Overcoming The Security/Business Conflict

By Lynn Haber  |  Posted 05-18-2007

Overcoming The Security/Business Conflict

Security tradeoffs are par for the course when it comes to enterprise information systems. Maximizing IT processes and efficiencies and minimizing costs seem to be at polar opposites with battening down the hatches. Savvy business technology executives, however, are catching on that security and IT don't have to be at odds. In fact, a change in perspective about security may be the first and most important step toward aligning security with broader business goals.

"We're always dealing with three things that influence each other: cost, ease of use, and security," says Sachar Paulus, chief security officer at SAP AG, the enterprise software maker. Ultimately, he notes, you can have two of the three elements at the same time but never all three. "Two elements work together on behalf of producing benefits from the third element," he says. So, for example, "Organizations have to face the fact that if they want usability and security, they'll have to bear the cost."

Finding a balance is key to coming to terms with security tradeoffs. One of the most visible tradeoffs involves security, user convenience and productivity. Ideally, users want to be able to move seamlessly across the computing environment without being slowed down by passwords, for example. This leads to the perverse tradeoff between good security practice, such as requiring users to change passwords regularly, and users writing passwords down. "Security can't be so cumbersome, or too rigid, that it turns users off," says Andrew Jaquith, program manager for the Yankee Group's Enabling Technologies Enterprise group. "A lot of people implement hardware in the form of glue, such as locking down USB drives or CD-ROMs. It doesn't help employees share data."

Looking to maximize security, increase system usability and user productivity, Alstom, a French manufacturer of high-speed railroad infrastructure, power equipment and power services, is on the cusp of deploying smart card technology to 60,000 employees in 70 countries. Until now, Alstom required employees to remember more than half a dozen frequently changing passwords to access their computers and applications.

Two years in the works, the company's new security project uses public key encryption and single sign-on on a smart card platform. Not only will the smart cards eliminate the need for users to remember multiple passwords, but they'll allow safe hard drive decryption, domain login, application access and Wi-Fi access.

For Wi-Fi access, Alstom uses WPA2—a class of systems designed to secure Wi-FI computer networks—for encryption, and Remote Authentication Dial In User Service (RADIUS)—a protocol that uses a certificate on the smart card—for authentication.

The challenge with most new security systems is getting users on board. "Without users there's no security," says Nikk Gilbert, Alstom's IT security and telecom director.

But Alstom employees are clamoring for the smart cards, thanks to a company incentive: The new smart card technology has Wi-Fi certification built in, so the smart card adopters get wireless network access previously denied due to security concerns. "Now users are lining up to get their names on the smart card list," Gilbert says.

When enterprise software behemoth SAP AG traded off user convenience for security, the company saw the use of 10,000 BlackBerry devices plummet. That occurred several years ago, when company policy dictated that confidential e-mails get flagged and not sent to users' BlackBerries. "IT got a lot of calls from users complaining about the flagging and that they were less productive," chief security officer Paulus says.

The company recently reached into its pockets, making an initial investment of approximately $90 an employee, to roll out e-mail encryption for all 50,000 users. Product support includes encryption for e-mail sent to users' BlackBerries. "IT gets few calls and users are happy because they can receive e-mails on their BlackBerry devices and be more productive," Paulus says.

Next Page: Look First, Then Leap

Look First, Then Leap

Look First, Then Leap

User inconvenience and security shortsightedness come into play when corporate decision makers fall into what Ed Adams, CEO of consultancy Security Innovation, calls the "Recency Trap." "This is when organizations panic at some perceived immediate threat and hastily change their security procedures, only to leave themselves open to more serious but unrecognized risks," he says.

Rather than spending money on quick fixes, CIOs should look at the broader corporate picture and make expenditures that target higher-priority threats. "Employees will continue to make lifestyle choices about the technology they use, such as laptops or cell phones, for example," Yankee Group's Jaquith says. "It's a knee-jerk reaction to ban them."

That's an issue for James Wilson at OnBoard LLC. The director of technology at the five-year-old real estate information company in New York City concedes that his security policy has gaps that must be addressed. Yet he's reluctant to impose severe restrictions given that OnBoard boasts a relaxed corporate culture, with some employees connecting wirelessly to the company network from their homes or other remote sites.

OnBoard hasn't lost any corporate data. Still, Wilson recognizes that employees who work remotely using wireless Internet connections put business data at risk. "I don't want to impose security that's so strict as to not be able to attract the very best workers," he says. Taking what he characterizes as a measured approach to IT security, OnBoard bans connecting from heavily traveled venues such as Starbucks but permits wireless linking from homes and less traversed public locales.

Next Page: Secure Code From the Get-Go

Secure Code From the

Get-Go">

Secure Code From the Get-Go

Orange County, Calif., is discovering that, when planned properly, IT security doesn't interfere with the business of government. With the county seat in Santa Ana, the county that's home to Disneyland shows how one organization revisited IT security and business processes, made changes and is reaping benefits. Thanks to a virtualization project driven by the need for server consolidation, developers no longer trade off application development for secure code. "We now enable business processes by creating secure code during the development process rather than tacking it on at the end of the process," says Tony Lucich, division manager of network services for the county, with a population of some 3 million residents. As a result, application development time has been cut by at least one-third, he says. "Security no longer puts us in conflict with the business processes," he says.

Prior to the new virtual environment and a move to a service-oriented architecture, developers from different agencies created their own application environments. "They worked in silos and didn't communicate with one another," Lucich says. Lack of coordination ultimately resulted in actual or potential security breaches.

Security came into conflict with business processes in the county, for example, when a law enforcement agency developing a new case management system wrote the specs, purchased the equipment and prepared to write the code without consulting the central IT organization.

"We found out that the developers, who worked in a silo, didn't separate outside services (i.e., Web services) from inside services(i.e., database services) which meant the application wasn't secure," Lucich says. "A security breach was inevitable."

In the virtual environment, the county created a portal that includes best practices, training videos and tools to assist developers in generating efficient, secure code. The process has been streamlined. "All developers now share a pool of developer workstations from where they can log into the portal and share the same tools," Lucich says. That resulted in quicker prototyping of applications and faster deployments in a more secure environment. "It used to be okay to be on a three-year development cycle; not any more," Lucich says. "With services and applications, we're now on a three-month development cycle."

One of the first recommendations security consultants typically make is to address security up front. Unfortunately, however, only 10 percent to 20 percent of organizations implement security correctly during application development, according to John Pescatore, vice president of Internet security at Gartner, Inc. "The other 80 to 90 percent operate in a reactive mode," he says, fixing holes later—and paying the price.

Don't Go It Alone

Given the inevitability of tradeoffs when it comes to security and business, SAP's Paulus insists only senior managers can decide how to weigh the three interdependent elements—cost, ease of use and security. "Some organizational cultures have upper management make every decision," he says. "Others rely on senior management to develop guidelines that are implemented by lower management."

Either way, getting buy-in and policy guidance from top corporate executives is also critical to finding balance when it comes to security tradeoffs. But that balance can indeed be found—you just have to do your homework.