Security managers are becoming more and more aware that some of the most devastating attacks on their networks may come not from outside their company, but from inside. David Fowler, vice president of sales and marketing at Gradient Technologies, sat down with IDG's Matthew Nelson to discuss authentication and access, why it's an important issue, and how security managers can convince their employers to finance such measures.
IDG: What are the biggest security threats currently facing companies?
Fowler: A number of studies have been done and the largest financial impact actually comes from breaches inside the organisation, people who already have access rights to get into the networks and get into the systems, but are actually accessing information and applications that they're not supposed to have access to. And so these are people that would be employees of the company, business partners, and consultants working for the company.
IDG: How worried should IT managers be about these internal security threats?
Fowler: Since the greatest financial impact to organisations is actually associated with people who are inside the organisation, it's likely that the IT department is going to be blamed when those security breaches take place.
As Web technology comes into play and you start to put in extranets and intranets, allowing customers and business partners to come into your networks, they now become co-opted into individuals who have valid access to your networks, but not necessarily everything that's in your networks. So being able to control what they can and can't get to is really important.
The real issue associated with going after these kinds of problems is to try to get the problems out of the way by putting the infrastructure in place ahead of time, so that you can prevent them from happening as opposed to reacting to them afterwards.
IDG: How would you give IT managers some advice on convincing their chief financial officers?
Fowler: The first thing I would do is tell them they really need to do a security audit to understand where they currently are. They also need to look ahead at who they're going to open up those systems to. As a good example of this, we have a number of accounts that are opening up their employee relations - the human resources systems - to all employees so they can access directly how many vacation days they have, etc. When they open up these systems, the IT manager has to be able to control, right down to the field level, who has access to what.
IDG: What steps should companies take to reduce the risk of a security breach?
Fowler: The number one risk is really the risk associated with someone from outside the organisation getting access to your systems, to your networks. And so, clearly, the firewalls and the remote-access devices and the virtual private network technology to keep your information private when it's communicated outside your company are very important.
The next step is to worry about the systems and applications that you're actually running internally. So if you allow someone onto your network, then you need to protect it from having them access applications that they should not be accessing.
There are several ways to do that. One is to actually program that technology directly into the application itself, but that is very painful because if you make a change, you have to get the programmer, drag him over, and have him make the security change.
The alternative is to actually have them program some standard interfaces or standard routines, and actually have the security management done outside of the application itself. So the coder of the application makes some standard calls out to a security infrastructure, and then the security infrastructure is managed separately.
IDG: What are some of the greatest causes for concern for IT managers?
Fowler: The real threat, of course, is that they're being held responsible for the systems that are being put up in your organisation, whether they're putting them up or not. The IT department, even in making its best efforts to protect the information in the company, doesn't necessarily control all the entry points into the organisation. What they tend to control, however, is access to the information and the systems themselves. So they do have much tighter control over the information. And that's the place where they can stop most of the attacks.