Information Technology Security. Advice from Experts

The most effective security systems are architected and deployed in multiple layers to create a sustainable barrier against multiple, and different, types of attacks. For large organizations with multiple public Web portals, employee dial-in access points and supplier support networks, developing a multi-level barrier usually requires a multimillion dollar engineering, purchase, deployment and operational investment.

Typical technical approaches to building a multi-level security system involve:

• A foundation level that requires the user to have a minimal level of security to access (even a publicly known and shared password)

• A second tier that identifies and validates the computer or terminal they are using to the network (through a cookie or ID token)

• A third tier that limits access to known users (users that can provide some type of authentication that has not been shared with other people)

• A fourth tier that further limits access computer and user access without correct responses to a computer and user challenge question that only that computer and user would have. The computer could provide an encrypted key that was sent to it the last time it was connected to the network, and the user would be asked what their last password was.

• A fifth tier requires a biometric identifier from the user, such as their fingerprint , voiceprint, faceprint, retinal scan or signature sample. One ” or a combination of two ” of these factors would provide a very high level of confidence that the person logging in really was the correct person.

From a senior management perspective, all of this security costs a lot of money with little visible benefit or tangible return to the organization. However, the cost of not protecting information assets, systems and networks from malicious attack can be extraordinary as calculated by different private and government organizations (in the summer of 2003, private businesses suffered a loss of over $3.5 billion dollars recovering from worms and viruses [CERT, 2003]). Even if the calculations are off by a factor of five (i.e., are 20% correct) it is clear that the cumulative financial costs are very, very large.

So how does all of this information tie back to building multi-level barriers? Each organization must examine the value of its information assets and systems and determine how much investment is reasonable to protect it. For a small organization, the investment threshold may be very low, and dependent upon outsource suppliers to provide virus and worm network filters, combined with one or two levels of user identification verification.

For a medium to large organization that has hundreds or thousands of computers and users, calculating how many, and what type of barriers and fallback systems should be purchased can take several months and a team of dedicated security experts looking at the existing equipment and user policies. Once the costs have been identified, senior managers and executives can make a business decision on the costs, schedules, policies and enforcement mechanisms that make sense for their information assets, employees , customers, suppliers and shareholders.