Co-op to certify tools to measure level of security
No amount of preflight checks can guarantee that a plane won't fall out of the sky, and yet the airline industry is required to conduct those checks before takeoff. It's a condition of doing business that the airlines and their customers understand and accept.
Soon, the same may be true for companies that want to connect their computer systems to the Internet.
The Bethesda, Md.-based Center for Internet Security (CIS), a nonprofit cooperative enterprise, plans to release a series of global benchmarks that will let firms measure and monitor the security status of systems connected to the Internet. The CIS was formed less than two months ago by more than 80 private companies, government agencies, academic institutions and consulting firms.
These benchmarks, or security rulers, will enable companies to select a specific level of security and then use certified third-party tools to validate that their systems meet minimum standards of operation.
The CIS will release its first benchmark for Sun Microsystems Inc.'s Solaris operating system in the next few weeks, according to Clint Kreitner, CIS president and CEO, who at a meeting in Washington last week encouraged a group of government and industry security professionals to join. Future releases will cover Linux, Windows 2000, Windows NT, HP-UX, IBM's AIX, Silicon Graphics Inc.'s Irix and eventually, individual applications.
The CIS is based on the notion of collective action, said Kreitner, adding that charter member companies get to review, comment and vote on the draft benchmarks. "None of us can do this by ourselves," he said. "The necessity of collective action is clear."
Charter memberships are available through December at $20,000 for consultants or suppliers, $5,000 for user organizations and $1,000 for individuals, said Kreitner.
A senior White House official who attended the meeting called the CIS a unique effort to create a security consortium of Internet users. "We have all sorts of consortiums for vendors, but nobody has ever created a consortium that represents the interests of users," said the official, who requested anonymity.
Users were less enthusiastic, however, about another plan by the center -- to make available an anonymous database that would allow companies to compare their security status with that of their peers. Some users who attended the briefing expressed concern about the database and the potential for leaks of sensitive or proprietary information. They said they are concerned that the automated tools used to report their "anonymous" configuration data might also inadvertently capture network maps and other data.
Franklin Reeder, chairman of the CIS, downplayed the security risks related to CIS membership. The center is about "making the business case and giving the marketplace clear signals of what works and what doesn't" in the realm of Internet security, said Reeder.
"People are hungry for yardsticks," said Alan Paller, director of research at the SANS Institute in Bethesda, Md. "Only a few of the consulting organizations who have their own proprietary rating systems will find these public rulers problematic, but they will coome around very quickly once their clients discover the value."
Bill Crowell, CEO of Cylink Corp. and a former deputy director of the Fort Meade, Md.-based National Security Agency, called the CIS effort "a precursor to the ultimate need" to establish broad standards that companies and organizations can use to measure their vulnerability and liability. "Minimal performance standards are achievable," said Crowell. Cylink is a Santa Clara, Calif.-based provider of
public-key infrastructure security systems.