Security: It's Not Just About Keeping the Bad Guys Out

By Dean Adams
Security & Electronic Commerce
The Open Group

Where is the enemy?

Forget the headline-grabbing stories about hackers on the Internet. Although some of these reports may tell of real break-in incidents involving clever ways of monitoring and getting into your business, these represent only a small proportion of security incidents. The majority of security breaches are inside jobs, and because those on the inside know more about your business and IT infrastructure than those on the outside, the costs associated with these breaches can be much higher, and the incidents more damaging.

This is not to say that you should ignore threats from the Internet, but if you concentrate on technologies such as firewalls to protect you from external attack, confident that you are adequately protected, you may be overlooking many of your most serious risks.

So who are these people on the inside, and why could they pose a threat?

Some of the most common ways in which security is being threatened from the inside are:

If the company is to permit staff to have intimate knowledge of its most private affairs and daily business, it needs to protect itself. The first thing that any company needs to secure its business operations is a security policy that clearly defines what is to be protected and why, and what responsibilities lie with which staff. This is then supported by company standards for the protection of particular business assets or covering particular technology areas such as connections to the Internet.

To properly secure business operations, adequate controls and protective measures are needed in three broad areas. The company's connection to the Internet must offer protection from unauthorized outsiders wanting to get in, or unauthorized information being sent out. The enterprise network should be properly supported by security services that enable secure, distributed application processing and help to further subdivide the enterprise network into business-defined security domains. Finally, all computing platforms should offer adequate and consistent security features to ensure that important resources and assets are protected, and all users are made accountable for their actions.

Money, money, money

Most companies are not in the business of "doing security," but are in the business of doing business. Consequently, expenditure to improve security competes against a multitude of other proposals that have nothing to do with security, but show a clear positive impact on the "bottom line." In the past, technical and sales professionals have tried to justify security expenditure by telling horror stories of what could happen, usually unsuccessfully. Business managers understand and respond to risk assessments and cost benefit projections.

If the costs associated with annual expected losses, plus the costs associated with recovery from them, are greater than the cost of the protective measures installed to avoid them, amortized over the expected lifetime of those measures, then there is a clear business case.
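The comparison above, worked through in code. This is an added example and not part of the original article; the threat entries, the control's costs and its four-year lifetime are constructed figures, and the `Effectiveness` field is an assumption that generalizes the article's case (a control that avoids all of the loss) to one that avoids only part of it.

```go
package main

import "fmt"

// Threat is a constructed entry for one risk the proposed control addresses.
// AnnualLoss is the expected annual loss from it; Recovery is the expected
// annual cost of recovering from the incidents behind that loss.
type Threat struct {
	Name       string
	AnnualLoss float64
	Recovery   float64
}

// Control describes the protective measure being proposed (assumed fields).
type Control struct {
	PurchaseCost  float64 // one-off cost, amortized over LifetimeYears
	AnnualRunning float64 // yearly operating cost (administration, licences)
	LifetimeYears float64
	Effectiveness float64 // fraction of the exposure avoided, 0..1; the article's case is 1.0
}

// AnnualCost amortizes the purchase over the lifetime and adds the running cost.
func (c Control) AnnualCost() float64 {
	return c.PurchaseCost/c.LifetimeYears + c.AnnualRunning
}

// AnnualExposure sums expected annual losses plus recovery costs over all threats.
func AnnualExposure(threats []Threat) float64 {
	total := 0.0
	for _, t := range threats {
		total += t.AnnualLoss + t.Recovery
	}
	return total
}

// BusinessCase returns the annual net benefit of the control: avoided exposure
// minus annualized control cost. A positive value is the article's "clear
// business case"; a negative one means the control costs more than it saves.
func BusinessCase(threats []Threat, c Control) float64 {
	return AnnualExposure(threats)*c.Effectiveness - c.AnnualCost()
}

func main() {
	// Constructed figures, not taken from the article.
	threats := []Threat{
		{"insider misuse of customer records", 40000, 15000},
		{"Internet break-in", 10000, 5000},
	}
	ctrl := Control{PurchaseCost: 60000, AnnualRunning: 12000, LifetimeYears: 4, Effectiveness: 0.75}
	fmt.Printf("exposure/yr: %.0f  control/yr: %.0f  net benefit/yr: %.0f\n",
		AnnualExposure(threats), ctrl.AnnualCost(), BusinessCase(threats, ctrl))
}
```

Presenting the result as an annual net figure, rather than as a story about what could happen, is the form of argument the article says business managers respond to.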

Standard security

Security contributes to the bottom line in other ways, particularly if standards are involved. Standards reduce the need for costly custom-made patches that are otherwise required to make different components interoperate, and they support cost-reducing application portability. The consistency offered by standardization helps to make administration across the organization easier and cheaper, since fewer expensive product-specific consultants are required.

I'll sue!

Real business on the Internet (i.e. exchanging contracts, buying and selling goods and services) is not viable unless an entirely new set of facilities is made available. These include confidentiality and integrity protection and digital signatures.

For the Internet to replace the paper shuffle and provide a new method of doing business, it must be capable of providing evidence that a particular transaction has occurred and that particular entities were involved in a transaction. If this evidence cannot be provided to the satisfaction of a court of law, then electronic transactions cannot be counted on to meet the needs of business. Hence, the provision of security services on the Internet has as much to do with supporting the legal requirements of business as with keeping the bad guys out of your company.
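The kind of evidence the two paragraphs above call for, shown with a digital signature over a transaction record. This is an added example, not code from the article or from The Open Group: the `Transaction` record and its field values are constructed, and Ed25519 from the Go standard library stands in for whichever signature algorithm a deployment would actually use. It demonstrates the two properties a court would need: that the record was not altered after signing, and that the signature was made with a particular key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed record of the kind the article has in mind:
// two named parties, what was agreed, for how much, and when.
type Transaction struct {
	Buyer     string `json:"buyer"`
	Seller    string `json:"seller"`
	Item      string `json:"item"`
	AmountGBP int    `json:"amount_gbp"`
	Timestamp string `json:"timestamp"`
}

// SignedTransaction is the record plus the buyer's signature over its
// canonical encoding; Signer is the public key the signature is checked against.
type SignedTransaction struct {
	Record    Transaction
	Signature []byte
	Signer    ed25519.PublicKey
}

// canonical returns the exact bytes that are signed. encoding/json writes
// struct fields in declaration order, so both parties (and, later, anyone
// asked to re-check the evidence) produce identical bytes from the same record.
func canonical(tx Transaction) ([]byte, error) {
	return json.Marshal(tx)
}

// Sign produces the evidence: only the holder of priv can create a signature
// that verifies under the matching public key.
func Sign(tx Transaction, priv ed25519.PrivateKey) (SignedTransaction, error) {
	msg, err := canonical(tx)
	if err != nil {
		return SignedTransaction{}, err
	}
	return SignedTransaction{
		Record:    tx,
		Signature: ed25519.Sign(priv, msg),
		Signer:    priv.Public().(ed25519.PublicKey),
	}, nil
}

// Verify checks integrity (the record has not been altered since signing) and
// origin (the signature was made with the private key matching Signer).
func Verify(s SignedTransaction) bool {
	msg, err := canonical(s.Record)
	if err != nil {
		return false
	}
	return ed25519.Verify(s.Signer, msg, s.Signature)
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample transaction.
	tx := Transaction{"Acme Ltd", "Widgets plc", "500 widgets", 12000, "1997-01-15T10:00:00Z"}
	signed, err := Sign(tx, priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("original record verifies:", Verify(signed))

	// A party that later disputes the price cannot change the record without
	// invalidating the evidence.
	altered := signed
	altered.Record.AmountGBP = 1200
	fmt.Println("altered record verifies:", Verify(altered))
}
```

What the signature proves is that a particular private key was used; tying that key to a named legal entity is the job of the public key infrastructure the article mentions later, without which "particular entities were involved" cannot be established.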

Trust standards

A business may question why it should base its IT infrastructure on security standards. It may think that adopting custom or unique security measures, different from everyone else's, would be a more effective form of security. This type of thinking, termed "security through obscurity," does not work because organizations have to communicate. Business information systems are increasingly interconnected because they have to communicate vital information such as invoices, payments, correspondence, proposals, etc. In fact, almost anything that can be written, designed, photographed or recorded is sent from one computer to another. As businesses consider the cost-effectiveness offered by electronic commerce, the requirement for business systems that are compatible with business partners increases further.

It is also very difficult for a business to gauge the strength of the security measures it uses. As a result, it could be operating its business with technology that has an unknown gaping security hole.

The answer is to use security measures that have been developed in an open, public forum. Measures that are still able to resist attacks even after the details of their operation have been scrutinized in public are safe. Clear examples that demonstrate the effectiveness of this approach are in the establishment of the DES and RSA encryption standards. A potential attacker will not be able to breach the security barrier even if the security measure is well known.

The Open Group is developing, with its members, a set of de facto, open security standards for the computing industry that enforce a new superior level of security capabilities for distributed systems. Products conforming to these standards are backed by the guarantee offered by the X/Open brand.

These standards start with Baseline Security 96, backed by over 150 of the world's largest customer companies and defining a standard set of security facilities for operating systems, as well as default settings that are in place at installation. Secure Communications Services is a standard based on the IETF (Internet Engineering Task Force) GSS-API and provides mutual authentication between software components in a distributed environment, protecting against masquerading attacks and then protecting the ongoing communication between them. The Generic Cryptographic Services provides business applications with access to cryptographic tools, while allowing portability across differing cryptographic algorithms.
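Mutual authentication between two software components, as the paragraph above describes it, reduced to its essentials. This is an added example and not GSS-API or any Open Group code: it uses a shared key and HMAC-SHA256 challenge-response, with the component names, the key and the message layout all constructed for illustration. It shows the property the article attributes to the standard: a component that does not hold the key cannot masquerade as either party, and the two genuine parties end up with a session key that can protect the communication that follows.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer models one software component. Key is a secret shared with its
// partner (assumed to have been issued out of band, e.g. by a key server);
// nonce is this peer's fresh random value for the current exchange; Session
// is the key both sides derive once authentication succeeds.
type Peer struct {
	Name    string
	Key     []byte
	nonce   []byte
	Session []byte
}

// mac computes HMAC-SHA256 over the concatenation of parts.
func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func newNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Message 1: the initiator sends its name and a fresh nonce.
func (p *Peer) Challenge() (string, []byte) {
	p.nonce = newNonce()
	return p.Name, p.nonce
}

// Message 2: the responder proves it holds the key by MACing the initiator's
// nonce together with its own, which it sends along.
func (p *Peer) Respond(initiator string, initNonce []byte) (string, []byte, []byte) {
	p.nonce = newNonce()
	return p.Name, p.nonce, mac(p.Key, []byte(initiator), initNonce, []byte(p.Name), p.nonce)
}

// Message 3: the initiator checks the responder's proof (a masquerader without
// the key cannot produce it), then proves itself over the responder's nonce.
// The two proofs use different field orders so one cannot be replayed as the other.
func (p *Peer) Confirm(responder string, respNonce, proof []byte) ([]byte, error) {
	expected := mac(p.Key, []byte(p.Name), p.nonce, []byte(responder), respNonce)
	if !hmac.Equal(expected, proof) {
		return nil, errors.New("responder failed to authenticate")
	}
	p.Session = mac(p.Key, []byte("session"), p.nonce, respNonce)
	return mac(p.Key, []byte(responder), respNonce, []byte(p.Name), p.nonce), nil
}

// Message 4 arrives here: the responder verifies the initiator's proof.
func (p *Peer) Accept(initiator string, initNonce, proof []byte) error {
	expected := mac(p.Key, []byte(p.Name), p.nonce, []byte(initiator), initNonce)
	if !hmac.Equal(expected, proof) {
		return errors.New("initiator failed to authenticate")
	}
	p.Session = mac(p.Key, []byte("session"), initNonce, p.nonce)
	return nil
}

// RunHandshake drives the four messages between initiator a and responder b
// and reports whether both sides authenticated and agree on a session key.
func RunHandshake(a, b *Peer) error {
	aName, aNonce := a.Challenge()
	bName, bNonce, bProof := b.Respond(aName, aNonce)
	aProof, err := a.Confirm(bName, bNonce, bProof)
	if err != nil {
		return err
	}
	if err := b.Accept(aName, aNonce, aProof); err != nil {
		return err
	}
	if !bytes.Equal(a.Session, b.Session) {
		return errors.New("session keys differ")
	}
	return nil
}

func main() {
	shared := []byte("constructed-shared-secret") // constructed, not a real key
	orders := &Peer{Name: "OrderEntry", Key: shared}
	ledger := &Peer{Name: "Ledger", Key: shared}
	fmt.Println("genuine peers:", RunHandshake(orders, ledger))

	// A component claiming to be the ledger but lacking the key is rejected
	// by the initiator before any business data is sent.
	fake := &Peer{Name: "Ledger", Key: []byte("guess")}
	fmt.Println("masquerading responder:", RunHandshake(orders, fake))
}
```

Because each side's proof covers the other side's fresh nonce, recording one exchange and replaying it later does not authenticate, and because the session key is derived from both nonces, traffic protected under it is tied to this exchange only. A real deployment would take the shared or public keys from the security infrastructure rather than embedding them as here.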

More standards are underway, completing a range of security services for the enterprise-wide network, including Single Sign-On, Distributed Auditing and Secure Backup and Restore. In addition, standards that support business operations on the Internet are also on the way, including Internet Firewall, and standards for a Public Key Infrastructure. This latter piece of work is being done in cooperation with the IETF and other organizations to ensure that companies worldwide can conduct business interoperably, securely, and with the necessary features to support legal and regulatory frameworks.