Security and Standards

Sound practices in information security
Information technology is penetrating all walks of life. With the advent of the Internet and web technologies, we can see and feel the reorientation of business: business delivery, electronic transactions and electronic delivery systems are all undergoing massive transformation. Organizations have become more dependent on networks for business transactions, external data sharing and simple day-to-day communications. These needs drive networks to be not only more transparent and accessible but also protected from illegal access and abuse. Today, security solutions largely consist of multiple point products, each designed for an isolated task (such as detecting a virus or preventing an intrusion).

This results in a lack of interoperability, unmanageability and a higher cost of ownership. Integrated security is therefore emerging as an effective approach to these new challenges. It integrates multiple security technologies, such as anti-virus, firewall and intrusion prevention, and combines them with policy compliance management, service and support, and advanced research for more complete protection. Through a holistic approach to security at each tier of the network (i.e. client, server, gateway), organizations are able to reduce cost, improve manageability, enhance performance, tighten security and reduce risk exposure.

The executive goals for reducing the total cost of ownership with improved security are as follows:

  • Implementing solutions that ensure open, robust yet secure network infrastructures to protect information assets and to ensure business continuity.
  • Keeping pace with the changing requirements of e-business (for example, high network availability, data integrity and privacy) under the corresponding security threats.
  • Meeting logging, reporting, auditing and compliance requirements.
  • Facing challenges with limited resources at the lowest cost.
  • Adopting solutions that maximize employee productivity, including that of the IT department (for example, ease of administration and management of security solutions).

Integrated security, a new network approach, is essential for addressing the various security challenges and minimizing exposure to threats. It does so by improving security posture and the operational efficiency of security functions, minimizing the impact on business and reducing the total cost of ownership, while providing more comprehensive and secure information-processing solutions for business needs. This paper covers certain aspects of information security management, security technologies management, and engineering security and assurance, and also discusses the standards currently evolving in international and national standards-making bodies.

We make impossible demands of our security systems. On the one hand, we expect to be able to find anything, anywhere, anytime, easily; while on the other, we want privacy and security. The information security industry faces an enormous challenge. It must manage the conflicting demands of a totally open design and secure, trusted transactions, at a time of explosive growth in the numbers of users, while facing a future in which always connected means always vulnerable. Efforts to make today’s networks and enterprises secure are often at odds with the convenience of users.

Prior to the Internet explosion, information security was defined as ‘the preservation of confidentiality, integrity and availability of information’. Today, we realize that this is a dangerous oversimplification. In a mere ten years’ time, the number of generic threats to our information has doubled.

These new threats are the result of ubiquitous access to information, the portability of computing devices, inherent system complexity, and the public and media interest in IT issues. Today’s information security framework should prepare for at least six loss scenarios, each with possible variations:

  • Loss of availability
  • Loss of utility, for example in denial-of-service attacks or the loss of encryption keys
  • Loss of integrity, or the perception that integrity is lost
  • Loss of authenticity, as in the Emulex press release debacle
  • Loss of confidentiality
  • Loss of possession, such as the theft of unique information on a notebook computer

A challenge of perfect security is not practical, economical, or achievable