
Change security tactics: experts

By: Chris Conrath | On: 02 Sep 2004 | For: ComputerWorld Canada

Today’s increasingly hostile IT environment is forcing companies to come up with new strategies to defend their data, according to participants at a security roundtable held in Toronto last month.

The statistics back up this apparent increase in malicious code. There have been more level three and level four (out of five) worms, Trojans and viruses in the first six months of 2004 than all of 2003, according to both Symantec Corp. and McAfee Inc.

As Canadian companies acquire more and more technology, they will have to learn ways to “devolve” security from an entity traditionally owned by corporate security to one where it is controlled by individual job roles, said Robert Garigue, chief information security officer with BMO Financial Group.

Garigue said firewalls, for example, have “devolved” from a security appliance to a network appliance issue, one no longer controlled by the security arm of a company. Acceptable firewall parameters are still dictated by security, but network administrators control the day-to-day operations. It is important for security best practices to become an operational issue and “part of the textures of the (job) routines,” he said. In order to do this, Canadian banks are creating a foundation for knowledge transfer, so best practices become routine, he said. Garigue is the chairman of a group of financial institution vice-presidents who work together to achieve this goal.

Another security strategy increasingly used by corporations, according to both John Weigelt and Jack Sebbag, is the notion of defence in depth. This strategy involves both an increased relationship between policies, procedures and products in the corporation as well as a noted consolidation of vendor technology in the market, where one vendor offers many layers of defence.

“We are seeing [companies] focus on the complete picture,” said John Weigelt, chief security advisor with Microsoft Canada Co. Customers are taking an in-depth look at what happens when one component fails within a system and how other technologies and procedures seamlessly take up the workload when a system fails, he said.

This is a good strategy since “there is no 100 per cent security,” agreed Sebbag, the Canadian general manager of McAfee Inc. Sebbag also pointed to a confluence within the security vendor market, as a bit of a buying spree is going on. Larger players are buying smaller, niche security companies to round out their offerings. McAfee recently bought Foundstone, a vulnerability management company.

Garigue also said technology “vendors recognize that they have to share a lot more information” with their clients about their technologies so that companies can get “policies at all levels to talk to each other.” For security to work, “that whole stack...from mainframe to consumer...has to be aligned,” he said. Both Sebbag and Weigelt agreed that improved communication between vendor and client is needed. Microsoft often points to the fact that last year’s Blaster worm was successful because systems were not patched, though a patch was available. To streamline the communication between vendors and clients, and to simplify the process, Microsoft has limited patch releases to the first Tuesday of each month.


Chris Conrath is a contributor to the International Data Group (IDG) News Service, which publishes global technology stories from bureaus around the world to more than 300 publications in more than 60 countries.
