Protect and survive
Security vendors are upbeat about getting resellers more involved in policy management. Ken Young reports in the final part of our security series
Most firms know they need to have clear procedures and rules for employing staff. Without them they can end up dealing with an unfair dismissal claim, or finding it hard to hire new staff because potential recruits don't want to work for a company that doesn't practice good HR.
But when it comes to protecting the integrity of company data, good practice based on industry standards is for the most part the preserve of large firms. In smaller businesses, standard procedures relating to policy management are all too often left to staff that do not have the skills to implement them or the political sway to enforce them. According to research commissioned by Message-Labs and unveiled at Infosec 2005, 40 per cent of UK firms have no formal risk policy in place.
This lack of clear procedures is seen as a plus by security vendors eager to help resellers leverage new business from their clients. They see policy management as a way of helping customers adopt a more cohesive approach to installing security kit and services, as well as a means of gaining opportunities for ongoing sales.
But doesn't policy management mean different things to different people? Won't revenue models have to be redesigned for different vendors? Yes and no. At the upper level, there is general agreement over what it entails; the devil is, of course, in the detail of how it is implemented.
Richard Keighley, principal consultant at the BT security practice, says: "An IT security policy is a set of statements containing the specific requirements or rules that must be met to protect an organisation's IT assets. It should be part of the organisation's wider information security policy which mandates how information should be protected across the business and where it can be exchanged with other parties."
Keighley says there are three main drivers for IT security, and hence security policies. The first is the need to manage operational risk; the second is to use security policies as a business enabler; finally, policy should allow companies to comply with legal, statutory, regulatory or contract requirements.
It seems fairly simple, so where's the rub? "The opening up of IT infrastructures and systems to suppliers, customers and employees, the growth of remote working and mobile devices, globalisation, and the 24/7 economy are all leading to increased vulnerability and complexity in today's IT infrastructure," says Keighley.
As well as these pressures, organisations are increasingly required to comply with regulations and legislation, such as the Data Protection Act, the Freedom of Information Act, Basel II, and, for companies traded on the New York Stock Exchange, the Sarbanes-Oxley Act.
But, in practice, experts remark that most resellers are used to selling discrete devices to customers, rather than helping to create an overarching security policy.
Ian Kilpatrick, chairman of distributor Wick Hill Group, says: "The norm is to sell integrated applications in a device, but in reality security is much more complex. Ten years ago, having a firewall was probably enough, but now even email needs a policy in relation to regulations, protecting confidential information and compliance.
"For us, policies are crucial to the success of a sale. Customers shouldn't really buy kit until they know what their policy is. But a reseller can't just go in and try to get the customer to build policy from the top. I advise them to pick a high-risk area which is a nice easy kill. You can show them how a policy applies there, and then build on it. Don't be overambitious. Ultimately, a policy is about how you manage risk. It's important to remember that."
But Kilpatrick warns against aiming at board level. "You can't turn them into 'policy bunnies' overnight. It's better if you come up with a solution that you can install and manage. That's easier to sell, and once you have buy-in, it's a matter of what you might call 'mission creep' as they apply it more widely," he says.
David Ellis, director of e-security at distributor Unipalm, says resellers need a more professional approach to protect sales. "Policy is a good opportunity to offer consultancy and can be quite lucrative, as well as helping to bind in product sales," he says.
"Without a broader view, you will be drawn into a price war over products, and you have to protect against that with ongoing business built around a clear policy. It helps create 'lock-in' too. In many cases a network and any existing security will have evolved over time. A good way of opening up the business is by offering a vulnerability or penetration test. Resellers can show their clients that a network is continually evolving with users, applications, data, wireless links and so on being added or removed."
Ellis maintains that testing services will help the reseller (and customer) locate where information is stored, understand the security measures that are currently in place to guard that information, and identify areas of weakness and suspect configurations that place information at risk.
If it is possible to look for hotspots that help introduce the idea of policy management to a customer, it is perhaps also possible to focus on discrete areas of activity. Alyn Hockey, technical director at vendor Clearswift, believes this is possible when considering email and web content filtering.
"We focus on understanding the customer's business and looking for areas of weakness," says Hockey. "For example, every organisation has some kind of payroll, and it is important to make sure that the kind of information that is sent from that department is authorised. Similarly, you can set policy that ensures that sales information can leave the building only when authorised."
Graham Cluley, senior technical consultant at security vendor Sophos, concurs. "The channel can tailor virus disinfection or spam quarantine policies for customers, as well as arranging offensive content filtering and corporate policy compliance. Firms need policies that monitor email communication and information access rights," he says.
Hockey adds that the key for resellers is to help customers create rules that govern what is confidential and what happens when a member of staff tries to send confidential information out of the premises. "We can even monitor web email accounts such as Hotmail to make sure they are not being used in a way that threatens company confidentiality," he says.
All vendors advise resellers to get up to speed with the compliance issues of Sarbanes-Oxley and the like. "You can then inform a customer about the importance of good practice in relation to compliance," says Hockey.
If a company is large enough, then it may consider following the British Standard (BS) 7799, relating to information security management, and its international counterpart, ISO/IEC 17799. These comprehensive standards address all aspects of information security, and provide a framework for identifying security needs for both technical and non-technical control. The international standard is being revised, with the new version due later this year.
If waking up customers with talk of standards is not enough, a stronger line may be appropriate. "Many companies are still selling security using the 'fear factor', citing high-profile cases where companies have been hacked," says Ellis. "For a VAR to get to a senior member of staff, this could well be a valid tactic, if an attack means that an organisation's corporate image could be tarnished or its stock value affected."
Ellis says that recent reports have also helped, such as the Turnbull report, which concludes that public quoted companies must have a risk management strategy in place to protect shareholders from unnecessary dangers.
Ellis adds: "There has also been a lot of recent publicity about Sarbanes-Oxley for US-listed companies, and about Basel II."
Another approach is to highlight the importance of staff training and awareness. Colin Bradley, business development director for Dimension Data's security business unit, says firms often do not keep up to date.
"There are still a large number of organisations that either do not have an adequate security policy in place, or have failed to update their security policy so that it truly reflects the changing nature of their business," says Bradley.
"The biggest challenge for most security officers remains the education of users about the potential risks that arise from ignoring a security policy. Although new tools are available to assist with the implementation and monitoring of security policies, it is only when the users start to play their part that firms can get the benefits."
For staff to take things seriously, Kilpatrick says it is also important for the reseller to help the customer ensure there is high-level buy-in. "It's no good if policy is the domain of the IT department, but it doesn't have the power to enforce rules across other departments," he says. "It must get complete board-level agreement, and must be able to stop the use of things such USB keys, which can be used so easily to steal data from hard disks."
Resellers can also a play a part in ensuring that policy is widely available within a firm. Sue Beesley, commercial director at VAR Network Defence, says the days of paper-based policy documents are over. "It has to be electronic so that it can be easily updated and presented to staff on the desktop; an intranet is ideal," she says.
The firm is a reseller of Extend Technologies PolicyManager, a means of presenting a test to staff at regular intervals to see if they are conversant with policies. Those who fail the test are locked out of the network.
"It's a pretty unique offering," says Beesley. "You can do similar things with scripting, but let's face it, we all glaze over after having to respond to a basic script when we are signing on, so it's just not enough to do that."
Beesley believes it is difficult to leverage policy issues without senior level buy-in because there are so many key issues to consider.
"Firms have to think about liability as well as risk," she says. "For example, they have to protect themselves against harassment claims, if they are deemed to be not protecting staff from offensive material in emails or on the web. They must also avoid falling foul of the Computer Misuse Act and ensure that staff are not using network access to download hacking tools."
Many experts see mobile workers as the greatest weakness in policy management, a weakness that presents another big opportunity for resellers. The fear is that a member of staff can come back from a holiday and connect a laptop that may not be fully updated. Products such as iPass Endpoint Policy Manager are seen as an effective means of ensuring that such threats are better managed.
David MacFarlane, business development director of virtual network operator Sirocom, says: "Endpoint Policy Management has been developed specifically to let IT staff enforce the proper configuration and use of security software, automatically update operating system security patches and anti-virus definition files on remote devices, and centrally manage policy enforcement. Laptops that present any threat are not allowed access to the network."
With the growth of phishing, denial-of-service attacks, malware and spyware, it looks likely that the potential to add value through policy management consultancy and products is here for some time to come.