
Pwned: why companies need to revisit the basics

By Paul Furber, ITWeb contributor
Johannesburg, 19 Sept 2011

As central control of IT diminishes, whither security? Security of corporate assets has never been more important and yet, paradoxically, never more under threat than today.

The high-profile breaches of giants like Sony and the antics of hacker groups such as Lulzsec and Anonymous show that considerable reputational and financial damage can still be suffered by organisations with poor or slapdash security processes.

What is the future of security in today's always-on, cloud-enabled, mobile IT landscape? Are the basics still important? Herbert Kunzmann, systems integration and technology consultant at Accenture, says yes.

"The basics are more important than ever. If you look at the recent hacks, what was exploited was basic. None of them have been complex hacks, but vulnerabilities in simple things."

Samresh Ramjith, GM of technology and operations for security solutions at Dimension Data, says although some of the components are now commoditised, they still need watching.

"We have conversations with clients and they say anti-virus and firewalls are commodities. Yes they are, from a business perspective; it's the plumbing. But if you don't manage those systems and make sure they're a solid platform, you're not going to be able to move to the next level when encrypting voice, for example."

But malware is also a commodity today, notes Jeremy Matthews, country manager of Panda Security.

"In the anti-malware space, the traditional solutions aren't doing the job. That's why you see people performing traditional hacks because all of the technology we have isn't working against the current generation of malware. The other thing to keep in mind is that malware is available to buy: anti-malware and firewalls may be a commodity but so is malware today."

Another reason the basics get neglected is the technical barrier that still exists between boardroom and techie. Rudi Raath, country manager for TS Consulting at HP SA, points out that security has always been a technical discipline.

"Very few people have the ability to seriously question what the security people tell them: if you have anti-virus and a firewall, you think you're okay and have no need to doubt or question what you're told. There's no way for them to establish their real security posture."

This is part of a deeper problem, says Ockert Cameron, country manager for Dell SA's infrastructure consulting service.

"Two interesting things have happened in the past two years. Firstly, security as a line item in the budget has disappeared. Today you no longer talk about security per se; it's now incorporated or split between different areas in the business. I think that's part of the reason why traditional hacks and traditional breaches are much more common, because there's no single ownership. The second thing is that corporates have become complacent. They've tried, because of globalisation pressures, to split different stacks off to different businesses for cost recovery purposes. Five or six years ago, there was a proposal for a chief security officer role from Gartner. That role, a board member with single ownership, has disappeared."


And although individual products and services may be secure, it's where they interact that holes are found. Blame for this all-too-common state of affairs should fall on the vendors, says Cary de Sousa, enterprise relationship manager at Citrix SA.

"Every vendor selling a solution to a customer pushes their vision of secure by design and that lulls people into a false sense of security. The point is they don't look at the big picture or security from end-to-end."

Tackling the problem

So how do companies approach the problem holistically? Dimension Data's Ramjith says there needs to be more communication between different areas of the business from a risk perspective.

"Risk management in the South African market appears to be mainly business risk management. There's no integration between IT risk and operational risk. Security is seen as an IT function. That means if people are led by OS vendors, they will focus on patch management. If they are dependent on infrastructure vendors, they will focus on configuration. There needs to be a meeting point where the common risk is discussed."

Accenture's Kunzmann agrees.

"A lot of companies that have a risk management strategy do try to jump through the hoops to satisfy the auditors. They have a checklist and once they've ticked it, they're happy. But that is no guarantee of the effectiveness of any control that is in place.

"A lot of security is box-ticking specifically because of the huge disconnect between the checkbox and the actual IT implementation. The managers and the board are happy when they see the checklist because they then assume the IT behind it is effective. Generally, that isn't the case."

Philip Gerber, technical director at Magix Security, says it's about architecture.

"There needs to be discipline about security architecture. Individual systems may be secure but where those different systems intersect, there needs to be quality assurance and a sense of the big picture, and too often that doesn't exist. Internal guys do their own security and others do theirs and hope that somewhere along the line, things are secure."

HP's Raath says he's often seen correct implementations but the maintenance didn't happen and so a previously secure setup deteriorated.

"Nine times out of ten, the basic plumbing was there and working but the basic operational processes and governance to keep it working fell by the wayside. If someone doesn't see something on a day-to-day basis, it's not a problem."

Panda Security's Matthews puts the figure at the same nine in ten.

"What I bump into is that 90% of the time it's bad management, not bad technology and I wonder why three or four years later, we have the same discussion: that it's all about strategy and policy and operations. In other words, it's about execution rather than technology."

That's an ongoing problem, says Ugan Naidoo, MD of security at CA Africa.

"Throughout the entire value chain, we find that very few companies follow through from policy to operations. We have fantastic policy writers but the execution is lacking. We need to see more monitoring of policies - what the architects are saying is being done and those are the guys that have to be making sure it is done. Another problem is that a policy gets written and then never gets updated."
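Raath's point that correctly built controls decay when nobody re-verifies them, and Naidoo's call for monitoring whether what the architects specified is actually in place, both come down to the same operational check: compare the written baseline against the running configuration and report every deviation. The following is an added example, not code from the article or from any of the companies quoted in it. It checks an sshd_config-style file against a policy baseline; the baseline values, the fallback defaults and the sample configuration are all constructed for illustration, and the parser assumes a flat file without Match blocks.

```python
"""Policy-baseline drift check for a flat sshd_config-style file.

Added example (not from the article). Three ways a control can silently
fail are covered: the option is set to the wrong value, the option is not
set at all so the daemon's default applies, or a later line appears to fix
it but is ignored because the daemon honours the first occurrence.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy baseline: option -> value the architects require.
POLICY_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed: values assumed to apply when an option is absent. Treating an
# absent option as compliant is exactly the checklist error the text describes.
DEFAULT_WHEN_ABSENT: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# Constructed sample capture: root login permitted, password auth left at
# its default, and a MaxAuthTries "fix" appended after the original line.
SAMPLE_CONFIG = """\
# constructed sshd_config sample
Port 22
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3
"""

REASON_MISMATCH = "set to a non-compliant value"
REASON_ABSENT = "not set; daemon default applies"
REASON_SHADOWED = "compliant value present but ignored: an earlier line sets it first"


@dataclass(frozen=True)
class Finding:
    option: str
    required: str
    effective: Optional[str]  # value actually in force, None if unknown
    reason: str


def parse_config(text: str) -> Dict[str, List[str]]:
    """Return every value given for each keyword, in file order.

    Keywords are matched case-insensitively. Full-line comments and blank
    lines are skipped; Match blocks are not handled (assumption of this example).
    """
    seen: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword with no value: nothing to compare
        seen.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return seen


def check_drift(baseline: Dict[str, str], config_text: str,
                defaults: Dict[str, str]) -> List[Finding]:
    """Compare the running configuration against the baseline.

    The first value for a keyword is the effective one; later duplicates are
    reported separately so the operator knows why their "fix" did nothing.
    """
    seen = parse_config(config_text)
    findings: List[Finding] = []
    for option, required in baseline.items():
        values = seen.get(option.lower())
        if not values:
            effective = defaults.get(option)
            if effective is None or effective.lower() != required.lower():
                findings.append(Finding(option, required, effective, REASON_ABSENT))
            continue
        effective = values[0]
        if effective.lower() == required.lower():
            continue
        later_ok = any(v.lower() == required.lower() for v in values[1:])
        reason = REASON_SHADOWED if later_ok else REASON_MISMATCH
        findings.append(Finding(option, required, effective, reason))
    return findings


if __name__ == "__main__":
    for f in check_drift(POLICY_BASELINE, SAMPLE_CONFIG, DEFAULT_WHEN_ABSENT):
        print(f"{f.option}: required {f.required!r}, effective {f.effective!r} ({f.reason})")
```

Run against the constructed sample this reports three deviations (root login permitted, password authentication at its default, and the shadowed MaxAuthTries line) and stays silent on X11Forwarding, which is compliant. The same loop, scheduled daily against captured configurations, is the "monitoring of policies" Naidoo asks for: a control is only considered in place while the check keeps passing.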


Scott Martin, director at Infoprotect, says vendors themselves are part of the execution problem.

"I think we know the right approach to security is policy and process, but, having said that, not all of us are unbiased. Some of us have a technology or a brand to which we have to be loyal and we lead with that. An organisation like Sony tries to be impartial but is susceptible to the approach of a company or even an individual with a tarnished approach that may mislead them into thinking what they might need."

But some networks, including Sony's, are undoubtedly becoming more complex and thus harder to manage and secure. Tareque Choudhury, chief security officer at BT EMEA, says: "Some of the reality is that modern companies are becoming more multinational so the networks are becoming much more complex. Sony, for example, has 100 million users on the PlayStation Network, which is a behemoth to manage, let alone secure. Plus, it's very difficult to control borders when your users are everywhere, and that means the basics are hard to stick to."

Mobile questions

Users are everywhere today, so much so that traditional security measures such as physical access control and desktop PC authentication devices are threatened with obsolescence as everyone takes their mobile phones and tablets and moves into the cloud. Citrix's De Sousa says that will force a rethink.

"If a Web site is the gateway into a cloud infrastructure and it can be hacked, then it's going to be a big issue. What organisations are going to need to start doing is contemplate how they will bridge that and how will they get access to their backend resources.

"It's one thing for us to educate them but I think the technology will force them to a point where it will drive that awareness: someone's details will become a very important thing and will determine how they protect customer information."

Chris Norton, VMware's regional director for Southern Africa, says the security perimeter isn't dying.

"It's shifting. With the advent of cloud and when the data centre becomes the core, there will be an edge in there where there will be security. There will also be some end-point security. But what people need to get their minds around is that we won't be installing applications to devices anymore but to profiles that are accessible from any device. At that point identity management becomes critical."


And for mobile devices themselves? Christiaan Brand, CTO at Entersect Mobile, says the approach to security on mobiles is siloed by necessity.

"There are siloed approaches on mobiles because there are myriad different platforms," he says. "If you want to have a solution that works on all operating systems, you have to be sure the underlying platform secures it. And you have to make sure that all the bits and bytes transferred are secured as well."

CA's Naidoo says the smart device should be a view into the world - not the whole world.

"Yes, the boundaries have been disappearing but we still have to get to the stage where the applications are secure rather than getting the underlying provider secure. We find a major disconnect between application development and what can be securely deployed.

"If you want to secure a particular device as well as every other operating system that comes along, then you will have a major challenge ahead. So we've seen customers Web-enabling their applications with the right level of authentication and authorisation and the right level of accounting in the back end."

Julie Tomlinson, senior practice director at Sybase, says ultimately everything will be on the mobile browser, but we're not there yet.

"Now the devices have arrived - 2010 was unquestionably the year of the device - and that's been followed by a huge demand for applications. It's gone beyond e-mail to where everyone wants enterprise information on their phone or tablet or whatever it is. I don't want to have to sit at my desktop to have to access SAP and approve a purchase order.

"I think the ideal situation, which we'll get to in time, is that everything will run inside the mobile browser. But there will be niche applications in particular scenarios that will require code and data to sit on the device. iPad apps need to behave like native iPad apps and when an app sits on a device, it does need to be secured."

Which again brings us back to the question of the basics. Says Infoprotect's Martin: "We're all in the business of protecting digital data and that means protecting all the phases: in use, in transport or on a device. There are multiple links in a security chain and it's our responsibility to advise our customers that we have to secure every step of the way. If we don't, there will be a vulnerability that will be exploited."
