Specifications

PC MAGAZINE SEPTEMBER 16, 2003 www.pcmag.com
Although the tech industry has languished in the past few years, recent events, threats, and legislation have buoyed the area of information security. The events of September 11, 2001, highlighted the importance of business continuity planning. Code Red and Nimda demonstrated vulnerabilities in commonly used products. And violations of privacy and shareholder trust have led to increased government regulation. These factors have resulted in widespread calls for increased accountability among senior management throughout the corporate world.
This is in turn pushing network and information security in new directions. The recent California State Bill 1386—among many other state and federal acts and laws—will have far-reaching consequences for IT departments and networking in general. For example, Bill 1386 in particular protects California residents’ personal information and requires any organization with such data in computerized format to disclose security breaches. This law is likely to foster similar legislation throughout the nation.
The burden to comply with or at least track new government requirements falls on the shoulders of IT administrators. They must ensure that access control, information security, and audit systems are built into the applications and processes their companies use. And many organizations have also begun to require certification for information security professionals, most commonly CISSP certification from (ISC)² (www.isc2.org) or GIAC certification from The SANS Institute (www.giac.org).
As the frequency of information theft or vandalism increases, so does the scope of responsibility in protecting a network. More and more organizations are establishing the role of a chief security officer (CSO) or chief information security officer (CISO), responsible for managing risk for an entire corporation. That role should eventually carry as much clout as other executive offices.
The need for centralized security management tools and reporting capabilities is spawning many new and diverse management products. Application-level filtering products (for Web, e-mail, instant messaging) will be used more widely to track employee activities and will be crucial for auditing the flow of corporate information to protect corporate assets and to adhere to government regulations.
While government regulations and privacy issues are shaping trends at the highest levels of information security, many specific threats will remain unchanged.
“As a security professional, my number-one issue is the vulnerabilities that ship with commercial software,” says Bruce Brody, CISO for the Office of Veterans Affairs. “There’s not enough time in the day for the amount of patching, hardening, and configuration management that we face in an enterprise of more than 200,000 users.”

Dealing with such vulnerabilities will remain an IT burden for organizations of all sizes. Also high on Brody’s list of future perils for network administrators is the possibility of attack from outside an organization. “Making sure we know the external boundary of our enterprise very well, determining how many connections there are into and out of the enterprise, reducing the number of gateways, and hardening and centrally managing the few gateways that will remain in our enterprise are key,” he says.—Matthew D. Sarrel
“Think of climbing Mount Everest and being at sea level right now, and then when you reach the summit, you find that wasn’t your objective at all, because you still have to go to the moon.” To Bruce Brody, CISO for the Office of Veterans Affairs, this analogy epitomizes the future of network security—a constantly evolving uphill battle.
Authentication and identity management will play a huge role. As every device becomes part of an interconnected mesh network, verifying that a device and its user are what and who they claim to be becomes paramount. Unique identifiers will be built into hardware and software for authentication and digital-rights management. Every device will probably include a dedicated encryption processor, and most network communications will be encrypted and digitally signed. Centralization of security controls and policies will be critical, and biometrics will become more commonplace. The primary focus will shift from the network perimeter to individual devices that require application-layer security.
Ron Baklarz, CISO for the American Red Cross, suggests that in five to ten years we still will be facing many of the same threats: “If you look at how the Internet has progressed over the last six or seven years, you see many of the same problems, only they’re magnified 1,000 times because people have gotten better at being malicious—a trend that will grow even more worrisome, because e-mail as a vector (and the killer app of our day) remains so tantalizingly attractive to hackers.”
In a few years more
Security
New regulations and threats will force companies to rethink their ideas about IT.