
Root Document

Making Business Sense of Information Security
Version: 1.0, Feb 10, 2006

AUTHOR(S): Dan Blum ([email protected])

TECHNOLOGY THREAD:

VantagePoint

Conclusion

Enterprises must operate on a global scale and build IT capabilities to remain competitive and leverage new business models. They must also fend off threats from heightened criminal activity. Risks will continue to increase with IT automation and interdependence. A well-managed security program must provide strong, security-related processes that are integrated into appropriate business processes, envision a long-term strategy, and communicate it to the business. Organizations that invest in a comprehensive, business-like approach to security will be well positioned to achieve the assurance required to conduct and expand business online within an acceptable margin of safety.


Security and Risk Management Strategies

In-Depth Research Overview

58068

Publishing Information

Burton Group is a research and consulting firm specializing in network and applications infrastructure technologies. Burton works to catalyze change and progress in the network computing industry through interaction with leading vendors and users. Publication headquarters, marketing, and sales offices are located at:

Burton Group
7050 Union Park Center, Suite 510
Midvale, Utah USA 84047-4169
Phone: +1.801.566.2880
Fax: +1.801.566.3611
Toll free in the USA: 800.824.9924
Internet: [email protected]; www.burtongroup.com

Copyright 2006 Burton Group. ISSN 1048-4620. All rights reserved. All product, technology and service names are trademarks or service marks of their respective owners.

Terms of Use: Burton customers can freely copy and print this document for their internal use. Customers can also excerpt material from this document provided that they label the document as Proprietary and Confidential and add the following notice in the document: Copyright © 2006 Burton Group. Used with the permission of the copyright holder. Contains previously developed intellectual property and methodologies to which Burton Group retains rights. For internal customer use only.

Requests from non-clients of Burton for permission to reprint or distribute should be addressed to the Marketing Department at +1.801.304.8119.

Burton Group's Security and Risk Management Strategies service provides objective analysis of networking technology, market trends, vendor strategies, and related products. The information in Burton Group's Security and Risk Management Strategies service is gathered from reliable sources and is prepared by experienced analysts, but it cannot be considered infallible. The opinions expressed are based on judgments made at the time, and are subject to change. Burton offers no warranty, either expressed or implied, on the information in Burton Group's Security and Risk Management Strategies service, and accepts no responsibility for errors resulting from its use.

If you do not have a license to Burton Group's Security and Risk Management Strategies service and are interested in receiving information about becoming a subscriber, please contact Burton Group.

Table Of Contents

Synopsis
Analysis
  Business and Technology Trends Driving Security
    Globalization, Technology, and New Business Models
    Process Networks: A Modern Business Vision
    Transformative Technologies
    Security Counterpoints to Process Networks
    Social Software and Collaboration
    Security Counterpoints to Social Software and Collaboration
    Where Are Business and Technology Driving Security?
  Risks to the Business
    Hunting in Packs
    Shifting Attack Targets
    Will the Security Situation Get Better or Worse?
  How Much Should Organizations Spend on Security?
    Security Spending Is Linked to Bigger IT Management Issues
    It's Hard to Pin Down the Right Amount of Security Spending
    The Crux of the Matter
  How Should Organizations Address Compliance?
    Get Set to Manage Many Compliance Mandates, and More to Come
    Let Risk Management Select the Right Targets
    Take Due Care with Compliance, Partnering, and Outsourcing
  How Should Security Needs Be Communicated?
  What Technical Security Capabilities Should Organizations Envision?
    Flexible and Fine-Grained Zoning
    More-Trustworthy Systems
    Internet Identity
    Better-Protected SOAs
    Advanced Content Control
    Trust Frameworks
    An Organization-Wide Control System
  Recommendations
The Details
  Information Security Management
    Risk Management and Security Drivers
    Security Management Processes
    Compliance and Control Standards
    Concepts and Methodologies
  Security Technology Model
Conclusion
Notes
Related Research and Recommended Reading
Author Bio


BURTON GROUP 7050 Union Park Center Suite 510 Midvale · Utah 84047 · P 801.566.2880 · F 801.566.3611 · www.burtongroup.com

Synopsis

Organizations must operate on a global scale, build information technology (IT) capabilities to remain competitive, and fully leverage new business models that require cross-organizational business processes. At the same time, all organizations must address threats from heightened malicious and criminal activity online, ranging from nuisances all the way up to information warfare. Risks will continue to increase with IT automation and interdependence. Organizations must get smarter about security and consider it up-front in business risk management to avoid large-scale emergencies and the need for frequent and expensive shifts in direction.

It is difficult to measure security spending accurately across different organizations. Although spending is typically higher in vertical industries, such as financial services, medical services, or government, compliance mandates are raising costs for additional industries. Large organizations also have the potential for diseconomies of scale in security because their complexity and diversity negatively impact the effectiveness of security spending, which is generally related to the manageability of IT environments. Some organizations spend too much, others too little, and their efficiency often varies dramatically with the quality of IT security and management programs.

Compliance mandates are forcing organizations to improve business risk management processes, and information security issues must now be considered by “C” level executives. Risk management is the right approach to set the direction on security spending amounts and objectives, and to ensure the program is shooting at the right targets. But continually changing compliance demands continually change risks and targets. Organizations require adaptable security programs that promote sound security practices and treat compliance needs holistically.

A well-managed security program starts at the top and must provide strong governance, business risk management, auditing, and control processes. Security groups and the organization must communicate clearly and continuously with a minimum of fear, uncertainty, and doubt (FUD). The security program must also envision a long-term security strategy and communicate it effectively to the organization. To that end, this overview proposes a security technology vision whose key components are flexible and fine-grained zoning, more-trustworthy systems, Internet identity, better-protected service-oriented architectures (SOAs), advanced content control, trust frameworks, and an organization-wide control system for information protection.

Organizations that invest in good security programs by creating and realizing a long-term security strategy will be better positioned to achieve the assurance required to conduct and expand business online within an acceptable margin of safety.


Analysis

The emergence of the information age, with its increasing dependence on information and communications networks, continues to present organizations with a tumultuous IT landscape. Organizations must operate on a global scale and continually enhance IT capabilities to remain competitive and fully leverage new business models that require cross-organizational business processes. But at the same time, they must be able to adapt to changing business and technology environments without continually making dramatic structural changes.

Technology advances occurring over the next five years will sweep ongoing waves of disruptive innovation unevenly across multiple vertical industries. Advances in IT and communications are both the enablers and the results of increasingly dynamic working relationships within organizations, among organizations, and between organizations and customers of all types and sizes. These dynamics are driving challenging new security requirements.

Organizations must meet IT security challenges by building sustainable information protection governance, processes, and technology architectures. Along the way, there are many business questions in the subtext, including:

● Where are business and technology trends driving security?

● Will the security situation get better or worse?

● How much should organizations spend on security?

● How should organizations address compliance?

● How should security needs be communicated?

● What technical security capabilities should organizations envision and establish?

Business and Technology Trends Driving Security

Globalization, outsourcing, transnational operations, technology advancement, and nearly ubiquitous communications are creating new business models that demand new IT capabilities with corresponding security features. Business process networks spanning multiple organizations are emerging that require loosely coupled technology architecture, real-time communications, social software, and collaboration software. These trends are driving organizations to consider information security up-front and along with business planning and business risk management. The trends are also driving information security architectures to support future IT environments that will be even more distributed than the ones that exist today.

Globalization, Technology, and New Business Models

Globalization and technology are advancing at a rapid pace, raising new markets in their wake. As more and more regions are wired for business and begin to participate in world trade, hundreds of millions of people are becoming global consumers and joining the global labor force.

Once just a convenient source of cheap labor for organizations in North America, Europe, and other areas, developing countries have created world-class call center, engineering, design, manufacturing, system integration, and other specialized businesses. Strong business ecologies have formed in India, Taiwan, coastal China, and myriad other locations, and universities in these countries are churning out legions of well-educated engineers and other specialists. Global organizations increasingly have the opportunity to leverage offshore outsourcing for more than just cheap labor—such outsourcing is now also a source of strategic innovation and competitive advantage.


Along with globalization, technologies such as the Internet, mobile computing, location-aware global positioning system (GPS) services, radio frequency identification (RFID) tagging and sensing of objects, and a plethora of other IT capabilities constitute a powerful knowledge and communications engine. This engine is driving advances in computing, communications, biotechnology, nanotechnology, genetics, development of new energy sources, medicine, transport, adaptable and efficient supply chains, and a variety of other areas. New modes of working, living, and learning will continue to emerge worldwide. Most people, firms, governments, universities, nonprofits, and other organizations must continuously adapt (and even occasionally reinvent themselves) to remain relevant and competitive.

Global organizations face the greatest challenge when they compete to gain share in rapidly developing markets. Selling to Asian markets, in particular, often requires a local presence and localized products, as well as radical innovation in design, manufacturing, and form factors. In many cases, the knowledge and capabilities forged in the Asian crucible are well-suited to generate product variants that come back to compete in more-developed markets. Successful global organizations in the early twenty-first century must not only develop the ability to operate flexibly on a global basis—they must also master new business models and technologies that enable partnering across larger and more complex value chains, or find ways to reduce the length and complexity of these value chains through innovation. The ability to manage and secure IT capabilities that produce and enhance value will be a critical success factor for most organizations, and it will also be one of the principal governors for how rapidly business change can occur.

Process Networks: A Modern Business Vision

A 2005 book by John Hagel III and John Seely Brown, titled The Only Sustainable Edge,[1] eloquently advocates innovative strategies for riding the wave of business change stemming from globalization, partnering, and technology advancement. These ideas raise difficult issues of control, compliance, and trust. However, the book's vision provides a useful context to frame this overview's discussion of where business and technology trends are driving security.

Hagel and Brown argue that successful organizations can best thrive in today's competitive global environment by amplifying internal strengths and creatively and aggressively harnessing complementary capabilities from other organizations. The authors go so far as to say that a talent for accelerated capability building will eventually become the strongest source of competitive advantage for most organizations.

In addition, Hagel and Brown propose a corporate strategy of leveraged capability building and enhanced value creation through strategic use of process outsourcing and offshoring. They advocate loose coupling of extended business processes with partners and effective management of the productive friction that results when diverse people from multiple organizations and specializations come together to creatively resolve difficult business issues.

These complementary strategies conjoin in the formation of process networks. Process networks are similar to large supply chain or product distribution operations, but they are more dynamic in that they mobilize highly specialized organizations across more than one level of an extended business process. Many organizations—such as Nike and Cisco Systems—already orchestrate closed process networks for product manufacturing, marketing, and distribution. A very few, such as Hong Kong-based Li & Fung in the apparel industry, orchestrate open process networks, which will, in time, become more common. Many other organizations participate in and benefit from emerging process networks.

Li & Fung, for example, serves apparel designers and retailers by obtaining their requirements for cost, quality, quantity, delivery, and appearance, and then assembling customized supply chain processes involving subsets of its 7,500 business partners. Li & Fung chooses the participants for each step in the manufacturing process, defines performance requirements, monitors quality, and orchestrates logistics. Figure 1 diagrams this example of a process network.


Figure 1: Process Network Example

Process networks rely on loose coupling, which is different from traditional hardwired approaches to cross-organizational processes. Loose coupling comprises a modular approach that specifies process owners and process outputs. Module outputs and accountability are stringently specified by the process orchestrator, but the definition of internal functionality is left to independent module owners.

Burton Group readers will note a similarity between loose coupling of process networks and loose coupling of web services developed according to SOA principles. The similarity goes deeper, in that both web services and networked processes rely on shared meaning (policy and semantics) and trust. Recent technology innovations with Extensible Markup Language (XML) make it easier to represent shared meaning, and intense efforts are going forward throughout multiple industries to reduce the interaction costs of developing the trust relationships that enable identity federation and web services. It is no accident that the emerging technologies and business models rely on similar architectural underpinnings.

Importantly, the immediate examples of process networks are emerging in relatively low-risk industries, such as apparel manufacturing, shoe manufacturing, and retail. It is relatively more challenging to develop process networks that require or perform higher-risk functions, such as those involving large financial transactions or the exchange of medical records, where the cost of developing and maintaining trust relationships is higher.

Transformative Technologies

Process networks are still in their early stages, and it is unclear how rapidly, or how far, they will actually evolve. To a large extent, process networks are dependent on transformative technologies, such as web services, federated identity, and virtualization—all of which are moving into or toward early majority adoption in key industries and regions. These technologies will help enable process networks and large-scale distributed application environments.

Hardware, storage, and communications innovations are progressing, leaving the industry with much greater processing power, bandwidth, and storage capabilities. Applications will grow in parallel with (but not quite keep up with) these innovations, thus requiring or enabling new data analytics, search capabilities, and interaction modes for individuals and organizations. Computing grids enabled by web services and hardware or storage virtualization will ultimately emerge out of these capabilities. These grids will still be very early in their evolution even in 2010, but their capabilities will already be starting to drive or enable yet more waves of capability and change in the nature of business interactions.

In a world where organizations leverage each other and expose much of their value through web services, “software as a service” may become a viable notion. Marshall McLuhan's famous quotation “the medium is the message” comes to mind, and one can imagine new business models (and security issues!) forming around the combination of process networks and software as a service.


However, most organizations should not be thinking first of what web services they can sell, but rather, what business services they can provide and how they can use software to make those services more dynamic and interactive.

Security Counterpoints to Process Networks

Although information security groups should try to enable business (rather than being naysayers), there are practical counterpoints and limitations on modern business visions, such as that of Hagel and Brown. For one thing, organizations can't just indiscriminately turn on the technological capabilities that IT creates. In the case of SOA, the organization normally defines the relationships and the IT services that will participate. But in the Hagel and Brown example, customers are giving this authority to the orchestrator and may thereby be accepting unknown risks without any assurance that the proper controls are in place. For example, downstream liability may flow from an outsourcer's improper treatment of identity data or from illegal financial dealings.

For IT, process networks will not change the nature of people, business interactions, cooperation, and competition very much, if at all. These networks will, however, allow far more rapid communications, leading to more mistakes and more benefits, all happening at an increasing pace. Visions of process networks must be properly balanced against the realities of the world in order to avoid betting the farm on the wrong horse. And as process networks and related IT capabilities grow, attackers will learn how to take better and better advantage of them until they either collapse under their own weight, or proper attention is paid to the security issues involved.

Social Software and Collaboration

Social change is accompanying the increased use of digital goods and services in daily life and work, and this change is in turn driving new technologies and market forces. Social software is a term used to describe software that lets people interact, rendezvous, connect, play, or collaborate by use of a computer network. Organizations' collaboration tools can be regarded as a form of social software, or at least as a capability that cross-fertilizes with social software used on the Internet outside the organization. Both kinds of tools are becoming more common both at home and at work. In many cases, they are replacing or complementing traditional telephone, e-mail, and web interactions.

Over the next five years, IT will approach (and in some areas arrive at) a tipping point toward always-on, pervasive bandwidth and wireless communication. Mobile devices using that bandwidth will become increasingly powerful interaction and computing tools. At the same time, new information-sharing and application models will emerge from peer-to-peer (P2P) communications capabilities and application streaming. For example, it will likely be possible for organizations to lower communication costs and increase capability by deploying software that enables self-organizing wireless mesh networks. Users may be able to seamlessly move between in-home wireless, Worldwide Interoperability for Microwave Access (WiMAX) or third-generation (3G) broadband wireless services, and local hotspots. It will also be possible to deploy various combinations of thick- or thin-client configurations to balance security, functionality, and performance needs.

Social software is thriving in the realms of online personal communication, commerce, entertainment media, and gaming. Innovative virtual-reality-style user interfaces created for gaming will appear in other online endeavors. Weblogs (blogs) and collaboratively maintained online resources (wikis) are funneling the knowledge and creative powers of millions into the ubiquitous web. Hagel and Brown also highlight the importance of social software and always-on mobile devices and computers as means of lubricating the productive friction that occurs when process networks take on difficult business problems, or during the myriad occasions when people in business processes must perform exception handling. Social software benefits to process networks include collaboration on demand, exception handling, reputation and identity management, auctions and reverse auctions, knowledge capture, knowledge repositories, and e-learning. In addition, many other societal applications will emerge that, while not necessarily suitable to all organizations, nonetheless represent new business opportunities.

Security Counterpoints to Social Software and Collaboration


Social software and collaboration technologies can bring considerable advantages to the organization. However, attacks such as those posed by macro viruses can gain footholds in these rich, customizable, highly connected environments, and, used in the wrong context, advanced tools could result in higher levels of inappropriate use and help desk calls. Thus, deployment must be calibrated to user roles and business needs. Organizations should consider thin-client approaches, terminal services, and other solutions, as well as the conventional rich-client solutions. Collaboration capabilities should be provided in the context of appropriate tools tailored for each level of user or role.

Also, these technologies, coupled with an increase in unstructured information, can spell an information leakage disaster. For example, users can download data from legacy applications, manipulate it in a spreadsheet, and store the file in a collaboration website for further modification, after which it can be e-mailed to someone who loads it back into the legacy application—bypassing all controls. New, powerful user tools coupled with collaboration technology may encourage casual disregard for established applications and their controls unless IT departments can make the controls work in a collaborative environment.

Spam over e-mail, spam over instant messaging (SPIM), spam over Internet telephony (SPIT), spam blogs (splogs), and other unsolicited and unwanted communications are constantly clamoring at the gates, and these profit-driven problems seem destined only to increase. Various filtering approaches are being tried, and many of these approaches come down to blacklisting or whitelisting, which rely on reliable source identification. Improved ability to ascertain digital identity, or at least reputation, has become an essential component for the safe or productive operation of almost all online applications. The quality of the information available from blogs and wikis, for example, could be greatly improved with better identification and reputation services.
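The dependency just described, that a whitelist is only as good as the source identification behind it, as an added illustration that is not part of the Burton Group overview. It contrasts a filter that trusts the claimed sender address with one that requires the sender to prove its origin. The message layout, the registry of vouched-for senders, and the HMAC-SHA256 signing scheme are simplifying assumptions made for this example (a production mail deployment would rely on domain-published public keys, as DKIM does); all keys and messages are constructed.

```python
"""Added example (not from the Burton Group overview): a whitelist that trusts
the claimed sender versus one that verifies the sender's origin.
Assumptions: messages are dicts, trusted senders share a secret with the
filter, and origin is proven with HMAC-SHA256 (a stand-in for DKIM-style
public-key signatures). All keys and sample messages are constructed."""
import hashlib
import hmac

# Assumed registry of senders a reputation/identity service vouches for,
# keyed by the address each may legitimately claim. Constructed sample keys.
TRUSTED_SENDER_KEYS = {
    "alerts@example.com": b"constructed-key-alerts-0001",
    "partner@example.net": b"constructed-key-partner-7a3f",
}


def _mac(key, sender, body):
    """HMAC over sender and body together, so a tag cannot be replayed
    under a different sender or with an altered body."""
    data = sender.encode() + b"\n" + body.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_message(sender, body):
    """Produce a message whose origin the filter can check. Only a holder
    of the registry key for `sender` can compute a valid tag."""
    tag = _mac(TRUSTED_SENDER_KEYS[sender], sender, body)
    return {"from": sender, "body": body, "sig": tag}


def allow_by_header(msg):
    """Naive whitelist: accepts whatever the From header claims."""
    return msg["from"] in TRUSTED_SENDER_KEYS


def allow_by_signature(msg):
    """Whitelist backed by source identification: the claimed sender must be
    on the list AND the tag must verify under that sender's key. Unknown
    senders, forged tags, and bodies altered after signing are rejected."""
    key = TRUSTED_SENDER_KEYS.get(msg["from"])
    if key is None:
        return False
    expected = _mac(key, msg["from"], msg["body"])
    return hmac.compare_digest(expected, msg.get("sig", ""))


def classify(messages, verifier):
    """Run a verifier over a batch; returns (decision, body) pairs in order."""
    return [("accept" if verifier(m) else "reject", m["body"]) for m in messages]


# Constructed sample traffic.
GENUINE = sign_message("alerts@example.com", "Disk 90% full on db01")
SPOOFED = {  # reuses a whitelisted address but cannot produce a valid tag
    "from": "alerts@example.com",
    "body": "Reset your password at http://evil.example",
    "sig": "0" * 64,
}
TAMPERED = dict(GENUINE, body=GENUINE["body"] + " -- ignore, log in here")
UNKNOWN = {"from": "random@spam.example", "body": "Cheap meds", "sig": ""}
SAMPLE = [GENUINE, SPOOFED, TAMPERED, UNKNOWN]

if __name__ == "__main__":
    for name, verifier in (("header-only", allow_by_header),
                           ("signature", allow_by_signature)):
        print(name, classify(SAMPLE, verifier))
```

Running the block shows the header-only filter accepting the spoofed and tampered messages because they carry a whitelisted address, while the signature-backed filter accepts only the genuine one. The point is not the particular primitive: blacklists fail the same way when the blocked party simply claims another address, so any list-based filter inherits the strength of whatever identifies the source.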

Where Are Business and Technology Driving Security?

Information security is not changing as rapidly as IT in general. The security management and control of people, processes, and technology have been known and practiced since the dawn of information networks, and long before. The essence of security is that an organization must develop a governance structure to address business risk management and internal control, write sensible policies, define accountability to enforce those policies, and ensure that they are being enforced. This does not change. Even limiting the discussion strictly to technology, there are unchanging principles, such as defense in depth and least privilege. The defensive layers, such as perimeter, host, and application, and their basic characteristics, remain.

Business and technology trends are, however, driving continuous incremental change in technical securityarchitecture to support distributed perimeters, heterogeneous devices, and distributed application environmentswithin and among organizations, and with their customers of all sizes. Perimeters must become more flexible,systems more trustworthy, web services more secure, identity and reputation more accountable, management andcontrol more certain, and trust itself more definable and manageable to lower interaction risks and costs.

There is another critical point here. If one accepts that the practice of information security is already well founded, then:

Q: Why are so many organizations in such turmoil trying to prevent insider attacks, comply with regulations, and cope with malware?

A: Many organizations, for all the pockets of technical excellence they may have, are not following goodsecurity practices comprehensively from the top down.

The executives of organizations that are not following sound security and risk management practices must learn tofactor information security into business risk management, consider security issues up-front in business planning,and drive good security practice down through the organization. Otherwise, organizations leave themselvesexposed to unacceptable risks and vulnerable to avoidable losses. Attackers will be more likely to converge onthem.

BURTON GROUP 7050 Union Park Center Suite 510 Midvale · Utah 84047 · P 801.566.2880 · F 801.566.3611 · www.burtongroup.com

In the long run, addressing security up-front and making or reinforcing security-aware decisions from the topdown will cost less. Consider the simple example of data center consolidation. If security and risk aggregation arenot built into the implementation, an organization may wake up one day and realize it is dangerously dependenton a single logical or physical routing or operations infrastructure. The lucky ones will identify and address thisrisk before disaster strikes, but even they will have to spend much more time and money redoing the architecturethan would have been required if security and redundancy had been built in from the beginning.

Risks to the Business

Risks will escalate with the increased automation, interdependence, and consequence surrounding IT environments. Information protection capabilities must cover all layers of applications and processes to defeat attackers of all sorts.

Globalization and technology advancement have raised the overall level of prosperity, but their effects areuneven. Many communities have been left behind or face heightened levels of unemployment orunderemployment. Global communications have intensified cultural conflict as well. The social and economicdislocation caused by globalization has joined conflicts over land, resources, and religion as a source of tensionbetween countries and societies that sometimes leads to violence and also motivates cyber-attacks.

The destructiveness of modern weaponry has generally discouraged full-scale international warfare, butasymmetrical conflicts employing terrorism, economic warfare, and information warfare will increase. Countriessuch as China, the United States, France, and others are known to be actively planning or preparing forinformation warfare, in some cases by pre-positioning people, plans, and capabilities to defend or attack criticalinformation infrastructure components, which include financial networks, utility networks, and in some cases thevery process networks that organizations are building to create value. Computer surveillance and counter-surveillance are becoming pervasive.

Violent acts of nature, such as tsunamis and hurricanes, are also on the rise, whether from long-term weather cycles, environmental and climate change, or both, and many IT environments are inadequately prepared for this level of physical disruption. Although information warfare and bad weather are not the subjects of this overview, they must be considered in business risk-management planning along with the link between IT and business continuity.

Of more day-to-day concern for information security practitioners, online users and organizations' ITenvironments now sit squarely in the crosshairs of a pervasive enemy—the online criminal.

Hunting in Packs

Most significant threats to organizations now follow money, not notoriety. Although there are still those who hackor research for the joy of solving hard problems and the recognition that comes from publishing information abouta vulnerability, significantly more hackers are blending into the broader criminal networks.

Online criminals often hunt in packs. Exploit-coders communicate freely with one another over the Internet and atconferences to create attack tools. Criminals can rent access to botnets of already-compromised systems ordevices to conduct attacks. Identity databases or information on business plans, products, processes, or designs areat risk of theft by insiders, criminals who penetrate organizational networks, or both in collusion. Once theinformation is obtained, it can be sold to still other criminal elements; for example, there are websites that sellcredit card numbers.

Criminal elements are adept at masquerading as, or infiltrating, legitimate organizations. For example, it wasrevealed in February 2005 that Nigerian scammers and other thieves used previously stolen identities to createapparently legitimate organizations seeking ChoicePoint accounts, and over the course of more than a year,opened about 50 accounts and received personal information on consumers in order to facilitate at least 750 casesof identity theft.2

There are many variants of online criminals. Some, like the attackers behind the Titan Rain intrusions attributed to China,3 are apparently involved in information warfare or industrial espionage. Fringe elements of environmental and other groups may engage in socially motivated cyber-attacks, or “hacktivism.” Many criminals are involved in identity theft, and others employ extortion through distributed denial-of-service exploits using botnets to attack online properties such as e-commerce sites, financial services, or so-called gray markets like online gambling that may be a low priority for law enforcement protection.4

The potential ties between cyber-attackers and violent criminal groups make infiltration or investigation risky,and—because of organized cybercrime's amorphous, distributed, and transjurisdictional makeup—it is extremelydifficult to apprehend and convict perpetrators. Ultimately, the legal system must provide a stronger deterrent tocybercrime on the international playing field. Although there have been some successes in high-value or high-publicity crime cases, some references3, 4 suggest that the effectiveness of law enforcement against industrialespionage and cyber-extortion has been poor. Governments five years from now may be no better prepared to dealwith cybercrime than they are today, due to international jurisdictional challenges, lack of expertise, and lack ofresources. Organizations must be prepared for the threats to continue amid a continuing deficit of effective legalremedies and deterrents.

Shifting Attack Targets

Security of personal computer (PC), server, and mobile device operating systems is still far from ideal, but significant progress has been made in patch update distribution and quality control. Increased deployment of firewalls and anti-virus technologies watching for attacks on systems has motivated attackers to shift some of their focus to applications, users, and even security software, such as the personal firewalls found on many systems. Applications transferring funds or databases holding troves of assets such as credit card numbers are particularly attractive targets.

Malware exploits are falling on fertile ground. Phishing has been found in more than ten languages and countries.A late-2005 survey of online safety in the United States5 found that 70% of users thought that phishing e-mailswere actually from financial (or other) institutions, while 81% lacked comprehensive anti-virus, anti-spyware, andpersonal firewall protections (though most of these users thought they were protected).

Phishing attacks combine technical trickery and social engineering. They include bulk e-mail deceptions,redirection of users to deceptive or malicious websites using poisoned Domain Name System (DNS) servers(pharming), compromised routers, infiltrated browser helper objects, bogus search engines or search engineentries, and modifications to configuration entries such as the “hosts” file on computer systems. Maliciouswebsites, toxic blogs, and other online systems scan or attack visitors and entice users to reveal accountinformation and other secrets for use in financial fraud.
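Of the techniques listed above, the hosts-file modification is the one a desktop administrator can check for directly, because a hosts entry overrides DNS for the named host and produces no DNS traffic to observe. The following is an added example, not part of this overview: a Python check that parses a hosts file and flags any entry pinning a watched domain (or a subdomain of it) to an address, distinguishing redirection to a foreign host from blackholing. The watched domains, the sample hosts content, and the documentation-range address 203.0.113.10 are constructed for illustration; a real check would read the system hosts file and a list of the organization's own and its customers' brand domains.

```python
"""Hosts-file pharming check.

Added example, not from the original overview. A hosts entry overrides DNS
for the named host, so pinning a bank's domain to an attacker's address
redirects the user without any DNS traffic to observe. The watched domains,
sample hosts content and addresses are constructed for illustration.
"""
import ipaddress
import re

# Constructed watch list: domains that should never be pinned on an endpoint.
WATCHED_DOMAINS = frozenset({"bank.example", "pay.example"})

# address, one or more hostnames, optional trailing comment
_HOSTS_LINE = re.compile(r"^\s*([^\s#]+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping blanks, comments and malformed lines."""
    for raw in text.splitlines():
        m = _HOSTS_LINE.match(raw)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a usable override; skipped
        for name in m.group(2).split():
            yield addr, name.lower().rstrip(".")


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True for a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_pharming_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Return findings for every pinned name under a watched domain.

    'redirect' : pinned to a routable address, so traffic goes to that host
    'blackhole': pinned to loopback/unspecified, so the site is unreachable
    """
    findings = []
    for addr, name in parse_hosts(hosts_text):
        if not is_watched(name, watched):
            continue
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"host": name, "ip": str(addr), "kind": kind})
    return findings


# Constructed sample; 203.0.113.0/24 is the documentation range, not a real host.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       ads.tracker.example            # common ad-blocking entry, benign
203.0.113.10    www.bank.example bank.example  # pharming: pinned to a foreign address
0.0.0.0         update.pay.example             # watched site blackholed
not-an-ip       www.pay.example                # malformed, skipped
"""

if __name__ == "__main__":
    for f in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{f['kind']:9} {f['host']:22} -> {f['ip']}")
```

Loopback entries for unrelated names are deliberately not reported, since ad-blocking and test configurations use them legitimately; only names under a watched domain are of interest. Because the check is local, it should run from the endpoint agent or login script rather than from the network, where a pinned host leaves no trace.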

When phishing afflicts consumers, one can argue whether or not it is fair that organizations should have to takeresponsibility for the users' mistakes and naiveté. Yet phishing is bad for brands and may even pose legal risks inlitigious societies. Many organizations are increasing efforts to protect customers from phishing, but this is noeasy task. It will require user education, spam blocking, improved security of DNS and other networkinfrastructure, sophisticated intrusion detection systems, automated fraud detection, improved authentication ofusers (using tokens, biometrics, or other forms of two-factor authentication), and rapid response to significantlyreduce the effectiveness of these attacks.

The term “spyware” is vague, encompassing everything from tracking cookies to extremely malicious attackprograms. Certain attack programs, such as keyboard logging or remote control Trojan horses, are increasinglyprevalent and of great concern. These attack programs may embed themselves in trusted applications so as toevade detection by firewalls. When embedded in the operating system itself, attack programs are referred to as“rootkits,” and these are growing in number and are much harder to remove than viruses or previous types ofmalware infestations.

Embedded attacks seem to be the coming thing. Each new medium—P2P, Voice over Internet Protocol (VoIP),instant messaging (IM), Really Simple Syndication (RSS), and Bluetooth—has been used as an attack vector todistribute malicious code and entice users to visit malicious websites. For example, attackers wrote programs tohide within the breach created by Sony Corporation's (now withdrawn) CD copy protection software, whichalthough not designed to be an attack tool, hid information in the operating system much like a rootkit.6Sophisticated man-in-the-middle attacks, though rarely seen today, may also emerge.

Will the Security Situation Get Better or Worse?

Individuals and organizations are becoming ever more dependent on the automation, intelligence, and storedknowledge or data provided through information technologies. There is a growing interdependence betweenorganizations, online applications, information infrastructure, and communications infrastructure. At the sametime, IT complexity is rising, and the growing value and consequence reposed in IT attracts more numerous andsophisticated criminals and other attackers.

This is why—when asked “Will the security situation get better or worse?”—information security professionalswho are taking the long view usually say: "Worse." However, over any short-term period, the situation mayimprove or worsen, with respect to the overall risk from particular types of attacks. Thus, while the red linedepicting risk level over time in Figure 2 is generally rising, it undulates up and down over the years like anirregular sine wave. The worms and viruses that rocked the IT world from 2001 to 2004 were more efficientlyneutralized in 2005, even though there were more of them. Yet throughout 2003–2005, phishing, spyware, Trojanhorses, and other threats emerged in large numbers, and it is likely that 2006 and 2007 will see more of them, aswell as rootkit exploits. More attack programs will embed themselves in a variety of applications, thus becomingmore difficult to detect and remove. It will require improved user awareness and layered defenses, such asdetection, system integrity controls, user authentication, and application security, to contain emerging attacks.

Figure 2: Escalating Risk and Consequence

Yet even as the countermeasures now under development for 2006 and 2007 become effective, the criminal ecosystem will move on to new levels of exploits. To the extent industry doesn't learn well from history, it will have to repeat it. Future exploits will attack new applications and media that are rolled out with insufficient security provisions or without anticipating the nature of attacks or the impact of new communication channels. For example, one client's chief information security officer (CISO) said “Web 2.0” Asynchronous JavaScript and XML (AJAX)-enabled technologies, which offer thick-client usability with all the control problems of thin clients, “scared the bejesus” out of him. His organization is already blocking services like meebo.com for IM that would bypass the corporate IM gateways. In general, there will be continued attacks on web services, popular business applications, and the security software itself. Typically, exploits will aim at whatever technology is the most widely used, which is why vendors such as Microsoft and Symantec have been targeted the most, and Linux, Apple Computer, and McAfee less.

Extrapolating current trends toward embedded attacks, social engineering, and attacks on applications, it is clearthat security will increasingly be required for applications—and in the context of the applications, not just at thebits and bytes speeding through the network. Emerging protection functions will need to understand and manageaccountability, change control, and runtime control for the applications and services themselves, in order toproperly secure them, and security must be instilled into the software development lifecycle (SDLC).

To put things into perspective, however, for all the risks and exploits, as of early 2006, the Internet still exists, lifeas we know it goes on, economies still mostly move forward, and people still buy Christmas presents on theInternet. It is a testament to the resilience of people and organizations that they were able to adapt (or muddlethrough) even when the Blaster worm “rocked the IT world” and doomsday fears of “zero day worms” abounded.Nonetheless, continued escalation of threats and consequences is forcing organizations to factor an increasedinformation security burden into their processes and budgets.

How Much Should Organizations Spend on Security?

Security spending has become as inevitable now as death and taxes. Business stakeholders often ask: “Why do we have to pay so much?” In answer, one might offer the drivers for information security presented in the previous sections and argue that the real questions should be: “How much is enough? Are we shooting at the right target? Are we spending efficiently to make the organization adequately secure?” The real total cost of information security is quite hard to measure, and Burton Group believes there are dramatic differences in effectiveness between organizations that just muddle through versus those that follow a systematic, comprehensive approach to information security from the top of the organization on down.

Security Spending Is Linked to Bigger IT Management Issues

Burton Group is not a quantitative research firm, but it can discuss known statistics and statistical trends. Firstamong these is that no consensus exists among quantitative researchers, or among organizations themselves, onhow to measure the actual amount of security spending, on what that spending is, or what the spending isdelivering. However, some interesting numbers and ideas are set forth for the reader to consider, and to provokemore thoughts on making business sense of security.

According to an unpublished IBM Tivoli study commissioned with International Data Corporation (IDC) in 2004,projected IT budgets worldwide over the period 2003–2008 will grow at an average of 4.6% annually. However,management (or operations) labor is growing at 10% per year and will constitute 73% of IT budgets by 2008.These labor costs include some security-related costs, such as rebuilding malware-infested systems, reconfiguringsecurity services, and compliance testing or reporting. But mostly, they involve maintenance, whether of securitycomponents or something else. IT capability feeds on itself and new systems accrete on top of old ones such thatmany organizations are like curators of IT museums. Sometimes the complexity of the environment itself createsproblems that require supplemental solutions, which add to the complexity.

IBM Tivoli argues that IT labor costs are reaching the point of crisis because they are crowding out the funding available for new IT development activities, which are important for competitive advantage. Therefore, more sophisticated IT service management, including security and the automation of compliance functions, is critical to preserving the productive capability of IT departments. Burton Group largely agrees with this opinion, but remains concerned that optimization will be difficult while IT continues its rapid rate of change.

Management problems in information protection are symptomatic of management problems in IT as a whole and vice versa. If the IT environment is in disarray, managing and securing it will be relatively more expensive. Some other statistics from the IBM Tivoli/IDC study mentioned previously, that 80% of problems are reported by users and 85% of problems were caused by changes, suggest that a great many IT environments are in a mess. In some cases, organizations facing IT management issues have punted, outsourcing in a relatively indiscriminate fashion, thus often raising control issues. However, if more organizations take an approach to IT that is similar to the process and design optimization of manufacturing in the 1990s, implementing step-function changes will become less painful. Including security considerations in total design lifecycles would also simplify security budgeting and increase cost effectiveness.

It's Hard to Pin Down the Right Amount of Security Spending

Estimates of IT security spending as a percentage of the IT budget are all over the map. For example:

● 4.3% was an approximate weighted average of the “2005 CSI/FBI Computer Crime and Security Survey”7respondents who claimed to know the percentage of IT budget spent on security by organizations in the UnitedStates.

● 6–9% trending downward was a Gartner Group estimate issued in a September 2004 press release.

● 13% was the average from CIO Magazine's “The Global State of Information Security 2005.”8 Averageresponses from North America (11.4%) and Europe (12.3%) were lower than those from other world regions.

Why were the Computer Security Institute (CSI)/FBI and CIO Magazine estimates so far apart? Both tookrespondents from organizations of all sizes; only 37% (CSI/FBI) and 21% (CIO Magazine) of respondents camefrom large organizations (with over $1 billion revenue). However, CSI/FBI surveyed U.S. respondents, whereas CIO Magazine surveyed respondents worldwide. Also, CIO Magazine respondents were likely higher-rankingthan CSI/FBI's and (perhaps) more aware of all the “pots” from which security budget might come. CIOMagazine stated: “When asked where besides the security budget does money used for information security comefrom, 58% answered IT while 19% answered Finance. Other areas included Compliance/Regulatory departments(19%) and lines of business (18%).”

Burton Group guesstimates that most large organizations headquartered in North America or Europe spendbetween 5% and 10% of their IT budget on security, including contributions from business units. Compliancecontributions are probably a wash, as this additional money may be included in the IT security budget oraccounted for separately. The guesstimate does not include hidden costs, such as the lost time users mayexperience when their personal firewalls malfunction, or the excessive number of part-time, off-budget peopleinvolved in account maintenance at an organization with ineffective identity management (IdM).

This brings us close to the crux of the matter: How much is enough? There is a big gap between 5% and 10% ofthe IT budget, and IT budgets themselves vary significantly based on industry and organizational styles, profiles,and structures. Nor, due to measurement issues, is it necessarily true that the organization spending 10% is gettingtwice as much security for the money as the one spending 5%. It is possible, for example, that an effectivesecurity department might minimize its own budget by getting business units to do more of the security work forit—and embedding security into normal business processes is generally considered a good thing.

But leaving aside measurement anomalies, three factors could, in general, help large organizations determinewhere the right level of spending lies: 1) the vertical industry they are in, 2) whether they are realizing economiesor diseconomies of scale in information security, and 3) risk management considerations.

It has long been conventional wisdom that IT spending and security needs are higher in vertical industries (suchas financial services, health, and government) and lower in industries such as manufacturing and retail. Worstcase, a multinational financial services firm with an insurance arm likely holds high global brand equity andstores reams of sensitive consumer financial or identity information; conducts high-value transactions andsensitive merger or acquisition negotiations; generates valuable intellectual property through research anddevelopment (R&D) for new offerings; and is subject to more regulations than we care to enumerate. Best case, avery large, privately held retailer may operate only in one country, conduct relatively low-value transactions, andbe subject to almost no regulations impacting IT security. Thus, the conventional wisdom about vertical industryaffiliation determining spending levels still holds some validity both from compliance and security needs points ofview. However, regulations (such as the Sarbanes-Oxley Act [SOX], the EU Data Protection Directive, the U.S.PATRIOT Act, and many others) now affect companies in previously untouched vertical industries, such asmanufacturing, transportation, utilities, and even retail. These industries are also growing more dependent on IT.The bar has been raised for most organizations.

Security spending comes with both economies and diseconomies of scale. The larger the organization gets, thebetter the volume discounts on software and other leverage during negotiations with vendors, system integrators,or service providers. Many investments can be amortized over a larger population of users to yield a lower per-head cost. However, large global organizations often comprise multiple subsidiaries operating in differentjurisdictions with differing regulations, deal with many business partner organizations in many jurisdictions,retain managers, employees, and contractors with diverse cultural backgrounds speaking multiple languages,operate divergent lines of business in various industries, and host a wide array of heterogeneous IT applications,infrastructure, devices, and connectivity methods. The resulting threat, compliance, business, and installed-basecomplexity can create vast diseconomies of scale in security programs for large organizations.

Diseconomies might be reduced by optimizing messy IT environments that are driving high security andmanagement costs. But considerable complexity remains inevitable for many large organizations, and there arelimits to optimization. It is important to bear in mind Einstein's motto: “Everything should be made as simple aspossible, but no simpler.”

The Crux of the Matter

By one estimate,9 U.S. organizations and government poured almost $40 billion into security technology investments from 2000 to 2004. This staggering sum raises the question: “Was that too much?” However, it turns out that may be the wrong question.

With virus and worm attacks grabbing headlines through 2004, tremendous investments flowed into perimeterdefenses and content control solutions for laptops and desktops. As Peter Kuper argues, “The security technologyfocus and subsequent total dollars spent is inverted. Collectively, during the past five years, organizations havespent more than US$15 billion on anti-virus and firewall/virtual private network (VPN) software (perimeter-related technology spending estimates based on IDC and Morgan Stanley research)—more than ten times theamount spent on encryption software, one of the more obvious technologies for protecting [the critical] data atrest.”9

After passage of California Senate Bill (SB) 1386 and similar laws requiring disclosure of security breaches, newheadlines surfaced concerning large-scale “data spills” at financial services firms, service providers, universities,and other organizations. Spending has begun to even out across Kuper's inverted funnel, shifting from theperimeter (and anti-virus) layer to internal networks, applications, and data.

However—given important management, availability, usability, and recovery issues—a pell-mell rush towarddatabase encryption isn't necessarily the right answer. Access control, internal network zoning, andphysical/personnel protections are also very effective data protection measures. Rather than stampeding this wayand that with the headline-obsessed herd, organizations should ask: “Are we shooting at the right target?”

How Should Organizations Address Compliance?

Laws and regulations are starting to address information age externalities—such as privacy and criticalinfrastructure protection—that the market would not otherwise factor into profit-loss equations. The proper way toaddress both compliance and “shooting at the right target” is through business risk management and a systematic,comprehensive approach to security—not by robotically following checklists. Unless security and the regulationsare addressed holistically, compliance programs will serve no more lasting purpose than rearranging deck chairson the Titanic, and profitability, partnering, and outsourcing efforts may all ultimately suffer. The challenge is toget the auditors, the executives, and the organization to start thinking this way.

Get Set to Manage Many Compliance Mandates, and More to Come

Organizations face a broad array of mandates for financial reporting, data protection, and business continuity fromregulatory bodies, business partners, and internal policies. At their best, compliance mandates eliminate marketexternalities, confer social benefit, or bring stability to competitive markets. At their worst, compliance mandatesgenerate unnecessary controls, restrictions, reporting requirements, and costs.

Constituencies—such as individuals, activists, regulators, and organizations—differ considerably on whetherspecific regulations are positive or negative for business and IT. Many consumers in the United States mightapplaud SB 1386, for example, because only with mandatory disclosure have they been able to discover just howbad IdM really is, and hope to shame data custodians into better behavior. IT staff, on the other hand, grumbleabout the murky definition of a “breach”; for example, does a printout of names and addresses accidentally leftunattended on a cafeteria table for 15 minutes (against policy, but apparently undisturbed) constitute a breach?

After Enron and other corporate debacles, investors welcomed SOX as a way to force management to providetruthful accounting statements. Yet the act had a huge, mostly unanticipated financial impact on IT staff, whowere confronted by legions of junior auditors bearing checklists about anti-virus controls, password lengths, andall sorts of things that arguably had little or nothing to do with executives misstating earnings estimates. Vendorssowed fear, uncertainty, and doubt (FUD) while some managers did not adequately control the scope of SOXactivities and bundled too many people, projects, and tools onto the compliance spending bandwagon. As a result,one survey of IT professionals found many saying that SOX rules would be the biggest waste of IT resources forpublic companies in 2005.10 Still, SOX has had a positive effect in general, as executives must now take moreaccountability for IT-related decisions or risks that could affect shareholder value. It will be interesting to seewhether other regulations, such as the UK Companies Act, have a similar effect.

Society is increasingly becoming aware of the extent to which networked databases include large collections of ever more detailed personal information.11 The story of privacy regulations is still being written; with their bewildering multijurisdictional inconsistency, these regulations have caused their share of IT headaches. It is difficult, for example, to comply with French privacy laws and SOX whistleblower provisions at the same time.

It is easy to be distracted by the minutiae of compliance requirements and auditor checklists. Some excess costs will be impossible to avoid. The obvious silver lining for security professionals is the heightened focus compliance puts on information protection and the support it lends to myriad business cases. A less obvious but even more important benefit is that constant change in compliance mandates makes it more imperative than ever to create properly managed security programs. And for all their problems, many regulations get it right by pressing organizations to do something they should be doing anyway: risk management.

Let Risk Management Select the Right Targets

Compliance should encourage proper risk management, and many regulations, such as SOX as interpreted by theregulators, don't prescribe specific technical solutions. Instead they require that organizations conduct a riskmanagement process to determine what they should be doing about the problem the regulation addresses.However, organizations and their auditors don't always live up to the intent of SOX and other regulations in theway that they comply.

Risk management is the act, manner, or practice of supervising or controlling risks—including avoidance, acceptance, mitigation, or transfer of risks. (See the Security and Risk Management Strategies overview, “Concepts and Definitions.”) Business risk management is risk management carried out at the senior executive level. Consider a simple example: Suppose a business located its entire manufacturing plant on an active volcano because the land was cheap. Betting the business on a single volcano's quiescence would probably be considered reckless. But what if management understood the probabilities of eruption, learned how to tap abundant volcanic energy, and then decided to mitigate (or disaggregate) risk by locating multiple manufacturing plants on multiple volcanoes? That might be considered brilliant.

The Internet's networks are like volcanoes. Information age businesses are becoming increasingly dependent on their abundant communications, collaboration, and commercial energies. But there is always the danger of major outages or attacks. Information security must be factored into business risk management at the senior level. This doesn't mean that executives have to be technologists. But they must learn the basics of information security, and create processes that are certain to bring them the knowledge to understand how to mitigate (or disaggregate) Internet and other information risks.

But it would be disingenuous to say compliance demands only that organizations do what they should have been doing anyway. Regulations create risks unto themselves, and also tend to demand much more documentation than even an organization accustomed to risk management would otherwise produce. Bad publicity, failed audits, and other compliance issues may be more of a risk than an actual incident or attack. Regulatory investigations can be devastating to revenue, reputation, or a firm's share price. Legal discovery requests for reams of electronic records and documents can drain significant IT department resources. Organizations must employ risk management, but, in so doing, remain aware of compliance imperatives, and control IT accordingly.

The problem is that some executives and organizations have let compliance issues blind them to overall information security needs. Rather than creating the processes and allocating the resources to fully factor information security into risk management, they have looked for easy answers in the form of checklists or best practices. Many organizations have been driven in this direction by some auditing body shops, who like nothing better than to employ large numbers of low-paid workers to go through the mind-numbingly long checklists, such as those in the Control Objectives for Information and related Technology (CobiT), often without even customizing these to an organization's unique risks and business environment.

Checklists can be useful as a source of sound security practices to consider, but there must be guidance from the top. Executives and information security managers should start by working through the “Internal Control—Integrated Framework” report created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), or a similar framework for business risk management. Good practices and checklists should be used (perhaps by modifying generic templates) after risk management and security evaluation of the organization's unique characteristics has been done properly. CISOs and security managers should not hesitate to push back against excessively checklist-bound auditors. Checklists may satisfy one auditor one time, but they don't create sustainable security or the competent flexibility needed to comply with the ongoing waves of regulatory activity expected worldwide.

Take Due Care with Compliance, Partnering, and Outsourcing

As discussed previously, intense competition has driven outsourcing as a cost-cutting initiative, and in recent years, outsourcing has emerged as a strategy for dynamic capability building in organizations. However, compliance is one of the flies in the ointment of outsourcing. Regulatory burdens, such as privacy protection, critical infrastructure protection, consumer safety, product quality, and accurate financial reporting, don't just disappear when work is sent to an outsource partner. In most cases, accountability for regulatory compliance remains with the outsourcing firm, not the supplier. Assigning downstream liability or taking other measures to improve control can add substantially to the cost of an outsource arrangement, particularly when sensitive information is involved.

Loose coupling of process is a relative matter. Legal agreements and audit provisions will have to specify each partner's obligations and become part of the shared meaning and trust in the relationship. Industries need to develop reusable audits—such as the Statement on Auditing Standards (SAS) 70 audit used in the service provider market—and other certifications that can underpin multiple partnerships and thus hold interaction costs down. Opportunities for loose coupling will vary by industry, with the credit card and apparel value chains sitting somewhere toward the opposite extremes. Credit card networks hardwire some fairly stringent requirements with the likes of Payment Card Industry (PCI) obligations, and these will only get more stringent amid the furor over identity data spills. Regulations concerning zippers from Japan and yarns from Korea are relatively skimpy, so apparel industry process orchestrator Li & Fung gets off lightly. But global brands must guard their reputations; elsewhere in the apparel industry, Nike got nicked by adverse publicity about poor working conditions at some of its Asian subcontractor facilities.

IT outsourcing, in particular, complicates control and compliance. A bank in the northeastern United States, for example, outsources software R&D and maintenance to staff in India who gain access to the systems by VPN. IT security at the bank must forestall any such users from parlaying their R&D access into production systems holding Gramm-Leach-Bliley Act (GLBA)-relevant consumer information or SOX-relevant financial information. Meanwhile, the bank's legal department worries about enforceability of confidentiality contracts and data ownership laws overseas. Note that these are generic outsourcing concerns, and none of this is to suggest that staff in India are any more or less trustworthy than outsourced resources in Indiana (United States).

Another large, global company outsources the operation of almost all its networks and computers to a contractor and has effectively lost control of the environment because it no longer possesses system administrator passwords nor provides much day-to-day supervision. The outsourcer has a good reputation for secure and competent operations, but should something serious go wrong, the compliance consequences may come back to roost on the outsourcing customer. To keep the outsourcer honest, provide early warning of problems, address incidents, and show due diligence, customers that have outsourced large portions of IT must revisit outsourcing contracts to ensure that adequate reporting, control, and rights of inspection are provided for. It is also important to add resources, or redirect resources, to provide more supervision or audit of third-party activities.

How Should Security Needs Be Communicated?

During the planning and budgeting for security and the setting of policies, CISOs need to help their organizations get away from false expectations and unworkable approaches. They must communicate that no matter how well funded the security program is, there will be many economic tradeoffs between security and other business requirements, and many risk-based tradeoffs between acceptance, transfer, avoidance, or mitigation of risk. The business cannot cost-effectively drive risk to zero, and there needs to be a shared realization that incidents will occur. Also, there is no single technology quick fix to the information security problem.

CISOs should work to obtain more information security accountability, oversight, and buy-in at the chief executive officer (CEO), chief information officer (CIO), and business unit executive levels. These executives are the ones who are ultimately responsible for ensuring that processes exist to bring them the knowledge needed to factor information security into business risk management, which defines the highest-level protection requirements. Such buy-in should, in general, not be solicited through FUD tactics as these may backfire and cause the CISO to lose credibility. The SOX “CEO jail card,” for example, has been grossly overplayed.

Communicating within the organization is a two-way street. CISOs should establish programs to instill appropriate knowledge and awareness in executives, managers, and staff members concerning their respective security-related roles so that security-related processes can become part of the way the organization naturally works. CISOs should first solicit business requirements that will affect security, then show the traceability from these requirements to the security projects that are ongoing. After enough knowledge and awareness is in place, some personnel will become more proactive in helping to set security requirements and provide feedback on security projects. CISOs should always be on the lookout for opportunities to use security to enable additional capabilities in organizations that would otherwise be deemed too risky.

It helps to understand what business managers and staff members need to know with respect to information security, and what they don't.

Business managers and users must understand and actively participate in:

● Business risk management
● Business continuity planning
● Regulatory compliance
● User entitlements management
● Third-party contracts and relationships
● Communications and collaboration security

Business should not have to understand:

● Virus and malware protections
● Host security
● Application and cryptographic security details
● IT disaster recovery details
● Network security

Table 1: Information Security Communication Considerations

However, there needs to be some transparency about the information security budget and its effectiveness. It is also important to explain the rationale for restrictive measures, such as network zoning and desktop lockdown, that may have business impact, and to communicate procedures that enable appropriate degrees of flexibility. The CISO can also build goodwill by providing tools and procedures to support the business in dealing with those items (above) that it must understand and actively participate in.

Even in a well-run security organization, incidents will happen, and again, realistic expectation setting is the key. CISOs should communicate the notion of residual risk to business executives (who understand notions of diminishing marginal returns), and security staff should communicate the strong technical qualities of information security technologies to IT executives. There should be an incident response plan so that when incidents occur, IT can show preparedness and operational excellence under pressure and get to the root cause fast. After incidents occur, the incident response team should always take the time to conduct a debriefing to determine process and control improvements, and report the results to the stakeholders impacted to further enhance the credibility of the response actions.

What Technical Security Capabilities Should Organizations Envision?

Organizations require a strong and risk-appropriate defense. Without risk analysis, it is difficult to know whether an organization's technical security infrastructures are underprotecting or overprotecting. But although risk considerations will dictate different deployments and priorities at different organizations, there are a number of sound technical security practices that most should follow. For example, organizations should deploy firewalls and anti-virus protections today. Over time, additional defenses will need to become as commonplace as the firewall.

The long-term security technology strategy needs to be envisioned in light of current and emerging technology trends, market trends, and attack patterns. Most of the capabilities needed for a strong defense are already available, but many of the solutions are fragmented or immature. Each new type of attack (actual or imagined) seems to spawn a new product category, and overburdened IT security teams must install, operate, and manage a complex array of technical solutions competing for limited monetary or attention budgets.

Overlap, requirements diversity, and myriad creative market-positioning efforts by the vendors have created a category train wreck in the security software market. Customers cannot just evaluate products in a category, but must look deeper into capabilities of products and how they integrate. This calls for a long-term vision and a more comprehensive look at architecture.

The sections that follow propose high-level visions, or strategies, for the following components: flexible and fine-grained zoning, more-trustworthy systems, Internet identity, better-protected SOAs, advanced content control, trust frameworks, and an organization-wide control system for information protection.

Flexible and Fine-Grained Zoning

Today's perimeter technologies and zoning capabilities are too coarse grained for many organizations with their complex partnering needs, mergers/acquisitions, or organically developed data center sprawl. Process networks, real-time wireless communications, and social or collaboration software are demanding even more flexibility. Future zoning solutions will employ intelligent perimeter devices and proxies, virtual data centers, and sophisticated control services to become much more flexible and fine grained over the next five years. However, physical separation will always be the best guarantor for high assurance, and there remains doubt that virtual servers or multifunctional devices will be able to provide assurance of separation or isolation close to that conferred by a dedicated firewall.

More-Trustworthy Systems

Current operating systems for PCs, servers, and handheld devices are still too vulnerable to malware, provide most users with more privileges than are good for them, and require too much end user management of security configuration. Future systems will contain better host-based protections against malware and will be configurable to enforce policies that are dynamically controlled from security management systems. More-trustworthy systems will not only protect themselves, but they will protect the users and applications that run on them, even if this means protecting the users from themselves through least-privilege approaches. Virtualization will be used to enable protection without sacrificing too much usability or compatibility. More-trustworthy systems will also leverage Trusted Platform Modules (TPMs), although there is a degree of uncertainty concerning how deeply applications, operating systems, and management systems will support TPM, even at the end of five years.

Internet Identity

The classic New Yorker cartoon caption, “On the Internet, no one knows you're a dog,” unfortunately refers to the general level of user security awareness as well as organizations' inability to identify people on the network. Over the next five years, an emerging class of Internet identity systems must and will address strengthened authentication/identification assurance, privacy protections, and redesign of the user interfaces that people employ so as to increase security, safety, and awareness online. Privacy-friendly applications will enable individuals to maintain multiple aliases or personas and will use data-masking techniques to protect personal information where possible in data exchanges that support outsourcing or other relationships. Organizations will be able to deal with identity in terms of multiple contexts and representations so as to balance security, privacy, and convenience. Organizations will also be able to leverage better IdM tools internally. Identity of services and objects as well as identity of people must be supported.

Better-Protected SOAs

In order to optimize application architectures and enable flexible process networks, organizations will have to adopt SOA design principles, and SOA will likely become the predominant design approach by 2010. But due to their open and often externally facing nature, distributed SOA deployments may be very exposed to attacks. SOA security support will be required for all phases of deployment. Security tools will be available for developing and testing web services, controlling their configuration through web services registries, and controlling them at runtime through web service management infrastructures. Security token services and security policy repositories will provide the tokens and other cryptographic artifacts required to protect web services traffic and reflect the trust relationships among organizations and domains using web services.

Advanced Content Control

Advanced content control technologies will be needed to enable social software and collaboration to operate safely across distributed zones, environments, and organizations. Anti-malware protections will be provided for systems, shared media such as databases, store and forward media such as e-mail, subscription/syndication services, and real-time communications.

Organizations must also attempt to prevent the leakage of confidential or sensitive content. Planners will be able to select among ever-improving content filtering, encryption, rights management and other transforms, and physical or network separation defenses to mitigate various content-related risks. Repositories and applications may also become more adept at leveraging XML tagging and digital signatures to provide strong data labeling not only for use control, but for data retention and destruction purposes.
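The signed-label mechanism named in the paragraph above, as an added example in Go (not code from the original overview or from Burton Group): a hypothetical XML label carrying a classification, a retention date, and a use-control list is signed with Ed25519 by the data owner; a consuming application re-marshals the label, verifies the signature, and derives an allow, deny, or destroy decision. The element names, the decision policy, the key handling, and the sample values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// DataLabel is a hypothetical XML label; element names are assumptions for this example.
type DataLabel struct {
	XMLName        xml.Name `xml:"label"`
	Classification string   `xml:"classification"`
	RetainUntil    string   `xml:"retainUntil"` // RFC 3339; destroy the record after this
	AllowedUses    []string `xml:"allowedUse"`  // use-control list
}

// SignedLabel adds an Ed25519 signature over the label's canonical XML.
type SignedLabel struct {
	XMLName   xml.Name  `xml:"signedLabel"`
	Label     DataLabel `xml:"label"`
	Signature string    `xml:"signature"` // base64
}

var ErrBadSignature = errors.New("label signature invalid or label altered")

// SignLabel is run by the labeling authority. encoding/xml marshals a struct
// deterministically, so a verifier reproduces the signed bytes by re-marshalling.
func SignLabel(priv ed25519.PrivateKey, l DataLabel) (SignedLabel, error) {
	b, err := xml.Marshal(l)
	if err != nil {
		return SignedLabel{}, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, b))
	return SignedLabel{Label: l, Signature: sig}, nil
}

// VerifyLabel is run by any application relying on the label; any field change since signing fails.
func VerifyLabel(pub ed25519.PublicKey, s SignedLabel) error {
	b, merr := xml.Marshal(s.Label)
	sig, derr := base64.StdEncoding.DecodeString(s.Signature)
	if merr != nil || derr != nil || !ed25519.Verify(pub, b, sig) {
		return ErrBadSignature
	}
	return nil
}

type Decision string

// Allow: use is listed; Deny: use unlisted or label untrusted; Destroy: retention elapsed.
const Allow, Deny, Destroy Decision = "allow", "deny", "destroy"

// Decide fails closed: an unverifiable label is denied, and retention is checked before any use.
func Decide(pub ed25519.PublicKey, s SignedLabel, use string, now time.Time) (Decision, error) {
	if err := VerifyLabel(pub, s); err != nil {
		return Deny, err
	}
	until, err := time.Parse(time.RFC3339, s.Label.RetainUntil)
	if err != nil {
		return Deny, fmt.Errorf("unparseable retainUntil: %w", err)
	}
	if now.After(until) {
		return Destroy, nil
	}
	for _, u := range s.Label.AllowedUses {
		if u == use {
			return Allow, nil
		}
	}
	return Deny, nil
}

// Scenario signs a constructed label, persists and reloads it as XML, then returns the decisions
// for a listed use, an unlisted use, a request after the retention date, and a forged label.
func Scenario() (allowed, denied, expired, tampered Decision, tamperErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	signed, err := SignLabel(priv, DataLabel{Classification: "confidential", // constructed sample
		RetainUntil: "2013-12-31T00:00:00Z", AllowedUses: []string{"audit", "reporting"}})
	if err != nil {
		panic(err)
	}
	raw, _ := xml.Marshal(signed) // the form a repository would persist
	var stored SignedLabel
	if err := xml.Unmarshal(raw, &stored); err != nil {
		panic(err)
	}
	within := time.Date(2010, 6, 1, 0, 0, 0, 0, time.UTC)
	allowed, _ = Decide(pub, stored, "audit", within)
	denied, _ = Decide(pub, stored, "marketing", within)
	expired, _ = Decide(pub, stored, "audit", time.Date(2014, 1, 2, 0, 0, 0, 0, time.UTC))
	forged := stored // widening the use list without the owner's key must be refused
	forged.Label.AllowedUses = []string{"audit", "reporting", "marketing"}
	tampered, tamperErr = Decide(pub, forged, "marketing", within)
	return
}

func main() { fmt.Println(Scenario()) }
```

The design point worth noting is that the consumer never trusts the label's fields before the signature check, so a label that has been edited to widen its use list or push out its retention date is treated as untrusted rather than as authoritative. This example relies on encoding/xml producing identical bytes on both sides; a production deployment would instead use a standard XML canonicalization and signature format so that labels survive reformatting by intermediate systems.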

Trust Frameworks

The ability to establish process networks, federate identity, use protected content across domains, and protect web services across domains requires the domains to establish trust relationships. (See the Identity and Privacy Strategies overviews, “How Can We Achieve Trust in E-Business?” and “Catching the Next Wave of Federation: Gaining Interoperability, Measuring Assurance, and Laying the Foundation for Trust.”) Trust relationships include business, legal, and technical components. Today, almost all trust relationships are pairwise. For example, there are few useful frameworks for an organization to be audited once and gain the trust of many partners. Over the next five years, multilateral trust frameworks established within industry environments, such as the credit card industry, telecommunications networks, and government agencies, will enable wider use of federated identity and web services. Over a longer period of time, more dynamic and widespread trust frameworks may be constructed that will further reduce the cost of business interactions.

An Organization-Wide Control System

Organizations require a control system to manage all the other components. To realize the vision of flexible and fine-grained zoning, the control system must accommodate distributed perimeters. To support more-trustworthy systems, the control system must configure policy enforcement points and other security settings on every host, and manage accounts and other identity-related attributes across directory services as well as other repositories containing this information. The control system must manage the complex cryptographic underpinnings of Internet identity, better-protected SOAs, and advanced content control. The control system must also enable the business to take feedback from security components and IT systems for incident detection and reaction, as well as audit- or compliance-reporting program adaptation.

Recommendations

Be pragmatically paranoid. Risks are likely to increase over the long term, even if short-term improvements in the security situation bring hope. Remain vigilant and prepare for attacks—not only against the operating systems, but also against users, applications, and the security protections themselves. Don't allow the sensationalism of malware threats du jour to distract attention from the serious risks to critical applications and data from both trusted insiders and other insiders that may be able to escalate their privileges in the IT environment. All these threats must be dealt with. Ensure that controls address the principal risks to all high-value and critical assets. Don't disregard the potential for employees, contractors, and outsource/offshore insiders to easily escalate privilege within a soft, chewy, or difficult-to-control network.

No one can tell an organization how much it should spend on security because this is a function of the risk level surrounding the organization's IT, the importance of IT to the business, and the manageability of the IT environment. The larger and more complex the organization, the more it is going to cost to secure on a relative basis. Organizations in industries such as government, financial services, and health care or life sciences generally have higher risks and complexity; organizations responsible for critical infrastructure or possessing strong brand assets also need to spend relatively more.

Many will argue that security spending is already too high and propose cuts, or outsourcing, to bring the costs in line. Outsourcing may make sense for some operational functions, but a knee-jerk response to reduce costs by outsourcing indiscriminately will raise control issues and thus create new costs and risks. Organizations should husband resources wisely, reduce unnecessary complexity in IT, and treat optimizing future IT investments as the superordinate goal to which optimizing IT security is subordinate.

Compliance demands will increase and will continue to vary across jurisdictions. The only way to optimize compliance spending will be to create an ongoing compliance program that weaves the necessary level of assurance into the normal processes of the organization. IT security programs will need to be well governed and adaptable so that they can deal with new or changing regulations and optimize compliance with existing regulations through selective automation of IT management, documentation, and reporting processes.

Organizations should maintain strong risk management, governance, auditing, awareness, and other organizational processes necessary to drive a diligent approach to security. Tackle core problems by establishing basic infrastructure, such as written policy, accountability and mechanisms for enforcement, managed desktop configurations, IdM, and network zoning. Make business unit executives accountable for managing the risk and funding security appropriately for the applications and sites they control.

Raise the bar by following sound security practices, such as system hardening, better IdM, improved control functions, and other capabilities. Most or all of these capabilities are essential to the basic health of IT and should be budgeted year in and year out. Understand the business requirements for advanced technical capabilities such as the technical security capabilities Burton Group envisioned in this overview. Create your own vision or road map and factor it into architecture and investment planning.

Virtually all types of organizations require the control layer and system hardening; large, distributed organizations with complex data center environments are in strong need of flexible and fine-grained zoning; organizations with consumer or public-facing business need Internet identity; and better-protected SOAs and advanced content control are required in many other scenarios. The more of these capabilities that are needed, the more advanced the control system and the processes behind it must be. For example, detection and auditing technologies are good to have, but qualified staff must be available to peruse logs, and processes need to be in place to ensure that they are doing so.

Information security staff must communicate effectively with the business. If the program is not mature and the organization is not in control, start by doing whatever is necessary to protect higher-risk systems on an emergency basis, as well as dealing with the incidents that attracted the most attention (or outrage). But keep up-leveling the discussion to try to obtain executive oversight and buy-in or to fix process problems, governance problems, and any other issues that render IT more difficult to manage or protect. Establish sound policymaking, auditing, and enforcement apparatus within your scope of influence. This includes management of partners and outsourcers, as well as the workforce and all information resources.

The security program should set a steady, policy-driven course toward maintaining the critical processes and optimizing the organization's protection posture. Because it is often difficult to put monetary values on alternative techniques for risk mitigation, it is a mistake to treat the information security program as no more than a series of projects that must each be cost justified. Although security costs and tradeoffs should be considered in the business case for applications and projects in general, planners should sell the need to treat the security program itself as an ongoing set of processes with sufficient and ongoing funding.

The Details

The purpose of this overview is to put Burton Group's coverage of information security programs and technologies into a business context. Business issues abound in all topics of information security management and technology. Many of these issues have been identified and addressed in other documents.

Information Security Management

As described in the Security and Risk Management Strategies overview, “A Systematic, Comprehensive Approach to Information Security,” information protection is something you do, not something you buy. Information security starts with risk management and requires a strong process and effective technologies—all based on a sound understanding of the business that the organization performs and how it performs that business. Figure 3 provides a framework for the systematic, comprehensive approach.

Figure 3: Framework for a Systematic, Comprehensive Approach

Risk Management and Security Drivers

Risk management and security drivers include the security landscape, the business environment, and the business governance processes. This list provides details about coverage of risk management topics in Burton Group's Security and Risk Management Strategies documents:

● “Risk Management: Concepts and Frameworks” is an essential primer on how threats, vulnerabilities, and consequences combine to form risks for the organization. It categorizes risks and prescribes approaches for dealing with different levels and types of risks.

● “Risk Aggregation: The Unintended Consequence” is also very pertinent to the business of information security. Efforts to automate the management of IT tend to reduce redundancy and reduce staffing involved in functions such as directory services and key management. These functions then become points of risk aggregation. Although risk aggregation is not an argument against consolidation and manageability, it must be factored into planning so that thresholds are established and risks above those thresholds disaggregated as a matter of policy and process.

● “Security Governance for the Enterprise” evaluates various structures that can be used to govern security across different types of organizations. For large organizations with a significant dependence on IT, this document generally recommends endowing a CISO position—independent of the CIO or chief financial officer (CFO) reporting chains, with sufficient power and emphasis to oversee business unit level CISOs (if any)—and 15 to 20 committees with ongoing authority to oversee the important security management processes. The document also suggests rough order-of-magnitude staffing and budgetary needs for the CISO function.

● “Analysis of Information-Related Threats to Enterprises” discusses the motivations, capabilities, and other attributes of people, acts of nature, or other actors that threaten legitimate organizations.

● “VantagePoint 2005–2006: Information Security Trends” includes a discussion of the security marketplace and coverage of the security landscape and near-term security technology developments. This overview is updated annually.

● “Enterprise Strategies for Defending Against Spyware” provides an overview of the spyware problem and strategies for deterring, preventing, or detecting spyware.

● “In Their Sites: Phishing and Pharming Attacks and Prevention” addresses the question of how a lack of ability to trust the integrity of digital information goes right to the core of how business uses networks, and reviews techniques used to mitigate phishing and pharming attacks.

Security Management Processes

Security management processes include those shown in the “Organizational perspectives and business processes” column in Figure 3. These processes are covered in the online article “The Global State of Information Security 2005.”8 Additional coverage appears in the following Security and Risk Management Strategies documents:

● “Business Continuity Planning for IT” discusses the increasing importance of IT for day-to-day business viability and survivability. It highlights requirements for geographic diversity so that no single site, data center, or connection can shut down the productive capacity of the enterprise, and it recommends knowledge diversity and disaggregation of risks so that no single individual can wreak havoc. It also analyzes tradeoffs between relatively affordable off-site backups as a means of restoring capacity and more-expensive hot sites for enterprises with real-time processing needs.

● “Security Awareness, Training, and Education Programs for the Enterprise” discusses the critical importance of awareness programs and the tools, approaches, and staffing required to maintain these programs.

● “Change Management for the Enterprise” and “Change Management with Assurance” identify change management requirements and approaches. Selecting the appropriate level of change management rigor to require for different risk levels and other situations, and determining how many redundant IT environments are required for development, testing, and production are significant business decisions.

Compliance and Control Standards

Business issues for compliance—a key driver for security programs—are covered in the following Security and Risk Management Strategies documents:

● “Pulling Up Your SOX: IT Impacts and Compliance” not only covers SOX compliance but also has useful information on approaches for optimizing and automating aspects of compliance, and what to expect for compliance-oriented tools and architectures.

● “Enterprise Security Control Standards: Which Ones and Where They Apply” recommends that organizations adopt and follow control standards. COSO should be used for enterprise risk management, Generally Accepted Information Security Principles (GAISP) should be used for top-level guidance, and International Organization for Standardization (ISO) 17799:2005 is the best enterprise control standard. CobiT is problematic for enterprise control and inappropriate for risk management requirements, but it may be requested by auditors and some mapping to CobiT may be necessary.

● “Security Metrics: Horses for Courses” deals with another important issue: the choice of metrics for measuring security programs. This overview argues that return on investment (ROI) metrics, measurements of day-to-day activities, and counts of vulnerabilities or scans have very limited usefulness in security programs. Useful metrics need to be calibrated against business goals, such as reducing the cost of patch management, and measurements need to be standardized to work enterprise-wide.

BURTON GROUP 7050 Union Park Center Suite 510 Midvale · Utah 84047 · P 801.566.2880 · F 801.566.3611 · www.burtongroup.com

● “Raising the Bar: Solving Medium-Risk Problems with Medium-Surety Solutions” recommends that enterprises match the surety of systems to the risks the systems face. It also recommends that enterprises think twice about using low-surety systems in medium- or high-risk environments.

● “The Role of Information Protection in Regulatory Compliance: Views from Catalyst North America 2005” describes the issues and lessons learned that organizations in a number of industries have faced in regulatory compliance.

Concepts and Methodologies

Additional concepts and methodologies are covered in the following Security and Risk Management Strategies documents:

● The Reference Architecture Principles walk the reader through a number of business and technology issues on which reasonable people disagree. Determining enterprise, business unit, or project positions on issues such as outsourcing, vendor risk, and compliance is an important prerequisite to effective decision making in the program.

● “Recommendations for Developing an Information Security Program” describes how to use risk management, asset management, user classification, and other processes in a security program by following the systematic, comprehensive approach.

● “How to Develop a Security Technology Architecture Using Burton Group's Reference Architecture” describes how to employ Burton Group's Reference Architecture to create an information security architecture for an organization, and then develop a high-level migration strategy for achieving that architecture.

● “Defending Against the Evil Insider” discusses the many risks that insiders pose and includes extensive coverage of techniques by which insiders might defraud the business. The document also provides a good section on the selection of defenses against insiders.

● “Concepts and Definitions” defines a number of terms to improve clarity of communication.

Security Technology Model

The Reference Architecture “Information Security Technology Model” Template diagram shown in Figure 4 depicts security technology in a domain as the integration of users and content with a perimeter layer, an identity and access layer, a resource layer, and a control layer. The control layer comprises the control system discussed in the “What Technical Security Capabilities Should Organizations Envision?” section of this overview. Each major component of the five-year vision maps to part of the template; for example, flexible and fine-grained zoning concerns the perimeter layer, Internet identity concerns the identity and access layer, and more-trustworthy systems (a fortress of one) concern systems in the resource layer. The Template links to many documents covering all these areas, as do the Security and Risk Management Strategies “In-Depth Research By Date” webpage and the Reference Architecture Technical Positions.


Figure 4: Information Security Technology Model


Conclusion

Enterprises must operate on a global scale and build IT capabilities to remain competitive and leverage new business models. They must also fend off threats from heightened criminal activity. Risks will continue to increase with IT automation and interdependence.

A well-managed security program must provide strong, security-related processes that are integrated into appropriate business processes, envision a long-term strategy, and communicate it to the business. Organizations that invest in a comprehensive, business-like approach to security will be well positioned to achieve the assurance required to conduct and expand business online within an acceptable margin of safety.



Related Research and Recommended Reading

Burton Group. Security and Risk Management Strategies “Concepts and Definitions.” BurtonGroup.com. 17 Jan 2005. http://www.burtongroup.com/content/doc.aspx?cid=644.

Trent Henry. “How Can We Achieve Trust in E-Business?” BurtonGroup.com. 19 Apr 2004. http://www.burtongroup.com/Content/doc.aspx?cid=138.

Gerry Gebel. “Catching the Next Wave of Federation: Gaining Interoperability, Measuring Assurance, and Laying the Foundation for Trust.” BurtonGroup.com. 7 Dec 2004. http://www.burtongroup.com/Content/doc.aspx?cid=138.

Dan Blum, Fred Cohen. “A Systematic, Comprehensive Approach to Information Security.” BurtonGroup.com. 24 Feb 2004. http://www.burtongroup.com/content/doc.aspx?cid=656.


Author Bio

Dan Blum

Senior Vice President and Group Research Director

Emphasis: Security architecture, technology and products; compliance; identity management; federated identity management; directory services

Background: Co-founder and principal of Rapport Communication, which merged with Burton Group in May 1998.

Primary Distinctions: An internationally recognized expert in the areas of information security, compliance, identity management, federated identity, and directory services. Authored or co-authored over 50 vendor-neutral research reports, technical positions, and methodologies/best practices recommendations within his technology focus areas. He has consulted for many Global 1000 companies on key strategic architecture and technology decisions. He has participated in and contributed to standards organizations such as the International Information Integrity Institute (I4), Electronic Authentication Partnership (EAP), International Organization for Standardization (ISO), and National Institute of Standards and Technology (NIST). He has worked with technology suppliers, the Organization for the Advancement of Structured Information Standards (OASIS), and Liberty Alliance to promote the use of federated identity management through industry events and interoperability demonstrations. He is also a columnist for Network World, co-author of "The E-mail Frontier," published by Addison-Wesley, 1994, and author of "Understanding Microsoft Active Directory Services," published by Microsoft Press, 2000. He speaks at prominent industry conferences including Catalyst, I4, Networld+Interop, RSA Conference, Digital ID World, Information Security Decisions, and many others.
