by Eric Berkman

Can You Trust Third-Party Security Certification?

Mar 01, 2001

Reader ROI

See why more companies are seeking security seals of approval

Understand what value you can and can’t place on them

Learn how to cover all of your security bases

Security is the biggest concern for anyone engaged in e-business, no doubt about it. However, it’s no longer a matter of whether companies have security (if they don’t, they won’t be in business long) but just how effective that security is.

This concern for security quality has spawned a rapidly growing industry for third-party certification. Hundreds of companies, including brick-and-mortar types such as the Miller Brewing Co., financial services companies like Mellon Shareholder Services, and even ASPs such as Digital Insights, are bringing in accounting organizations and security vendors to audit their security posture. The goal is to win a “Good Housekeeping” type of security seal that tells a company’s partners they can have confidence doing e-business with it. But is this reassurance more valuable as a marketing tool, or is it a true benchmark of a company’s security stance?

Companies that have been through the certification process say it works. Take the case of New York City-based PartMiner and its e-marketplace, the Free Trade Zone, that went live last year. Before it did, CTO Mark Schenecker assembled a focus group to determine how folks on both sides of the electronics components supply chain felt about security. He got an earful. “Your website promises that you won’t share our data,” the group’s participants told him. “We trust you personally, but how do we know you’re really taking all the right steps to keep our information out of the wrong hands?”

So Schenecker brought in the Big Five accounting firm Ernst & Young to evaluate PartMiner’s security practices. After combing through the company’s firewalls, intrusion-detection technology, hosting center, physical plant, internal procedures and other systems, Ernst & Young bestowed its seal of approval on PartMiner, which the company displays prominently on its website. PartMiner pays Ernst & Young five figures each quarter for it to continue that testing and monitoring.

Schenecker insists his company has gotten value for its money. “Our market is a very tight community,” he says. “The level of trust has increased, and we believe this has translated directly into the level of transactions performed on the site.”

Who Tests the Testers?

The security community is split as to the real value of certification. Sure, it works well as part of an advertising campaign, but what does certification really prove?

Security certification vendors like TruSecure in Reston, Va., and Axent Technologies in Cupertino, Calif., insist that people can trust any company that is awarded their seals, because it means they’ve passed rigorous testing against all threats. But that’s exactly the problem. A seal suggests absolute security, but nothing is 100 percent secure. While there may be complete protection against known threats, enterprising hackers are constantly coming up with new methods of attack.

Meanwhile, there are no universally recognized standards for testing an organization’s security. Nor is there any universally accepted body that will approve or oversee those who do the testing. No one is even in the process of formulating specific testing standards. So, unless you’re an expert yourself, it’s tough to ferret out the fly-by-night opportunists looking to make a buck. And if you are an expert, why would you need any of these guys in the first place?

That being said, it would be a mistake to label certification a waste of time and money. After all, if you’re investing the resources, you are at least demonstrating that you have security on your radar screen and that you are taking it seriously.

“We know our [certification] has been successful based on the amount of inquiry from potential business partners and new customers about the nature of certification,” says Mike Lapelosa, director of internal audits for Group Health Inc. (GHI), a New York City-based health-care network. “And we see a lot of organizations beginning to use the same process.”

A typical certification is much like a physical exam. Just as a good doctor will do more than simply ask you to open up and say “aah,” the good security examiner performs every conceivable test. Lapelosa went through this when he and his colleagues hired TruSecure to test GHI’s information security two years ago. At the time, the health-care network was just beginning to assert its Internet presence and needed to maximize doctor and hospital access while guaranteeing the patients’ right to privacy. TruSecure, a security solutions company formerly known as, began with an onsite evaluation of every aspect of GHI’s security practices. Consultants reviewed all written policies and procedures, interviewed programmers and computer staff to ascertain their level of technical expertise, and studied GHI’s Web infrastructure to spot areas where hackers might break in undetected.

TruSecure also conducted a vulnerability analysis in which it actually tried to break in to the network from the outside and examined GHI’s backup and disaster-recovery procedures in case the network went down. TruSecure eventually gave GHI its seal of approval, which the company now sports on its website. Lapelosa says the process took “two weeks from soup to nuts,” with TruSecure workers onsite working full time with both him and GHI’s IT staff.

The company continues to scan GHI’s network for vulnerabilities on a quarterly basis, and once a year it comes in to do a follow-up of all its reviews. If GHI fails to implement its recommendations, it can lose its seal. That’s something TruSecure has not yet done with any of its clients, though a spokesman said that at least once a month someone will fall into a “danger zone” where they are given up to 30 days to fix a security hole before the seal is revoked.

Lapelosa wouldn’t reveal how much money was spent in GHI’s certification, but TruSecure CEO Adam Joseph says the process typically costs around $90,000 per site. “It obviously varies with the size of the company,” he says.

Lapelosa says the process has given his company the assurance that it has the proper approach to security, which (with the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) looming on the horizon) has become even more important for players in the health-care industry. The seal also gives people confidence in the GHI brand, he adds.

Meanwhile, experts agree that for a CIO, certification can be a useful way to cover your behind. “It validates what you say you’ve done,” says Charlie Johnson, vice president of business development and sales at Symantec Security Services, the consulting arm of Axent Technologies. “If the company is spending the money for security services and equipment, you want someone to come in and say the money you’ve spent made sense and provided the level of security you thought you had.”

Terry Milholland, CIO and CTO of EDS, the Texas-based computer services giant, agrees. “[Certification] lets you tell your senior management and board of directors that you’re practicing good security hygiene,” he says. “Of course,” he adds, “that isn’t to say you don’t have exposures, because anyone who says otherwise is a fool.”

An additional benefit is relative peace of mind. If your vendor or Big Five company conducts ongoing monitoring, you’ll know that your security practices are relatively up-to-date. Like Milholland, Johnson points out that nobody can guarantee 100 percent security. You still have to maintain whatever security would be expected of a company in your shoes. “[The certification process] gives you a warm fuzzy feeling that you’ve done everything a reasonable person would expect you to do,” he says.

Finally, you shouldn’t underestimate the significance of a company’s willingness to stake its reputation on its assessment of your security, says John Alsop, president and CEO of Borderware Technologies, a Toronto-based firewall vendor. “That’s the real value,” he says.

As happy as certified companies may be, certification has obvious limitations. Critics like John Thomas would say that the seal in and of itself does nothing more than influence naive customers and business partners. “Those of us who know the business realize that there are no absolutes when it comes to security,” says Thomas, president of Vienna, Va.-based Titan Vigil, a company that performs security monitoring for commercial and government organizations. “If someone came to me and said, ‘Please do business with me because I’ve got X, Y and Z’s approval,’ I’d chuckle to myself before laying right into them.”

Just When You Think You’re Secure…

The very act of stamping a seal on your website can be risky. It’s a lot like the old Eveready commercials, where actor Robert Conrad would put an alkaline battery on his shoulder and dare you to knock it off. The minute you start bragging about how secure you are, hackers will line up to try to prove you wrong. In fact, many in the hacker community actually believe they’re doing a public service by exposing insecurities, says Thomas.

“They’re very cynical people,” he says. “As soon as someone comes along and says, ‘Do business with me because I’m secure,’ I can promise you some hacker will get in and plant some kind of logic bomb.”

Meanwhile, how can you be so sure the tests proved anything in the first place? While there may be recognized standards for testing the security of a product, there’s no commonly accepted methodology for testing the security of an organization. Standards are important for any kind of security testing, says Ron Ross, director of the National Information Assurance Partnership in Gaithersburg, Md., a government group that validates lab testing of IT products.

“I’m not saying a seal has no value, but if everyone is doing something different, it’s hard to compare what kind of service you’re really getting,” he says.

Plus, not every evaluator will necessarily be on the up-and-up. There are plenty of reputable vendors out there, but there are also a lot of guys who see that this is a hot area and hang up a shingle, hoping to get some action.

“You especially see this in areas where security is becoming federally mandated, [like banking and health care],” says Rob Dodson, director of business development at Symantec Security Services central region. “People with no medical background are all of a sudden becoming HIPAA experts. And people with no incidence-response background are jumping all over the FDIC incidence-response requirements.”

Perhaps the biggest concern of all is the fact that when you’re certified, it reflects a mere snapshot in time. Basically, it tells people that according to a particular testing methodology, you were secure as of 10:24 a.m. last Tuesday, the last time you were monitored. The problem is, that doesn’t guarantee that you were secure at 10:25 a.m.

That’s a major reason why Thomas takes these seals with many grains of salt. “A lot of people think it’s like the UL [Underwriters Laboratory] stamps they see on their TVs,” he says. “But their TVs don’t change a lot from when they bought them.”

Johnson takes the timing metaphor a step further. It’s like checking a guy before he walks into a bar to see if he’s been drinking, he says. “Four hours later, he’s blind drunk, but he stumbles into a cop and hands him a piece of paper saying he’s fine.”
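The two points made above, that a seal is only as current as the last check behind it and that a hole left open past the remediation window should cost a company its seal, can be made concrete with a small checker that a relying party might run over what it actually knows about a certified site. This is an added example, not code from the article or from any vendor it names. The intervals (a quarterly scan, an annual on-site follow-up, a 30-day danger zone before revocation) are taken from the article’s description of TruSecure’s programme; the `Seal` and `Finding` records, the `seal_status` and `evidence_age_days` functions and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Intervals quoted in the article for one vendor's programme: a quarterly
# vulnerability scan, an annual on-site follow-up, and up to 30 days in a
# "danger zone" to close a hole before the seal is revoked. How the checker
# combines them is an assumption made for this example.
SCAN_INTERVAL = timedelta(days=91)
FULL_REVIEW_INTERVAL = timedelta(days=365)
REMEDIATION_WINDOW = timedelta(days=30)

# Rank statuses so the worst piece of evidence wins.
RANK = {"valid": 0, "danger_zone": 1, "revoked": 2}


@dataclass
class Finding:
    """A hole the assessor reported; `closed` stays None until it is fixed."""
    description: str
    opened: date
    closed: Optional[date] = None

    def is_open(self, today: date) -> bool:
        return self.closed is None or self.closed > today


@dataclass
class Seal:
    """What a relying party actually knows about a certified site (assumed shape)."""
    last_full_review: date   # last on-site review of policies, staff and infrastructure
    last_scan: date          # last external vulnerability scan
    findings: List[Finding] = field(default_factory=list)


def seal_status(seal: Seal, today: date) -> Tuple[str, List[str]]:
    """Return (status, reasons) for the seal as of `today`.

    status is 'valid', 'danger_zone' or 'revoked'. Each kind of evidence
    decays on its own clock, which is the article's "snapshot in time"
    point: the seal says nothing about any moment after the last check.
    """
    status = "valid"
    reasons: List[str] = []

    def worsen(new_status: str, reason: str) -> None:
        nonlocal status
        reasons.append(reason)
        if RANK[new_status] > RANK[status]:
            status = new_status

    if today - seal.last_full_review > FULL_REVIEW_INTERVAL:
        worsen("revoked", "annual on-site review is overdue")
    if today - seal.last_scan > SCAN_INTERVAL:
        worsen("revoked", "quarterly vulnerability scan is overdue")

    for finding in seal.findings:
        if not finding.is_open(today):
            continue  # fixed before today: no longer counts against the seal
        age = (today - finding.opened).days
        if age > REMEDIATION_WINDOW.days:
            worsen("revoked", f"'{finding.description}' open {age} days, past the 30-day window")
        else:
            worsen("danger_zone", f"'{finding.description}' open {age} days, in the danger zone")

    return status, reasons


def evidence_age_days(seal: Seal, today: date) -> int:
    """Days since the most recent check of any kind: the honest answer to
    'how old is this seal?' that a badge on a website never gives."""
    return (today - max(seal.last_full_review, seal.last_scan)).days


if __name__ == "__main__":
    # Constructed sample: a site reviewed last June, scanned in January, with one
    # hole reported three weeks ago that has not yet been closed.
    today = date(2001, 3, 1)
    sample = Seal(
        last_full_review=date(2000, 6, 1),
        last_scan=date(2001, 1, 15),
        findings=[Finding("missing patch on web server", date(2001, 2, 10))],
    )
    status, reasons = seal_status(sample, today)
    print(status, reasons, "evidence is", evidence_age_days(sample, today), "days old")
```

The useful output for a partner is not the one-word status but the reasons list and the evidence age: they turn “certified” into “last scanned 45 days ago, one finding open 19 days”, which is the kind of question Thomas suggests asking about ongoing monitoring rather than taking the badge at face value.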

Red Flags and Best Practices

If you do decide to have your security certified, there are steps you can take to maximize the value of the process. First, choose the right vendor. Like anything else, it’s a combination of name recognition, references, reputation and experience. You want someone you can trust, because you’re giving that company the most intimate access possible. Schenecker felt most comfortable with Ernst & Young. Lapelosa went with TruSecure, because he wanted a company that dedicates 100 percent of its business to security assessments.

Johnson recommends having two companies certify you. That’s one way of dealing with the lack of standards, and it also gives you an extra layer of confidence, he says. “It’s important. Because if you’re not secure, you’ll be on the front of The Wall Street Journal explaining why your stock shouldn’t drop down to $10.”

When it comes to doing business with a company that already boasts a seal on its site, don’t take that as the only thing you need to know. Meet with the people handling its security and ask intelligent questions. Better yet, have your own third-party expert look into its processes and technology.

“Look at how it was assessed,” says Thomas. “Look at things like ongoing monitoring. Check to see if the security officer is principal to the CIO or four echelons below.”

If the CIO has sole responsibility for security, with no input from the CFO or in-house auditor, that’s a big red flag, says Thomas. “I love CIOs,” he says. “I was the CIO of many organizations when I was in the military. But I know the stresses CIOs come up against. And if the CFO isn’t engaged in the information security business of the company, I’d question whether there aren’t some holes in the sieve.”

Make sure your partner adheres to the same standards you do. For example, credit card behemoth Visa USA has come out with a list of requirements that member banks, merchants and third-party service providers will eventually have to satisfy (see “Visa USA’s Security Requirements,” at left). These requirements already apply to ISPs and gateways, and Visa insists on the right to have its chosen security experts conduct onsite reviews and Web server monitoring.

“With the Internet, there’s all sorts of new ways to obtain customer information,” says John Shaughnessy, Visa USA’s senior vice president of risk management. “It’s no longer the old dumpster-diving type thing. It’s almost like electronic dumpster-diving, and we need to make sure we’re up to speed as an industry.”

What it comes down to is that, where security is concerned, there’s no such thing as complete trust. Thomas is an advocate of any process that improves security, for example, but believes that putting faith solely in seals is a mug’s game.

“I’d encourage anyone to go through the process of having his security reviewed,” he says. “But don’t think for a minute that the endgame is to have the process performed and then you walk away.”