New risks, roles for security professionals



We may be coming out of the downturn, but in many industries -- such as information technology, travel and manufacturing -- every dollar of revenue and expense is crucial and will be for some time. That means that more than ever, security managers need to think like business people.

I've recently come across two examples of this new thinking. The first is the use of access control software not only to protect data, but also to make sure new employees have phones, computers and security badges their first day on the job. The second is the need to learn not only about the mechanics of Web-based security, but also to identify the movers and shakers who set the key security standards in your industry.

Example one comes from Mike Hager, vice president of network and disaster recovery at Oppenheimer Funds. I was asking him which tools he used to "provision" his users with the proper access rights to corporate data. But Mike was thinking about wider issues. Just as a vice president and an accounts payable clerk get access to different types of corporate data, he figured, they also get different types of phone service, computers or other gear such as cell phones. The common link: Both their access rights and the physical gear they were issued depended on their responsibilities and job title. Why not combine the "provisioning" of access rights with the "provisioning" of phones and security badges?

Hager is using the provisioning agents in enRole from Access 360 not only to grant new employees the proper access to applications and systems, but also to alert the IT support and telecom staffs about the new employee's needs. Right now the automation is fairly low-level: Access 360 can only fire off an e-mail to the telecom manager rather than reprogram the PBX to issue the new employee an extension. But Hager hopes to automate the process further to save his employer time and money.
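The idea Hager describes, as an added example that is not his code, Oppenheimer's or Access 360's: one role catalog that carries both logical access rights and physical gear, and a reconcile step that turns a hire, a title change or a departure into grants and revokes for each fulfilling team. The titles, items and team names are constructed for the example; a real catalog would come from HR and the provisioning product. The example also covers the mover case the article only implies (a promoted clerk must lose clerk-only access, not just gain new access) and refuses to act on an unknown title, so a typo in HR data cannot strip someone of everything.

```go
package main

import (
	"fmt"
	"sort"
)

// Entitlement is anything a job title carries with it: a logical access
// right in an application, or a physical item (PC, phone extension, badge)
// that a support team has to fulfil by hand or by script.
type Entitlement struct {
	Kind  string // "access", "hardware", "telecom", "badge"
	Item  string
	Owner string // team that fulfils it: "iam", "desktop", "telecom", "facilities"
}

// RoleCatalog maps job titles to entitlements (constructed for this example).
var RoleCatalog = map[string][]Entitlement{
	"vice president": {
		{"access", "general-ledger:read", "iam"},
		{"access", "forecast-app:approve", "iam"},
		{"hardware", "laptop", "desktop"},
		{"telecom", "desk-extension", "telecom"},
		{"telecom", "cell-phone", "telecom"},
		{"badge", "executive-floor", "facilities"},
	},
	"accounts payable clerk": {
		{"access", "ap-system:post-invoices", "iam"},
		{"access", "general-ledger:read", "iam"},
		{"hardware", "desktop-pc", "desktop"},
		{"telecom", "desk-extension", "telecom"},
		{"badge", "finance-floor", "facilities"},
	},
}

// Action is one provisioning step: grant or revoke one entitlement for a user.
type Action struct {
	Op   string // "grant" or "revoke"
	User string
	E    Entitlement
}

// Reconcile returns the actions that move a user from what they currently hold
// to what their new title entitles them to. One function covers joiners
// (current is empty), movers (old-only items are revoked, not left behind)
// and leavers (newRole is ""; everything is revoked). An unknown non-empty
// title is an error rather than a silent "revoke everything".
func Reconcile(user string, current []Entitlement, newRole string) ([]Action, error) {
	target, known := RoleCatalog[newRole]
	if newRole != "" && !known {
		return nil, fmt.Errorf("unknown job title %q; refusing to reconcile", newRole)
	}
	have := make(map[Entitlement]bool, len(current))
	for _, e := range current {
		have[e] = true
	}
	want := make(map[Entitlement]bool, len(target))
	for _, e := range target {
		want[e] = true
	}
	var acts []Action
	for e := range want {
		if !have[e] {
			acts = append(acts, Action{"grant", user, e})
		}
	}
	for e := range have {
		if !want[e] {
			acts = append(acts, Action{"revoke", user, e})
		}
	}
	// Deterministic order: revokes first (a mover loses the old floor badge
	// before gaining the new one), then by fulfilling team and item.
	sort.Slice(acts, func(i, j int) bool {
		a, b := acts[i], acts[j]
		if a.Op != b.Op {
			return a.Op == "revoke"
		}
		if a.E.Owner != b.E.Owner {
			return a.E.Owner < b.E.Owner
		}
		return a.E.Item < b.E.Item
	})
	return acts, nil
}

// WorkOrders groups actions by the team that has to carry them out; the
// "telecom" entry is the equivalent of the e-mail to the telecom manager.
func WorkOrders(acts []Action) map[string][]string {
	orders := make(map[string][]string)
	for _, a := range acts {
		line := fmt.Sprintf("%s %s (%s) for %s", a.Op, a.E.Item, a.E.Kind, a.User)
		orders[a.E.Owner] = append(orders[a.E.Owner], line)
	}
	return orders
}

func main() {
	join, _ := Reconcile("alice", nil, "accounts payable clerk")                                  // joiner
	move, _ := Reconcile("alice", RoleCatalog["accounts payable clerk"], "vice president") // mover
	leave, _ := Reconcile("alice", RoleCatalog["vice president"], "")                       // leaver
	for _, step := range []struct {
		name string
		acts []Action
	}{{"join", join}, {"move", move}, {"leave", leave}} {
		fmt.Println("==", step.name)
		for team, lines := range WorkOrders(step.acts) {
			fmt.Println(team, lines)
		}
	}
}
```

The only thing a product like the one described automates beyond this is delivery: the "telecom" work order becomes an e-mail today and a PBX command later, but the decision of what to grant and what to take back comes from the same catalog either way.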

The second example of new thinking concerns securing Web services, the emerging standards-based method for linking applications over the Web. One of its promises is lower cost: customers, suppliers and distributors get direct access to your production and sales forecasts. But as soon as you deploy Web services outside the firewall, you're trusting your business partners to issue (and revoke) the digital certificates that identify the sender or recipient of a message and carry the keys used to sign and encrypt it. If you're a subcontractor designing parts for Boeing or GM, you're depending on those giant customers to verify the identity of their users before issuing a certificate and to revoke it when an employee leaves or a key is compromised; a revoked certificate still looks valid on its face, so the revocation only protects you if you actually check the partner's revocation list.
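What "depending on the customer to confirm identity and cancel certificates" means on the subcontractor's side, as an added example that is not from the article, BEA or any partner: anchor trust at the partner's CA only (not the system root store), require the usage the partner agreed to, and reject a certificate that the partner has revoked or whose revocation list has gone stale. The partner CA, user certificates and CRL are generated in memory with Go's standard library purely to drive the check; the names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PartnerPKI stands in for the CA a large customer runs for its own users.
// Everything is generated in memory; nothing here is a real authority.
type PartnerPKI struct {
	CA      *x509.Certificate
	key     *ecdsa.PrivateKey
	serial  int64
	revoked []pkix.RevokedCertificate
}

// NewPartnerPKI creates a self-signed CA allowed to sign certificates and CRLs.
func NewPartnerPKI(name string) (*PartnerPKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PartnerPKI{CA: ca, key: key, serial: 1}, nil
}

// Issue hands out a client certificate for one of the partner's users.
func (p *PartnerPKI) Issue(user string) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.CA, &userKey.PublicKey, p.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke takes a certificate back by listing its serial number in the CRL.
func (p *PartnerPKI) Revoke(c *x509.Certificate) {
	p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

// CRL publishes the partner's signed revocation list (DER), valid for one hour.
func (p *PartnerPKI) CRL() ([]byte, error) {
	now := time.Now()
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(p.serial),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: p.revoked,
	}, p.CA, p.key)
}

// VerifyPartnerCert is the subcontractor's check: the certificate must chain to
// the agreed partner CA (and nothing else), be valid for client authentication
// at `now`, and be absent from a fresh CRL signed by that same CA.
func VerifyPartnerCert(cert, partnerCA *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(partnerCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("not issued by the partner CA: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(partnerCA); err != nil {
		return fmt.Errorf("CRL not signed by the partner CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale; refuse until the partner publishes a fresh one")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked by the partner")
		}
	}
	return nil
}

func main() {
	customer, _ := NewPartnerPKI("Example Customer CA")
	other, _ := NewPartnerPKI("Some Other CA")
	alice, _ := customer.Issue("alice@customer.example")
	lookalike, _ := other.Issue("alice@customer.example") // same name, wrong issuer
	crl, _ := customer.CRL()
	fmt.Println("alice, fresh CRL:        ", VerifyPartnerCert(alice, customer.CA, crl, time.Now()))
	fmt.Println("look-alike from other CA:", VerifyPartnerCert(lookalike, customer.CA, crl, time.Now()))
	customer.Revoke(alice)
	crl, _ = customer.CRL()
	fmt.Println("alice after revocation:  ", VerifyPartnerCert(alice, customer.CA, crl, time.Now()))
}
```

The three failure paths are the contractual questions in code: a certificate from any CA other than the one named in the agreement is refused, a revoked one is refused, and a partner who stops publishing revocation data loses access rather than silently keeping it.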

To manage these risks, security managers must think not only about technology but also about the "trust relationships" within their industry, says Benjamin Renaud, a director within the office of the chief technology officer at BEA Systems Inc. Which business partners does your employer trust, and how far? What legal safeguards should you build into contracts to protect you from a sloppy business partner passing you bogus certificates? And if you're a 50-person company doing business with a Fortune 500 firm, how do you force that 500-pound gorilla to agree to such indemnification?

To answer such questions, security managers must understand the strategies of the key online trading networks, consortia, suppliers and customers in their industry. Is there a dominant customer, or alliance of customers, whose direction you should follow because they are setting the key legal or technical security standards? Are there trade groups you should join because they are drawing up the legislation or legal standards in your vertical market? Are there any changes in your relationship with key customers that would give you more, or less, leverage to protect your security interests in a Web services world?

These are the new questions, and finding their answers can help you as a security manager boost the bottom line even in a downturn.

About the author
Robert L. Scheier writes Scheier's Security Product Roundup from Boylston, Mass. He can be reached at rscheier@charter.net.


This was first published in April 2002