IT must take a broader view of security than is mandated by California's new legislation.
If a homeowner installed a steel-reinforced front door, then added a surveillance camera and even posted a 24-hour guard, one might hope that a helpful neighbor would ask, "But what do you have out in back?" One must assume that weaker points will quickly become the targets of new attacks.
Californias Database Breach Security Notification law (SB 1386) likewise invites a narrow focus on the front door of customer-facing ITthat is, on the edge-protection and encryption elements of what ought to be an overall security strategy. Its vital, though, to keep on walking around the building and checking all the doors and windows, especially at high-visibility financial transaction sites, whose threat environments can be dangerously diverse.
See eWEEKs recent interviews with IT execs from MasterCard
The challenges facing a data-intensive operation like Visas range from imperfect technology to careless users and, increasingly, even to the unintended consequences of poorly crafted laws.
In the technical realm, every possible type of cyber-attack has some possible bearing on a customer-facing e-commerce sites operations: A saturation-bombing denial-of-service attack might degrade system performance, shifting business to other service providers. A passive snoop of the origins, times and amounts of transactions could give a company valuable knowledge of the success of its competitors various promotional campaigns. Unauthorized access to individual records could have severe privacy implications as well as creating opportunities for fraud.
Every IT security pro must take a correspondingly comprehensive view of threats both inside and outside the direct control of the enterprise and must develop the partnerships necessary to achieve security end to end rather than merely edge to edge. If an attacker cant succeed through technology, theres always trickery. For example, any number of scams display great success in getting people to disclose credit card numbers and other key data to persons who pretend to be legitimate customer service personnel. Continuing user training is therefore an essential part of any security solution.
Enterprise IT architects should likewise strive for security that does not depend on the users knowledge or awareness, since users bad choices (such as obvious passwords) are among the most common points of failure.
Visas Thompson is exactly right in identifying reliability and performance as the crucial technical criteria and the need to enable new value-adding services as the strategic mandate that Visas technology gurus must constantly bear in mind. All enterprise IT pros should be thinking along the same lines. Security is a means, not an end, and it must be achieved in ways that complement and do not confound the goals of the system being protected.
Technology Editor Peter Coffee can be reached at firstname.lastname@example.org.