Today’s increasingly hostile IT environment is forcing companies to come up with new strategies to defend their data, according to participants at a security roundtable held in Toronto on Wednesday.
The statistics back up this dramatic increase in malicious code. There have been more level three and level four (out of five) worms, Trojans and viruses in the first six months of 2004 than all of 2003, according to both Symantec Corp. and McAfee Inc.
As Canadian companies acquire more and more technology they will have to learn of ways to “devolve” security from an entity traditionally owned by corporate security to one where it is controlled by individual job roles, said Robert Garigue, chief information security officer with BMO Financial Group. Garigue said firewalls, for example, have “devolved” from a security appliance to a network appliance issue, one no longer controlled by the security arm of a company.
Acceptable firewall parameters are still dictated by security, but the day-to-day operations are controlled by the network administrators. It is important for security best practices to become an operational issue and “part of the textures of the (job) routines,” he said. In order to do this, Canadian banks are creating a foundation for knowledge transfer, so best practices become routine, he said. Garigue is the chairman of a group of financial institution vice-presidents who work together to achieve this goal.
Another security strategy increasingly used by corporations, according to both John Weigelt and Jack Sebbag, is the notion of defence in depth. This strategy involves both an increased relationship between policies, procedures and products as well as the consolidation of vendor technology in the market.
“We are seeing [companies] focus on the complete picture,” said Weigelt, chief security advisor with Microsoft Canada Co. Customers are taking an in depth look at that happens when one component fails within a system and how other technologies and procedures seamlessly take up the work load when a system fails, he said.
This is a good strategy since “code writers are getting better and better at their craft (and)…there is no 100 per cent security,” agreed Sebbag, the Canadian general manager of McAfee Inc. Sebagg also pointed to a confluence within the security vendor market, as a bit of buying spree is going on. Larger players are buying smaller, niche, security companies to round out their offerings. McAfee recently bought Foundstone, a vulnerability management company.
Garigue also said technology “vendors recognize that they have to share a lot more information” with their clients about their technologies so that companies can get “policies at all levels to talk to each other.” For security to work, “that whole stack…from mainframe to consumer…has to be aligned,” he said. Both Sebbag and Weigelt agreed that improved communication between vendor and client is needed. Microsoft often points to the fact that last year’s Blaster worm was successful because systems were not patched, though a patch was available. In order streamline the communication between vendors and clients, and to simplify the patching process, Microsoft has limited patch releases to the first Tuesday of each month.
Where the participants had some disagreement was over the role of government in creating IT security regulations. Both Weigelt and Sebagg said they were against it — that the IT industry, with organizations like OASIS (the e-business standards organization with the likes of IBM Corp., Microsoft and SAP AG on board) can take care of itself.
But Garigue said it is a moot point to some extent since governments have a mandate to protect citizens’ privacy. The creation of rules around the sharing of private information in the form of privacy laws will force “new types of systems architectures” in reaction to the legislation, he said.
Garigue also pointed to the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) as an emerging institution uniquely able to understand — at a more granular level than industry is capable of — the interdependent nature of those areas of the Canadian economy which rely heavily on technology such as utilities and telecom.
Regardless, all participants agreed that IT security is at a “tipping point,” where technology will no longer drive the security debate. “You are not going to get a strategic advantage around technology anymore,” Garigue said, noting it will change “from a technology debate to an information management debate.” In the future, security will be about trusting data — looking at if it has been modified or not — not the technology surrounding the data.