Up the Stack
By Baselinemag | Posted 2006-11-21
High-profile data breaches have apparently caught the attention of corporate America. Most big companies expect to boost security spending in 2007.
Another area where companies say they'll spend money in 2007 is network-access control measures, to provide an extra layer of security between sensitive applications and users who have been granted behind-the-firewall access.
Today, the underlying, network-based piece of the security infrastructure has matured to the point that security professionals are increasingly looking for ways to protect applications rather than devices like servers, according to David Arbo, director of network security at APL, a $3.4 billion shipping company in Oakland, Calif., with 12,000 employees worldwide.
"We're clearly putting more focus on applications, understanding protocol communications and access controls," Arbo says. As part of that initiative, APL's security team is using Arbor Networks' intrusion-prevention appliances to create a "virtual perimeter" that walls off new applications from employees or partners who would otherwise be able to access those systems over the network. "Users get creative," Arbo explains. "They can do ad-hoc things that we didn't anticipate."
Most security breaches still result from spyware and other malware such as viruses, according to the CIO Insight survey. But 23% of respondents at companies that have experienced a breach in the last 12 months say that the security violation was a data theft or attack carried out by employees or ex-employees.
Says Warner Bros.' Walker: "Most businesses are still not aware that their biggest threats come from inside the enterprise."
For Walker, a big issue is that "the vendors don't have the tools" to prevent the data leakage that Warner Bros. is most concerned about: video finding its way out of the company and onto the Internet. The company uses watermarking (a technique of embedding a unique identifier in a piece of digital content to identify the source of a specific digital file) but, as Walker explains, "The technology is just not there to be able to tell you, 'You've got a data leakage going on.'"
One of the difficulties in addressing application-level security comprehensively is that the setup of such applications in midsize to large organizations is typically very complex. For example, Kettering Medical Center Network, which operates four major hospitals in and around Dayton, Ohio, deals with more than 300 different application vendors, says Bob Burritt, director of networking and technology.
"The application vendors do a lot of [security-related] development, but it's on their own schedule, so sometimes our hands are tied in terms of the security levels," he says.
To strengthen application authentication measures, Kettering is rolling out a centralized electronic medical records system from Sentillion. Burritt says the system, expected to be more than 80% deployed by the end of 2007, includes fingerprint readers from Identix that let nurses, doctors or other personnel log in to the system by simply swiping their finger. That will replace the need for health-care workers to remember passwords (in some cases, up to 12 characters long) that could change every 60 days.
Burritt expects the fingerprint reader to enhance security, because it's tied to a personal identifier theoretically impossible to duplicate and because it's easier to use than typing in an alphanumeric password. As he puts it: "We're pretty comfortable that if the log shows your fingerprint signing in at this location at this time, that's in fact you."