Sun CIO Bob Worrall and Sun Chief Information Security Officer Mark Connelly discuss the emerging threats to enterprise security and how Sun responds
In case you missed the announcement last month, I'm Bob Worrall, the new CIO of Sun Microsystems and the new executive sponsor of the Sun Inner Circle newsletter. Over the coming months I hope to use my letter in this forum to offer insights into Sun's technology vision, as well as share my commentary on the latest industry developments.
When I assumed my responsibilities as CIO a few months ago, I woke up one morning, and scribbled all of my top concerns on a scrap of paper. At the top of that list — security. Ask any CIO about what keeps him or her up at night — or, in my case, what wakes me up in the morning — and they'll tell you it's enterprise security.
In order to judge Sun's understanding of the challenges and ability to respond, I promptly scheduled a meeting with Sun Chief Information Security Officer Mark Connelly. I found my meeting with Mark so enlightening that I invited him to share his insights on enterprise security with you in this venue.
Worrall: Welcome to the Sun Inner Circle, Mark. Your timing couldn't be better, as it seems that the industry is confronting new viruses and security threats all the time. From your vantage point as chief information security officer, what are some of the challenges you face?
Connelly: For a very long time, people have been attempting to communicate in a secure manner, and other interests have been intent on breaking the security measures. The difference between now and times past is that today security professionals are trying to protect global enterprises and international economies. For instance, the security team at Sun is charged with securing the information assets of a company that employs over 38,000 people spread across 170 countries. Plus, due to the way people work today, Sun has to provide secure access to information on any device, anywhere, at any time.
Worrall: What are some of the primary threats to enterprise security?
Connelly: The complexity of threats is ever evolving, but, in general, the volume of the threat matrix is changing from the classic intrusions like spam to very elaborate schemes by people who are doing sophisticated reconnaissance to find the weak points in an enterprise's security. Threats span the spectrum, from kids who have nothing else to do but cause trouble, to criminally driven economic espionage, as well as everything in between.
Worrall: Traditionally, castle-and-moat security efforts focused on protecting the walls (or firewalls) of an enterprise to keep out the bad guys, but it seems like you're saying that the threats are evolving beyond that strategy?
Connelly: Yes. One of the things that I'm most concerned about is social engineering — the means by which people simply go around the defenses you mention. Anybody who studies warfare will say that it makes more sense to attack weaknesses rather than strengths. Kevin Mitnick, the pre-eminent social engineer, wrote a book called The Art of Intrusion, in which he described how he was able to use social engineering to penetrate organizational defenses. Once a threat is inside the castle, enterprises may not even know they have been penetrated and significant IP loss could ensue.
Worrall: Aside from malicious behavior, it seems like there are security challenges inherent in simply doing business?
Connelly: Absolutely. Global partners, new business models, geographic legal requirements, etcetera, all contribute to the growing complexity of the security challenge. With respect to regulatory requirements, Sun does business in more than 170 countries, sometimes with differing regulations, and we take all of these regulations into consideration in our planning. In addition, even though Sun is dedicated to open sourcing all of its software, Sun is very much an intellectual property-based enterprise. Therefore, security has to protect its IP and comply with all pertinent regulations. Fortunately, we have great Sun technologies and solutions that we provide to customers that help significantly in that effort. Finally, working in coordination with risk management, we have a comprehensive disaster recovery plan in effect to mitigate any risk to business operations in case of a natural catastrophe.
Worrall: From an organizational perspective, what are the challenges security professionals face within an enterprise?
Key Security Tips
- Employ strong security policies
- Build your security policies on top of industry standards
- Deploy a multi-layer, multi-vendor defense
- Use best-of-breed security partners to help lower costs, improve flexibility, and make enterprise security more scalable
- Ensure any security policy has a holistic approach involving IT professionals, physical security personnel, legal and audit teams, and export control
- Make sure employees understand they are key players in any successful security policy
Connelly: One area is the value proposition. CEOs often ask the "expense" question when they need to ask the "investment" question. Many CISOs and CSOs I talk with have to be business-aware. It is very difficult for security professionals to prove the value of their work. Ask any chief information security officer, and they have value statements, threat matrixes, and other documents that help explain to executive management the value of the infrastructure that protects an organization. Unfortunately, humans tend to be reactive; they prefer to take action after something happens. Just the same, it is incumbent upon security professionals to put security information in front of the executives (and the board of directors), so the enterprise can accurately evaluate the real value of acting ahead of time.
The second organizational issue is skilled security professionals. They are the heart and soul of any security management team. My advice: keep them skilled and support all necessary training. Third, build a comprehensive security management system that includes metrics that clearly indicate the performance of your investments and the risks your system has mitigated. Finally, ensure that the executive management team is an active supporter of the security program you have in place.
Worrall: At a 38,000-plus person enterprise like Sun, it seems almost impossible to manage security down to the individual person, so how does an information security officer determine an appropriate risk profile in order to manage security for such a large workforce?
Connelly: You said it — it's all about risk. Fundamentally, enterprises need to make investments based upon the severity of the threats, as well as the probability that those threats may actually come to fruition. Any information security officer will say that it's very hard to ascribe an absolute numerical risk factor to a specific threat. For instance, a breach of privacy information will certainly come with a market capitalization cost for a publicly traded company, but how does one determine the exact dollar amount of the lost shareholder value? So, to be proactive, most security professionals will cite the fact that prevention expenses — I mean "investments" — are typically 100 times less than the related remediation costs. It's good for the employees, customers, and the business.
Worrall: What are some of the strategies that enterprises rely on to keep information safe and secure?
Connelly: Anchor on strong security policies. All enterprises need a strong set of policies. These policies govern how an enterprise implements a security strategy and the operational procedures around that strategy going forward. Plus, the policies need to be built on top of best-of-breed industry standards. Once an enterprise has a security policy, it needs to implement it and monitor its implementation using those industry standards. This is particularly important come audit time. During an audit, an auditor will first ask if there is a policy in place and whether it is being implemented. The next question will be about whether you have adopted any industry standard. If the answer to those inquiries is "yes," you will be in better shape.
Worrall: What else do security professionals need to have in their tool belt?
Connelly: Another important tool is to deploy a multi-layered defense. If an enterprise has multiple layers of defense, it is harder to penetrate. Also, the defense needs to be not just multi-layered but also multi-vendor. If someone penetrates one layer, it's harder to crack the other layers, especially if it is based on different vendors' technologies.
Worrall: And from a products and services perspective, what does Sun do to help ensure its own enterprise security?
Connelly: A lot! Sun does quite a bit of partnering, whether it's in our channel strategy or our sourcing of vendors in IT. Sun partners operate our datacenters and networks, as well as perform virus and spam filtering. Sun has employed a best-of-breed strategy to help lower costs, improve flexibility, and make enterprise security more scalable. Also, Sun deploys its own security products, such as Identity Manager, Access Manager, and directory services. Sun offers customers a vast array of hardware, software, and services, so naturally we use those assets internally.
Worrall: What specifically is Sun doing in terms of spam filtering, virus filtering and intrusion detection — the types of challenges that virtually all enterprises face?
Connelly: Sun filters out over 40 million spam messages a day and two to three million viruses per day. Sun puts virus and spam filters on the networks, as well as on the gateways within Sun to prevent viruses from spreading. Sun also involves the certification team and their peers to help monitor the networks 24x7. Whenever there's an incident, it's immediately reported and acted upon. Plus, Sun deploys network-based intrusion sensors, so if somebody is trying to penetrate our networks, our team is on top of it. Sun is very vigilant in terms of protecting the perimeter of its networks.
Worrall: We talked about social engineering, spam, and viruses. What do you see as the next big challenge?
Connelly: From a security perspective, Sun is constantly wrestling with the proliferation of devices. It's not just a matter of fat or thin clients, either. There are many new portable and wireless devices, and all of them connect to the network. Sun works with its chief privacy officer to do everything possible to mitigate the risk of a loss of private information. While losing a bit of IP would be traumatic, if Sun loses personal information, or even if it suspects that there has been a breach of private information, it has to report it, and there could be significant penalties. Companies need to pay attention to new devices, manage them carefully, put defenses in place, and educate employees on their proper use.
Worrall: What would be your advice to your peers at enterprises that are smaller than Sun who are struggling with where to focus their security efforts?
Connelly: Just like larger organizations, smaller enterprises need to develop a strong set of security policies, base the security management system they develop on industry standards, and align around the business goals. If an enterprise doesn't have tons of money and resources, or even if it does, one of the most effective actions security professionals can take is to have a security awareness program as part of the security management system. It is clearly a program that is beneficial and cost-effective.
Worrall: How does security awareness pay off?
Connelly: At Sun, all of the 38,000-plus employees need to think about security all of the time. It reduces costs. It helps protect our employees and shareholder value. It is a prerequisite to business in some cases. It creates new business opportunities and is not just an expense — it is possible to grow business with "security built in."
Worrall: Any last piece of advice?
Connelly: As I have mentioned a couple of times, the implementation of a complete security management system across the entire organization is key to any successful security policy. The IT organization is a concept that represents a unification of all aspects of security for the enterprise. At Sun, I work with the person in charge of physical security, the people in the product groups, the chief privacy officer, legal and audit professionals, and export control personnel. All these aspects of security need to be united in purpose and aligned to support the business objectives. Our job is to do it in a risk-based, secure manner.