IT Security and Privacy

The effort to secure information systems and consumer privacy — reports of computer viruses, sophisticated software attacks and lost data on laptops surface regularly — requires a lot of technology, but security is still largely a people problem.

"Social engineering remains the most important thing about IT security and privacy," says Gregg Vesonder, Adjunct Professor of Computer and Information Science in the Executive Master's in Technology Management program and Director of the Communication Software Research Department at AT&T Labs Research. "Technology is just part of it. Security is also about process, how humans are taught to interact and take responsibility. You can have the best locked door in the world, but people get in if it's left opened."

The social aspect of security and privacy is a key takeaway from an 'EMTM Presents' lecture given November 16 by Vesonder in Washington, DC. Vesonder is a teaching a new course on security and privacy that will address issues such as securing data, limiting access and setting up procedures that balance usability for the worker with security based on business needs.

The course is timely, say EMTM alumni and students, who hail from companies such as storage company EMC, which recently acquired security vendor RSA Security, AT&T and consulting firms such as IBM. Overall, security is a balancing act between generating a return, complying with a host of regulations on the federal and state level and protecting corporate and customer information. The approaches to security vary by industry — and most EMTM alumni viewed financial services and healthcare as sectors most focused on security due to a bevy of regulations.

But Vesonder notes that "all industries have security and privacy issues." Eric Hagen, EMTM'08, Solutions Architect for storage giant EMC, says "heavily regulated industries such as finance and pharma have looked to security solutions that will help them comply with regulators at the lowest total cost. However, new regulations are starting to make other industries take a more proactive approach to their security as well."

Unfortunately, IT security and privacy policies and procedures are a lot like life insurance — you don't appreciate them until it's too late. In general, people tend to learn lessons the hard way. "The companies most sensitive to information security controls are organizations that have already had breaches," says Atif Ghauri, EMTM'08, Managing Consultant for IBM's Security and Privacy Services Practice. "Many companies react more to security if they've been breached or hacked. The ones that haven't are not as cautious."

Here is a look at the key issues in IT security and privacy:

The Balancing Act

Security has a series of trade-offs and one of the biggest is return on investment. Anthony Troy, EMTM'07, Principal of Diamond Management and Technology Consulting, cooks the issue down to two questions: How much should I spend for protection and how much is enough? "The answer to those questions is different for every company," says Troy. "It comes down to risk percentages and putting a dollar value on the risk."

Of course that's easier said than done with budget constraints. "Industries today are squeezing costs everywhere and some can't justify a lot of spending on technology and process until something happens," says Vesonder.

Usability is another key tradeoff. Procedures have to be designed so workers can use them. Too many restrictions mean security procedures will be ignored. Ghauri says technology companies are working to make security more transparent to the end user. If that transparency is achieved, security and privacy controls will run in the background unnoticed. Ghauri adds that the use of biometric devices such as fingerprint readers, iris scanners, and smart-cards is becoming more common because users avoid the need to remember so many passwords, which is often the weakest link in the security chain.

And finally there's a tradeoff between privacy and security. National identification cards, data mining and video surveillance are all techniques that could improve security, but spark debate. "There are a lot of issues with the tradeoff between personal privacy and security," says Vesonder.

The Processes

Those tradeoffs between security, usability and returns were recently managed by Michael Mira, EMTM'01, Director of Financial Integrity and Internal Controls for AT&T's business division. Mira just completed a two-year project that tightened controls around applications and created a system to verify access.

Mira's challenge: Create a process and tool that could grant access to multiple applications and leave a trail for auditors to track. The project, which was prompted by the Sarbanes-Oxley legislation, now allows workers to request access to applications and be verified by gatekeepers. "We had to balance control, financial benefit and make sure the lock on the door wasn't too big," says Mira.

To tackle the problem Mira worked with program group manager Lisette Mendez, a 1990 graduate from Penn Engineering with a BS in Bioengineering, to build a Web-based tool and processes that could provide access to the 1,400 applications in question. The tool authorizes access, tracks requests and designates a manager to review requests. With the system, AT&T knows who had access on a system, when and why. Another security perk: the tool cuts off former employee access.

Vesonder says processes are critical to restricting data access, especially since companies are pack rats when it comes to information. "The problem is data is easy to collect and cheap to keep. The flip side is keeping all this data can get me in trouble," says Vesonder. "For every bit of data there needs to be a policy for it."

"Traditionally, security has been a matter of building perimeters (like firewalls) around sensitive information," says Hagen. "Although this kind of 'medieval castle' approach is a necessary start, it is insufficient. More and more organizations are realizing that information is dynamic — in order for it to have value, it will need to move between people, systems, and organizations throughout the course of its lifecycle."

Progress thus far

So has security improved over the last five years? Ghauri says while information security programs have grown, so have the threats and vulnerabilities, thus "you could argue we are more insecure now." The reason: Technology is so pervasive that the areas ripe for attack have multiplied, he says.

Troy agrees. He says it's quite possible a security breach could start from a local coffee shop, given that many workers go there to connect to the Internet. "It's really an arms race," says Troy. "We may be a bit safer, but the threats are evolving."

While the state of security is debatable, the stakes today are higher. What used to be a dozen stolen credit card numbers obtained via carbon copies found in a dumpster today is now thousands of hacked numbers, explains Vesonder. On the bright side, Vesonder says it's promising that awareness about security has increased. For instance, there are more high level executives focused solely on information security. "It's better to have someone who has security in his face all the time," says Vesonder. "And with the CSO (chief security officer) there's one throat to choke."

Ghauri adds that changes in technology architecture also hold promise. Two key developments are layered security arrangements, which would require a hacker to bust through five or six layers to get to data, and models that make it easier to manage identities and passwords across multiple applications.

And then there are new developments such as biometrics, which promise to rid the world of having to remember multiple passwords. But even if customers start using fingerprints to access computers and networks, there is no magic bullet, says Vesonder. "Biometrics are better than passwords, but remember they are digitally encoded and can be hacked," he says. "It's not a slam dunk on security."

In fact, there is no slam dunk. Hagen notes that there are plenty of low-tech ways around high-tech security and that's why people and processes matter so much. For instance, a thief could walk off with a back up tape instead of hacking into a network, especially if another worker left a door to a secure area open, says Hagen. "Creative people will always be able to find ways around security perimeters, which is why it is so important to be able to provide security at the information level as well," says Hagen.

Meanwhile, security ultimately comes down to the computer user. Vesonder often asks his audiences of technology professionals whether they back up their own data. In most cases, that answer is no. "And if they aren't doing it chances are pretty good you're not either," he says.

EMTM Course: IT Security
& Privacy

(Read the course description) Companies need executive-level leaders who can manage complex decisions about security and privacy vulnerabilities — taking into account emerging technologies, existing information infrastructure, corporate policies and procedures, client requirements and preferences and international law and regulation. EMTM's course is designed to elevate corporate competence with security and privacy so that it brings value to a business.

Gregg Vesonder

“Social engineering remains the most important thing about IT security and privacy... You can have the best locked door in the world, but people get in if it's left opened.”

Gregg Vesonder
Adjunct Professor of Computer and Information Science
Penn Engineering,
Director, Communication Software Research Department
AT&T Labs-Research

“The answer... is different for every company. It comes down to risk percentages and putting a dollar value on the risk.”

Anthony Troy, EMTM'07
Diamond Management and Technology Consulting

“We had to balance control, financial benefit and make sure the lock on the door wasn't too big.”

Michael Mira, EMTM'01
Director of Financial Integrity and Internal Controls,
AT&T Business Division

“You could argue we are more insecure now.”

Atif Ghauri, EMTM'08
Managing Consultant, Security and Privacy Services Practice

“Creative people will always be able to find ways around security perimeters, which is why it is so important to be able to provide security at the information level as well.”

Eric Hagen, EMTM'08
Solutions Architect

spacer spacer

© 2007 University of Pennsylvania. All Rights Reserved. | Sitemap