integration and consulting needs.

The company trades on the New York Stock Exchange under the symbol “CSC.”

Designed and produced by CSC’s UK Marketing & Communications department. © 2009 CSC. Printed in U.K. 03/09. All rights reserved.

Leading Edge Forum

Asia Pacific, Australia
Level 7, 570 St Kilda Road, Melbourne, VIC 3004. Tel: +61.3.9536.4327 Fax: +61.3.9536.4400

Belgium, Luxembourg and The Netherlands
Kosterijland 20, 3981 AJ Bunnik, The Netherlands. Tel: +31.30.6574.574 Fax: +31.30.6574.590

France
Immeuble Le Balzac, 10 place des Vosges, 92072 Paris La Défense Cedex, France. Tel: +331.55.70.52.80 Fax: +331.55.70.50.59

United Kingdom, Ireland, Iberia, Italy, The Nordic Region, Germany, Austria, Switzerland and South Africa
Vintners’ Place, 68 Upper Thames Street, London EC4V 3BJ, United Kingdom. Tel: +44.20.7015.6000 Fax: +44.20.7015.6850

United States and Canada
3170 Fairview Park Drive, Falls Church, Virginia 22042, United States. Tel: +1.703.641.3479 Fax: +1.703.204.8355

About the Leading Edge Forum

CSC’s Leading Edge Forum (LEF) is a global community whose programmes help members realize business benefits from the use of advanced IT more rapidly.

LEF members work to spot key emerging business and technology trends before others, and identify specific practices for exploiting these trends for business advantage. Members enjoy access to a global network of thought leaders and leading practitioners, and to a powerful body of research and field practices.

LEF programmes provide CTOs and senior technologists with the opportunity to explore the most pressing technology issues, examine proven state-of-the-art practices, and leverage CSC’s technology experts, alliance programmes, and events. For more information about LEF programmes, visit www.csc.com/lef

The LEF Executive Programme is a premium, fee-based programme that helps CIOs and senior business executives develop into next-generation leaders by using technology for competitive advantage in wholly new ways. Members direct the research agenda, interact with a network of world-class experts, and access topical conferences, study tours, information exchanges and advisory services. For more information about the LEF Executive Programme, visit lef.csc.com



Author Donal O’Shea

Derived from the work of Ron Knode

Editor: Anne Pappenheim
Production Manager: Keren Hayden
Graphic Designer: Andy Scrivner

In Pursuit of Digital Trust – An Executive’s Guide to Information Security


Contents

Introduction

Identity management

Intellectual property protection

Compliance management

Mobile/wireless security

eThreats and countermeasures

Transparency and assurance

Summary and key points


Introduction

This report is designed to provide an overview of what an executive – rather than an IT person – might need to know about information security in the IT-driven world of today. Between 2006 and 2008, CSC published eight reports on ‘digital trust’ developed by security expert Ron Knode. This paper draws upon Ron’s work, the primary theme of which is that enterprises that pursue a strategy for increasing digital trust will both create business value and reduce their exposure to risk. Protecting the firm should not be the only objective of an IT security programme. We recommend that information security professionals check out the complete eight-volume report [1].

IT security is increasingly becoming a priority for corporations and organizations all around the world. Executives recognize that the very viability of an enterprise can be put at risk by the lawsuits or negative publicity that can come from malicious and accidental security breaches alike. However, few firms focus on the upside, and the many market advantages that a reputation for digital trust can create.

To both minimize risk and maximize opportunity, business leaders must have a clear understanding of the information security issues that may affect their firm’s top and bottom lines. This report attempts to explain these issues from a business executive’s point of view, and we encourage our more technology-savvy clients to share this work with their business colleagues.

The report begins with a broad discussion of the importance of business trust in general, and the key components of digital trust. We then assess the pursuit of digital trust across six strategic information security domains: identity management, intellectual property protection, compliance management, mobile/wireless technology, eThreats and countermeasures, and finally the transparency and assurance of the integrity of the Internet itself.

While Enterprise IT will be responsible for managing most of the implementation issues, tomorrow’s business leaders need to understand the growing intersection of business and information security strategies, encompassed by the concept of digital trust. This report is intended as a means toward that end.

Figure 1 – The digital trust research project

1. Shaking Hands with the Digital Enterprise

2. Identity Management

3. Intellectual Property Protection

4. Compliance Management

5. Liquid Security

6. eThreats and Countermeasures

7. Transparency and Assurance

8. Epilogue and Strategic Roadmap

1. http://lef.csc.com/library/publicationdetail.aspx?id=856


Trust can be defined as the assured reliance by one party on the future behaviour of another party. It has been the basis of all commerce through history. When one farmer delivers a cartload of straw to another, he expects to get paid for it. If he feels that there is a likelihood that he might not get paid, he will not deliver the goods.

There are a variety of ways in which we build trust in our customers and suppliers so that we can rely on them to pay or to deliver the promised goods. The customer can have a reputation for paying on time. Our perception of the customer can be that he is reliable – because he wears a suit and tie, perhaps, or because of the size of his home or car. We could put a process in place whereby payment is lodged in advance with a third party to be handed over only when we have delivered the goods. Or a technology could enforce such a process – for example, the bar of chocolate is released only after the appropriate coins have been deposited into a machine.

All in all, there are many ways that a supplier can earn our trust. Words like confidence, assurance, security, faith, belief, reliance and reliability are all used to help explain what trust is. Measures of trust have generally included both sociological and psychological components dealing with degrees of ‘expectancy’ concerning the reliability of ‘promises’ of many types.

Figure 2 – Broad sources of trust: perception, reputation, process and technology.


In the information-rich world in which we live today, trust takes a different shape, though it is no less essential to the functioning of online commerce than it has been to farmers through the ages. Figure 3 hints at the extent of the challenge.

Digital trust is technology’s contribution to the full fabric of trust: the hardware and software that prevents unauthorized access to a system; the passwords and biometric features that permit access only for those who are authorized; the rights management functionality that allows some, but not others, to listen to music or watch movies online. Digital trust results from the sum of a system’s security technologies and processes, which provide us with the evidence – the transparency – that gives us confidence that the system operates as advertised, and that no unadvertised activities are occurring.

This trust is dependent not only on security features, but also on the ability to deliver perceivable evidence that the security actually works. Our perception might cause us not to use a system, or to use it only for a certain subset of its capabilities – we may be prepared to use a system for a $50 transaction but not for one of $1,000.

Ultimately, it is how that digital trust is perceived by the people within today’s networked enterprises that determines the extent to which a transaction or relationship will continue.

Figure 3 – Digital trust and the enterprise

• Global ecommerce spending is now well over $100 billion

• The average UK Internet user has 20 different online identities

• Over 5 billion songs have been downloaded from Apple’s iTunes

• Since 1999, more than 90 percent of all documents have been created in digital form

• Over 40 percent of all US Internet users use Internet banking

• There now are well over 1 billion email users worldwide


Figure 4 shows some examples of digital trust at work.

Implementing an electronic border control system reduced processing time at border checkpoints dramatically (top left). While processing time is reduced, so too are the chances of infiltration, thanks to the assurance that a passport is genuine and that it truly belongs to the bearer.

Similarly (top right), the implementation of identity management technology to introduce single sign-on across corporate applications resulted not just in economies of employee time and effort – significant in the face of today’s widespread user-provisioning problem – but also improved perimeter security.

Intellectual property management offers big returns on digital trust. Active management of the digital rights to TV programming enabled the NBA (America’s National Basketball Association) to increase the value of its TV contract when it came up for renewal (bottom right). The increase was driven in part by making programmes safely available over the Internet and on mobile phones.

Figure 4 – The dividends of digital trust (three panels, each comparing before and after digital trust): time to process a visitor/immigrant at a border control system (seconds), falling from 300 or more to near zero, labelled a compound application of digital trust; provisioning cost contribution (%) for user provisioning under converged identification, showing a cost reduction; NBA annual broadcast contract revenue ($ million) for digital rights in sports broadcasting, rising from 767 to 930, a 21% increase in the latest contract. In each case risk exposure is reduced as well.


The price to be paid when digital trust – or the technologies it is based upon – fails is high. Figure 5 indicates the scale of the problem and some of the costs associated with recent security failures. And these are only the ones we have heard about!

The problems profiled in this figure impose all kinds of penalties. There are problems that cost money, problems that steal value, problems that send people to jail, problems that sap capacity for no productive reason, and even problems that generate whole new business models based on digital theft and fraud.

Overall, the most costly problems for the enterprise are those in which a security failure results in adverse publicity and the organization as a whole loses the public trust. financial services companies suffering the loss of valuable customer data – such as credit card numbers and individual tax numbers – can be very badly hurt in the marketplace. The political fall-out of an intelligence agency or government defence department suffering a successful cyber-attack could be catastrophic. With legislation in states such as California, simply covering up such security breaches is no longer a viable or even legal option.

Figure 5 – When digital trust fails

• Over 150 million identity breaches since January 2005

• Identity breaches cost over $20 billion per year

• Identity fraud costs more than $50 billion per year

• Illegal copying thrives, at an estimated cost of over $2 billion in video, $4 billion in audio and $30 billion in software

• Plagiarism is rampant in schools and universities

• There were some 30,000 unique phishing URLs as of 2007

• Over 95 percent of all emails are spam

• 5 percent of Internet users have stopped banking online

• We spend $6 billion per year on Sarbanes-Oxley compliance

• A credit card number with PIN is worth $500 on the black market


Traditional information risk management focuses on the risk of loss to existing business functions and assets, but often does not extend the analysis to new business functions, features or operational services, nor to any increased revenues based on these activities. The focus is on reducing the likelihood that something bad will happen. Hence information security budgets have been viewed as a cost of doing business, with little positive value attached.

But pursuing digital trust is about more than dealing with the risk of loss. As shown in Figure 6, a digital trust strategy upends the formula by taking the offensive as well as defending the organization’s assets. The focus shifts toward making positive decisions that benefit the enterprise, without ignoring the consequences of risk exposure. In this context, IT security, properly applied, can be a money-maker as well as a cost.

Figure 6 – Information risk management and digital trust

Information risk management:

• Defend what you have

• Reduce the chance of ‘bad stuff’ happening

Digital trust strategy:

• Increase the value of what you have

• Improve the chance of ‘good stuff’ happening


Applying digital trust is a technology-based strategy for enhancing business value while at the same time addressing information risks across the breadth of the modern digital enterprise. There is a payoff for having digital trust, and a penalty for lacking it.

To succeed, the pursuit of digital trust must become a common objective driving the design, deployment and use of information technology security systems and processes. While there are a great many technologies needed to sustain digital trust, as shown in Figure 7, there are six broad categories that cover the core capabilities. This report will discuss each of them in turn:

• Identity management.

• Intellectual property protection.

• Compliance management.

• Mobile/wireless security.

• eThreats and countermeasures.

• Transparency and assurance.

Figure 7 – The six areas of digital trust: identity management, intellectual property protection, compliance management, mobile/wireless security, eThreats and counter-measures, and transparency and assurance, arranged around digital trust at the centre.


Identity management

Put simply, identity management deals with identifying individuals to a computer system, and controlling each individual’s access to resources within that system by associating user rights and restrictions with the identity the user has established [2]. This is summarized in Figure 8.

Identity is at the heart of nearly every digital transaction. When we check our frequent-flier mileage, obviously the airline’s system needs to know who we are so that it can retrieve the correct balance. Similarly, an online bank needs to know who we are to show our account status, and needs to have a list of what services we use to know whether we may transfer money from one account to another – and so forth. Identity management is all about controlling and automating the process that governs what functionality each user has authorization to access.

Identity management systems enable IT administrators to manage user permissions, privileges, and the individual profile data required for the online enterprise. Through a range of features, identity management provides a centralized, single point of administration for provisioning and de-provisioning accounts, as well as user self-service password management, application access management, the ability to delegate responsibility to partners, and full auditing and reporting capabilities.

This automation of administrative tasks can save significant money and resources. For example, providing self-service password management to deal with forgotten passwords eliminates a large percentage of helpdesk calls. An identity management solution that is quickly and easily deployed can provide a dramatic return on investment.

Figure 8 – What is ‘identity management’?

Identity management objectives:

• Provide user ids/passwords to new application or system users based upon who they are and what access rights they have

• Ensure access to a function is restricted to those entitled to use it

• Enable self-service password management to reduce support costs

• Prevent access to the system for those for whom the entitlement has been withdrawn (for example, employees who have left)

• Manage access to multiple systems so that a user needs only a single id and password

2. IT insiders will say this is too much of an oversimplification, as identity management also relates to non-humans communicating with each other.


In most situations we connect a claim of identity – I am Bob – with some method of proof – such as a password – that verifies the subject is who and what the set of claims declares. This connection links a claim of identification with a method of authentication. In other words, we attempt to prove that we are who we say we are.

In most situations, our claims regarding identity are solely what we say about ourselves. We supply our user id, height, weight, age, employment, position, location, certifications, marital status and so on. In some contexts, what others say about us is more important – and more trusted – than what we say about ourselves. For example, reputations are shown on eBay through different numbers and colours of stars. We do not really care whom we are buying from – only that we can trust that they will deliver the goods we have purchased, safely and promptly.

An individual with an eBay account needs a separate user id and password to access an Amazon account. Amazon also uses reputation as the essential identity for negotiating sales. However, reputation does not carry over between sites; an eBay reputation means nothing on Amazon and vice versa.

These barriers are referred to as the ‘walled garden’ effect, and its elimination is one of the great motivators for new directions in identity management technology. People want fewer user ids and passwords, and they don’t want to have to provide the same information over and over again.

Figure 9 – Essential concepts in identity management

Problems that need to be addressed:

Problems that need to be addressed:

• Lifecycle maintenance of electronic accounts

• Provisioning and de-provisioning

• Authentication and authorization

• Access control

• Single sign-on

• System-to-system; machine-to-machine

Proposed solutions:

• Directory-centred

• Federated

• Personal identity frameworks


The drivers’ licensing system used in most parts of the world illustrates many of the attributes of and issues associated with identity management.

Modern licences include a photograph of the driver and perhaps some biometric information such as a fingerprint. In many countries, the first time you apply for a licence you must physically go to the licensing office. The reason is the need for authentication: you must be present for the taking of the photograph that will be an integral part of the licence, so that an official can verify that you are who you say you are, usually by checking your ‘proofs of identity’. In most jurisdictions two documents are required – such as your passport, marriage certificate or birth certificate.

Your driver’s licence may contain other information – that you are not permitted to drive unless you are wearing spectacles, for example. The licensing office’s file associated with your licence might also list the details of parking tickets you have received, and whether they have been paid. It can also show that you have been banned from driving, or that you are wanted on suspicion of a crime. A police officer can obtain that information very quickly from your licence number.

The literature on identity management always mentions authentication, but treats it as a separate subject. Yet neither identity management nor authentication has any value without the other. Authentication is the process of verifying a claim that someone is who they say they are (see also page 17). Authentication is a prerequisite for identity management, but identity management also includes the process (sometimes called authorization) of verifying that an authenticated person has the authority to perform certain activities, for example to drive without glasses.

Figure 10 – Personal identity management: the driver’s licence


In order to validate our identity claims, the claims must be catalogued. The most common technique for this is the enterprise directory.

Used by nearly every major commercial and government enterprise, the directory-centric approach to identity management confirms existence and rights within the span of control of the enterprise directory – what we call the ‘walled garden’. Every user has an entry in the directory based on their position or group. The directory entry then allows them access to one or more specific applications. A good example is when individuals take up a new job: as part of the orientation process during their first few days in the company, their information is entered in the various enterprise directories along with indications of what data they may access and what other online and physical access privileges they will have. For example, they may inspect the company’s online organization chart, but not the payroll files; their id card may grant access to the main building, but not the data centre.

In the best case, this provisioning occurs only once, and for one directory. More often than not, the provisioning occurs several times – once for each application. For example, it is not unusual to find separate directories for email, human resources and Internet portal applications within a single enterprise.

Enterprises with the right kind of multi-purpose directory capability can configure some applications to share identity information. Whenever this happens, the number of individual system and application user ids and passwords is reduced. In the perfect case, the directory hierarchy supports a single sign-on capability for all applications and systems across the enterprise, based on the access rights and roles of a subject as provisioned in the directory.
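The following Python is an added example, not code from the report or from CSC. It models a single enterprise directory of the directory-centric kind described above against the objectives listed in Figure 8: provision a user with a role, authenticate the claim of identity (the password) against the stored credential, authorize an action against the role’s entitlements, and de-provision a leaver so the same credential no longer works. It also separates the authentication step from the authorization step discussed under the driver’s licence example. The user ids, passwords, role names and permission strings are constructed for the example, and storing passwords as salted PBKDF2 hashes is an assumption about how such a directory might hold credentials, not something the report specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Role -> entitlements. Hypothetical roles and permission names for the example,
# mirroring the report's org chart / payroll / main building / data centre cases.
ROLES = {
    "employee": {"read:org_chart", "enter:main_building"},
    "payroll_clerk": {"read:org_chart", "read:payroll", "enter:main_building"},
    "dc_operator": {"read:org_chart", "enter:main_building", "enter:data_centre"},
}

PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


@dataclass
class DirectoryEntry:
    salt: bytes
    pw_hash: bytes
    roles: set
    active: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the directory never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class EnterpriseDirectory:
    """One 'walled garden': existence and rights are only known inside it."""

    def __init__(self):
        self._entries = {}

    def provision(self, user_id, password, roles):
        # Provisioning: create the account and attach the rights of its roles.
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        salt = os.urandom(16)
        self._entries[user_id] = DirectoryEntry(salt, _hash(password, salt), set(roles))

    def deprovision(self, user_id):
        # Leaver: disable rather than delete, so audit history stays intact.
        entry = self._entries.get(user_id)
        if entry is not None:
            entry.active = False

    def authenticate(self, user_id, password) -> bool:
        # Claim ("I am bob") plus proof (the password). The proof is compared in
        # constant time; unknown or disabled ids still do one hash so timing
        # does not reveal which ids exist in the directory.
        entry = self._entries.get(user_id)
        if entry is None or not entry.active:
            _hash(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(_hash(password, entry.salt), entry.pw_hash)

    def authorize(self, user_id, permission) -> bool:
        # Authorization: is this (already authenticated) subject entitled?
        entry = self._entries.get(user_id)
        if entry is None or not entry.active:
            return False
        return any(permission in ROLES[role] for role in entry.roles)

    def access(self, user_id, password, permission) -> str:
        if not self.authenticate(user_id, password):
            return "denied: authentication failed"
        if not self.authorize(user_id, permission):
            return "denied: not entitled"
        return "granted"


def demo():
    """Walk the lifecycle: provision, use, de-provision. Returns the outcomes."""
    d = EnterpriseDirectory()
    bob_pw = "correct horse battery staple"
    d.provision("bob", bob_pw, {"employee"})
    d.provision("alice", "Tr0ub4dor&3", {"payroll_clerk"})
    results = {
        "bob_org_chart": d.access("bob", bob_pw, "read:org_chart"),
        "bob_payroll": d.access("bob", bob_pw, "read:payroll"),
        "bob_wrong_password": d.access("bob", "wrong", "read:org_chart"),
        "alice_payroll": d.access("alice", "Tr0ub4dor&3", "read:payroll"),
    }
    d.deprovision("alice")  # alice leaves the company
    results["alice_after_leaving"] = d.access("alice", "Tr0ub4dor&3", "read:payroll")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is the one the report makes in prose: a correct password is necessary but not sufficient. Bob authenticates but is not entitled to payroll, and once Alice is de-provisioned her still-correct password opens nothing, which is exactly the ‘employees who have left’ objective in Figure 8.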

Figure 11 – Directory-centric identity management: applications within a single enterprise draw identification information from application directories and a (PKI) directory.

• Currently the most common form of identity management

• Confirms existence and rights within a span of control: the concept of a ‘walled garden’, typically restricted to a single ‘enterprise’


Often, we would like a subject’s identity to flow freely – but securely – beyond the confines of the enterprise. Identity federation is a way to achieve this. In this approach, organizations form a federation for collaborating on identity information. Specifically, enterprises connect their own identity mechanisms with the identity mechanisms in other like-minded enterprises in order to extend digital trust for identity from one ‘walled garden’ to another. This simplifies identity management by reducing the number of identities required per person, and streamlines business processes because people are no longer burdened with multiple sign-ons and sign-offs, as long as the applications and permissions involved are within the boundaries of the negotiated trust agreements.

Federated identity management is a good step toward addressing the single sign-on problem by allowing a user authenticated on one site to use other, federated, sites – the user no longer needs multiple user ids and passwords. For example, having made a booking on United Airlines, you can transition without signing on again to participating hotel and car-hire company web sites to complete arrangements for your trip. The United system will pass an identity token to the other sites as required.

The companies or web sites participating in the federated identity management system can be using entirely different technologies within each others’ systems – for example, different kinds of authentication systems, or directory services from different vendors. Many have found that the biggest problem with implementing a federated identity management system is not the technology but the business and legal negotiations necessary to agree on issues like liability in the event of problems. Boeing and Southwest Airlines are reputed to have spent four months setting up the technology for a federated system – and then spent two years negotiating the agreement.
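The exchange described above, as an added example that is not part of the original report: the airline, having authenticated the traveller, issues a signed identity token, and the hotel site decides whether to honour it. Figure 12 labels this token a SAML assertion; real SAML uses signed XML and X.509 certificates, so the stand-in below uses an HMAC over a JSON body with a key shared under the negotiated trust agreement. That substitution, the issuer and site names, the key and the claims are all assumptions of the example. What it preserves is the set of checks the relying party must make before trusting the token: the issuer is a federation partner, the signature verifies, the assertion is addressed to this site, and it has not expired.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(body: dict) -> bytes:
    # Fixed serialization so issuer and relying party sign/verify the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """The site that authenticated the user (the airline in the report)."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self.signing_key = signing_key  # shared with partners under the trust agreement

    def issue(self, subject: str, audience: str, ttl: int = 300, now=None) -> str:
        # The 'identity token' handed to a partner site after the user signed on here.
        now = int(time.time()) if now is None else int(now)
        body = {"iss": self.name, "sub": subject, "aud": audience,
                "iat": now, "exp": now + ttl}
        payload = _canonical(body)
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(sig)}"


class ServiceProvider:
    """A federation partner relying on the assertion (the hotel site)."""

    def __init__(self, name: str, trusted_issuers: dict):
        self.name = name
        self.trusted_issuers = trusted_issuers  # issuer name -> key from the agreement

    def accept(self, token: str, now=None):
        """Return (True, subject) or (False, reason). Checks run in this order:
        issuer is a partner, signature verifies, addressed to us, not expired."""
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
            body = json.loads(payload)
            if not isinstance(body, dict):
                raise ValueError("assertion body is not an object")
        except (ValueError, UnicodeDecodeError):
            return False, "malformed assertion"
        key = self.trusted_issuers.get(body.get("iss"))
        if key is None:
            return False, "issuer not in federation"
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if body.get("aud") != self.name:
            return False, "assertion not addressed to this site"
        if body.get("exp", 0) <= now:
            return False, "assertion expired"
        return True, body["sub"]


def demo():
    """Both sides of the exchange, plus the cases the hotel must refuse."""
    airline_key = b"key agreed between airline and its federation partners"
    airline = IdentityProvider("united.example", airline_key)
    hotel = ServiceProvider("hotel.example", {"united.example": airline_key})
    t0 = 1_700_000_000  # fixed clock so the outcomes are reproducible

    good = airline.issue("traveller42", "hotel.example", now=t0)
    for_car_hire = airline.issue("traveller42", "cars.example", now=t0)

    # Attacker edits the subject but cannot re-sign: signature no longer matches.
    payload_b64, sig_b64 = good.split(".")
    body = json.loads(_unb64(payload_b64))
    body["sub"] = "admin"
    forged = f"{_b64(_canonical(body))}.{sig_b64}"

    # A site outside the negotiated agreement issues a well-formed token.
    outsider = IdentityProvider("stranger.example", b"never agreed").issue(
        "mallory", "hotel.example", now=t0)

    return {
        "good": hotel.accept(good, now=t0 + 10),
        "replayed_at_wrong_site": hotel.accept(for_car_hire, now=t0 + 10),
        "forged_subject": hotel.accept(forged, now=t0 + 10),
        "outsider": hotel.accept(outsider, now=t0 + 10),
        "expired": hotel.accept(good, now=t0 + 600),
        "garbage": hotel.accept("not-a-token", now=t0 + 10),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The ‘replayed_at_wrong_site’ case is why the audience field matters: a token the airline legitimately issued for the car-hire partner carries a valid signature, and only the audience check stops the hotel from accepting it. The ‘outsider’ case is the technical side of the trust agreement the report says takes so long to negotiate; without a key exchanged under that agreement the hotel has nothing to verify against, however well-formed the assertion.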

Figure 12 – Federated identity management: two enterprises, each with its own applications, application directories and (PKI) directory, exchange SAML assertions under a negotiated trust agreement.

• Companies form a ‘federation’ to share id information

• Links ‘walled gardens’

• Single sign-on within the federation


Some questions are not answered by the ‘walled garden’ or federation approaches. What happens when we need to establish a digital identity beyond the boundaries of enterprise trust agreements? How can we separate our digital identity as a private person from that established exclusively on behalf of our company or agency connection? How can we buy goods from hundreds of web sites without having hundreds of digital identities to manage, and increasing the risk of identity theft by repeating our identity credentials over and over to multiple sites?

Either we have to manage many digital identities, or we need to establish a trust model in which we can control our identity even as we present our many claims about ourselves and others. This is addressed by a recent initiative in the identity management space. Identity 2.0 is the name given to a collection of ideas targeted at creating an identity management system that is not centred either on a central directory or federated directories, but on the user. It is driven by the desire to get away from walled gardens.

Identity 2.0 is very much in its early stages, with a great deal of debate among the engineers on how to address various issues – some as serious as whether any of the proposed solutions can really be secure. Among the multiple definitions of Identity 2.0 there are a variety of players with entirely different approaches, with perhaps the most notable examples being OpenID and Microsoft’s CardSpace.

The idea of putting the end user in charge of his or her own identity management is very attractive, not least since it addresses the issues of privacy, and even convenience, better than systems in which somebody else holds an individual’s identity information. But real world implementation is still a long way off.

Figure 13 – Identity 2.0: user-centric identity management (diagram contrasting the ‘old school’ flow – application for identification, verification of the applicant, request for issuance of a digital id via a registration authority, issue by a certification authority and checking against a validation authority – with the user-centric flow, in which a web user proffers a public digital id in response to an identity challenge from an online store, blog, wiki or other relying party, which performs on-the-spot validation and acceptance; no central validation authority is used). Source: http://web2.wsj2.com

• Emphasizes the concept of an ‘open garden’

• Separates identity acquisition from the presentation of identity

• Relying party does not need to check with identity source


Public Key Infrastructure (PKI) looked set to be hugely important a decade ago, but its complexity prevented it from moving out of the laboratory. IT management largely forgot about PKI, but it is of interest again now that technology advances have made its complexity less forbidding, and fraud and digital theft have made its advantages more valuable.

PKI is used on the web to provide secure connections between your PC and web sites such as Amazon. You may have heard of it as SSL (Secure Sockets Layer3) – or the newer TLS (Transport Layer Security). It automatically comes into play when you go to the checkout screen on any reputable Internet merchant’s site. It authenticates the site that you are communicating with, and it encrypts your transactions to prevent eavesdropping or message tampering.

The reason we believe that PKI is going to re-emerge more broadly is the growing need for improved security, data integrity and practical identity management. As enterprises allow partners, suppliers and subcontractors access to their networks, they need to minimize the risk of unauthorized access or tampering. Also, regulatory compliance will increasingly demand the use of two-factor or better authentication using smart cards and the like. PKI is ideally suited to support these requirements.

For those who would prefer to have others deal with the complexity of PKI implementation, we are also seeing the emergence of over-the-web digital certificates and identity management services – Security-as-a-Service from the computing ‘cloud’4. We will be following these developments closely.

Figure 14 – The rebirth of PKI (browser screenshot: the lock icon indicates that TLS is active; double-click on the lock icon to get the certificate)

3. Or seen it as an icon of a lock or a key on the status bar at the bottom of a browser page when it is in use, as shown in the figure.

4. ‘Cloud’ computing is the currently popular term for computing services provided over the Internet. Examples would be Amazon’s AWS, Salesforce.com and Google Apps.


Authentication is a process that verifies that someone is who they claim to be. Usually, this involves a username and a password, but it could involve a smart card or biometric scans.

In the United States, consumer authentication by online banks and other financial institutions is by user ID and password – despite the fact that such simple authentication is not very secure. A user’s password can easily be discovered by a variety of malware and non-tech means (described later in this report). Online banking sites in Europe try to make things a little harder by asking not for a password but for a randomly selected subset of the password (such as the second, third and last characters). Increasingly, online financial sites that cater for wealthier clients are using two-factor authentication involving a token such as those shown in Figure 15.

The SecurID authenticator from the company RSA, for example, is a small electronic device that generates a new one-time password every 60 seconds. Patented technology synchronizes each authenticator with the security server, ensuring a high level of security. The authenticator – something you have – is coupled with a secret personal identification number – something you know – to create a combination that is impossible for a hacker to guess. The technology is available from several vendors for as little as $5 per device.
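Server-side checking of a PIN (something you know) plus a time-based code from a token (something you have), as an added example that is neither the report’s nor RSA’s code: SecurID’s algorithm is proprietary, so this stands in the open TOTP standard (RFC 6238, HMAC-SHA1) with the 60-second period mentioned above; the user name, seed and PIN are constructed, and the unsalted PIN hash is a simplification.

```python
"""Two-factor check: PIN plus a time-based one-time code (RFC 6238 TOTP).
Added illustration with a 60-second period; not SecurID's proprietary scheme.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class TokenServer:
    """Holds each user's token seed and PIN hash; accepts PIN + current code."""

    def __init__(self, step: int = 60, window: int = 1):
        self.step = step        # token period; 60 s as in the passage above
        self.window = window    # tolerated clock drift, in steps either side
        self.users = {}         # user -> [seed, pin_hash, last_counter_used]

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        # Simplification: unsalted hash; a real deployment would salt and stretch.
        self.users[user] = [seed, hashlib.sha256(pin.encode()).hexdigest(), -1]

    def authenticate(self, user: str, pin: str, code: str, now: int) -> bool:
        record = self.users.get(user)
        if record is None or not code.isdigit():
            return False
        seed, pin_hash, last_counter = record
        # Factor 1: something you know (constant-time comparison).
        presented = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(presented, pin_hash):
            return False
        # Factor 2: something you have. Tolerate small drift, but never accept
        # a counter at or below the last one used, so a captured code cannot be replayed.
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= last_counter:
                continue
            if hmac.compare_digest(hotp(seed, counter), code):
                record[2] = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed seed (RFC test seed)
    server = TokenServer()
    server.enrol("alice", seed, "4321")
    now = 1234567890
    code = totp(seed, now)
    print("first use:", server.authenticate("alice", "4321", code, now))
    print("replay   :", server.authenticate("alice", "4321", code, now + 5))
```

Passing step=30 and digits=8 reproduces the RFC 6238 SHA-1 test vectors, which is a quick way to confirm an implementation before trusting it.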

More elaborate biotechnology solutions include smartcards, and fingerprint, retina and iris scans. A retina scan requires you to be very close to the scanner; you may not blink and must hold steady for a few seconds. Iris scanning is just as effective and a lot easier to achieve. An iris scanner can be a normal digital camera – as much as a few metres away – with some appropriate lighting, and software implementing a recognition algorithm.

Figure 15 – Authentication (pictured: a hardware token whose personal access code changes every 60 seconds)

• Verifies that people are who they say they are

• Just as important as identity management

• Passwords are main solution, but rarely managed rigorously

• Hardware solutions – token, biometric (fingerprint, retina, face) – are expensive


The politics of identity management

Not much of any significance goes on in the world of information technology that doesn’t become embroiled in industry politics. Identity management is no exception.

The first identity management political brouhaha was the outcome of an action by Microsoft. In 1999, Microsoft introduced an identity management system called Passport. The objective was that Passport would be a safe gateway to the web, and would provide single sign-on for access to ecommerce and other sites. Over time it became clear that Passport – being an identity directory – had a database of valuable information about its users. In effect, if Passport became the preferred gateway to the Internet, Microsoft would possess a treasure trove of consumer information that it could use for marketing purposes. Microsoft’s competitors, led by Sun Microsystems, decided that that was not a good idea, and together with a group of IT vendors, large enterprises and telecoms providers, formed the Liberty Alliance to promote a federated identity management approach that would not require a large central repository of valuable consumer data.

Of course, nobody would openly admit that Liberty’s aim was to kill Passport – which it did. As the Liberty approach evolved, other players emerged. OASIS (Organization for the Advancement of Structured Information Standards) – another IT industry consortium – came out with the Security Assertion Markup Language (SAML) to provide a standard way to exchange information between an identity provider and a service provider. Liberty incorporated SAML into its standard, which had the result of increasing the number of its supporters in the battle with Microsoft.

Many people resented the industry squabble – especially the ‘geeks’ who have always resented the large corporate IT vendors – and in 2004 some decided to form their own organization, the Identity Gang. This ad hoc group was interested in user-centric identity management, known as Identity 2.0, where no large corporation would hold people’s identity information. Much discussion and a good deal of engineering have been invested in Identity 2.0 (see Figure 13). Unfortunately, it can often take years for even a good IT idea to gain traction, and it would appear that there are currently too many security and usability problems with existing Identity 2.0 implementations for the concept to be universally adopted.

The advent of cloud computing is accelerating the need for an industry-wide identity management solution, and many IT people feel that the outlook for the current cornucopia of standards clubs is not promising. A widely held opinion is that the vendors who make up these bodies have a vested interest in not developing a universal standard, as it is diversity that allows them to differentiate their products and solutions.

What is needed, perhaps, is for a galactic player on the web – say, Google – to join a cross-industry consortium that will settle on a solution to identity management, which will then become ubiquitous. This will be an area of upcoming LEF research.

No matter what the technical solution there will be naysayers – those with a competitive axe to grind, those who believe they have a superior technical solution, and those who hate conformity. Like the GSM5 mobile phone standard, the solution does not have to please everybody; it just has to be used by nearly everybody!

5. The Global System for Mobile Communications standard for mobile phones.


Actions businesses can take

• Implement single sign-on identity management technology for all internal applications to improve workforce productivity, but also to understand the technology and issues for subsequent deployment of federated identity management.

• Press vendors to consolidate around an industry-wide identity management solution:

- Specify in every Request for Proposals that vendors must subscribe to a ubiquitous identity management standard.

Questions to ask IT about identity management

• Do we have an identity management system in place?

• Is it a federated system?

- If so, with what organizations do we have identity management agreements?

• Are we members of an identity management group?

- Which one?

- Why that one?

• Do we plan to do anything about user-centric identity management – Identity 2.0?

• Do we use two-factor authentication for our customer-facing applications?

- If not, why not?

- What about for our internal applications?


Intellectual property protection

Intellectual property (IP) creates enormous value in today’s economy. By some estimates, intangible assets – a significant portion of which is IP, much of it patents – represent over a trillion dollars of value for just the S&P 500 companies alone. For many organizations the digitization of almost everything is a commercial opportunity, enabling them to extract value from information that previously lay fallow.

Not surprisingly, then, IP protection has become a crucial business issue. Not every piece of recorded data is intellectual property, but IP can cover all manner of information including:

• Ideas, including patents and trade secrets.

• Performances and other expressed products of the mind (including books, films, music, inventions, formulae, manufacturing processes and industrial designs) that hold actual business value or potential.

• Information protected by government regulations.

• Non-public private information (NPPI).

• Protected Health Information (PHI), a type of personal IP.

• Information protected by industry regulations.

• Information classified as ‘company private’.

Figure 16 illustrates the rich landscape of information and information characteristics for IP.

Figure 16 – The key dimensions of intellectual property (diagram)

Intellectual property value characteristics: Originality, Authenticity, Integrity, Confidentiality, Access/usage/Rights

Information life cycle: Creation and Receipt > Distribution > Use > Maintenance > Disposition

Information types: Patents, Brand, Trademarks, Copyright, Business plans, Proposals, Trade secrets, Regulated data, Non-public private data, Classified data, Other data


To understand the IT issues associated with the protection of IP, you must keep four factors in mind:

1. Legal, social and political threats present a constant challenge. This is particularly evident whenever rights management technologies are applied to IP at the level of the individual user. Unfortunately, many very capable individuals and organizations are committed to overcoming IP protections, and this affects the selection and development of techniques that can be used. Moreover, the consistent legal frameworks needed to make IP protection effective around the world are not yet in place.

2. No single vendor or toolset can meet all your IP protection needs. In particular, IP protection techniques are tightly linked to compliance and identity management problems. An end-to-end IP protection solution will require an amalgam of several technologies aimed at different dimensions of security and digital trust. The effort required to integrate these point solutions will be substantial.

3. Many of the IP protection technologies (see Figure 17) are so new that they have no track records to enable us to judge good from bad. Vendor claims must be verified, and complex competitive evaluations are the rule.

4. All of the content encryption solutions being used by the major audio-video distributors have been broken. People who think DRM6 is an assault on individual freedoms, or an attempt at monopolistic business practices, often have few qualms, and thus attacks and compromises will continue.

Figure 17 – The challenge of IP protection

Current technologies used for IP protection use one or more of five basic protection techniques:

1. Content monitoring

2. Content encryption

3. Fingerprinting and watermarking

4. Time stamping

5. Content comparison

Some of the products designed for specific IP protection needs and technologies look very promising, though they have not been around long enough to build up a track record.

6. DRM – Digital Rights Management – technology that limits the use of digital media such as music and games.


Most attention in IP protection planning is paid to confidentiality and access and usage management – known variously as Digital Rights Management (DRM), Enterprise Rights Management or Digital Asset Management.

Confidentiality is provided either by content encryption of some kind, or by enterprise-wide content monitoring and filtering. Access and usage management are typically pursued either by an extension to specific content encryption approaches, or through fingerprinting or watermarking technologies (which involve embedding in the content difficult-to-remove codes that show its provenance or identity).

There is considerable resistance to DRM in the consumer value chain, and alternative business models are emerging. For example, eMusic is a subscription-based online music store where users can download tunes in MP3 format, compatible with all digital music players and free from DRM software restrictions such as expiry dates, or copying limitations. More recently, Apple has made available more than ten million DRM-free songs from major labels on iTunes. While DRM-restricted music is likely to be around for the medium term, it is clear that the dike has been breached.

As highlighted in Figure 18, IP is much more varied in business-to-business value chains. The range of possible combinations of formats, locations, business models, organizations, processes, applications and security policies across businesses makes IP confidentiality and content management far more complicated.

The standard practice among companies has been to put their most sensitive IP on a server with strong control mechanisms, and severely restrict access to it. Often it is the host system that is being protected rather than the data itself; once users have valid access to the system, they are trusted to follow the rules and be careful about how, when, where and with whom sensitive information is used.

Increasingly, the high value of IP is motivating enterprises to improve protection, and they are moving beyond systems-centric protection to information-centric approaches. In addition to protecting and even enhancing the value of IP, this can also reinforce regulatory compliance and reporting.

Figure 18 – Approaches to IP protection (diagram, by IP value characteristics and content)

Consumer value chain – content: video, audio, software; piracy losses shown: $2.3B (Internet piracy) and $3.8B (other), $4.2B (piracy), $34B (piracy); protection: fingerprinting, watermarking, Digital Rights Management; marked ‘political and legal brouhaha’

B2B value chain – content: contracts, business plans, financial trading, research papers, patents, credit records, books, papers, brand labels, proposals, specifications, trademarks, trade secrets ... ($??B); protection: content monitoring and filtering, digital loss prevention, Enterprise Rights Management, fingerprinting and watermarking, time stamping, content comparison and scoring


Actions businesses can take

The biggest problem most enterprises face in the realm of IP protection is keeping executive management aware of the risks and issues that deserve its attention before they become a liability. Processes and policies can help with this, but they cannot guarantee it. Only the presence of informed, alert and empowered employees can ensure that the right things happen.

• Search the business for intellectual property (IP) that would have value to customers and clients, or to others who would be prepared to pay for it.

• Establish a classification for all intellectual property within the enterprise, showing what information must be secured, and to what degree.

• If your enterprise provides consumer-facing data, ensure that the data is appropriately protected, with the knowledge that current protection schemes are vulnerable.

Questions to ask IT about intellectual property protection

• Have we implemented DRM anywhere in our IT systems?

- Where?

- Why?

• Have we had feedback from customers or the public?

- What was it?

- What did we do about it?

• Did we take, or were we subject to, any legal action?


Compliance management

In recent years compliance management has become of paramount importance to a wide range of businesses, and inevitably the onus of delivering tools to make compliance easier and cheaper falls on IT. Since the history of data processing started with reporting tools, IT has been uniquely positioned to meet these compliance challenges.

Enterprises today are subject to more regulatory demands than ever. Governments regulate everything from safety to privacy. When the government does not regulate, other entities intervene – trade associations, industry self-regulation and standards bodies. For example, any enterprise anywhere in the world that accepts payments through VISA or MasterCard must comply with the Payment Card Industry Data Security Standard (PCI DSS).

The effort needed to achieve and sustain compliance can overwhelm organizations and introduces substantial unexpected costs, particularly when new compliance mandates are imposed. AMR Research estimates that by the end of 2008, US public companies will have spent $32 billion on compliance with the Sarbanes-Oxley Act7. Many surveys have attempted to pin down ‘the cost of compliance’ for SOX. Results vary, but reported costs range from 0.3 to 3 percent of revenue.

While SOX is not typical of all regulatory mandates, it does illustrate the effect of new compliance standards and the dangers of non-compliance. Studies have shown that when a failure of compliance is found, executives lose their jobs, auditors’ fees rise considerably, and public companies frequently have to restate earnings, with significant impact on shareholders. The challenge for the business is to minimize compliance costs, yet fully meet mandatory requirements, even as they change and expand.

7. John Hegerty and Eric Klein, SOX: A Six-Year, $32B Compliance Effort, AMR Research Inc., February 2007.

Figure 19 – Compliance management (diagram: a ‘digital trust flow’ linking Compliance management, Intellectual property protection, Identity management, Transparency and assurance, Mobile/wireless security, and eThreats and countermeasures, with the elements labelled Operation, Evidence and Reporting)


A wide range of IT tools are available to support compliance management.

Tools help in two ways: they enable the clear expression of corporate policies, in terms of the mandates with which all levels of the enterprise must comply; and they enable the implementation of controls across the systems used in an enterprise to verify that those mandates have been complied with.

Since there are so many compliance mandates, and since each mandate overlaps others, enterprises are adopting control frameworks to manage compliance. Control frameworks, such as those shown in Figure 20, help organize and identify specific control objectives so that it is clear what needs to be done at each level of the organization.

One such tool, widely used internationally, is CobiT8. CobiT facilitates the definition of policies, and tracks their implementation throughout an organization. Developed from observed best practices, CobiT helps to select controls for implementation in accordance with acknowledged information risk levels, and allows for standardized control mechanisms across business units. This can make compliance reporting easier and less expensive.

By providing appropriate talking points for discussion with their IT counterparts, CobiT can also help business executives to understand the enterprise’s IT systems and to decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.

8. CobiT (Control Objectives for Information and related Technology) was created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.

Figure 20 – Compliance support tools

IT control models (model – origin):

• Security Code of Conduct – UK (Department of Trade and Industry – DTI)

• Information Technology Control Guidelines – Canada (Canadian Institute of Chartered Accountants – CICA)

• Security Guidelines, including FIPS 199 and items from the Special Publication 800 Series, especially Spec Pub 800-30, Spec Pub 800-53 and Spec Pub 800-14 – US (National Institute of Standards and Technology – NIST)

• Control Objectives for Information and related Technology (CobiT) – International (Information Systems Audit and Control Association – ISACA – and the IT Governance Institute – ITGI)

• SysTrust™ Principles and Criteria for Systems Reliability – US (Assurance Services Executive Committee) and Canada (Assurance Services Development Board)

A business control model requires IT controls. CobiT fills the COSO need for an IT controls framework.

Business control models (model – origin):

• Internal Control – Integrated Framework by COSO (Committee of Sponsoring Organizations of the Treadway Commission) – US

• The Cadbury Report, Code of Best Practices, by the Cadbury Committee of the United Kingdom – UK

• Guidance on Control by CoCo (Criteria of Control Board at the Canadian Institute of Chartered Accountants) – Canada

• The King Report – South Africa

• The Vienot Report – France

• COSO compliant (COSO is SEC recommended)

• Acceptable IT framework

• Internationally recognized

• Business process oriented


Compliance with government and other regulations can require all sorts of contortions. There are within the IT realm three essential cornerstones that can help an enterprise address many of the rules it is required to follow. They are:

1. Encryption of data, both in motion and at rest – this can prevent data from being stolen, or if it is stolen or mislaid, can provide legal protection for the enterprise.

2. Content monitoring and discovery – controlling access to enterprise data based upon the access to which each user is entitled, or retrieving data related to a specific issue or event; for example, all the emails related to a legal suit.

3. Vulnerability management – protecting the enterprise against malware and other malicious cyber-attacks.

These are addressed in turn on the following pages.

Figure 21 – Three basic steps (diagram: Compliance Management rests on Encryption, Content monitoring and discovery, and Vulnerability management, and covers Configuration awareness and supervision, Regulated data retention and control, Discovery and litigation, Public disclosure, Contracts, licensing and usage, and Identity and access)


Enterprises have long used encryption to protect data as it moves through networks, including email and web-based applications (see Figure 28 below). Today, however, an increasing number of enterprises are encrypting stored data as well. This is costly, but given the privacy obligations demanded by law in nearly every major country, for many companies it is a justifiable cost.

While these laws insist on strong privacy controls for an individual’s data, inevitably there are breaches. And, following California’s SB 1386 in 2002, more than 40 states in the United States have now passed additional laws that require timely notifications of those who may have been affected by such a breach. Encryption provides an important exemption from these breach notification statutes. If private information was encrypted before it was lost, then no matter how it was lost, no notification is required. In fact, both Massachusetts and Nevada have recently mandated encryption of ‘sensitive personal information’ held by a company.

Vendors now offer systems that encrypt all data stored on data centre hard drives with hardly any performance penalty, which used to be a major objection to encrypting enterprise data. As this is done at the hardware level, application programs need no modification and little human management is required. These systems also include precautions to ensure that encryption keys cannot be lost, and that they work across products from different vendors.

Figure 22 – Encryption


Content management has two meanings. One is all about making sure that information – say, for web pages – is easy to update in a consistent and controlled way; that policies are adhered to; and that formatting is controlled – for example, to meet the branding rules of the enterprise.

The other sense of content management – often called Information Rights Management (IRM) – is about restricting access to different kinds of data, to meet compliance regulations or just to implement sensible protection of IP. Enterprises holding regulated data are subject to special rules for storage, access, dissemination and accountability reporting, as well as to compliance audits and penalties when those rules are not followed. Privacy regulations, export control regulations, safety and health regulations, pharmaceutical and chemical testing regulations, classified data access regulations, and many more that apply to industry-specific needs, are all directed at limiting the exposure of specific kinds of data assets. Prominent today are the personal privacy regulations that restrict the types and conditions of disclosures of ‘Personally Identifiable Information’ and establish notification triggers and process standards in the event that unauthorized disclosures occur.

There are several approaches to restricting access to data based upon various permissions. The information to be protected can be encrypted, and IRM tools prevent the protected content from being decrypted except by authorized users. Activities such as printing, copying, editing, forwarding and deleting can be permitted or barred at the individual document level. Most tools provide audit capabilities showing who accessed what and who set or changed policies or permissions. Recent technology can inspect transactions as they cross the network and determine in real-time if entitlement policies are being adhered to.

Figure 23 – Information Rights Management

IRM can help do the following:

• Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing or pasting the content for unauthorized use

• Restrict content wherever it is sent

• Enforce file expiration (so that document contents can no longer be viewed after a specified time)

• Enforce corporate policies that govern the use and dissemination of content within the company

Some things that IRM can’t prevent:

• Malicious programs such as Trojan horses, keystroke loggers and certain types of spyware from erasing, stealing, or capturing and transmitting content

• Someone from hand-copying or retyping restricted content displayed on a screen

• Someone from taking a digital photograph of a screen displaying restricted content
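The mechanism described above (content encrypted once, a key released only inside a licence that also carries the recipient's rights and an expiry, and an audit trail of who was granted or refused) can be seen end to end in the following added example. It is illustration written for this guide, not code from any IRM product: the document, users and entitlement table are constructed; a SHA-256 counter-mode keystream stands in for a real cipher such as AES-GCM; and an HMAC shared by server and client stands in for the digital signature a real licence would carry.

```python
"""Information Rights Management in miniature: a licence server that releases a
document key only together with the recipient's rights and an expiry, a client
that enforces those rights, and an audit trail of who got what.

Added example for this guide, not code from any IRM product. Assumptions: the
entitlement table, document and user names are constructed; XOR with a SHA-256
counter-mode keystream stands in for a real cipher (AES-GCM in practice); an HMAC
shared by server and client stands in for a digital signature on the licence.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode (toy stand-in for AES; assumption, not a real IRM cipher)."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:n])


def seal(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class LicenseServer:
    """Holds the content keys and the per-document, per-user entitlement table."""

    def __init__(self, server_secret: bytes):
        self.secret = server_secret
        self.keys = {}     # doc_id -> content key (never leaves the server without a licence)
        self.policy = {}   # doc_id -> {user: {"rights": set of actions, "expires": epoch seconds}}
        self.audit = []    # (event, doc_id, user): protections, licences issued, refusals

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> bytes:
        key = os.urandom(32)
        self.keys[doc_id] = key
        self.policy[doc_id] = policy
        self.audit.append(("protect", doc_id, None))
        return seal(plaintext, key)

    def issue_license(self, doc_id: str, user: str, now: float):
        """Return a signed licence (key + rights + expiry), or None if the user is not entitled."""
        entry = self.policy.get(doc_id, {}).get(user)
        if entry is None or now > entry["expires"]:
            self.audit.append(("deny", doc_id, user))
            return None
        body = {"doc": doc_id, "user": user, "rights": sorted(entry["rights"]),
                "expires": entry["expires"], "key": self.keys[doc_id].hex()}
        raw = json.dumps(body, sort_keys=True).encode()
        self.audit.append(("license", doc_id, user))
        return {"body": body, "mac": hmac.new(self.secret, raw, "sha256").hexdigest()}


def use_document(sealed: bytes, lic: dict, action: str, now: float, server_secret: bytes) -> bytes:
    """Client-side enforcement: decrypt only for an action the licence grants, before it expires."""
    if lic is None:
        raise PermissionError("no license")
    raw = json.dumps(lic["body"], sort_keys=True).encode()
    expected = hmac.new(server_secret, raw, "sha256").hexdigest()
    if not hmac.compare_digest(expected, lic["mac"]):
        raise PermissionError("license tampered with")
    body = lic["body"]
    if now > body["expires"]:
        raise PermissionError("license expired")
    if action not in body["rights"]:
        raise PermissionError(f"action '{action}' not granted")
    return seal(sealed, bytes.fromhex(body["key"]))


def demo() -> dict:
    """Constructed scenario: Alice may view/edit/print for a week, Bob may only view for a day."""
    t0 = 1_237_248_000  # arbitrary fixed 'now' so the scenario is reproducible
    server = LicenseServer(os.urandom(32))
    sealed = server.protect("launch-plan", b"Widget launch price: 49.99", {
        "alice": {"rights": {"view", "edit", "print"}, "expires": t0 + 7 * 86400},
        "bob": {"rights": {"view"}, "expires": t0 + 86400},
    })
    results = {}
    lic_alice = server.issue_license("launch-plan", "alice", t0)
    results["alice_view"] = use_document(sealed, lic_alice, "view", t0, server.secret)
    lic_bob = server.issue_license("launch-plan", "bob", t0)
    for action, when in (("forward", t0), ("view", t0 + 2 * 86400)):
        try:
            use_document(sealed, lic_bob, action, when, server.secret)
            results[f"bob_{action}"] = "allowed"
        except PermissionError as err:
            results[f"bob_{action}"] = str(err)
    results["carol_license"] = server.issue_license("launch-plan", "carol", t0)  # not in the policy
    results["audit"] = list(server.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note where the enforcement happens: once a licence is issued, it is the client that refuses to print or forward. That is exactly why the second list in Figure 23 exists. A keystroke logger, a screenshot or a camera pointed at the screen sits outside the client, and no amount of server-side policy reaches it.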


There is now a requirement that data of all types – official documents as well as emails, instant messages, voicemails, document drafts and presentations – must be retained in case of litigation (see note 9), and must be retrievable if needed in an investigation, internal or external. For IT, this issue of ‘investigative support’ has two components: data retention and eDiscovery.

Outside the industry-specific rules of the kind illustrated in Figure 24, there is no general legal mandate to retain data for any particular length of time, and an enterprise can delete data such as emails as part of a ‘routine, good-faith operation’. However, once the enterprise becomes aware of potential legal action, it must put a litigation hold on all relevant information and be prepared to justify the timeliness and extent of that hold.

Protecting the firm under these laws requires a stated data retention strategy and evidence of its enforcement. An enterprise should be protected if it has a data retention policy that meets legal requirements where they exist, and otherwise is a sensible business policy for the industry and kind of business it is in. Figure 24 shows the retention strategy of a medical society – an industry with strict retention requirements.

Retaining too much data, for too long, is expensive, and can lead to unnecessary anguish in the event of belated litigation. The data storage industry has devised various technologies to reduce costs. One is deduplication, which removes duplicate data, yet ensures it can be correctly reproduced if retrieved. Other tools, and outsourced eDiscovery services, address the challenges of searching archived data to find everything relevant to an investigation, and allowing annotation while ensuring that evidence is not tampered with.

Some enterprises prohibit the use of potentially valuable tools, even including text messages and emails on mobile phones, because of potential problems in the event of litigation. Each enterprise must decide what data retention strategy makes sense for them.

Figure 24 – eDiscovery: retention period guidelines

Document: retention period

OSHA logs (records of job-related injuries or illnesses, the dates, and the nature of the incidents): 4 years

Attendance records: 5 years following the end of the year to which they relate, plus the current year

Payroll records (including name, social security number, wage rate, number of hours worked daily, weekly gross wages, deductions, allowances claimed and net wages): 6 years

Personnel file records (including application, pre-employment tests, performance appraisals, rate changes, position changes, transfers, promotions, demotions, documentation of disciplinary actions and job descriptions): 6 years after termination

Medical records, adult patient or deceased patient: 6 years from the last date of service

Medical records, minor: 6 years from the last date of service, or until the minor reaches the age of 19, whichever is longer

Personal accident report/injury claim: 11 years

Employee medical records and analysis required by OSHA: duration of employment plus 30 years

Medical and exposure records relating to toxic substances: 40 years

Records pertaining to unfair or discriminatory employment practices and the Americans with Disabilities Act: until the final disposition of the charge or action

ERISA records (Employee Retirement Income Security Act): indefinitely

Labour contracts: indefinitely

Source: Monroe County Medical Society (New York) Document Retention Guide

9. In the US, the Federal Rules of Civil Procedure revision of December 2006 defines that a litigating party in a civil suit can request “… any designated documents or electronically stored information – including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations – stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form; …”


You can discover your enterprise IT vulnerabilities with software tools, much as you find malware on a home PC by running a virus scan: vulnerability scanners look for known weaknesses of various kinds in systems and applications. Once vulnerabilities are found, they must be reported, tracked and addressed. In addition, the status of the entire vulnerability management activity must be tracked and reported for the benefit of system administrators and auditors.

System ‘vulnerability’ stems from flaws in protocol, design and implementation, as well as from poorly set up and administered systems that introduce weaknesses into the operating environment. Vulnerabilities also stem from improper configuration of hardware and software – for example, choosing the wrong options when setting up the operating system. The logical presumption is that if you start with a secure technical configuration and keep it intact, vulnerabilities are less likely to emerge.

As illustrated in Figure 25, the use of automated tools has spread through the entire vulnerability management life cycle. Vendors large and small have toolsets that will help find, store, prioritize, test, repair, relay or report vulnerabilities in operating systems, applications and a wide variety of devices. Increasingly, these tools adhere to a common standard so that they can communicate with each other. SCAP (Security Content Automation Protocol), which is endorsed by the US Government, is a composite of open standards – among them CVE identifiers for naming vulnerabilities and CVSS for scoring their severity – that is emerging as the accepted protocol.

Several security tool companies specialize in tracking and reporting new vulnerabilities as they emerge. Subscribers receive daily notices of new malware and attacks. With more than 20 new vulnerabilities being reported per day, finding and responding to all known vulnerabilities is an expensive proposition but one that is necessary in any compliance management programme.

Figure 25 – Vulnerability management

Life-cycle components shown in the figure: vulnerability discovery (configuration); vulnerability tracking and accounting (risk ranking and correlation); transaction and access auditing; controls claims; policy management; and reporting – alongside the service desk, problem management, change management and configuration management processes that consume the results.
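The ‘prioritize’ step of the life cycle is where the SCAP standards earn their keep: a scanner reports a vulnerability with a CVSS vector, and the tracking tool turns that into a score and a ranking. The following added example (written for this guide, not a vendor's code) computes CVSS v2 base scores from vector strings using the published v2 base equation and weights, then ranks constructed findings by score weighted with the criticality of the affected asset. The asset inventory, criticality weights and finding identifiers are assumptions; the identifiers are placeholders, not real CVE numbers.

```python
"""CVSS v2 base scores from vector strings, then a risk ranking that weights the
score by asset criticality: the 'prioritize' step of the life cycle in Figure 25.

Added example for this guide, not a vendor tool. The metric weights and the base
equation are from the CVSS v2 specification (one of the SCAP component standards);
the asset inventory, finding identifiers and criticality weights are constructed.
"""
import math

# CVSS v2 base metric weights (specification values)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # local / adjacent network / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # none / partial / complete

SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))  # NVD's v2 labelling


def parse_vector(vector: str) -> dict:
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', ...}; rejects malformed or incomplete vectors."""
    try:
        metrics = dict(item.split(":", 1) for item in vector.split("/"))
    except ValueError as err:
        raise ValueError(f"malformed CVSS vector {vector!r}") from err
    missing = [m for m in ("AV", "AC", "Au", "C", "I", "A") if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks metrics {missing}")
    return metrics


def _round1(x: float) -> float:
    """Round half up to one decimal, as the v2 equation specifies (round() would round half to even)."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score: float) -> str:
    return next(label for floor, label in SEVERITY_BANDS if score >= floor)


def prioritise(findings: list, assets: dict) -> list:
    """Rank scanner findings by CVSS base score times the asset's criticality weight."""
    ranked = []
    for f in findings:
        score = base_score(f["vector"])
        risk = _round1(score * assets[f["asset"]]["criticality"])
        ranked.append({**f, "score": score, "severity": severity(score), "risk": risk})
    ranked.sort(key=lambda r: (-r["risk"], r["id"]))
    return ranked


# Constructed inventory and findings (assumptions; the ids are placeholders, not real CVE numbers)
ASSETS = {
    "web-01": {"criticality": 1.0, "note": "public web server"},
    "hr-db": {"criticality": 1.5, "note": "holds payroll and personnel records"},
    "kiosk-07": {"criticality": 0.6, "note": "lobby kiosk, isolated VLAN"},
}
FINDINGS = [
    {"id": "VULN-0001", "asset": "web-01", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "VULN-0002", "asset": "hr-db", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"id": "VULN-0003", "asset": "kiosk-07", "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},
]


def report(findings=FINDINGS, assets=ASSETS) -> list:
    """One line per finding, highest risk first, in the form the service desk would receive."""
    return [f"{r['id']} {r['asset']:<9} CVSS {r['score']:>4} {r['severity']:<6} risk {r['risk']}"
            for r in prioritise(findings, assets)]


if __name__ == "__main__":
    print("\n".join(report()))
```

The point of the asset weighting is visible in the output: the 7.5 on the personnel database outranks the 10.0 on the public web server. A raw CVSS score says how bad the flaw is in the abstract; the ranking that drives the service desk queue has to say how bad it is for this enterprise.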


Regulatory authorities

The 2006 Annual Report of Franklin Resources, Inc., a global investment management organization, lists six US domestic agencies and 28 global agencies as regulatory authorities – that is, legitimate rule-setters that have compliance mandates and standards affecting its operations. The same report lists the “extensive and often complex, overlapping and frequently changing regulation domestically and abroad” as the first of 20 risk factors, which could “adversely affect our reputation, prospects, revenues and earnings.”

Similarly, WellPoint, Inc., the largest health benefits company in the United States, lists “changes in state and federal regulations, or the application thereof” as the first of 27 risk factors in its 2006 Summary Annual Report.

The European Union has issued important regulations aimed at protecting the privacy of individuals. Perhaps the most widely known aspect of the EU policy is the restriction on transferring personal data to countries outside the EU that do not provide an adequate level of protection. Other provisions require that enterprises be able to prove that a data subject has consented to the data being acquired and used. The policy also requires that consumers be able to inspect all data processed about them.

Worldwide, and across all industries, the influence of regulatory authorities is growing. In light of the recent global financial problems it is likely that we will see even more regulations. Thus the demands of compliance management, particularly on IT, will remain a high priority.


Actions businesses can take

• Provide adequate employee training on what compliance means, for the company and for employees individually; and what employees need to do to ensure that the firm is protected at all times.

• Inspect each employee role or position to determine the data to which that person should have access. Document this process. Creating and maintaining a complete data rights plan for the enterprise is painful, but can be essential.

• Depending upon your industry and market position, determine whether the cost of encrypting the most sensitive data stored in your data centres (known as ‘at rest data’) makes sense. If it does, IT will need funding for the appropriate systems.

• Ensure that the enterprise has an adequate, written data retention policy.

– Look for ways to prove that this policy is enforced – for example, be able to demonstrate a secure storage environment and prove that you conduct annual audits.

– Make sure that this policy does not prevent employees from using new technologies that would improve productivity or business processes.

Questions to ask IT about compliance management

• Have we ever had a compliance failure?

- If so, what happened?

• Do we know what SOX or local investor protection laws cost us as a company?

• Do we have any special compliance requirements because of who and what we are (for example, our particular industry)?

• Do we use CobiT or any other control framework?

• What specialized tracking and reporting tools do we use?


Mobile/wireless security

Over the past decade IT has seen the significance of time and place shrinking. Long gone are the days of users confined to mainframe terminals, and even to desktop PCs. Now we often have no idea – and can no longer afford to care – where a user is when he is accessing our systems. Nor can an organization any longer get away with providing a 16-hour-day, 5-day-week computing service. Even though users have their own computing power in their PCs, they need to be able to access enterprise data at any hour of the day or night from anywhere in the world.

What’s driving this is not that all-the-time, every-place access to corporate computing resources makes life easier for employees – some will say it doesn’t. It’s that this time- and place-shifting can dramatically enhance business operations.

And technology platforms are shifting, too. IT increasingly can no longer dictate what kind of device an employee, partner, supplier or customer uses to access the enterprise network. IT must be able to handle just about anything, yet still control the risk to the enterprise. New and ever-more-powerful wireless technologies are taking these challenges to a whole new level of complexity.

Figure 26 – The end of time and place – and things

The figure plots place flexibility (‘my place’) against time flexibility (‘my time’), starting from ‘their time and place’, through four stages:

’90s: small footprint; LAN/cable

Late ’90s – early ’00s: dock and play; Wi-Fi

Mid ’00s: on the go; mobile broadband presence

End ’00s: ubiquity; seamless connectivity


Taking the wires away seems like a great idea. First came the mobile phone. Then we were able to get our email at Starbucks. Now we are all familiar with the ease and convenience of untethered connection to the Internet, and routinely access our corporate networks from our laptops at the airport or beside the pool. This new flexibility has improved personal productivity, and brought about new ways of doing business – and even new forms of management, with the ‘always on’ manager.

Unfortunately, this new degree of flexibility is accompanied by a new dimension of corporate – and perhaps personal – risk. Wireless networks are easier to attack than wired networks, because an eavesdropper does not have to physically tap into a wire: anyone within radio range can capture the traffic, or set up a rogue hotspot that users connect to by mistake. This is ruthlessly exploited: the person next to you in the airport lounge may well be capturing your traffic to discover your online banking password, or the launch price of your soon-to-be-released widget.

The early wireless networks had very poor security. Authentication was often ignored, and the weak original encryption scheme (WEP, which was broken within a few years of its introduction) meant that these networks could be protected only against casual eavesdropping. The many readily available hacking tools led to wireless networks being discredited for enterprise use. A hacker who breaches your corporate wireless network might then be able to access your otherwise-secure corporate wired network and cause havoc. Similarly, home wireless networks were often left unprotected, or protected by very weak password keys.

In recent years, wireless security has been greatly improved – WPA2, with per-user enterprise authentication, has replaced WEP – and enterprises that take care can be reasonably comfortable with the security of the wireless connections used by their employees.

Figure 27 – Wireless network security


Data encryption is an essential component of any security programme (see also Figure 22). Before selecting an encryption technology you must determine what level of security your business model requires. A restaurant chain does not need technology of the same complexity and expense as a defence contractor – though if the restaurant stores customers’ credit card information and is averse to bad publicity, it will require a serious encryption scheme. Once the scheme has been selected – usually by choosing a vendor’s product – it must be properly configured, and a supporting management process put in place and enforced.

Encryption itself is worthless unless you also deploy effective user authentication and identity management. If authentication is limited to a user id and password you can be sure that the level of security provided is weak – though it may still be adequate for many consumer-facing systems. In any case, the enterprise must adhere to good practices of password management, such as enforcing strong passwords and, for anything sensitive, adding a second authentication factor. (Forcing users to change passwords on a schedule was standard advice when this guide was written; NIST’s current guidance, SP 800-63B, no longer recommends it, favouring length, screening against lists of breached passwords and multi-factor authentication instead.) No matter how strong the encryption algorithm, it is for naught if users indulge in poor practices. Thus the key to a secure enterprise is employee commitment, and that can only be achieved through education and communication.

Another matter for enterprise attention is monitoring the wireless network for which devices are on it. Technology is now available to detect and block unauthorized access to a wireless network, or to detect the existence of an unauthorized network. If your enterprise takes wireless security seriously, it will be using these technologies.

Figure 28 – Approaches to wireless security

• Encryption and key management (Virtual Private Networks)

• Device and user authentication

• Reliable physical custody of devices

• Real-time monitoring and control of wireless communications


Even with the best encryption we still have to worry about the physical custody of laptops and smartphones. A recent report shows that thousands of laptops are reported missing (stolen or just lost) at US airports every week (see note 10)! Stealing them is a big, global business.

If your laptop contains valuable data, make sure the data is encrypted. You might also consider installing theft-recovery software on all enterprise laptops. This software reports the IP address – and hence, with luck, the whereabouts – of any Internet connection the laptop is plugged into. (Stolen laptops travel around the world to an amazing extent.) Some of these products also enable remote wiping of data on the stolen laptop. Bear in mind that such software only helps once the thief boots the machine and connects it to the Internet; full-disk encryption is the control that protects the data regardless.

VPNs – Virtual Private Networks – use encryption to provide a secure ‘tunnel’ through the Internet from a laptop anywhere outside your premises to a corporate network. A properly configured and used VPN can provide secure communications over untrusted networks such as the public Internet.

Another important component of any programme designed to secure enterprise wireless networks is real-time monitoring of the networks. Tools are available to flag failing network nodes and any service reduction due to signal interference. The software also tracks wireless intrusions and hacking attempts, including rogue devices and denial-of-service attacks. Some will automatically shut down access by the rogue pending analysis. There are also software tools that enforce security policies for all devices in a network, including ensuring compliance with encryption and authentication policies.
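What the rogue-device detection described here (and the ‘detect the existence of an unauthorized network’ control mentioned earlier) actually does is compare what the radios can see with an inventory of the access points the enterprise owns. The following added example, written for this guide rather than taken from any product, runs that comparison over a constructed scan: it flags an unknown radio advertising the corporate network name (an ‘evil twin’), an inventoried access point whose security mode has changed, an authorised access point running open or WEP, and a strong unknown signal that is probably a device plugged into the wired LAN. The BSSIDs, SSIDs and inventory are assumptions; in practice the same logic would be fed from wireless sensors or the controller's API.

```python
"""Rogue access point detection from a wireless scan, checked against the inventory
of authorised access points.

Added example for this guide, not a product's code. The scan text, BSSIDs, SSIDs and
inventory are constructed; a real deployment would feed the same logic from wireless
sensors or controller APIs.
"""
from dataclasses import dataclass

STRONG_SIGNAL_DBM = -60   # louder than this, measured inside the building, means the radio is on the premises


@dataclass(frozen=True)
class AccessPoint:
    bssid: str      # radio MAC address, the stable identifier of a transmitter
    ssid: str       # advertised network name, trivially spoofable
    security: str   # open | wep | wpa2-psk | wpa2-enterprise
    signal_dbm: int


def parse_scan(text: str) -> list:
    """Parse 'bssid,ssid,security,signal' lines; blank lines and '#' comments are skipped."""
    points = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        bssid, ssid, security, signal = (field.strip() for field in line.split(","))
        points.append(AccessPoint(bssid.lower(), ssid, security.lower(), int(signal)))
    return points


def detect_rogues(observed: list, inventory: dict, corporate_ssids: set) -> list:
    """Return findings as (bssid, rule, severity, detail) tuples."""
    findings = []
    for ap in observed:
        known = inventory.get(ap.bssid)
        if known is None:
            if ap.ssid in corporate_ssids:
                # Unknown radio using our network name: an 'evil twin' set up to harvest credentials
                findings.append((ap.bssid, "evil-twin", "high", f"unknown radio advertising {ap.ssid!r}"))
            elif ap.signal_dbm > STRONG_SIGNAL_DBM:
                # Strong unknown signal: probably a device plugged into our LAN; check the wired side
                findings.append((ap.bssid, "unknown-strong-signal", "medium",
                                 f"{ap.ssid!r} at {ap.signal_dbm} dBm, not in inventory"))
            continue
        if ap.security != known["security"]:
            # Our BSSID, wrong security mode: misconfiguration, or someone cloning the BSSID
            findings.append((ap.bssid, "security-mismatch", "high",
                             f"expected {known['security']}, saw {ap.security}"))
        if ap.security in ("open", "wep"):
            findings.append((ap.bssid, "weak-security", "high", f"authorised AP running {ap.security}"))
    return findings


# Constructed inventory and scan (assumptions, not real networks)
INVENTORY = {
    "00:11:22:aa:bb:01": {"ssid": "corp-wlan", "security": "wpa2-enterprise"},
    "00:11:22:aa:bb:02": {"ssid": "corp-wlan", "security": "wpa2-enterprise"},
    "00:11:22:aa:bb:03": {"ssid": "corp-guest", "security": "wpa2-psk"},
}
CORPORATE_SSIDS = {"corp-wlan", "corp-guest"}
SCAN = """\
00:11:22:aa:bb:01,corp-wlan,wpa2-enterprise,-48
00:11:22:aa:bb:02,corp-wlan,wpa2-enterprise,-55
DE:AD:BE:EF:00:01,corp-wlan,open,-52          # our SSID from a radio we do not own
00:11:22:aa:bb:03,corp-guest,wep,-50          # inventory AP downgraded to WEP
66:77:88:99:aa:bb,linksys,open,-42            # unknown and loud: likely plugged into the LAN
aa:bb:cc:dd:ee:ff,CoffeeShop,wpa2-psk,-81     # weak signal from across the street
"""


def run() -> list:
    return detect_rogues(parse_scan(SCAN), INVENTORY, CORPORATE_SSIDS)


if __name__ == "__main__":
    for bssid, rule, sev, detail in run():
        print(f"{sev:<6} {rule:<22} {bssid}  {detail}")
```

Two caveats a practitioner would add. The SSID is only a label, so matching on it catches the crude evil twin but not an attacker who clones a BSSID as well; the security-mismatch rule and, better, a controller that knows where each of its own radios is, are what catch that. And a strong unknown signal is only a suspicion until it is correlated with the wired side (a new MAC on a switch port), which is why the rule rates it medium rather than high.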

Figure 29 – It’s not just the data …

• Recognize the greater risk of loss with smaller, commodity devices

• Pay special attention to the devices themselves:

– Inventory control and replacement

– Software data recovery, software data protection

– Over-the-air patching and updates

– Changing access rules

– Audits

• Demand that operators provide handsets which can be disabled if lost or stolen

10. Reported by the Ponemon Institute following research done for Dell Computer: http://www.dell.com/content/topics/global.aspx/services/prosupport/en/us/exec_summary?c=us&l=en&s=gen


Bluetooth is a wireless Personal Area Network or PAN. It is increasingly popular for connecting electronic devices such as telephones and PDAs to a computer, or a headset to a mobile phone. Over the next couple of years, we should see PANs replace the mess of wires we now have in our homes connecting peripherals to PCs or home entertainment systems (see note 11).

There has been much discussion about Bluetooth security – or rather, the lack of it. If the technology is being used to connect a headset to a mobile phone inside an automobile there is not much to fear; but it is not an appropriate mechanism for exchanging control signals for a power grid or train.

ZigBee is a newer PAN protocol that, from the outset, has been designed with low power consumption and security in mind. ZigBee also supports the concept of mesh networking, which allows automatic configuration of a new network, as well as reconfiguration of the network in case of a node failure. This self-organizing, self-healing capability is ideal for building management (HVAC, energy monitoring, access control); home automation (lights, heating, home theatre); system monitoring (water sensors, motion detectors, humidity sensors); and control (industrial plant) applications. An illustrative application of mesh networks is for environmental monitoring in vineyards. Sensors on the canopy of vines monitor temperatures and dew levels, and help the viticulturalist decide when to pick grapes for maximum sugar content. In the event that a network node is damaged by a tractor, for example, the remaining nodes sense that a node failure has occurred, reconfigure their network and continue to function without interruption.

Expect to hear more of ZigBee in future.

11. Cisco introduced their Wireless Home Audio system in January 2009, bringing Hi-Fi music to any room in the home without wires.

Figure 30 – Bluetooth and the like

• Personal Area Networks (PANs):

– Short-range, low-power wireless connections

• Eliminate cables, keys and physical connectors:

– for cameras, printers, phone headsets, automobile starters and audio equipment

• Bluetooth is the most common technology

• ZigBee is designed for low power and high security

• Special needs for PAN security:

– Encryption and password-based identification and authentication

– Usually no audit capability available


The US National Institute of Standards and Technology warning to government IT directors

Agencies should be aware that maintaining a secure wireless network is an ongoing process that requires greater effort than that required for other networks and systems. Moreover, it is important that agencies assess risks more frequently and test and evaluate system security controls when wireless technologies are deployed.

Maintaining a secure wireless network and associated devices requires significant effort, resources and vigilance, and involves the following steps:

• Maintaining a full understanding of the topology of the wireless network.

• Labelling and keeping inventories of the handheld devices.

• Creating backups of data frequently.

• Performing periodic security testing and assessment of the wireless network.

• Performing ongoing, randomly timed security audits to monitor and track wireless and handheld devices.

• Applying patches and security enhancements.

• Monitoring the wireless industry for changes to standards that enhance security features and for the release of new products.

• Vigilantly monitoring wireless technology for new threats and vulnerabilities.

Agencies should not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations, and continuity of essential operations. Agencies should perform a risk assessment and develop a security policy before purchasing wireless technologies, because their unique security requirements will determine which products should be considered for purchase. (See note 12.)

12. NIST Special Publication (SP) 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, written by Tom Karygiannis and Les Owens.


The perfect mobile phone

Mobile phones are personal devices, and so subject to a myriad of requirements reflecting individual tastes and working patterns. Japan is about three years ahead of both Europe and the United States in mobile phone functionality, services and technology. Many of the features of a Japanese mobile are minor technical achievements – often not at all difficult to implement – but they provide significant user advantages. Here are some of the features that are currently available in Japan:

• An anchor point for a wrist strap or lanyard. For years it has been inconceivable that a phone would be sold in Japan without such a feature, though they are only now appearing in our world. Many people like the idea of being able to secure their mobile in their hand as they do a camera.

• Waterproof phones. We all know someone who has dropped their phone in the washbasin – or worse!

• Enhanced ruggedness. Sometimes we sit on them, and frequently drop them.

• Recovery and security features that you can activate when you’ve lost your phone. For example, the missing handset calls and reports its whereabouts to you 10 times a month, or the handset is disabled to prevent access to your private data. Japan’s NTT DoCoMo calls this the Omakase Lock, and if it is activated the phone becomes unusable.

• Theft alarm. If your child’s mobile is snatched from her hand, a lanyard attached to her clothing pulls a pin and the handset emits a high-pitched shriek, flashes a bright strobe light, and automatically calls you and her child-minders to alert you to the incident.

• Fingerprint reader. If it becomes the norm, this could be the key to two-factor authentication for access to financial and shopping sites over the Internet.

• Authentication features. A mobile handset can be a secure authentication device holding passwords, keys or digital certificates. With RFID or Near Field Communications technology (see note 13), a handset can be used to open secured doors, pay for rail journeys, parking tariffs, and even chewing gum. In Japan, all these capabilities are readily available in handsets and are being used in the railways and convenience stores.

• Good looks. Japanese phones are all small, light and good-looking.

Finally, and most important of all, we would like our mobiles to enable us to hold normal telephone conversations – wherever we are. Even Silicon Valley is laced with black spots where phone calls cannot be made or are lost, so much so that one still hesitates to use a mobile for important business calls. Our mobiles must work all the time, including when we are in a crowded public space with hundreds of other mobile users.

13. Both Radio Frequency Identification (RFID) and Near Field Communication (NFC) transmit information wirelessly over short distances. NFC works over a few centimetres (about 10 cm, or 4 inches, at most); RFID read ranges run from centimetres for some passive tags to several metres for others, which matters when the tag carries anything sensitive. RFID is used to track items on store shelves, production lines and checkout counters. NFC is used in contactless access cards or payment cards.


Actions businesses can take

• Deploy the advanced encryption and key management techniques that are now available to minimize wireless-related security vulnerabilities.

• Put strict access privileges on mobile device users to protect sensitive information.

• Create security policies specific to mobile device usage.

• Minimize the impact of a lost device: password-protect all devices, encrypt sensitive documents on these devices, and don’t allow the use of automatic scripts for VPN login – the password must be entered every time.

• Regularly back up PDA and smartphone data to a PC to prevent permanent loss for whatever reason.

• Consider using antivirus software for PDAs. Network-level scans are the most effective, centralized way of preventing viruses and other disruptions associated with mobile devices.

• Ensure your access control includes both hardware/device-based authorization and application-based authorization.

• Provide specialized training to mobile device users and administrators, including simple guidelines for the physical security of devices and a reporting mechanism in case of loss or theft.

No single security solution will work for mobile devices given the nature of the environment. But using the existing IT security infrastructure to cover mobile devices simply isn’t practical – it will render the devices almost useless. Enterprises must treat mobile security as an independent task, creating and implementing mobile-specific security policies. A comprehensive risk analysis of the potential security hazards associated with the use of mobile devices should be the first step.

Questions to ask IT about mobile security

• Do we have a written mobile phone use policy?

• Do we permit the use of wireless laptops in public places?

- If so, what security precautions do we take on the laptops?

• What are our instructions to employees who lose a laptop?

- To whom do they report the loss?

- Are there any repercussions?

- How do we investigate whether we have lost critical data?


eThreats and countermeasures

Protecting the organization’s information assets, including hardware, software and data, is a multifaceted problem.

The greatest threats to hardware – processors, servers, desktops, laptops, mobile devices and networking hardware – are physical: theft, loss, and damage from fire, flood, storm and other natural disasters. For the most part, these threats are best dealt with through appropriate disaster recovery and business continuity planning to enable acceptable recovery after they happen.

The main threats from the Internet (eThreats) target the software running on these machines and the data stored on them.

‘Core’ applications are the programs that support the organization’s primary activities. They are as diverse as the organizations that use them. For example:

• An enterprise resource planning (ERP) system controls a manufacturer’s inventory, production and distribution operations.

• Claims processing systems are used by insurers to store, review and pay claims.

• Sales-force automation systems track contacts, proposals, contracts and other material needed by sales teams.

• Computer-aided dispatch systems manage police, fire and ambulance services.

When any core application is down, the organization’s ability to function is severely hampered.

A variety of tools and techniques are available to help cope with eThreats. For example, a firewall system makes it possible to monitor incoming Internet traffic for any attempted unauthorized access to the enterprise network. Intrusion detection systems can determine if the enterprise is under attack and recognize unauthorized activity such as a hacker attempting to access files or surreptitiously use company systems. Password management can enforce a password policy, insisting on long passwords that are hard to guess and rejecting common ones; complexity rules alone do not defeat automated guessing, which is why a second authentication factor is increasingly required for sensitive access.

Figure 31 – What needs to be protected

• The initial design of the Internet didn’t recognize original sin!

– It is open

– It is complex

• What needs to be protected?

– Hardware

– Core applications

– Data: integrity and confidentiality


Malware–malicioussoftware–comesinmanyguises.Justkeepingupwithitsvarious forms and attacks can be a full-time job. Among the most important ones to know about are:

• Viruses are placed in software which, when run, spreads the virus to other software. A virus requires an initial user intervention – such as opening an email – to spread.

• Worms spread automatically. They are programs that actively transmit themselves over the Internet to infect other computers.

• Trojan horses appear to perform a legitimate function but in fact execute undisclosed malicious functions. viruses and Worms are often also Trojan horses.

• Spyware typically monitors a user’s web browsing and displays unsolicited advertisements; it is often embedded in user-installed software.

• Adware automatically displays advertisements on a computer. It could be considered benign if the user has agreed to accept advertising. As malware it is disruptive and annoying.

• Keyloggers record a user’s keystrokes and transmit them to a system that extracts usernames, passwords, credit card numbers and the like.

• Rootkits take unauthorized control of a computer system by modifying parts of the operating system or installing themselves as drivers or kernel modules. (The name derives from the Unix term ‘root’ access, which refers to the administrator’s access rights. They are perhaps the most dangerous kind of malware.)

All of these malware variants can violate personal privacy by transmitting buying habits, user names, the computer’s IP address and other information to a third party. Furthermore, the impact on both enterprise and individual productivity of having to detect and remove malware, and perhaps recover lost data or reinstall a system, is significant. Regrettably, we cannot predict a diminution in the frequency of these attacks. The best we can hope for is better and better tools for dealing with them.

Figure 32 – Malware

• Viruses

• Worms

• Trojan horses

• Spyware

• Adware

• Keyloggers

• Rootkits


All the other problems in the IT world

Other malicious activities that plague IT and that are important to the business are:

A Denial of Service attack is a malevolent effort to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Such attacks often use ‘bots’ to infect thousands of computers that then simultaneously download pages from a targeted web site. This massive simultaneous workload is designed to overwhelm the web site and cause the owner, or (more often) the ISP, to have to shut it down. Figure 33 shows the traffic at a political blog web site after material was posted that an activist group considered controversial. The solid block on the right of the graph shows artificially generated traffic of 10 million bits per second, designed to make the data being hosted inaccessible by overloading the server. Prompt reaction by the host data centre recognized malicious Internet traffic and defeated it.
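The kind of rate check a host data centre uses to recognize the ‘solid block’ of flood traffic in Figure 33, as an added example (not code from the report or from the data centre described): it takes a series of per-minute traffic samples in bits per second, derives a baseline from the quiet early minutes, and reports only runs that stay far above that baseline for long enough to be a flood rather than a short burst. The sample series, the 10x factor and the five-minute minimum duration are constructed assumptions.

```python
from statistics import median

# Constructed per-minute traffic samples in bits per second (not real data):
# 30 minutes of normal traffic with a 3-minute burst at minutes 15-17,
# then 20 minutes of sustained flood traffic at 10 Mbit/s, then a return to normal.
NORMAL = [180_000, 220_000, 190_000, 210_000, 200_000]
SAMPLE_BPS = NORMAL * 6
SAMPLE_BPS[15:18] = [5_000_000] * 3
SAMPLE_BPS += [10_000_000] * 20 + NORMAL * 2


def detect_floods(samples, baseline_window=10, factor=10.0, min_duration=5):
    """Return (start, end, peak_bps) for each run of at least min_duration
    consecutive samples exceeding factor * median(first baseline_window samples).

    Short bursts above the threshold are ignored so that a momentary spike
    in legitimate traffic does not trigger a flood alert.
    """
    baseline = median(samples[:baseline_window])
    threshold = baseline * factor
    events = []
    start = None
    # A trailing zero sentinel closes a run that continues to the end of the series.
    for i, value in enumerate(samples + [0]):
        if value > threshold:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_duration:
                events.append((start, i - 1, max(samples[start:i])))
            start = None
    return events


if __name__ == "__main__":
    for start, end, peak in detect_floods(SAMPLE_BPS):
        print(f"flood from minute {start} to {end}, peak {peak:,} bit/s")
```

The baseline is taken from the first ten samples, so the check assumes the series begins in a quiet period; a production detector would keep a rolling baseline and would also look at request rates per source, which is what allows the flood to be blocked rather than merely noticed.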

Spam is the bane of our online lives – no computer user is in any doubt about what it is. It has become slightly less of a problem in recent times because of the improving spam filters deployed by email providers and enterprises.

Phishing is another well-known Internet scam – though judging by its continued success not everybody manages to avoid it. Phishing is the fraudulent attempt to obtain personal identity information (such as usernames, passwords and credit card details) by masquerading as a trustworthy entity on the web. Communications purporting to be from, say, PayPal or Wells Fargo Bank are commonly used to lure the innocent.

Bots – derived from ‘robot’ – are programs designed to perform an automated task. A good use of a bot is to gather web page information for a search engine such as Google. The bad guys can use a bot to infect and gain control of a PC and then send spam or even participate in a denial of service attack on a web site by sending page requests as quickly as possible.

Web Application Exploitation is now common enough to have books written about it. A sequence of commands is inserted into a web page, an email, a virus, or whatever, in order to cause unintended or unanticipated behaviour of a web site or application. Often the insertion is possible because of a vulnerability in an application or system caused by a design error.

Public Source Information Gathering is the use of legitimate Internet tools such as search engines, government and other public information sites, to obtain information about a person for malicious use. Is your resumé on the Internet? Have you, perhaps, been a party in a corporate law suit, or are you in SEC filings, as a result of which a trail of information about you can be found on the web? Have you Googled yourself to determine what information is out there? Is all of it correct? Correcting inaccurate information is particularly difficult and frustrating.

No-Tech Hacking. Examples include shoulder surfing – looking over someone’s shoulder at an ATM to see them enter their PIN, or looking at the task bar icons on a neighbour’s laptop to see what firewall she is using, with a view to tapping into her wireless link; and tailgating – following closely on the heels of somebody who used their employee badge to enter a secure area. Perhaps the last refuge of the no-tech hacker is dumpster diving – trawling refuse piles of discarded printouts and documents in search of IDs and other information which could be used maliciously.

Enterprise, Terrorist and State-Sponsored Attacks are not much discussed but are something to have on your radar screen, depending upon the parts of the world in which your business operates. In such an attack, all or any of the above malicious tools are used – with a vengeance – by the agents of one group against the electronic infrastructure of another. The attacked assets need not necessarily be government sites. In April 2007, during a period of poor relations between Russia and Estonia triggered by the relocation of a Soviet war memorial, Estonian banks, email services and other eCommerce sites came under sustained attack from hijacked computers all over the world. The attacks lasted for three weeks, and the results would have been more serious were it not for the Internet-savvy community in Estonia who, with the help of experts from abroad, were able to minimize the impact and eventually shut down the attacks.

Malicious interference with our use of the Internet will increase going forward. This is a reality we will have to deal with. Fortunately, tools exist and are rapidly evolving to meet new threats. As business executives, we have no choice: we must meet the challenge, despite the cost in resources and time.

Figure 33 – The impact of a Denial of Service attack


Actions businesses can take

• Keep up your enterprise’s guard against IT security threats even in tough economic times.

• Keep abreast of emerging new approaches to business continuity planning and disaster recovery. New approaches to data centre management involving cloud computing could make acceptable disaster recovery plans less expensive.

Questions to ask IT about eThreats and countermeasures

• How many people do we have in IT dedicated to trying to eliminate eThreats?

– What do these efforts cost us, including software licenses and subscriptions?

• Have our systems or any of our applications or web sites been brought down by malware or some kind of attack?

– What happened?

– Did our customers or partners react?

– How long did it take us to recover?

– Do we know by how much our revenue stream was impacted?

• What kind of defences do we use today?

• Are there additional things we should be doing?

• Is this due to a lack of investment?


Transparency and assurance

Customers and partners need confidence that enterprises are addressing all of these security issues and providing a secure environment in which to conduct business. To improve consumer trust, various Internet players have been experimenting with the idea of ‘trustmarks’. In the United States, the Good Housekeeping Seal of Approval is a widely accepted trustmark for household goods. In the UK, the Kitemark® of the British Standards Institute fulfils such a role. On the Internet, a trustmark is a symbol or icon displayed on a web page that aims to help people evaluate the trustworthiness of information, services or products on that web page or web site.

Figure 34 displays some of the better-known IT trustmarks. None have become sufficiently well established in consumers’ minds that they are taken as real assurance that the site is authentic or adheres to the practices claimed by the mark. For example, even the SSL ‘lock’ icon displayed at the bottom of a browser page (as shown in Figure 14) can be tampered with to falsely show a secure connection.

We hope that true standards of trust that can be easily understood and verified by the marketplace will eventually emerge. But until they do, individual company efforts will make a real difference and can be deployed as a real source of competitive advantage.

Figure 34 – Representations and trustmarks (figure labels: Software and systems; Ethical intent; Consumer privacy; Vulnerability status; Other online services; Trust for the digital trust brokers; Online enterprise web sites)


Actions businesses can take

• Consider the use of a trustmark depending upon which market your enterprise serves.

• If your enterprise serves consumers online, monitor the evolution of trustmarks to track their effectiveness among your customer demographic.

Questions to ask IT about transparency and assurance

• Do we use trustmarks?

• Do we have any evidence that they help our online sales?

• Have we had any communication with our customers about them?

• Do we provide a secure Internet link between our customers and our web site? And do we display the SSL ‘lock’ trustmark?


The perfect Internet

Today’s Internet has evolved over nearly 40 years. In its evolution it has had to incorporate so many patches and modifications that it is now unwieldy and brittle. Some problems relate to performance, capacity and availability; others to management and control; but those that are of most interest here concern security and integrity.

The original Internet architects were mostly academics who designed a system for resilience and openness, with little consideration for traditional IT security issues. Anonymity was built in – anyone can use the web without indicating who they are. Most of the time this is not an issue, but, as we painfully know, there are many malicious users out there sending spam, scamming with phishing sites, sending us malware, and worse. They exist because we cannot identify them and hold them accountable. But if we want a ‘secure’ system that has no spam, no phishing, no crooks selling us stuff that they will never deliver, and no anonymous shady characters chatting online to our daughters, we will need a very different Internet.

A truly secure Internet would have built-in authentication and identity management. Such an Internet would require us to cede some elements of privacy and anonymity, and many people will object, especially since it is unnecessary for most current Internet usage. But if identification capabilities were available to law enforcement, hackers could be traced, and spam could be eliminated – or much reduced. The trade-offs between anonymity and security will remain complex.

The security implementation issues will prove equally challenging. Re-architecting a network as complex as the Internet, and then changing a system used 24 hours a day by billions of users, is of the order of replacing an aircraft engine while the plane is in flight. To aid this process the US National Science Foundation has funded a national research network – GENI, the Global Environment for Network Innovations – to explore designs for a new Internet. This effort enables innovations to be tested and stressed under load before even thinking of introducing them to the real world.

The reality is that we will never achieve a perfect Internet. We can, however, vastly improve the ad hoc system we have today, and the web’s pervasive usage and potential value will justify the necessary expense. Unfortunately, these improvements will take time, and in the meantime the malefactors will continue their scams with more impunity than we would like.


Summary and key points

The concept of digital trust is based upon the idea that information security is not just about protecting the firm. It is a strategy for creating value by improving the trust and confidence of your firm’s business ecosystem. Such strategies must be broad based and cut across the six major areas this report has assessed:

1) Identity Management has three main approaches: the very common, but limiting, enterprise directory; federated identity management, an excellent way to expand digital trust across collaborating partners, but requiring complex contracts; and a future Identity 2.0 approach, which does away with the centralized database of personal information but has many technical and implementation challenges. A related issue is authentication, where the problem is that many companies use relatively weak password systems to protect their web sites and applications.

2) Intellectual Property (IP) protection seems like a ‘no brainer’ – an enterprise’s IP is often its crown jewels. But while protecting IP is critical, the real digital trust challenge is to leverage IP securely so that its value can be exploited in the marketplace. This often requires complex access and sharing policies that seek a balance between security and opportunity. Merely locking up IP will increasingly be seen as insufficient.

3) Compliance management has become a major issue around the world with laws such as the Sarbanes-Oxley Act in the United States and the European Union privacy directive. Non-compliance is not an option, and the required reporting inevitably falls to IT. It is also necessary that IT be able to trace and reproduce all documents pertaining to an event that is the subject of criminal investigation. eDiscovery of emails, instant messages, documents and call centre records requires extraordinary amounts of storage and special software. Digital trust increasingly requires control over virtually all corporate data, and an audit trail of who accessed what and when.

4) Wireless networks require special attention to secure both the networks and the data that resides on them. It takes a dedicated effort to implement secure authentication, encryption and network monitoring in a wireless environment. But such efforts are becoming essential. Few firms can afford to deny themselves, their partners and their customers the potential value of mobile and wireless systems. Early leadership here is a good example of how digital trust can be used to drive important competitive advantages.

5) The Internet has spawned a host of new eThreats that must be understood and dealt with every day. Malware and all sorts of other intrusions and attacks require continual countermeasures. Among the primary threats are viruses, worms, Trojan horses, spyware, adware, keyloggers, rootkits, and denial of service attacks, any one of which can cause great damage to the firm. While there are tools to address these problems, they must constantly evolve to keep pace in what is essentially an arms race with hackers and criminals worldwide. Constant vigilance is required.

6) Customers and partners need confidence that enterprises are addressing all of these security issues. They need to have digital trust in online services. This confidence is encouraged by business transparency, by providing a constant stream of evidence that the enterprise is a secure environment in which to conduct business. The most powerful assurance is the customer’s own experience, but the enterprise must also make continual efforts to demonstrate that its site is safe to use. Surveys have shown that trustmarks, imperfect as they are, do increase the value of transactions conducted on a web site.

IT security has become a major burden for enterprises all around the world, and this burden will not diminish any time soon. However, a well-thought-out strategy, careful planning, and equally careful execution can turn a burden into a business advantage. As long as business partners and customers have reason to worry about the safety of their personal information and/or IT usage, those firms that pursue a reputation for digital trust will enjoy a significant market advantage.



Leading Edge Forum

Asia Pacific, Australia: Level 7, 570 St Kilda Road, Melbourne, VIC 3004. Tel: +61.3.9536.4327 Fax: +61.3.9536.4400

Belgium, Luxembourg and The Netherlands: Kosterijland 20, 3981 AJ Bunnik, The Netherlands. Tel: +31.30.6574.574 Fax: +31.30.6574.590

France: Immeuble Le Balzac, 10 place des Vosges, 92072 Paris La Défense Cedex, France. Tel: +331.55.70.52.80 Fax: +331.55.70.50.59

United Kingdom, Ireland, Iberia, Italy, The Nordic Region, Germany, Austria, Switzerland and South Africa: Vintners’ Place, 68 Upper Thames Street, London EC4V 3BJ, United Kingdom. Tel: +44.20.7015.6000 Fax: +44.20.7015.6850

United States and Canada: 3170 Fairview Park Drive, Falls Church, Virginia 22042, United States. Tel: +1.703.641.3479 Fax: +1.703.204.8355

About the Leading Edge Forum

CSC’s Leading Edge Forum (LEF) is a global community whose programmes help members realize business benefits from the use of advanced IT more rapidly.

LEF members work to spot key emerging business and technology trends before others, and identify specific practices for exploiting these trends for business advantage. Members enjoy access to a global network of thought leaders and leading practitioners, and to a powerful body of research and field practices.

LEF programmes provide CTOs and senior technologists with the opportunity to explore the most pressing technology issues, examine proven state-of-the-art practices, and leverage CSC’s technology experts, alliance programmes, and events. For more information about LEF programmes, visit www.csc.com/lef

The LEF Executive Programme is a premium, fee-based programme that helps CIOs and senior business executives develop into next-generation leaders by using technology for competitive advantage in wholly new ways. Members direct the research agenda, interact with a network of world-class experts, and access topical conferences, study tours, information exchanges and advisory services. For more information about the LEF Executive Programme, visit lef.csc.com


Certified as a Forest Stewardship Council mixed sources product. Aleo 80 is produced using 80% recovered fibre, comprising of 60% de-inked post consumer fibre and 20% recovered fibre, with the balance of the sheet being 10% FSC accredited virgin fibre and 10% virgin fibre.

The fibre content of this paper is manufactured from 80% recycled paper