IT Security and Privacy
The effort to secure information systems and consumer privacy reports of computer viruses, sophisticated
software attacks and lost data on laptops surface regularly requires a lot of technology, but security
is still largely a people problem.
"Social engineering remains the most important thing about IT security and privacy," says Gregg Vesonder, Adjunct
Professor of Computer and Information Science in the Executive Master's in Technology Management program
and Director of the Communication Software Research Department at AT&T Labs Research. "Technology is just part of
it. Security is also about process, how humans are taught to interact and take responsibility. You can have the
best locked door in the world, but people get in if it's left opened."
The social aspect of security and privacy is a key takeaway from an 'EMTM Presents' lecture given November 16
by Vesonder in Washington, DC. Vesonder is a teaching a new course on security and privacy that will address
issues such as securing data, limiting access and setting up procedures that balance usability for the worker
with security based on business needs.
The course is timely, say EMTM alumni and students, who hail from companies such as storage company EMC, which
recently acquired security vendor RSA Security, AT&T and consulting firms such as IBM. Overall, security is a
balancing act between generating a return, complying with a host of regulations on the federal and state level
and protecting corporate and customer information. The approaches to security vary by industry and most
EMTM alumni viewed financial services and healthcare as sectors most focused on security due to a bevy of regulations.
But Vesonder notes that "all industries have security and privacy issues." Eric Hagen, EMTM'08, Solutions
Architect for storage giant EMC, says "heavily regulated industries such as finance and pharma have looked to
security solutions that will help them comply with regulators at the lowest total cost. However, new regulations
are starting to make other industries take a more proactive approach to their security as well."
Unfortunately, IT security and privacy policies and procedures are a lot like life insurance you don't
appreciate them until it's too late. In general, people tend to learn lessons the hard way. "The companies
most sensitive to information security controls are organizations that have already had breaches," says Atif Ghauri,
EMTM'08, Managing Consultant for IBM's Security and Privacy Services Practice. "Many companies react more
to security if they've been breached or hacked. The ones that haven't are not as cautious."
Here is a look at the key issues in IT security and privacy:
The Balancing Act
Security has a series of trade-offs and one of the biggest is return on investment. Anthony Troy, EMTM'07, Principal
of Diamond Management and Technology Consulting, cooks the issue down to two questions: How much should I spend for protection
and how much is enough? "The answer to those questions is different for every company," says Troy. "It comes down to risk
percentages and putting a dollar value on the risk."
Of course that's easier said than done with budget constraints. "Industries today are squeezing costs everywhere and
some can't justify a lot of spending on technology and process until something happens," says Vesonder.
Usability is another key tradeoff. Procedures have to be designed so workers can use them. Too many restrictions mean
security procedures will be ignored. Ghauri says technology companies are working to make security more transparent to
the end user. If that transparency is achieved, security and privacy controls will run in the background unnoticed.
Ghauri adds that the use of biometric devices such as fingerprint readers, iris scanners, and smart-cards is becoming
more common because users avoid the need to remember so many passwords, which is often the weakest link in the security chain.
And finally there's a tradeoff between privacy and security. National identification cards, data mining and video
surveillance are all techniques that could improve security, but spark debate. "There are a lot of issues with the tradeoff
between personal privacy and security," says Vesonder.
Those tradeoffs between security, usability and returns were recently managed by Michael Mira, EMTM'01, Director of Financial
Integrity and Internal Controls for AT&T's business division. Mira just completed a two-year project that tightened controls
around applications and created a system to verify access.
Mira's challenge: Create a process and tool that could grant access to multiple applications and leave a trail for auditors
to track. The project, which was prompted by the Sarbanes-Oxley legislation, now allows workers to request access to applications
and be verified by gatekeepers. "We had to balance control, financial benefit and make sure the lock on the door wasn't too big,"
To tackle the problem Mira worked with program group manager Lisette Mendez, a 1990 graduate from Penn Engineering with a BS
in Bioengineering, to build a Web-based tool and processes that could provide access to the 1,400 applications in question.
The tool authorizes access, tracks requests and designates a manager to review requests. With the system, AT&T knows who had
access on a system, when and why. Another security perk: the tool cuts off former employee access.
Vesonder says processes are critical to restricting data access, especially since companies are pack rats when it comes to
information. "The problem is data is easy to collect and cheap to keep. The flip side is keeping all this data can get me in
trouble," says Vesonder. "For every bit of data there needs to be a policy for it."
"Traditionally, security has been a matter of building perimeters (like firewalls) around sensitive information," says Hagen.
"Although this kind of 'medieval castle' approach is a necessary start, it is insufficient. More and more organizations are
realizing that information is dynamic in order for it to have value, it will need to move between people, systems, and
organizations throughout the course of its lifecycle."
Progress thus far
So has security improved over the last five years? Ghauri says while information security programs have grown, so have
the threats and vulnerabilities, thus "you could argue we are more insecure now." The reason: Technology is so pervasive
that the areas ripe for attack have multiplied, he says.
Troy agrees. He says it's quite possible a security breach could start from a local coffee shop, given that many workers go
there to connect to the Internet. "It's really an arms race," says Troy. "We may be a bit safer, but the threats are evolving."
While the state of security is debatable, the stakes today are higher. What used to be a dozen stolen credit card numbers
obtained via carbon copies found in a dumpster today is now thousands of hacked numbers, explains Vesonder. On the bright
side, Vesonder says it's promising that awareness about security has increased. For instance, there are more high level
executives focused solely on information security. "It's better to have someone who has security in his face all the time,"
says Vesonder. "And with the CSO (chief security officer) there's one throat to choke."
Ghauri adds that changes in technology architecture also hold promise. Two key developments are layered security arrangements,
which would require a hacker to bust through five or six layers to get to data, and models that make it easier to manage
identities and passwords across multiple applications.
And then there are new developments such as biometrics, which promise to rid the world of having to remember multiple passwords.
But even if customers start using fingerprints to access computers and networks, there is no magic bullet, says Vesonder.
"Biometrics are better than passwords, but remember they are digitally encoded and can be hacked," he says. "It's not a slam
dunk on security."
In fact, there is no slam dunk. Hagen notes that there are plenty of low-tech ways around high-tech security and that's why
people and processes matter so much. For instance, a thief could walk off with a back up tape instead of hacking into a network,
especially if another worker left a door to a secure area open, says Hagen. "Creative people will always be able to find ways
around security perimeters, which is why it is so important to be able to provide security at the information level as well,"
Meanwhile, security ultimately comes down to the computer user. Vesonder often asks his audiences of technology professionals
whether they back up their own data. In most cases, that answer is no. "And if they aren't doing it chances are pretty good
you're not either," he says.
EMTM Course: IT Security
“Social engineering remains the most important thing about IT security and privacy... You can have the best locked door
in the world, but people get in if it's left opened.”
Adjunct Professor of Computer and Information Science
Director, Communication Software Research Department
“The answer... is different for every company. It comes down to risk percentages and putting a dollar value on the risk.”
Anthony Troy, EMTM'07
Diamond Management and Technology Consulting
“We had to balance control, financial benefit and make sure the lock on the door wasn't too big.”
Michael Mira, EMTM'01
Director of Financial Integrity and Internal Controls,
AT&T Business Division
“You could argue we are more insecure now.”
Atif Ghauri, EMTM'08
Managing Consultant, Security and Privacy Services Practice
“Creative people will always be able to find ways around security perimeters, which is why it is so important to be
able to provide security at the information level as well.”
Eric Hagen, EMTM'08