Security tradeoffs are par for the course when it comes to enterprise information systems. Maximizing IT processes and efficiencies and minimizing costs seem to be at polar opposites with battening down the hatches. Savvy business technology executives, however, are catching on that security and IT don’t have to be at odds. In fact, a change in perspective about security may be the first and most important step toward aligning security with broader business goals.
“We’re always dealing with three things that influence each other: cost, ease of use, and security,” says Sachar Paulus, chief security officer at SAP AG, the enterprise software maker. Ultimately, he notes, you can have two of the three elements at the same time but never all three. “Two elements work together on behalf of producing benefits from the third element,” he says. So, for example, “Organizations have to face the fact that if they want usability and security, they’ll have to bear the cost.” Finding a balance is key to coming to terms with security tradeoffs. One of the most visible tradeoffs involves security, user convenience and productivity. Ideally, users want to be able to move seamlessly across the computing environment without being slowed down by passwords, for example. This leads to the perverse tradeoff between good security practice, such as requiring users to change passwords regularly, and users writing passwords down. “Security can’t be so cumbersome, or too rigid, that it turns users off,” says Andrew Jaquith, program manager for the Yankee Group’s Enabling Technologies Enterprise group. “A lot of people implement hardware in the form of glue, such as locking down USB drives or CD-ROMs. It doesn’t help employees share data.”
Looking to maximize security, increase system usability and user productivity, Alstom, a French manufacturer of high-speed railroad infrastructure, power equipment and power services, is on the cusp of deploying smart card technology to 60,000 employees in 70 countries. Until now, Alstom required employees to remember more than half a dozen frequently changing passwords to access their computers and applications.
Two years in the works, the company’s new security project uses public key encryption and single sign-on on a smart card platform. Not only will the smart cards eliminate the need for users to remember multiple passwords, but they’ll allow safe hard drive decryption, domain login, application access and Wi-Fi access.
For Wi-Fi access, Alstom uses WPA2—a class of systems designed to secure Wi-FI computer networks—for encryption, and Remote Authentication Dial In User Service (RADIUS)—a protocol that uses a certificate on the smart card—for authentication.
The challenge with most new security systems is getting users on board. “Without users there’s no security,” says Nikk Gilbert, Alstom’s IT security and telecom director.
But Alstom employees are clamoring for the smart cards, thanks to a company incentive: The new smart card technology has Wi-Fi certification built in, so the smart card adopters get wireless network access previously denied due to security concerns. “Now users are lining up to get their names on the smart card list,” Gilbert says.
When enterprise software behemoth SAP AG traded off user convenience for security, the company saw the use of 10,000 BlackBerry devices plummet. That occurred several years ago, when company policy dictated that confidential e-mails get flagged and not sent to users’ BlackBerries. “IT got a lot of calls from users complaining about the flagging and that they were less productive,” chief security officer Paulus says.
The company recently reached into its pockets, making an initial investment of approximately $90 an employee, to roll out e-mail encryption for all 50,000 users. Product support includes encryption for e-mail sent to users’ BlackBerries. “IT gets few calls and users are happy because they can receive e-mails on their BlackBerry devices and be more productive,” Paulus says.