Security and Standards

A global challenge and integrated enterprise

K Subramanian
Deputy Director General
National Informatics Centre
Government of India

Sound practices in information security
Information Technology is penetrating all walks of life. With the advent of the Internet and web technologies, we can see and feel the reorientation of business, of business deliveries and of the electronic transactions being handled, and electronic delivery systems undergoing massive transformation. Organizations have become more dependent on networks for business transactions, external data sharing and simple day-to-day communications. These needs drive networks not only to be more transparent and accessible but also to be protected from illegal access and abuse. Today's security solutions are basically comprised of multiple point products, each designed for an isolated task (such as detecting a virus or preventing an intrusion). This results in a lack of interoperability, unmanageability and a higher cost of ownership. Integrated security is therefore emerging as an effective approach to address the new challenges. It integrates multiple security technologies such as anti-virus, firewall and intrusion prevention, and combines them with policy compliance management, service and support, and advanced research for more complete protection. Through a holistic approach to security at each tier of the network (i.e. client, server, gateway), organizations are able to reduce cost, improve manageability, enhance performance, tighten security and reduce risk exposure.

The executive goals for reducing the total cost of ownership while improving security are as follows:
  • Implementing solutions that ensure open and robust, yet secure, network infrastructures to protect information assets and to ensure business continuity.
  • Keeping pace with the changing requirements of e-business (for example high network availability, data integrity and privacy) under the corresponding security threats.
  • Meeting logging, reporting, auditing and compliance requirements.
  • Facing these challenges with limited resources at the lowest cost.
  • Solutions that maximize employee productivity, including that of the IT department (for example ease of administration and management of the security solutions).
Integrated security, a new network approach, is essential for meeting these security challenges. Exposure to the various threats has to be minimized by improving the security posture and the operational efficiency of security functions, minimizing the impact on the business and reducing the total cost of ownership, so as to provide more comprehensive secure information processing solutions for business needs. This paper covers certain aspects of information security management, security technologies management, engineering security and assurance, and also discusses the current standards being evolved in the international and national standards-making bodies.

We make impossible demands of our security systems. On the one hand, we expect to be able to find anything, anywhere, anytime, easily; while on the other, we want privacy and security. The information security industry faces an enormous challenge. It must manage the conflicting demands of a totally open design and secure, trusted transactions, at a time of explosive growth in the numbers of users, while facing a future in which always connected means always vulnerable. Efforts to make today’s networks and enterprises secure are often at odds with the convenience of users.

Prior to the Internet explosion, information security was defined as 'the preservation of confidentiality, integrity and availability of information'. Today, we realize that this is a dangerous oversimplification. In a mere ten years, the number of generic threats to our information has doubled.

These new threats are the result of ubiquitous access to information, the portability of computing devices, inherent system complexity, and the public and media interest in IT issues. Today's information security framework should prepare for at least six loss scenarios, each with possible variations:
  • Loss of availability
  • Loss of utility, for example in denial of service attacks or the loss of encryption keys
  • Loss of integrity, or the perception that integrity is lost
  • Loss of authenticity, as in the Emulex press release debacle
  • Loss of confidentiality
  • Loss of possession, such as the theft of unique information on a notebook computer
Perfect security is not practical, economical, or achievable. Sound practices, not best practices, will prevail.

The perfectly secure information system is also perfectly inaccessible. The measures we would need to implement to achieve perfect security in today’s interconnected world are expensive and complex beyond belief.

Instead, we need to take a risk management approach to information security. The level of security will depend on the level of risk an enterprise is willing to take. The first step is to identify the potential risks. Once we know the risks to our networked system, we need to decide which ones are most likely to occur and which would cause the largest impact. The impact could be measured in money, time, lost productivity, safety, regulatory impact, loss of market share, customers, reputation or some combination. With a prioritized list of risks and an effective plan to mitigate them, we can construct a plan of action – which has also to account for changes and surprises that introduce new risks.

Since the technology and business environment is highly dynamic, we also need mechanisms for identifying the critical information assets as conditions change, and to adjust where we invest time and energy to upgrade security. The real challenges of the highly secure organization require leveraging a holistic approach.
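A worked form of the risk management approach described above, as an added example that is not from the article: a small Python risk register that rates each risk's likelihood and its impact across the dimensions the article names, produces the prioritized list, flags what exceeds the enterprise's risk appetite, and re-rates a risk when conditions change. The 1-5 rating scale, the "worst single impact dimension" rule and the sample entries are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Impact dimensions are the ones the article lists; the 1-5 ratings and the
# "worst dimension wins" rule are assumptions made for this example.
IMPACT_DIMENSIONS = ("money", "time", "productivity", "safety",
                     "regulatory", "market_share", "customers", "reputation")

def _rating(value, what):
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{what} must be an integer 1..5, got {value!r}")

@dataclass
class Risk:
    name: str
    likelihood: int                              # 1 = rare .. 5 = almost certain
    impact: dict = field(default_factory=dict)   # dimension -> 1..5

    def __post_init__(self):
        _rating(self.likelihood, "likelihood")
        for dim, val in self.impact.items():
            if dim not in IMPACT_DIMENSIONS:
                raise ValueError(f"unknown impact dimension {dim!r}")
            _rating(val, f"impact[{dim}]")
    def impact_score(self):
        return max(self.impact.values(), default=0)  # worst single dimension
    def exposure(self):
        return self.likelihood * self.impact_score()

class RiskRegister:
    def __init__(self):
        self._risks = {}
    def add(self, risk):
        self._risks[risk.name] = risk
    def update(self, name, likelihood=None, **impact):
        old = self._risks[name]   # re-rate after a change in the environment
        self._risks[name] = Risk(name, likelihood or old.likelihood,
                                 {**old.impact, **impact})
    def prioritized(self):
        return sorted(self._risks.values(), key=lambda r: (-r.exposure(), r.name))
    def above_appetite(self, appetite):
        # Risks whose exposure exceeds what the enterprise is willing to accept.
        return [r for r in self.prioritized() if r.exposure() > appetite]

def build_sample_register():
    reg = RiskRegister()    # constructed entries based on the article's loss scenarios
    reg.add(Risk("notebook theft (loss of possession)", 2, {"money": 2, "reputation": 4}))
    reg.add(Risk("denial of service (loss of utility)", 4, {"time": 3, "customers": 3}))
    reg.add(Risk("forged press release (loss of authenticity)", 1, {"market_share": 5}))
    return reg
```

Calling `update(...)` with a raised likelihood (say, after the notebook fleet starts leaving the office) moves that entry to the top of `prioritized()`, which is the "adjust as conditions change" step the article asks for.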

Today’s audit and evaluation products tend to focus on the underlying system and network technologies without considering the organizational concerns (such as policies and procedures) and human aspects (management, culture, knowledge and skills, incentives, and so on). As a result, incomplete or point solutions are implemented with the expectation that they will completely solve the problem. The focus also has a tendency to be inward, and yet the business world is interconnected. The elements of any holistic model need to address culture, policy and procedures, technology, alliances, harmonized legislation, and trusted enterprise challenges.

Culture
The most perfect of security policies, technologies, and other arrangements are useless if the people in the organization ignore them or circumvent them as a matter of routine in order to avoid inconvenience. The security culture has to be pervasive throughout the enterprise, not just within the IT organization.

Policy and procedures
Policies carry executive support and endorsement and are the cornerstone of effective security management. Without a clear understanding of the organization’s policies and their scope, individuals do not have a good basis for making decisions about information security issues. Most security breaches can be traced to inappropriate processes based on non-existent or unclear policies.

Technology
Attacks on information security can often be detected, countered, and healed by appropriate technology. The tools to achieve this are developing rapidly, but so are the weapons of attack. The fundamental fallacy in total reliance on technology is that the number of ways to attack a system is always much greater than the number of ways to defend against attacks.

Alliances
Organizations are beginning to create formal and informal alliances and coping mechanisms to gather knowledge, prevent attacks, and share defensive mechanisms. There is strength in numbers; however, there are also risks. Although the benefits of sharing should outweigh the risks of exposure, we need policies that are carefully formulated and rigorously enforced.

Harmonized legislation
Legislation within and between countries is often inconsistent and sometimes contradictory. There is an urgent need to (at least) achieve a common understanding upon which sound practices can then be built.

Trusted enterprises
Myopic views will potentially allow some level of security within a single enterprise. However, such views do not lend themselves to today's dynamics of ever-changing business processes, nor do they prepare for the new digital business world of collaborative commerce. The new security strategy needs to mirror this propensity for integrated enterprises to conduct e-business. The integrity of a single enterprise instance could be compromised by a weaker, less secure partner.

Security assurance in a dynamic environment
Security management involves tradeoffs; this section also covers Indian security management standards. The information assurance policies and procedures you implement should reflect the tradeoff between your aversion to risk and how much it costs to do something about it. You want that tradeoff analysis to be both rigorous and well reasoned to get the most for your money. The System Security Engineering Capability Maturity Model (SSE-CMM), ISO/IEC DIS 21827, provides an excellent framework for conducting those tradeoffs. It is being modified to suit the Indian scenario and is to be launched in January 2004 as a national standard for security engineering practices covering:
  • Project lifecycles, including development, operation, maintenance, and decommissioning activities.
  • Entire organizations, including management, organizational, and engineering activities.
  • Concurrent interactions with other disciplines, such as system, software, hardware, human factors, test engineering, system management, operation, and maintenance.
  • Interactions with other organizations, including acquisition, system management, certification, accreditation, and evaluation.

[Figure: The eSAC model of security]

System security engineering capability maturity model
The SSE-CMM is a construct for analyzing your security needs. It is not an automated tool. It is both a model and a process. The model is owned by a community of 50 companies / agencies led by the U.S. National Security Agency (NSA) and the Canadian Communications Security Establishment (CSE). The model presents security engineering as a defined, mature, and measurable discipline.

The model and appraisal method enable:
  • Capability-based assurance, that is, security/trustworthiness inferred from the maturity of processes.
  • Focused investment in security engineering tools, training, process definition, management practices, and improvements based on risk assessment and available resources.
  • Qualifying vendors, suppliers, and organizations to connect to a system.

Five maturity levels
There are five maturity levels of capability in the SSE-CMM. The first level is the lowest level of maturity of capability and the fifth level is the highest. In order to sustain a higher level of maturity of capability, all the requirements for the lower levels must also be sustained.

The Indian national standards body (BIS) has been working on adapting and developing information security standards for the last few years. In November 2002, India evolved a new security management requirements standard that is also harmonized with the latest quality management standards. This world-class standard, together with the information classification standard adapted from the international standard IS14990, which addresses trusted secure systems classification and service requirements, will enable users to classify their information systems by security classification and to get them certified using the information management certification standard IS15150. The Government of India has been requested to amend the Information Technology Act 2000 to make compliance with these two standards mandatory for government and public systems. This will enable a new, world-class certification industry to come up as part of the information technology services in which India is trying to lead the international market. It will provide third-party certified protection of information bases and systems up to the desired security levels, and will be especially useful for financial, medical and government records management, security and electronic stock management.


[Figure: Stages of evolution of information security]


Security research
Information systems security research is one of the areas the government envisions concentrating on in the next few years, to develop security techniques, technologies and products for facing the new challenges of using open media for government, industry and business transactions covering commercial, financial and administrative aspects. Security requirements are a dynamic phenomenon, not a static one. Security management is no longer technology oriented but management oriented, both for effective implementation and for treating information and systems as an asset of the organization. Information assurance involves people, processes and technology. Information assurance is risk management, not risk avoidance. It has to be customized for every organization based on its static and dynamic requirements and on the risks and challenges it faces in conducting, managing and transacting business within the country and across the globe. In this article, I have presented an overview of various aspects of e-security in terms of the technological, management, engineering and assurance challenges that every organization faces, supported by evolving appropriate security standards and supportive cyber laws, whose jurisdiction may have to be agreed in terms of universality of protection and of cooperation in investigation and evidence collection.

Integrated security, a new network approach, is essential for meeting these security challenges. Exposure to the various threats has to be minimized by improving the security posture and the operational efficiency of security functions, minimizing the impact on the business and reducing the total cost of ownership, so as to provide more comprehensive secure information processing solutions for business needs.

Amnesty seeks nominations for global journalism award
Here comes another opportunity to explore your ability to pen down noble ideas and opinions in equally noble words. Amnesty International is seeking nominations for its global journalism award for reporting on human rights. It invites non-government organizations (NGOs) to submit nominations for the 2004 Global Award for Human Rights Journalism. The award aims to recognize the best article written in any part of the world that strives to raise awareness and understanding of human rights issues at any level, whether local, national or international.

Each NGO can submit a maximum of three entries, each of which must be an article published in a newspaper, magazine, journal or on the Internet between 1 March 2003 and 19 February 2004.

The articles can be in any language, but an English translation should also be sent along with them. A copy of the article in its original published form should be included. If sent by e-mail, precise details of publication should be included. An international panel of experts will judge the entries. The winner will be announced at the Amnesty International Media Awards in London, England, on 13 May 2004. Entries from journalists, newspapers or other media will not be accepted.

Deadline
The deadline for nominations is 20 February 2004.

Contact
Alex Grace
Amnesty International Media Awards
99-119 Rosebery Avenue, London EC1R 4RE
E-mail: alex.grace@amnesty.org.uk
Web link: www.ifex.org/en/content/view/full/56163/