Security Trends
Ravi Sandhu & Ravi Ganesan
Thursday, June 26, 2008
Pretend you were the Chief Security Officer of a Fortune 500 corporation in 1993. What was your threat environment like? You had the comfort of knowing that most commerce consisted of B2H2B or B2H2C, i.e. you had the human ‘H’ as a buffer between your systems and the outside world. You did worry about rogue insiders, you were starting to worry about viruses and you spent money on “war dialing” to discover those modems left connected to PCs against your policy. Let’s call this the 1993 threat environment. And you had a 1993 security budget for defense.

Fast forward to 2003: every computer in your organization is networked to the Internet. The H is fast disappearing, and B2C and B2B make your internal systems accessible to the outside world. The viruses have grown stronger and spread faster. To add to the bestiary, you have worms and horses (Trojans) to worry about. With a decrease in long-term employer-employee relationships, your threat of insider attacks has grown even larger. And, oh yes, you now also have to worry about cyber terrorism. We would say that in your 2003 threat environment the risks have gone up at least a hundredfold. This is the first big security mega trend we need to contend with: increasing threats, internal and external.

One may react to the first mega trend by saying, “There go the alarmists again. If all this was true, we’d be experiencing a lot more incidents than we seem to be.” Fair point, but you need to be aware of the second big mega trend: the closing of the gap between potential crime and actual crime. The simple truth is that until very recently, computer crime was largely the province of young men proving their manhood from behind a terminal and exulting in the adulation of a bulletin board. The new computer criminal seeks not glory, but seeks either to steal your money or cause you harm. Such “traditional” criminals until recently had much richer pickings in the physical world, and did not need to turn to the wide-open, poorly secured Internet. But as that changes and serious criminals and terrorists turn their attention to the cyber world, they will be able to take advantage of the very weak defenses we have deployed. The second mega trend is the increasing professionalism of attacks.

The next two mega trends come from the business side. The realities of electronic commerce are causing our security perimeters to disappear. The relative safety of enterprise computers behind a boundary of firewalls begins to crumble as economic and market pressures drive us to open our systems for the benefit of consumers and business partners. Enterprises cannot pass up the convenience and cost savings offered by B2B and B2C systems. Yet the security vulnerabilities of opening holes in the perimeter raise concerns that hold us back. Along with the disappearing perimeter, the nature of the constituency is changing. Users are no longer just employees of the company; they are increasingly business partners and customers. The ease of use and quality of service provided to external users is necessarily different from what employees will tolerate and accept. Also, there is less control over the computing environment of such users. The third and fourth mega trends are the disappearing perimeter and the increasing population of external users. These two mega trends require security professionals to make adjustments in traditional security doctrine as they adjust to new business realities.

Given all these challenges, will the next mega trend be a huge increase in security spending? The answer is no; it will always be the case that spending on security will be between 5 and 10% (depending on the industry) of IT budgets. Somehow each security dollar will have to work a lot harder. The fifth mega trend is that security budgets are likely to remain flat.

Our sixth and final mega trend is the shrinking security expertise within organizations. As the security landscape becomes more demanding and as security becomes a more business-driven goal, it will be harder for the enterprise to maintain top-notch in-house expertise. So not only do our security dollars need to work harder, they need to factor in the decreasing in-house expertise we have for their careful use.

In a nutshell the Chief Security Officer of the next decade is going to be asked to do more with less. This presents a problem and an opportunity to which the market is reacting, even as we speak. Outsourcing of IT, and of security in particular, is a possible part of the solution. But outsourcing shifts the problem to the service provider, who still needs to do more with less.

We can see three technical responses in the market in light of these mega trends. First, there is the emergence of security appliances to provide cost, operability, performance and security benefits. Builders of first-generation firewalls recognized that a security- and mission-critical service such as a firewall must be run on dedicated hardware from which extraneous services and user accounts are eliminated. To have the security and system administrators do this at their individual enterprises is not very effective. Over time, we saw the emergence of firewall appliances which came pre-installed on hardware and were managed by their own interfaces without any access to the underlying operating system. Today we see a variety of security appliances in the market and can expect to see more in the future. The market has appliances for secure web servers, virtual private networks, public key infrastructure, user authentication, identity management and rights and privilege administration available for purchase today.

The second technical response is the emergence of reusable and evolvable security infrastructure. A different authentication and authorization solution for each application is no longer viable. Instead we are seeing the use of uniform mechanisms for access to multiple web sites and, possibly, legacy applications. We are also seeing the emergence of technologies that allow multiple strengths of authentication to coexist. For instance, the vast majority of users may be authenticated based on passwords while a small fraction require the use of smartcards. Technologies that allow both of these to coexist in a single integrated infrastructure are likely to resonate in the market.

The third technical response is to address the internal threats by means of well-known security principles such as least privilege, separation of duties and role-based access control. While these principles have been known and practiced for some time, there is a counterculture of the operating system superuser and the database administrator who have become accustomed to complete and absolute access to every part of their systems. Enforcement of strict internal controls, perhaps aided by the appliance architecture, is an effective way to address and contain the insider threat.
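As an added illustration (not code from the article or its authors), the following Python sketch shows how the principles named above replace a single all-powerful administrator with least-privilege roles, and how a static separation-of-duty constraint keeps one insider from holding two conflicting roles; the role and permission names are constructed for the example.

```python
# Added example: a minimal role-based access control model with least-privilege
# roles and static separation of duty. Role and permission names are constructed.
from dataclasses import dataclass, field

# Each role carries only the permissions its job needs (least privilege); no role
# has the old superuser's blanket access to everything.
ROLE_PERMISSIONS = {
    "db_operator":      {"db:backup", "db:restore", "db:tune"},  # runs the database
    "app_auditor":      {"data:read_log"},                       # reviews access logs
    "payment_clerk":    {"payment:create"},
    "payment_approver": {"payment:approve"},
}

# Mutually exclusive role pairs: no single user may hold both roles of a pair
# (static separation of duty), so creating and approving a payment, or running
# the database and auditing its use, always require two people.
SEPARATION_OF_DUTY = {
    frozenset({"payment_clerk", "payment_approver"}),
    frozenset({"db_operator", "app_auditor"}),
}

class SeparationOfDutyError(Exception):
    """Raised when a role grant would give one user two conflicting roles."""

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def assign_role(user: User, role: str) -> None:
    """Grant a role unless it would violate a separation-of-duty constraint."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    for pair in SEPARATION_OF_DUTY:
        if role in pair and (pair - {role}) & user.roles:
            raise SeparationOfDutyError(f"{user.name} may not hold both of {set(pair)}")
    user.roles.add(role)

def try_assign(user: User, role: str) -> bool:
    """Attempt a role grant and report whether the constraint check allowed it."""
    try:
        assign_role(user, role)
        return True
    except SeparationOfDutyError:
        return False

def permissions(user: User) -> set:
    """Union of the permissions of every role the user currently holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))

def is_authorized(user: User, permission: str) -> bool:
    """Access decision: the user has the permission only through an assigned role."""
    return permission in permissions(user)
```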

In terms of policy responses, we are likely to see a trend towards less build and more buy. Security is a difficult thing to get right, and building security components internally in an organization is an increasingly risky prospect. The Chief Security Officer and his staff in an enterprise will need to focus on understanding the enterprise’s business needs for security, and how best to achieve these with as much buy and as little build as possible. In particular, security professionals often overreach. They are schooled in a doctrine of “more is always better.” Security professionals need to adjust to a new doctrine where more security cannot be justified for its own sake and must be clearly grounded in business needs. In fact, more security can be harmful, because if it gets in the way the business users will find a way around it and the net result will be less security. This has been empirically established on numerous occasions. Secure but hard-to-use operating systems have always lost in the market to function-rich but less secure systems.

To conclude, in terms of mega responses to mega trends we can see the following.

• Security appliances to reduce cost while increasing performance, operability and security
• A drive towards reusable and evolvable security infrastructure
• Strong internal controls to address the insider threat
• Less build and more buy
• Recognition that “more security” is not always better

Ravi Sandhu is Chief Scientist of NSD Security Inc, a U.S. company established by NSD Japan, a leading Japanese system integrator and a member of the NSD Group. He is the principal designer of NSD Security's Secure Identity Appliance built using SingleSignOn.Net technology. He earned his B.Tech. and M.Tech. degrees from IIT Bombay and Delhi respectively and M.S. and Ph.D. from Rutgers University.

Ravi Ganesan serves as Chairman of SingleSignOn.Net Inc and Chief Advisor of NSD Security Inc. He previously served as CTO and then Vice Chair of CheckFree Corporation, the largest electronic billing and payment provider in the U.S. Prior to CheckFree he served in various positions at Verizon Communications including Vice President of Distributed Operations.
