CIO
Running on Luck
The evolution of security attacks such as malicious codes and viruses has seen CIOs reassess and change the way they protect their systems.
Sue Bushell 04 February, 2005 11:22:33

The Right Type of Profiling

Aberdeen Group recommends organizations determine their Internet profile for customer sales and service, procurement and sourcing, and distribution and fulfilment. Then conduct a revenue loss assessment based on historical data, and identify customers and value chain partners, and the likelihood that their systems and people may cause downtime to their own business operations. It also says organizations should

  • conduct a needs assessment based on business strategy, enablers and available technologies
  • determine best practices from references and available information, and
  • clearly identify a primary strategy for overcoming Internet business disruptions as well as determining and agreeing upon the performance metrics to be used for measuring "improvements" from current practices.

And the research company says all organizations should consider using complementary technology controls to reduce and eliminate revenue loss from Internet business disruptions.

Gartner is urging companies to put pressure on vendors to build more secure software as well as to drive their own IT teams to ensure less vulnerability in in-house software. It says companies should also base software architecture on security standards and try to incorporate mechanisms to limit the "attack surface" of applications directly exposed to the Web.

These findings are part of Gartner's recent strategic planning report: "Building a Sound Security Infrastructure: New Defences for a New World of Threats". The report provides comprehensive guidance on implementation plans and best practices for developing successful information security strategies.

Bittinger says the real message for organizations is to understand what architecture will provide the greatest level of security. And he reiterates his concern that security must be built in from the beginning. "If you take for instance the basic principle of total quality management, it basically says you get the perfect result because you've created the perfect process. You don't have a bunch of inspectors standing at the end of the line looking to see if there are any flaws in the cars; you try to create the perfect process so you know the perfect car or the perfect product or service is rolling off the end of the production line.

"So we have to focus more upstream, rather than sort of bolting security on at the back end. It has to be absolutely one of the foundation stones of the architecture of business services or products that we're creating." There are positive signs of just that, Bittinger adds. Microsoft is starting to work with Intel very closely on their "Son of Palladium" Trusted Computing Initiative, which is trying to build security in at the deepest levels of the operating system kernel, and the deepest levels of the microprocessors. Many similar initiatives are also on the way.

Bittinger says Gartner has noticed that over the past couple of years it has gained much more serious traction in the IT industry in asking the question: What does a fundamental security architecture look like? Solutions like SAML (the Security Assertion Mark-up Language, an XML-based framework for exchanging security information under development by the OASIS XML-Based Security Services Technical Committee), federated identities, and identity and access management, are the foundations of such a security architecture, he says.

Back Up and Then Back Up Again

Organizations facing damage from Internet business disruptions must also back up their server. Carter Burden, CEO of Logicworks, a New York City-based managed hosting firm, says that companies managing their servers in-house should back up all data on a second site, which may be outsourced to a hosting provider. While not a particularly surprising sentiment given the services his company provides, Burden does go on to say that if an organization uses hosted servers, it is important that any hosting provider trusted with that organization's servers, and consequently all of their data, have backup facilities of their own.

Further, businesses must realize that even backup facilities can fail. For this reason, companies should have a set plan in case even their alternative strategy fails. For instance, Burden says many backup hosting facilities can run on a battery for a half hour or so, or on a diesel generator that can run for days without interruption.

"The biggest lesson that companies must learn is to be diversified in their backup and disaster recovery (DR) strategies," Burden says. "If you have your hosting outsourced, check out that company's DR plan. Choose a provider with independent locations, as city-wide power outages are not uncommon. Never rely entirely on one system - have multiple contingency plans. Even Logicworks, which hosts the servers and data of many large companies, does not rely solely on one strategy. All backups are performed to a separate external location, from where they are then copied to tape and rotated off-site once more by an off-site data protection provider. Consider hot backups, near-line and off-line solutions, and choose the one that is right for you."

Even after all of this preparation, businesses must realize that there still exists a possibility that all of their backup strategies will fail and that they will have to deal with an Internet disruption. The key here is first to get the server and the data available as soon as possible and then deal with the problem that led to the failure in the first place.

The bottom line? Servers will fail and important data can be lost. Be prepared with diverse backup strategies and a disaster recovery plan if even that fails.
