There is a computer security mantra which says that the basic issues to manage are “ports, passwords and patches”.
By managing these, organisations are able to address the majority of vulnerabilities - the provision of unnecessary or vulnerable services, weak user authentication in the form of guessable passwords and other avoidable flaws in the system. If organisations can get these fundamental points right, they are well on the way to preventing and/or containing a security incident.
The emergence of enterprise management systems complicates the picture. With the issue of corporate governance currently dominating the IT agenda, many organisations are looking to enterprise management to improve the way systems are monitored and the efficiency with which they are operated. Unfortunately, while enterprise management is undoubtedly powerful and useful, security has often been neglected as a priority during the development process, with the emphasis being on functionality. This leads to headaches for security specialists looking to make enterprise management safe.
Put simply, enterprise management is so powerful a tool that it means greater damage can be done if it is abused. When systems are so closely integrated it may be easier for a breach to effect the whole of a business, rather than just isolated applications or programmes. Is it a matter of trading new benefits for new risks? Or can organisations remain in control?
In principle, increasing security in information systems is a simple concept. The objective is to put in place processes and controls to ensure the integrity, confidentiality, availability and legality of data, for the benefit of both users and organisations. In practice, these controls must be integrated so that they can work together to prevent, deter, detect, contain and recover from security incidents, which is a far more complicated and costly task. It is important to get the balance right, as the effort and cost involved in implementing security controls must not outweigh the benefits gained by preventing security related incidents.
One of the benefits must be detecting possible security risks before they cause damage. The early detection of a possible incident is a big challenge with bigger benefits. Many systems are built using components from many different suppliers, all of which bring their own different risks to the table as well as posing problems of integration. Intelligent enterprise management can help with early detection by interpreting the combined significance of many incoming communications from different systems and picking up the proverbial "Mayday" call. This enables IT managers to detect early symptoms and prevent escalating problems, whilst maintaining full IT service to users.
In reality, users pose the biggest threat to the security of information systems. They may be authorised users who are misusing their privilege or who make a mistake; equally, they could be unauthorised users who have gained access to the system. An effective enterprise management system can help manage user accounts, particularly by identifying dormant and unused accounts which can be vulnerable points in the system. It also allows organisations to manage activities so that complex tasks can be carried out remotely on behalf of users, thereby limiting users' abilities to inflict damage and taking the risk out of their hands.
However, enterprise management can be a double-edged sword. As the software needs to be extremely powerful to carry out these demanding tasks, it also grows to be a greater risk. This means that if its security is breached the effects can be greater. There are several key security issues that need investigation, to ensure that the benefits you gain aren't undermined by new difficulties.
The first subject to be taken into consideration is the susceptibility of the enterprise management infrastructure to attacks. Enterprise management systems act as entities in their own right, and if they are subverted can cause enormous damage throughout the IT infrastructure. Put simply, enterprise management can be used as a launch pad for attacks. The IT department should carry out a technical review to identify any inherent weaknesses or vulnerabilities, ensuring that they have enough security expertise within the team.
The review must establish how the products work, how they communicate with the target systems and understand what services and privileges they require. This information needs to be assessed to determine whether one is introducing new vulnerabilities that could be exploited by a miscreant wishing to compromise security.
The key to preventing misuse is to make certain that the authentication model used for enterprise management is tough enough. The people able to access enterprise management must be strictly limited - to key system administrators and IT experts - and their identities must be ascertained with certainty, using the latest and most up to date authentication procedures.
A natural extension of this security-consciousness is to ensure full accountability for misuse of the system. Most systems are built from different applications and systems brought in and owned by different people within the organisation, massively complicating the picture of who is finally accountable, so it is the task of the IT department to simplify this picture. Where the functionality of the system does not allow for increased auditing, the risk must be mitigated by establishing good practice.
Perhaps the most important task of all is guaranteeing confidentiality of information in the system. Enterprise management systems store configuration data, account names and even passwords to enable them to carry out their tasks. This creates an inherent risk, one not always anticipated by designers of enterprise management systems. Access control and encryption must be as good as those used elsewhere in the system, a task which may consume time and energy but which is essential to the maintenance of security.
To conclude, managing the security of modern information systems is a huge technical and operational challenge. There are many dedicated security products but truly effective security management is only possible if it has complete coverage of the system. Enterprise management can be an invaluable tool in this sense, but must be prevented from opening up new vulnerabilities if it is to succeed in its objectives.
John Alcock is principal security consultant at Fujitsu Services.