
Better safe than sorry

By Peter Clay

Financial Times, 15 December 2004

Modern threats to business come in all shapes and sizes. Each time there is a new technology to counter these threats, there are new risks. To protect their businesses, CIOs must foresee and react to potential threats and understand the tools being developed to counter them. Here we look at the IT security landscape for 2005. 

A new role for IT security in corporate governance: new regulations for corporate governance and transparency of operation, such as the US Sarbanes-Oxley Act, require new approaches. Security techniques for assuring confidentiality, integrity, availability and accountability of IT systems will now also be used to assure the reliability of business processes and internal business controls. This will help position security as a business enabling, rather than business inhibiting, function. 

Process control security has become an issue for industrial organisations. Historically, the systems supporting the automation of plant and production processes have been based on proprietary technologies. But the demands of management information and the standardisation of technology mean these systems are now exposed to the same security threats that the IT department has been facing for some years.

Radio frequency identification (RFID) technology allows assets to be fitted with an almost undetectable tag that can be queried remotely. It is generally agreed that tags should be deactivated once a product has been sold, but there are concerns that they may not be. Experiments have also shown that it is possible to detect RFID at greater distances than required for point-of-sale checks. RFID applications will require careful design to ensure they are effective yet do not make owners of tagged items vulnerable to invasion of privacy.

MP3 players are generally personal devices used predominantly to play music, but they can also connect to desktop systems using USB, and can be used as removable data storage devices. Many have a 40 gigabyte capacity, meaning 40 gigabytes of sensitive corporate information could walk out of the organisation. 

Risks and countermeasure effectiveness: most risk assessments rely on qualitative measures (high, medium, low) of risk, with little evidence of how the measure was arrived at. To provide effective business cases for investment in security, this will have to be improved. Formal, traceable methods providing quantitative risk measures need to be developed, together with a similar evaluation of the effectiveness of countermeasures.

Perimeter-free infrastructures: to reduce costs and increase flexibility, some organisations have removed fixed infrastructure from offices and allow users to connect to wireless hubs, connecting the office to corporate data centres over the internet. This blurs the boundary of the organisation's infrastructure to the point where it almost disappears and this presents significant security issues. 

Inquisitive infrastructures: rather than relying on barriers to prevent unauthorised entry, the inquisitive infrastructure collects information on user activity (and any attempts to become users) from multiple sources, correlating activities and comparing this with the activities of the user's peers. The infrastructure acts as a security control by constantly looking out for any actions not in keeping with a user's authorised role. 
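As an added illustration (not part of the original article, and not PA's own tooling), the following script reduces the "inquisitive infrastructure" idea to a small detector: activity from several sources (badge readers, a VPN gateway, a file server) is correlated per user, and each action a user takes is compared with what other users holding the same authorised role do. Actions that few or no peers ever perform are reported, which also catches the removable-storage copy mentioned earlier. The log format, the roles and all the events are constructed for this example.

```python
"""Peer-group comparison over activity collected from several sources.

Added example, not code from the article. Every event line, role and
action below is constructed; the line format is an assumption chosen
for the example, not a real product's log format.
"""
import re
from collections import defaultdict

# Constructed sample events from three sources (badge, vpn, fileserver).
SAMPLE_LOG = """\
2004-12-15T08:02:11 source=badge user=alice role=finance action=enter:floor3
2004-12-15T08:05:40 source=vpn user=alice role=finance action=login
2004-12-15T08:10:02 source=fileserver user=alice role=finance action=read:/finance/q4
2004-12-15T08:15:33 source=badge user=bob role=finance action=enter:floor3
2004-12-15T08:17:09 source=vpn user=bob role=finance action=login
2004-12-15T08:20:19 source=fileserver user=bob role=finance action=read:/finance/q4
2004-12-15T08:31:05 source=badge user=carol role=finance action=enter:floor3
2004-12-15T08:35:44 source=fileserver user=carol role=finance action=read:/finance/q4
2004-12-15T09:01:12 source=fileserver user=carol role=finance action=read:/eng/source
2004-12-15T09:03:50 source=fileserver user=carol role=finance action=copy:/eng/source->usb
2004-12-15T09:10:00 source=badge user=dave role=engineering action=enter:floor5
2004-12-15T09:12:30 source=fileserver user=dave role=engineering action=read:/eng/source
2004-12-15T09:15:00 source=badge user=erin role=engineering action=enter:floor5
2004-12-15T09:18:21 source=fileserver user=erin role=engineering action=read:/eng/source
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) source=(?P<source>\S+) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def actions_by_user(events):
    """Correlate events from every source into one activity set per user,
    and record the authorised role each user was seen with."""
    activity = defaultdict(set)
    roles = {}
    for e in events:
        activity[e["user"]].add(e["action"])
        roles[e["user"]] = e["role"]
    return activity, roles


def peer_fraction(user, action, activity, roles):
    """Fraction of the user's role peers (excluding the user) who also
    perform this action. Returns None when the user has no peers, since
    there is then no baseline to compare against."""
    peers = [u for u, r in roles.items() if r == roles[user] and u != user]
    if not peers:
        return None
    return sum(1 for p in peers if action in activity[p]) / len(peers)


def find_outliers(events, min_peer_fraction=0.5):
    """Report (user, role, action, peer_fraction) for every action that
    fewer than min_peer_fraction of the user's role peers perform."""
    activity, roles = actions_by_user(events)
    findings = []
    for user in sorted(activity):
        for action in sorted(activity[user]):
            frac = peer_fraction(user, action, activity, roles)
            if frac is not None and frac < min_peer_fraction:
                findings.append((user, roles[user], action, frac))
    return findings


if __name__ == "__main__":
    for user, role, action, frac in find_outliers(parse_log(SAMPLE_LOG)):
        print(f"{user} ({role}): {action} performed by {frac:.0%} of peers")
```

Run as written, the only findings are carol's read of the engineering source tree and her copy of it to removable storage, because none of her finance peers do either; alice's VPN login is not reported, since half of her peers also log in that way. A user who is the sole member of a role has no peer baseline, and the detector deliberately stays silent rather than guess; in practice such accounts need a different control, such as review of every privileged action.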

Overlapping boundaries: outsourcing and managed hosting services mean the boundary of one organisation's business systems overlaps with the boundary of another. Close partnerships between organisations can result in assets belonging to one partner being hosted on the other's infrastructure. 

Identity theft: as the threat here increases, so too do the measures to combat it. These include improvements to personal privacy and the provision of identity authentication. The debate between personal privacy and the use of identity cards will continue and could lead to some creative suggestions on how to deter identity theft.

Over-hyping security technology: security risks are often seen as being created by technology, and we rely on more technology to manage those risks. In fact, many risks are created by poor operational procedures, management and administration processes and a lack of security culture in the workforce. Organisations need to stop looking to technology to solve security issues and take a more holistic approach to manage security. 


Peter Clay is an IT security expert at PA Consulting Group. 
