Information Age: News, analysis & insight for IT & business leaders

Distrusted partners

10 February 2006  

How can a company protect itself from the increased security risks wrought by collaborative commerce? One way is to audit partners to make sure they take security just as seriously.


In 2000, when European aircraft manufacturer Airbus, the joint venture between EADS and BAE Systems, first laid plans for the triple-deck, 555-seater jumbo, the A380, it was faced with an immense logistical challenge.

The proposed aircraft was, quite literally, going to be too big for any one company to design and build. Airbus's solution was to outsource the creation of various sections of the plane and many of its hundreds of thousands of components to suppliers on a scale unprecedented in the aircraft industry.

This distributed structure introduced a whole new set of issues - few more critical than security. After all, in order for the virtual organisation to work, partners would be invited to hook their business processes and systems into Airbus's 'extended enterprise' and given trusted access to valuable and sensitive intellectual property about the A380.

How could Airbus ensure that its partners would safeguard its confidential material as zealously as it would itself? The answer was to become a cyber-sleuth: to set up its own security auditing unit that would travel the world checking out the computer security of suppliers.

Over the last few years, contractors have been told to tighten up their security as a result of the reports written by Airbus's security auditing team. The advice to suppliers: get your house in order or face the prospect of losing access to the sensitive areas of the shared network.

The rules of engagement: objectives of a security audit

Organisations conducting a security audit of a partner should:

  • Measure, in a practical sense, the effectiveness of their implemented controls and counter-measures against real world threats

  • Measure the effectiveness of controls against new and emerging threats

  • Help the partner identify new controls and countermeasures

  • Throw fresh light on information security practices

  • Pinpoint particular areas of weakness

  • Identify what practices are more effective than others

  • Help with a plan of allocation of resources

  • Measure for compliance with the British Standards Institute's BS7799 Part 2 standard and other relevant standards

  • Report upon the current state of systems security to the business owner

  • Agree a strategy for improvement

  • Assist in compiling a business case for making improvements

  • Help the organisation to assess the cost of security

  • Heighten security awareness

  • Lead to the development of a meaningful information security management system

  • Help reduce the number and impact of incidents

    Source: ITSec Associates

The application of that kind of sanction, however, is a rarity, stresses Airbus global third party security auditor Andrew Phillipou. "In the five years that I have been doing this," he says, "I have stopped just one company's [access]. I discovered a remote access server owned by [a competitor sitting] on the partner's network, with no restricted access to [locally-held] Airbus information," he adds.

Most companies are co-operative, partly because the audit is free - although they will need to pay for any remedial work that needs to be done, such as the installation of firewall software - and partly because there is so much money riding on the contracts.

Airbus is hardly alone in wanting to vet partner security. Its archrival Boeing has also adopted the practice. And, as the banking world moves from proprietary to Internet-based funds transfer systems, it is increasingly a pre-requisite for financial services companies. On Wall Street, too, since the Enron and WorldCom scandals pushed corporate governance to the top of the business agenda, it is now common practice for the major investment banks to assure partner security levels, says Jerry Ungerman, president of firewall supplier Check Point Software.

Already, all of Britain's big four banks operate third party security auditing practices, as do some smaller institutions such as the Alliance and Leicester.

For Airbus, the development of its programme was driven by the fact that it not only had to outsource so many elements of the A380 design process, but also had to search far and wide to find companies with the right skillsets at the right price.

The company has contractors across the US, Europe, China, India, Taiwan, Japan and Australia working on the project. Airbus is not just concerned with the increased security risks associated with many organisations accessing shared parts of its network; it is also well aware of the increased potential for industrial espionage - either by jealous rivals or indeed the secret services of foreign governments.

That risk is very real, believes Phillipou. In one routine audit, he found two 'black boxes' connected to the network of an Airbus divisional office "in a country with a very active secret service". Nobody knew what the boxes were or what they were doing there, he says. "And I still have no idea to this day."

That just underscores the necessity of auditing partners, no matter how tricky that may be. Charles Pask, managing director of consultancy ITSec Associates, says that third party security auditing is particularly important for manufacturing companies because they often have vital intellectual property assets that must be protected.

In the US, says Cable & Wireless chief technology officer Bill Hancock, the practice has been boosted by the introduction of the Sarbanes-Oxley Act, which requires organisations to report on their 'internal controls' to regulatory authorities on an annual basis.

The rules of engagement: methods of a security audit

When conducting a security audit, organisations should outline the methodology to be employed, the systems to be targeted, the risk assessment system to be used and the restrictions imposed. The following ground rules apply:

  • Denial of service attacks on partner systems are prohibited

  • The modification, deletion, copying or conversion of system data is prohibited

  • All actions or commands performed during the test must be documented

  • All actions or commands performed during the test must be executed in the presence of the business owner

  • The use of 'social engineering' is prohibited

  • The use of force in gaining access to computer resources is prohibited

  • All hardware and software tools used during the penetration testing must be agreed by the system owner and information security manager

  • Details of the test must be communicated in strictest confidence and should be restricted to key personnel only

  • The tools that will be used need to be agreed in advance.

    Source: ITSec Associates

On top of that, there are the more specific computer security requirements of the recently introduced US Health Insurance Portability and Accountability Act (HIPAA). That sets rules on security and privacy for any company that deals with American healthcare organisations - regardless of where they are located.

Gadget inspectors

But interloping on partners' system set-ups is a delicate business, and requires some strict protocol. Airbus's security auditing methodology, for example, is based on BS7799, the British Standards Organisation's security management standard. This details how an organisation should implement its own internal security procedures, as well as the policies it expects partner organisations to follow.

While BS 7799 provides a comprehensive management framework for security audits that the non-technical can easily understand and appreciate, Ray Stanton, head of the UK security practice at Unisys, warns that there is a danger of auditors falling into a 'check list' mentality. Organisations should not fail to examine in depth how well an organisation actually manages its security on the ground, he says.

"We can ask whether they have access control and they will say 'yes'. But then there are the questions of password length, how they do it, whether it is for everything or just a few systems," he outlines. Stanton originally devised Airbus's third party security auditing programme in the late 1990s, before moving on to Unisys.

One company audited by Airbus' Phillipou, for example, passed the checklist with flying colours. But when he moved on to the on-site technical audit, he found Airbus design data - which was deemed 'top secret' - was being held on a machine within a section of the sub-contractor's network that was also used for projects sponsored by one of Airbus' main competitors.

Ultimately, therefore, it requires hands-on inspection by knowledgeable staff to ensure that a partner not only has the right security controls in place, but that it is genuinely security conscious and has the right day-to-day management procedures as well.

"You've got to go in and take a look at what they are doing, rather than ask them what they have got," says Pask. It also gives the auditor an opportunity to assess the culture of the organisation and how open to change it will be if its security is found to be deficient in some way.

For Phillipou, it is not just about seeing for himself that suppliers' systems are well looked after, but also about building a relationship based on trust between him and his opposite number at the supplier so that information can more freely be shared. "I consider suppliers' security teams as part of my security team. If they have an issue, then I want to hear about it," he says.

The rules of engagement: testing a security audit

There are a number of 'test types':

  • Protection testing, which can be done from the desk - going through the policies, standards, procedures, architecture and so on in order to assess the level of controls that should be in place

  • Penetration Testing, which should include the systems to be tested, expected results, actual results and action required when it is finished

  • 'White box' testing and 'black box' testing.

The testing may involve some of the following approaches:

  • Initial probes - a scan of ports, identifying services and their known weaknesses

  • Review of vulnerabilities in light of that initial probe

  • Access control, including access to the workstation, command line access, to files and folders

  • A review of security against security standards

  • An examination of password management procedures, such as the strength of passwords

  • A review of auditing tools used in-house and whether they are effective or not

  • Diagnostic tools

  • Network security

  • Privilege management

Then there are the reporting mechanisms - to whom, when, how, and so on.

    Source: ITSec Associates

That 'chain of trust' agreement is increasingly part of doing business. Cable & Wireless, for instance, is audited by a number of customers including automotive exchange Covisint, for whom it hosts its market sites, says Hancock. C&W is audited to both SAS 70 and ISO 9001 standards.

SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) and covers 'control activities', which generally include IT and related processes. ISO 9001 is the quality assurance standard that ensures that those processes are consistently applied.

Levels of trust

Phillipou divides suppliers' systems and the various Airbus offices located around the world into four categories based on levels of trust. The first includes only its European Union-based offices connected to its wide area network (WAN). These are trusted implicitly because he has direct access to and control over what happens there.

The second includes other Airbus offices outside the European Union. "It's not that we don't trust our own people in our own offices in foreign countries, but you have to take into account that we have to use local telecoms providers that we have no control over," he says.

Here, Phillipou fears wiretaps intercepting commercially sensitive communications between head office and the local office: not just data about intellectual property, but ongoing sales negotiations that might prove valuable to rivals.

In the third category are suppliers that Phillipou is confident are meeting his minimum security requirements. These are typically suppliers that he has visited, audited and approved.

Finally, there are the suppliers that he simply does not trust. Normally this is down to their inability to understand the importance of security or to take the appropriate measures when asked.

Such visits also enable him to size up suppliers in terms of their business continuity strategies. What would happen if a key supplier suffered a power cut? For one in India, instead of an uninterruptible power supply, it has a bank of diesel truck engines standing by, says Phillipou.

Even when some organisations go to great lengths to ensure that they conform to best practice, elementary mistakes can be made.

"I was doing an assessment for a communications company in Thailand of one of their suppliers," says Stanton. He could see instantly what was wrong, but the suppliers could not. "'What's next door?' I asked. They didn't understand. It was a liquid petroleum gas storage warehouse - right next to their disaster recovery site," he says.

For Phillipou, it is ultimately about managing business risk. "For me, the bottom line is to ensure that the product gets from the production line and out to the customer as soon as possible," he says.

And with a product as complex as the A380 (the first aircraft are due to be delivered in 2006), not only is the intellectual property worth billions, but any hitch at any one of its suppliers scattered around the world could have a catastrophic impact on whether the A380 flies on time or not.
