Broad Security Focus Is Critical

By Peter Coffee  |  Posted 2003-10-13 Print this article Print

IT must take a broader view of security than is mandated by California's new legislation.

If a homeowner installed a steel-reinforced front door, then added a surveillance camera and even posted a 24-hour guard, one might hope that a helpful neighbor would ask, "But what do you have out in back?" One must assume that weaker points will quickly become the targets of new attacks.

Californias Database Breach Security Notification law (SB 1386) likewise invites a narrow focus on the front door of customer-facing IT—that is, on the edge-protection and encryption elements of what ought to be an overall security strategy. Its vital, though, to keep on walking around the building and checking all the doors and windows, especially at high-visibility financial transaction sites, whose threat environments can be dangerously diverse.

See eWEEKs recent interviews with IT execs from MasterCard and Visa.
The challenges facing a data-intensive operation like Visas range from imperfect technology to careless users and, increasingly, even to the unintended consequences of poorly crafted laws.

In the technical realm, every possible type of cyber-attack has some possible bearing on a customer-facing e-commerce sites operations: A saturation-bombing denial-of-service attack might degrade system performance, shifting business to other service providers. A passive snoop of the origins, times and amounts of transactions could give a company valuable knowledge of the success of its competitors various promotional campaigns. Unauthorized access to individual records could have severe privacy implications as well as creating opportunities for fraud.

Every IT security pro must take a correspondingly comprehensive view of threats both inside and outside the direct control of the enterprise and must develop the partnerships necessary to achieve security end to end rather than merely edge to edge. If an attacker cant succeed through technology, theres always trickery. For example, any number of scams display great success in getting people to disclose credit card numbers and other key data to persons who pretend to be legitimate customer service personnel. Continuing user training is therefore an essential part of any security solution.

Enterprise IT architects should likewise strive for security that does not depend on the users knowledge or awareness, since users bad choices (such as obvious passwords) are among the most common points of failure.

Visas Thompson is exactly right in identifying reliability and performance as the crucial technical criteria and the need to enable new value-adding services as the strategic mandate that Visas technology gurus must constantly bear in mind. All enterprise IT pros should be thinking along the same lines. Security is a means, not an end, and it must be achieved in ways that complement and do not confound the goals of the system being protected.

Technology Editor Peter Coffee can be reached at

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel