Does tamper-proof technology really exist, or is tamper-resistant the best you can expect?
Many organisations mistakenly believe that they are secure, but little do they know that what they believe to be tamper-proof security technologies are at best merely tamper-resistant. Tamper-proof is the stuff that myths are made of. The basic tenet of security holds true in the physical and the digital worlds: if you try hard enough or for long enough, any security measures can be overcome.
Enhancing security and confidentiality in a digital age where information flow is a sought-after commodity does impose security and confidentiality risks. Technologists have invented methods for controlling these risks, but just as in the physical world, in the world of digital security the best protection comes from layers of complexity to slow down and confuse the attempts of would-be crackers. Holograms, software copyright protection, network access control, digital certificate authentication and trusted security centres are all examples of what people believe to be tamper-proof, but in reality they simply provide layers of resistance to tampering. They serve to slow down information traders and system crackers, as well as those who steal intellectual property on physical digital media.
More could be done, but at what cost? Applying 'layers of depth' to achieve a degree of 'tamper-proofing' for a server environment in a trusted centre means having a root key to derive digital certificates containing public and private keys signed by three sources with three locks, no network connection, contained inside a safe with no windows and a door that requires three people to be present to open it! This level of layering may be justifiable in the case of a trusted centre, but is simply neither practical nor economically viable in most everyday business environments.
Nonetheless, the principle remains sound. Layered, in-depth levels of security will work for you when you apply the rules. A minimum of three levels of testing or checking is a prerequisite, depending on the value of the asset being secured. For example, at a basic level, securing against poor or faulty data capture would see a data capture process performed by two clerks and tied back to manual and system hash totals.
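The data capture check described above can be sketched as follows. This is an added example, not code from the article, and it assumes the hash total is the usual batch control total (here the sum of account numbers); the record layout, function names and sample batch are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    account: int       # non-monetary field summed into the hash total (assumed layout)
    amount_cents: int

def hash_total(batch):
    """Control total: sum of account numbers, meaningless except as a check."""
    return sum(e.account for e in batch)

def reconcile(clerk_a, clerk_b, manual_count, manual_hash):
    """Return a list of findings; an empty list means the batch may be posted."""
    findings = []
    # Layer 1: two clerks key the same documents independently.
    if len(clerk_a) != len(clerk_b):
        findings.append(f"clerks keyed {len(clerk_a)} vs {len(clerk_b)} records")
    for i, (a, b) in enumerate(zip(clerk_a, clerk_b), start=1):
        if a != b:
            findings.append(f"record {i}: clerks disagree ({a} vs {b})")
    # Layer 2: record count against the manually prepared batch header.
    if len(clerk_a) != manual_count:
        findings.append(f"record count {len(clerk_a)} != manual {manual_count}")
    # Layer 3: system hash total against the manual hash total.
    system_hash = hash_total(clerk_a)
    if system_hash != manual_hash:
        findings.append(f"hash total {system_hash} != manual {manual_hash}")
    return findings

# Constructed sample batch and its manually prepared control figures.
SOURCE = [Entry(100234, 15000), Entry(100871, 9950), Entry(101502, 120000)]
MANUAL_COUNT = 3
MANUAL_HASH = 100234 + 100871 + 101502

def demo():
    clean = reconcile(SOURCE, list(SOURCE), MANUAL_COUNT, MANUAL_HASH)
    # One clerk transposes digits in an amount: only double keying notices.
    typo = [SOURCE[0], Entry(100871, 9590), SOURCE[2]]
    one_typo = reconcile(SOURCE, typo, MANUAL_COUNT, MANUAL_HASH)
    # Both clerks key the same wrong account: double keying passes, hash total fails.
    wrong = [SOURCE[0], Entry(100817, 9950), SOURCE[2]]
    same_error = reconcile(wrong, list(wrong), MANUAL_COUNT, MANUAL_HASH)
    # Both clerks miss the last document: count and hash total both fail.
    short = reconcile(SOURCE[:2], SOURCE[:2], MANUAL_COUNT, MANUAL_HASH)
    return clean, one_typo, same_error, short

if __name__ == "__main__":
    for result in demo():
        print(result or "batch accepted")
```

Each layer catches a failure the others miss. A hash total over account numbers does not detect an amount that both clerks key wrongly in the same way, which is why a separate control total on the amount field is normally kept alongside it.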
At the security planning level, organisations need to know the risks they are trying to mitigate before designing and implementing layered security. Typically these risks arise around:
* The increased risk when implementing new technologies.
* The risk of legal consequences.
* The risk of ignorance or lack of awareness.
* The risk of no security management at all.
Where do you start taking care of these? Ask yourself four questions: which technologies; why; where; and how do I know if they are working? If you struggle with the answers to these then you may have a serious problem with a lack of policies, rules, process and system, which all adds up to no security governance.
That means starting at the top and following a structured approach such as the following:
* Policies, structures, organisation, processes, technology, tools.
Control and measure
* Collect key performance indicators (KPIs) for all departments.
* Benchmarking against industry standard and company targets.
* Balance cost savings and acceptable risk.
* Measure return on investment.
* Independent review by internal audit or outside group.
Establishing effective security goes beyond following four high-level and easily interpreted steps listed in a magazine article. It requires a commitment from the stakeholders of the organisation, through vision and strategy development to create a top-level security policy in line with CobiT, which was issued by the IT Governance Institute and developed as a generally applicable and accepted framework for IT governance. It requires good IT security and control practices that provide a sense of order and comfort to management, users, and IS audit, control and security practitioners.
A recommended approach to delivering the levels of security required is to adopt a standard such as ISO 17799, to create an Information Security Management System and security management organisation which will prescribe and measure a recurring security review.
ISO 17799 is the most widely recognised security standard in the world. Although it was originally published in the mid-'90s, it was the revision of May 1999 that really put it on to the world stage. Ultimately, it evolved into BS EN ISO 17799 in December 2000. ISO 17799 is comprehensive in its coverage of security issues, containing a significant number of control requirements. Compliance with it is consequently a far from trivial task, even for the most security-conscious of organisations.
Mitigating risks begins with implementing tamper-resistant technologies in accordance with the policies and rules of an established security system, managed by a security organisation with the right skills and experience. To be effective, they need to be based on good-quality governance principles.
Unisys is a worldwide information technology services and solutions company. Our people combine expertise in consulting, systems integration, outsourcing, infrastructure and server technology with precision thinking and relentless execution to help clients, in more than 100 countries, quickly and efficiently achieve competitive advantage.