Balancing security and flexibility

The events of September 11 have changed the way we view the world, and given us an opportunity to reassess the role of IT in helping organizations avoid and overcome disastrous situations. Typically, pain is a stimulus for change. This seems like a truism when it comes to change in IT. Like the bones in the body, we grow along lines of stress. Similarly, IT organizations have an opportunity to learn and grow from this new pain point. We no longer believe we are immune to disaster. Issues of disaster recovery and security have taken on a new importance in many organizations. What can you do when your business infrastructure is vaporized? Even without a physical assault, there are electronic challenges we must confront to protect the business. Is it simply a good thing to strengthen our security, or are there unwelcome side effects for the business?

The New York Board of Trade (NYBOT), the fourth largest commodities exchange in the world, had its offices at 4 World Trade Center. The exchange is an IT-intensive business. Less than a week after the disaster that destroyed its IT infrastructure, the NYBOT was up and running again. How did they pull off this amazing feat? They had a dark recovery site—a scaled-down version of their normal trading floor—ready and waiting. While there were glitches in making the transition, they were minor compared to not being in business at all. Why were they prepared? The NYBOT put its disaster recovery plans in place after the 1993 World Trade Center bombing. As a result, they were able to transition to the recovery facility when disaster struck again. The cost—$250,000 per year.

Other businesses were not so fortunate. The tragic loss of life was an unrecoverable blow to several of the 14,000 businesses located in the WTC. There are no automated recovery centers that will help with that kind of tragedy. Other companies found both their digital and paper records destroyed. As I listened to the TV, I heard business owners describe the loss of contracts, invoices and checks from customers. How is a company to cope with this kind of disaster? Not every company can afford to have a recovery facility ready and waiting. Still, the discipline of daily backups and having copies of important documents stored offsite can provide some measure of recovery capability to even the smallest of businesses. But this discipline must be practiced to be effective.

I remember helping a small business set up its first inventory system. Since this was before the advent of hard drives for microcomputers, the company made a practice of daily backups on floppies. This turned out to be a good practice, because an employee was found to be stealing inventory to set himself up in a competing business. To cover the missing inventory, he would take the working copies of the inventory floppies, crumple them into a ball and throw them into the trash. Fortunately, the backups allowed the company to quickly recover their information, identify the stolen inventory and fire the thief.

Clearly, a false sense of security or naive complacency can lead to disaster. There is no excuse for even the smallest business not implementing some type of disaster recovery process.

Another area to consider, as part of a solution to avoiding physical disaster, is distributed computing. By this, I do not mean applications distributed across multiple machines at the same site. Instead, consider geographically distributing your computing. This is not a simple solution. The main advantage to geographically distributing your computing is eliminating a given site as a single point of failure. The military has recognized the value in this approach, and has worked to make it a reality. Think about the considerations behind the DARPA experiment that became the Internet. With the Internet, we have no single point of failure. One node going down won't shut down the whole Internet. But this may be problematic for businesses. There may be unacceptable performance impacts that come from distributing applications. You may have no other places to which you can distribute computing. It is not an ideal solution, but in certain circumstances, it could be a beneficial option.

We're all aware of electronic threats to business. Denial of service attacks, viruses and hacking are not new words in our vocabulary. However, September's tragedy has again heightened our awareness. Are you prepared for an assault by network vulnerability scanners? Tools such as Nessus, SATAN, SAINT and Firewalk are readily available. These tools look for exploitable CGI scripts, open ports, or in the case of Firewalk, firewall rule sets. New viruses seem to appear in a constant stream. Lately, we've been fighting off an infestation of the Nimda virus and before that, the Code Red virus was making its rounds. Tales of script kiddies and other hackers defacing Web sites fill the news. The problem has increased as hackers on different sides of political issues attack their opponent's sites.

Protect yourself

There are some commonsense things IT organizations can do to protect themselves. First of all, understand how your system normally operates. Things happening outside the norm should raise a red flag. You can also configure your routers for egress filtering. This will help you to foil IP spoofing attacks. Finally, configure your firewalls with only the necessary ports open and all others blocked. While these are simple things, you'd be surprised at how many organizations don't even do this much. For those who want to be more thorough, there are always additional tools you can purchase to monitor your firewall and thwart hackers.
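As an added illustration that is not part of the original column, the two rules above (egress filtering to stop spoofed source addresses leaving your network, and a default-deny firewall with only the needed ports open) expressed as a small packet-policy check in Python; the address blocks, the allowed port list and the sample packets are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the organization's own address blocks (RFC 5737 documentation ranges).
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Inbound services that must stay reachable; everything else is blocked (default deny).
ALLOWED_INBOUND_TCP = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def egress_allowed(pkt):
    """Egress filtering on the border router: only forward outbound packets whose
    source address belongs to one of our own blocks. A compromised host inside the
    network that forges a foreign source address (the basis of IP spoofing) is
    dropped here instead of reaching its victim."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in OUR_NETWORKS)


def ingress_allowed(pkt):
    """Default-deny inbound policy with an anti-spoofing check: a packet arriving
    from the Internet that claims one of our own addresses is spoofed and dropped;
    otherwise only the explicitly listed TCP service ports are accepted."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in OUR_NETWORKS):
        return False
    return pkt.proto == "tcp" and pkt.dport in ALLOWED_INBOUND_TCP


def filter_traffic(packets, direction):
    """Apply the outbound or inbound policy; returns (packet, verdict) pairs."""
    check = egress_allowed if direction == "out" else ingress_allowed
    return [(pkt, "ACCEPT" if check(pkt) else "DROP") for pkt in packets]


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate outbound request, a spoofed outbound
    # packet, a legitimate inbound HTTPS connection and an inbound telnet attempt.
    outbound = [Packet("203.0.113.7", "192.0.2.1", 80), Packet("10.9.9.9", "192.0.2.1", 80)]
    inbound = [Packet("192.0.2.1", "203.0.113.7", 443), Packet("192.0.2.1", "203.0.113.7", 23)]
    for pkt, verdict in filter_traffic(outbound, "out") + filter_traffic(inbound, "in"):
        print(f"{pkt.src:>15} -> {pkt.dst}:{pkt.dport} {verdict}")
```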

On the other hand, some hackers take a much lower-tech approach. They may look over your shoulder while you type in your password. They may try various social engineering techniques to get you to give them your password. It is much easier to hack a system when you start from the inside. This is why social engineering techniques are so popular. Your system is only as secure as the dumbest mistake made by the least security-conscious user of your system. Do they leave passwords taped to their monitors? Do they use birthdays or common names and words as passwords? Can they be spoofed into e-mailing their password to someone in "support"? Social engineering probably represents a much greater threat to organizations than many realize. Only a heightened awareness of security issues among all users can help overcome this problem.

Is there a cost to all this security? Of course there is. Remember, the New York Board of Trade spent $250,000 a year to have a disaster recovery site available. Tools to protect Web sites and corporate intranets also have costs associated with them. Programs to raise user awareness of security issues can also cost money. However, there can be a hidden cost that many information technology organizations don't think about. Consider the changes in airport security that quickly followed the reopening of our nation's airports. Enhanced security procedures mean it takes longer to get to the gate. We find both our cars and baggage checked thoroughly. The increase in security has led to less flexibility. I can no longer get away with that last minute dash to the airport to catch a plane. I also have to watch what I pack because of the new carry-on restrictions.

In the IT domain, increased security also leads to reduced flexibility. For example, closing certain ports on the firewall means you can't use IIOP or DCOM over the firewall. Having said this, there are very good reasons for implementing a wide range of security capabilities. What we need to realize is that there will always be a balance we must strike between flexibility and security. The events of September 11 have heightened our awareness of the importance of security and disaster recovery. We now have an opportunity to provide our companies with an informed assessment of the risks they face. In this light, we can re-evaluate security issues and help our companies make informed decisions about the most responsible security measures we should take.

About the Author

John D. Williams is a contributor to Application Development Trends. He is president of Blue Mountain Commerce, a Cary, N.C.-based consulting firm specializing in enterprise, domain and application architectures. He can be reached via e-mail at [email protected].