Securing IT Services
Very few management textbooks would go into the technical detail this book uses to describe the security and performance problems we all face. Hopefully you found the descriptions of various situations helpful to you. Here are some points I would underscore:
Availability. The systems we use are interconnected and a failure in one part can lead to problems across all connected systems. Service availability is dependent upon component availability. A system that uses multiple components will have service availability no greater than the cumulative downtime of all the components. In other words, if each component is down 1% of the time and I have five components in my system, my system will not be able to serve me 5% of the time. The graph on page 426 shows this quite well.
I hope as you were reading that, you were thinking of the systems you use every day, and counting the devices necessary for you to send email or download reports.
Facilities. Last year when the recession really began to bite, I was at a meeting of area CIOs and we discussed project funding. All said that many projects were being scaled back, but they could still get money for security installations and development. 9/11 woke up a lot of CEOs to the plight of businesses that could be attacked. This chapter describes some of the facilities larger companies can build and some of the measures they take (I know of one Valley employer who takes security even further, hiding the data center in a remote location). For smaller companies there is now a growing business of providing data security for a monthly fee, complete with regular data downloads and safe storage.
Threats. While the threat description in the book was very comprehensive, I think if the authors were writing the chapter this week, they would add an additional section on digital warfare. We know a number of efforts were made by the Serbians to attack US systems, and experts came to realize that the Internet made a vehicle for such attacks in all future conflicts. While we would expect most attacks to be against government and military targets, there is no reason to assume that commercial enterprises would somehow be exempt. What kinds of attacks would they use? I would expect the usual hacker attacks, but attacks written with state support using the “talents” of the native experts and hired hands – essentially more attacks with more effective techniques. Unfortunately, three weeks ago when I asked a group of CIOs whether they were taking additional precautions as the war approached, none said they had given it much thought. I hope they don’t come to regret their inattention.
Responses. I won’t add anything to the comprehensive list of responses in this chapter, but I would urge you to take a look at a web site they mentioned:
The Computer Emergency Response Team comes out of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh. I have been to one of their training seminars and I was very impressed. Just browse the site to see the resources they have and the range of attacks they are handling. They are the U.S. experts on this topic.
I prefer you not talk about your company’s security responses this week. There is no reason for outsiders to know what you do or do not do to protect your company. I hope you will look into the measures the company takes and evaluate for yourself if the company is on the right track.
Let’s focus our questions this week on the case.
1. Given all the suggestions in this chapter, what should iPremier have done to protect themselves? Now that the attack is over, what should they do? Besides the technical responses they need to take, are there responses they need to take in regards to their customers or investors?