Computer Security Article

Today's Security Drivers

Author: Stephen Cobb

Highlights:

  • What drives the need for corporate security?
  • How do you decide how much security is enough?
  • The effect of privacy legislation on security standards.

Status: Internet Security Advisor, January 2000

Background:

  • Recent Supreme Court decision.
  • Imminent Federal regulations.
  • Privacy concerns increasing.

This article is not about the people in helmets who drive armored bank cars. I'm not talking about APIs and DLLs. The security drivers I want to focus on are the forces which drive an organization to achieve certain standards of security.

The Security Mix

Security standards are used, by both managers and technicians, to answer the vexing question: "How much security is enough?" Not enough security and your information is compromised; too much security and you have a negative impact on both productivity and the bottom line.

Getting the security mix just right is an important part of being competitive in today's heavily IT-oriented economy. If you have less security than your competitors you run a very real risk of losing data, or losing face (for example, when your web site is very publicly hacked). On the other hand, spending more on security than your competitors carries the risk that you will be less profitable than they are. Deciding on the right amount of security is also a challenge for technicians. Adding security features tends to increase product complexity and can negatively impact areas such as cross-platform compatibility and user-friendliness. Furthermore, you may face the daunting task of proving that the security features you incorporate into your product or solution are indeed secure.

For example, if you are developing a web interface to a back-end database, your customer can tell very quickly whether or not the solution you have provided delivers the required functionality; but few customers are well-equipped to test whether or not what you have built for them is truly secure. Security standards can help resolve these questions, for example if you can point to a standard and say "this is the level of information security management we have to meet" or "this is the standard which security products of type X must meet." However, such standards are only just emerging, which can lead to problems when you are faced with this question: "Why should we spend money on security?"

If you are either responsible for the security of your organization's information systems, or responsible for developing security products and services, there's a good chance that you have had to deal with this question. Unfortunately, many of us in the security business are so close to our work that we assume the answer is obvious. When challenged to justify security spending, we tend to say things like "Because it is the right thing to do." The fact is, every spending decision an organization makes needs to be justified, often to people far removed from the area of expertise in which the spending request originates.

Suppose you think there should be a new firewall between the company web site and the internal network, in addition to the existing one in front of the web site. You should be prepared to make the case. For example, you might say that the new firewall will reduce the risk of intruders penetrating the company's internal network. There are documented cases of company networks being compromised via the Web and you can cite these in order to make your point. But accurate statistics about such cases are hard to come by. So what happens if management's response is: "We'll accept the current level of risk and stick with the current configuration"?

This is called risk tolerance or risk acceptance and it can vary between organizations. For example, a multimedia start-up might have a higher risk tolerance than a well-established bank. The important point about risk tolerance for all types of organizations is that it needs to be based on an accurate assessment and understanding of the risk. This involves both technical and non-technical issues. These days, many of the technical issues, such as the vulnerabilities in operating systems and Web technologies, are well documented. On the non-technical side, you have a fluctuating array of factors that I call security drivers. These are factors which influence the extent to which certain information needs to be protected. These include the profit motive, since a major security breach can negatively impact the bottom line, and the reputation motive, because a highly-publicized security incident can dent an organization's reputation. But there is one driver that will take the lead in 2000: privacy.

This year, the commitment which organizations make to protecting confidential information will face unprecedented scrutiny, from a public that is more computer literate than ever, and more concerned than ever about limiting access to their private data. If you are not convinced, or you need help convincing someone else, consider the following three data points.

Higher, Wider, and HIPAA

First of all, in January, the highest court in the US ruled unanimously that states can be barred from disclosing the personal information which drivers provide in order to obtain a license. In the case of Reno v. Condon, the justices upheld a six-year-old federal law (the Driver's Privacy Protection Act, or DPPA) that forbids states from selling addresses, telephone numbers and other information which drivers put on license applications. Both privacy advocates and members of the direct-marketing industry agreed that the ruling will make it easier for Congress to pass similar laws to restrict the interstate sale of records on land ownership, housing sales, occupational and recreational licenses and other information. Congress was motivated to pass the DPPA in part by the death of actress Rebecca Schaeffer, who was killed at her California home by a stalker who had traced her address through the motor vehicles division. Since the DPPA bars states from disclosing personal information without drivers' consent, the implication is that failure to protect such information will have serious legal consequences. We can expect more legislation in the next Congress to broaden the current protection.

Secondly, consumer privacy provisions contained in last year's landmark financial services bill appear to be wider than expected. Although the legislation was aimed at deregulating the banking industry, it actually applies to a broad range of companies which are involved in the money-transfer business, including department stores, car rental companies, automakers and computer software companies. Ironically, lawmakers were criticized by privacy groups at the time the bill was passed, because the privacy rules, designed to make it more difficult for banks, insurance companies and securities firms to share private information with unaffiliated third parties, such as telemarketers, were seen as too weak. But government officials now say that the new law has significant implications for other, previously unregulated industries, which engage in related financial activities, such as realty appraisers, collection agencies, check-guarantee firms or any entity that transmits or handles consumer financial transactions.

Thirdly, the time has come for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Otherwise known as Public Law 104-191, HIPAA mandates the creation of privacy standards for health care information. Since Congress has failed to legislate such standards, the Secretary of Health and Human Services must lay down the rules. These go into effect shortly. They have been phrased in a positive manner: "to allow health information to be used and shared easily for the treatment and for payment of health care; allow health information to be disclosed without an individual's authorization for certain national priority purposes (such as research, public health and oversight)." However, this is where the limitations start to appear, requiring that this disclosure be done: "only under defined circumstances; and require written authorization for use and disclosure of health information for other purposes." Furthermore, the rules require

"a set of fair information practices to inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access."

Conclusions

In other words, appropriate protection of data is on the lips of everyone from the Supreme Court to Congress and the federal government. Any organization which continues to think minimal protection of sensitive information is a low-risk strategy is living in the past. If that new firewall between the company web site and the internal network significantly decreases the chances of private data on the internal network being exposed to the outside world, it makes sense to install it. As time goes by there will be less and less sympathy for organizations which respond to data leaks by pleading "We had no idea people would get so upset." The standard of information security which the public expects organizations to maintain is rising, and we had better get used to it.

Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).