The Changing Role of IT Security in an Internet World

A Business Perspective


Dr. Hannes P. Lubich: Bank Julius Baer, Hohlstr. 602, CH-8010 Zurich, Switzerland

Abstract

IT security has come a long way since networks were first used to gain unauthorised access to computers, or distribute viruses by e-mail. While IT security was considered a nuisance and an obstacle to the free exchange of information at first, it has now moved centre-stage, defending business-critical systems from unauthorised access. However, we must re-visit the role of IT security once again, because all too often, IT security managers find themselves in the hopeless situation of trying to uphold a maximum of security, as requested from management, while at the same time they are considered an obstacle in the way of developing and introducing new applications into industrial, business and government network environments. Within this paper, some of the difficulties of providing a sustainable and acceptable level of IT security will be discussed in more detail, and elements of an organisational IT security framework will be described.

Keywords

IT Security, Security Framework, Security Management, Risk Management

1. Introduction

The following section introduces some basic concepts of IT security, namely security properties (i.e. "values" that need to be protected) and the corresponding security threats. For a more complete discussion of IT and network security methodology, see e.g. [1] and [2].

1.1 IT Security Properties

On a very general level, the "mission statement" of IT security is rather simple, namely to introduce measures that help assess and maintain an acceptable level of security for IT resources (systems, networks, databases, development environments etc.). The usual security properties that need to be addressed in this context are:

While these definitions appear straightforward at first sight, and while sufficient measures such as strong encryption (in particular public key encryption as introduced by Diffie and Hellman, see [3]) and high-quality digital signatures exist, a large number of conceptual and technical problems make it difficult and sometimes infeasible to introduce and maintain such protection mechanisms in real-world network environments – in particular when these environments do not operate in isolation, but are required to interoperate.

1.2 IT Security Threats

The assessment of security threats can be based on a variety of classifications such as active/passive, internal/external, ongoing/planned etc., which will not be discussed further within this contribution, since their use may vary depending on the type of organisation or property under attack. However, at the core of any threat, one or more of four basic elements can be found, as shown in figure 1:

Figure 1: Classification of IT Security Threats

2. A Methodology of IT Security Problems and Pitfalls

Although many security frameworks and techniques are available today, the overall security situation in many networked organisations is far from acceptable. Consequently, a growing number of security incidents and criminal acts involving IT systems and networks indicates that substantial problems exist concerning the proper planning, deployment and enhancement of IT security measures. The following sections explore some of these problems.

2.1 Technological Shortcomings

Many shortcomings of IT security elements have their roots in technological problems. The most commonly perceived problems are:

  1. There are too many non-interoperable encryption systems and products, with more to come. It is almost impossible for an organisation with a deployed, inhomogeneous operating system and network infrastructure to provide one standard (i.e. the corresponding products) over all platforms, or to obtain sufficient interworking between a range of (unharmonised) products.
  2. A generally available public key infrastructure is still missing. While corresponding standards have been available for some time, a common PKI has not yet been provided on the Internet, and many of the regulations concerning digital certificates are still pending. In addition, interworking problems have plagued the rollout of PKIs and corresponding directories, as well as "PKI-ready" products provided by different vendors.
  3. There is an open debate as to which security services should be provided by which functional layer (network, operating system, middleware, application, presentation). While some have championed IPv6 and its security elements as the end of all security problems on the Internet, it is still unknown (and consequently not reflected in the deployed IT base) which security service elements will be provided (and accepted by the market) as part of the networking base, the operating system, or application services.
  4. The interworking of a large number of components and the corresponding dependencies create an additional level of complexity, which has hampered deployment of common security platforms. A subtle change in one operating system covered by a security framework, for instance, may imply the upgrade of the security framework (or parts of it), which may in turn imply upgrades in other deployed platforms or upgrades of middleware components and/or applications on these platforms.
  5. Externally supplied frameworks (such as SAP®) utilise their own "embedded" security modules and methods, which may or may not be compatible with the security model and systems already installed. In some cases, it is almost impossible to obtain enough information about the inner workings of these systems to assess whether the embedded security is up to the standards required from all other systems and applications in the organisation.
  6. The complexity and openness of interfaces between the organisation and entities in the outside (i.e. untrusted) world poses another problem for a coherent IT security environment. While one financial information vendor, for instance, may give customers a choice to separate a financial data stream from an e-mail channel (i.e. to block any unwanted e-mail gatewaying between the organisation and the Internet through the financial service provider), another provider may opt to code all these functions into one proprietary data stream, thus making it virtually impossible to selectively block e-mail gatewaying.
  7. Many organisations suffer from severe integration problems when it comes to deploying "just one" IT security framework. Although it has become popular in the IT community (especially in the sales force) to generally term all systems sold and paid for as "legacy" in order to boost next year’s sales, a large number of business-critical systems in the mainframe and midrange area have their own, well-built but incompatible security environments, while they are still perfectly suited to run the organisation’s business applications. No head of IT would be able to justify the replacement of these investments "just because of IT security".
  8. As in every software area, bugs and deficiencies also exist in IT security software, as well as in particular configurations. While the IT industry as a whole has learned a lesson with respect to covering up security holes (also thanks to the self-organisation of the Internet community into CERTs and other security communities, see [4]), such security holes still exist and will continue to exist as the corresponding software becomes even more complex.

2.2 Business / Organisational Aspects

Integrating IT security into the organisational framework and business process can also lead to challenges, which may in turn influence the acceptance and performance of IT security:

  1. The role of IT security is often perceived as an obstacle for the implementation of new business applications (some have even argued that the only useful role of an IT security officer is to be the scapegoat after things have gone wrong).
  2. The non-delegable responsibility of an organisation’s executive board, as defined in many corporate laws, makes senior managers over-sensitive in terms of decision making (in such cases, IT security is usually requested to guarantee 100% security, even for applications and business processes yet unknown).
  3. Many organisations do not delegate sufficient executive powers for the IT security organisation to "pull the plug" if necessary. As the IT security officer is not allowed to take responsibility for an interruption of the organisation’s service due to a perceived security problem, the organisation faces sluggish response time and inappropriate escalation procedures.
  4. The outsourcing of parts of the IT service (such as the operation of a company’s PCs or the data network) adds to the complexity of detecting and repairing security problems, since both the outsourcing provider and the outsourcing client treat their respective environments as "black boxes", with little or no information being available to allow effective problem tracing.
  5. There is a growing need for IT security specialists (i.e. persons being able to find the "right" level of specialisation and business understanding). In order to increase the interest of employees and educational facilities in this field, active marketing efforts concerning employment opportunities and career development must be made.
  6. While financial, environmental and other risks have been addressed by many organisations as part of their business, a professional approach towards operational risk management has yet to be deployed on a large-scale basis. Many operational risks (such as the decision whether to stay operational during an on-going hacker break-in, or to shut down as a preventive measure) are currently taken without a formalised decision-making basis.

2.3 Legal / Regulatory Pitfalls

In addition to technical and organisational shortcomings, legal and regulatory issues add another layer of complexity to the provision of a coherent IT security environment:

  1. Data protection and audit requirements may complicate IT security provision in an international company, e.g. if back-office or computing services are provided through a centralised service centre which is located in one jurisdiction, but is regulated by the jurisdiction of the country from which the processed data originates.
  2. Export/import controls on security technology have delayed the introduction of high-quality security products in many IT markets. Although these regulations tend to disappear, they are still stumbling blocks for many organisations. Many software environments, such as the current export version of Lotus Notes®, still use low-grade encryption, while others, such as the popular Netscape® browser, require active changes by the end user to be able to process high-quality encryption keys. Along the same lines, escrow issues (in particular the mandatory depositing of encryption keys or key information used for third-party decryption) have influenced many IT security products (and deployment decisions by customers).
  3. Another field of legal dispute is centred around certificate authorities and their role as providers of legally binding electronic signatures. (National) debates in this area range from the acceptance of electronic signatures on formal documents to the content of a certificate (i.e. should the issuer of a certificate be visible in the certificate, or just the certifying authority – this may for instance be a crucial point for banks wishing to deploy digital certificates to their customers while retaining banking secrecy).

2.4 Societal Issues

Finally, matters of social acceptance and consensus influence IT security as well:

  1. In many countries, there is an open debate on issues of informational self control versus the right for extensive "data mining" by companies using (and extending) their customer information bases by exchanging them with other companies or marketing organisations.
  2. It is difficult for many people to determine an acceptable level and a consistent method of risk-taking – many operational IT risks do not compare well to risks known to the average person, thus making it difficult to build the required expertise (which is based on inevitable but expensive errors and misjudgements).

3. A Proposed Definition of IT Security Services

The gap between documented IT security "theory" on the one hand, and the concrete problems of daily life on the other hand, shows the need for a concise, well-defined and well-executed IT security definition and realisation plan, for any organisation that wishes to go beyond the daily fire-fighting style of IT security. The following sections discuss the individual elements of such a service, as well as their interworking.

3.1 Basic Principles

In view of the growth and innovation rate of IT systems and products, it is neither possible nor economically useful to provide maximum IT security against all threats outlined above. Instead, IT security must be focussed on pragmatic, yet concise, asset protection goals and mechanisms:

3.2 Realisation through a Suitable Security Management

The basis for all protection mechanisms is the existence and organisational embedding of an appropriate IT security organisation. The mere existence of an IT security officer is, however, still no guarantee for the proper functioning of IT security management. Essential for its proper functioning are the following aspects (see also [8]):

3.3 Realisation Elements and Phases

In order to set up a suitable IT security management, a sequence of inter-related activities must be initiated, which are discussed in more detail in the following sections. Depending on the business area and protection needs of the respective organisation, the weighting of these activities can differ, as can their sequence and repetition rate.

Clear Mandate by Senior Management

IT security operates in a permanent area of tension between the desire of customers and employees for extensive functionality and ease of use, and the necessity to enforce IT security related restrictions. Without clear objectives and instructions from senior management, and the appropriate backing also for the enforcement of necessary but unpopular measures, the set-up of an IT security management is doomed to failure: whenever a conflict between business benefit and security issues occurs, an unconsidered decision is usually made in favour of the potential benefit, without a proper risk evaluation and – if necessary – an explicit acceptance of the risk by the appropriate decision makers. If IT security problems occur because of such implicitly taken decisions, the danger exists that the responsibility is shifted onto the person responsible for IT security, without that person having been able to put forward his/her opinion with the necessary emphasis.

In addition, it must be noted that it is not the task of the IT security organisation itself to make the balanced consideration of business opportunity and IT risks. This balance and the resulting decisions are a non-delegable task of senior decision makers – IT security only has the task of supplying its consolidated views and appropriate reasoning, while the responsible business units, which are usually willing to take a risk in favour of a business opportunity, will supply an opinion from their point of view. (This does of course not imply that IT security may operate without in-depth knowledge of the underlying business processes, or may pose unfulfillable IT security requirements.)

The key to sufficient and sustainable support by senior management is the ability to show the additional benefit and business opportunity of a concise IT security management and its coherent application. If the IT security organisation succeeds in being accepted as a source of added value, corresponding support by senior management is easier to obtain. Vice versa, missing management support for IT security issues should be interpreted as a clear warning sign, both for employees and for customers and suppliers.

Definition of Security Goals

At the start-up of the security management process, goals and milestones to reach these goals must be defined. Since these goals must be accepted by the whole organisation, it is of utmost importance to secure the co-operation and active participation of all business units. Acceptance of the security goals and the necessary measures cannot be reached through directives alone, but requires the active integration of all parties involved. The structure and granularity of the formal security goals may vary, depending on the type of organisation and business area. In general, however, the following sets of questions need to be addressed:

Depending on their level of abstraction, security goals are more or less permanent. However, even long-lasting goals should be re-evaluated after some period of time, or whenever drastic changes are made to the business activities to which they apply.

Provision of a Risk Analysis

Based on the security goals described above, the current state as well as foreseeable risks must be identified and analysed (see e.g. [9] for a list of risk-related online resources). Such an evaluation cannot be conducted monolithically for the organisation as a whole, but must be focussed on individual fields of activity, with the active participation of the responsible level of management as well as external specialists, if needed. The typical risk classes which need to be addressed are structured as follows:

Depending on the volatility of the security goals or of the analysed organisation and its activities, this analysis – if necessary separated into sub-activities – must be repeated and adapted cyclically.

Development of the Security Concept

In the next refinement step, it must be determined which objects (systems, components, networks, data collections etc., as well as abstract objects such as processes and characteristics) are to be protected against which specified threats, and in what way. In this step the respective "owners" of these objects (i.e. both IT and business units) must be involved, in order to achieve both a correct representation and as high an acceptance of the measures as possible. Additionally, corporate functions such as legal services, the compliance office, internal audit, continuing education units etc. must be involved in the discussion and the decision process. However, it must be noted that the role of these units is increasingly limited to supplying decision bases for senior management, and not to the mandatory sanctioning or forbidding of fully known business processes and operations. The security concept, or the collection of information that details the concept, is substantially more volatile than the collection of the superordinate security goals. Its contents must be adjusted whenever either the superordinate goals or substantial elements of the organisation are changed (changes in the business activity, mergers etc., or changes to the IT architecture, e.g. through outsourcing).

Realisation through a Security Organisation and Guidelines

The IT security organisation, which is responsible for the realisation of the security guidelines, consists of different elements, whose co-operation is essential for success. Members of the IT security organisation usually are:

The described security process, the competencies and the instructions resulting from it must be fixed in writing, formally accepted by the decision makers of the organisation and issued as binding guidelines. Typically the security goals are issued by management in the form of general security guiding principles, while the IT organisation is responsible for all subordinate documents (usually a central IT security manual as well as subordinate technical documentation and collections of security-relevant material). All documents intended for daily work, such as work instructions, check lists, decisions etc., as well as material required for training purposes, should be accessible to all employees in electronic form, if necessary protected by selective access rights.

Integration of IT Security into Quality Management

Supervising the observance of instructions and regulations concerning IT security hardly differs in principle from supervising the adherence to other regulations (see e.g. [10] for the application of quality assurance methods to IT security). If a quality management system is already in use in the organisation, it is beneficial to merge the supervision and improvement of IT security with the existing quality assurance measures and testing methods (e.g. by guidance during project phases, provision of phase reports with co-ordinated checkpoints, and IT security check lists etc. for projects and procurements). If quality circles, review boards or other quality assessment bodies exist which are charged with supervising the further development of the IT strategy or IT architecture, IT security should be integrated into these activities as well.

Measures for Continuous Supervision and Improvement

IT security measures must be adapted constantly to innovations and to changed internal and external conditions. A security methodology becomes outdated as quickly as the IT base it is meant to protect. The permanent improvement and updating of methods as well as tools is thus a substantial part of a well-defined IT security process. It is the role of the IT security organisation to continuously carry out this self-check and self-improvement – however, this process must be accompanied by cyclic external examination of the security organisation and its documentation (e.g. by external audits or other external specialists). Additionally, improvement suggestions from employees and management play a substantial role, as do constant updating to "best business practice" and constant comparison with competing organisations in the market.

4. Conclusions

By intention, this paper has given a rather gloomy view of IT security: while many dedicated individuals struggle to maintain what they assume to be the optimum between security requirements and business opportunities, a large number of problems and pitfalls currently hinders the development of a common understanding of what IT security can do, and what it can’t do.

To this end, this paper has tried to outline elements of an IT security framework and their interdependencies, as the basis for discussion in organisations striving to adhere to the stringent security standards which will be expected from customers and counterparts alike in the near future.

5. References

[1] C. Kaufman et al., Network Security, Prentice Hall, Englewood Cliffs, 1995

[2] W. Stallings, Network and Internetwork Security, Prentice Hall, Englewood Cliffs, 1995

[3] W. Diffie, M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No. 6 (1976), pp. 644–654

[4] FIRST – Forum of Incident Response and Security Teams: http://www.first.org

[5] Deutsches Bundesamt für Sicherheit in der Informationstechnik – IT Grundschutzhandbuch: http://www.bsi.bund.de

[6] http://www.intiss.com/islinks.html

[7] http://www.geocities.com/CollegePark/Center/8086/computercrime.html

[8] ISO/IEC 13335 – Information Technology – Security Techniques – Guidelines for the Management of IT Security (GMITS)

[9] http://rmisweb.com

[10] ISO/IEC 15443 – Information Technology – Security Techniques – A Framework for IT Security Assurance

Vitae