Many companies are spending on corporate security in a fragmented and often directionless way, partly because of the bewildering complexity of security solutions.
As a result, many are investing money into each application and every corner of their corporate network. With budgets being restricted, IT managers need to reconsider how they approach information security and understand how to assess and protect their business critical applications so they can spend effectively.
Why secure applications?
With the use of electronic systems still growing, companies are dealing with an increasing amount of data that is vital to the business. Knowing which applications contain the most business-critical information, and who has access to them, is fundamental to implementing a cost-effective security strategy. The importance of this is highlighted in a survey conducted by the Internet Security Alliance which found that 88 percent of information security professionals believe that protecting information is essential to their company's long-term survival. However, I believe that many businesses have failed in the past in securing applications and the information they contain.
So why is this? For a start, one of the key criticisms leveled at companies with regard to deploying information security solutions is that it is often done in a piecemeal way. For example, instead of identifying which applications are most important, many companies are having a knee-jerk reaction to reports of high profile threats from viruses, hacking and such like. The result is a mix-and-match mess of solutions, often with an overemphasis on certain elements and gaping holes in others. So, in essence, their security infrastructure has grown up by default rather than design.
The first step is to identify which applications are critical to the organization. IT managers need to ask themselves whether all their applications need to have the same level of security. To measure this, a risk assessment program is required to determine where extra layers of security may need to be implemented. Having identified what is most important in terms of potential cost of a security breach or information loss, the company can then ensure the appropriate level of security is given to each application. There is no point in protecting a £100 horse with a £1,000 fence - the investment into security should reflect the value of the asset being protected.
What should be included in a risk assessment?
The areas covered by a risk assessment will vary depending on the organization. Key areas it should address are:
- Identifying which applications are critical to the business. There are some core applications that an organization relies on to survive, while others are peripheral.
- Who is entitled to use them? There are two things to consider here. Firstly, the nature of the data contained in the application. HR and payroll applications hold sensitive information and may therefore require restricted access, whereas everyone usually has the right to use email systems. Secondly, the role of the user and the level of access this requires. For example, a customer relationship management system allows people working within sales and marketing to add data, while employees in other departments will only be able to read the information it holds.
- Where users will be accessing these applications from. With the rise of teleworking, many employees are logging onto corporate networks remotely. As a result, companies will need to consider how to protect core applications that are being accessed from outside the corporate firewall. According to the European Commission there are 10 million teleworkers in Europe, and research from independent analysts IDC predicts the number of mobile workers in Western Europe is set to increase to more than 80 million by 2007. These statistics show this is an increasingly important element of the overall security strategy.
- The devices used to access the applications. Mobile workers access applications from a wide variety of devices - laptops, PDAs and smartphones. Depending on the nature of the applications being used, companies will need to consider the security measures being deployed.
- How application security fits into the corporate business continuity plan. It is often the case that a firm needs uninterrupted access to certain applications in order to survive. To prevent any downtime, additional resilience measures may need to be taken. These applications will differ from business to business, but may include CRM systems (such as customer order tracking/handling systems) or transaction-based services.
Companies also need to ask themselves how they will cope if critical applications go down for several days, how much money it would cost the company in lost sales or customers, and who is liable for such losses. This is something that in my experience many companies have overlooked, in some cases until it is too late.
So, once an organization has ensured it has a robust risk assessment strategy in place, enabling it to understand where its most valuable assets and applications lie, what does it need to do next in order to implement an appropriate security policy protecting its business-critical applications?
As discussed above, one of the key things that businesses need to address is knowing who is accessing applications and what they are allowed to do with them: authentication (establishing who the user is), authorization (what that user may do) and administration (how those rights are granted, reviewed and revoked).
Currently, passwords are the main form of identifying employees and granting them access to applications. However, recent reports have shown that most organizations are failing to implement and enforce them properly, which makes them a weak link in the overall corporate security strategy. In some cases an extra layer of security is necessary - such as digital certificates, public key infrastructure (PKI) or biometrics - depending on what is being secured. Again, it is very much a case of balancing the risk of the application being breached against the cost of adding extra security to it, and in some cases weighing that benefit against the loss of performance or convenience the extra layer introduces.
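The risk assessment outlined above (critical applications, who uses them, from where and on what devices, and the cost of downtime or breach) and the "appropriate layer of authentication" decision both reduce to the same comparison: expected loss against cost of control. The following script is an added worked example, not code from the article or from BT; the application inventory, cost figures, exposure multipliers and tier rules are all hypothetical and constructed to show the method. It computes an annual loss expectancy per application from the factors the article lists, ranks the applications, suggests an authentication tier, and applies the "£1,000 fence for a £100 horse" check to a proposed control.

```python
"""Quantitative first pass at an application risk assessment.

All figures, multipliers and tier rules below are assumptions made for this
example; a real assessment would calibrate them from the organization's own
incident and outage history.
"""
from dataclasses import dataclass
from typing import List

# Assumed multipliers for the two exposure factors the assessment asks about:
# access from outside the corporate firewall, and access from devices the
# company does not control (PDAs, smartphones, home PCs).
REMOTE_ACCESS_FACTOR = 1.5
UNMANAGED_DEVICE_FACTOR = 1.5

SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Application:
    name: str
    sensitivity: str               # highest classification of data it holds
    downtime_cost_per_day: float   # GBP lost per day of outage (sales, SLA penalties)
    expected_outage_days: float    # days per year with no extra resilience
    breach_cost: float             # GBP cost of a confidentiality breach (fines, clean-up)
    breach_probability: float      # per-year likelihood of breach at current controls
    remote_access: bool            # reached from outside the corporate firewall?
    unmanaged_devices: bool        # reached from devices the company does not manage?


def effective_breach_probability(app: Application) -> float:
    """Scale the base likelihood by the access-path exposure factors, capped at 1."""
    p = app.breach_probability
    if app.remote_access:
        p *= REMOTE_ACCESS_FACTOR
    if app.unmanaged_devices:
        p *= UNMANAGED_DEVICE_FACTOR
    return min(p, 1.0)


def annual_loss_expectancy(app: Application) -> float:
    """Availability loss (downtime) plus confidentiality loss (breach), per year."""
    availability_loss = app.downtime_cost_per_day * app.expected_outage_days
    confidentiality_loss = app.breach_cost * effective_breach_probability(app)
    return availability_loss + confidentiality_loss


def authentication_tier(app: Application) -> str:
    """Hypothetical mapping from data sensitivity and access path to an auth layer."""
    rank = SENSITIVITY_RANK[app.sensitivity]
    if rank >= 3:
        return "certificate/PKI or biometric, managed devices only"
    if rank == 2 or app.remote_access:
        return "password plus second factor (token or certificate)"
    return "password with enforced policy"


def control_is_worthwhile(app: Application, annual_control_cost: float,
                          risk_reduction: float) -> bool:
    """The fence-and-horse check: spend only if the expected loss avoided
    (ALE times the fraction of risk the control removes) exceeds its cost."""
    return annual_control_cost < annual_loss_expectancy(app) * risk_reduction


def rank_by_exposure(apps: List[Application]) -> List[Application]:
    """Highest annual loss expectancy first: the applications to protect first."""
    return sorted(apps, key=annual_loss_expectancy, reverse=True)


# Constructed sample inventory (not real data).
INVENTORY = [
    Application("CRM / order handling", "confidential", 20000, 2, 250000, 0.05, True, False),
    Application("Payroll", "restricted", 1000, 1, 400000, 0.02, False, False),
    Application("Email", "internal", 8000, 1, 50000, 0.10, True, True),
    Application("Intranet wiki", "internal", 500, 3, 5000, 0.10, True, True),
]

if __name__ == "__main__":
    for app in rank_by_exposure(INVENTORY):
        print(f"{app.name:22s} ALE £{annual_loss_expectancy(app):>9,.0f}  "
              f"tier: {authentication_tier(app)}")
    # A £15,000/year second-factor rollout assumed to remove 30% of each app's risk:
    for app in INVENTORY:
        verdict = "worth it" if control_is_worthwhile(app, 15000, 0.30) else "over-fenced"
        print(f"  second factor on {app.name}: {verdict}")
```

Run as-is it prints the ranking and the control verdicts: the CRM system tops the list and justifies the second factor, while the intranet wiki does not, even though the tier rule would otherwise suggest one because it is reached remotely. That conflict is the point of the exercise: the tier rule captures sensitivity and exposure, the loss figures capture what a breach or outage actually costs, and the spending decision should follow the latter.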
Putting the jigsaw together
While it is all very well to carry out a risk assessment and identify the right technologies to implement, organizations need to undertake this activity as part of a holistic security program. Securing applications in isolation from the larger security strategy will only encourage security to continue to be approached in a piecemeal way. With new applications coming online, regular upgrades taking place, a continual turnover of staff and constant new threats being exposed, protecting a company needs to be an ongoing consideration.
Furthermore, and as part of the holistic approach, I believe that companies need to have a robust security policy in place, where a concerted effort to train individual employees is an integral ingredient. This is particularly important, as security measures are often seen as an additional chore rather than as a benefit to the company as a whole. Staff need to understand the importance of their input and role in corporate security. Companies should make a concerted effort to train and educate individuals on security policies and how to react to breaches.
All of this may sound rather daunting. So organizations must consider whether they have the resources necessary to implement and maintain the security they require or whether they need a partner to help them. Drawing on the skills of a trusted third party brings with it the benefits of reduced cost of hiring, retaining and training the right staff, and also gives access to 24x7 performance monitoring, vulnerability scanning and service response. In addition, managed security services providers may have access to international intelligence on cybercrime. In the U.K., BT, for example, gains early warning of threats or access to patches through membership of organizations such as Computer Emergency Response Team (CERT) and Forum of Incident Response and Security Teams (FIRST).
Whether companies address security on their own or with help, the increasing need for businesses to protect their applications is indisputable. Spending budgets on securing whole networks with expensive and complex solutions is not feasible. If companies follow the steps outlined above they will ensure they are protecting their businesses in the right places, with the appropriate solutions and at the right price. IT managers must understand that securing business-critical applications is not the end of protecting their company's assets, but gives them a very solid foundation to ensure budgets are spent efficiently and effectively.
Mike Lee is security specialist at BT Ignite, BT's business services and solutions division (www.btignite.com).