In the face of increasing and changing security threats to ICT infrastructure, authorisation for deep access to systems may increasingly be handed out on a temporary basis and “checked back in” once its immediate purpose has been served, says Brendan Hannigan, general manager of the newly centralised security systems unit in IBM’s software group.
Root access to a server or network of servers is a very powerful tool, so today’s computer attackers especially target the individuals who have such privileges, says Hannigan. If they can assume such a power user’s identity, they can reach many more parts of the system, and the data stored there, than by attacking a random staffer’s account or a random point of the network, he says.
“No one needs those privileges all the time,” Hannigan said in an interview with Computerworld at the IBM Interconnect 2012 conference in Singapore earlier this month. “You may need them for the next hour” to do something essential to the system, “so you’ll be given those privileges for that time only and at the end you’ll check them back in.” This leaves a much smaller and more mobile target to be attacked, he says.
He acknowledges that a move to put shackles on the very kind of senior and highly skilled, highly valued members of staff who have these access privileges may be stoutly resisted as an attack on their organisational status. “No doubt some administrators will say that [such complexity of access control] is not necessary,” he acknowledges, but he adds that such sentiments should not be allowed to compromise security. “We don’t allow the bank manager to walk home with the keys to the safe any more.”
It is now a truism that perimeter protection is no longer the whole solution, Hannigan says, but that’s historically been recognised chiefly among security specialists and technically skilled staff. Now awareness of threats not involving penetration of a firewall, such as compromising of identity and poisoning of trusted applications, is seeping up to management levels. This means greater organisational authority being brought to bear to enforce security precautions that may be controversial.
A growing amount of the security threat comes from compromised applications, Hannigan says. Simple techniques such as SQL injection are still used with a surprising amount of success, he says. The only answer is a rigorous screening of apps before they are allowed anywhere near the company network.
Also surprising, says Hannigan, is the lack of any work in many organisations to prioritise data by its importance to the business and tailor the security applied to each data item appropriately. “Many companies don’t even have a full inventory of their data and where it is.”
IBM, Hannigan says, now finds itself talking security not only to the technical experts in terms of vulnerabilities, but increasingly to higher echelons of management in terms of business risk. “Our customers’ chief information security officers are asked more often to speak to the board; and it is more common that they report to the chief legal officer or chief financial officer rather than the CIO.”
This means that a different repertoire of skills is required in the people IBM employs to talk to its customers about security.
“IBM had security products years ago, but the expertise was not centralised,” he says. Now the company looks on it with a consistent organisation-wide perspective, he says. “We have created a single division and a single product strategy.”
The emphasis of IBM’s approach is on analysis of behaviour and its relationship to claimed identity rather than keeping a watch on specific gateways. “We can identify a behaviour that increases risk for the company and block it” or identify an unusual nexus of behaviour and identity, “so we can say: ‘that person shouldn’t be doing that’ and look at whether the staff member is behaving suspiciously or whether his/her identity may have been compromised,” says Hannigan.
A sceptical attitude to more complex and more intrusive intelligence gathering and controls on security may be expected at first, but will quickly disappear when the frequency of security incidents plummets, Hannigan says.
• Bell attended the IBM Interconnect conference in Singapore as a guest of IBM.