May 15 2006



From The Editor

Changing the Rules
The journey hasn’t been easy. It’s just been worth it.

“The premise of this publication has worked because we look to you and your peers for sharing your best practices and pain points.”

Six months ago, we started on a journey to provide senior IT executives with best-in-class learnings on technology management from across verticals. Thanks to your support (and the feedback that tells us so), this magazine and its companion website (www.cio.in) have been able to do that in quite some measure.

We did so by changing a few ground rules. We did so by putting CIOs like you and your concerns in the spotlight. We did so by trying to figure out what India’s business leaders look for and want from their senior IT executives. We did so by looking for what makes e-governance projects tick and where the pitfalls lie. We did so by not attempting to preach technology management at you, but by looking to you and your peers for sharing your best practices, pain points and successes. And, we did so, foremost, by changing the way my team and I had looked at journalism for many years. So, we decided that our features were not going to be a bunch of quotes strung together, and that story ideas would come from you and your colleagues; from conversations with experts; from figuring out how to convert a magazine and its website into a huge platform for networking.

It was reader feedback that led to the cover story on securing management buy-in (April 1, 2006) and it is reader feedback that has led to this issue: the Security Special. What’s been good about your feedback is that it’s been so overwhelmingly constructive. This is what has helped give shape and definition to this publication and helped us steady the course.

It was thus time, we felt, to bring the same promise of rich content to another medium — focused events. A couple of weeks back, we began that process with the CIO Focus Security events across Mumbai, Delhi and Bangalore. They were but the commencement of a series that will highlight areas like Storage and Network Infrastructure in the months to come.

Apart from conveying learnings to you from some of the sharpest brains in the CIO community, it gave my team and me the opportunity to pick the brains of many of your colleagues. And, here too your reaction to the events has been extremely encouraging. Let me know what you think of our events and especially this issue. Keep your feedback flowing to vijay_r@cio.in.

Vijay Ramachandran, Editor vijay_r@cio.in

May 15, 2006 | REAL CIO WORLD | Vol/1 | Issue/13


Contents | May 15, 2006 | Vol/1 | Issue/13

COVER STORY
Armor Plating the Enterprise | 30
What does it take to make convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by appearing to do something entirely different. Feature by Sarah D. Scalet

Password Palooza | 24
Passwords are more secure than you think. And you can make them even better by using intelligent password management. Column by Simson Garfinkel

How to Corral Security Consultants | 27
Set clear ground rules before you engage outside experts— or be ready to clean up a mess. Column by an anonymous CSO

Captain Contingency | 44
MIT logistics expert Yossi Sheffi talks about what companies can do to recover quickly from almost any type of disaster. Interview by Susannah Patton

19 Ways to Build Physical Security into a Data Center | 48
Data centers are among your most important assets. Here’s what to keep in mind when building security into its design. Feature by Sarah D. Scalet

How to Spot a Liar | 58
Interrogations in the corporate world call for such a vast set of traits that even questioners can be put to the test. Feature by Daintry Duffy

Winning the Gadget Wars | 71
CIOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by the latest techno trends. Feature by Daintry Duffy

How to Tell If You Have Bots | 77
Bots can be hard to diagnose and can turn your network into a wheezing jalopy. But as with most fast-spreading diseases, forewarned is forearmed. Feature by Scott Berinato

DEPARTMENTS
Trendlines | 17
Piracy | A Piracy Supply Chain
Application Security | Crash Test Ratings for Software Code
Security Planning | 13 Ways to a Strategic Security Group
Travel Tips | Pass it on
Banking | Balkan Bank has Two-Factor Authentication
Personal Security | Messy Desks Spill Secrets
Reading | Surveillance Books
Technology | Diamonds Quantum-leap into cryptography

From the Editor | 8
Changing the Rules | The journey hasn’t been easy. It’s just been worth it. By Vijay Ramachandran

Inbox | 14

Endlines | 78
The Devil’s Infosec Dictionary

EXECUTIVE EXPECTATIONS
View From The Top | 62
R. Ramaraj, MD & CEO, Sify, believes that the company’s business model can be just as successful in other developing markets as it has been in India. Interview by Balaji Narasimhan

GOVERN
Where I.T. is no Longer an Imposition | 68
Rohit Kumar Singh, IT Secretary, Rajasthan, adheres to Abraham Lincoln’s approach when it comes to implementing e-governance in the state: “If I have ten hours to cut a tree I shall spend eight hours in sharpening my axe.” For Singh, an e-government can only be successful if a conducive environment is created first. Interview by Rahul Neel Mani

NOW ONLINE
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Cover: Illustration by Sasi Bhaskar


MANAGEMENT
President N. Bringi Dev
COO Louis D’Mello

EDITORIAL
Editor Vijay Ramachandran
Bureau Head-North Rahul Neel Mani
Special Correspondent Balaji Narasimhan
Senior Correspondent Gunjan Trivedi
Chief Copy Editor Kunal N. Talgeri
Copy Editor Sunil Shah
Editorial Director-Online R. Giridhar

DESIGN & PRODUCTION
Creative Director Jayan K Narayanan
Designers Binesh Sreedharan, Vikas Kapoor, Anil V.K., Jinan K. Vijayan, Unnikrishnan A.V., Sasi Bhaskar
Photography Srivatsa Shandilya
Production T.K. Karunakaran

MARKETING AND SALES
General Manager, Sales Naveen Chand Singh
Marketing Siddharth Singh
Brand Manager Alok Anand
Bangalore Mahantesh Godi, Santosh Malleswara, Ashish Kumar
Delhi Nitin Walia, Aveek Bhose
Mumbai Rupesh Sreedharan, Nagesh Pai
Japan Tomoko Fujikawa
USA Larry Arthur, Jo Ben-Atar
Singapore Michael Mullaney
UK Shane Hannam

OFFICES
Bangalore: IDG Media Pvt. Ltd., 7th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001. Mahantesh Godi, Tel: +919342578822, mahantesh_godi@idgindia.com
Delhi: IDG Media Pvt. Ltd., 1202, Chirinjeev Towers, 43, Nehru Place, New Delhi 110 019. Nitin Walia, Tel: +919811772466, nitin_walia@idgindia.com
Mumbai: IDG Media Pvt. Ltd., 208, 2nd Floor “Madhava”, Bandra–Kurla Complex, Bandra (E), Mumbai 400 051. Swatantra Tiwari, Tel: +919819804659, swatantra_tiwari@idgindia.com
Japan: Tomoko Fujikawa, Tel: +81 3 5800 4851, tfujikawa@idg.co.jp
USA: Larry Arthur, Tel: +1 415 243 4141, larry_arthur@idg.com
Singapore: Michael Mullaney, Tel: +65 6345 8383, michael_mullaney@idg.com
UK: Shane Hannam, Tel: +44 1784 210210, shane_hannam@idg.com

ADVERTISER INDEX
Avaya 11, 13, 15
Canon 4, 5
D-Link 79
IBM India 22, 23, 80
Interface 51
Mahindra 39
MS 33
Raritan 2
SAS 21
Seaface 9
Symantec 42, 43
Syntaxsoft 57
Toshiba 3
Wipro 6, 7, 35
Xerox 37

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India.


Reader Feedback

“Often, teams left behind by a ‘toxic’ leader show low levels of confidence. Worse, emerging leaders use this as a model for success.”

Business Double-take
CIO’s cover story on revenue optimization (Hit The Suite Spot, May 1) was interesting. The concept itself is topical, particularly for industries dealing with the issue of ‘perishable inventory’. As a concept, it’s driven by the business algorithm and can potentially be one of IT’s better applications. As part of a media group, I can easily relate to the subject and the information shared in the article. Still, most readers across different verticals must have found the story to be of interest. A very important point the article mentions is that many customer interfaces require a relook. The article also spells out the deliverables achieved from the implementation. I must compliment CIO for discussing these important concepts, and I look forward to more relevant and interesting articles like this one.
Pravin Savant, VP-IT, STAR India

One striking thing about CIO’s content is its relevance to the current priorities of most CIOs. Business alignment of IT is an underlying theme that nearly all of us in the CIO fraternity focus on, and CIO provides a steady stream of issues that enhance value. What I like about the magazine is its attempt to focus on in-depth analysis of key issues rather than cover just about everything and anything in IT. This focus makes for engaging reading and learning. Customer Relationship Magic (April 15, 2006) was also very informative and is a good case study for anyone wanting to progress CRM in their organization.
Abnash Singh, Group CIO, Mphasis

The CRM Way
I just read the editorial on CRM (Business Connect, April 15). I appreciate the view that CRM (customer relationship management) doesn’t merely concern technology, but is also a strategic issue of how companies want to align their business processes to reap the benefits of CRM. I would like to add that within every organization, there are a set of functional departments—each of which represent a different set of objectives—that finally align to a common organization-wide objective. For example, sales would like to see their performance from various angles such as geography, customer profile, etcetera. Marketing tends to focus on performance from product’s feature point of view versus customer category or geographical adoption. Service focuses on complaints versus product or model. The adoption of a CRM tool would have both business and technical challenges. However, it can be easily addressed, provided organizations have a clear strategy for CRM. Organizations with ERP (enterprise resource planning) in place have a definite edge over those who don’t.
Daya Prakash, Manager IT, LG

Forging Leaders
I cannot agree more with some of the observations made by Patricia Wallington’s column (Toxic, May 1, 2006). I have personally seen leaders who seem to exude charisma, but who are not leaders who manage EQ well. Often, in the long run, an organization suffers because teams left behind by a ‘toxic’ leader will show low levels of confidence. Worse still, emerging leaders will use the ‘toxic’ leadership as a model for success. The challenge for organizations is to identify these traits in upcoming leaders and ensure that they are coached in the nuances of leadership. Alternatively, have them rated in such a way that it is clear they cannot be a success unless they mould their traits and change their pattern of behavior.
Anand Kumar, IT Lead, South Asia, Monsanto

What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.


TRENDLINES
new * hot * unexpected

A Piracy Supply Chain
PIRACY | Ask a random person on the street to name the first counterfeit product that pops into his head and you’re likely to hear ‘Rolex watch’ rather than ‘Microsoft Office’. But the software industry is dealing with a counterfeiting epidemic that’s just as costly as that which confronts luxury goods. According to the Second Annual BSA and IDC Global Software Piracy Study, the piracy rate in 2004 was 35 percent worldwide in a market worth more than Rs 405,000 crore. Software piracy groups, which have a heavy presence in China, Russia, Romania, Poland and Brazil, are well-organized, says Dr Herbert Thompson, chief security strategist at Security Innovation, an application security company. “Ten years ago, it typically was a high school kid in Europe that would get the latest copy of [Microsoft] Windows, crack it and send it to his buddies. Now, these reverse-engineering groups have formed that are run almost like companies,” he points out. Thompson says these 21st-century pirates have specific roles. Couriers and suppliers, the first level, get their hands on original copies of software. Then, crackers—highly skilled and ethically challenged geeks—are tasked with defeating a software’s defenses through reverse engineering. Packers, the next step, package the cracked software for easy distribution. The last group (before the distributors) are the testers who make sure the cracked software works like the original. Can the good guys stop reverse engineering? “It’s practically impossible to do,” says Thompson. — By Todd Datz

Illustration by Sasi Bhaskar

Crash Test Ratings for Software Code
APPLICATION SECURITY | The idea behind the Application Security Industry Consortium is simple: create a way to tell software buyers about the pros and cons of the application they are evaluating. Buyers tend to measure one application against the other, like auto crash test ratings. What are the vulnerabilities in this database, that e-mail program, or in any code for sale? At a recent RSA security show, a group of vendors, analysts and security professionals announced they had formed a new consortium, called AppSic for short, which hopes to do just this and improve the state of application security along the way. The consortium is not a whistleblowing agency, says Ed Adams, CEO of Security Innovation. Rather, he adds, “We’re building the whistle.” Scott Charney, VP of Trustworthy Computing at Microsoft and an AppSic member, says the group differs from other industry groups because it seeks to inform software purchasing decisions by comparing performance of applications against vulnerability tests. “There’s no really good way to identify how buying a certain product or doing a certain thing mitigates my risk in a way I can measure. At the end of the day, what gets measured gets done,” he points out. Further, application security tests will help improve the quality of software code being developed, says Mary Ann Davidson, CSO of Oracle and an AppSic member. “We have bright developers but we have to teach remedial coding because, in part, colleges don’t prescribe secure coding practices,” she says. “From my perspective, if there is any (accreditation of computer science programs), it’s pretty wussy.” — By Scott Berinato

Illustration by Unnikrishnan AV


13 Ways to a Strategic Security Group
SECURITY PLANNING | Stan Gatewood, CISO of the University of Georgia, suggests the following steps to set up a new—or newly strategic—information security program.

1. Identify executive leadership. An executive sponsor needs to champion the new strategic security program.

2. Select a point person. The CISO or another information security leader should manage day-to-day activities.

3. Define and prioritize goals. Tie business objectives to security objectives.

4. Establish a review mechanism. A process review board with executives from IT, physical security, human resources, legal, audit and information security will evaluate and approve security initiatives.

5. Assess the current state of security. Examine policies, processes, standards, guidelines, technology (hardware and software), training and education.

6. Establish (or re-establish) the security organization. This group should focus on information security, not just the narrow confines of IT security.

7. Revise existing policies and develop new ones as needed. This might include an acceptable-use policy and minimal security configuration for any device on a network.

8. Assemble implementation teams. Pull together cross-functional teams made up of technical and non-technical employees to hammer out plans for new policies, procedures, initiatives and tools.

9. Have the executive security review board endorse the plans. This group should consider budget, timing and prioritization.

10. Review the technical feasibility. This should be done by a technical security review board with representatives from the office of the CIO and CTO, plus operations staff, production services and support staff.

11. Assign, schedule, execute and discuss deliverables. Give individuals or teams clear responsibilities and time lines.

12. Put everyone to work on the strategic plan. Everyone in the information security department should be able to introduce strategic security objectives and explain how projects are contributing to a mutual goal.

13. Measure outcomes with metrics. IT security metrics must be based on goals and objectives to realize true decision-making and improved performance. — By Sarah D. Scalet

Pass it on
TRAVEL TIPS | How to keep safer when traveling to unfamiliar destinations.

Alertness Counts. Security for travelers begins with personal vigilance. Traveling workers must be aware of surroundings, facility exits, crowded spaces and local conditions. Seek out information from travel experts about crime patterns and political conditions at your destination. (Threats can vary from petty crime to kidnapping and violent political demonstrations.)

Blend in. Leave the gold watch and expensive clothes at home if your destination is impoverished. Don’t flaunt money. Avoid brand emblems on jackets and jerseys.

Vary Routines. If you’re posted to a branch office where there are safety risks, paranoia pays. Take different routes to work, and leave your hotel at different times of the day.

Hotel, not Motel. Hotels are safer than motels because visitors must use a lobby. Public safety experts like to stay on the second floor because jumps from higher floors can be fatal.

Low Mileage on the Rental Car. You need a car that works, not the model you love. Check for power locks, and ensure that the AC works.

Keep in Touch. Call the office at regular intervals. Update your emergency contact list. Leave a copy of your itinerary at home and work.

Stay Healthy. Ensure that your health insurance is valid overseas. Carry prescription drugs in original containers and take copies of your prescriptions. Bon voyage. — CSO

Imaging by Anil V K


Little Balkan Bank Does Two-Factor Authentication
BANKING | By the end of this year, U.S. banks will be required to have two-factor authentication on their websites to provide a more effective means of confirming their online customers’ identities. If the experience of a small Central European bank is any indication, the process to implement such authentication systems could be challenging and costly. Gojmir Nabergoj is senior advisor for Banka Koper, a Slovenian bank based at the Adriatic Sea port of Koper. Banka Koper earned about Rs 117 crore in net profits in 2004. Nabergoj says his bank finished its successful implementation of two-factor authentication for online customers last summer after three months of work. The bank started online banking with a user ID and static PIN, then introduced a PKI-based system with a smart card reader; however, not many customers used it because of its complexity. So the bank equipped its customers with card readers at no charge. The readers allow a chip-card holder to access the bank’s services using one-time password authentication. Nabergoj says the bank also introduced customers to the one-time password device and authentication service in person, not by e-mail. Now, three months after deploying one-time password devices, Banka Koper has almost 16,000 users, or 82 percent of its online banking customers.

The system means that cards with a magnetic strip are no longer at risk for fraud or theft. Nabergoj says that replacing the magnetic strip cards with the chip cards “was very expensive,” costing between Rs 81.45 lakh and 1.08 crore. Ron Carter, director of payment solutions at identity management vendor nCipher, helped Banka Koper with its implementation. Carter says that the cost of two-factor authentication systems, including chip-cards and back-end systems, has been the main barrier to their adoption in the United States. The prevalence of chip-based smart cards in Europe makes the adoption of the systems easier there. One aspect of Banka Koper’s experience will resonate with American security executives: The most difficult part was convincing the bank’s management that it was the right thing to do. It took a successful test of the technology for them to buy into the benefits of flexibility and security, Nabergoj says. — By Margaret Locher
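The item above describes one-time-password devices handed to customers but not the algorithm they run. As an added illustration (not code from the article, from Banka Koper or from nCipher), the block below implements the event-based one-time password scheme of RFC 4226 (HOTP) from both sides of the exchange: the customer’s device and the bank’s server share a secret and a counter, the device shows a six-digit code derived from the counter, and the server accepts a code only if it matches one within a small look-ahead window and then advances its counter so the same code cannot be replayed. The user name and the demo flow are constructed; the shared secret is the one from RFC 4226’s published test vectors, so the first codes can be checked against the RFC. Whether Banka Koper’s readers use HOTP or some other OTP scheme is not stated in the article; HOTP is an assumption chosen for illustration.

```python
"""HOTP (RFC 4226) one-time passwords, both sides of the exchange.

Added example, not code from the article or from the bank it describes.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for a shared secret and counter."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # HMAC-SHA-1, 20 bytes
    offset = mac[-1] & 0x0F                             # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """The customer's device: holds the secret and a counter it only increments."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class HotpServer:
    """The bank's side: one shared secret and one expected counter per user."""

    def __init__(self, secrets: dict, look_ahead: int = 5) -> None:
        self._secrets = dict(secrets)
        self._counters = {user: 0 for user in secrets}
        self._look_ahead = look_ahead  # how many unused codes the device may have skipped

    def verify(self, user: str, code: str) -> bool:
        if user not in self._secrets:
            return False
        secret = self._secrets[user]
        start = self._counters[user]
        for step in range(self._look_ahead):
            candidate = hotp(secret, start + step)
            if hmac.compare_digest(candidate, code):    # constant-time comparison
                self._counters[user] = start + step + 1  # move past the used counter: no replay
                return True
        return False


# Constructed demo values: secret from RFC 4226's test vectors, user name invented.
DEMO_SECRET = b"12345678901234567890"


def demo() -> list:
    """One login, a replayed code, a resynchronization and a bad code; returns the outcomes."""
    server = HotpServer({"alice": DEMO_SECRET})
    token = HotpToken(DEMO_SECRET)
    results = []
    first = token.next_code()                                   # counter 0 -> "755224"
    results.append(server.verify("alice", first))               # True: fresh code
    results.append(server.verify("alice", first))               # False: replay of a used code
    token.next_code()                                           # generated on the device but never sent
    token.next_code()                                           # same again
    results.append(server.verify("alice", token.next_code()))   # True: counter 3 is inside the window
    results.append(server.verify("alice", "000000"))            # False: wrong code
    return results


if __name__ == "__main__":
    print(demo())  # [True, False, True, False]
```

The look-ahead window is the usual trade-off in event-based OTP: large enough that a customer who pressed the button a few times without logging in is not locked out, small enough that an attacker cannot cheaply guess a code that will be accepted. A production server would also rate-limit failed attempts per user.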

Messy Desks Spill Secrets
PERSONAL SECURITY | Good intellectual property hygiene calls for clean desks. Share these ideas with colleagues to keep your secrets secret.

Lock up private papers. Store day planners and important notebooks in a locked drawer (and consider taking them home at night). Keep personal effects in a locked briefcase or cabinet.

Guard access tools. Keep cell phones and other hand-held devices with you, along with keys and access cards. Notify security if access cards or keys go missing.

PC stands for personal computer. Close applications and turn off monitor when you walk away from your desk. (If it’s for a while, turn off the computer.) Stow away portable media such as CDs when not in use. Use a password-protected screen saver. Never write down passwords.

Care for the fine printouts. Remove important printouts from printers before leaving the office. Shred sensitive documents when done. Clear cache files regularly from your computer and from memory devices such as printers.

Watch your back. Desks and other furniture should be positioned in such a way that sensitive information is not viewable from hallways or windows. Close blinds on office windows. Erase whiteboards (or use shutters to hide their contents). Lock your office door when you’re gone for an extended period. — CSO

Illustration by Unnikrishnan AV


Surveillance Books
READING | Picks for your library to take your mind off the summer’s heat. It’s time to hit the books and we’re offering some brain food for your security plate. Because summer still lingers, consider our ratings system below (weighing the relative heft of these books) a way to ease in the monsoon.

No Place to Hide | Robert O’Harrow Jr. | Free Press, 2005 | Rs 1,092.00
Thriller: In our age of surveillance, where anyone can buy (for less than Rs 2,250) enough information to steal your identity, and various private and public entities have increasing amounts of data about you, one thing is for sure: you are being watched. An unnerving look at just how that’s happening.

Blowing My Cover: My Life as a CIA Spy | By Lindsay Moran | Penguin Group, 2005 | Rs 1,247.00
Memoir: One 20-something’s adventures are recounted with wit and candor in this rare behind-the-scenes look at life in the CIA. A fascinating and light-hearted read that exposes the disparity between what you think it’s like to be a CIA agent and what it actually is like to be a CIA agent.

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks | By Michal Zalewski | No Starch Press, 2005 | Rs 325.00
Infosecurity Fitness: Don’t be fooled by the cute cover—this book packs in tons of information about passive reconnaissance. May be a bit dense for those new to information warfare.

From Victim to Victor: A Step-by-Step Guide for Ending the Nightmare of Identity Theft (Second Edition) | Mari J. Frank, Esq. | Porpoise Press, 2004, 2005 | Rs 2,097.50
Self-Help: This book instructs readers in the actions required to combat identity theft. Includes laws, forms and resources.

The Executive Guide to Information Security: Threats, Challenges and Solutions | By Mark Egan with Tim Mather | Addison-Wesley Professional, 2005 | Rs 1,849.50
Infosecurity Instruction: Geared toward non-technical executives, the people, process and technology of an effective information security system are well-presented—and with a minimum of jargon.

The Incredible World of Spy-Fi: Wild and Crazy Spy Gadgets, Props, and Artifacts from TV and the Movies | By Danny Biederman | Chronicle Books, 2004 | Rs 1,097.50
Coffee-Table Book: Espionage accoutrements of the hippest and most beloved fictional spies of yesteryear are presented in colorful funky layouts. A visual treat of photos, diagrams and profiles.

Mapping Security: The Corporate Security Sourcebook for Today’s Global Economy | By Tom Patterson with Scott Gleeson Blue | Addison-Wesley Professional, 2005 | Rs 1,849.50
Travel: Global Economy: This valuable guidebook explains how to implement successful security processes in a multinational business environment. Includes a metric for quantifying security risk.

Cyber Spying: Tracking Your Family’s (Sometimes) Secret Online Lives | By Ted Fair, Michael Nordfelt, Sandra Ring, and Dr. Eric Cole (Technical Editor) | Syngress Publishing, 2005 | Rs 2,079.50
How-To: In-Home Espionage: The hows and whys of cyberspying on family and friends are laid out in a step-by-step and in-depth manner. Includes a word on ethics.

Rating System (lightest to heaviest): Don’t put away your beach chair just yet. | Back-to-school is in the air. | Prepare to fire the synapses. | No need to pull an all-nighter, but serious focus is required. | Read when wide awake. Have snacks nearby.


Diamonds Quantum-leap into IT Security
TECHNOLOGY | Diamond-based devices could be helping IT managers detect network snooping and prevent information theft as anti-eavesdropping technology from the University of Melbourne gets venture funding. The technology, based on quantum cryptography, uses a diamond to produce a single photon of light to stop information from being intercepted, according to Dr Shane Huntington, University of Melbourne scientist and CEO of Quantum Communications Victoria (QCV). The QCV program within the university’s School of Physics has secured a Rs 31.5-crore deal with a consortium of quantum communication production and commercialization companies. “Eavesdropping is a global problem. There is a critical need for Australia to keep up with the rest of the world in Internet security,” Huntington said. Existing communications systems are not foolproof because hackers or eavesdroppers can extract information from optical links without users knowing, he added.

First-generation products will be used for very secure transmission of secure datasets, like a bank’s daily off-site backup, but could serve the commodity networking market in about 20 years, Huntington said. It’s a low transfer rate but the idea is not to send data [this way] but the encryption key, so you don’t need the same transfer rate. One of the consortium’s goals is to enhance that as much as possible. If you can securely transfer the key, you can transfer the rest of that data over a standard telco line, he said. “We hope to have a prototype within three years,” Huntington said. “It’s not a stronger form of encoding; it’s a new paradigm. So if someone steals information, you definitely know. If you’re sending one photon at a time and one goes missing, you know it.” Huntington said the nascent industry already exists, but commercial systems available today don’t send one photon at a time.

“The technology we’re developing is a true source of these single photons; [others] use a laser and put it through a filter, so there is approximately one,” he said. This is achieved by ‘growing’ diamonds, which are ‘usually cleaner’ than the mined gems, in QCV’s lab. The synthetic diamonds have a defect which is the source of the single photon. — By Rodney Gedda


Simson Garfinkel | PRIVACY

Password Palooza
Passwords are more secure than you think. And you can make them even better with intelligent password management.

Illustration by Jayan K Narayanan

Many chief security officers (CSOs) would like to eliminate passwords from their organizations and use some other technology to authenticate users. That’s because it’s easy for users to inadvertently compromise password security or intentionally share passwords with co-workers, friends, and even the enemy. (Think sticky notes on monitors.) But passwords are not going away anytime soon. They are too widespread, too easy to implement, and just too darn useful. And they really are a good authentication technology. Because CSOs will be stuck with passwords for the foreseeable future, organizations need to give their employees tools, policies and training to intelligently manage the passwords they have, while simultaneously minimizing the damage that can occur if those passwords are compromised.

One of the reasons passwords are ubiquitous in today’s information-oriented society is that they are so easy for programmers to implement. Any computer system that has an input device and a little bit of memory can be rigged for password-controlled access. As a result, we have passwords not just for desktop computers and e-mail but for voice-mail systems, television v-chips (violence chips), and car computers and emission systems as well. Passwords are everywhere. Even if you restrict the discussion to the world of desktop computers, you’ll still find that passwords are everywhere! Today’s information workers must use dozens of passwords on a regular basis: to log in, to download e-mail, to access benefits systems, and so on.

The purpose of passwords is to prevent information or resources from being accessed by an unauthorized individual.



In practice, this means that passwords need to be difficult to guess in the first place and must be changed regularly. Good password management should prevent an ex-employee from using your corporate account to set up his own conference calls or to read your e-mail.

Password Synchronization

To start the password management process, minimize the number of passwords employees need to know. Here, the most common approach is what’s known as password synchronization. With this method, a central server guarantees that users can access all of a company’s servers and services with a single user name and password. The easiest way to implement password synchronization is to deploy a centralized directory that stores user names and passwords. The most common technologies here are LDAP (Lightweight Directory Access Protocol) and RADIUS (Remote Authentication Dial-in User Service). The trade-off is that one stolen password now unlocks every synchronized service, so the policies that make that password hard to guess, and the controls that notice guessing, carry more weight, not less.

Password Vaults

Next, give your users a way to securely record their passwords—both your organization’s and those issued by all those websites out there on the Internet. Although some people still use sticky notes taped to monitors, I prefer programs that implement what’s known as a password vault. These programs store user names and passwords in a file that’s encrypted with a so-called master password. Thus, instead of having to memorize dozens of individual passwords, employees need to remember only one. My favorite password vault is an open-source program called GNU Keyring that runs on PalmOS (download it from http://GnuKeyring.sourceforge.net). Keyring is easy to install and use. As an added bonus, it synchronizes with a user’s desktop, protecting his information against accidental loss and allowing him to view the file there as well. A similar program called Password Safe, which runs on Windows, is available for free from www.Schneier.com/passsafe.html. Password vaults are also built into the MacOS X operating system and into both the Firefox and Internet Explorer Web browsers. Apple’s password vault is called Keychain. If you subscribe to Apple’s dot-Mac service, you can automatically synchronize key chains among multiple computers. Firefox has a vault that it uses to store website user names and passwords; to make this system secure, you should give your browser a master password. Internet Explorer’s vault is based on the Windows log-in password, so its contents are only as safe as that log-in.

Cracking the Password

The problem with all password vault systems is that the vault itself can become a target: a determined attacker with appropriate access can simply steal your vault (by stealing your PDA, for example), crack the master password and recover all its secrets. Password cracking requires three elements for success. First, the attacker needs a copy of the encrypted password vault. In practice, this means stealing the PDA (in the case of GNU Keyring) or copying the file containing the vault from the user’s desktop computer. Second, the attacker needs special software that can rapidly test millions upon millions of potential passwords. Finally, the attacker’s software needs to be able to recognise immediately when it has guessed the right password. This kind of attack is called an offline attack because it can be carried out without being connected to a network, and therefore without tripping any lockout or logging on the systems whose passwords are inside the vault.

Password cracking is easiest when users pick short passwords. This is where password policies and user education can make a huge difference. If users pick master passwords that are only four letters long, and each of those letters is known to be lower case, there are only 456,976 possible passwords to try (26 multiplied by itself four times). A typical desktop computer can try between 100,000 and 1 million passwords per second, so such a password can be cracked almost instantly. On the other hand, if passwords are eight characters long and are drawn from an alphabet that includes both lower-case letters and digits, there are roughly 2.8 trillion possibilities in play (36 multiplied by itself eight times). Trying all of these on a single computer will take an attacker between 32 days and one year, depending on the computer’s speed, and on average the right one turns up about halfway through. That still gives an organization enough time to change the critical passwords in the stolen password vault.

Alas, an attacker who has access to several hundred computers will be able to crack an eight-character password in just a few days. Users facing such highly motivated adversaries should choose master passwords that are at least 16 characters long. An easy way to do this is to make the password a ‘passphrase’ consisting of several words, numbers, spaces and punctuation.
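The offline attack described above, written out as an added example for this edit (it is not code from the column, from GNU Keyring or from Password Safe). The vault header format is an assumption: a random salt plus a verifier tag computed as HMAC(key, "vault-check"), with the key derived from the master password by PBKDF2-HMAC-SHA256. The salt and the four-letter master password are constructed sample data, and the PBKDF2 iteration count is set to 1 so the demonstration finishes in about a second; a real vault uses thousands of iterations, which multiplies the attacker’s cost per guess by the same factor but does nothing to rescue a tiny keyspace.

```python
import hashlib
import hmac
import itertools
import string

LOWERCASE = string.ascii_lowercase

# Toy vault header, an assumption for this example: the stolen file carries a
# salt and a verifier tag HMAC(key, VERIFIER_LABEL). The tag is what lets the
# vault program, and equally an attacker, tell at once whether a candidate
# master password is right: the third element of an offline attack.
VERIFIER_LABEL = b"vault-check"


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def make_verifier(master: str, salt: bytes, iterations: int) -> bytes:
    """Tag stored in the vault header so the right master password is recognisable."""
    key = derive_key(master, salt, iterations)
    return hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()


def crack_offline(salt: bytes, verifier: bytes, iterations: int, alphabet: str, length: int):
    """Brute-force every string of `length` characters over `alphabet`.

    Returns (master_password, guesses_made), or (None, guesses_made) if the
    keyspace was exhausted. Nothing here touches a network: the attacker only
    needs the stolen header and CPU time.
    """
    guesses = 0
    for chars in itertools.product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(chars)
        if hmac.compare_digest(make_verifier(candidate, salt, iterations), verifier):
            return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case days to try every password in the keyspace at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed sample: a stolen header whose master password is four
    # lower-case letters. iterations=1 keeps the demo quick (see lead-in).
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    stolen_verifier = make_verifier("dove", salt, iterations=1)

    found, guesses = crack_offline(salt, stolen_verifier, 1, LOWERCASE, 4)
    print(f"recovered master password {found!r} after {guesses:,} guesses")

    # The column's two policies plus the 16-character passphrase it recommends,
    # at the 100,000 to 1 million guesses per second it quotes for one desktop.
    for label, size, length in (("4 lower-case letters", 26, 4),
                                ("8 letters and digits", 36, 8),
                                ("16 letters and digits", 36, 16)):
        fast = days_to_exhaust(size, length, 1_000_000)
        slow = days_to_exhaust(size, length, 100_000)
        print(f"{label}: {keyspace(size, length):,} candidates, "
              f"{fast:,.1f} to {slow:,.1f} days on one desktop")
```

Run it directly to watch the four-letter master password fall after a few tens of thousands of guesses, and to see the column’s keyspace arithmetic next to the 16-character case; the last figure is the reason a passphrase is worth the typing.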

Security by Proxy

Another way to protect a password vault is to take it off the desktop or PDA and put it on a special network appliance. Users connect to this network appliance using a password, token or biometric. The appliance then opens a second connection to the service that the user wants. When the remote service requires authentication, the appliance sends the user name, password and any other credentials. Such a device is essentially a special-purpose security proxy that understands and automates the procedure of logging in to remote systems.

There are many advantages to a security proxy. For starters, a well-designed proxy is not susceptible to offline attacks because the attacker never gets hold of the encrypted passwords. Instead, the attacker is forced to perform an online attack, that is, to submit each guess to the proxy in the hope of hitting the correct one. Any proxy that’s well written will detect this attack and, after a few dozen attempts, refuse to accept passwords from the attacker. One example of a security proxy appliance is Network Vault by Cyber-Ark. RSA Security’s Enterprise Single Sign-On is another.

The biggest advantage of security proxies is that they can exert a great deal of control over the users who proxy through them. For example, a security proxy can be programmed to log every command that’s typed, to deny certain commands to certain users, and to automatically lock people out when they are fired. This capability is especially useful for organizations that are looking for a systematic approach to managing network equipment and other kinds of telecommunications gear. The flip side is that the appliance now holds every credential in a form it can replay, which makes it the most valuable target on the network; it needs hardening, tightly restricted administrative access and auditing of its own log-ins.

To be sure, some organizations have adopted alternatives to passwords such as PKI (public-key infrastructure), hardware tokens or biometrics, with the goal of integrating all systems within the enterprise to use a single authentication infrastructure for desktop, network, e-mail and intranet applications. CIO

Simson Garfinkel, PhD, CISSP, is spending the year at Harvard University researching computer forensics and human thought. Send feedback on this column to editor@cio.in
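The lockout behaviour the Security by Proxy section expects of a well-written proxy, written out as an added example for this edit (it is not code from Cyber-Ark’s Network Vault or RSA’s Enterprise Single Sign-On). The SecurityProxy class, its threshold of 24 failures within five minutes and its 15-minute lockout are assumptions chosen to illustrate the policy; the attacker’s guesses are constructed. Time is passed in as a parameter so the policy can be exercised without waiting.

```python
import hashlib
import hmac
import os
from collections import deque

# Lockout policy, an assumption for this example: after MAX_FAILURES failed
# attempts on one account within WINDOW_SECONDS, the proxy stops checking
# passwords for that account for LOCKOUT_SECONDS, even if a later guess is right.
MAX_FAILURES = 24
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


def hash_password(password: str, salt: bytes) -> bytes:
    """Stored form of the user's front-door credential (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class SecurityProxy:
    """Front door of a security proxy: it checks the user's own credential and
    only on success would go on to replay the stored back-end credential
    (that second connection is outside this example)."""

    def __init__(self):
        self._accounts = {}       # user -> (salt, stored hash)
        self._failures = {}       # user -> deque of failure timestamps
        self._locked_until = {}   # user -> unix time when the lock expires
        self.audit_log = []       # one line per decision, the feed a SOC would watch

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = (salt, hash_password(password, salt))

    def authenticate(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injected for testability."""
        if self._locked_until.get(user, 0) > now:
            self.audit_log.append(f"{now:.0f} user={user} result=locked")
            return "locked"

        window = self._failures.setdefault(user, deque())
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()          # forget failures older than the window

        # Hash even for unknown users so the timing does not reveal which
        # accounts exist; an empty salt/hash simply never matches.
        salt, stored = self._accounts.get(user, (b"", b""))
        if user in self._accounts and hmac.compare_digest(hash_password(password, salt), stored):
            window.clear()
            self.audit_log.append(f"{now:.0f} user={user} result=ok")
            return "ok"

        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self.audit_log.append(f"{now:.0f} user={user} result=locked failures={len(window)}")
            return "locked"
        self.audit_log.append(f"{now:.0f} user={user} result=denied failures={len(window)}")
        return "denied"


def simulate_online_attack(proxy: SecurityProxy, user: str, guesses, start=0.0, interval=1.0):
    """Submit guesses one per `interval` seconds, as an online attacker must; count the outcomes."""
    counts = {"ok": 0, "denied": 0, "locked": 0}
    for i, guess in enumerate(guesses):
        counts[proxy.authenticate(user, guess, start + i * interval)] += 1
    return counts


if __name__ == "__main__":
    proxy = SecurityProxy()
    proxy.enrol("alice", "correct horse battery staple")
    # Constructed attack: 40 wrong guesses followed by the real password.
    attack = [f"guess{i}" for i in range(40)] + ["correct horse battery staple"]
    print(simulate_online_attack(proxy, "alice", attack))
    print("\n".join(proxy.audit_log[-3:]))
```

Note what the simulation shows: once the lock engages, even the correct password is refused until the lock expires, so a per-account lockout is itself something an attacker can abuse to keep a real user out. A production proxy pairs it with per-source throttling and raises an alert on the audit feed rather than relying on the lockout alone.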


Anonymous

consultancy

How to Corral Security Consultants

Set clear ground rules before you engage outside experts—or be ready to clean up a mess.

Illustration by Sasi Bhaskar

My current boss, a CEO, defines a consultant as a person you pay to tell you what time it is from your own wristwatch. I like that line. Having been on both sides of the game, as a consultant and a customer, my view is that this definition is sometimes right on the money. While there are some very good consultants out there, and some very good customers, they don’t necessarily communicate very well with each other. And that opens the door to problems (and, of course, to consultant jokes). I suppose if your intent is to gain outside confirmation of your own beliefs, hiring a consultant can be useful. But be prepared for the possibility that the consultant may return with an opposing view or advice you don’t think your company would be wise to follow.

A few days after I landed my present job, post-9/11, I was told that one of my performance objectives was to track the progress of the security consultants who had been hired and launched before I got here. They were brought in to “look things over and make recommendations to improve security.” Once they were through looking and we had their reports, I was to review those reports and develop plans to implement the recommendations. Sounded reasonable. Within days, however, I learned that things weren’t quite that simple: There wasn’t just one security consulting group on board; there were three, and all were nearly finished. Each had a slightly different approach, background and number of team members. Each had been hired by operations directors from different departments to perform a “comprehensive review of security,” but those hiring managers didn’t coordinate their efforts with each other or with the consultants. And, not being security professionals, the ops directors did not think themselves qualified to place any restraints on the consultants, which meant that, with no useful guidance from our end, the consultants pretty much had complete freedom. That may sound bad, but wait, there’s more. These consultants had mostly Defense Department experience and little background with the private sector, which meant they had no sense for business planning around P&L (profit and loss). When their reports came in, it was no surprise to see that they were in different formats, that they contained both different and overlapping findings, and that they made different recommendations—even in cases where the findings were the same!

Too Much Advice Can Be a Bad Thing

I had expected some duplication. But I was not prepared for the labor-intensive development of a matrix, first to identify more than 600 findings and recommendations, and then to decide which were different, which were duplicates or contradictory. The net of all this was assimilating a little more than 100 separate findings and recommendations that may have made sense to the military, but did not translate very well to the private sector. And here is the most irksome issue when hiring security consultants. They will walk away when finished. You, however, have to live with what they leave behind. In the best of all worlds, you took the time to properly orient them to your business, your culture, your standards and your needs for their help. Then, of course, you made it clear where you are on the risk management scale. If your business is risk averse, like the Department of Defense, you may not bat an eyelid when you get the recommendation for a high-efficiency particulate air (HEPA) filter. But if your business is inclined towards risk, more in the mode of managing various risks, then you will want to see some more practical approaches to things like air quality assurance. If you haven’t managed the consultant’s goals and objectives and have not placed any constraints on them, you will find, as I did, that you are caught between the proverbial rock (the consultants’ professional opinion) and a hard place (your reality). Therefore, the key to a successful relationship with security consultants is to clearly define what you want to achieve through their service, when you think it is reasonable for them to finish, what constraints your company imposes on any business proposal, and finally, what format their final report should be in. You’ll also be ahead of the game if you request that, for each recommendation the consultants make, they engineer the solution, cost it out and draft the budget justifications (in terms of ROI). That way, you’ll be prepared when it’s time to fight for the money. Also, have them provide an estimate of the impact on the annual operating budget of maintaining all the systems and gadgets they recommend you buy.

In our case, we pretty much created a monster. The ops directors who hired the experts had nothing but good intentions. But they gave the consultants too much freedom. This led to some equally well-intentioned recommendations that created a number of “round peg/square hole” problems for us. While 90 percent of their work was common sense and not controversial, we were quickly reminded that the final 10 percent of performance accounts for 90 percent of the cost. So when I decided to ignore some of their more outrageous suggestions, I had to do a lot of homework—some of it with the help of even more consultants—to prove that doing it their way was either silly or, in my view, flat-out wrong. Remember the old proverb that says the more you pay for something, the more credibility it has? Exactly the case here. When one of the ops managers said, “What do you mean you aren’t going to follow their recommendation to install HEPA filters in our public building HVAC (heating, ventilation and air conditioning) systems?” I had to explain exactly what a HEPA filter is (and its impact on standard HVAC design and our operating budget) before he stopped sniveling and listened. He had allocated a large slice of his discretionary budget to pay the consultant, so he expected us to follow their advice. All of it. But I pointed out that in a public building, a bad guy can simply walk in and spread bad things around that circumvent the filters. And since the best defense is to turn off the HVAC system to keep bad things from spreading, the filters are once again largely irrelevant. Not to mention, state building codes on the replacement of air in public buildings make HEPA filters impractical in an existing HVAC system.
Even with my (I thought) lucid arguments, we unfortunately ended up hiring an engineering consultancy to study the impact and cost of installing respirator filters in a building HVAC system. The resulting study showed conclusively that it didn’t make any sense. The consultants may as well have recommended we put canary cages in the food court to warn us when we are under chemical attack! In the end, we paid the engineering consultant a lot of money to tell us that the security consultants had made a silly recommendation that we were right to ignore.

Guide Events or Be Guided by Them

So, OK, what is the lesson here? Never hire a consultant? No, of course not. There are times when you will want to do this, no matter how good you are yourself. But before you go that route, make sure it is a deliberate decision and that you have a big hand in shaping the course of events.

First, it’s important to understand the difference between a security professional and a security practitioner. A security professional may be certified by a recognized security association and have many years of experience in security, but may not be currently responsible for the security of any enterprise. A security practitioner is someone who is responsible for all or part of the security of an enterprise, whether or not he has any expertise in security at all. The best case is when the practitioner is also a professional, and the professional has been a practitioner. With that in mind, it’s appropriate to hire a security consultant:

- When nobody in the company has the requisite expertise.
- When there may be a legitimate question of conflict of interest. If you were the champion last year of an unpopular security policy change, that change will be hard for you to look at without bias this year.
- When, regardless of expertise or conflicts, nobody has the time to do it.

If you find yourself in one of these situations, here are some things to look into when selecting a security consultant:

- Get recommendations from professional contacts in your industry whom you know and trust. If they were happy with a consultant, chances are good you will be too.
- Require consultants to submit team member résumés with their proposal. You should look for senior team members who have been security practitioners. Since a lot of these people come out of the Defense Department or a police department, look for recent experience in your business sector.
- Call some former clients of the consultant and talk to them about their experience with this company; find out what they liked and disliked about the service they received.
- Before any work commences, make sure you get formal non-disclosure agreements signed by each person involved in the security work. Also be sure to schedule a formal meeting where you set mutual ground rules for your work together, and schedule frequent status reports.
Make sure you get to see the final draft before it goes to anyone. You should have no surprises at the formal presentation of consultants’ findings or with their written reports, and you should be able to anticipate and answer questions from your boss and other higher-ups. This isn’t to suggest a whitewash; simply, it’s best that your peers and your leadership hear about security problems and solutions from you rather than from the ‘experts’. After all, you hired these people to help you get better, not to make you or your company look bad. Following this advice will enhance your experience with consultants, and ensure you present your company with a useful set of recommendations that improve security without breaking the bank or harming your credibility. CIO

This column is written anonymously by a real CSO. Send feedback on this column to editor@cio.in




Cover Story | Convergence

Armor Plate Your Enterprise

What does it take to make convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something entirely different.

Illustrations by Sasi Bhaskar

By Sarah D. Scalet

At first glance, the security operations center for Constellation Energy Group is exactly what you’d expect from a high-tech Fortune 500 energy company. At the front of a windowless room some 30 kilometers from the company’s Baltimore headquarters, video monitors display office hallways, a trading floor, electrical substations and entrances to power plants. One screen is permanently tuned to CNN, which seems to be corporate America’s ubiquitous intelligence source. Another shows a map of the world. Security operators are busy tracking and responding to events at facilities around the world. A smoke alarm goes off here, a door is held open too long there. The usual. But that’s not all that’s being monitored. The director of enterprise security checks his BlackBerry and then speaks in a low voice to the supervisor of the ‘information protection’ unit, previously known as information technology security. The former is a one-time Marine, with closely cropped hair and a dark suit and tie, whose background is in corporate security and executive protection. The latter sports a well-groomed mass of curly locks, a soul patch beneath his lower lip, no neck-tie, and a handkerchief jutting out of his jacket pocket. Until recently, he reported to the IT department rather than corporate security. Only a few feet from where security operators are monitoring gates and guards, these two very different men are assessing the security announcements from Microsoft on this ‘patch Tuesday’. The workstation before which they stand displays not a video feed but a security-incident management system that draws together information about the company’s firewalls, intrusion-detection systems and other network operations. Welcome to a converged security operations center—a work in progress. “We haven’t made a full determination yet on how this is going to be integrated,” says John Petruzzi, the former Marine who is director of enterprise security, as he surveys the room. Right now, two workstations are used to monitor physical systems, and a separate workstation is used to monitor logical or information systems. But Petruzzi thinks that may change within the year. “We’re leaning to the fact that we can get it to a point where the console operator will be integrated,” he says. “I think we’re almost there.” That would mean that each security operator would monitor all kinds of security incidents, both physical and virtual.

There has been an increasing recognition that information security comes under risk management rather than technology.

Call it integration; call it convergence; call it holistic security. Whatever its name, it is budding in this room and others like it across the country. In 2006, according to Forrester Research, North American companies will spend Rs 7,650 crore on projects that combine traditional physical security and IT security—more than five times as much as they spent in 2004. And Constellation has undertaken the most ambitious type of convergence project of all: The wholesale integration of the two departments. Along the way, those involved with the project are facing political, logistical and cultural challenges, with little to guide them. “I have not seen a repeatable organizational model for a completely converged, centrally managed security operation [that includes] physical and IT security,” Forrester analyst Steve Hunt warns. (After this story was reported, Hunt resigned from Forrester to launch 4AInternational, a security consultancy that will focus on convergence strategies.) But he’s delighted that companies such as Constellation are trying. “With good management, anything is possible. There’s a chance they could succeed and save a lot of money and be much better than they ever were before at mapping security to actual business value.” What’s more, if Constellation has its way, it could even be mapping out how the next generation of security will look.

The New Guard

At Constellation, the dramatic transformation to bring together information security and physical security can be traced straight to the top—to Mayo Shattuck III, who took over as chief executive just weeks after the terrorist attacks of Sept. 11, 2001. Shattuck could hardly have chosen a more tumultuous time to leave his post as president of Alex Brown, a Baltimore-based unit of Deutsche Bank, to take the reins at Constellation, then a Rs 17,550-crore energy generator and distributor. The energy industry had already been battered by the California energy crisis and concerns about terrorist attacks on the power grid. It was about to absorb another blow, with the collapse of Enron. And Constellation itself was in turmoil. On the heels of a failed attempt to merge with Potomac Electric Power, Constellation had just scrapped a plan to split into two companies: a regulated power distribution business and a non-regulated production and trading business. The company paid Rs 1,597 crore to Goldman Sachs, its investment partner, to get out of the deal. It was time for a regime change. It was time to focus on risk. “Coming from the banking world, I was struck by the lack of centralized risk management on day one,”
Shattuck says. “It was probably the afternoon of day one when I decided that I immediately needed to mirror the way in which a universal bank [approaches] risk.” As Shattuck remade his senior management team, one of the most prominent new players to emerge was John Collins, a long-time finance employee who became the company’s first chief risk officer (CRO). “Originally, we looked primarily at the financial risks—the risks around our marketing and trading operations, the risks around our loan-servicing business, commodity price movements,” Collins says. “At the same time, my vision has always been to incorporate operational risk. Both security and business continuity planning seemed to be in places in the organization where they weren’t really getting enough high-profile attention.” In late 2002, Collins officially expanded his purview. He took control of the company’s business continuity and corporate security operations, which had been part of the general services department. But information security wasn’t ready to make the move just yet. That’s because Beth Perlman, the company’s first-ever CIO, was still trying to get a handle on the piecemeal systems that had grown out of decades of the business lines operating independently. “When I came here, you could not tell that all the divisions were part of the same company,” says Perlman, who was hired in April 2002. “If I wanted to access our HR system, I had to go through firewalls. We did not have one IT security department; we had many IT security departments. The first step of convergence was formulating one IT security group. The last thing I wanted to do was just dump something that didn’t work.” By this point though, the players were all in place. Brandon Dunlap, supervisor of the information protection unit under the risk-management organization, had been hired to manage IT security. And Shattuck himself had brought aboard Petruzzi, who had worked in executive protection at Alex Brown.
Shattuck trusted Petruzzi, who had accompanied him on trips to South America to coordinate his protection, and thought that Constellation would be a good spot for Petruzzi to build and broaden his career. As it turned out, Petruzzi, now just 34, would broaden a lot more than his own career.

Not Just Another Project

“We started [at Constellation] within, what, two weeks of each other, and started meeting almost regularly right after that,” Dunlap says to Petruzzi, as Petruzzi settles into a chair in a conference room next door to the security operations center. Petruzzi has asked his three direct reports to gather here on this January afternoon to talk about how the convergence process is playing out. There’s Dunlap, with his cultivated eccentricity and deep technical know-how. (He’s on the faculty of the Institute for Applied Network Security.) There’s Frank Woods, a 25-year Constellation veteran who used to be supervisor of the security operations center but is now supervisor of a new access-management unit, which will handle all requests for logical and physical access companywide. Finally, there’s Dave Feeney, the newly promoted supervisor of the security operations center, whose emphasis has been on making sure that the operators hired to work in the center have plenty of tech savvy. (Petruzzi’s direct manager, Jack Ryan, declined to be interviewed for this story. Ryan, a 21-year Constellation employee who is head of corporate security, indicated
through corporate communications that ‘all bases have been covered’ by this story’s other sources.) There’s an easy banter between the three men and their new manager, and a vitality that feels more like an Internet startup than a century-plus-old energy company. Petruzzi’s crew had already dug into lunch by the time he arrived from headquarters with a reporter in tow. Dunlap makes a crack about Petruzzi still not letting him carry a gun. The conversation moves fluidly from network sensors to smart cards to concealed duress buttons that trigger alarms. Wasn’t it always this way? The convergence process didn’t start as a big explicit project—and this is key. “We didn’t have a name for it,” Dunlap says. “We didn’t call it ‘convergence’. We just thought, 'wouldn’t it be great if we could work together more closely for efficiency?'”


Cover Story | Convergence

Vol/1 | ISSUE/13

5/12/2006 8:40:08 PM

As at many companies that have brought together physical and information security, the evolution began with the investigations group. Because investigations were conducted by corporate security but often involved data stored on computers or passed through email, there were frequent hand-offs between corporate security and IT. At the same time, the IT department was growing its monitoring capabilities. Dunlap’s staff might notice inappropriate behavior on the network and report it to investigations. “There was never this, ‘We’re shoving this down your throat,’” Dunlap recalls. “It was more like, ‘Hey, if you’re doing that, you really should get these guys involved.’”

This was driven partially by the risk-management approach that Collins was spearheading and partially by regulatory concerns. “When you look at corporate security,” Collins explains, “the evolution of it has to be with information technology security, because you won’t address the whole security environment unless you’re looking at it together. We also think that it’s the right thing to do because, otherwise, you have the IT department watching the IT security, and is that really good internal control?”

There were financial incentives too. Collins believed that combining physical and IT security would simply be more efficient and effective. For instance, he thought the company could save labor costs by merging network and physical access monitoring. Simply put, Constellation wouldn’t need as many guards.

By summer 2004, executives started mapping out the split. IT systems maintenance would stay within the IT department, but IT security would keep track of any maintenance required from a security perspective. IT security—renamed ‘information protection’ to distinguish it from IT—would operate as a consultant to IT. ‘Gartner lite,’ Dunlap calls it, referring to the IT consultancy. Here’s how things would play out.

If a change needed to be made to a firewall, the information protection group would make a request, and the IT infrastructure department would carry it out. If there was unusual activity on a port, information protection wouldn’t disable it; they would call the network technicians. If a system needed to be patched, information protection would do the research and testing and then put the word out. Complicated? Yes. But it made sense. “We said, ‘OK, this is a segregation of duties,’” says Perlman, the CIO. “You [security] are a consumer of the tools. We [IT] deploy the tools. Checks and balances.”

Gradually, as the IT security function came together and started to operate more smoothly, its staff began working more closely with security, writ large. On October 1, 2004, IT security employees officially started working for corporate security. The switch was thrown.

Power Shift

As CIO, Perlman stood to lose the most. After all, she was giving up employees and budget and, therefore, power. But if this bothers her, she doesn’t let on during a meeting with a reporter in her office on the top floor of Constellation’s headquarters. Her lament instead? Now that IT isn’t directly involved with investigations, she says with a laugh, “I don’t get the dirt anymore. That’s what I miss.”

In truth, Perlman didn’t lose much more than a few headaches. Only 12 IT employees and a handful of contractors made the move to corporate security— hardly denting her staff of 550 full-time employees and 150 contractors. The only part of her budget that has been moved, at least so far, is for security salaries and consultants. IT still controls the budget for everything from anti-virus software contracts to smart cards, charging back costs to the business units. And not knowing ‘the dirt’ anymore means that Perlman doesn’t have to drop everything to deal with an investigation. It also helps that she trusts Petruzzi. “If you don’t trust the person you’re giving the group to, forget it; it will never work,” Perlman says. “While we were cleaning up our own shop, we were working on building trust with each other’s groups.”

Not that everything is perfect. Perlman and Petruzzi are still bringing finesse to the line between operations and security. They’re also talking about moving more of the budget over to security for the next fiscal year. And the two don’t always agree. Far from it. For instance, they’re still working out the best way for traveling employees to sign onto e-mail. Right now, employees use SecurID tokens from RSA, in addition to passwords. Perlman feels that the tokens are an expensive bother (one that her department must pay for and support), and would like to phase them out. Petruzzi’s team thinks otherwise. “The question is, is the cost of that infrastructure worth it or are there other measures we could take?” Perlman says. “That’s where we’re having an argument. [Petruzzi] thinks the other options that we’re offering are not as secure, so we’re trying to say, what’s the risk?”

“We just don’t see that your cost-avoidance, by doing away with the RSA tokens, is worth the risk,” answers Petruzzi, whose information protection group put together a page-and-a-half-long report outlining arguments against the change. Gartner lite.


How the Stars Aligned

1. Constellation was ripe for change, with a new CEO who had replaced most of the senior management team.

2. The company had a new focus on enterprise risk management, overseen by a chief risk officer who is concerned with operational as well as financial risks.

3. As a heavily-regulated company, Constellation felt an acute need to establish segregation of duties between the management and control of IT systems.

4. Convergence didn’t begin as a ‘project’. It started happening naturally.

5. The CIO didn’t lose much staff or budget when she gave up control of IT security. The new information protection department operates like a consulting service to IT.

6. Both the physical security and IT security staffs perceived their status in the organization as being elevated.

— By Sarah D. Scalet

For the time being, the two have tabled the issue until they address a new identity access and management plan next quarter. In other words, they have agreed to disagree. Their relationship is solid enough that when Perlman’s assistant can’t find her, she looks in Petruzzi’s office. The RSA tokens are still in use, and Perlman isn’t unhappy, because no one has said ‘no’ to her without offering options. “If it gets to the point where somebody says, ‘You can’t do that’, and doesn’t offer me options, that’s when the new structure isn’t working,” Perlman says. “You have to be good collaborators. You have to understand this is a business problem we’re trying to solve.”

The Future of Security

For Petruzzi, who has a degree in criminal justice, it’s all part of the crash course he’s been taking since joining Constellation. He’s taken SANS Institute courses. He does outside reading. He peppers Dunlap with technical questions about solutions they are considering, making sure he has a sufficient understanding of the risks involved. And he’s encouraging his staff members to do the same. In fact, he has told them that their performance will be evaluated, in part, on whether they make themselves into what he calls ‘the new breed of security specialists’. Training doesn’t have to be complicated. It might consist of a few symposiums or on-the-job training with someone who has a different kind of security background. “It doesn’t mean you have to be an expert,” he says. “It means you need to be able to stand in court or in front of executives and state things clearly.”

Those who have remained at Constellation through the turmoil of the past three years say they have embraced this new strategy—largely because both IT and physical security staffs saw their positions as being elevated. Woods, who runs the new integrated access management unit, remembers “the days when corporate security existed in a basement under the general services division. It was like the cleaning personnel and then security below them. We didn’t have much authority.” Now, corporate security has a clear line to the CEO. Dunlap, too, saw convergence as an opportunity. “Before, we were kind of... I don’t want to say sequestered, but to some degree we were just another guy at the table,” he says. “We saw coming out and working for the risk management group as a kind of independence. It’s not that we necessarily swing a bigger stick, but we have a very clear escalation path that doesn’t go to the CIO anymore. It’s not a server maintenance problem. It’s a vulnerability management problem.”

As for Petruzzi, he’s getting savvier about navigating that escalation path. Collins, the CRO, has led him to approach things from a financial risk management perspective. It’s been an education. It took Petruzzi three tries to get his first business plan right. “The first-year approach was kind of going to be, let’s just let things run how they are and build a better plan instead of trying to come out of the gate with this plan to consolidate, reduce costs and make a more oversight-oriented business function,” Petruzzi recalls. “That didn’t fly. It was kind of like, ‘That’s not going to work. I’m a finance person. I want you to show me where you have places you can save costs by consolidation.’” Three months later, Petruzzi finally got the plan approved and along the way became conversant with the finer points between, say, cost reduction and cost avoidance. Because Collins is chief risk officer and not chief financial officer, Petruzzi says, the focus on cost savings doesn’t happen at the expense of good security.

“At the same time that [Collins] is making us financially responsible, he is also saying we’re only going to go to a certain level of risk,” Petruzzi says. He speaks like a person who has transformed from someone who merely secures assets into someone who analyzes and balances risks. Could it be that at the CSO level, the ‘new breed of security specialist’ will not be a security specialist at all?

As for Constellation, it’s still too early to say whether the project truly will lead to the increased efficiency and effectiveness that the company is expecting. Hunt, the analyst, doesn’t mince words about the odds Constellation is up against. “I think that most converged departments lead to a loss of efficiency, of effectiveness, or [to] utter failure. I wish it weren’t that way.” Hunt is convinced that companies will just not be able to reconcile the cultural differences between the two departments. He also suspects that in the long run, the most effective ‘convergence’ may lie not in the integration of the two departments, but in targeted, specific projects done jointly—say, the installation of a new access management system.

Nevertheless, it’s hard to argue with what Shattuck has done as CEO. Under his risk-focused leadership, the company has tripled in size. On the 2004 Fortune 500 list, it jumped from position 352 to 203. Revenues for 2004 topped Rs 56,250 crore, increasing from Rs 17,550 crore in 2001. And Shattuck is bullish that the new structure is already working. Every Monday, he begins his week by meeting with his risk management committee. Not only does he get a window into the company’s current financial risks, but he finds out about security vulnerabilities. He doesn’t care if they are physical or virtual, only whether they could hurt the company. “This is really a top-down perspective,” Shattuck says, “but for me [the converged approach is] the most convenient way of dealing with risks.”

Reprinted with permission. Copyright 2006. CSO. Send feedback on this feature to editor@cio.in

Every Kind of Risk

As chief risk officer of Constellation Energy Group, John Collins has what you might call a diverse risk portfolio. Collins, whose background is in finance, started with a focus on financial and credit risks. These days, however, he spends about one-third of his time on operational risks, including physical security, information security and business continuity. We talked to Collins about what it’s like to bring together all those risks.

As someone with a finance background, how do you approach operational risk management?

John Collins: The key is to understand your operational risk but to put it in financial terms. We look at each of our critical assets—be it a physical asset or an information technology asset—and say, “OK, what happens if we lose that asset?” If the financial implications are large, then we’re going to make sure that we have all proper measures in place [to protect it]. We’re also going to make sure we have a business continuity plan in place, so that if we lose the asset—no matter how much protection was in place—we can continue to do business.

What has the transition into managing security been like?

It’s been an educational process. The teams have spent a lot of time educating me on what is physical security, what is IT security— probably more on IT security. You can see and touch physical security; IT security is a little bit tougher. It’s understanding what the regulations are that drive our business, what our vulnerabilities are, how do we address our vulnerabilities, and basically, just getting a handle on it.

Is managing security different somehow from managing, say, credit risk?

The types of employees who are attracted to the different fields are different. You have to manage to your different employee populations. You understand what they’re good at, what they’re not good at, what their likes and dislikes are, and you then change your management style appropriately to those people. You use the same discipline in understanding corporate security or information security that you do in understanding credit risk or financial risk. The math is different; the dollars could be different, but you want to use the same approach. What we’ve done is standardize how we look at risk across the enterprise. I think that gives us better ability to go back and ask, “Was this a good decision?” We don’t always make perfect decisions, but [the approach] gives us a pretty solid platform to evaluate our decisions.

— By Sarah D. Scalet


Disaster Recovery

Feature - Interview - 01.indd 45

Captain Contingency

MIT logistics expert Yossi Sheffi talks about what companies can do to recover quickly from almost any type of disaster. By Susannah Patton

When the South Tower of the World Trade Center collapsed on Deutsche Bank’s New York facility, the German banking giant lost its connection to the US markets. Almost immediately, however, backup systems in Ireland kicked in, and Deutsche Bank went on to clear more than $300 billion in transactions that same day.

Imaging by Binesh Sreedharan

After the September 11, 2001 attacks and, more recently, hurricanes Katrina and Rita, companies such as Deutsche Bank have been able to bounce back because they planned for the unthinkable. Yossi Sheffi, director of MIT’s Center for Transportation and Logistics, calls these organizations ‘resilient’. In his recent book, The Resilient Enterprise, Sheffi says companies and government agencies need to take a systematic approach to disaster planning. The list of things that can go wrong is endless, especially in this age of supply chains that stretch around the globe, leaving companies vulnerable to strikes, natural disasters and civil unrest far from home base. Companies not only need to start cataloging what could go wrong, but also need to examine their cultures to make sure theirs is resilient. Companies that recover in the face of devastation are those with redundant systems, but they also empower all levels of employees and create a sense of passion for work, Sheffi says. Company cultures that promote resiliency should be equipped to respond to almost any disaster. Building redundant IT systems is most important for technology-intensive industries such as financial services. But even universities and other organizations with less pressing needs for immediate backup should evaluate the types of data that are most crucial to their daily operations. It’s a simple equation, says Sheffi. “It’s better to pay something now, than to possibly lose your business in the future,” he says. Sheffi recently spoke with CIO about what makes companies resilient and how CIOs can build a case for a comprehensive plan to keep IT systems up and running when the unthinkable strikes again.

CIO: Recent disasters show that IT leaders and their companies need to prepare for the unknown. What have we learned, for instance, from Hurricane Katrina?

Yossi Sheffi: We’ve learned that the fates of companies and government agencies are sealed before the disaster hits. Organizations that get ready perform well; those that don’t prepare don’t do well. Just look at FEMA (Federal Emergency Management System). They were hiring people with no qualifications, and they had not set up adequate communication systems. This was happening for years. And New Orleans had not responded to warnings three days before the storm hit. On the flip side, we should look at Wal-Mart and Home Depot, which responded quickly. They have both spent years building up their emergency room and communications systems, so they can respond to any natural disaster. These companies are able to change course when conditions change abruptly.

What should companies be doing right now to emulate Wal-Mart and Home Depot?

They need to look at company culture. There is something in the DNA of resilient companies that is missing from those that falter and suffer. It goes beyond just redundancy. First of all, communication is key, and I’ve found that resilient companies communicate obsessively. The U.S. Navy is a good example. On aircraft carriers, there are lots of so-called listening networks that allow lots of people to listen to communication between pilots, the tower and the landing signal officers and others. It may sound like a lot of chatter, but everyone is listening intently, so they can react immediately if something goes wrong. Another factor is empowerment. At Toyota, for example, every worker can pull a cord and stop production if they see a quality problem. If they pull it, the line stops and a team of engineers descend to see what is going wrong instead of just letting the line keep working. This is an effort to prevent the making of bad cars. The same thing happens on a Navy carrier, where every sailor on deck has the right and responsibility to stop flight operations if they see a problem developing. This is amazing because you’re talking about what could be a 19-year-old with one year of training having the right to stop a multibillion-dollar ship with 6,000 highly trained sailors on deck. In disasters, it’s clear that you have to react immediately, and it’s possible that one sailor could see it coming. The third characteristic of good culture is a passion for work. Navy sailors, for example, don’t think about their job as driving big ships; they think of their job as defending freedom.

How has globalization made companies and their IT systems more vulnerable when disaster hits?

Globalization of the supply chain is still marching on because labor costs are so low in places like China. But this trend stretches the supply chain across the globe and makes companies vulnerable. Lead times are longer, and a lot can happen in the meantime. It takes six to eight weeks to go over the ocean and during that time, demand can change. More importantly, risks such as theft and counterfeiting rise. Also, many regimes are unstable, and there can be unpredictable events such as strikes and terrorism. All these create a more brittle supply chain. When something goes down and the transportation link breaks, the product is just not available. However, there are ways to protect yourself. When it comes to IT, the need for redundancy is obvious. The cost of an information technology outage to a major corporation from floods, terrorism, or whatever, is huge. It can put the company out of business. But the cost of back-up and redundancy in IT is relatively low, especially when you compare it to having a redundant manufacturing plant.

Is there a difference between redundancy and mere back-up?

Redundancy is more than the back-up of data. Redundancy may require, for example, the ability to get more hardware in the event of a disaster. You need an agreement with Dell or HP or anyone else to get the equipment and make sure that you have the capacity, power and other infrastructure to handle the data. For example, during 9/11, Merrill Lynch not only had back-up of all its data and transactions, it also had shadow trading floors already set up in New Jersey. When the exchange reopened, Merrill Lynch was trading. They were up and running even though they were in the South Tower when the airplane hit. We need redundancy in all the supporting infrastructure, not just backup of the actual data. It’s interesting to look at Cantor Fitzgerald as well. They were the largest bond trader in the world, and they lost 657 employees on 9/11. A lot of people thought they’d never survive because it’s a very relationship-based business. But from the IT perspective, they were able to recover because all their data was backed up. Even with their infrastructure gone, they had Microsoft come in and recover their lost passwords and get their operating system back on line. A competitor let Cantor Fitzgerald use its systems while Texas Instruments rebuilt its infrastructure. They were able to recover because they had been backing up their data in real-time.

It’s clear that IT-intensive companies like Cantor Fitzgerald and Merrill Lynch need a lot of redundancy and back-up. But for other companies, it may not be as clear. How does a company decide how much redundancy it needs for its IT systems?

Any large company will need a minimum, such as daily back-up. But then, the question becomes: what happens if they lose one day’s worth of transactions? For some companies, it won’t matter. It’s not a company question though; it’s a nature of the data question. At a university, for example, there are few items that need continuous back-up. When they are doing financial transactions with a vendor, buying and selling supplies and equipment, they might need that back-up. But other data, such as student information and research material, don’t change that often; so if you do it nightly, it may be fine. How should a CIO make a business case for CFOs to invest in redundant IT systems? Do you have an example?

The more a CIO can tie redundancy to the regular business, the more chance he or she will get money for it. You’ll need to go through what could happen if you go down in the same way you justify paying an insurance premium. You’ll also want to look at it as an ongoing process of evaluating the risks you’re facing. By building flexibility into any operation, you can respond better to market changes. The best way to do this is to build in redundancy that can help the business even before disaster strikes. For example, when you buy desktop computers, don’t throw the old ones out—keep them as excess capacity. CIOs have to think about how to help the main vision of the business, which is to be profitable and increase the stock price. Having this redundancy on the IT side not only gives us insurance, but also the flexibility to handle surges in demand when necessary. OK, but what happens if you’re really trying to cut costs in IT?

This is the big problem. Let’s say you get prepared and, in the best of all worlds, nothing happens. The CEO asks: ‘Why are we wasting this money?’ You’ve got to try to prove your point through benchmarking. It’s hard to do because people don’t get promoted based on cost avoidance. It doesn’t show anywhere in the books. All managers, not just CIOs, face this. You can benchmark against leaders in the industry and present the consequences of not doing this. In the end, it’s a management decision.

The truth is, you’re never sure you are prepared for the right thing. But if you build in some redundancy or flexibility, it doesn’t matter if it’s a hurricane, an earthquake or a strike. You’ll be ready for anything regardless of the problem.


Are some people investing too much in redundancy?

No, because the pressure to cut costs is so intense that you don’t see companies overdoing it. Individuals may overinsure and buy unnecessary warranties. But, most corporations tend not to do it. What’s the best way to figure out the main risks for your company?

You want to have a brainstorm of all things that could go wrong and then plot them on a probability-versus-severity axis. Some events are very likely, but don’t threaten the survival of the company. For example, demand for a product is lower or higher than we thought, or a truck has an accident. Other potential disasters require more central planning, but aren’t likely to happen, such as 9/11, Katrina or the Exxon Valdez oil spill. All these things require the company to develop redundancy even if the probability is low. You’ll have to plan for what you’ll do because you’ll also have fear among employees and customers, and the government may overreact. Even after 9/11, most of the economic damage came from the closing of our borders, not the actual attacks. Ford lost 13 percent of its fourth quarter production in 2001. They had convoys of trucks with parts coming from Canada and Mexico that couldn’t get into the country. When foot and mouth disease hit England, the government closed farms and culled livestock. To show they were in control, they also closed the countryside to tourists. Damage was 2.5 times larger to the tourism industry than to the agriculture industry.

What’s the one thing that’s keeping CIOs up at night right now?

First of all, we are still in the era of IT viruses, which is an ongoing battle. Aside from that, IT and all the other functions are tied together. If the computers are down, the supply chain won’t move. And if we can’t buy the material [from suppliers], there is nothing to sell. Companies that do risk management well usually do it with cross-functional teams. In many cases, the CIO is leading the group because the impact of losing IT infrastructure could be so severe. But it goes beyond that. I just talked to Procter & Gamble, for example. Their Folgers plant in New Orleans got flooded after the hurricane. But their problem was not the plant—they knew how to get it up and running again. Their problem was that they didn’t have electricity, water or workers. So, they dug a well to get water to the plant. And, in general, they have expanded the way they do risk profiles to include not only IT systems, which may go down, but also the support systems outside the plant. Companies have to expand the way they look at disaster planning and start looking beyond their own facilities to the greater ecosystem around them.

Send feedback on this interview to editor@cio.in



Data Security

19 Ways to Build Physical Security Into a Data Center

By Sarah D. Scalet

They are among your most important assets. Here’s what to keep in mind when building security into their design.

Feature - Data Security.indd 48

At information-intensive companies, data centers don’t just hold the crown jewels; they are the crown jewels. Protecting them is a job for whiz-bang technologists, of course. But just as important, it’s a job for experts in physical security and business continuity. That’s because all the encryption and live backups in the world are a waste of money if someone can walk right into the data center with a pocket knife, a camera phone and bad intentions.

There are plenty of complicated documents that can guide companies through the process of designing a secure data center—from the goldstandard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association. But what should be the CSO’s high-level goals for making sure that security for the new data center is built into the designs, instead of being an expensive or ineffectual afterthought? Read below to find out how a fictional data center is designed to withstand everything from corporate espionage artists to terrorists to natural disasters. Sure, the extra precautions can be expensive. But they’re simply part of the cost of building a secure facility that also can keep humming through disasters.

1. Build on the right spot. Be sure the building is some distance from headquarters (20 miles is typical) and at least 100 feet from the main road. Bad neighbors: Airports, chemical facilities, power plants. Bad news: Earthquake fault lines and (as we’ve seen all too clearly this year) areas prone to hurricanes and floods. And scrap the ‘Data Center’ sign.

2. Have redundant utilities. Data centers need two sources for utilities, such as electricity, water, voice and data. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building, with water separate from other utilities. Use the data center’s anticipated power usage as leverage for getting the electric company to accommodate the building’s special needs.

3. Pay attention to walls. Foot-thick concrete is a cheap and effective barrier against the elements and explosive devices. For extra security, use walls lined with Kevlar.

4. Avoid windows. Think warehouse, not office building. If you must have windows, limit them to the break room or administrative area, and use bomb-resistant laminated glass.

5. Use landscaping for protection. Trees, boulders and gulleys can hide the building from passing cars, obscure security devices (like fences), and also help keep vehicles from getting too close. Oh, and they look nice too.

6. Keep a 100-foot buffer zone around the site. Where landscaping does not protect the building from vehicles, use crash-proof barriers instead. Bollard planters are less conspicuous and more attractive than other devices.

7. Use retractable crash barriers at vehicle entry points. Control access to the parking lot and loading dock with a staffed guard station that operates the retractable bollards. Use a raised gate and a green light as visual cues that the bollards are down and the driver can go forward. In situations when extra security is needed, have the barriers left up by default, and lowered only when someone has permission to pass through.

8. Plan for bomb detection. For data centers that are especially sensitive or likely targets, have guards use mirrors to check underneath vehicles for explosives, or provide portable bomb-sniffing devices. You can respond to a raised threat by increasing the number of vehicles you check— perhaps by checking employee vehicles as well as visitors and delivery trucks.

9. Limit entry points. Control access to the building by establishing one main entrance, plus a back one for the loading dock. This keeps costs down too.

10. Make fire doors exit only. For exits required by fire codes, install doors that don’t have handles on the outside. When any of these doors is opened, a loud alarm should sound and trigger a response from the security command center.

11. Use plenty of cameras. Surveillance cameras should be installed around the perimeter of the building, at all entrances and exits, and at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.

12. Protect the building’s machinery. Keep the mechanical area of the building, which houses environmental systems and uninterruptible power supplies, strictly off limits. If generators are outside, use concrete walls to secure the area. For both areas, make sure all contractors and repair crews are accompanied by an employee at all times.

13. Plan for secure air handling. Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air rather than drawing in air from the outside. This could help protect people and equipment if there were some kind of biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminants.

14. Ensure nothing can hide in the walls and ceilings. In secure areas of the data center, make sure internal walls run from the slab ceiling all the way to subflooring where wiring is typically housed. Also make sure drop-down ceilings don’t provide hidden access points.

15. Use two-factor authentication. Biometric identification is becoming standard for access to sensitive areas of data centers, with hand geometry or fingerprint scanners usually considered less invasive than retinal scanning. In other areas, you may be able to get away with less-expensive access cards.

16. Harden the core with security layers. Anyone entering the most secure part of the data center will have been authenticated at least three times, including:

- At the outer door. Don’t forget you’ll need a way for visitors to buzz the front desk.
- At the inner door. Separates visitor area from general employee area.
- At the entrance to the ‘data’ part of the data center. Typically, this is the layer that has the strictest ‘positive control,’ meaning no piggybacking allowed. For implementation, you have two options:
  - A floor-to-ceiling turnstile. If someone tries to sneak in behind an authenticated user, the door gently revolves in the reverse direction. (In case of a fire, the walls of the turnstile flatten to allow quick egress.)
  - A ‘mantrap.’ Provides alternate access for equipment and for persons with disabilities. This consists of two separate doors with an airlock in between. Only one door can be opened at a time, and authentication is needed for both doors.
- At the door to an individual computer processing room. This is for the room where actual servers, mainframes or other critical IT equipment is located. Provide access only on an as-needed basis, and segment these rooms as much as possible in order to control and track access.

17. Watch the exits too. Monitor entrance and exit—not only for the main facility but for more sensitive areas of the facility as well. It’ll help you keep track of who was where when. It also helps with building evacuation if there’s a fire.
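To make the ‘mantrap’ and exit-monitoring tips above concrete, here is an added example (written for this page; it is not code from the CSO article or from any access-control vendor) of the interlock logic such a door controller enforces: only one door open at a time, a badge checked at both doors, a lockdown when the airlock’s occupancy sensor reports more than one person, and an event log that answers ‘who was where when’. Badge numbers, zone names and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set


class Door(Enum):
    OUTER = "outer"   # between the general employee area and the airlock
    INNER = "inner"   # between the airlock and the computer room


@dataclass
class Event:
    at: datetime
    badge: str
    door: Optional[Door]   # None for guard actions such as a reset
    action: str            # "open", "close", "deny", "alarm" or "reset"
    reason: str = ""


class MantrapController:
    """Two-door mantrap interlock: one door open at a time, a badge checked at
    both doors, lockdown on piggybacking, and an event log of who went where."""

    def __init__(self, authorized: Dict[str, Set[str]], zone: str) -> None:
        self.authorized = authorized            # badge -> zones the holder may enter
        self.zone = zone
        self.open_door: Optional[Door] = None
        self.opened_by: Optional[str] = None
        self.in_airlock: Optional[str] = None   # badge of the person in the airlock
        self.inside: Set[str] = set()           # badges currently in the computer room
        self.locked_down = False
        self.log: List[Event] = []

    def _deny(self, at: datetime, badge: str, door: Door, reason: str) -> bool:
        self.log.append(Event(at, badge, door, "deny", reason))
        return False

    def request_open(self, at: datetime, badge: str, door: Door) -> bool:
        """A badge is presented at `door`; True means the door unlocks."""
        if self.locked_down:
            return self._deny(at, badge, door, "mantrap locked down after alarm")
        if self.open_door is not None:
            return self._deny(at, badge, door, f"interlock: {self.open_door.value} door is open")
        if self.zone not in self.authorized.get(badge, set()):
            return self._deny(at, badge, door, "badge not authorized for this zone")
        if self.in_airlock is None:
            # Airlock empty, so this is the first door of a trip: entering starts
            # at the outer door, leaving starts at the inner door from the room.
            if door is Door.INNER and badge not in self.inside:
                return self._deny(at, badge, door, "not inside the room; use the outer door")
            if door is Door.OUTER and badge in self.inside:
                return self._deny(at, badge, door, "badge is recorded as inside the room")
        elif self.in_airlock != badge:
            # The second door must be opened by the person who was admitted.
            return self._deny(at, badge, door, "badge differs from airlock occupant")
        self.open_door, self.opened_by = door, badge
        self.log.append(Event(at, badge, door, "open"))
        return True

    def door_closed(self, at: datetime, occupancy: int) -> bool:
        """Door sensor reports the open door shut; `occupancy` = people in the airlock."""
        if self.open_door is None:
            raise ValueError("no door is open")
        door, badge = self.open_door, self.opened_by
        self.open_door = self.opened_by = None
        self.log.append(Event(at, badge, door, "close", f"occupancy {occupancy}"))
        if occupancy > 1:
            self.locked_down = True                 # positive control: no piggybacking
            self.log.append(Event(at, badge, door, "alarm", "piggybacking suspected"))
            return False
        if occupancy == 1:
            self.in_airlock = badge
            self.inside.discard(badge)              # leaving the room puts them in the airlock
        else:
            if door is Door.INNER and self.in_airlock == badge:
                self.inside.add(badge)              # stepped from the airlock into the room
            self.in_airlock = None
        return True

    def reset(self, at: datetime, guard_badge: str) -> None:
        # The security command center clears the alarm after checking the airlock.
        self.locked_down, self.in_airlock = False, None
        self.log.append(Event(at, guard_badge, None, "reset"))

    def occupants(self) -> List[str]:
        return sorted(self.inside)


def walk_through() -> MantrapController:
    """Constructed scenario: B100 may enter room A, B200 may not; B100 walks in."""
    ctl = MantrapController({"B100": {"room-A"}, "B200": {"lobby"}}, zone="room-A")
    t0 = datetime(2006, 5, 15, 9, 0, 0)
    ctl.request_open(t0, "B100", Door.OUTER)                          # unlocks
    ctl.request_open(t0 + timedelta(seconds=1), "B100", Door.INNER)   # denied: outer door open
    ctl.door_closed(t0 + timedelta(seconds=5), occupancy=1)
    ctl.request_open(t0 + timedelta(seconds=6), "B200", Door.INNER)   # denied: not authorized
    ctl.request_open(t0 + timedelta(seconds=7), "B100", Door.INNER)   # unlocks
    ctl.door_closed(t0 + timedelta(seconds=10), occupancy=0)          # B100 is now in room A
    return ctl
```

The `log` list is the record a guard would consult after an incident; every denial keeps its reason so that repeated interlock or authorization failures at one door stand out.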

18. Prohibit food in the computer rooms. Provide a common area where people can eat without getting food on computer equipment.

19. Install visitor rest rooms. Make sure to include bathrooms for use by visitors and delivery people who don’t have access to the secure parts of the building.


Reprinted with permission. Copyright 2006. CSO. Send feedback on this column to editor@cio.in

The Security Proposition

The CIO Focus Security events showed that the future of security vendors in India depends not just on awareness of security outsourcing, but also on a better understanding of information security itself.

Photos by Srivatsa Shandilya

With vulnerability issues and risk mitigation increasingly dominating technology management, CIOs are required to oversee the safety of their organization’s assets, intellectual property and computer systems, and to identify protection objectives and metrics consistent with corporate strategic plans. Indian enterprises are increasingly under threat. At least 58 percent, according to a PricewaterhouseCoopers study, have faced between one and two security breaches. This figure tops six breaches for almost a fifth of all organizations. The study states that the vulnerabilities have shown a rate of increase of over 40 percent year-on-year. Curiously, while most enterprise architectures are designed to keep the bad guys out, they are also intended to make it easy for the good guys to get in. Is it surprising then that CIO-PwC research shows that 33 percent of all infosecurity attacks on enterprises stem from employees? Given this, how can a CIO keep an enterprise’s strategic information assets safe both from within and without?

One of the ways by which CIOs (and in some cases CSOs) are tackling this is by turning to outsourcing their infosecurity needs. It was to explore this option that CIO organized panel discussions as part of the CIO Focus-Security series of events across Delhi, Mumbai and Bangalore. The opinions from the panelists and delegates were at times refreshing and sometimes startling (see graphic).

“Security is the top priority for many companies because lack of security implies loss of reputation and business,” said S. ‘Kris’ Gopalakrishnan, COO, Deputy MD and Head–Technology, Infosys Technologies. And, it doesn’t get more critical than at the country’s premier bourse, the Bombay Stock Exchange (BSE). As its Chief Technology Advisor S.B. Patankar detailed, BSE chose to adopt the outsourcing path as it realized that it couldn’t take care of its infosecurity requirements all by itself. It was also a tactical move, he said. Echoing this, S.R. Balasubramanian, Executive VP of ISG Novasoft, the IT arm of the KK Birla group, believes that the time has come when enterprises and CIOs should concentrate on their core competencies and leave the non-core areas for the experts. “Security planning and policy are the most critical areas that can help users gain control over information security. These two can be kept in-house, while the rest including deployment of security — firewalls, intrusion detection systems and anti virus/spam — and their monitoring can be outsourced,” he pointed out.

With Indian companies aspiring to become global entities, and their databases correspondingly growing manifold, huge investments in information security may seem inevitable. In this regard, a point most fundamental to the security outsourcing debate emerged at the Mumbai forum. “There is still low understanding and appreciation of security within enterprises,” said Nandkumar Sarvade, Director (Cybersecurity and Compliance), Nasscom. It is an observation backed by numbers. The investment made on enterprise information security in India is not more than Rs 45 crore, according to Frost & Sullivan. Juxtapose that figure against the $5.8 billion spending on IT security in other countries, according to Gartner. When read collectively, Sarvade’s observation and the India figures are a bit disheartening.

But a number of panelists, especially those from IT/ITeS companies at the discussions, also highlighted some of the increasing dangers to information in today’s dynamic environment:

- Threats exist in applications too, not just the network.
- One can get systems certified, but the certification only applies to the current state of the system. What if the state changes?
- Many companies face high attrition. How does one limit access when an employee leaves or stops turning up for work? Does the firm have a policy in place that defines what happens to the employee’s access privileges, say 24 or 48 hours after he goes missing?

Putting policies in place is thus key not only to having a sane security strategy, but also to permitting parts of it to be run by a service provider. “Before outsourcing it is critical to put one’s house in order,” said Patankar. A majority of the panelists were vehement that security policies needed to be clearly defined before an outsourcing decision is taken. Otherwise, it won’t work for either party, they reiterated. In fact, some panelists felt that all enterprises needed to concentrate on was to establish a risk management approach and leave the rest to managed security service providers. Currently, a large company’s approach might lie in “need-based outsourcing”, as Hilal Khan, IT head of Honda Siel Cars India, put it. He suggests mapping risk within the organization that can stem from people, technology and processes and then taking a decision on need-based outsourcing. “If I have enough in-house competencies, I would keep security under my control. Else, outsource it,” he said. Security outsourcing in India is still not a norm and if the user loses control over security policy and procedures, chances are that the vulnerabilities might hit you hard, he pointed out. In this context, Prof. Venugopal Iyengar, president ISACA (Mumbai Chapter), observed, “It’s not the best of security that’s important; it’s the business workflow that’s important.” Pertinently, Satish Pendse, CIO of Hindustan Construction Company, said that SLAs (service-level agreements) must derive from business goals, and not technological ones.

“How would you address concerns that stem from the business process perspective?” — Sivarama Krishnan, Associate Director, Security and Technology Services, Business Solutions, PwC

The success of security outsourcing solutions depends on large organizations, which have hitherto spent crores in building and monitoring security infrastructure, as much as it does on the efficacy of managed security services providers (MSSPs). But before arriving at that point of the process, can companies be expected to count on security vendors to keep their information secure? “The vendor’s reputation is also at stake here, so it could be safe to outsource security,” said Kris Gopalakrishnan. “In any case, an independent audit is important, and you need to outsource at least that part. In effect, a part of security can be outsourced, though all of it cannot,” he added.

One thing is for sure, though: whether companies outsource security or not, they must build a level of security expertise within. Gartner analysts Kelly M. Kavanagh, Mark Nicolett and John Pescatore recently pointed out that “using an MSSP for monitoring and configuration management does not eliminate the need for internal expertise”. In fact, they believe that internal expertise is imperative to monitor the effectiveness of an MSSP. “In the absence of in-house expertise, the partner can take you for a ride and this could be disastrous,” said Rajeev Seoni, VP IT, Flextronics Software Systems. Balasubramanian said that even if you agree to outsource the security to a third party it’s important to check on two very important things: the competency of the third party and a strict way of measuring the SLA.

Speakers pictured: Kalyan Varma, Security Consultant, Secuprise; Sanjiv Mathur, Director, Enterprise Marketing, Microsoft India; Stree Naidu, Country Manager, South Asia, Tumbleweed; Martin Grasdal, Security Consultant.

Most of the panelists at the forum in Bangalore were optimistic about security outsourcing. The panel included (from left) Col. Arvind Saksena, CIO of Air Deccan, S. Gopalakrishnan, COO of Infosys, Abnash Singh, Group CIO of Mphasis, and Nataraj N., Global IT Head of Aztech Software.

The Mumbai panel, comprising (from left) Prof. Venugopal Iyengar, President of ISACA Mumbai Chapter, S.B. Patankar, Chief Technology Advisor of BSE, Nandkumar Sarvade, Director (Cybersecurity & Compliance) of Nasscom, and Satish Pendse, CIO of Hindustan Construction Company, asserted that security outsourcing is possible with proper in-house controls in place.

To Trust or Not to

At the Bangalore forum, Col. Arvind Saksena, CIO of Air Deccan, stuck to his guns on the subject. “Would you ever give the keys of your house to somebody else or plant your grapes on the fence? The stakes are very high, and you cannot outsource security. You have to build the capability to manage security in-house, and you must be able to manage and monitor things on your own. Failing this, your company itself may not survive,” he asserted. However, the industry is also aware that in a competitive environment, it won’t always be feasible for companies to develop core competencies in network and information security. It’s the primary reason why they are gradually outsourcing non-critical parts of their security infrastructure without losing control over it. BSE’s Patankar agreed at the Mumbai panel discussion, “We outsourced part of our infosecurity requirements because we couldn’t do it all by ourselves.” Just as large organizations like the BSE have, companies will feel the need for expertise in information security not available in-house. Other motives, according to analysts, include faster responsiveness and avoiding additional hiring. Significantly, reduction of current levels of spending is not a primary driver for outsourcing security functions. “The reason a company outsources security cannot be for costs. The critical question is: which vendor can support me better?” emphasized Nataraj N., Global IT Head, Aztec Software. It was a point that Kris Gopalakrishnan reiterated while delving on the factors to look out for when choosing a security vendor, “You must make sure that you go to an expert who packs certification. You must consider their capabilities, their reputation, and the investments they’ve made in the security arena.” Pointing out that outsourcing ought not to be merely transactional, Abnash Singh, Group CIO, Mphasis, had specific advice for those considering an MSSP alliance: “When you outsource security, make sure that you are dealing with a vendor who is keen on building a relationship, and not just in chasing revenues.”

As of now, the biggest challenge for MSSPs is to generate awareness of what exactly they bring to the table. This was evident at the Mumbai forum. Prior to the panel discussion, a little more than 40 percent of the IT decision-makers in Mumbai were willing to outsource information security. Post discussion, the figure shot up to 78 percent. Interestingly, the ‘can’t say’ category declined from 31 percent before the panel discussion to 12 percent after its conclusion. It has taken more than a decade for India’s IT leaders to sell the idea of IT itself and its applications to their managements. So, even before MSSPs hope to demonstrate their expertise with performance, they will have to ensure clarity of their services and capabilities to India Inc. Undoubtedly, there is a potential market for MSSPs. Apart from large enterprises for which outsourcing might prove inevitable, there are several medium-sized businesses in the country, for which in-house infosecurity – whilst critical – might not be feasible along their path of growth. Don’t forget, an internal investment on security for these businesses entails spending on specialist manpower, equipment and its maintenance, apart from legal expertise. So, at its nascent stage, the idea of security outsourcing is likely to endear itself more to organizations of their size rather than the behemoths that have a lot more critical information to protect. Yet, some companies remain circumspect of the possibilities. “We can outsource all secondary functions, but the risk has to be carefully assessed and the administration/management of security controls will be kept in-house,” said Arindam Bose, General Manager IT, LG Electronics India. Col. Saksena concurs: “You could outsource monitoring, auditing and consulting, but I’d never outsource the management of security itself.” The onus, as ISG Novasoft’s Balasubramanian noted, would be on the service level agreement.

While the panel discussions did shed light on the possibilities surrounding information security, they did highlight that the outsourcing option is not yet part of companies’ long-term plans. BSE’s Patankar was among the few who noted the broad implication of security outsourcing: “The chief purpose of outsourcing is to allow a CIO to concentrate on strategic objectives.” The companies that are mildly optimistic about security vendors are those which invariably turn to them when security demands rise beyond control. Is it too late in the process? And in such a scenario, isn’t it just as critical to develop in-house expertise to simply monitor security vendors? Hilal Khan of Honda Siel Cars India added another note of caution: “It is important to draw a line between the perceived security threats and the hype created by managed security service providers.” As was the case with IT in its nascent stages in India, the outsourcing option demands a change in mindset even before companies put their money where their mouth is insofar as security vendors are concerned. And Pendse, while recommending that the best approach to outsourcing was a cautious one, said: “Control, policies and monitoring shouldn’t be outsourced.”

The Delhi panel felt that 'need-based' security outsourcing is the way to go. It consisted of (from left) S.R. Balasubramanian, VP, ISG Novasoft, Hilal Khan, Head-IT, Honda Siel Cars India, Rajeev Seoni, Head-IT, Flextronics Software, and Arindam Bose, Head-IT, LG Electronics India.

[Graphic: ‘Should Security Be Outsourced?’ Results of the delegate poll taken before and after the CIO Focus Security panel discussion in Mumbai, Delhi and Bangalore, broken down into yes, no and maybe responses.]


Investigation

How to Spot a Liar

Interviews and interrogations in the corporate world call for such a vast set of traits that even questioners can be put to the test in drawing out information — sometimes even confessions — from employees.

By Daintry Duffy

Illustration by Binesh Sreedharan

We’re used to seeing interrogation scenes on TV—the bare lightbulb, the sweaty, hostile detective, you know the drill. But how do investigations play out in the corporate world, when the questioner wears a suit rather than a gun holster, and the chilling environs of a police room are replaced by the bland layout of a corporate office? Here are four things to know about conducting interviews and interrogations that yield results.

Know What You’re Stepping Into

An interview and an interrogation serve very different purposes, so treat them differently. In an interview, the questioner is still gathering information. The investigation is ongoing. In an interrogation (like the made-for-TV vignette), an investigator believes he already knows what the subject did. The goal is to get a confession or a confirmation from the subject about what happened. Mixing interviewing with interrogation is a common mistake even among seasoned law enforcement professionals, says Nathan J. Gordon, co-author of Effective Interviewing And Interrogation Techniques, who trains police and security officers on interviewing skills as director of the Academy for Scientific Investigative Training in Philadelphia. During an interview, the investigator asks questions but lets the subject do most of the talking. An interview should last no more than 20 or 30 minutes, the length of the average person’s keen attention span. The mood should be non-accusatory. “Once you become accusatory in an interview, you have biased everything you are collecting. And when you ask informational questions in an interrogation, you’re saying that you don’t know whether that person did it,” says Gordon. “You’re looking at a disaster.” An interrogation on the other hand goes as long as is necessary. You do 95 percent of the talking, presenting your evidence and coaxing a confession from the subject. To be successful, you have to recognize the battle going on within a guilty subject and use it to your advantage. Subjects are torn between the desire to relieve their conscience by confessing and the fear of punishment. If you take a non-threatening approach, you can diminish a subject’s fear of punishment and increase his desire to confess. “My concept of an interrogation is that I know you did it and I’m here to help you,” Gordon says. “I don’t believe in yelling, screaming or threatening.”

Watch What They Say—and How They Say It

It’s a given that most employees who are brought into an investigative interview are going to be nervous, whether or not they have done something wrong. (Remember, they have also seen the cop shows on TV, and may have expectations—or if they have something to hide, seek to avert attention from themselves.) Asking simple questions like name, address, marital status, schooling and so on, gives you a chance to analyze the subject’s truthful behavior in this heightened state and establish your own authority. You should also take this opportunity to create some rapport with the subject and make a little conversation. Maybe you both went to the same school or live in the same town. “People who are alike, like,” says Gordon. If you can get the subject to relax early on, it will make any stressful or deceptive behavior she exhibits later all the more clear. Gordon developed the Forensic Assessment Interview and Integrated Interrogation Technique, or FAINT, a test composed of approximately 30 questions that can fit almost any investigative interview. The format gives interviewers the chance to analyze a subject’s verbal and non-verbal responses for truthful or deceptive behavior. As you progress further into the interview, start asking more projective questions, like “What is this interview and investigation about?” and “When the person who did this is caught, what do you think should happen to him or her?” These questions allow you to analyze common verbal cues, so that you can be alert for signs of deceptive behavior. Truthful people are usually more helpful and talkative and will try to narrow the investigation. For example, suppose a large sum of money goes missing from an employee’s desk. During interviews, two employees are asked who they think took the money. Employee 1 says, “Several of us had the opportunity, including me, I guess. Betty is the only person who couldn’t have done it; she was out sick.” Employee 2 says, “I didn’t see anything, but anyone could have taken it, even someone from outside the department. I was with Tom all day, so it couldn’t have been me.” The second employee’s response has some common earmarks of deceptive behavior. A person seeking to mislead a questioner often claims to have no information and will try to broaden the investigation to create as many subjects as possible, says Gordon. Truthful people will often admit that they had the opportunity, but will exclude others whom they know to be innocent. Deceptive people often make broad statements to exclude themselves from suspicion, but rarely exclude others. Your demeanor as an interviewer influences the outcome. If the interviewer seems competent, a truthful person will become less nervous as his fear of being wrongly accused dissipates. In that same situation, a guilty person becomes increasingly nervous as his fear of being correctly identified as the culprit increases. When asked what should happen to the culprit, a truthful person will often make a strong decisive response: “He should be fired, required to repay the money and serve time in jail.” A deceptive person usually responds in vaguer terms: “Well, that’s not up to me. It depends on why he did it.”

You have to be aware of your body posture during an interview. Often, people will subconsciously mimic the body posture of a superior to curry favor.

Watch What They Do

A subject’s physical behavior during an interview can also provide you with a great deal of information. The nonthreatening questions that you used to open the interview are critical because they give you a chance to make a baseline observation of a subject’s physical demeanor and record any changes that take place as the questions get more sensitive. Gordon breaks physical behaviors down into three categories: emblems, illustrators and adaptors. An emblem is a nonverbal response that expresses a person’s complete feelings with no words required. For example, when asked how he feels about being interviewed, the subject puts a hand to his face and scratches his nose with the middle finger extended. He may not be conscious of the message he has sent, but the raised middle finger means the same thing here that it means when he does it on the highway at rush hour. “Emblems are very accurate to a person’s true feelings,” says Gordon. Illustrators and adaptors are nonverbal responses that accompany a verbal response. Illustrators enhance the listener’s ability to understand the meaning of the verbal message. Adaptors distract from it. When a subject puts his hand on his heart and says, “I didn’t do it!” that physical gesture reinforces his statement. Illustrators are generally a sign of honesty. If that same subject professed his innocence while wiping his hand over his mouth, that would be an example of an adaptor. This physical response makes his verbal message harder to understand. In this case, this would be a sign of deception. By observing a subject’s body language during an interview, you can glean quite a bit of information. Truthful people tend to present an open posture, while deceptive people will cross their arms defensively or stretch out their legs to increase the distance between them and you. A subject who gestures away from her body while speaking may be subconsciously trying to distract you from herself as the topic of conversation. Stressed people often pat themselves on the leg or stroke their own arm for tactile comfort. The crossing and uncrossing of legs can be a sign of discomfort. Yawning also can signal a person’s stress as the fight-or-flight response kicks in and a nervous subject’s body requires more oxygen. (A yawn can also mean fatigue, or convey a defensive posture, the way a lion bares its teeth when threatened.) It’s also important to be aware of how cultural differences can affect a subject’s physical gestures and their interpretation. Gordon points out that lack of eye contact, or changes in eye contact, are generally interpreted as a sign of deception in US business culture. But in the Hispanic community, for example, it is considered disrespectful to stare in the eyes of a superior. Finally, you have to be aware of your own body posture during an interview. People will often subconsciously mimic the body posture of a superior to curry favor—putting their hands in their pockets or crossing their arms when their boss does because they want to project that “I’m like you”. Make sure you present an open body posture during the interview. This does two things. First, it prevents a subject from accidentally mimicking a defensive posture. Second, if a subject deviates from truthful posturing to a deceptive posture, it makes that change more meaningful.

Pick the Right Setting

The location of the encounter can also contribute greatly to its success. Again, it’s important to know what kind of question-and-answer session is appropriate. Interrogations should always take place in your office, never at a subject’s home or office where he feels more secure and is less apt to confess to wrongdoing. The location of an interview, on the other hand, may vary. Here are some more tips for designing an appropriate interview space: The room should be non-threatening and not too small. Gordon suggests a 9-by-9 space. The room should contain a desk, a few chairs and bland artwork. There should be nothing on the wall that the subject will face. Two chairs should be set up with nothing between them so that the subject has no physical barrier to reduce stress. You can also thus view the subject’s entire body language. The chairs should be a social distance apart (3-4 feet) for an interview. For an interrogation, use chairs on casters, so that you can move into the subject’s personal space. Your chair should be higher than the subject’s chair to create a sense of superiority. Also, if you have others in the interview room—whether it’s a subject’s supervisor, or a representative from legal or HR—have those people sit quietly behind the interview subject so as not to be a distraction, says Gordon.

Reprinted with permission. Copyright 2006. CSO. Send feedback on this feature to editor@cio.in


View from the Top

Broadening the Base

R. Ramaraj, MD & CEO, Sify, believes that the company’s business model can be just as successful in other developing markets as it has been in India.

By Balaji Narasimhan

Unlike IT companies that specialize in portals, connectivity, or corporate services, the Rs 468-crore Sify has played a hand in shaping all three domains. While such an approach may seem unfocused, MD & CEO of Sify, R. Ramaraj, avers that it represents a solid convergence of capabilities, which have stemmed from Sify being an early mover. It got into the ISP space to expand the market for its portal, and then made its foray into corporate services based on the tools it developed to administer its internal activities. The company is convinced that this is the right way forward, and all its plans revolve around this mantra.

CIO: Why do you think broadband has been slow to take off in India?

View from the Top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs. Coming June 1: A. M. Naik, Chairman & MD, Larsen & Toubro


R. Ramaraj: Broadband has been successful in places where its penetration into homes is in the 70 to 80 percent range. You will find this in places like Korea or Japan because the existing infrastructure has been leveraged for multiple applications—what they call unbundling of the last mile. Look at the success of the cable industry—we have close to 70 million cable homes. This is because there are so many small players who have gone and rolled out all these services. If you had regulated it, we would have had a big challenge in terms of penetration. Entrepreneurship, reach, innovation—these have got us cable. Everybody knows the impact broadband can have on small and medium enterprises (SMEs) and homes. Yet, somewhere, we have been ostrich-like and missed the opportunity of unbundling. Our objective as a nation is to have at least 20 million connections by 2010. If this has to happen, one of the areas to be addressed has to be unbundling. Since the last mile is not available, we decided to work with the people who have access to that last mile and make sure that their technologies are robust. We are working with the cable operators. We have asked them to lay a fresh Ethernet cable into homes. We gave them certain specifications and wherever they have followed them, citizens have found enormous quality of service improvements. We have done the same with our own networks. This is how, today, we are the largest private high-speed connectivity company in the country. We are ahead of Airtel and only the BSNL-MTNL combination is ahead of us.

R. Ramaraj, MD and CEO, Sify, expects I.T. to:
- Reach out to the youth with broadband applications
- Handle connectivity, portals and managed services
- Globalize the reach of the company

Photos by Chandroo


It was predicted that broadband would revolutionize the use of IT by SMEs, particularly in non-metro locations. What’s the prognosis now?

Whoever has taken broadband has seen the benefits, not just in India but even abroad. It is proven that productivity increases with good quality connectivity. Take phones, for instance. At one time, we checked phones for a dial tone. Today, we take that for granted. Today, as we travel, we don’t stand in lines to book trunk calls. To pick up a phone, connect to anybody and get your job done is something that is taken for granted. Connectivity, therefore, is critical to productivity for small and big enterprises alike. Big enterprises can take leased lines and VPNs (Virtual Private Networks). For smaller companies, broadband connectivity would help connect to their principals and agents, by which they can communicate better. All these have a serious impact. For instance, we found that some of these people wanted their IT managed because they can’t hire and keep a CIO. What they were looking for was things like storing emails and documents digitally. SMEs find this very useful because all they want to do is sit in front of a PC, send their emails, and then forget about it. When they need to retrieve something, all that data is stored, indexed and filed by us.

Why is there so much dark fiber in India? As with a road, I think that we need to have the highways in position. Many of the large telephone companies and others like the railways have done yeoman’s service by getting the fiber in the ground. After this come applications. A lot of the usage going on today is on just regular voice. I think that usage can go up significantly if VoIP is allowed. Today, an ISP cannot provide VoIP within the country; they can only do it internationally. You open this out, and that itself will take care of things. The second challenge is that if you allow the last mile to be opened up, you will get far more customers. The moment you have customers, you have enough entrepreneurs who will come up with applications. The restriction on applications and services is the main reason why there is no adequate usage.

What’s been the response to SifyMax? First of all, all our iWays have broadband. Additionally, we have high-speed connectivity piped into homes. Since there is so much broadband connectivity available, people are looking for video, both locally and internationally. SifyMax is all about video. We had, for example, cricket streaming for the India-England series live on SifyMax. People have also appreciated our video scorecard because they can see the highlights of the day on video. We are also pushing ahead with reality shows like Indian Idol. We find that youth from rural India, many of whom want to participate, look at these shows. They are able to look at the archives to see where somebody said the right thing and where they goofed up. They use SifyMax to learn these lessons, so that they can come better prepared to participate. We find that a lot of youngsters like such services.

“Our vision statement is to make the Internet work for you, and that is not limited to either enterprise or consumers.” — R. Ramaraj

Sify’s operations cover portals, retail connectivity and technology services. Why this diversity? When we started Sify, one of the things we found was that there was not good infrastructure in the country. Therefore, we decided to get into the infrastructure business. In a developing market like this, being in the infrastructure side can, by itself, be a significant value addition to the customer. We have ended up being the first private builder of IP networks in the country. By then, we already had Sify.com, the portal, because we wanted to be on the content side. What we have always looked for is: is there a synergy in the businesses that we are in? Our vision statement is to make the Internet work for you, and that is not limited to either enterprise or consumers. Bandwidth is the most expensive item in our cost lines, and we found that we could use this bandwidth very effectively with the enterprise customers between 9 AM and 5 PM and the home customers from 5 PM to 9 AM. We also found that many tools that we developed on the consumer side of the business could be used in the enterprise, and vice versa. For example, we have done remote monitoring and management of our iWay PCs. We have nearly 30,000 PCs, and a team of about 18 can monitor and manage these desktops from Chennai. Eighty percent of all problems are resolved centrally and remotely. It is only when there is a physical breakdown that we send our personnel. We are able to use the same system for the enterprise side now, where we are offering remote monitoring and management.

Do you intend to change this mix? We have leadership in these businesses—very clear leadership. I think that the market in India is lagging behind China by a few years and therefore we think there should be explosive growth of the Internet in India if a few things could happen. All these tools and the skill sets that we have can be taken globally into similar markets because we have global delivery capabilities. We have international customers for our remote management services. We could even take the iWays to places like Brazil, Vietnam or the Philippines. Looking at it, I think we will stay with these three businesses. We will try and grow them faster, based on opportunities, both in India and internationally.

iWay cafes have expanded from 95 to 153 cities. How do you manage scaling up? Actually, a lot of the effort was made in the past. There were a number of companies in the business of cyber cafes that were not even ISPs. All of them had the concepts right, but I don’t think they had the correct focus on the technologies in which they’d made the investments. Even today, IMRB studies say that around 70 percent of Net users go to cyber cafes, which means that there is still a huge demand for good connectivity. We have to reach as many people as we can, and we have to scale up for this. Going into more cities becomes important. The only way in which this can happen is if we successfully franchise iWays, and also have the technologies to manage them. With this, the customer experience becomes predictable and controlled centrally—not left to the franchisee. Towards this, the first thing we did was start a few iWays of our own to test. But 3,300 iWays are franchised. Here, everything is standardized—the look, feel and design. The franchisee makes the investment and we provide the skill sets required to get knowhow and connectivity because the quality of the connectivity is a key factor of the user experience. We collect all the money because this makes roaming possible. You come into an iWay and use Rs 20; the balance can be used in any other iWay in the country. A lot of business people and students find this useful. If we didn’t have the ability to monitor and manage, we couldn’t have done it. Take anti-viruses for instance. If we just left it to the franchisee, it probably wouldn’t be updated frequently. Since everything is pushed centrally, we don’t have this problem. The central management also helps us with other things like ensuring that all iWays have only legal software.


Sify’s iTest has been used by banks and other entities for online tests. How do you push innovative ways of maximizing backbone use? Bankers and insurance companies are using this feature. I think that we have over 3 lakh people tested. In a way, we are like the Unilever of the virtual world. We are equivalent to it with our distribution strength in the electronic world. If you look at the strength of Unilever’s great brands, it is their enormous distribution. Similarly, we have that distribution today, the reach across so many locations in the electronic world. We have done a lot of things like movie releases or pushing the Indian Idol reality show as I mentioned earlier.

Where do you see Sify in a decade? Our focus has always been on how to make the Internet work. Today, for the year that has just ended in March, we have crossed well over Rs 450 crore in revenue and have generated a net profit for the first time, though we have been profitable at a cash level for nine quarters. We have cash in the bank worth Rs 283.5 crore and no debt. We have a fantastic platform for growth. We will look at opportunities not just in India, but globally. Ten years from now, Sify will be a truly global company, continuing to focus on the Internet space. And hopefully, we will have the same kind of leadership that we enjoy today. We have over 43 percent market share in the enterprise side. In many things we do, we are number one. And we hope that 10 years down the line, we will have that kind of leadership globally in the markets we are in. All this will be possible because of our focus.

How did IT help you attain Maturity Level 5 of CMMI-SW version 1.1? Being an IT company, we drive efficiencies using IT for everything we do, be it capability building, maturity, certification or customer delivery. Our internal IT teams developed and deployed software that integrated the entire delivery flow—from customer requirement gathering (at the pre-sales stage), project management and change management (at the delivery stage) to payment collection after deployment. The data collected by these software systems are valuable in measuring our process capability and satisfying our CMM assessors. It must be remembered that this automation and data collection was being done purely for business efficiency, risk management and delivery management purposes. This is the metric that gets reviewed and analyzed during the business meetings.

SNAPSHOT
Sify turnover: Rs 468 crore (2004-2005)
Employees: 1,910
Points of presence: 171
iWays: 3,300
Retail subscribers: 8,90,000 (dialup and broadband)
Corporate customers: 1,500 plus
CTO: Rustom Irani

Special Correspondent Balaji Narasimhan can be reached at balaji_n@cio.in


Interview | R.K. Singh

Where IT is no Longer an Imposition
By Rahul Neel Mani

Rohit Kumar Singh, IT Secretary, Rajasthan, adheres to Abraham Lincoln’s approach when it comes to implementing e-governance in the state: “If I have ten hours to cut a tree, I shall spend eight hours in sharpening my axe.” For Singh, an e-government can only be successful if a conducive environment is created first.

CIO: Rajasthan is regarded as a state with low literacy levels and scanty industrialization. How does e-governance help?

Rohit Kumar Singh: These observations were true about a decade ago. We certainly missed the bus and haven’t been able to catch up with the likes of Kerala, Maharashtra and West Bengal. But, being a late starter in IT has worked to our advantage. We have access to the best of new and cost-effective technologies, which others haven’t been able to benefit from. We leapfrogged past the stage of having to carry the burden of legacy systems. I’ll say it firmly: we, as a state, are making a virtue out of necessity. So far, IT has not only given us automation and an online presence for various departments, but has also provided us with a different way of working. Process reengineering and change management have had an impact largely because of a very subtle vision of IT that we have implemented in the state.

So far, what has e-governance given Rajasthan?

We are working with a three-fold, multi-pronged e-governance strategy. Investment promotion is the first prong of this strategy. Our state is traditionally known for tourism, and its income is limited to activities around this. But by taking advantage of the national scenario where ‘IT cities’ are getting clogged, we want to promote Rajasthan as the next best IT destination. Jaipur is poised to become the next IT-enabled services destination and we will see that through. Special Economic Zones have been created to that end. These will introduce plug-and-play infrastructure to encourage IT companies to move here. Secondly, we are looking to upgrade the skills of human resources. Our talks with companies pointed to a lack of skilled human resources. Still, companies like Wipro have shown interest in setting shop here. And third comes what I call e-government, as opposed to e-governance, because it’s not about governing electronically but about e-enabling the government. In states like Rajasthan that started late, you need to push the ecosystem both from the demand and the supply side. We have to create a demand for IT in this state. If there is demand and market forces can take care of supply, then e-government will be successful. We, in the IT Department, work as catalysts. We explain to various departments how effective IT could be if it is used wisely. This is also another way of creating ‘buy-in’ from the user departments.

What has your success rate been?

I’d say, we are at 55-60 percent in terms of success. The critical parameter is leadership from the departments. They need to become more proactive in adopting IT. My measure of success, however, is slightly different. Success in IT solutions is measured by the drop in hassles for your clients—both citizens and businesses. For example, we have 200 e-mitra (common services) kiosks running in the state. They have made a huge difference in terms of utility bill payments and other services. It surprises many people that we’ve collected Rs 15 crore in utility payments from 10 kiosks in Jaipur, which is huge by any standards. Our municipal corporations are another success story. I also head the Rajasthan Urban Infrastructure Development Project (RUIDP), and we are involved in a massive e-government project for six of the largest municipal corporations (MCs) in Rajasthan. There is an issue of house tax within these MCs. The departments don’t know who is liable to pay house tax and who’s not. Even before we talked about computerization, we told the MCs to conduct a survey of the houses which come under these areas. Then we created a database of these houses and, from January to March 2006, we saw an increase of over 30 percent in tax collection over the previous year. So, we have infused IT-enablement as well as process change in government departments.

You talked of change management. How effective has it been?

With change management, process reengineering is also important. In a bureaucracy, we tend to get caught up in following rules and forget that they are a means to achieve outcomes. When departments understand that processes need to be changed before IT-enablement, then we can reach the efficiency levels we planned for. Systems, by themselves, cannot bring about change. We have decided to hire a business process reengineering consultant to improve processes in 15 critical departments which involve higher levels of public interaction. Our roadmap is based on where IT-enablement projects stand today and what’s needed for them to advance quickly. For this year, we have asked every department to identify three services that deal directly with citizens. These will be IT-enabled during this fiscal. Change management is not easy in the government sector, but it isn’t as bad as people think. It’s a matter of effectively communicating the benefits of using IT, and then it’s not difficult to change mindsets. Instead of imposing IT on them, we encourage them to demand it.

“In states like Rajasthan, which started late, you need to push the ecosystem both from the demand and the supply side.”

What is the status of project Aarakhi, which is meant to track crime records?

Project Aarakhi tracks criminal cases from cradle to grave. It encompasses lodging an FIR, monitoring investigations, and a database of both stolen properties and criminals. It was piloted in north Jaipur and, after its success, we are rolling it out in other parts of the capital city. It has helped a department that has not found too many good IT implementations across the country. The efficacy of the criminal justice system has improved. That was the most important parameter and we have been able to achieve it. This database is linked (offline) with the National Crime Records Bureau.

What are some of the other initiatives that you’ve taken?

As I have mentioned, I also head the RUIDP, as part of the development of urban infrastructure program. We have received funding worth Rs 1,700 crore for infrastructure projects, including water supply, sewer lines, hospitals, flyovers, etcetera. We have 200 such jobs queued up. There is a need for IT to monitor processes, including payments to contractors and procurement of material electronically. We have about five departments from where we procure electronically, and we’ve had close to 10 tenders worth Rs 100 crore. Now, the contractors also want to procure using IT. We’ve developed a model for e-auctions that’ll facilitate auctions online in real-time, and we’re getting more and more departments to use e-procurement.

What’s your mission for 2007?

With funding worth Rs 10 crore from NABARD (National Bank for Agriculture and Rural Development), we will create 1,000 IT kiosks in rural areas; these will be operated by women entrepreneurs only. It’s a good step to take in Rajasthan, where the gender divide needs to be proactively addressed. We are working out a model for it and have tied up with a reputed university called Vanasthali Vidhyapeeth to train 50 women in 32 districts. We have trained close to 1,600 women so far. We have also launched a Rs 25-crore project called CARISMA (Computerisation & Refinement of Integrated System of Management and Accounts). This will connect 1,100 Panchayats through Asia’s largest wireless network; 182 are already connected. Mission 2007 is to have at least one IT facility in every village of Rajasthan for citizens to access essential services.

Bureau Head North Rahul Neel Mani can be reached at rahul_m@cio.in



Essential Technology

From Inception to Implementation — I.T. That Matters

Winning the Gadget Wars
By Daintry Duffy

CIOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by the latest techno trends.

DEVICES | A double-sided painting by Wassily Kandinsky plays a prominent role in John Guare’s play Six Degrees of Separation. One side, called ‘Chaos’, is a vivid mix of color; all splashes and slashes of paint. The flip side of the painting, titled ‘Control’, is dour, geometric and restrained. The canvas is designed to be set at an angle and spun so that the viewer experiences it as a single work. In one scene, the painting’s owner spins it for a guest, chanting, ‘Chaos, Control, Chaos, Control.’ This mantra should feel familiar to CIOs because it’s a spin cycle that they are all too frequently stuck in. Technologies—particularly those marketed to the individual—are evolving rapidly and in unpredictable ways. Cellphones have morphed into multi-function devices incorporating PDAs, cameras and MP3 players, leaving a trail of obsolete acceptable-use policies in their wake. This places security executives in the uncomfortable position of trying to set controls on a constantly shifting and mutating target. The trickiest aspect of the problem is that many of these technologies are valuable business tools when used with the appropriate security controls. However, all too often, eager employees purchase, download or otherwise acquire these groovy gadgets and programs, and enthusiastically integrate them into their work environment, heedless of the holes they are punching in the company’s security net. Take Skype, the free, downloadable Internet telephony system launched in August 2003. Skype users can make free phone calls to other computers all over the world. A great idea, right? Not if you work in security, because Skype encrypts all of its traffic and skirts firewalls. That’s a bonus for users, but a nightmare for CIOs who can neither monitor nor stop the traffic. In the 51 days following Skype’s launch, the company registered an impressive 1.5 million downloads and 100,000 simultaneous users. When programs like this catch on, they spread like dandelions in spring. At its one-year anniversary, Skype boasted approximately 9.5 million subscribers and 1.5 million users per day. So how does a CIO kill the weeds without burning the grass? We took a look at four rowdy technologies: camera phones, portable data storage devices, wireless computing, and the joint threat posed by peer-to-peer technologies (P2P) and Web-based services. They are well-meaning and widely-used tools that can be office assets, but can also wreak havoc when used carelessly or maliciously. We sought the advice of security executives and other experts on the best steps to take to establish some control in the midst of the chaos.

Prying Eyes

At many companies, a camera phone—great for office party snapshots or for capturing an interesting presentation slide—wouldn’t raise an eyebrow. At Cardinal Health, cell phones equipped with cameras are a physical security threat. Cardinal Health has its hand in almost every facet of a drug’s lifecycle—from development, manufacturing, packaging and delivery to pharmaceutical distribution. To allow photographs of how valuable drugs move through these stages could create security vulnerabilities. Cardinal Health also handles personal medical information that falls under Health Insurance Portability and Accountability Act regulations. “To allow cameras anywhere near the process, from when we receive [the product] to when we deliver it to the end-users, would be a huge vulnerability, and it’s not one we’re willing to accept,” says Tim Gladura, the company’s CSO. That said, camera phones are particularly challenging to contain because they’re not connected to any platform that the company controls.

“Research suggests that by 2009, 89 percent of all cellphones will include cameras. And it will get harder to tell which phones can take snapshots.”

Gladura says that a ‘no cameras’ policy and an ongoing awareness campaign that conscripts employees into the security ranks works best. “I’d rather have 55,000 sets of eyes out there than just my department,” he notes. But even that is not enough. His department has also enacted other policies that help to keep cameras out of sensitive areas. For example, employees at the distribution facilities are discouraged from taking lunch in the parking lot—to allow security to better discern if other, unauthorized individuals are sitting in the lot to observe loading dock operations. The doors that cover employee lockers are grated, offering security personnel a view of the contents. And random security searches are not unheard of. At Tommy Hilfiger USA, camera phones pose a different kind of threat: The potential loss of intellectual property. David Jones, vice-president of corporate loss prevention and security, worries about visitors who enter the company’s design studios. “For anyone in our business, the design patents are the innovations that the company lives off,” says Jones. A covertly snapped picture of a dress for the new fall line that is e-mailed to a competitor represents a real loss. Jones also relies on a no-camera policy to protect the design areas, but he worries about the increasing prevalence of camera phones and their shrinking forms. His fears are well-founded. According to InfoTrends/Cap Ventures, research suggests that by 2009, 89 percent of all new mobile phone handsets will include a camera. And the technology is advancing so quickly that it is harder and harder to tell which cell phones can take snapshots. “On older phones you could tell if there was a camera; now you can hardly tell. So, we have a policy that we can’t really enforce beyond awareness and training,” says Jones. He adds that to his knowledge, a theft by camera phone has not yet occurred, “but the threat is always there for it to happen”. CIOs also need to worry about protecting their employees’ privacy when camera phones are around. One security executive, who declined to be identified because of the sensitivity of the situation, recounted a case where employees using the company’s shower facilities after lunchtime workouts became concerned about a man who always seemed to be talking on his cellphone in the changing area. Public locker rooms and gyms frequently have ‘no cell phone’ rules, and locker rooms provided by an employer should be no different. “Information about people


[photographic or personal data] is way more valuable than information about anything else,” says Stephen Cobb, author of Privacy For Business, which offers advice to executives on safeguarding privacy of customer data. “Companies often focus on protecting financial secrets, but information about people can cost the company more.” At First Data, which specializes in money transfers and credit card processing, CISO (chief information security officer) Phil Mellinger has an employee dedicated to examining mobile devices and other technologies that employees want to bring into work, and who gives written approval from security where appropriate. Without that approval, the device is banned. “We used to approve general security configurations,” says Mellinger. “For example, if someone used a wireless device, there were two approved configurations for security. But now, each device has its own security configuration, so we have to get down to the device level.” Mellinger also notes that camera phones are not just a security issue but an HR issue and a procurement issue as well. “You have to get so many different entities in the company focused on the problem and approach it from different perspectives, but it is a massive problem,” he says. According to industry sources, the Pentagon and defense contractors have long had cellular detection equipment, but that kind of technology is now going mainstream. Companies that offer cell phone detection technologies—such as Phoenix-based Cellbusters—are gaining traction in corporate markets. The CellBuster device can detect a cell phone that is switched on (even if it is not in use) within a range of 90 feet, and it issues an audio alert that tells the user to shut off her phone. It can also operate in a silent mode, alerting security personnel with a flashing light. This kind of product is ideal for companies that have certain targeted areas within their facility that should be camera phone-free, whether it’s the boardroom or the locker room.

“The emergence of new, small, multi-function devices is happening so rapidly that companies must ensure that their policies are broad enough to include emerging technologies. If the policy is too device-specific, the CSO will end up having to rewrite the rules every few months.”

Data A-Go-Go

The threat posed by USB mini-drives has burgeoned during the past year. Plug one of these keychain-size storage devices into a USB port and any information you can access just became portable. Employees can download gigabytes of data off your network and simply walk out the front door. Just 1 GB of data is roughly comparable to a pickup truck loaded with documents, notes Dan Geer, vice-president and chief scientist at data security vendor Verdasys. Some of these devices can hold up to 60 GB. But thumb drives aren’t the only form of digital storage media giving security executives heartburn. MP3 players and even iPods, the ubiquitous cool gadget of the moment, can be used to download and store any kind of file (not just music). Marcus Rogers, an associate professor in the Department of Computer Technology at Purdue University, works with the Center for Education and Research in Information Assurance and Security (CERIAS) to study iPod forensics. “You can have an entire bootable drive on your iPod, and depending on the operating system, you can carry your entire workstation around with you,” he says. “Also a lot of times, if you hook an iPod to your system, it’s not going to show up on the network. Because it’s at the local machine level, it doesn’t get an IP address. Only if [security] is doing active probing 24/7 might they find that extra storage device.” Rogers notes that the iPod comes with the Windows file system, so the problem isn’t limited to Apple systems. “USB has absolutely exploded in the last year,” says Michele Lange, a staff attorney with Kroll Ontrack, which offers software and services for data forensics and electronic discovery. “I’ve been doing this about four or five years,” says Lange, “and I would say that [USB storage devices] are now an issue in a large majority of our cases.” Lange adds that most of those cases are employment-related situations where an employee has tried to harm a company by stealing trade secrets. Of course, intellectual property leakage can happen just as easily when one of these tiny drives is lost or stolen. However, there are steps CIOs can take. The first is to practice rigorous file security; employees should have access only to the information that they need. But since many employees have access to valuable information, companies have taken steps to deal with the issue more emphatically. Some have chosen to disable all of the USB ports on every system at the BIOS level (the PC processor’s basic input/output system) and have taken away administrative privileges so that savvy users can’t re-enable the ports. Cobb, the privacy book author, says he knows companies that have a locked-down configuration and don’t allow the user to change anything. “This can be quite effective on two levels: on a practical level, and on a psychological level by making it clear that computers can only be used for company business and won’t work if you try to use them for anything else.” Some companies have taken more drastic steps. Geer recounts a story of one company that tried to address the problem by filling each USB port with hot epoxy glue (before eventually realizing the impracticality of the strategy—most notably that it would take forever). CIOs have to ensure they’re not preventing employees from conducting their regular business duties. USB ports are, after all, there for a reason. USB flash drives are not all bad news either. They can be incredibly useful tools and some are available with advanced encryption standard, or AES, data protection. For an executive who can’t live without his USB drive, the best solution might be to provide him with one that’s hand-picked by the security team. Policy also has a role to play here. Dev Bhatt, director of corporate security for Airlines Reporting Corp. (ARC)—an airline-owned company that handles aspects of ticketing as well as data and analytical services—has crafted his company’s acceptable use and enterprise security policies to focus on the forbidden acts of removing corporate data or connecting an unapproved device, rather than on the device itself.
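Rogers’s point that a plugged-in drive never shows up on the network, and Bhatt’s policy of forbidding unapproved devices rather than banning the port, both point at the same detection gap: the only record of a removable drive is on the host itself. The script below is an added example, not code from the article or from any of the companies quoted. It parses constructed dmesg-style Linux kernel log lines (the format is the kernel’s; the values are made up), reports every USB mass-storage attachment with its vendor/product identifiers and capacity, and flags drives that are not on a hypothetical allowlist of security-issued devices. The sample log, the allowlist and the attribution of capacity lines to the most recent attachment are all assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed kernel log lines (not from the article) in dmesg format: an approved flash
# drive on port 1-2, a non-storage USB receiver on port 1-3, and an unknown mass-storage
# device on port 1-4.
SAMPLE_KERNEL_LOG = """\
[  512.101] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  512.250] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  512.251] usb 1-2: Product: Cruzer Blade
[  512.252] usb 1-2: Manufacturer: SanDisk
[  512.300] usb-storage 1-2:1.0: USB Mass Storage device detected
[  513.310] sd 6:0:0:0: [sdb] 31266816 512-byte logical blocks: (16.0 GB/14.9 GiB)
[  513.320] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  600.000] usb 1-3: new full-speed USB device number 6 using xhci_hcd
[  600.120] usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[  600.121] usb 1-3: Product: USB Receiver
[  900.000] usb 1-4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 0.01
[  900.010] usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs for drives the security team hands out.
APPROVED_DEVICES: Set[Tuple[str, str]] = {("0781", "5567")}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
CAPACITY = re.compile(
    r"sd [\d:]+: \[(?P<dev>sd[a-z]+)\] \d+ \d+-byte logical blocks: \((?P<gb>[\d.]+) GB")


@dataclass
class StorageEvent:
    port: str
    vendor_id: str
    product_id: str
    product: Optional[str]
    approved: bool
    device: Optional[str] = None      # block device name once the kernel attached it
    size_gb: Optional[float] = None


def find_removable_storage(log_text: str, approved=APPROVED_DEVICES) -> List[StorageEvent]:
    """Walk kernel log lines and report every USB mass-storage attachment."""
    seen: Dict[str, dict] = {}                 # port -> identifiers from enumeration lines
    events: List[StorageEvent] = []
    pending: Optional[StorageEvent] = None     # attachment still waiting for its sd line
    for line in log_text.splitlines():
        if (m := NEW_DEVICE.search(line)):
            seen[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "product": None}
        elif (m := PRODUCT.search(line)) and m["port"] in seen:
            seen[m["port"]]["product"] = m["name"].strip()
        elif (m := MASS_STORAGE.search(line)):
            info = seen.get(m["port"], {"vid": "????", "pid": "????", "product": None})
            pending = StorageEvent(
                port=m["port"], vendor_id=info["vid"], product_id=info["pid"],
                product=info["product"],
                approved=(info["vid"], info["pid"]) in approved)
            events.append(pending)
        elif (m := CAPACITY.search(line)) and pending is not None:
            # Heuristic: sd lines carry no USB port, so attribute the next capacity line to
            # the most recent attachment that has none yet.
            pending.device, pending.size_gb = m["dev"], float(m["gb"])
            pending = None
    return events


def unapproved_ports(events: List[StorageEvent]) -> List[str]:
    """Ports where a mass-storage device outside the allowlist was attached."""
    return [e.port for e in events if not e.approved]


if __name__ == "__main__":
    found = find_removable_storage(SAMPLE_KERNEL_LOG)
    for e in found:
        print(e)
    print("unapproved storage on ports:", unapproved_ports(found))
```

The same parse works against a host’s live `dmesg` output or a forwarded syslog stream; the point is that an endpoint-side log, not the network, is where a policy like Bhatt’s becomes verifiable.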

Roaming Hazard

It’s a sign of the times that in some cases, security teams have to behave like hackers to be successful. Sniffing out ad hoc wireless networks in a ‘no wireless allowed’ work environment is one such case. Most of the security executives CIO spoke with have found unauthorized wireless networks at their companies. These networks are so cheap and easy to set up that they will continue to be a problem in many companies. But detecting a clandestine Wi-Fi network two floors down is a breeze compared to the problem security executives encounter when their employees utilize wireless networks outside the office. Wi-Fi is built into most laptops, and wireless computing is so liberating that few untethered employees can resist the lure of a coffee shop or hotel access point. But unless users are educated about the specifics of wireless security, they could be laying the corporate network bare to any curious or malicious bystander.

“Wireless computing is so liberating that few employees can resist the lure of a coffee shop access point. But unless they are educated, they could be laying the corporate network bare.”

Security policies must spell out who can access the network, how, when, and where. A software-based firewall and encryption technology—whether it is Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) or ideally WPA2 (the latest version of 802.11i)—must be used to ensure that casual roamers aren’t hopping aboard. Employees also need education about the different scams that can affect wireless users. Christopher Faulkner, founder and chief executive of Web hosting firm C I Host, has also launched ‘The Wi-Fi Guy’, a travel blog that tracks Wi-Fi and cultural information in cities across America. He warns CIOs, in particular, about the dangers of ‘evil twin’ wireless networks. An evil twin is a rogue wireless access point that a hacker-type sets up near a legitimate Wi-Fi access point. Unwary wireless users can wind up with their computers connecting to the strongest signal available; in the evil twin scenario, the users think they’re on the legitimate network but are actually connected to the hacker’s machine, allowing him to capture whatever data they transmit. “I tried this at an airport and, within four minutes, had three people connected to my laptop doing unsecured computing in plain text,” says Faulkner. In a variation of that scenario—a sort of Wi-phishing—a hacker sets up another access point near a legitimate one, lures a user to connect and then prompts him for his user-name and password. When that info doesn’t lead the user to a connection, he/she usually reboots and logs onto the real network; but the hacker has already siphoned off what he wanted. Later he’ll be able to log onto the network with the user’s ID. These kinds of scams frequently snare people who are in a hurry, and will disregard something that looks a little unusual in their haste to get online. Educate employees to use wireless carefully and to avoid sending company confidential or sensitive information over wireless unless it is absolutely necessary and the system’s safeguards have been approved by corporate security.

The casualties of convenience

Peer-to-Peer (P2P) technologies and Web-based services are different animals, but they have three important qualities in common. These tools and programs are easily downloaded by employees; they frequently offer what workers see as a useful productivity-enhancing service; and most of them tunnel right through the corporate firewall, bypassing all security measures.

Take GoToMyPC, a Web-based service owned by Citrix Online. An employee can download the GoToMyPC software to his office PC, and it allows him to access the contents of his office workstation remotely from any PC connected to the Internet by typing in a user-name and password. The GoToMyPC folks have published a 10-page white paper touting their security, but some basic control issues exist that should concern IT executives. First, no matter how secure the program is, the security and network data are out of the CIO’s direct control. Second, security executives have no control over the machine that the employee uses to remotely access the corporate network. It could be an Internet café where a hacker has installed keystroke loggers, or it could be a home PC using an unsecured wireless network. P2P technologies such as Instant Messenger and Skype are just as alluring and raise the same questions.

At First Data, Mellinger uses a proxy server from Blue Coat Systems to limit these kinds of external connections. Blue Coat enables Mellinger to control certain kinds of connections and provide appropriate warnings for others. Of course, Mellinger doesn’t want to interfere with the regular course of business, so he cautions that you have to work through the kinks with any product to ensure that employees can still access all the tools they need. “We have lawyers who need to go out and look at certain sites that we would otherwise not allow employees to visit,” he says. Mellinger and his team are fine-tuning Blue Coat to match their exact needs.

At ARC, Bhatt has found that communicating with his employees is an effective way to deal with a lot of the P2P and Web activity. “Almost 100 percent of the time, people are just trying to get something done,” says Bhatt. He tells employees that he wants them to feel comfortable asking questions about new products and online services without fear that they will be frowned on. If there is a cool new service that an employee wants to use, security will check it out; if they’re not comfortable with that system, they’ll seek a secure alternative. If there is none, security will explain why not and why that kind of activity puts the company at risk. “When users know what the danger is, it works well,” says Bhatt.

First Data has also taken an added step which, Mellinger believes, insulates the company from many of the problems that these services can let in. The company has separate firewalls protecting each of its business units so that if a virus or breach occurs in one unit, it can be easily unplugged from the others to prevent the damage from spreading. “A lot of times, a company looks at itself as a monolithic entity,” says Mellinger, “and we don’t want to put ourselves in a position where anything that makes it into the company can impact the whole company. We use the same security controls between business units that we use between business units and the outside world.”

Stay on Top of the Trends

One key to dealing with all of these developments is for CIOs and their security teams to commit themselves to an ongoing learning process focused on new tools and technologies and the novel ways in which they will affect corporate security. Companies tend to go overboard with overly draconian security measures when a trend takes them by surprise. “There’s a line of sensibility here,” says Mellinger. “The object is to stay ahead of the people who aren’t doing anything [malicious], who just have no security awareness at all. As long as I can stay ahead of that crowd, I’m in good shape.” Security leaders should also keep in mind that you can’t blame it all on the bits and bytes. “This is about synergy and multi-function,” says Purdue’s Rogers. Recalling the security concerns that email raised when it first came into general usage, he cautions CIOs to remember that, “the technology is neutral. It’s not good or bad. It can be used in novel ways. But if we survived e-mail, we’ll survive this evolutionary process too.”

Reprinted with permission. Copyright 2006. CSO. Send feedback on this feature to editor@cio.in


Pundit | Essential Technology

How to Tell if You Have Bots

Bots can be hard to diagnose and turn your network into a wheezing jalopy. But like most fast-spreading diseases, forewarned is forearmed.

By Scott Berinato

Anti-virus | Bots use malicious code to infect network hosts, and are transmitted by malicious people and previously infected hosts. They are often precipitated by unsecured, always-on broadband connections that allow them to spread. Bots insert themselves on the hosts and then execute commands sent from a remote location. The commands range from relaying unwanted spam to using the host’s bandwidth as part of a distributed denial-of-service (DDoS) attack. Bots have infected millions of hosts. Basic strains, like ‘sdbot’, one of the most effective bots known to mutate often, have 4,000 or more variants. DDoS attacks using bots have reached nearly 10 GB of aggregate attack bandwidth. Individual infected hosts often don’t know they’re infected or that they’re infecting others.

Symptoms

Ordinary bot symptoms include network sluggishness, periodic unavailability of network resources and unusual traffic spikes. In acute cases, computers cease to operate or the Internet becomes unavailable. These symptoms also describe normal, far less serious network disruptions, making bots hard to diagnose. A strain of bots can infect the operating system kernel and mask its own symptoms, making it harder to identify.

Diagnosis

Analyzing traffic may be enough to determine if bots are present. Unusually high rates of outgoing traffic could signal the presence of bots. Traffic flowing through Port 6667, used for Internet Relay Chat (IRC), is usually a strong indication, as bots often receive instructions on how to act from a ‘master bot’ communicating through IRC. Other ports to watch include Port 25 (e-mail or spam relay) and Port 1080 (often used for proxy servers, such as SOCKS). Traffic saturation attacks (SYN floods and User Datagram Protocol floods) are evidence of the presence of bots. Many of these symptoms can be diagnosed using the DOS prompt command ‘Netstat -an’, which will show all network activity from the host. Network sniffers can be used to this end too. Those who suspect bots should run anti-spyware programs against their hosts, though newer bot variants may not yet be covered by those programs. Analysis of firewall logs could also help. Published lists of malicious IP addresses, like the Bogons list of non-legitimate IP addresses, can be matched against network activity to determine if bots are present.

Treatment

Preventive: Network activity should be baselined, whether or not the network is suspected of having bots. This allows you to track traffic rates and transaction types for each network host. The baseline will be used to measure against unusual traffic flows. If the network later becomes infected, comparison against the baseline will show what traffic flow looks like when the network is infected. Honeypots can be used to capture and analyze malicious traffic in an environment where it can’t do damage to the ‘real’ part of the network. A highly segmented network will help contain the spread of bots, as long as security policies are enforced between network segments.

Reactive: Deleting malicious code is challenging and sometimes impossible, as some bots will regenerate. Treatment often entails re-imaging machines to eradicate bots (and losing data on those machines). You need vigilant back-up and disaster recovery practices to prevent serious data loss and a pandemic outbreak of bots.

Send feedback on this column to editor@cio.in
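As an added illustration of the diagnosis steps above (comparing outgoing traffic against a baseline, watching ports 6667, 25 and 1080, and matching destinations against a bogon list), here is a small Python checker run over constructed firewall log lines; it is not part of Berinato’s column. The log format, the baseline figures and the abbreviated bogon list are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log sample (not from the column): time src dst dport bytes_out
SAMPLE_LOG = """\
09:00:01 10.0.0.12 203.0.113.9 80 1200
09:00:03 10.0.0.12 203.0.113.9 443 800
09:00:05 10.0.0.44 203.0.113.77 6667 300
09:00:06 10.0.0.44 240.0.0.1 1080 300
09:00:07 10.0.0.44 203.0.113.20 25 60000
09:00:08 10.0.0.44 203.0.113.21 25 60000
09:00:09 10.0.0.44 203.0.113.22 25 60000
"""
# Normal outgoing bytes per host for the same window, from an earlier baseline (constructed).
BASELINE_BYTES = {"10.0.0.12": 2500, "10.0.0.44": 3000}
# Abbreviated stand-in for a published bogon list: space that should never be a peer.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "224.0.0.0/4", "240.0.0.0/4")]
WATCHED_PORTS = {6667: "IRC (bot command channel)", 1080: "SOCKS proxy"}

def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)

def find_bot_signals(log_text, spike_factor=3.0, smtp_fanout=3):
    """Return {host: [signal, ...]} for hosts matching the column's indicators."""
    signals, out_bytes, smtp_peers = defaultdict(list), defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, nbytes = line.split()
        port, nbytes = int(port), int(nbytes)
        out_bytes[src] += nbytes
        if port == 25:                       # one relay is mail; many peers is a spam bot
            smtp_peers[src].add(dst)
        elif port in WATCHED_PORTS:
            signals[src].append(f"port {port} {WATCHED_PORTS[port]} to {dst}")
        if is_bogon(dst):                    # the 'bogon list' match from the column
            signals[src].append(f"bogon destination {dst}")
    for host, total in out_bytes.items():    # unusually high outgoing traffic vs baseline
        base = BASELINE_BYTES.get(host)
        if base and total > spike_factor * base:
            signals[host].append(f"outgoing bytes {total} exceed {spike_factor}x baseline {base}")
    for host, peers in smtp_peers.items():
        if len(peers) >= smtp_fanout:
            signals[host].append(f"SMTP fan-out to {len(peers)} distinct hosts")
    return dict(signals)
```

Hosts that trip none of the indicators (here 10.0.0.12) do not appear in the result, so the output is a short list to investigate with ‘Netstat -an’ or a sniffer rather than a verdict.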



The Devil’s Infosec Dictionary

By H. A. Ker

It’s a battlefield out there.

Access Control List: The operating system file that gives users access to files and programs they have no good reason to access
Analyst, security: A mercenary paid vast sums of money to tell you that your systems can’t be secured
Back door: A hacker’s front door
Back-up: A process you don’t need until you don’t do it
BC/DR (Business Continuity/Disaster Recovery Planning): An alternate spelling for ‘CISO’
Biometrics: Strong authentication mechanism that streamlines insider attacks
Bot: See ‘Zombie’
Business case: A creative writing project, the quality of which is directly proportional to your security budget
Client/server: Two types of easily hacked computers
Clean desk policy: What document users admit to ignoring during your intellectual property theft investigation
Confidentiality, integrity and availability: Three great myths of the Internet Age
Crackers: Hackers
Distributed Denial of Service: See ‘Bot’
Downtime: Refers to computer systems’ natural state; the opposite of anticipated downtime
e-Commerce: A historical fad from the late 1990s meant to generate crores in new profits; the inciting factor that generated crores being spent on security products
Firewalls: Speed bumps
Hackers: Self-righteous crackers
Help desk: A place where rude people read instruction manuals to confused people over the phone, for a fee
Identity theft: The transfer of your personally identifying information from corporations that want to exploit it to hackers who want to exploit it
Intrusion Detection Systems (IDS): Log file generators
JOOTT (‘jute’) adj.: Acronym for Just One Of Those Things; the primary explanation for most information security problems
Laptop: A computer designed to allow employees to easily store vast amounts of data in the backseat of a taxicab
Logging: The practice of filling shelves with printouts
Logical security: A goal; also, an oxymoron
Mission critical adj.: Term used to help hackers identify their targets
OS hardening: An attempt to secure your operating system against the next hack by closing the hole used by the previous one
Passwords: Authentication tool that, when properly implemented, drives growth at the help desk
Patching: A mandatory fool’s errand
Pharming and phishing: Ways to obtain phood
PKI (Public-Key Infrastructure): A system designed to transfer all the complexities of strong authentication onto end-users
Regression testing: The process by which you learn how the patches that fixed your system also broke your system
Total Cost of Ownership (TCO): In security, an incalculable number always equal to or greater than the budget
Upgrade: The process by which you introduce new vulnerabilities into software
Virus: Sort of like a worm, but not exactly
Worm: Similar to a virus, but different
Zombie: See ‘Distributed Denial of Service’
24/7 adj.: The window of time in which systems are most vulnerable to attack

Illustration by Unnikrishnan AV

