Features - February 1999 - Striking the balance
Phil Manchester assesses the competing demands of security and openness.

It’s official; the Internet makes IT systems vulnerable. A survey published by the FBI in March 1998 revealed that 64% of US companies had experienced some sort of security breach in the previous 12 months, and 54% cited the Internet as a ‘point of attack’. In another survey, published by The Knowledge Group in January 1998, it was found that 33% of UK network managers saw security as their main concern. And a survey from anti-virus specialist Sophos records that the number of viruses worldwide increased from 9,315 to 13,000 during 1997.

The pressure to provide more open networks


Network security is undoubtedly a pressing problem. The shift to open networked systems as the basis for modern commerce comes with an inevitable price tag as businesses find that their networks are becoming increasingly exposed to the outside world. The race to offer Internet connectivity and increased use of electronic mail are just two examples of the pressures to open up networks to a wider community - both within the company and externally. More open networks place a greater burden on security systems and leave businesses open to serious breaches of security. The shift to electronic commerce will add to this burden as businesses move towards communicating with their suppliers and customers electronically. The cost reductions and marketing opportunities promised by electronic commerce are only beginning to become apparent; as they gain momentum, the pressure to open up networks and access to corporate data will mount.

More open, less secure?


As networks grow technically more complex, embracing many different operating platforms and software regimes, security policies become much more difficult to build for an environment that spans thirty years of technological development - taking in mainframes, ‘Wintel’ PCs, Unix-based minicomputers and a huge number of software application products. But, while security is an obvious priority, it must be balanced with accessibility, an issue that must be addressed in order to encourage people to use the network. The Internet and intranets are widely accepted as key technologies for maintaining a competitive edge and improving IT services - and the main purpose of both technologies is to improve accessibility. Opening up the network to meet these demands also exposes it, and precious corporate data, to the growing security threats from viruses and unauthorised access by criminals.

Security is not, however, just about denying access and protecting data. It is also about ensuring that important transactions are fulfilled and have a genuine legal basis as a contract between two parties. This aspect of security is well established in traditional centralised mainframe systems where it is relatively easy to control. But the same criteria also apply to distributed client/server systems like Unix and Windows NT. Every company, therefore, must consider its security policies and the tools it uses to enforce them, or risk a major security breach.

NT is complex and therefore vulnerable


Microsoft’s Windows NT is vulnerable - not necessarily because it is lacking the appropriate security mechanisms, but because it is now as large and complex as any mainframe operating system. The greater the complexity, the greater the vulnerability. "There is much more to security than encryption and access control," says Dominic Storey, technical director at Security Dynamics; "it reaches right into the heart of the business now. As far as NT is concerned, it is simply that Microsoft is not a security company, it is in the business of applications - and anyway it can’t deal with security issues outside its own technology. In the end it is about the business - the content in the data."

He goes on to say that, despite its vulnerability, there is a wide range of strategies which will help to protect NT from outside interference - starting with a high-level approach based on the risk to the business: "You have to start by assessing the current state of security within the network and understand where the weak spots are. Then you can start to formulate an enforcement plan to ensure a secure environment. But it does not stop there - you must monitor security procedures because, as the network grows, the needs will change." Ian White, a senior consultant at security specialist Zergo, agrees with this approach: "You have to start with what you are trying to achieve - are you going into full electronic commerce or just providing limited access to a stand-alone web server? There is little point in putting in security where you don’t need it. In the end, security is just another way of coping with operational risk - so you have to determine what the risk is and then decide what you are going to do to avoid it." White goes on to say that companies must begin by looking at their data and establish what risk is involved if people are able to access it - either to view sensitive information or to change it.

Risk assessment


Terry Pudwell, managing director of ISS in the UK, also agrees that the assessment of risk is the starting point for any security policy: "You have to start with practical research into the potential risk areas and this is going to vary enormously from one company to another. There is no prescriptive level of security - you have to find out what is going to be appropriate to the business conditions, the technology that is being used and the trade off between good, secure systems and accessibility."

Securing NT is likely to be one of the main priorities, however. As Storey of Security Dynamics points out, Microsoft is ‘not a security company’ and while it has included a wide range of security features to control access and to provide encryption, he likens it to ‘a home with no locks on the ground floor’: "NT is certainly insecure on its own. With something like L0phtCrack, for example, it is relatively easy to break it. The password system is a particular area of weakness. But it is something that can be remedied and there are a number of products which can help." Storey goes on to say that one particular weakness of NT is that it does not limit the number of attempts to gain unauthorised access: "With most systems you expect ‘a three strikes and you’re out’ approach. With NT you can go on trying different combinations indefinitely. And once you have access to the admin account you have the keys to the kingdom. Our approach is to build a central administration structure that means users only get a single point of sign on regardless of the application. This simplifies things enormously and makes the system more secure. It is about defeating Murphy’s Law - the less a user has to do, the less complex the system is and the more secure we can make it."

Building a secure environment in NT


White of Zergo also sees NT as particularly vulnerable, due in the main to its complexity. A former IBM systems engineer, he sees NT’s growing complexity as the main barrier to making it secure: "It takes a fair bit of effort to make NT secure because there is so much in there. It is similar in many ways to a mainframe operating system in its scope - but, unlike the mainframe, it is distributed. This makes it much harder to control administration of the system - particularly when it comes to security policies."

He says that the openness of NT, while providing it with flexibility, makes it vulnerable: "Theoretically, almost anyone can get access to the access control list if NT is not set up properly. It is possible to centralise some of the administration functions - but not the files, for example. It would not make sense given the nature of the NT environment - but you have to be able to put safeguards in to prevent security breaches." He goes on to say that NT has many of the features needed to build a secure environment - but they are not necessarily easy to find: "It is quite hard to know what to fix in NT without causing performance problems with applications. There is a lot of work involved in setting up file permissions, for example. Microsoft could help by offering a secure installation version of NT with the default setting to ensure security." Whilst acknowledging that the nature of NT and its applications makes this difficult, he recommends a number of approaches for coping with the problem - starting with a ‘baseline’ security level which can be ‘cloned’ from one NT system to another: "Products like Ghost, for example, let you clone an entire NT environment and replicate the security base level. You have to make changes - like the security identity of the environment - but at least it sets up a basic secure environment," says White.

Using the systems and network management scheme


The approach favoured by larger users is to adopt a security system based on their systems and network management regime. Computer Associates and Tivoli Systems, the two leading large systems management vendors, both advocate a framework approach with security as one component in a battery of systems management modules.

Many larger companies increasingly see security as one of a range of functions and services that are necessary to sustain a network. It follows, therefore, that the best place to find a solution to security problems is within the broader scope of systems/network management. Logically, this is the best place to deal with security in open, heterogeneous networks. It allows central control over resources and access and reduces the administrative burden.

The trend in network management over the last year or two has shifted away from the low-level concerns of managing the telecommunications transport system to accommodating higher-level, system-wide issues like security. Modern network management tools can help companies fulfil their security needs in the context of managing the network - rather than using a band-aid approach. Tools can also bring security policy under central control alongside other system management functions, but they do not necessarily yield all of the security functions alone. Ian White of Zergo again: "Tivoli and Computer Associates can help in a multi platform environment because they can centralise admin and feed systems data back, including security problems, to a single console. But although they make it easier to administrate - they don’t necessarily mean you have a secure environment. You need other things, like monitoring, to be sure of that." Pudwell of ISS agrees: "You need a mixture really. The network management vendors have much to offer and must include built-in security, of course. But you need a process outside this to enforce security policies and to monitor changes."

There is an obvious dilemma in the concept of a ‘secure network’. On the one hand businesses want to be sure their corporate networks are secure - their very survival depends upon it. But on the other hand, the main business virtue of networks and electronic commerce is their ability to provide easy access to information; too much ‘security’ can create a barrier to access and companies must find ways to balance the two.

A flexible approach to security


A flexible approach to security is, therefore, essential. Companies must be able to specify the parts of the network, the databases and the application processes they want to make available and to whom. They want to be able to do this quickly and easily without the need for expensive technologists to cope with the complexity. At the same time, organisations must be able to relate the level of security they need, and the cost of implementing it, to the bottom line. Some applications, government contracts or commercially sensitive collaborations with third parties for example, will need a high level of security protection because they have a higher associated risk. An Internet application which deals only with public access to data might not need any access security at all. A transaction-based Web application may only require encryption of the customer’s credit card number.

The experts all agree that the growing number of NT sites face a new set of security problems - not just because NT itself is a relatively new operating system which has grown in complexity very quickly, but because it is being implemented in an open, multiple-system world. Even assuming the security of NT was unimpeachable - which it isn’t - it would still be connected to the Internet or some other outside network. And this makes every system vulnerable.