Bruce Schneier sells services that protect corporate networks, but he isn't promising any miracles when it comes to the behaviour of your business partners. "Do business with people you trust," says Schneier, founder and CTO at Counterpane Internet Security. "Don't do business with people you don't trust. It's no different than the world's been for centuries."
CSOs such as Steve Haydostian may find that chestnut a tad simplistic. He is chief information security officer at Health Net, a $US10 billion managed health-care company. For Fortune 500 companies like Health Net — and even for much smaller ones — the complexity of the global network and the pervasiveness of e-commerce has increased information security risks by orders of magnitude. And in the current lacklustre economy, many money-saving business moves — from outsourcing manufacturing to collaborative planning — are making companies still more vulnerable. Michael Rasmussen, security analyst at Giga Information Group, sums it up elegantly: "Companies are scared their business partners are their liability, the doorway of compromise into their environment."
So for the security officer who has too many e-commerce partners to do business on a handshake-and-backslap basis, what can improve the security odds? CSOs interviewed for this article offer up a mélange of approaches toward securing e-commerce networks. Often, these strategies seem more like works in progress than steadfast plans. Yet many CSOs are cobbling together strategies that mix old infosecurity standbys (savvier use of outsourcing, a host of intrusion and virus detection software, tighter network management, improved policies, better employee training) with reliance on a growing crop of regulations and industry standards that add complexity but at least provide relief by enabling business partners to communicate using a common language.
Even when every preventive item on the IT list is checked, can a company still be certain that its partnerships are 100 per cent bulletproof? No. But while CSOs can't eliminate all the risk from e-commerce, they can borrow ideas and best practices methods for protecting critical data. So where's a company to start?
1. Know Thy Relationships
First, understand what you manage by taking inventory, not only of your own network but also of your business connections and partnerships. This gets tricky for companies that have scores of subsidiaries or have gone through mergers and acquisitions. But doing so will create a baseline from which to measure progress, says Ted DeZabala, a principal in Deloitte & Touche's enterprise security services group who advises the Fortune 500 on security policy. A CSO who doesn't have this basic knowledge "won't be around for long," he says.
Any network inventory should include a rock-solid list of outsiders who have access. Consider this blunder: In March, a government agency Rasmussen worked with discovered it still had a live connection to a banking partner it no longer did business with. "They weren't aware of it," he says. "They had a legacy connection that was never taken down." It sounds obvious, but businesses get caught unaware all the time. In fact, up to 20 per cent of network routers are providing inappropriate access to corporate networks, systems, applications and data over the Internet, according to the Aberdeen Group.
Various tools and services can help speed up this inventory process. Dave Cullinane, CISO at Washington Mutual, a Seattle-based bank with 2500 offices, mentions services provided by Lumeta as an example. Lumeta creates maps that help companies understand how their global network connects to their partners and to the Internet. Companies use the maps to identify previously unknown routes into the network or to see where users are making unauthorised connections. This kind of work doesn't come cheap — pricing for Lumeta's IPsonar service starts at $US21,500 for a one-time scan and limited license — but should be weighed against the potential cost of a breach. "Network mapping is essential," Cullinane says. "Ideally, it should show how to segment the network — so if an attack occurs in sector A, you can prevent it from spreading to the other sectors."
This inventory and mapping chore never really ends. Albert Oriol, privacy and data security officer at The Children's Hospital in Denver, is finding that a sound e-commerce security map is a work in progress. When Oriol started at the hospital in 2001, he first had some internal security gaps to close. Only after he and his team implemented redundant firewalls, invested in an intrusion detection system and deployed antivirus software to all servers, did Oriol start finding time to look outside his own network. Now, he's helping security officers from the hospital's five affiliates understand how patient data flows through the network and addressing issues such as standardising remote access and e-mail encryption. Those needs don't sit still. "We're trying to get the things that need to flow through on the network, and the things that don't off it," he says. "We keep refining it. It's a never-ending process."
2. Mete Out Access
Once they complete an inventory, companies need to understand what applications and parts of the network will be shared and how to share them. Frequently, one business partner wants more than the other is willing to give.
The key step in defining partner access levels is to weigh risk against the need to share information. One example is a Fortune 100 company using three security levels to segment its 2500 suppliers. These levels, determined by a team of technical managers and businesspeople, are documented and defined according to each partner's need for access. The manufacturer, with its staunch policies that include not speaking on the record to the press about security, leaves little to chance.
The three levels are defined as follows. For a supplier with simple data requirements, a five to 10 minute simple dial-up connection will do. The manufacturer audits these connections and conducts parameter logging. For suppliers that need to get their hands on a wider breadth of information, such as a large manufacturing report to help better plan production, the company uses a wider bandwidth connection with a firewall at each end. For heavy-duty users, it offers a standing, perpetual connection over a virtual private network with firewalls. Both sides agree on how each end is monitored, and to ensure security for both parties, either side can shut down at any time if there are security issues, according to the CSO.
To better control requests for network access, according to Washington Mutual's Cullinane, any new network connection that doesn't adhere to an established policy should require the signature of both the CSO and a senior executive in the business unit requesting access. Any request that's approved should be for a limited period of time, he says.
3. Share Standards
Another way to boost e-commerce security is to ensure your company's policies make their way to every person within the supply chain. Evolving standards and guidelines from organisations such as the International Organization for Standardization (commonly known as ISO) and National Institute of Standards and Technology (NIST) are helping to simplify this process by creating common terminology and requirements.
Charles Ryan, director of information security at Molex, a $US1.7 billion electronics manufacturer with 55 locations, frets over the amount of data that his company sends over the Internet. Keeping that data safe is critical to ensuring on-time delivery, which is a top priority for Molex, a huge supplier to auto and consumer electronics companies. Ryan is building the company's information security policy around ISO 17799, a detailed security guideline. He says it has simplified his job immensely, especially during a recent meeting with a big business partner. Ryan thought the meeting would be a deal breaker because of the complexity involved with ensuring security. Not so. "When we mentioned ISO was our standard, the conversation stopped right there," he explains. "They said, 'Yeah, we accept that as the way going forward.' It was a big surprise to us. Right off the bat we came up with common ground."
Ryan recently used a questionnaire he drafted using ISO 17799 to audit Molex's security at a Singapore corporate office. He hopes to make the audit, which ranks companies on a 1-to-5 scale (5 being "best practice"), part of the standard process Molex will use in the future with partners. While the policy provides some security, a drawback exists: There's not yet a way to certify a company as ISO 17799 compliant, so companies must take each other's word. Ryan admits his efforts are a work in progress. "We're not at the stage yet where we have a firm process and security to reject someone," he says. "This is pretty much a maturing standard."
Like Ryan, Health Net's Haydostian has developed requirements for business partners based on federal mandates. The company typically asks whether its partners comply with the Health Insurance Portability and Accountability Act (HIPAA) and guidelines from ISO, the National Security Agency and NIST. When necessary, Haydostian refers partners to the standards with which they must comply. He asks questions, such as whether the company has an information security officer and published security standards that are enforced. "You may be linking up to anybody, and you have to ask what security level they have," he says.
4. Ask for Audits
For added security, some companies are turning to auditing their business partners more often. However, this approach is more dicey. Bigger companies often have the upper hand when it comes to demanding audits and view them as a necessary part of doing business. Yet the audited parties sometimes view the audit as, at best, a necessary evil. For good reasons, they don't want the headache of allowing a bunch of outsiders to nose around their network. Some businesses — such as banks and big insurance companies — reject audits because they allow unwanted access by potential competitors in this ever-merging environment. Washington Mutual's Cullinane, for one, refuses audits outright. "We don't feel that's something we want to share with the world for competitive reasons," he says. The bank, however, does comply with federal rules that mandate certain breaches be reported.
To sidestep audits, some companies with clout contractually require business partners to retain a certain security level — and then still treat them as "nontrusted partners" by installing a firewall and limiting access, says Andy Toner, a partner at PricewaterhouseCoopers. Health Net's Haydostian has a documented plan for auditing partners. First, he asks if the partner has conducted penetration tests for both the internal and external networks. If any high risks are identified, he asks when the problems will be corrected and when the next test is scheduled. Aside from a HIPAA business agreement, the company requires that partners sign a document allowing Health Net to conduct unannounced site visits to audit their facilities. They also sign confidentiality agreements.
Others are more open to letting their business partners audit them, even viewing the process as helpful. Molex's Ryan says he agrees to audits because he understands the company's vulnerabilities at any given time and is always working to fix them. He claims he'd be let down if partners auditing Molex didn't alert him to these problems. That would mean they weren't doing a good job auditing on their end.
Some companies treat partner audits on a case-by-case basis. Paul Sheahan, an information security manager at an online retail business, typically comes to an agreement with a partner about whether his company can remotely audit from time to time. Nothing is mandated. But if the partner agrees, Sheahan's company uses different types of vulnerability and port scanners to audit the partner network. "They have to agree beforehand," Sheahan says. "We can't just scan them without permission. We can usually come to some sort of agreement."
Sheahan, like many CSOs, is struggling to create uniformity when doing business with 25 partners. "Everyone knows a process should have been in place," he says. But "it always fell through the cracks."
5. Offer Education
Aside from training their own employees, should CSOs be responsible for training their partners too? "We do this to a certain degree," says Rick Ensenbach, director of information security at Conseco Finance. "People on the other end are competent. We don't do anything complicated." The company offers its partners user handbooks and guides that explain its processes. Conseco, like all financial institutions, makes partners sign a high-level contract that mandates they protect customer information according to federal and state regulations.
To make sure that Conseco's own systems are secure, Ensenbach works with the company's technology staff, which uses tools such as BindView, Nessus and Snort to do technical audits within its divisions. He's planning to hire consultants to conduct an independent annual security audit that meets the requirements for banks included in the Gramm-Leach-Bliley Act. Ensenbach says the company would not share audit information with any other company without first making sure a nondisclosure agreement or some type of confidentiality contract is in place.
"I see this practice continuing and probably increasing because people like myself don't have the time or resources to audit business partners," he wrote in an e-mail. "There comes a point where you have to put trust in your partners."
And that brings us full circle. Just as security guru Bruce Schneier says, e-commerce remains an act of faith — not completely blind faith, but faith nonetheless. So far, CSOs haven't woven together a net of technology and policy safeguards strong enough to replace good old-fashioned trust.
SIDEBAR: Small Company, Big TroubleThink the little guys are safe from e-commerce-induced vulnerabilities?
Consider the case of Jesus Oquendo, who in 2000 worked as a computer security specialist at now-defunct Collegeboardwalk.com. Oquendo, who shared an office with Manhattan-based Five Partners Asset Management, altered commands on the company network to automatically route the password file from Five Partners' system to his e-mail account every time the company's system rebooted. After Collegeboardwalk went belly up, Oquendo continued to access those passwords remotely using a shell account he illegally installed on the victim's network. He started hacking programs and other information in an electronic directory no longer used by Five Partners. He also installed a sniffer program that intercepted and recorded electronic traffic on Five Partners' network.
Oquendo didn't stop with Five Partners. Using a sniffer, he obtained the password of a Five Partners employee who had an account belonging to computer wholesaler RCS Computer Experience. Oquendo eventually used his illicit access to delete RCS's entire database, costing RCS approximately $US60,000 to repair. He left the company a glib message: "Hello, I have just hacked into your system. Have a nice day."
Although he denied the charges, Oquendo was convicted in 2001 of computer hacking and electronic eavesdropping. He was sentenced to 27 months in a minimum-security federal jail. — Kim Girard