4 | 2012
To Battle!

The threats just keep coming in this new, interconnected world. DDoS attacks, internal security breaches, and even politically motivated "hacktivism" all but ensure that your organization will experience a security incident. Don't think if, think when.

To the Rescue!

Here comes the cavalry. Biometrics, smart cards, and other new technologies are changing the security landscape. Built right into business processes, these technologies enable a transparent, seamless security layer that improves your organization's chances of emerging unscathed.

"As enterprise ecosystems expand, and more and more functions are outsourced, you are increasingly relying on partners to manage the integrity and privacy of your data. How do you know if they are meeting these needs?"

-- Mike Rosen, Guest Editor

Opening Statement

Hardly a day goes by without some security breach, information disclosure, or identity theft event making the news. Although still a concern, teenage boys hacking your system are the least of your worries these days. Organized cyber crime is establishing a stronghold, with determined and concerted efforts to move into the 21st century. Even governments are getting into the act. Whereas from an enterprise perspective we often say, "Information is an enterprise asset," from a security perspective we say, "Lost information is a liability." The new world brings new threats and challenges and requires new approaches. The cloud and mobile devices just make it that much harder, but they can't be ignored. So what is an enterprise to do in the age of increased threat and reduced budget?

BEYOND THE PERIMETER

Traditionally, we have approached security by hardening the perimeter to our organization through the use of firewalls and other devices. While this is still required, do you really think this is sufficient? The answer to that is simple: no. As business has become more distributed, outsourcing has gone global, supply chains are more connected, employees become teleworkers, customers demand better information, and so on, we have systematically punched holes into perimeter security until it now resembles Swiss cheese.

A more important question then becomes, how much of your security strategy depends on your perimeter? Will a reinforced perimeter keep your data secure? I read an astounding statistic a few years ago. A study sponsored by Dell documented that 12,000 laptops are left behind at airport security checkpoints every week in the US alone -- and only 33% of those laptops are reclaimed. On another note, an Internet search for "internal security breach" yields dozens of articles about loss, partner negligence, or theft as a result of actions taken by internal employees at hotels, financial services companies, and even online poker sites (shocking). What good does perimeter security do against these threats?

Perhaps you remember the US public service campaign from 1960s television that went something like, "It's 10 pm. Do you know where your children are?" For IT, we could rephrase it as, "It's 2012. Do you know where your data is?" Probably not, especially if it's in the hands of your partners or moved to the cloud. So the answer to the next question -- Is your data secure? -- is most likely, "I don't know." As enterprise ecosystems expand, and more and more functions are outsourced, you are increasingly relying on partners to manage the integrity and privacy of your data. How do you know if they are meeting these needs?

One approach is to require partners, outsourcers, ASPs, SaaS providers, and so on, to demonstrate appropriate security measures to mitigate the risks associated with your information. You want to know that they have thought about and devoted resources to the issue of security; have sufficient policies, procedures, and governance in place; and that you can work with them in the event of a security incident. An objective industry standard can be of great assistance in making this determination and codifying it into contracts.

Maturity in information security is achieved by implementing a set of controls, including policies, processes, procedures, applications, and technology. A mature organization will have processes to establish, implement, monitor, and revise these controls to ensure that the specific security requirements of your enterprise information are met. ISO 27002 (aka ISO/IEC 17799:2005), "Information Technology -- Security Techniques -- Code of Practice for Information Security Management," establishes guidelines and general principles for information security in terms of 39 specific control objectives and 100-plus specific controls covering:

  • Security policy

  • Organization of information security

  • Asset management

  • HR security

  • Physical and environmental security

  • Communications and operations management

  • Access control

  • Information systems acquisition, development, and maintenance

  • Information security incident management

  • Business continuity management

  • Compliance

While these things are important, the approach needs to be extended to address new environments and guidelines, such as those from the Cloud Security Alliance. We'll see from the articles in this month's Cutter IT Journal that we also need to start thinking differently about security, especially about how we establish and authenticate identity.

SOLVING THE SECURITY EQUATION

Security is not a yes or no question, but rather an attribute of something that is considered valuable and at risk. How much security is needed and how secure something is must be determined in relation to the asset's perceived value and the risk to the asset. Risk is a combination of asset value, impact, threat, and vulnerability. Threat is an intention to inflict damage and includes the various mechanisms by which the asset can be damaged. Vulnerability is the susceptibility to damage from any particular threat.

Security risk assessment is the process of identifying business assets, recognizing the range of threats to those assets, analyzing the vulnerabilities, and understanding the business impacts of compromised assets. Risk mitigation is the application of security controls to gain a balance between security, usability, cost, and other business requirements.

In a business environment, security is used to protect assets of business value, such as customer information. Major business risks include disclosure of private (company or customer) information and theft of assets and information. If an asset is damaged or compromised, the enterprise will suffer a business impact. The magnitude of the impact will depend on the value of the asset and the scope of the loss. An event that causes business impact is a threat. To reduce vulnerability and prevent threats from becoming business impact events, enterprises implement security controls, both technical and procedural.

In other words, risk assessment yields a set of business and security requirements, expressed as a set of control objectives (i.e., business requirements for control). Control objectives are implemented by specific security controls and drive the selection of risk mitigation strategies, including security principles, policies and procedures, application security services, and physical security mechanisms.
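The risk terms defined above (asset value, scope of loss, threat likelihood, vulnerability, controls that reduce vulnerability, and a residual risk compared against what the business tolerates) as a small worked register. This is an added illustration, not material from the journal or its authors; the assets, threats, scores and control names are constructed sample data, and the multiplicative scoring is one common simplification rather than the only way to combine the terms.

```python
"""Worked security risk assessment (added illustration; all figures are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: float          # 0..1 chance per year that the threat is realised against the asset


@dataclass
class Control:
    name: str
    objective: str             # the control objective (business requirement for control) it implements
    reduction: float           # fraction of the remaining vulnerability it removes, 0..1


@dataclass
class Exposure:
    asset: str
    value: float               # business value of the asset, in arbitrary currency units
    loss_scope: float          # fraction of that value lost if the asset is compromised, 0..1
    threat: Threat
    vulnerability: float       # susceptibility of the asset to this threat, 0..1
    controls: list = field(default_factory=list)

    def impact(self):
        return self.value * self.loss_scope

    def inherent_risk(self):
        # risk before any control: impact x threat likelihood x vulnerability
        return self.impact() * self.threat.likelihood * self.vulnerability

    def residual_vulnerability(self):
        v = self.vulnerability
        for c in self.controls:        # layered controls each remove a share of what is left
            v *= 1.0 - c.reduction
        return v

    def residual_risk(self):
        return self.impact() * self.threat.likelihood * self.residual_vulnerability()


def assess(exposures, tolerance):
    """Exposures whose residual risk still exceeds the tolerance, highest first,
    together with the control objectives already covered so the remaining gap is visible."""
    over = []
    for e in exposures:
        r = e.residual_risk()
        if r > tolerance:
            over.append({"asset": e.asset, "threat": e.threat.name, "residual": r,
                         "covered_objectives": sorted({c.objective for c in e.controls})})
    return sorted(over, key=lambda row: row["residual"], reverse=True)


# Constructed sample register: three assets, one threat each, controls where they exist.
SAMPLE_EXPOSURES = [
    Exposure("customer database", 1000.0, 0.5, Threat("disclosure by outsourcer", 0.3), 0.6,
             [Control("contractual security attestation", "supplier security assurance", 0.5)]),
    Exposure("field laptop", 200.0, 1.0, Threat("lost at airport checkpoint", 0.5), 0.9,
             [Control("full-disk encryption", "protect stored data", 0.9)]),
    Exposure("public web portal", 800.0, 0.25, Threat("DDoS", 0.4), 0.7, []),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_EXPOSURES, tolerance=20.0):
        print(row)
```

The output of `assess` is the list that drives the next step in the text: each row above tolerance needs a new or stronger control objective, while the rows that dropped below it (the encrypted laptop here) show a control that has done its job.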

From an architectural perspective, we can define a set of security principles to achieve our control objectives and drive the policies, procedures, services, and devices. Here are some sample security principles for today's enterprises:

  • Make the scope of protection consistent with the risk assessment and ensure acceptable levels of protection for the assets at risk, taking into account business value and impact, as well as threat and vulnerability.

  • Apply a defense-in-depth strategy. No single security control by itself will provide sufficient risk mitigation. Always assume that security controls will fail. However, a single breach will not result in a loss if other, independent controls take over where the first one failed. Have backup, overlapping, and redundant systems in place. Secure the application and data at every layer of the stack, not just from the network or perimeter.

  • Implement security mechanisms that are pervasive, simple, scalable, and easy to manage. Security controls should be designed so that doing the secure thing is the path of least resistance.

  • Understand de-perimeterization. Do not assume that the internal network or any environment is secure or safe.

  • Secure data appropriately when stored, in transit, and in use. Access to data should be controlled by security attributes of the data itself.

  • See that all devices are capable of maintaining their security on an untrusted network. Devices and applications must communicate using open, secure, standard protocols.

  • Ensure that authentication, authorization, and accountability mechanisms interoperate with customers and partners outside of your area of control.
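An access decision keyed on the security attributes of the data itself, as the principles above call for: the data's classification, its owning organisation, which partners it has been released to, and whether the store it sits in is encrypted decide the outcome, and the network the caller arrived from plays no part (de-perimeterization). This is an added example, not code from the journal or any of its authors; the label fields, clearance levels, authentication methods and the policy order are constructed for the illustration.

```python
"""Data-attribute-based access decision (added illustration; labels and policy are constructed)."""
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
STRONG_AUTH = {"smartcard", "biometric"}   # authentication methods accepted for restricted data


@dataclass(frozen=True)
class DataLabel:
    classification: str          # one of LEVELS
    owner: str                   # organisation that owns the record
    shared_with: frozenset       # partner organisations cleared to receive it
    encrypted_at_rest: bool      # does the store the record lives in encrypt it?


@dataclass(frozen=True)
class Subject:
    org: str
    clearance: str               # one of LEVELS
    authenticated_with: str      # "password", "smartcard" or "biometric"
    channel: str                 # "tls" or "plain"


def decide(subject, label, action):
    """Return (allowed, reason). Default deny; every check reads the data's own label,
    never the caller's network location."""
    sensitive = LEVELS[label.classification] >= LEVELS["confidential"]
    if LEVELS[subject.clearance] < LEVELS[label.classification]:
        return False, "clearance below data classification"
    if subject.org != label.owner and subject.org not in label.shared_with:
        return False, "data not released to the caller's organisation"
    if sensitive and subject.channel != "tls":
        return False, "sensitive data only moves over an encrypted channel"   # data in transit
    if label.classification == "restricted" and subject.authenticated_with not in STRONG_AUTH:
        return False, "restricted data requires strong authentication"
    if action == "write" and subject.org != label.owner:
        return False, "only the owning organisation may modify the record"
    if action == "write" and sensitive and not label.encrypted_at_rest:
        return False, "sensitive data may not be written to an unencrypted store"   # data at rest
    if action not in ("read", "write"):
        return False, "unknown action"
    return True, "all data-attribute checks passed"


# Constructed sample data and callers.
CUSTOMER_RECORD = DataLabel("restricted", "acme", frozenset({"outsourcer-a"}), True)
PRICE_LIST = DataLabel("internal", "acme", frozenset(), False)
EMPLOYEE = Subject("acme", "restricted", "smartcard", "tls")
PARTNER_WEAK = Subject("outsourcer-a", "restricted", "password", "tls")
PARTNER_STRONG = Subject("outsourcer-a", "restricted", "biometric", "tls")
STRANGER = Subject("other-corp", "restricted", "biometric", "tls")
INTERN = Subject("acme", "internal", "password", "plain")

if __name__ == "__main__":
    for who, what, action in [(EMPLOYEE, CUSTOMER_RECORD, "read"), (PARTNER_WEAK, CUSTOMER_RECORD, "read"),
                              (PARTNER_STRONG, CUSTOMER_RECORD, "write"), (INTERN, PRICE_LIST, "read")]:
        print(who.org, action, label := what.classification, decide(who, what, action))
```

Because the partner's request is judged by the same function and the same label as an employee's, the policy can be handed to an outsourcer or cloud provider as the rule they must enforce, which is the interoperability the last principle asks for.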

IN THIS ISSUE

While the traditional fundamentals, principles, and approaches to security still hold true, in this issue of Cutter IT Journal we discuss new risks posed by the connected environment and new approaches to risk mitigation. Our four articles present four different perspectives on the issues and solutions.

In our first article, Eric Kreinar and Tim Virtue provide an overview of the new security landscape. They discuss three pillars of security required for the modern enterprise: identity management, policy compliance, and cyber security architecture. Identity management will be a recurring theme with our other authors as well. Kreinar and Virtue make the case that while traversing cyberspace, social networking platforms, and the cloud, user identity should transcend the need for multiple identity assertions. But they also note that "federated trust is difficult to establish without a foundational policy that specifies how a user's credentials pass from system to service."

They go on to argue that security is now a business driver and not a subset of technology. We therefore need to change our thinking to embrace the cultural and technical changes associated with cloud and service-driven architectures, because we are now delegating control -- often outside the enterprise. One successful approach they describe is designing and building modular, standalone security components that can be mixed, matched, and extended to provide a flexible security architecture.

Next, Jason Stradley digs into the details of one of the new security threats in his article "How DDoS Attacks Defy Conventional Security Wisdom." A distributed denial of service (DDoS) attack attempts to make a target unavailable to would-be users by coordinating the activities of multiple systems to inundate the target with so much traffic that it effectively shuts down. The motivation for such attacks is typically either political (i.e., "hacktivism") or financial, as when cyber crime groups use DDoS attacks to extort money from organizations or as a diversionary tactic to conceal theft or fraud by other means. But not to worry -- Stradley describes three techniques for combating such attacks and leaves us with the advice that the most effective solution is "to develop a holistic approach to defending against DDoS attacks that is not overly dependent on any single solution or technology."
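The defining property of a DDoS described above, many sources each sending a modest amount so that no single client looks abusive, is also what a defender has to detect. The following added example (not Stradley's article or any of his three techniques, which are not reproduced here) compares the aggregate request rate in a sliding window against a baseline learned from a quiet period, and reports how the load is spread across sources, which is what separates a distributed flood from one misbehaving client. The log format, addresses and traffic pattern are constructed sample data.

```python
"""Sliding-window flood detector over request logs (added illustration; logs are constructed)."""
import re
from collections import Counter, defaultdict

# Constructed log line format: <epoch second> <src_ip> "<METHOD> <path>"
LOG_RE = re.compile(r'^(\d+) (\S+) "(?:GET|POST) \S+"$')


def parse_line(line):
    """Return (second, src_ip), or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    return (int(m.group(1)), m.group(2)) if m else None


def build_sample_log(distributed, seconds=40, attack_start=30, attack_volume=50):
    """Constructed traffic: 2 req/s background from five clients for the whole period,
    plus from attack_start on either 50 sources at 1 req/s each or one source at 50 req/s."""
    lines = []
    for t in range(seconds):
        lines.append(f'{t} 10.0.0.{t % 5 + 1} "GET /index.html"')
        lines.append(f'{t} 10.0.0.{(t + 2) % 5 + 1} "GET /catalog"')
        if t >= attack_start:
            for k in range(attack_volume):
                src = f"198.51.100.{k + 1}" if distributed else "203.0.113.7"
                lines.append(f'{t} {src} "GET /search?q=x"')
    return lines


def detect(lines, window=10, warmup=30, factor=5.0):
    """Alert for every second whose trailing window carries more than factor x the
    baseline request count; each alert says how many sources share the load."""
    per_second = defaultdict(Counter)          # second -> Counter(src_ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            t, ip = parsed
            per_second[t][ip] += 1
    if not per_second:
        return []
    # Baseline: requests per window during the warmup period, assumed to be normal traffic.
    warm_total = sum(sum(c.values()) for t, c in per_second.items() if t < warmup)
    baseline = warm_total / warmup * window
    alerts = []
    for t in range(warmup, max(per_second) + 1):
        agg = Counter()
        for s in range(t - window + 1, t + 1):
            agg.update(per_second.get(s, Counter()))
        total = sum(agg.values())
        if total > factor * baseline:
            top_ip, top_n = agg.most_common(1)[0]
            alerts.append({"second": t, "requests": total, "sources": len(agg),
                           "top_source": top_ip, "top_share": top_n / total})
    return alerts


if __name__ == "__main__":
    for label in (True, False):
        first = detect(build_sample_log(distributed=label))[0]
        print("distributed" if label else "single source", first)
```

In the distributed case the first alert shows 55 sources with the busiest one carrying about 3% of the traffic, so per-source rate limiting would never trigger; in the single-source case the same aggregate threshold fires with one address holding over 80% of the window, a case a per-client limit would have caught. Reporting the spread with the alert is what tells the responder which kind of mitigation applies.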

Our third author, John Tibbetts, describes a solution to identity management based on his experience with electronic textbook publishing. In the new world, online education is big-time business, where, as Tibbetts observes, "things like tuition payments, lab fees, textbook rentals, grades, credits, and diplomas are in play. This means some serious security around rights management, copyright protection, electronic payment processing, and identity management." Identity management has two primary tasks, authentication and authorization, and while you may have thought you understood this before, his article provides new insight and clarity into the important distinction.

Again, keeping with a common theme, Tibbetts talks about the new thinking and solutions needed to address the issues surrounding identity management. For example, while many organizations may try an initial implementation using LDAP, they quickly find that LDAP is only a security solution inside the firewall. Here, Tibbetts compares and contrasts three approaches that organizations are taking to implement identity management solutions and examines their applicability in higher education and in general.

Finally, Karen Neville and Leona O'Brien describe the role of biometrics in the future of banking and the opportunities, challenges, and potential solutions biometrics present with regard to identity management. The authors argue that mobile banking (m-banking) and biometrics are currently creating profound changes in the financial services landscape. Now anyone with access to a cell phone has a place to keep his or her savings without needing a traditional bank account, and an increasing number of people without traditional bank accounts are in need of financial services. For example, the growing number of migrant workers globally has spawned a related increase in the number of remittances being regularly sent home. Some estimates are that 100 million users globally will use their mobile phones to make international money transfers by next year. And guess what? Security will be a big issue.

Biometrics offer a promising solution. Biometrics enable the authentication of a living person based on his or her unique physical traits (e.g., thumbprint, retina scan) or behavioral characteristics (e.g., gait, voice). As Neville and O'Brien note, "Combining biometrics with mobile phones for authentication is an obvious solution to the challenge of binding the user to a transaction, as mobile phones are equipped with voice capture capability and have the added potential of using inbuilt cameras." Because biometrics are integrated into business processes (rather than being merely an add-on), they enable a transparent, seamless security layer. While challenges remain for biometrics adoption in m-banking -- including public skepticism and the need to adhere to local and international standards and regulations -- there is enormous potential in this market for financial services organizations and mobile operators.

So that's it -- an overview of the new security issues and threats, along with a closer look at some of the new approaches and solutions. We hope this issue of Cutter IT Journal provides new tools and insights for helping you address enterprise security.
