From Cuneiform to Binary: Security Counts
Just as the Sumerians saw the need for some form of security in their own time, we too have the need for policies and procedures to protect our own interests and assets. Where we greatly differ from our ancestors is the sheer volume of information and the potential avenues of access to our information. In ancient times the Sumerian merchant possessed much less information to guard and was mainly concerned with the physical security of his records. Today, the information we have the potential of holding on a single system would dwarf all writings from all of the ancient worlds combined. We also hold the burden of not only physical security, but also the virtual security of our assets. Where the ancients were only concerned with local threats with rudimentary methods, we must consider an entire world armed with a sophisticated arsenal of tools.
In today’s terminology we define the securing of information as Information Assurance, or IA. There is no magical solution or black box for IA. Also, IA differs from one entity to another in policy, implementation, and format. However, the common goal of IA is to provide timely and accurate information to authorized individuals. The concept is known as CIA, which stands for confidentiality, integrity, and availability. These three basic branches cover a wide spectrum and are designed to be flexible for your organizational needs. They are in no way absolutes, but rather conceptual roots to grow your organization’s own policy and procedure.
Since the Internet went public in 1994, it has experienced explosive growth. Traditional efforts to make computers smaller, faster, and better are now coupled with making these systems “connectable”. With the ability to join the Internet, the intrinsic value of personal computers is astounding considering the return on investment. With an Internet-enabled system, you now literally have access to the entire world’s wealth of knowledge. Needless to say, this is an amazing capability from a business perspective. Not only do you have access to all of this free information, but you can also share your own information and promote your own business. A small-town business can become a global competitor overnight.
However, with this tremendous capability comes significant risk in the hands of the unknowing. Even though the Internet has experienced explosive growth in a vast array of subjects, one subject that has fallen behind is security. With getting new features and capabilities to market as the top priority, security was often held in low regard and sometimes totally ignored. One reason for this is that security lengthens the development timeline. Another argument is that security can hinder or eliminate many of the new features the public wants, or so it seems. The truth is that the same advanced features and technologies can be enjoyed with IA involved; they just take longer to develop. In the long term, doing things the right way always pays off. Many sectors of today’s industry are only now realizing this, and the effort to undo or fix what should have been “done right” in the first place has proven to be even more costly.
Your IA plans and goals will have the biggest direct impact on your organization at the beginning. Implementing a policy and setting the tone for the culture of your information infrastructure from the beginning will start your organization down the right path. This avoids having to change the culture of your user base later, and having to plug holes with ad hoc solutions forced to fit your current design. It is always easier and less expensive to build IA into your infrastructure from the start, but it can also be implemented mid-stream if required.
For example, Widgets Software had a 4,000-user network that was built in June of 2000. The network was online for less than one month when it was first penetrated by hackers. Although this company had spent nearly USD $50,000 on equipment, it failed to spend a single dollar on security equipment. Additionally, little or no time was devoted to security policy during development. By the time someone figured out what was going on, half of the network was down. Eventually the other half had to be taken down, which effectively shut down this company for two weeks. The full two weeks were not spent on getting systems back online, but rather on developing and implementing an IA solution to prevent hacker penetration from happening again. In the end, Widgets Software lost an estimated $200,000 in sales and labor hours due to the outage. Had Widgets Software implemented a well-planned IA solution in the beginning, the cost to them would have been about USD $5,000. The loss from the “ripple” of being down for two weeks cannot be calculated accurately. However, a significant amount of the customer base was lost.
Another example, one that involves location rather than technical aspects, is Data Center XYZ. Data Center XYZ was a very well planned and structured facility. Its IA solutions were no less than outstanding, since its founder was an Information Assurance professional. Systems were secure, policies were well documented and well known, the staff was well educated, and maintenance cycles for not only operational equipment but also security devices were executed religiously. The facility’s major flaw was not in operation. Data Center XYZ failed to incorporate its environment into its plan. When the power went out on that dismal day, battery backup systems held the line until the generators kicked in. The generators ran flawlessly until they were submerged under twenty feet of water. The loss was catastrophic. Every piece of equipment was destroyed. Every customer of Data Center XYZ moved on to other businesses to provide for their needs. Only somewhere during the flood did it occur to anyone that perhaps the data center should have been on the second floor.
Hopefully, you can see that IA is not something that “we will worry about later”. In the latter example above, a clearer picture would have prevented a house of cards from being built in the first place. As it has been throughout the ages, information is power. However, in today’s world just having access to information is not sufficient. Maintaining the confidentiality, the integrity, and the availability of that information is vital to an organization’s survival. IA is the mechanism that will help achieve this goal. Remember, it’s not a question of if bad things will happen, but simply of when, and of how prepared you will be when they do.
Mailborder Systems © 2005 - 2006