Baffled by arcane security lingo? We're here to help

Thinking about information security can seem a bit paralysing. If you're too paranoid about protecting your company's data, you can spend all of your time learning about and deploying security technologies. If you're not paranoid enough, you'll spend your time cleaning up after attacks.
To relieve the burden, some CIOs turn to chief security officers, consultants or outside companies for help. But they still need to know what's out there, and they definitely need to know the lingo, from SSL to PKI to VPNs.
Luckily, security technology is not as complicated as it seems. It breaks down into these four categories:
User authentication. Simply put, this is all about verifying an alleged identity. A user presents an ID, then supplies another piece of information to verify that he is, in fact, that person.
Encryption. Sometimes called scrambling or cryptography, encryption uses algorithms to translate data into unreadable code so that only authorised people can view it. Decryption requires an algorithm that reverses the process.
Access control. These are systems that govern which servers a user can access on a network and what that user is allowed to do while there. Security types like to refer to these systems in military terms. Access control software helps create the perimeter that separates the demilitarised and militarised zones, and within the militarised zone, software allows the system administrator to keep an eye on users and prevent them from accessing unauthorised areas.
Physical security. This is another kind of access control. Essentially, you don't want to constantly worry about how a hacker will come in through the network, and then find out that he has walked into your headquarters and somehow made off with your data (or servers).
Of course, technology isn't everything. A good security strategy has many other aspects, such as educating employees about proper practices. "As the old adage goes, the weak link in the chain always gets broken," says Charles Cresson Wood, an independent security consultant with California-based Infosecurity Infrastructure, and the author of Information Security Policies Made Easy (PentaSafe Security Technologies, 2001).
A sound security policy and architecture will incorporate technologies from all of the above categories to create a base level of security. "You have to establish a minimum level of security across your network, wherever information may go," Wood says. "And the information should be protected consistent with its sensitivity, criticality and value."
Once the system is set up, test it to see what holes you can find, and plug, yourself. Try running some vulnerability assessment software, which crawls through the network looking for holes, or hire an outside consultant to try to hack into the system. Some companies also hire these types of consultants whenever they deploy a new technology to make sure it isn't compromising security.
"We have one independent consultant review the design of the product, if we built it or even if we bought it," says Gordon Zacrep, information security manager at the Vanguard Group, a mutual funds company in Pennsylvania. "And then we hire another company to scan that product and try to penetrate it."
Without further ado, here's an introduction to the major security technologies.
Antivirus Software
Security category: Access control
How it works: This software lives at certain points on the network (on individual PCs, servers and firewalls) and automatically scans all incoming data for viruses.
Why you need it: A common hacker tactic is to send an e-mail message with a virus attached that can do everything from destroying data to opening holes that allow the hacker into the network.
Problems and pitfalls: Hackers design new viruses, or "worms", every day, so the software needs to be updated regularly to include code to destroy the latest ones. The solution is to set the software throughout the company to automatically and regularly update its virus database.
Authorisation Software
Security category: Access control
How it works: Users want access to information stored on your servers. Once they're authenticated, they request information (such as account balances), and the company's enterprise server checks a set of authorisation rules to make sure the user is allowed to access that information.
Why you need it: Servers often contain information that's available to the public as well as information that is restricted to a handful of users. Authorisation software helps control which users see what information.
Problems and pitfalls: "Every vendor wants to do [authorisation] differently," says Wood. And because different systems use different protocols, or rules, it is difficult to establish a minimum normalised amount of security.
Future developments: Some companies are starting to bring authorisation rules together into centralised databases called enterprise security management systems. In this kind of set-up, authorisation software at various points on the network will check with the database to verify whether a user is authorised, but because the information is centralised, it can be more easily managed.
Biometrics
Security categories: User authentication, physical security
How it works: A database stores a unique piece of information about a user's physical characteristics, such as an image of the user's fingerprint. At the access point, the user will pass his thumb over a reader, and if it matches the scan in the database, the user is authenticated. Some systems store scans of users' irises or digital representations of their standard speech patterns.
Why you need it: Physical characteristics are much more reliable than passwords, keys or key cards because they cannot be reproduced easily.
Problems and pitfalls: "Sometimes it works too well," says Todd Beebe, CIO at Texas-based SecureLogix, who has stationed biometric technology at the entrances to the company's server room. "Kevin [Davis, the company's IT director] had a scrape on his thumb, and it wouldn't allow him in." In addition, as with any door access system, employees can compromise security by getting lazy and propping doors open.
Future developments: Biometric technologies are becoming more robust. For example, some new systems have you sign your name, and recognise the pressure you use with the pen and how long you take. Eventually these technologies will be incorporated into desktop systems.
Firewalls
Security category: Access control
How they work: A firewall is a piece of software stationed at nodes of the network that looks for streams of irregular data, such as multiple attempts to access a network. The firewall software prevents the individual sending those data streams from accessing the network, server or desktop computer. A firewall can also be set to prevent specific users from accessing specific computers. "The firewall says which machines on the outside of the firewall are allowed to talk to which other machines on the inside," says Rand Hoven, chief technical officer at Boston-based Redwood Investment Systems.
Why you need them: Firewalls are a first defence against hackers. "The firewall can be configured to cut off certain kinds of traffic," Zacrep says. Firewalls, along with router and gateway software, perform intrusion detection, immediately alerting system administrators when an attack occurs.
Problems and pitfalls: It's easy to go overboard with firewalls and install too many of them, which may lock out the very people you want to let into the network. In the end, if a user can't get the information they want, they may not be your customer much longer.
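As an added illustration of the two behaviours described above (an allow list of which outside machines may reach which inside machines, and an alert on repeated attempts from one source), here is a small Go program. It is not from the article or any vendor's product; the addresses, the three-denials-in-60-seconds threshold and the sample traffic are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule lets an outside prefix reach one inside host and port; traffic no rule matches is dropped.
type Rule struct {
	Src  netip.Prefix
	Dst  netip.Addr
	Port uint16
}
// Firewall holds the allow list and, per outside source, the times of its recent denials.
type Firewall struct {
	Rules     []Rule
	Threshold int // denials inside Window seconds that raise an alert
	Window    int
	denied    map[netip.Addr][]int
}
// Process checks one attempt at time t (seconds) and returns (allowed, alert); alert is set once
// a source has been denied Threshold times within Window seconds, the "multiple attempts" pattern.
func (f *Firewall) Process(src, dst netip.Addr, port uint16, t int) (allowed, alert bool) {
	for _, r := range f.Rules {
		if r.Src.Contains(src) && r.Dst == dst && r.Port == port {
			return true, false
		}
	}
	if f.denied == nil {
		f.denied = map[netip.Addr][]int{} // lazy init so a zero Firewall literal works
	}
	var recent []int
	for _, past := range f.denied[src] { // forget denials that fell out of the window
		if t-past < f.Window {
			recent = append(recent, past)
		}
	}
	recent = append(recent, t)
	f.denied[src] = recent
	return false, len(recent) >= f.Threshold
}

func main() { // constructed sample: one permitted web session, then a port sweep from 198.51.100.7
	ip := netip.MustParseAddr
	fw := &Firewall{Rules: []Rule{{netip.MustParsePrefix("203.0.113.0/24"), ip("10.0.0.5"), 443}}, Threshold: 3, Window: 60}
	fmt.Println(fw.Process(ip("203.0.113.9"), ip("10.0.0.5"), 443, 0)) // true false
	for i, host := range []string{"10.0.0.5", "10.0.0.6", "10.0.0.7"} {
		fmt.Println(fw.Process(ip("198.51.100.7"), ip(host), 22, i+1)) // false false, false false, false true
	}
}
```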
Key Cards and Radio Frequency Identification (RFID) Cards
Security category: Physical security
How they work: When an individual wants to gain physical access to a building, floor or particular room, he or she swipes or enters a key card into a reader by the door or waves an RFID card in front of an RFID card reader. In both cases, the readers communicate with a central database, which grants or denies access based on whether that card is valid.
Why you need them: Both card systems are much better than standard key systems. Employees can easily make copies of a standard key, but can't do the same with a key card or RFID card. Also, a system administrator no longer has to get a departing employee to return the key - instead, the administrator can simply deactivate that card from the central database (this can also be done in cases of theft).
Problems and pitfalls: If a key card is stolen but the employee does not immediately notify the administrator, the thief can gain access to the building.
Passwords, Fixed and Dynamic
Security category: User authentication
How they work: Fixed passwords are the kind you're accustomed to using (combinations of eight letters and numbers, in many cases). A server-based database looks up the user ID and password, and if they match the database, access is granted. Dynamic passwords are randomly generated and relayed to a user, either via e-mail or a personal wireless device. They are changed on a regular basis.
Why you need them: Password systems are easy to manage and inexpensive.
Problems and pitfalls: Users sometimes give out or write down their passwords, opening up the possibility that unauthorised people might find them and thereby gain access to a network. Some systems also allow fixed passwords to be remembered by an Internet browser or computer, which means an individual who gains access to a building may be able to gain access to the network without running a password-cracking program.
Public Key Infrastructure (PKI)
Security categories: User authentication, encryption
How it works: PKI serves two main purposes, and both depend on PKI's underlying technology: digital certificates and signatures. The first purpose is as an authentication mechanism. By passing a digital certificate, which is actually just a few lines of code, to another user along with the actual content, that user knows that you really sent it. The second purpose is encryption. PKI encryption uses two packets of code - called a public key and a private key. Both describe an encryption and decryption scheme and allow two users to pass encrypted content to each other using a unique encryption scheme.
Why you need it: Previously if a hacker cracked a company's encryption scheme, he could read all data being sent to and from that company's server. But with PKI, each set of keys uses a unique encryption scheme, which means hackers have to crack encryption schemes every time they encounter new sets of keys.
Problems and pitfalls: "It's very complex, and takes a significant amount of expert assistance" to both install and operate, Wood says. "This has scared a lot of people away." Even so, some companies are considering implementing PKI, and many already have. "We're looking at it," Zacrep says. "We're reviewing it on the basis of, 'Do the clients want it?' For us, it's less of a security issue and more of a business issue."
Future developments: "It's becoming a lot more user friendly," Wood says. New software will manage keys and make it easier to deactivate them.
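An added example, not from the article, showing the two purposes described in this section with RSA keys from Go's standard library: a signature lets the recipient confirm who sent a message (and that it was not altered), and public-key encryption produces content that only the holder of the matching private key can read. Alice, Bob and the messages are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign produces a signature over msg with the sender's private key (RSA-PSS over a SHA-256
// digest); anyone holding the matching public key can check it, so it proves who sent msg.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify reports whether sig was made over exactly msg by the holder of pub's private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Encrypt seals msg to the recipient's public key (RSA-OAEP); only the private key opens it.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a ciphertext with the recipient's private key; any other key fails.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	// Constructed demo: Alice signs and Bob checks; Bob encrypts to Alice and only Alice can read.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("approve purchase order 1042")
	sig, _ := Sign(alice, msg)
	fmt.Println("genuine message verifies:", Verify(&alice.PublicKey, msg, sig)) // true
	fmt.Println("altered message verifies:", Verify(&alice.PublicKey, []byte("approve purchase order 9042"), sig)) // false
	fmt.Println("verifies under Bob's key:", Verify(&bob.PublicKey, msg, sig)) // false
	ct, _ := Encrypt(&alice.PublicKey, []byte("quarterly numbers"))
	pt, _ := Decrypt(alice, ct)
	fmt.Println("Alice reads:", string(pt)) // quarterly numbers
	_, err := Decrypt(bob, ct)
	fmt.Println("Bob's key fails to decrypt:", err != nil) // true
}
```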
Router and Gateway Logic
Security category: Access control
How they work: Routers and gateways pass data between computers and networks. Using internal logic systems, both devices can pass log data to analysis software, which, like firewall software, looks for abnormal activity and alerts administrators.
Why you need them: These technologies are essential to the network's capabilities of passing data between computers. Using them as intrusion detection checkpoints is a simple expansion of their functionality.
Problems and pitfalls: Some systems are less automated and require administrators to manually review complex log information to determine the nature of attacks.
Secure Socket Layer (SSL), 40-bit and 128-bit
Security category: Encryption
How it works: SSL, the technology used to pass credit card and account information through Web browsers, is a protocol embedded in the browser. Servers running SSL create an SSL session with the user's browser and transmit the encrypted information between the two computers. As the key lengths suggest, 40-bit encryption is less robust than 128-bit encryption.
Why you need it: This technology is accepted by the e-commerce community and provides high-level encryption without much work on the CIO's end.
Problems and pitfalls: "The critical issue here is to make sure that the level of encryption matches the sensitivity of the information," Zacrep says. "Encryption using 40- and 56-bit encryption has been broken but still may be sufficient depending on the data."
Two-Factor Authentication Devices
Security category: User authentication
How they work: A device plugged into a computer provides a digital certificate that serves as a second form of authentication (the first could be a password or other authentication method). Examples include a smart card that's inserted into a reader connected to your laptop's expansion slot or a universal serial bus (USB) plug, both of which are being tested by Microsoft security officials for employees who access its corporate network remotely.
Why you need them: These devices are portable, and dual authentication increases the system's security because the chances are greater that a person supplying both forms of authentication is actually the person he says he is.
Problems and pitfalls: If these devices are the only kind of authorisation used, a network can be compromised if the device is lost or stolen (although administrators could invalidate the certificate carried by the device).
Virtual Private Networks (VPNs)
Security category: Encryption
How they work: A VPN creates a virtual tunnel between two computers and sends the data directly through that tunnel. The VPN protocols actually hide the data while it is being transferred, so hackers have no chance to intercept the data.
Why you need them: Currently, if you send data over a network (especially the Internet), you can't control the route it takes. That's dangerous, because the data can easily be intercepted, and even a simple e-mail can contain crucial company information. When Howard Schmidt, corporate security officer at Microsoft, travels overseas and wants to log in to his corporate e-mail at headquarters, he logs in to Microsoft's MSN Europe network and creates a VPN using the Layer Two Tunnelling Protocol (L2TP), an open standards VPN protocol. "And then I am virtually sitting at my desktop," he says.
Problems and pitfalls: VPNs require that special software be installed on each machine that needs a virtual tunnel to the home network - a problem easily avoided by installing the software on laptops that employees use while travelling. Still, Wood recommends that companies use VPNs with an authentication component so that if a hacker gets his hands on that laptop, he can't access the corporate network without also working to compromise the authentication mechanism.