Prioritizing Internet Security.

Navigation: Main page

Author: Demers, Marie Eve

Internet security could very well become one of the biggest and most intricate issues of the new millennium.

Everyday an increasing amount of data is flowing through the Web and consumers are seeing a greater need to protect their privacy as they shop online and submit personal and financial information. Businesses need to protect confidential information when conducting business electronically and establishing massive collaborative networks with suppliers and customers. Even the government has to protect its vulnerable IT networks, in order to keep hackers from revealing sensitive information about itself and the citizens of this country. Cyber attacks can potentially affect each one of us, as individuals, groups, companies or a society.

Accenture, a New York-based consultancy formerly known as Andersen Consulting, recently released a document named Security Call to Action, the result of a security specialists' roundtable at which 15 security experts participated, including people from Sun Microsystems, Cisco Systems, Intel and Microsoft. The event was co-sponsored by Purdue University's Center for Education and Research in Information and Assurance Security (CERIAS).

According to these experts, extraordinary changes in the way we do business and lead our lives in the ever-connected world of the future will create tremendous security challenges.

The threat of a major disaster was high on the list of concerns. Although we can have no clear idea of what that disaster might consist of, the amount of damage it could do, or what can be done today to prevent it, the possibility of an Internet calamity hangs over us like Damocles' sword.

Also high on the list of potential problems is the impact of poor-quality software widely distributed on the Internet and the high potential for harm when software weaknesses are exploited en masse.

Many factors make security a hard objective to attain. In general, the report found that there is a proliferation of connectivity of systems that was never designed to be secure. Many of the operating systems and applications that exist today, or are being developed, either possess security holes or simply cannot be adequately secured, the report says. In addition, electronic information is easily copied and transported and it does not have a limited lifetime, which makes it difficult to protect; information can be easily corrupted or utilized to misrepresent facts.

Virtual businesses also contribute to increasing security risks. Many factors are driving businesses to look for outsourcing relationships as they move into e-commerce. New relationships are being created by businesses that integrate, combine and resell the services of multiple players in an industry. "This move toward outsourcing will create a huge increase in the number and complexity of business relationships that are created. Without proper precautions, there will be a noticeable lack of visibility and control around the outsourced business functions. This outsourcing trend will make it difficult for an industry to enforce its own business security policy on a process handled by multiple players. Business processes could be subject to third-party failures, in some cases, without even knowing about the dependency. This transition of trust will create a very complex value chain," the report warns.

The sheer magnitude of the problem makes it difficult to achieve security. "Our ability to deploy and manage systems is not keeping up with the threat," says the CERIAS report.

The experts also noted that public policy is not keeping up with technology. "Laws and regulations are often ineffective and inconsistent between countries, and do not address critical issues adequately."

Time-to-market -- which is crucial in the high-tech industry --increases pressure to sacrifice security and quality of software.

In their call to action, the experts listed the most critical issues to address, with the No. 1 item being to improve software quality and prevent the distribution of weak products.

As a second issue, they identified the lack of properly trained people and suggested the development of an educational program on security. Raising awareness about Internet security is also important; the next generation should be educated on such matters.

Implementing the best practices came next. As an example, even brilliantly conceived software can only be as good as the way it is implemented. The experts suggest using the best practices to ensure that security is done right in development, implementation, testing, business processes and consumer practices.

The approach suggested by the team is to take into account the many facets of the problem including the business-related, social, technical and governmental aspects. "We have to take the holistic approach and address this from many dimensions," the experts wrote.

This article is the first in a two-part series.

~~~~~~~~

By Marie Eve Demers