Security Beyond Your Borders

One month after the federal government warned that the nation's IT infrastructure could become a target of terrorist attacks meant to disrupt or disable businesses, many companies say it's become practically a patriotic duty to review internal IT security procedures and take steps to bolster these operations. But they may be overlooking potential sources of vulnerability-flawed IT security policies, procedures, and technologies of business partners that have access to their systems.

It's a sobering thought, considering the growing emphasis on online collaboration. According to an InformationWeek Research survey of 375 IT managers conducted in the spring, 67% say supply-chain collaboration has increased in the past year. The Internet has made it easier for companies to share inventory and sales forecasts, integrate back-office systems, collaborate on product designs, and complete transactions with suppliers, customers, and other trusted partners. Yet only 21% of 4,500 security professionals worldwide surveyed recently by InformationWeek Research say their security policies include procedures for partners and suppliers.

Even when companies do institute security procedures for collaborative efforts, they often take the form of merely providing partners a checklist of requirements and asking them to comply. Few businesses really know or regularly monitor whether their partners follow those policies, IT security experts say.

Big problems can occur when partners fail to follow those rules inside their companies, even if secure technologies, such as virtual private networks, are deployed for collaboration. After all, there have been cases of computers at one end of a VPN being compromised and used to hack into partners' systems via a Trojan horse, a program that appears benign but lets attackers take control of a computer. InformationWeek Research also discovered that 20% of 375 IT managers have experienced security problems and have had secrets compromised as a result of online collaboration.

Cardinal Health Inc., a $48 billion pharmaceutical and medical-supply wholesaler in Dublin, Ohio, has been operating at a higher state of alert since the Sept. 11 attacks, closely monitoring its own firewalls, Internet gateways, and intrusion-detection systems. As critical as internal security is, making sure the systems of partners that have access to Cardinal's systems and data are secure is equally important, says John Hartmann, VP of security in corporate services for the company. "We visit their infrastructure. We'll look down into their intrusion-detection systems, firewalls, how they encrypt important data. We work together to make sure the best security practices are in place," he says.

A wise move, says Clint Kreitner, CEO of the Center for Internet Security, a nonprofit organization that provides security benchmarks and scoring tools so businesses can determine their own and their business partners' security status. "When you hook someone's systems to your systems, their security status suddenly becomes yours," he says. "When you put a circle around your network, you know your status. When you expand that to your partners' systems, it should be of great concern what their security status is."

The issue of partners' security practices becomes even more pressing given the secrecy with which companies shroud their security lapses-according to InformationWeek Research, only 15% of 437 U.S. security professionals alert business partners after experiencing security breaches. And 40% don't report incidents to any agency or organization at all (see chart, p. 44).

Not all companies have the resources to conduct security audits themselves or to pay a consulting firm tens of thousands of dollars to perform an in-depth security audit for them. A number of firms, such as Deloitte & Touche, Internet Security Systems, and PricewaterhouseCoopers, provide security audits. But only the most basic services-such as performing remote-vulnerability scans and providing follow-up recommendations-are covered at ISS's low-end prices of $3,000 to $4,000. More-in-depth engagements can run $40,000 or more. For companies doing business with hundreds of partners over the Web, auditing everyone isn't a realistic strategy.

No independent organization or industry consortium has come up with what's urgently needed-an accepted set of standard IT security practices and a way to score or measure compliance with them, says Alan Paller, director of research at the SANS Institute, an IT security research and education organization. The Center for Internet Security, the Information Systems Audit and Control Association, the International Organization for Standardization, and others are developing such standards, including the ISO 17799 certification and CIS's Internet-security benchmarks, but it will be some time before they're widely adopted.

The lack of widely accepted and agreed-upon security standards is a problem for ArvinMeritor Inc., a $5.15 billion-a-year automotive components supplier in Troy, Mich. The company operates several extranet sites for its suppliers and customers, which pull information from its inventory and order-management systems to let partners check the status of orders and collect invoices. Suppliers can E-mail advance shipping notices to the sites. ArvinMeritor wants to eventually assess its partners' vulnerability to viruses and hackers, but it's struggling to define a minimum level of Internet security to require of them. "We're looking at what's adequate, and we're not sure what that is at this point," says Mark McHolland, director of network services at the company.

ArvinMeritor isn't alone in navigating these murky waters. Dow Chemical Co., which expects to do more than $1 billion in sales through its customer-service Web site MyAccount@ Dow.com and online marketplaces such as Omnexus, TradeRanger, and Elemica, also sees the need for standard practices in the chemical industry for Internet security. Dow is backing a set of XML standards developed by the Industry Chemical Industry Data Exchange, but Dave Kepler, Dow CIO and VP for E-business, urges the chemical industry to move beyond messaging standards and establish standard business processes for E-commerce, including Internet security measures. "Putting the bridge [such as an E-marketplace] in place only works if people know how to drive across it, how to change their work processes," Kepler said during a keynote address at last month's chemical-industry conference EyeforChem.

While the security community and various industries work out standards, many companies say one of their first lines of defense is the common practice of keeping application servers and databases that run core transaction systems clear of activities that take place in their "demilitarized zones" in order to limit the amount of damage that can occur if partner access is misused; DMZs are the most accessible portions of a company's Internet system, typically a Web server. ArvinMeritor has taken this approach. The company uses Web servers from Information Builders Inc. for its customer extranet, which exchanges data with an IBM mainframe that runs its order-management system. Between them sit several layers of firewall as well as encryption and virus-detection software. "We dictate what [partners] can access and how they can access it," says Kent Barth, senior director of Web development at the company.

Also in the defense toolkit: advanced authentication and authorization systems-tools to ensure that the people who access a system are who they say they are and that once in, they have access to only the data and applications they're allowed to use. As a result of the Sept. 11 attacks, analysts expect companies already researching or piloting security technologies such as smart cards, tokens, biometrics, and public key infrastructure to accelerate these implementations. But they don't expect others will rush to implement new security programs. "If you'd already seen value in new security implementations, Sept. 11 helped to validate that value. But I don't think companies who weren't interested in PKI implementations prior to the attacks are going to run out and make those investments now," says Frank Prince, a security analyst with Forrester Research.

CheMatch.com found that its members aren't jumping into the fray to upgrade security since Sept. 11. The Houston E-marketplace for bulk chemicals is implementing an online-payment and authentication system from Cavio Corp. that uses biometric scanning. It will allow CheMatch members to execute multimillion-dollar payment transactions on the exchange for the first time. CheMatch said last month that it would urge its more than 800 members to adopt the authenticated logon feature of the system to do even basic trades on the exchange, in part because of heightened security concerns since the attacks.

But Michael Ereli, VP of technology for the exchange, says early discussions with members have elicited tepid responses to using biometrics to secure basic transactions. Ereli figures biometric authentication would decrease the danger of rogue trading. The trade-off is that because biometric authentication requires a specific piece of hardware to be attached to the user's PC, it defeats the purpose of having an exchange on the Internet, which should let traders conduct transactions from any computer. Initial alarm over cybersecurity was a little overblown, Ereli concludes. "Everyone's realizing that Sept. 11 was extraordinary circumstances. We may need to tighten a few things up, but we're not completely vulnerable," he says.

Nor are companies rushing to move information off the Internet and onto dedicated private lines, a tactic suggested by Richard Clarke, special adviser to the president for cyberspace security. Brad Lontz, director of E-business at Cummins Inc., an engine manufacturer in Columbus, Ind., with $6.6 billion in annual sales, says business executives understand the benefits of collaboration in light of its potential risks. "The Web hasn't increased that risk," he says. "It's easier to walk out of the building with a sensitive CAD document than it is to take it off of an IT system over the Web."

The federal government says it will undertake a project to build an ultrasecure network, parallel but not connected to the Internet, for most government activity. But Govnet, as the project has been dubbed, will cost billions of dollars and take years to build. A key congressional aide, Melissa Wojciak, staff director of the House Subcommittee on Technology and Procurement Policy, which reviews governmental IT programs, says Congress will need to weigh it against other government initiatives. It's no model for corporate America, which has adopted the Internet as a communications tool precisely because it's cheaper, faster, and easier than alternatives. The cost of a private line can run a company six times as much as access to the Internet. "Companies are going to say, 'I don't care what Clarke says, I'm not going to do that unless the government subsidizes it,'" says Allen Vance, VP of offer development at Internet Security Systems.

VPNs, which are cheaper than private leased lines because they use the Internet's infrastructure but add a layer of encryption to create a private tunnel of information between parties, may prove a more-attractive option. Investment in the technology was already rising before the terrorist attacks, and Cahners In-Stat Group says the market will reach $2.9 billion by 2005. Quaker Chemical Corp., a $267.6 million specialty-chemical maker in Conshohocken, Pa., may be one of the companies fueling its growth.

"I worry more about a college freshman writing a stupid virus than terrorists," says Irving Tyler, CIO of Quaker Chemical. The company might replace its frame relay network, which links 15 corporate sites worldwide, with an Internet-based VPN. When Quaker Chemical implemented its worldwide frame relay network several years ago, VPN technology was in its infancy and its security unproven, Tyler says. Quaker Chemical plans soon to establish VPN links with offices in China, where broadband Web access is available and frame relay links are financially prohibitive. At the moment, those offices link up via dial-up connections. "Site-to-site VPN has come a long way in the past year," Tyler says. "It's crazy to think we'd be forced back to more expensive, less flexible approaches to business."

If the information being exchanged among external partners is deemed critical enough, however, some companies may be willing to try alternatives to the Internet. Detroit Medical Center, which operates seven hospitals in southeast Michigan, uses a private network run by ANX eBusiness Corp. The network is completely separate from the Internet but uses Internet protocols and Web standards to communicate. The nonprofit health-care company began using the ANX Network in April to exchange patient data with insurance companies such as Blue Cross Blue Shield of Michigan and also uses it to exchange information with banks and medical suppliers.

Detroit Medical chose ANX instead of the Web to let it comply with Health Insurance Portability and Accountability Act privacy regulations and to replace point-to-point private lines with insurers. But it's not cheap. For T1 connectivity, the nonprofit is paying $9,000 the first year and $6,800 every subsequent year. Plus, it invested $36,000 in new networking equipment, such as routers. Mike Gruich, a project manager at Detroit Medical, says his company wouldn't use the public Internet or VPNs for transactions with insurers, which involves the exchange of patient data pertaining to co-payments and deductibles. "There are too many horror stories out there about stuff leaking out," Gruich says. "This information is too sensitive."

ANX, which began as a communication hub for the automotive industry, is free from distributed denial-of-service attacks and, for the most part, viruses, says Erik Naugle, VP and chief technology officer of ANX. Naugle believes the tragedies of Sept. 11 won't stop companies from using the Internet, but "there's room for more, for a private coexisting network alongside the Internet."

Companies that plan to take their chances on the public Internet or a VPN may ultimately turn to the law to ensure that their partners comply with IT security. Litigation in this area has been scant so far, because most companies don't want to draw public attention to breaches in security. It's also often hard to quantify damages and prove who was at fault. But some security experts believe it's only a matter of time before companies start taking conflicts to court. "There's a lot of speculation that the big lawsuit is coming any day," Internet Security Systems' Vance says.

While the path to collaboration on the Internet is fraught with dangers, few companies perceive those dangers as being greater now than before Sept. 11. Potential terrorist attacks on the nation's information infrastructure wouldn't be as potent as attacks on buildings, says Hal Varian, dean of the School of Information Management at the University of California at Berkeley. "Because of redundancy in the system," he says, "we could have a hit on our telecom system, costing us only a few days of disruption and a few million dollars-nowhere near the costs of these property attacks we've experienced."

Even fewer companies believe the risks of online collaboration will ever outweigh the benefits. Companies are charging ahead because alternatives such as fax and electronic data interchange are slower and more expensive and don't meet customers' needs. "The only thing that's bullet proof is to not use the Internet," says McHolland of ArvinMeritor. And for most companies, that's simply not an option. -with Eric Chabrow and George V. Hulme