Mark Ford leads Deloitte & Touche’s Security & Privacy Services practice in the firm’s North Central region (Great Lakes and Ohio Valley). He also helped launch the company’s identity management service line and directs that practice on a US national and global basis. He started his career in information protection as an officer in the U.S. Army Military Intelligence Corp. ITsecurity.com recently interviewed Ford on corporate IT security, compliance, and identity management. He’s also one of the top influencers in IT Security. We caught up with him on the latest trends in security.Related Stories:So You Failed a Security Audit – Now What? Create Your Own Security AuditIT Security’s Security Audit Buyer’s GuideSecurity Audit Resource Center
ITsecurity.com: What trends do you see in corporate IT security departments?
Ford: IT security has had a white hot shining light on it recently. A lot of that has been highlighted by regulations like HIPAA and Sarbanes-Oxley and the impact to the market is starting to come out. It continues to be one of those top issues in the IT departments and executive management – recent surveys indicate that it’s one of the top one or two issues for the CIO.
ITsecurity.com: Is the emphasis on IT security spread evenly across industries or have some industries gotten the jump on others?
Ford: Typically, you see it in those information-centric organizations earlier than you do in others. You see it in financial services and banks more so and earlier than you’ll see it in manufacturing … retail … the consumer business industry. Historically these leaders would look at you and say, “We sell products” or “We make cars, why do we need to have computer controls like a bank?” Their focus is on business operations, getting the product to the customer. But that has all changed quite significantly with the advent of this regulatory focus. The reality is that we weren’t doing controls on security very well and we’re paying the price. That impact has really changed the importance of IT security over the last five years or so.
ITsecurity.com: I’ve been reading a lot about Payment Card Industry Data Security Standard lately. Is that the most pressing compliance push at the moment?
Ford: That is a big push in retail businesses these days. How we are addressing that is with a standards-based approach. We have developed a framework that is based on standards such as ISO 17799 and 27001 with the addition of privacy standards. This framework accommodates the PCI requirements. So, if you want to go after PCI specifically, we drill down into the different standards that let you obtain what PCI is looking for. Doing it from a standards-based approach … you can look at it more holistically. If a policy is not required for PCI, but is required for some other regulatory issue, or internal control policy for that matter, you can apply it then or later on as your circumstances allow.
ITsecurity.com: So the framework covers privacy as well as the 17799 and 27001 standards?
Ford: That was one of the things we thought was missing with ISO. We’ve added that in to make sure [the framework] covers privacy as well. It helps us put everything in one bucket.
We also like to apply a maturity model to this. In this case, we are talking about the maturity of the security control environment. So we break the different components down and let the client look at it from a maturity model perspective that is based upon as scale of say zero to five. They can say, “This is not going good enough; I’m a zero and I at least need to be a one.” The next task would be to define a security or control process that would bring them to that level, which meets their tolerance for risk as opposed to applying too many controls and new security practices.
ITsecurity.com: In general, have you seen any shifts in how enterprises structure IT security? For example, are organizations rethinking perimeter security?
Ford: When you think about the perimeter threat, that is where we have put a lot of emphasis historically. Perimeter security is a “must have.” Today, if you don’t have that figured out, you are completely off the map from a controls perspective.
Today and in the future I think you are going to have to apply much stronger layers of defense in your organization. You will have to manage data at a granular level and manage access through these various layers. So the perimeter is still very viable, but now you can’t rely on the perimeter as your sole defense mechanism. You have to have defense in depth.
It really comes back to the stack approach. Look at the very bottom of the stack. The infrastructure needs to have really strong resilience and the ability to defend itself. Not only at the perimeter, but across the entire enterprise. We are trying to segregate the networks; once through the perimeter, [an attacker] can’t go romping around the enterprise without having checks along the way, so to speak. We use a “zone architecture” approach. For example, back in 95, when the Internet was first making its debut and people were getting connected, once you secured access through the perimeter you could go anywhere within the enterprise network. And a lot of the time that was a global network. You had a big, flat network, an open network. You need to start separating that and start putting fences along the way and layers of defense for access to the most critical information. As you come up the stack, you are looking at how to protect access moving toward an application or multiple applications. This is when you start getting into the area of enterprise identity and access management. The authorized means to get across those layers is through having a properly authenticated identity and credentials.
ITsecurity.com: So, where is identity management headed? Are most large organizations moving toward federated ID management?
Ford: Most large organizations are still trying to get their house in order and those who are a little bit further ahead are starting to leverage federated identity concepts. One of the main uses of federation now is, “How do I deal with outside customers.” For example, an electric utility can provide their customers a service where they can pay their bills on a web-site or portal and use federation technology to give customers additional services coming from third-party business partners without having to make the customer log-in again to the third-party’s site. This type of federated access to the third-party’s application is fairly simple, as opposed to internal corporate users access requirements are typically much more complex and much more difficult to provide through federation technologies.The bottom line…we are starting to see some uptake of federation in the marketplace, which I’m excited about. We’ve been talking about federation for many years now and it has been slow to get going, but we are starting to see major initiatives take off. The adoption of federation technology is giving us more value over time. The technology that federation brought to the table is foundational for emerging architectural concepts such as service oriented architecture.