In the lead-up to the industrial revolution, many European cities stopped relying on the walls that for centuries had kept them safe from marauding armies. Cities weighed up the risks and decided that trade and collaboration mattered more to survival than defence, and so expanded beyond the city perimeter.
Businesses today face a similar predicament when it comes to securing computer networks, says Paul Dorey, chief information security officer (CISO) at energy giant BP.
With the growth of outsourcing, managed services, remote working and joint-ventures changing the business landscape, companies can no longer adopt a siege mentality when protecting corporate IT networks, he says.
“Outsourcers, contractors and third parties need to access corporate information. At the same time new technologies, such as wireless and instant messaging, are providing a security headache for those guarding the network perimeter.” Instead of repelling hackers and viruses using firewalls at the network edge, Mr Dorey, and other CISOs from companies including HSBC, ICI, Rolls-Royce and Royal Mail, advocate that businesses re-think their security.
They have formed the Jericho Forum, an international pressure group aimed at making vendors listen to user requirements. It plans to lobby for product design changes so companies can trade securely over the internet. By doing so, it hopes businesses will not see their electronic assets pillaged or destroyed on the biblical scale its namesake suffered.
“The easiest model is something akin to internet banking where you access corporate systems through a highly secure web-portal, using authentication,” says Mr Dorey. “Sensitive data is encrypted and there is a demilitarised zone, so even if one person accessing the system is compromised, the whole system is not,” he says.
Pharmaceutical company AstraZeneca is looking at this. In 2004 it spent $3.8bn (£2.15bn) on drugs research and development through collaboration with research organisations, universities and biotechnology partners. With dozens of organisations and 11,900 employees communicating in the R&D process over multiple networks, protection of intellectual property (IP) was not feasible through a “walled castle” approach to security. So last year it replaced an in-house collaboration system with electronic vaulting technology from IT security company Cyber-Ark, says Patrick Meehan, lead technical architect at AstraZeneca. The original system had high costs and hindered collaboration, because the virtual private network on which it relied needed software installed on every user’s system. By transporting data in an “electronic safe” AstraZeneca is guarding intellectual property using inbuilt authentication, encryption and firewalls.
Enterprise rights management (ERM) software, which restricts who can access, print and e-mail sensitive documents, is also used. Paul Stamp, security analyst at Forrester Research, believes protecting data assets is an improvement on the “fortress approach,” but current proprietary technologies and differences in global legislation could hamper progress. “It’s not going to happen overnight,” he says. “The Jericho Forum is pushing for open standards and that’s going to be tough for the likes of Microsoft and Cisco to achieve from the very beginning.”
And with countries such as China, Israel, Russia and Saudi Arabia restricting the use of strong data encryption products, ERM is not immediately workable globally, he says.
Steve Wylie, EMEA managing partner at Accenture’s security practice, adds that investment in encryption and ERM software could be costly in time spent managing user privileges. “The negative impact of leaked R&D into drugs will justify the investment, but if employees spend time setting up access rights every time they produce documents like a company newsletter then it could hamper productivity,” he says. But while Mr Dorey admits re-defining a company’s electronic boundaries has problems, advances in networking and business practices may force the IT industry’s hand.