Information Security Technical Report, Vol. 1, No. 2 (1996) 1-2

Introduction

Gary Hardy, Director of Consultancy, Zergo Ltd

This issue of the Information Security Technical Report concentrates on the topic of Distributed Systems Security.

I can remember when the term “Distributed Systems” first appeared in the mid-seventies. In those days distributed systems meant implementing mini computers in business areas outside of the traditional mainframe environment, with a communications link to the centre. The distributed system was really a local system acting as a front end to the mainframe. The terms personal computer, local area network, remote gateway, homeworking, desktop computing and so on hadn’t been invented, and word processing was only just emerging based on special machines built for the purpose.

From a controls point of view, these so-called distributed systems were usually set up, wherever possible, with mainframe-like controls. The machines were housed in purpose-built rooms, the user interface was a dumb terminal, and much of the processing followed fairly traditional control schemes.

Nowadays, of course, the IT environment is entirely different. IT has become available to everyone and everyone can connect their IT with everyone else via networks. It could be said that the distributed computing environment is nothing more than the consequence of the explosion of IT and its mass availability to individuals at all levels.

From a control and security perspective the changes are very significant. The new technologies that are available now and those that are expected to appear in the next few years provide major control challenges. The culture, discipline and practices that we have been used to must be applied in a more complex environment.

In general, the business requirements for security have increased considerably because the IT is more pervasive and there is a much higher dependency on IT to support critical business operations. The power of information and the realisation that it is a major corporate asset have raised the awareness in all types of organization of the need for better information security.

The solutions fall into two main categories:

Organization and management

Security of IT is clearly the responsibility of every member of the workforce, because everyone is an active user. Awareness, local ownership and accountability have never been more important. In today’s lean and flat management structures, controls need to be coordinated centrally but devolved efficiently to individual business functions. Clear organization-wide policies, standards and guidance are needed to maintain consistency and to enable efficient working practices to be put in place. Controls that are piecemeal, disjointed and uncoordinated are a recipe for high risk, high cost and inefficiency.

Technical measures

The advanced technology of today requires advanced technical approaches to security. Increasingly, automated functions for security tasks such as access control, communication security and data integrity are becoming available, and are being recognised as an essential part of the IT infrastructure, not an afterthought. Security of the distributed IT infrastructure must be based on a consistent architecture, a sound management and administrative platform, and should use technology that enables interoperability and flexibility.

0167-4046/96/$15.00 © 1996, Elsevier Science Ltd

The control mechanisms are becoming increasingly complex. Standardised, open-systems-based solutions are needed by organizations wanting a consistent, long-lasting, enterprise-wide approach to distributed systems security.

The Report further develops these issues and covers the following topics:

An overview of security in the distributed systems environment, with examples of the new risks that exist and the new types of control that are required to manage them, by Mike Horrell of Zergo.

A practical case study of how a major UK utility has implemented controls in a distributed environment, by Simon O&y of Solarity.

An examination of how access rights in a distributed environment can be administered centrally using a sophisticated management tool, by Keith Girt of Zergo.

A look at data warehousing and the ways in which data can be protected and backed up, by Joe Galsworthy of StorageTek.

The real issues behind single sign-on, one of the current hot topics in distributed access control, by Gary Hardy of Zergo, and

Two articles covering the need for standardisation and technically consistent approaches to multi-platform distributed systems. The first takes a look at object-oriented systems and describes the initiatives of the CORBA Object Management Group, by Belinda Fairthorne of ICL. The second looks at the standards resulting from the initiatives of the Open Group.

All the articles in this report represent the views of the authors and not necessarily the views of the organizations that they represent.