Turning security into an asset
RSA Conference sponsors speak out.
By Bryan Betts, Techworld | Published: 21:00, 07 August 2007
With RSA Conference Europe just a couple of months away, Techworld recently took the opportunity to talk with some of the event's top sponsors - RSA itself (now owned by EMC), Oracle, SafeBoot and Microsoft, plus an analyst - to find out what they believe should be top of the agenda for the conference, and where they're currently focusing their security efforts.
A major issue for all was the secrecy that currently surrounds security breaches, and whether Europe needs a mandatory disclosure law, as is already in place in parts of the US. Most of those present agreed that it does, though not always for the same reasons.
To disclose or not to disclose
"Mandatory disclosure is a good idea provided the breach is significant - it has to be assessed," said Patrick McLaughlin, Oracle's EMEA security director. "I would like to see the Data Protection Office in each country able to decide if the breach is significant enough to warrant public disclosure. You could tell the individuals affected."
"It has to be a good thing, as it will make companies think about how they protect their customers," agreed Richard Nichols, EMEA business development manager at RSA. "Organisations that want to collaborate and use the Internet have to take responsibility for that."
Even the dissenting voices acknowledged that keeping disclosure voluntary would cause even more problems than not mandating it does today. Among them was Microsoft UK's chief security advisor Ed Gibson, who argued that while breaches should be disclosed, the same was not always true of security vulnerabilities.
"I would prefer voluntary disclosure," he said. "But not everyone would volunteer because brand protection will always come first, so to provide a level playing field it has to be legislated."
He added that while open vulnerability reporting has the advantages of collaborative fixing and testing, the downside is that it also publicises it. He therefore repeated the line that many (though not all) security researchers have held for some time now - that if you find a fault, you don't tell everyone, you start off just telling the supplier.
And he pooh-poohed allegations that large software companies sometimes ignore reports from third-parties, leaving vulnerabilities unpatched for weeks or even months, claiming that "all the big vendors have ways of handling problem reports," and it's just a matter of finding and using the correct channels.
The threat is criminal - and financial
So why is breach disclosure so important? One reason is, quite simply, that secrecy makes it harder for the industry as a whole to assess where the threats are coming from - and in particular, that the biggest risk now is of being targeted by criminals, not merely nosey staffers or amateurs out to make a name for themselves.
"60 percent of hacks are kept secret", said Oracle's McLaughlin. "The number one threat now is professional hackers, and it has been for some time. Others bring up the internal threat - it can be people with a grudge, but in some cases information is sold on," so it's still professional, he added.
"Insiders have always been an issue," agreed Tony Lock, an analyst with Freeform Dynamics. "It's who guards the guardians, and that's people and processes."
He added that while there are both malicious and non-malicious direct internal threats, there are indirect threats too. Staff could reveal sensitive information accidentally, or as a result of social engineering.
"People who are not trained are vulnerable," he explained. "People do things that they don't think about the consequences of, such as prepare or answer RFPs on a laptop on a plane, where other passengers can look in."
But is the risk a serious one?
All agreed that a major challenge for organisations is knowing what to protect - and how much to spend on protecting it. The temptation for IT staff may be to protect everything, just in case, but that is usually going to be both expensive and counter-productive - if security gets in the way of users' daily work, they will find ways to circumvent it, rendering it useless.
The added complexity of working relationships with outsourcing, subcontracting, extranets, collaboration and so on, has made it even more of a problem to balance the need for access to systems and information with the need for security, said RSA's Richard Nichols. In particular, it makes it more important than ever to understand the value of information and control which users have access to it.
"Security has always been a bolt-on - it was a perimeter model," he said. "But that doesn't help us collaborate with partners, so the perimeter was complemented with identity security, but arguably that's not enough so now organisations are having to take a more proactive response - they have a perimeter and identity in place, but also build something into the application to identify data and classify it."
Oracle's McLaughlin agreed, warning that it is no longer a simple matter of roles-based access. "It's one thing to say 'X can access the payroll', but which salaries can he see? It's orthogonal," he said.
And he pointed out that it is not just a matter of losing or exposing valuable information or secrets. Regulatory issues must also be considered, as must the risk of damage to an organisation's public standing or credibility.
"People are starting to look and classify their data according to the greatest risk or embarrassment, for instance protecting the board of directors' communications," he said. "I think the risk management message is finally getting through."
The fact that some organisations have already been hit with penalties for security failures is also helping here - although it is not proving as persuasive in Europe as in the US. As a result, organisations are at last taking laptop data encryption seriously, said SafeBoot marketing director Tom de Jongh.
"People can now imagine from the SEC fine how much it could cost them not to do it," he said. "Their top concern though is the value of the brand, and then regulatory compliance."
Security on the balance sheet
The other problem identified by our speakers was that security is seen as a burden, and one which - in a different world - organisations would prefer to do without altogether. Too few calculate the reward that it brings if you come under attack, said Tony Lock.
"People measure the cost of security, not the value of doing it - or rather, the value of not doing it,"he added. "That is changing, but slowly. There's a lot of work still needed though - most SMBs don't regard IT as the key thing in their business."
The need to invest in security is in effect an insurance policy. It is a cost without any pay-back or revenue, but it is one that is intended to save you from incurring and even greater cost elsewhere, and it needs to be calculated as such.
In the longer term though, there are security measures that could actually generate pay-back, in terms of cost savings even if not direct revenue. Key ones here are identity management and single sign-on, said Oracle's McLaughlin.
"Things like single-sign on (SSO) can save money and increase security," he said. "It means there's fewer passwords to protect and simpler provisioning; also, pushing [password re-set] self-service to the users can increase productivity."
"Identity management takes that out of the individual applications and makes it a re-usable service, and that ties into business agility, which is more of a concern in Europe than compliance."