
It's not a pretty picture...
Published: 21 September 2004 09:00 GMT
Everyone wants secure networks but too often business demands make it difficult to deliver them, says Martin Brampton. Is there any way around this conundrum?
Security issues consistently top polls of senior IT professionals. Combined with the related topic of business continuity, it is a major headache for IT management. The other top concerns are keeping costs under control and interacting with the business.
Yet it is the business that is creating the contradictory pressures for unlimited flexibility without cost penalties. We are all fascinated by the tantalising possibilities that open up as a result of cheap, widespread communications. And many businesses have plans to exploit this, often in a variety of different ways.
Organisations want to link together to build flexible, low-cost supply chains. However, the security implications of doing so are not always considered. Nor is the increased demand on business continuity. Our conception of efficiency involves systems being pared down to the point that they are almost failing. But that means any failure to achieve planned levels of service is liable to have a dramatic effect.
This leads to arguments that justify substantial spending on business continuity and security, on the grounds of the high cost of downtime. Superficially, that makes sense. However, if the costs have not been factored into the business model for the process, profitability may be threatened. In practice, the extent of the costs is frequently underestimated and risks are often taken.
Simple projects can be wrapped up and the cost justified. For example, provided an acceptable service level can be achieved, the internet may well provide a financially attractive communications channel. The technology is available to secure such a link, and the costs can be established and compared with alternative services. In fact, since the services provided by carriers are often shared in the backbones, it may well be desirable to secure most communications links, whether they are nominally private or public.
It is when projects create more general problems that the costs often surface long after the new service is committed. This is where the mismatch between what the vendors can easily offer and what the customers want becomes apparent. The best understood security is around the perimeter of organisations. More strictly, it is about the perimeter of individual locations.
Perimeters are often in arbitrary places, though, when we look at how people behave. Mobility is increasingly valued, while continuous connectivity is expected. Businesses want to set up and take down links in a dynamic way, often involving other organisations. Impermeable barriers are a serious constraint on the flexibility people want, and maintenance of perimeter security is increasingly hazardous and costly.
That brings us to the realisation that we need to secure individual logical facilities, not just physical locations. At the same time, we need to be able to identify the users of those facilities without placing too many difficulties in their way. Since we cannot easily tell what part of our infrastructure will be involved, we are faced with the need for a security capability that permeates all of our networks.
Not only is that liable to generate significant costs across all our IT activities, but we also have little experience of doing it, and few tools that can be deployed without significant difficulty. The vast majority of our existing software was developed to work in what was always assumed to be a friendly environment. Changing the assumption to allow that we are not sure who is attempting to access a service creates new and difficult problems.
It also takes us into the fraught area of proprietary versus open standards. If security is to be ubiquitous, then we face the prospect of either establishing public standards for all the key technologies or becoming ever more locked into a small number of suppliers. Given the high stakes, vendors are bound to make strenuous efforts to draw their customers into security mechanisms that are controlled by the vendors.
So are we going to slow down the rate at which new and relatively untested software is deployed, while we ensure that higher standards of design and security are implemented? Or are we going to see a rash of IT-related disasters? Probably both.
Martin Brampton is founder of Black Sheep Research, an independent consultancy providing research, writing and speaking services on a wide range of business and technology issues. Martin was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He is a longtime contributor to silicon.com and his blog can be found on his website.
Copyright © 2008 CBS Interactive Limited. All rights reserved.