Building a Safety Net

Enterprise computer security is everybody's business.

Who is responsible for the latest rounds of virus and worm attacks? While speculation includes the usual suspects—intelligent but twisted coders—the list has also lengthened to include digital terrorists. While we may never know who is responsible, the bigger question for technology professionals is who is responsible for keeping those viruses and worms away from your company's IT infrastructure.

The answer is everyone: vendors, end users and system administrators. Everyone needs to own up to responsibility, or businesses will be suffocated under a continuing worm and virus onslaught.

Vendors, Microsoft in particular, are everyone's favorite blame target. Next January will mark the two-year anniversary of Bill Gates' memo outlining the company's Trustworthy Computing strategy, in which Gates said that from that time on, the company would give priority to security over new features in upcoming products. That initiative was not inspired by altruism, but by the recognition that as Microsoft marketed to a Windows environment ranging from tiny mobile devices to huge enterprise servers, the company's fortunes would rise or fall with the level of customer trust.

The upcoming announcement this fall of Office 2003 will be an opportune time for Gates to explain how Trustworthy Computing is faring in the face of continued virus attacks that leave end users with systems tangled and useless. The current process of posting and pushing fixes via the Web is not working. Users can't be counted on to install the patches, and system administrators can't be expected to allow patches to be installed without some testing to see what effects those patches will have on their networks.

In a recent phone interview, Steven Sinofsky, Microsoft's senior vice president for Office, said, "The Microsoft Office [2003] design is the most secure system we can design." It had better be, as the next version of Office transforms the product from an integrated desktop productivity suite to an application integration platform for tying companies closer to customers and suppliers. Office users I've spoken with are unanimous in asking that Microsoft explain and defend its Trustworthy Computing road map before extolling the integration benefits of the new Office platform.

"In light of this week's virus-related issues, we have chosen to delay our deployment of Office 03," said an eWEEK Corporate Partner, asking to remain anonymous to keep competitive vendor calls to a minimum. "We had planned to release a qualified Win XP/Office 03 build onto new computers and gradually deploy to the rest of the corporation. What we have decided is that we need a much more robust Win2K environment before we can do the gradual migration."

"How can anyone responsible for infrastructure allow tighter collaboration without solid security? The rapidity with which the latest round of worms spread was amazing," said Kevin Baradet, chief technology officer at the Johnson Graduate School of Management at Cornell University and another Corporate Partner. "At this point, I would be very reluctant to turn on any of these collaboration features unless I could be sure that the productivity gained was significantly greater than the costs of cleaning up after an incident."

In this case, customers are doing the right thing in demanding upfront that a vendor address the security issue. The virus problem will not be solved by finger-pointing after the fact, but by being proactive in addressing the problem.

Of course, being proactive is difficult when your servers are crashing under the latest virus attack or you have end users who habitually open unknown files and carry laptops that live in both protected corporate environments and wide-open home and travel environments.

And it would be good to see hardware vendors spending as much effort to provide systems that can be easily and visibly locked down as they do promoting systems that have the latest displays and huge storage capacity.

In the end, all those touched by a computer virus are responsible for setting up an environment where the next virus will be kept at bay. Until that responsibility is shared by all, the next virus making the rounds will continue to make a mockery of the current state of security.


Eric Lundquist can be reached at