- Email: [email protected]
Developing a corporate Internet policy
July 1995
Network Security
Developing a Corporate Internet Policy Kermit Bese ke Secure Computing Corporation Today, it seems as every corporate Cl0 is under the gun to go out and get hooked up to the Internet. Several years ago this trend started slowly with the technical folks and today it’s expanded so far - indeed exploded -that forward thinking marketing types want a corporate Internet connection to push their wares by developing a ‘Net presence. What has changed7 Forty million people is what’s changed: the whole world, spanning 1OOt countries and nation-states is hooked together by the Internet. This Net is growing like crazy and whatever you say about it is probably already obsolete. The Net is a collection of networks where no one is in charge, no formal concrete legal or law enforcement mechanisms exist and there is little or no recourse against system abuse. And you (the CIO) are asked to eagerly and aggressively take all that proprietary information you’ve protected all your life and connect it to the Net. The Net has new tools. Cryptography, a tool formerly reserved for governments and
Star Ranger Decoder Rings is ubiquitous on the Net. This came about when a new system called Pretty Good Privacy (PGP) was released on the Net. This system, which uses a technique called public key cryptography, has two keys, one private and one public. This system was released to the Net in (possible) violation of US law and (apparent) US patent law across international borders, If encrypted traffic is traversing your network, how can you as Cl0 accept responsibility for information flow? The benefits of the Net are derived from four major Internet services (see Figure I). Telnet is a kind of worldwide telephone system which allows users to go into and gain Usenet Newsgroups
Web Sites
Open Discussions Among
Access Server System
Figure
10
I: lnternet
Services.
access to other computers, including, of course, your own if it’s connected to the Net. There are archives of data which can exist in the World Wide Web and, of course, your marketing folks want to rush to create your own Web site. The ubiquitous point-to-point E-mail system delivers billions of bytes of information daily, and there is Usenet News, a kind of broadcast E-mail system in which a single posting will typically be read by 50 000 to 100 000 people. The Usenet News system is interactive and sometimes unforgiving. Make a miscue and you’ll get ‘flamed’ for at least a week. And you (the CIO) are asked to connect to these services, maximize the benefit and minimize the risk. The Internet multiplies the threat to your computers and internal corporate network systems. Anyone with a modem is now able to send messages all over the world with or without encryption, The Cyberworld sits at the front door of your company every microsecond and the risks are many. Let’s look at the case of a disgruntled employee who wants to slander the company. With the aid of a simple keyboard, that employee can send out slanderous information to literally tens of thousands of people worldwide. That story will probably be picked up by several media groups that are connected to and continuously monitoring the Net. And you (the CIO) are still asked to connect to the Net. So what about the risk of this behaviour? The wise Cl0 will take the time to develop a Corporate Internet Policy. But most ClO’s are overwhelmed with just setting up corporate connections to the Net so their
01995 Elsevier Science Ltd
July 1995
energetic cybbr-aware employees can go surfing while much less worrying about policy. Policy demographics
Today, corporate America’s Internet Standard Policy and Procedures (ISPP) fall into three categories. ’
l
l
Category 1: The Corporation has a policy that it will not connect to the Internet. Category 2: The Corporation is connected to the Internet and has no policy whatsoever. Category 3: The Corporation is connected to the Internet and has a formal policy.
The percentage of corporations in either Categories 1 or 3 is growing, however, too many corporations, some World Class, are in Category 2. figure 2 shows a current estimate of the percentage of Fortune 2000 companies in each category. The Category 1 companies clearly have a policy. These companies recognize the security risks of an Internet connection or the Cl0 is unwilling to deal with the chaos on the Net. One has to wonder if these companies
Network SecufHy
can maintain world class status by not inter-networking, This simple policy, “We will not connect to the Internet”, is often unintentionally violated. Companies that have this policy in place are often connected to the Net through: A department/ organization having a small Internet dial-up service account. A system inter-networked with a consultant, contractor or government agency that is connected to the Internet? Employee home Internet accounts which may or not be tied to local company remote access tele-commuting. A marketing organization’s World Wide Web site. The Category 1 approach is a concept that is intended to keep a corporation out of Information Warfare by retarding the corporation’s entry into the information age. Category 2 corporations (no Internet policy whatsoever) are predominant and located throughout the world. Corporations need to consider whether or not they are maximizing Internet benefits while minimizing the risks. Within the US, corporations risk lawsuits if valuable information
Policy in Place
Figure 2: lnternet Policy Demographics
01995 Elsevier Science Ltd
is electronically stolen or destroyed or if their computer resources are misused by Internet marauders who wreak havoc on other Internet users. Many of these companies are world class, Total Quality Management (TMQ) orientated, IS0 certified and have policies in place for darn near everything. That is everything except where, why and how they will operate in cyberspace. Category 3 corporations have an Internet Policy. Some of these corporations have developed this policy to exploit every potential business opportunity provided by the Internet. Others have developed this policy solely to protect themselves from Internet warfare. The Best-in-Class corporations are developing policies with bdth good and evil in mind. Developing
a policy
The development of an Internet Standard Policy and Procedure (ISPP) for a world class company is not a simple task. The Cl0 given this responsibility should first consider why the company is connecting to the Net and what benefits the company anticipates to derive from this connection(s). Generally, the policy statement should align itself with other corporate objectives. For example, if a corporation has an objective to satisfy its customers, the ISPP should reflect a policy that deals with satisfying customers. A simple policy statement like, “Internet usage is intended to provide timely communication with our customers” is a good start. However, a statement along the lines of, “Our corporate Internet usage is to provide us with timely communications with our customers while minimizing the risk of loss of private and proprietary
11
Network Security
information of our corporation, employees and shareholders” is more complete and more accurately reflects the realities of cyberspace. So far this all sounds easy, but as the Cl0 looks to satisfying all of the internal customers, the ‘rocks-in-the-road’ start to look like boulders, Here is what happens as the Cl0 heads off to survey and satisfy the internal customers. After meeting with engineering management, the Cl0 learns that engineering is eager to connect to the Net. The Net is a place where engineering can get design help, however, they don’t want the people at their company helping others (competitors) on the Net. The Net is an opportunity to recruit new technical team members, however, they don’t want it to help competitors steal employees, Technical questions about company products can be answered in product related Usenet Newsgroups, however, only certain techies are allowed to answer these questions. This constraint means some employees must be prohibited from answering questions on behalf of the company. Everyone would like a World Wide Web browser, however, the Cl0 is responsible to make sure Web browsing does not negatively impact engineering productivity. And of course E-mail is essential, however, E-mail should be restricted to company matters and no proprietary information is to be sent out via E-mail. And by the way, don’t forget to have a training course on Internet services and etiquette. As though this is not enough, it’s off to marketing to see what they want from the Net. Thinking this is easy, the Cl0 typically finds out that marketing groups have heard all about the Net and they are
12
ready to go big time. First they want to establish company presence and establish a World Wide Web site, an FTP server and have the ability for customers to fill out forms (leave leads), leave orders and RFPs and answer customer surveys -all electronically, Finally, marketing wants to be able to create their own web pages themselves and after they get things up and running, they don’t want anyone on the outside to maliciously alter the information, By now the Cl0 has recognized that a new world order IS process is coming. In the new IS world, marketers are MIS programmers. Now it’s off to see the internal finance department customer. They want to supply Annual Reports on Web pages, invoice electronically, get paid electronically, raise capital electronically, work with the auditors electronically and so on and so on. Oh, and by the way, this system must be secure and the Internet is the most economical way to do it according to Forbes, Business Week, etc. And don’t forget the Internal Auditors are concerned over the risks within our information system. By now any Cl0 realizes that the good 01’ days of mainframes and dumb terminals were utopia and the days of Internet cyberspace may likely be a career limiting experience. So now we have an internal customer survey and know what the employees want. But there’s more. What about the company’s customer? What do they want from our newly found electronic abilities and services? The answers to that survey will only put more demands on Cl0 which will apparently conflict with risks of the Net. Now let’s sit down and write our policy.
Remember we are a TQM company so let’s start with: Our corporate Internet usage is to provide us with timely communications with our customers while minimizing the risk of loss of private and proprietary information of our corporation, employees and shareholders. Usage of the Net will comply with the following: . The Cl0 has to ask, how does Net usage impact standard corporate policies and procedures? .
How should Net users be trained?
.
Should company Net users execute a company Net Usage Agreement?
.
How is proprietary information protected?
.
How is Net etiquette maintained?
.
How are company announcements maintained?
.
How are Net activities monitored?
.
Is encryption allowed?
.
Who is responsible?
.
What monitoring does the MIS department do? What’s legal?
.
Who maintains the company Web page?
.
Who maintains the company FTP site?
l
Who posts on behalf of the company to Usenet News?
l
Can executable software be brought in from the Net? Are viruses imported?
01995 Elsevier Science Ltd
Network Secufity
July 1995
Are any Net services of no
value to the company and restricted to off hour usage? How is suspicious probing of company Net users handled? How is strategic partner’s information protected? From the Net? From each other? How do strategic partners’ policies impact this policy? Do some Usenet groups violate company policy? Create legal risk? How do we protect against malicious computer takeover and misuse? How do we control privilege? How do we ascertain how our computer system maintains our policy?
How do we keep Net users from becoming root users? How do we deal with remote Telnet? How do we deal with remote FTP? How do we deal with remote dial-in? Can E-mail bring in malicious code? What system of identification and authentication do we use? Is it secure? Do we need to subdivide and firewall our internal network? From each other? To control privilege? Between partners? Do we have government classified info on our Net? How is it protected? What risk of export violation does the Net give us?
The Culture of Control: Safeguarding Intellectual Property in the Age of Networks - Part 2 David R. Warlock European Information Industry Association, UK This is the second and concluding part of an article on
safeguarding intellectual property. This part looks at the national and international bodies which might need to be involved to create the support necessary for technological answers based on metering. The final section of the article considers these implementation Issues and suggests some possible conclusions. Metering and billing systems In the best of all possible worlds, where document
01995 Elsevier Science Ltd
security was guaranteed on the network, metering and billing systems would need to be simple and low level to be
Developing a Net policy is not easy, fun or befriending, but it needs to be done preferably before one connects to the Internet. There are no ‘right’ or ‘wrong’ answers, and as you delve into ISSP, you will find that the questions and answers inextricably intertwine. Each question must be considered thoroughly, but never as a standalone issue. These are high level management decisions that affect every employee, customer, partner, stockholder and the corporate entity itself. They must not be made in haste. The first step is to realize the opportunity while accepting the risk. Cyberspace is a unique double edged sword, but fundamentally not all that different from other business considerations. The smart Cl0 will approach the Internet with open eyes, knowing that there are compromises to be made, but he must always keep his company’s best interest at the forefront of the process.
effective. Their objective, after all, would simply be to record legitimate trades; they would have no role whatsoever in detecting illicit movement of documents for which no copyright recognition had been made or fees paid. There is every indication, as this report is being finalized, that First Amendment lawyers in the US will rally to the defence cause in the case of David LaMacchia, the MIT student accused of placing copies of software programs (including Excel, Windows and SimCity) on the Internet with intention to procure a felony. The prosecution will argue that Mr La Macchia placed the software on an MIT bulletin board with the intent that third parties unknown to him should use the network to access the bulletin board and copy its contents, although they
13
Network Security
Developing a Corporate Internet Policy Kermit Bese ke Secure Computing Corporation Today, it seems as every corporate Cl0 is under the gun to go out and get hooked up to the Internet. Several years ago this trend started slowly with the technical folks and today it’s expanded so far - indeed exploded -that forward thinking marketing types want a corporate Internet connection to push their wares by developing a ‘Net presence. What has changed7 Forty million people is what’s changed: the whole world, spanning 1OOt countries and nation-states is hooked together by the Internet. This Net is growing like crazy and whatever you say about it is probably already obsolete. The Net is a collection of networks where no one is in charge, no formal concrete legal or law enforcement mechanisms exist and there is little or no recourse against system abuse. And you (the CIO) are asked to eagerly and aggressively take all that proprietary information you’ve protected all your life and connect it to the Net. The Net has new tools. Cryptography, a tool formerly reserved for governments and
Star Ranger Decoder Rings is ubiquitous on the Net. This came about when a new system called Pretty Good Privacy (PGP) was released on the Net. This system, which uses a technique called public key cryptography, has two keys, one private and one public. This system was released to the Net in (possible) violation of US law and (apparent) US patent law across international borders, If encrypted traffic is traversing your network, how can you as Cl0 accept responsibility for information flow? The benefits of the Net are derived from four major Internet services (see Figure I). Telnet is a kind of worldwide telephone system which allows users to go into and gain Usenet Newsgroups
Web Sites
Open Discussions Among
Access Server System
Figure
10
I: lnternet
Services.
access to other computers, including, of course, your own if it’s connected to the Net. There are archives of data which can exist in the World Wide Web and, of course, your marketing folks want to rush to create your own Web site. The ubiquitous point-to-point E-mail system delivers billions of bytes of information daily, and there is Usenet News, a kind of broadcast E-mail system in which a single posting will typically be read by 50 000 to 100 000 people. The Usenet News system is interactive and sometimes unforgiving. Make a miscue and you’ll get ‘flamed’ for at least a week. And you (the CIO) are asked to connect to these services, maximize the benefit and minimize the risk. The Internet multiplies the threat to your computers and internal corporate network systems. Anyone with a modem is now able to send messages all over the world with or without encryption, The Cyberworld sits at the front door of your company every microsecond and the risks are many. Let’s look at the case of a disgruntled employee who wants to slander the company. With the aid of a simple keyboard, that employee can send out slanderous information to literally tens of thousands of people worldwide. That story will probably be picked up by several media groups that are connected to and continuously monitoring the Net. And you (the CIO) are still asked to connect to the Net. So what about the risk of this behaviour? The wise Cl0 will take the time to develop a Corporate Internet Policy. But most ClO’s are overwhelmed with just setting up corporate connections to the Net so their
01995 Elsevier Science Ltd
July 1995
energetic cybbr-aware employees can go surfing while much less worrying about policy. Policy demographics
Today, corporate America’s Internet Standard Policy and Procedures (ISPP) fall into three categories. ’
l
l
Category 1: The Corporation has a policy that it will not connect to the Internet. Category 2: The Corporation is connected to the Internet and has no policy whatsoever. Category 3: The Corporation is connected to the Internet and has a formal policy.
The percentage of corporations in either Categories 1 or 3 is growing, however, too many corporations, some World Class, are in Category 2. figure 2 shows a current estimate of the percentage of Fortune 2000 companies in each category. The Category 1 companies clearly have a policy. These companies recognize the security risks of an Internet connection or the Cl0 is unwilling to deal with the chaos on the Net. One has to wonder if these companies
Network SecufHy
can maintain world class status by not inter-networking, This simple policy, “We will not connect to the Internet”, is often unintentionally violated. Companies that have this policy in place are often connected to the Net through: A department/ organization having a small Internet dial-up service account. A system inter-networked with a consultant, contractor or government agency that is connected to the Internet? Employee home Internet accounts which may or not be tied to local company remote access tele-commuting. A marketing organization’s World Wide Web site. The Category 1 approach is a concept that is intended to keep a corporation out of Information Warfare by retarding the corporation’s entry into the information age. Category 2 corporations (no Internet policy whatsoever) are predominant and located throughout the world. Corporations need to consider whether or not they are maximizing Internet benefits while minimizing the risks. Within the US, corporations risk lawsuits if valuable information
Policy in Place
Figure 2: lnternet Policy Demographics
01995 Elsevier Science Ltd
is electronically stolen or destroyed or if their computer resources are misused by Internet marauders who wreak havoc on other Internet users. Many of these companies are world class, Total Quality Management (TMQ) orientated, IS0 certified and have policies in place for darn near everything. That is everything except where, why and how they will operate in cyberspace. Category 3 corporations have an Internet Policy. Some of these corporations have developed this policy to exploit every potential business opportunity provided by the Internet. Others have developed this policy solely to protect themselves from Internet warfare. The Best-in-Class corporations are developing policies with bdth good and evil in mind. Developing
a policy
The development of an Internet Standard Policy and Procedure (ISPP) for a world class company is not a simple task. The Cl0 given this responsibility should first consider why the company is connecting to the Net and what benefits the company anticipates to derive from this connection(s). Generally, the policy statement should align itself with other corporate objectives. For example, if a corporation has an objective to satisfy its customers, the ISPP should reflect a policy that deals with satisfying customers. A simple policy statement like, “Internet usage is intended to provide timely communication with our customers” is a good start. However, a statement along the lines of, “Our corporate Internet usage is to provide us with timely communications with our customers while minimizing the risk of loss of private and proprietary
11
Network Security
information of our corporation, employees and shareholders” is more complete and more accurately reflects the realities of cyberspace. So far this all sounds easy, but as the Cl0 looks to satisfying all of the internal customers, the ‘rocks-in-the-road’ start to look like boulders, Here is what happens as the Cl0 heads off to survey and satisfy the internal customers. After meeting with engineering management, the Cl0 learns that engineering is eager to connect to the Net. The Net is a place where engineering can get design help, however, they don’t want the people at their company helping others (competitors) on the Net. The Net is an opportunity to recruit new technical team members, however, they don’t want it to help competitors steal employees, Technical questions about company products can be answered in product related Usenet Newsgroups, however, only certain techies are allowed to answer these questions. This constraint means some employees must be prohibited from answering questions on behalf of the company. Everyone would like a World Wide Web browser, however, the Cl0 is responsible to make sure Web browsing does not negatively impact engineering productivity. And of course E-mail is essential, however, E-mail should be restricted to company matters and no proprietary information is to be sent out via E-mail. And by the way, don’t forget to have a training course on Internet services and etiquette. As though this is not enough, it’s off to marketing to see what they want from the Net. Thinking this is easy, the Cl0 typically finds out that marketing groups have heard all about the Net and they are
12
ready to go big time. First they want to establish company presence and establish a World Wide Web site, an FTP server and have the ability for customers to fill out forms (leave leads), leave orders and RFPs and answer customer surveys -all electronically, Finally, marketing wants to be able to create their own web pages themselves and after they get things up and running, they don’t want anyone on the outside to maliciously alter the information, By now the Cl0 has recognized that a new world order IS process is coming. In the new IS world, marketers are MIS programmers. Now it’s off to see the internal finance department customer. They want to supply Annual Reports on Web pages, invoice electronically, get paid electronically, raise capital electronically, work with the auditors electronically and so on and so on. Oh, and by the way, this system must be secure and the Internet is the most economical way to do it according to Forbes, Business Week, etc. And don’t forget the Internal Auditors are concerned over the risks within our information system. By now any Cl0 realizes that the good 01’ days of mainframes and dumb terminals were utopia and the days of Internet cyberspace may likely be a career limiting experience. So now we have an internal customer survey and know what the employees want. But there’s more. What about the company’s customer? What do they want from our newly found electronic abilities and services? The answers to that survey will only put more demands on Cl0 which will apparently conflict with risks of the Net. Now let’s sit down and write our policy.
Remember we are a TQM company so let’s start with: Our corporate Internet usage is to provide us with timely communications with our customers while minimizing the risk of loss of private and proprietary information of our corporation, employees and shareholders. Usage of the Net will comply with the following: . The Cl0 has to ask, how does Net usage impact standard corporate policies and procedures? .
How should Net users be trained?
.
Should company Net users execute a company Net Usage Agreement?
.
How is proprietary information protected?
.
How is Net etiquette maintained?
.
How are company announcements maintained?
.
How are Net activities monitored?
.
Is encryption allowed?
.
Who is responsible?
.
What monitoring does the MIS department do? What’s legal?
.
Who maintains the company Web page?
.
Who maintains the company FTP site?
l
Who posts on behalf of the company to Usenet News?
l
Can executable software be brought in from the Net? Are viruses imported?
01995 Elsevier Science Ltd
Network Secufity
July 1995
Are any Net services of no
value to the company and restricted to off hour usage? How is suspicious probing of company Net users handled? How is strategic partner’s information protected? From the Net? From each other? How do strategic partners’ policies impact this policy? Do some Usenet groups violate company policy? Create legal risk? How do we protect against malicious computer takeover and misuse? How do we control privilege? How do we ascertain how our computer system maintains our policy?
How do we keep Net users from becoming root users? How do we deal with remote Telnet? How do we deal with remote FTP? How do we deal with remote dial-in? Can E-mail bring in malicious code? What system of identification and authentication do we use? Is it secure? Do we need to subdivide and firewall our internal network? From each other? To control privilege? Between partners? Do we have government classified info on our Net? How is it protected? What risk of export violation does the Net give us?
The Culture of Control: Safeguarding Intellectual Property in the Age of Networks - Part 2 David R. Warlock European Information Industry Association, UK This is the second and concluding part of an article on
safeguarding intellectual property. This part looks at the national and international bodies which might need to be involved to create the support necessary for technological answers based on metering. The final section of the article considers these implementation Issues and suggests some possible conclusions. Metering and billing systems In the best of all possible worlds, where document
01995 Elsevier Science Ltd
security was guaranteed on the network, metering and billing systems would need to be simple and low level to be
Developing a Net policy is not easy, fun or befriending, but it needs to be done preferably before one connects to the Internet. There are no ‘right’ or ‘wrong’ answers, and as you delve into ISSP, you will find that the questions and answers inextricably intertwine. Each question must be considered thoroughly, but never as a standalone issue. These are high level management decisions that affect every employee, customer, partner, stockholder and the corporate entity itself. They must not be made in haste. The first step is to realize the opportunity while accepting the risk. Cyberspace is a unique double edged sword, but fundamentally not all that different from other business considerations. The smart Cl0 will approach the Internet with open eyes, knowing that there are compromises to be made, but he must always keep his company’s best interest at the forefront of the process.
effective. Their objective, after all, would simply be to record legitimate trades; they would have no role whatsoever in detecting illicit movement of documents for which no copyright recognition had been made or fees paid. There is every indication, as this report is being finalized, that First Amendment lawyers in the US will rally to the defence cause in the case of David LaMacchia, the MIT student accused of placing copies of software programs (including Excel, Windows and SimCity) on the Internet with intention to procure a felony. The prosecution will argue that Mr La Macchia placed the software on an MIT bulletin board with the intent that third parties unknown to him should use the network to access the bulletin board and copy its contents, although they
13