More than at any other time in the history of the industrialised world, the health of the corporation is directly related to the security of its data.

Now, thanks to a new Australian Defence Signals Directorate program that provides independent evaluation, IT buyers can be confident that certified products deliver required levels of security.

When it comes to IT&T security, two truisms come to mind: you never know how secure your systems are until the day someone tries to break in, and relying on faulty security can be worse than having no security at all.
Taken together, these truisms present IT managers with some interesting challenges, particularly in light of the industry's track record of major security exposures being discovered only well after a security product has been released to market.
Take the security flaws in Netscape Communications' Navigator browser and SunSoft's Java code discovered by graduate students at Princeton University last May, or the theoretical defect in smart card implementations found by computer scientists at Bellcore last September.
If they tell you anything, such incidents tell you no one can take security on trust any more.
But if the best personality trait an IT security manager can have is paranoia, how can such a manager ever hope to believe in his or her security vendors? Indeed, how can any organisation rely on products to provide the promised security? How can they ever be sure developers of the product have covered all the eventualities? The simple fact is, users must be confident of the security of the system they use, and that confidence can only come from having a yardstick with which to compare the security capabilities of IT products they are thinking of purchasing. Ideally, this yardstick will come through an impartial assessment by an independent body, against objective and well-defined security evaluation criteria, and resulting in certification by a body capable of confirming the evaluation has been properly conducted.
Fortunately, in Australia that yardstick just got a whole lot better. A new Defence Signals Directorate (DSD) program, the Australian Information Security Evaluation Programme (AISEP), will give Australian IT security managers new levels of assurance about the products they buy.
Until 1995, all Australian IT security evaluations were conducted by DSD itself, acting as the National Computer Security Advisory Authority. Under pressure of increased demand, DSD has decided to introduce an entirely new scheme that relies on carefully vetted private companies to evaluate products.
The new scheme sees evaluations performed by impartial companies against the internationally recognised Information Technology Security Evaluation Criteria (ITSEC). A European computer security classification adopted for Australian Government organisations, ITSEC rates security products against agreed security and quality-control parameters. DSD will oversee all evaluations and certify the results only when the criteria have been followed in every respect.
The program will consider a wide range of security products, from secure operating systems and sub-systems through identification and authentication products, to encryption products and firewalls.
More flexible than other security evaluation schemes in place around the world, ITSEC leaves those commissioning the evaluation free to specify the functionality they want evaluated (the product's security target), rather than binding them to fixed functionality classes. The corollary for buyers is that a rating certifies only the functionality in that security target, for the version and configuration that was evaluated; the security target, not the E-level alone, tells you what the product was actually tested to do. The other advantage is that commercial enterprises, including vendors and users, will be free to commission evaluations as required, rather than waiting for a government agency to call for one.
According to National Computer Security Advisory Authority (NCSAA) senior manager Guy Hanson, the evaluations will give Australian IT buyers renewed confidence that certified products will provide the required level of security.
"The importance of protecting sensitive and privileged government data cannot be emphasised enough," says Hanson. "There's certainly been a bit of a track record of products having problems, and often those things are pretty late in being publicised, and by that stage someone has probably used that vulnerability to get into your system.
"The intention behind the scheme is to provide the widest possible range of certified, independently evaluated products for use by government departments in protecting their classified or official information. It is also there to provide a mechanism whereby the IT&T security industry can get products or developments evaluated to ITSEC standards in the most efficient and hopefully cost effective manner possible.
"And if non-government people want to use the evaluations that result from our scheme we're quite happy for that to occur," he adds.
Only companies licensed as AISEFs (Australian Information Security Evaluation Facilities) will be able to perform evaluations. Licensed by DSD, AISEFs must prove they meet the strictest possible standards of technical expertise, quality control and commercial integrity. So far only Admiral Computing (Australia) and CSC Australia have been licensed as AISEFs.
Hanson says AISEP is already receiving high levels of interest from both vendors and organisations looking to have their systems rated as "secure" to Australian standards and to meet Australian conditions.
"We've got nearly a dozen products under evaluation, and a few others are starting to line up and get interested," he says.
"Certainly we are starting to see that there is quite a bit of interest in industry for ITSEC evaluated products. I know some of the banks are interested in them, State Government departments and Federal Government departments are interested, and the industry itself is looking for that type of assurance," says Hanson.
There are six levels of evaluation assurance, from E1 to E6 (ITSEC also defines E0, meaning inadequate assurance; it is not a rating a product can usefully claim). A product evaluated to E1 may be used by government to protect sensitive information. Only products evaluated to the highest level, E6, can be used to protect nationally classified SECRET information from uncleared (and potentially hostile) users.
At the time of going to press, AISEP had just completed its first evaluation, of the Sun SPF100 firewall, which was evaluated to E1.
"We've been very pleased with the way that firewall evaluation went," Hanson says. "It's taken only a few months, the quality of the evaluation has been good, and we've been very happy with the way that evaluation was performed by the evaluation facility.
"We're feeling that take up of the program is now starting to pick up, after a slow start-up period, and we're happy that it's now going to provide good, certified products to government."

Discovering that the firewall or encryption product you just spent a fortune on has major security flaws by reading about it on the Internet is a hard way to find out about the problem, particularly since it may well be too late by then to avoid exposure. Concern over the lack of a security rating can even cause organisations to hold off on adopting new techniques and technologies.
For instance, many government departments and some private sector organisations are so concerned about the lack of a single firewall product certified by the Federal Government for local use that they have decided to delay introduction of Internet services until the situation is rectified.
Now leading firewall and Internet security specialist Softway has become the first organisation in Australia to submit a firewall, its Secure-IT Gauntlet product, for evaluation at the E3 level.
Under Australian Government regulations, certain types of sensitive data - including data under the protection of privacy legislation such as tax, welfare and law enforcement details - must be secured at E3 or greater.
"Until now, no firewall vendor in Australia has applied for certification beyond the E1 level," says Hanson, adding his office was seeing a high level of activity for firewall certification.
"I think obviously there's a big take up of Internet connectivity both in government and throughout the industry as well, and of course people want to be properly protected.
"Softway's decision to apply for E3 certification has the full support of DSD.
Many government departments urgently need a certified E3 firewall. Without an E3 firewall, these departments have been forced to delay the introduction of Internet services," he said.
Hanson says the firewall began formal evaluation in late October last year, at which time the product was placed on DSD's Evaluated Products List (EPL) under "In Evaluation". To evaluate the product to ITSEC standard, CSC Australia will consider both Softway's own corporate security procedures as well as the Secure-IT Gauntlet firewall itself.
"Evaluation of the software developer, not just the product, is important," says Hanson. "Softway has access to the source code for its firewall. As a result, DSD must have confidence in the company's internal security procedures and business processes."

But the evaluation will have to go even further than that. Since Softway's Secure-IT Gauntlet firewall is based on firewalls developed by Trusted Information Systems (TIS) Inc, a US-based Internet security specialist, CSC must also evaluate TIS before Gauntlet can be awarded its E3 rating.
So far, vendors have paid to have evaluations conducted by AISEFs, with DSD overseeing the evaluation. DSD's role is to ensure evaluations have been conducted fully to the IT security criteria, and that there has been no conflict of interest during the evaluation process.
"The whole idea of the scheme is that we've chosen the companies that have the expertise and the management practices and the integrity to perform the ITSEC evaluations. DSD remains in the process as the certifier so that the actual evaluation results are every bit as good as if we did it.
"We oversight the entire process, and we won't put our stamp of approval on that particular evaluation unless we are happy with the way it was conducted," explains Hanson.
Hanson says the Australian scheme compares well with the equivalent schemes operating in the US and UK. For one thing, in Australia commercial sponsors are free to initiate evaluations of their own products, whether they wish to sell to government or see other advantages in holding a security evaluation.
In the US, by contrast, the Government will currently only evaluate products it plans to use in Government IT. This may change soon: Hanson says the US is now looking closely at the Australian model as it considers adopting a commercial scheme similar to ours.
Being evaluated is not cheap. An evaluation takes upwards of three months, billed at standard industry consultancy rates. Nonetheless, the scheme seems to promise good value for money. Hanson says overseas studies show the cost of a commercially sponsored evaluation is about the same as the cost of a fully government-performed evaluation.
"A lot of that is down to the extra time taken in a government-performed evaluation. Limited government resources mean the cost of actually supporting evaluations with documentation, and in having people available to answer questions, actually adds quite a bit to what is supposedly a free evaluation."

Hanson says all Australian users should have a high degree of confidence in products evaluated under AISEP.
"They've been conducted to internationally recognised standards, they are being oversighted by an independent government body, and as a consequence all concerned can have confidence the evaluation is good."

And he says that as more vendors win certification for their products, rivals will feel considerable pressure to ensure their products are rated to the same high standard.
"The number of products starting to get into the evaluation section is growing, and I think that as more and more companies start to see a benefit of getting an ITSEC certification, that number will grow even more. Certainly we are getting quite a few more firewall vendors interested in undergoing certification," he says.
"Basically what we are trying to do is to make the process as attractive as possible to potential evaluation developers and evaluation sponsors. We want more products available to government, and of course available to everyone else.
"I think the program is good news for the whole IT community. It will be good for the users of IT security products and I also hope that it's been good for the providers of IT security," says Hanson.