Issue: Latin America III 2000
Topic: How much Security is Necessary?
Author: Herbert Arturo Molina
Title: Vice-President & General Manager
Organisation: Latin America, Network Associates
The need for active security management has never been greater. As companies continue to open up their computing infrastructures to outsiders, business integrity is at significant risk. An active approach to security management is required to adequately secure these open and dynamic environments. As the Senior Director of MIS at a large multinational bank organisation based in Brazil once stated to me in a business planning meeting: security as such was a non-existent matter 5 years ago; now we cannot exist without it.
As companies build tighter and tighter relationships with their suppliers, partners, and customers, their traditional corporate walls are beginning to crumble. Because of the increased need for constant communications outside corporate walls, companies will be required to have the innate ability to conduct business electronically with their partners, suppliers, and customers, as well as their remote employees. With all these users approaching the enterprise from different points of entry, it will become increasingly difficult to determine where one company ends and the next begins. The more virtual a company becomes, the greater its chances are of responding to market demands and succeeding competitively. The downside, of course, is that a virtual corporation can be dangerously insecure. In an effort to become more nimble, corporations are replacing legacy applications with packaged applications, such as SAP R/3. They are also developing e-Business applications that extend their ability to do business. Electronic commerce has undergone an incredible transformation over the past two years. What began as a few web sites selling books and other small goods online has exploded into a network of business-to-business and business-to-consumer transactions. E-Commerce transactions have become only one component of a much more complex infrastructure of communications and relationships among businesses. Many companies have built applications that enable communication among partners, suppliers, distributors, and customers. These applications must connect disparate IT environments and often exchange data between heterogeneous systems.

Protecting electronic business

This is where electronic business comes into play. Specifically, companies are using the Web and web-based technologies to connect with their various constituents and build new applications. These new applications are a combination of existing applications and repositories that contain rich information on customers, products, channels, and sales. Before making a decision to build an e-Business application on top of the Internet backbone, it is critical for an organisation to understand the security ramifications. And, because this market is moving so quickly, it is important that the e-Business technologies a company selects are flexible enough to move into the future with the organisation. The traditional business structure is comprised of three components: management, enterprise resources, and production line departments. Layered on top of each department in the production line are the six types of e-Business applications that will dominate the market over the coming year: e-Marketing, e-Sales, e-Service, e-Support, e-Supply, and e-Engineering. E-Marketing applications are the basic web-identity sites that almost every company is implementing today. From there, most companies make the foray into an e-Sales application through which they hope to sell their products and services over the Internet. To further differentiate their companies' offerings, many then venture into providing e-Service and e-Support applications. Many companies are even looking to develop e-Supply applications through which they can build an integrated supply chain with their suppliers and their customers. Some have gone so far as to build e-Engineering applications that allow collaborative product development between corporate engineering organisations across their respective firewalls. The ANX e-Commerce initiative undertaken by Chrysler, GM and Ford to standardise parts and suppliers worldwide in order to reduce TCO (Total Cost of Ownership) worldwide is a good example for this article.
Latin America e-Commerce and Internet status

Improved telecommunications infrastructures, increased PC usage, and an overall upturned economy will generate monumental growth in Latin America's Internet services market in the coming years, according to a study released last month. ISPs generated a total of US$1.18 billion in revenue in 1999 in the region, a 67 percent increase over 1998. The market is expected to grow at a compound annual rate of 58 percent through 2005, when revenue will total US$17.4 billion, according to a report from market researcher Frost & Sullivan. The spread and enthusiastic adoption of free Internet access throughout the region is forcing ISPs to generate revenue from services and sources other than access, such as Web hosting and advertising. For example, in Brazil, 90 percent of the market's revenue is expected to come from non-access sources in 2005, up from 30 percent last year, according to the report. Although the ISP market is currently crowded with competitors, consolidation in the coming years will “continue until each country is dominated by a few major companies”, the report states. Despite the consolidation, small providers will be able to survive and even thrive if they target niche segments, such as services related to e-Commerce and to large corporations. Factors that could derail the market's projected growth include future economic instability, high local-phone rates, tepid e-Commerce growth, and political turmoil. The number of Internet users in Latin America is growing at a 41 percent compound annual rate, the fastest in the world, and is expected to reach 29.4 million in 2003, according to market research firm International Data Corp. (IDC), in Framingham, Mass. For example, in an effort to build a critical mass of electronic commerce in Latin America, several of the region's biggest companies are creating an online marketplace for businesses.

The new venture, Latinexus, is owned by Cemex SA and Alfa SA, both of Mexico; the Bradespar unit of Brazil's Bradesco Group; and Votorantim Group, also of Brazil. The founders are in talks to bring as many as 20 large Latin firms, from a broad range of industries, into the partnership. The Latinexus Web site will initially be a forum for the sale of electronics, office supplies, parts and maintenance equipment that are not specific to any industry. It will eventually expand by sector and add pay services like shipping and customs handling. Ariba Inc. of Mountain View, Calif., will provide the technology. Latin America is at the beginning stages of electronic commerce. Most companies still deal directly with their suppliers through faxed “requests for proposals” and phone calls, notes Clifford Dyer, former President of Merisel Latin America, which used to be based out of Miami. Both buyers and sellers complain that the slow, often opaque process is inefficient and leaves room for corruption. Cemex is among the world's largest cement companies; Bradespar is the non-financial arm of the group that owns Brazil's biggest private bank, Banco Bradesco SA; Alfa and Votorantim are both large industrial conglomerates. “Eventually these types of initiatives will lead to replacing all those faxes coming and going”, Mr. Dyer says. He estimates that the market for general-purpose business goods in Latin America will reach US$700 billion by 2003 and that 10% of that will be transacted on-line.

Security

As the globalisation phenomenon continues to grow, and the Internet and e-Commerce applications grow in different areas and in number daily, all corporate and regular end-users need to be aware of what a real security management system can do for them. Security is closely tied to other core technologies such as Networking, Wireless / Broadband & Storage Management.
In fact, there is something which I call the second Internet wave, or the Fourth Industrial Revolution. This is the interaction of technologies to enable the integration of voice, sound and video. Only a few years ago this was seen as something very difficult to do, requiring what some then called the Super Highway; now it is an everyday reality. Since the main purpose of this article is to make the corporate community aware of how important security is when dealing with Internet and e-Commerce applications, let's make something clear: on-line security starts from within. Security cannot continue to be thought of as simply having anti-virus software and a firewall in place. Any organisation, independent of size or industry, is now required to implement security policies to protect its IT systems' integrity from external and internal attacks. In February, we saw an unprecedented salvo of denial-of-service attacks against major e-Commerce sites, including Yahoo Inc., Ebay Inc. and Amazon.com Inc. These attacks have cost millions of dollars in lost revenue and have had an intangible, but significant, impact on customer confidence. In fact, one estimate is that the cumulative damages may total as much as US$1.2 billion. The underlying technical method of attack is not new. The Internet community has seen similar attacks for at least the past five years, and the theoretical basis for the attack has been known for decades. With tools that allow for distributed attacks, there is little that a diligent system administrator can do to avoid becoming a victim of a distributed denial-of-service attack. However, in their concern about becoming a victim, many operations are missing the larger issue: they could become a facilitator of an attack against another organisation. When the dust settles, the real issue is downstream liability.
These distributed denial-of-service attacks are only successful because the attacker is able to compromise numerous systems and install “zombie” software that will be used in a co-ordinated attack. This means that compromised hosts have become part of a distributed-attack platform. Did the owners of these compromised hosts practice due diligence with respect to their security? If they were not being diligent, they may be liable for damages resulting from the attack. Here are some steps that organisations can take to achieve a minimal level of diligence and ensure that their systems are not used as an attack vehicle against somebody else. Every organisation should:

· Establish a formal security programme: A dedicated security programme, operating with the support of senior management, is needed to create dynamic, well-managed security policies that evaluate risk, implement procedures, provide training and promote employee awareness of the problem.

· Keep software and systems current: Make sure your company is running current versions of all operating systems and software. A majority of intrusions are conducted using known vulnerabilities that could have been easily mitigated by installing a vendor patch. Your information technology staff should diligently monitor vendor web sites and e-mail lists to ensure that they are not running insecure software versions.

· Perform periodic vulnerability assessments: The best mechanism for determining the vulnerability of your enterprise is to have periodic full-scale vulnerability audits. Make sure that the company conducting the vulnerability assessment is not also under contract to provide products or implementation support.

· Recognise the value and limitations of information security tools: In many companies too much emphasis is placed upon the use of buzzword security fixes like firewalls, virtual private networks and intrusion detection. While security tools are vital, they need to be part of a comprehensive security programme and must be configured to match the organisation's security policies.

Every organisation connecting to the Internet has an obligation to maintain an appropriate level of due diligence for information security and management. Ultimately, any security policy in place aims to reduce total cost of ownership (TCO) throughout the organisation.

Summary

Improving an information security strategy must take into account business needs and corporate culture, and must gain support at all levels of the organisation to be effective. For business, the issue of security could not be more acute. Between risk and fraud and growing awareness of privacy issues among customers and partners, businesses face an uphill battle to define security policies that protect not only the data and the systems, but also the company from charges of negligence.

Conclusion

Enterprises of every size share many of the same problems in developing a security policy. Security is not a profit centre, even if you are in the security business. Most companies focus on securing against external attacks, but it has been clear for years that they are more vulnerable to penetration by deliberate or negligent acts of employees and trusted contractors than they are by hostile, external sources. Security is not a property of a product; it is a property of an environment. In the end, perhaps, security means never having to say, “I Love You”.