The threat from within - challenges of managing internal information security risks

May 2004 Security Services & Risk Management

Companies are investing in information security to protect networks against external threats. But anti-virus solutions, firewalls and virtual private networks (VPNs) – collectively referred to as perimeter security – can only provide security if the internal network can be trusted.

Strong evidence suggests that internal networks cannot be trusted and that business-critical information is sent unprotected through corporate intranets. Traditionally, companies have put their information security efforts in perimeter security, protecting only the outer walls of the corporate networks. Internal information security has been a matter of trusting the employees.

Most security breaches do not originate from external hackers, viruses or worms, but from employees who, according to Gartner, commit more than 70% of unauthorised access to information systems and are responsible for more than 95% of intrusions [1]. According to the Computer Security Institute and the FBI, an insider attack causes an average of 2.1 million euros in damages, whereas the average outside attack costs 45 000 euros [2].

The risks

The most obvious risk is the human factor. Anyone with access to the internal network is a potential threat, and that threat is very difficult to manage. Responsibility for preventing an attack should not rest on the shoulders of an individual employee.

It is fairly easy to create a small piece of software that will attack the internal network once it is planted on any computer within the corporate network. Distributing such a program requires no special computer skills, and in most cases the person who installs the malicious software is not aware of having done so.

Once a malicious program has been installed, it can cause harm in various ways. The most typical are:

1. Gaining access under a legitimate user's identity and acting in that user's name.

2. Capturing confidential data for industrial espionage or other purposes.

3. Destroying corporate data to cause financial damage.

4. Causing network and system outages to paralyse the company's operations.

Security threats arising from within increase the operational risks of a business:

1. Potential loss of reputation in the eyes of customers, partners and investors.

2. Risk of business interruption.

3. Violation of legal and regulatory requirements to protect sensitive customer information.

Attacks on a company's information and assets have a tremendous effect on its reputation. If personnel are involved in the attack, directly or indirectly, the credibility of the company is put at risk.

It is known that many companies have left such attacks unreported, absorbing the damage for fear of losing reputation.

Managing internal security has also been considered expensive and resource-consuming, and has therefore received little attention.

The solution

Protecting against threats arising from internal networks requires proactive action in multiple areas:

1. Security policy must take internal security into consideration.

2. All critical data in the computers must be protected.

3. All users using critical data must be authenticated and authorised.

4. All critical data communications must be encrypted end-to-end.

Unless all of the above are addressed, the overall protection will not work in practice.

In addition, internal information security needs to be affordable enough to cover all critical applications.

Of the critical areas above, encrypted data communications is the least addressed in today's corporate networks.

The alternatives

Information security should be an integral part of operational risk management, which covers areas such as human resources, physical security and general security. Managing internal security effectively involves implementing confidentiality, data integrity, authentication and authorisation for mission-critical business applications as part of the corporate security policy.

Figure 1 presents a generic architecture of a corporate IT environment, including the supporting infrastructure and individual business applications.

Secure communications can be implemented at different layers of this architecture. Perimeter security solutions are often based on embedding security features either in the IT infrastructure or in the business applications. Neither approach allows end-to-end security. Integrating security into the infrastructure requires expensive and complex re-engineering projects and often involves dedicated hardware in front of the servers that need to be secured.

Figure 1. Corporate IT architecture

Embedding encryption and authentication in business applications requires code modifications to each business application. For enterprises this is rarely a viable option, given the number and variety of client/server applications in use.

A new concept

A new category of information security solutions, managed security middleware, has the potential to overcome the limitations of network-level and application-integrated information security approaches.

Managed security middleware operates between the underlying IT infrastructure and the actual business applications as illustrated in Figure 2.

Figure 2. Managed security middleware provides end-to-end secure communications to applications

This category does not rely on specific security functionality embedded in the IT infrastructure or business applications. This means the complexity related to interoperability, overall system management and maintenance is reduced and that centrally managed communications security can be brought to almost any client/server application.

Managed security middleware provides considerable cost savings by not requiring infrastructure or application changes. Its centralised management capabilities also reduce the labour needed to operate the security system.

When communications security is extended to end-user workstations, new challenges arise in the form of training and helpdesk costs. Managed security middleware is a transparent security layer: the security software on user desktops is invisible to the user. This minimises user interaction, training needs and helpdesk costs, giving an attractive return on investment. As well as protecting application communications, managed security middleware helps organisations implement cost-effective technical countermeasures that improve operational risk management. Compared to traditional perimeter security alternatives, this approach significantly reduces total cost of ownership and improves the return on security investment.
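The layering of Figure 2, and the requirement above that critical data communications be encrypted end-to-end without touching the application, can be shown concretely with a small forwarder pair. The following is an added example written for this page; it is not code from SSH Communications Security or any product it sells. An unmodified line-based client/server application is made to exchange its traffic through a client-side and a server-side forwarder, so that only authenticated, encrypted records cross the intranet, and a record that has been tampered with, or reflected back in the wrong direction, is dropped before it reaches the application. The record protection is an encrypt-then-MAC construction built from Python's standard library (an HMAC-SHA256 keystream plus an HMAC tag), used only so the example runs offline; a deployment would put TLS or SSH in its place. The pre-shared key, the names workstation-17 and ledger, and the sample request and reply are assumptions made for the demonstration.

```python
# Added example (not vendor code): an application-transparent encrypting forwarder pair.
# legacy client -plaintext-> [client forwarder] =sealed frames=> [server forwarder] -plaintext-> legacy server
import hashlib, hmac, os, socket, struct, threading

# Authenticated encryption from stdlib primitives (encrypt-then-MAC: HMAC-SHA256 keystream in counter
# mode plus a 32-byte HMAC tag), standing in for the TLS/SSH transport a real deployment would use.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, b"enc" + nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(d ^ k for d, k in zip(data, out))

def _tag(key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"mac" + aad + nonce + ct, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Return nonce || ciphertext || tag; `aad` binds the record to one traffic direction."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _tag(key, aad, nonce, ct)

def unseal(key: bytes, record: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if len(record) < 48 or not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("record rejected: tampered, wrong direction or wrong key")
    return _xor_stream(key, nonce, ct)

# Length-prefixed framing for the protected hop (one frame per direction per connection).
def send_frame(sock, data: bytes) -> None:
    sock.sendall(struct.pack(">I", len(data)) + data)

def recv_frame(sock) -> bytes:
    f = sock.makefile("rb")
    (n,) = struct.unpack(">I", f.read(4))
    data = f.read(n)
    if len(data) != n:
        raise ConnectionError("peer closed mid-frame")
    return data

def _listen() -> socket.socket:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))            # ephemeral port; never collides with a real service
    s.listen(1)
    return s

# The unmodified legacy application: one line-based request, one reply (constructed sample data).
def legacy_client(addr, request: bytes) -> bytes:
    with socket.create_connection(addr) as s:
        s.sendall(request)
        return s.makefile("rb").readline()

def legacy_server(listener) -> None:
    conn, _ = listener.accept()
    with conn:
        ok = conn.makefile("rb").readline().strip() == b"GET BALANCE ACCT-4711"
        conn.sendall(b"BALANCE ACCT-4711 EUR 2100000.00\n" if ok else b"ERR\n")

# The middleware layer. Direction labels (assumed names) make a record reflected back fail verification.
C2S, S2C = b"client:workstation-17->server:ledger", b"server:ledger->client:workstation-17"

def client_forwarder(listener, key: bytes, remote_addr) -> None:
    conn, _ = listener.accept()
    with conn, socket.create_connection(remote_addr) as remote:
        send_frame(remote, seal(key, conn.makefile("rb").readline(), C2S))
        conn.sendall(unseal(key, recv_frame(remote), S2C))

def server_forwarder(listener, key: bytes, app_addr, wire_log: list) -> None:
    conn, _ = listener.accept()
    with conn:
        record = recv_frame(conn)
        wire_log.append(record)         # exactly what an intranet sniffer would capture
        try:
            request = unseal(key, record, C2S)
        except ValueError:
            return                      # dropped; nothing reaches the application
        with socket.create_connection(app_addr) as app:
            app.sendall(request)
            send_frame(conn, seal(key, app.makefile("rb").readline(), S2C))

def run_demo() -> dict:
    """Run client, both forwarders and server on localhost; return the reply and the wire capture."""
    socket.setdefaulttimeout(5)
    key = os.urandom(32)                # per-user key; a deployment issues it from central management
    wire = []
    app_l, cf_l, sf_l = _listen(), _listen(), _listen()
    threads = [threading.Thread(target=legacy_server, args=(app_l,)),
               threading.Thread(target=server_forwarder, args=(sf_l, key, app_l.getsockname(), wire)),
               threading.Thread(target=client_forwarder, args=(cf_l, key, sf_l.getsockname()))]
    for t in threads:
        t.start()
    reply = legacy_client(cf_l.getsockname(), b"GET BALANCE ACCT-4711\n")
    for t in threads:
        t.join(5)
    for listener in (app_l, cf_l, sf_l):
        listener.close()
    return {"reply": reply, "wire": wire[0]}

def tamper_check(key: bytes = b"\x01" * 32) -> bool:
    """True if a record with one flipped ciphertext bit is refused before it reaches the application."""
    flipped = bytearray(seal(key, b"GET BALANCE ACCT-4711\n", C2S))
    flipped[20] ^= 0x01
    try:
        unseal(key, bytes(flipped), C2S)
        return False
    except ValueError:
        return True
```

Calling run_demo() returns the reply the legacy client received (unchanged from what the server sent) together with the bytes that actually crossed the intranet, in which neither the account number nor the balance appears; tamper_check() shows a modified record being refused. What the example leaves out is exactly the part the article says needs central management: distributing a per-user key (here a fresh os.urandom value per run) and deciding which users may reach the ledger application. With TLS or SSH in place of the stand-in record layer, client certificates or user keys carry that identity, and the forwarder on the server side can enforce the authorisation decision before any byte reaches the application.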

References

[1] Gartner, 2003, http://security1.gartner.com/story.php.id.12.s.1.jsp

[2] CSI/FBI Computer Crime and Security Survey, 2002.

About the author: Janne Saarikko is director of global marketing for SSH Communications Security, a supplier of managed security middleware for businesses, financial institutions and governments worldwide. For more information, visit www.ssh.com. Contact +358 20 500 7030.

© Technews Publishing (Pty) Ltd. | All Rights Reserved.