By John McCormick | Posted 2006-05-15
Five top computer security experts offer advice on pervasive computing, ever-more-sophisticated hacker attacks, and corporate security resources.
Matthew M. Speare
Group Vice President, Corporate Information
Security Officer, M&T Bank
1 - How does the notion of pervasive computing (where computers are deeply integrated throughout a corporate environment rather than being distinct objects) impact security and privacy?
Pervasive computing provides new challenges to security and privacy. Organizations must thoroughly examine how they control rights to sensitive information resources and limit the ability to conduct common tasks such as printing, attaching and e-mailing. Digital Rights Management, a methodology to allow users to define these parameters for information resources, will require a cultural change and enhanced understanding of personal responsibility and accountability for information rights, yet provides the best opportunity to mitigate the risks associated with pervasive computing.
2 - Would a more proactive approach to security—working to ensure that stronger software security is built into software applications—work any better than the reactive approaches, such as patches and external software safeguards?
Proactive security is a more sustainable model than reactive security for providing reliable, secure application services. This is not to discount the additional requirement for monitoring and response, which will continue to be absolutely necessary for secure computing.
The greatest hurdle to achieving this proactive model is to require software vendors to adhere to security standards based on a common model. Unfortunately, until customers speak with their wallets concerning unsecured applications, there is little economic incentive for software providers to change.
3 - Do you think computer attacks are getting more sophisticated or less sophisticated? Why?
Attacks are becoming more sophisticated and financially driven.
The overall sophistication of viruses continues to lapse, while we have seen the rise of incredibly complex malware infestations that are economically driven.
4 - Do corporations today have the financial and human resources they need to protect their computing environments?
You can never have enough. However, organizations need to balance the need for resources against the risk to their environments and take prudent steps to mitigate the risks appropriately.
5 - What are the top two or three things companies can do to manage security risks?
1. Assess the risks to understand which threats pose the greatest likelihood of harm.
2. Mitigate the high-probability, high-impact risks first and then continue to work down the list.
3. Measure the effects of your mitigation solutions and modify your plan in response to a changing threat environment.