Creating a secure corporate Internet infrastructure

Internet access can make or break a company. With customers, suppliers, partners and employees all needing unhindered, secure access, designing an efficient and effective Internet access control strategy is of paramount importance. ComputerWorld Canada senior writer, Chris Conrath, recently spoke with Peiyin Pai, Computer Associates’ eTrust brand manager, about keeping corporate sites secure and centralizing the access control infrastructure.

CWC: Are companies paying enough attention to security?

Pai: The first thing a company has to think about with new technology is to make money. You wouldn’t want to create super security before you start making money. So security generally wouldn’t be the first thing companies consider. However, with the headlines nowadays security awareness is much, much improved. So I am really pleased to see that as well. I would say security awareness is really high when compared to some other (business) components. People hack into really high profile sites like Yahoo, but other places are equally vulnerable in this situation, so midsize and smaller companies need to have awareness that they are sometimes targeted.

CWC: Smaller companies tend to think they are less likely to be hacked. Is there any truth to this?

Pai: I know of several midsize companies with a presence on the Web that have had their databases hacked into. Their database information was stolen and organized crime, in these cases, demanded ransom for the information. So this kind (of breach) may not get reported. An FBI report said that a little bit above half of security incidents are being reported. That means that a substantial amount is not being reported. So [small companies] need to be aware that this is a potential risk. Because nowadays [hacking] technology is so prevalent, on the Internet you can download hacking tools…all these companies need to be aware.

I think education and awareness need to be set into their business practices and it has to come from higher management. The end user can say that they have security issues, but the issues cannot be addressed until the higher-ups say we need to implement it or until the entire company culture is built up (to understand the risks of non-compliance). There is one Web site (Pai didn’t want to single it out) that was hacked and I think it brought down almost the entire company. So that kind of incident doesn’t show up in the New York Times or some other paper, but they do happen. We are not trying to scare people saying you are going to be hacked so you have to do this or that, but that [security] is more of an enabler in that you want to protect what you have.

CWC: Why are certain industries seemingly doing a better job with security than others?

Pai: History (financial institutions have a long security tradition) is one attribute but the other is just simply the demand of the government regulations. If your company cannot practice safe transactions then your company is going to be fined. The HIPAA (Health Insurance Portability and Accountability Act) requirement says to the medical field, if you disclose your information you are going to be fined and it is going to be a huge amount. So all of this pushes those key industries to be security aware and they are actively engaging with security companies like us. Other consumer or more commercial types of businesses are following. I see that security is maturing. It is still in the growing process but it is maturing. So say in maybe the next few years it will be mature enough that it is just part of standard (business) practice.

CWC: Today there are millions of remote workers with access to corporate data. The VPN is also a favourite access point for hackers. How do companies get mobile workers on board with security policies?

Pai: I think that it is really coming down to the (corporate) culture again. The technology in the (VPN) area is more mature than in other areas. However, how do you make sure your internal policies work, like (having employees) not making a password too easy to guess or them forgetting to close their access? (It is important) that employees know that when they go through a VPN, even though it is encrypted, they are still going through the Internet. The company needs to set up policies…as well as educating employees. The first step is risk assessment to find where the vulnerabilities are, where the weaknesses are and then to address them. Then, at the end, you need to do auditing and monitoring, so if you see incidents of abnormal behaviour or activities you will be able to react quickly.

CWC: Will the Internet ever get to the point we don’t have to remember 20 passwords?

Pai: I would really hope so. I think we are getting really close with both sophisticated technology as well as poor man’s technology. Technology is maturing but it is still a climbing curve to get there.

CWC: What about our access being controlled by smart cards, USB keys or some other sort of hardware?

Pai: I think it will be led by some key industries like financials. Those are the early adopters of technology for security. For regular users, if they lose their account on or eBay, they don’t care, they will create another one. So at that level I am not sure (hardware solutions) will be there. The security demands are lower and in return, technology may not grow as sophisticated as some other critical transactions. From the users’ point of view they don’t lose anything as long as they keep the critical e-mails and addresses, and from the vendor’s point of view eventually it will become a cycle where the average user creates three accounts. Either storage or bandwidth will not become a critical concern because eventually access will become so pervasive and the business intelligence will be built in.

CWC: Today often Internet access is broken down into specific groupings such as customers, partners, employees and suppliers. Where can IT start streamlining so that the process becomes a little less complicated?

Pai: They are sharing the same bandwidth and the technology should be smart enough to differentiate the access. For instance (Computer Associates’) eTrust Web Access Control can be set to allow administrators to do these things, and vendors or partners can do those, and the customers can do those. They are all sharing the same technology. To a degree you want the information integrated so you can identify a problem and where it is coming from. You don’t want disparate systems and then (having users) trying to visualize what is going on across different systems. Technology itself should be able to provide this capability. There are major vendors, like Computer Associates, that have the Web access technology. Beyond that it is how well the Web access control is integrated. To do simple authentication and authorization is easy and has been done already, but how do you make sure this piece of technology works with all the others? That will really become the next focus. Web access is not a stand-alone or an isolated technology.

CWC: Who decides security levels – is it still driven by the business people rather than the security people?

Pai: People are becoming more security aware. Security is becoming part of the business because people realize that if they don’t have a secure environment for protection of their customers’ privacy then they may not have a business. So I would say…that is part of the business decision.

CWC: How can security be viewed as an enabler and not an inhibitor?

Pai: When I talk about Internet access I emphasize enablement more than protection. If you still need to jump through one firewall to another instead of going directly from one page to the next, then there is something wrong. The banking industry goes beyond you putting money in the bank and getting interest, (now) it is “I can pay bills for you.” It is enabling you. Say (your company) has gold card member access (to certain limited functionality). It needs security to be implemented. Now (your Web site) is an enabler, so gold card members have five options and silver card members have three. That capability is enabled by security. So it is going beyond the traditional security concepts (that) say that I want protection, it is more e-business…you can access here and not there.
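Two of Pai’s answers describe the same mechanism from different angles: one central access-control layer that tells administrators, partners, suppliers and customers apart (the eTrust answer) and that, by the same policy, gives gold card members five options and silver card members three (the answer above), with the auditing and monitoring of the VPN answer layered on top. The following is an added illustration written for this page, not code from Computer Associates, eTrust, or the interview; the group names, resources, actions and the `Principal`/`AccessControl` types are all constructed assumptions. It shows a default-deny policy evaluated in one place, every decision written to an audit trail, and a simple monitoring check over that trail.

```python
"""Central group-based web access control: default deny, one audit trail, simple monitoring."""
from dataclasses import dataclass, field

# Constructed policy (assumption, not eTrust's format): group -> set of (resource, action)
# pairs that group may use. Anything not listed here is denied.
POLICY = {
    "administrator": {("accounts", "read"), ("accounts", "write"),
                      ("policy", "write"), ("reports", "read")},
    "partner": {("orders", "read"), ("orders", "write"), ("inventory", "read")},
    "supplier": {("inventory", "read"), ("inventory", "write")},
    # Tiered customers: gold gets five options, silver three (the interview's example).
    "customer:gold": {("statement", "read"), ("bills", "pay"), ("transfer", "create"),
                      ("limits", "raise"), ("support", "priority")},
    "customer:silver": {("statement", "read"), ("bills", "pay"), ("transfer", "create")},
}


@dataclass(frozen=True)
class Principal:
    """An authenticated identity and the groups the directory assigned it."""
    name: str
    groups: frozenset


@dataclass
class AccessControl:
    """Single decision point shared by every audience; decisions are logged, never silent."""
    policy: dict
    audit_log: list = field(default_factory=list)

    def authorize(self, principal: Principal, resource: str, action: str) -> bool:
        # A group unknown to the policy contributes no permissions: default deny.
        allowed = any((resource, action) in self.policy.get(group, set())
                      for group in principal.groups)
        self.audit_log.append({"user": principal.name, "resource": resource,
                               "action": action, "decision": "allow" if allowed else "deny"})
        return allowed

    def available_options(self, principal: Principal) -> set:
        """Everything the principal may do, across all of its groups (what the UI should show)."""
        options = set()
        for group in principal.groups:
            options |= self.policy.get(group, set())
        return options

    def users_over_denial_threshold(self, threshold: int) -> set:
        """Monitoring hook: users whose denied requests reached the threshold."""
        denials = {}
        for entry in self.audit_log:
            if entry["decision"] == "deny":
                denials[entry["user"]] = denials.get(entry["user"], 0) + 1
        return {user for user, count in denials.items() if count >= threshold}


def demo() -> dict:
    """Run a constructed sequence of requests through the decision point and summarize."""
    ac = AccessControl(POLICY)
    admin = Principal("alice", frozenset({"administrator"}))
    gold = Principal("gina", frozenset({"customer:gold"}))
    silver = Principal("sam", frozenset({"customer:silver"}))
    supplier = Principal("sue", frozenset({"supplier"}))
    stranger = Principal("nobody", frozenset({"not-a-group"}))   # group missing from policy

    results = {
        "admin_writes_policy": ac.authorize(admin, "policy", "write"),
        "gold_option_count": len(ac.available_options(gold)),
        "silver_option_count": len(ac.available_options(silver)),
        "silver_raises_limits": ac.authorize(silver, "limits", "raise"),
        "supplier_reads_accounts": ac.authorize(supplier, "accounts", "read"),
        "unknown_group_denied": not ac.authorize(stranger, "statement", "read"),
    }
    # The supplier keeps probing the accounts resource; monitoring should notice.
    for _ in range(3):
        ac.authorize(supplier, "accounts", "read")
    results["flagged_users"] = ac.users_over_denial_threshold(3)
    results["audit_entries"] = len(ac.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of funnelling every audience through one `authorize` call is the integration Pai asks for: a single audit trail that already says who asked for what and whether it was allowed, which is what `users_over_denial_threshold` reads to surface abnormal behaviour without a second system to reconcile.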