
Identity and Access Management (IAM)

Focusing on our views about deployment challenges, and some of the important trends related to Identity and Access Management

Software Quality: The UK Report on Internet Security

In 2006, the UK House of Lords undertook a far-ranging study of the problem of internet crime and its resultant impact on individuals, businesses, and the economy as a whole. On August 10th 2007, the results of the study were published under the title “The House of Lords Science and Technology Committee. 5th Report of Session 2006–07. Personal Internet Security”. The link to this report is: http://news.bbc.co.uk/1/hi/technology/6938796.stm


The report recognizes the invidious and criminal nature of modern cyber crime, and its far-reaching impact in terms of economic costs and the personal lives of the individuals affected. Even if measured solely on these points, the report would score highly for taking such an honest and accurate view of the nature and impact of the problem.


The report makes a number of recommendations and calls for action from a wide range of bodies, including government; the law enforcement community, including police and the judiciary; ISPs; and hardware and software developers. These recommendations are worthy of consideration and comment.


The report states that “The IT industry has not historically made security a priority.” While noting that “This is gradually changing”, the report also calls for a more urgent and regulated push for change, calling for “software vendors (to) make the development of more secure technologies their top design priority.” While recognizing the positive role of self-regulation and codes of best practice, the report also “recommend(s) that the (UK) Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated.”


While it is admirable that security issues and ID theft are being recognised as serious issues requiring an improvement in the security state of business systems, we do not believe that the proposed measure (making software vendors liable) would be the best way forward. All software developers clearly need to strive toward improving the ‘secureness’ of the software they author. CA, like many other significant software providers, places considerable effort toward this goal, and we improve our practices as best practices and new findings emerge. After all, as the report correctly acknowledges, security failures do not result solely from inherent software faults, and it is important to take other areas of concern into consideration.


User error resulting from mistakes, ignorance or being scammed/tricked plays a large role. So too can errors in the architecture, implementation and configuration of the SW affect the security state. Software writers have no, or at best little, control over how their products are implemented and maintained. Even if a flaw is found and a fix issued, the software vendor has no way of forcing a company to implement the fix in a timely manner. Deliberate subversion of the security environment in order to meet business deadlines, cut costs, or provide a higher degree of convenience for the end user can also play a role. In other words, sometimes the best-intentioned efforts are subverted not because data theft is the goal, but for other reasons. As a result of the subversion, however, the door is left open to more nefarious attackers whose goal is information theft or other criminal behavior. It must also be recognized that IT is not the sole custodian of information, and the key problem is really information security failure, not IT security failure. Critical information in printed form, or on backup media such as tapes, has been a significant source of inappropriate leaks in past years. None of these factors is addressed by the House of Lords’ call for software companies to bear the financial brunt of the responsibility.


What would make a significant difference is a six-pronged approach:


  1. A focus on improving SW quality. This will require further education for the SW developer community, remembering that SW is developed on a global basis. If the UK government wishes to demonstrate a leadership role in this regard, funding and supporting education for secure SW developers would be a great start. Hand in hand with this should be an effort to make the ‘secureness’ of software and hardware a desirable characteristic for the buyer. Indeed, the report notes that today software and hardware makers do not have sufficient economic incentive to focus on security; this is because buyers often do not rate this characteristic as a differentiator when making buying decisions. This needs to change at many levels.
  2. A push for every company's information governance practices to be accredited to an internationally recognised standard such as ISO 27001 (née ISO 17799). Businesses must make it a priority to ensure that, when implementing technology, project deadlines include adequate time for building security into the systems up-front. “Do it quick” and “Do it cheap” need to be reprioritized after “Do it securely”. To achieve this will actually require changing the expectations of company owners and shareholders too.
  3. Improving end user education, including starting now with the next generation of users, our children. Providers of home computing platforms need to change how they market their products so that the user recognizes the risks associated with the product’s use. A home computer is not a TV set that instantly and forevermore will work “out of the box” without any care and feeding beyond a quick dust and dry-wipe of the keyboard. To purloin a phrase well known to pet owners: “A secure computer is for life, not just for Christmas”.
  4. As the report recognizes, mandatory breach disclosure requirements for companies which have information security breaches continue to be a part of the global solution. Again it is important to recognise the globally distributed nature of IT systems in the modern world. Breach disclosure must be enforceable regardless of where the information is processed, and regardless of the jurisdiction in which the breach occurred.
  5. Appropriate funding to provide for adequate levels of policing effort must be provided. Whilst the efforts of SOCA are admirable, I do not believe that enough trained police resources are available to meet the challenges of the fight against cyber crime, nor that the agencies have enough funding to support their efforts.
  6. A demonstration by the government of best practices in information governance, by ensuring that UK government IT (at all departmental and regional levels) is architected, implemented, and operated at the highest state of excellence. UK government should be a positive example to all businesses and citizens.


We should all welcome and applaud the effort the UK government has demonstrated in taking on this investigation and issuing the resulting report. Without a doubt the status quo must be challenged, and it is important that all aspects of the problem are addressed in an even and comprehensive manner.


Comments

Mike Small said:

This is an important report and all parties should take heed of and act upon its recommendations

April 21, 2008 5:40 AM
