

Opinion - Open House (March 2000)
As businesses race to become e-businesses, Simon Moores advises caution when opening up your internal systems to the all-seeing eye of the Internet.


Of late, I’ve found myself commenting quite frequently on issues surrounding on-line security. Well-publicised problems surrounding The Halifax, Prudential and of course, The Conservative Party’s own bank account, have all played their own part in encouraging the media to speculate as to whether the world is entirely ready to leap on board the e-commerce roller-coaster.

Online banking

Recently, I announced that at long last I was confident enough with the systems security to go on-line with my own account at a leading bank. This optimism lasted less than a day. I was called a few hours later by the Producer and asked if I had heard the news. Apparently account details of a particular High Street bank’s customers were visible to other customers, in a systems glitch that closely resembled the HotMail fiasco of the autumn. Now I haven’t a clue what Operating System software lay behind the Web browser in this case and, for a change, it’s not really that important. The problem, it seems, with this example and several others doesn’t lie with systems being compromised by hackers. Rather, it’s a consequence of an overall level of complexity, where a minor procedural change to one part of the system has the result of opening a door somewhere else.

Such dangers are supposedly addressed by strong testing and change management policies, but a glance at twelve months’ worth of news stories rather leaves me with the conviction that even at the highest and most highly paid levels, getting it right is more of an art form than an exact science.

You may remember the PC Week Linux Vs Windows NT Security challenge, that Linux lost, much to the outrage of the Linux camp and the delight of Microsoft. Linux lost because PC Week failed to set the server up properly and Microsoft’s own challenge administrator is on record as saying that he hadn’t realised how difficult it was to secure an NT Server in such a hostile environment. That said, and with all credit to his skills, as far as I’m aware, the beleaguered NT Server is still running safely at the end of its IP address.

Security is very big business and from what I can see, it faces a number of very real problems. It’s such a delicate subject, that when I met Amazon’s CEO, Jeff Bezos, he refused, point-blank, to discuss the subject with me at all.

The .com transition

The industry that we all swim in is a relatively young one and today, many companies are focused on what their futures will be if they fail to make the overnight e-business transition into a .com. As a consequence, CEOs everywhere are instructing IT Directors to open up internal networks to the intrusive gaze of the Internet. As the responsibility, or should I say liability, moves downstream, it invariably lands on the desk of an unfortunate soul who suddenly becomes responsible for the tangle of connected services and Operating Systems that lie behind the corporate firewall.

I ask you, if the United States Department of Defence has concluded that through the relative immaturity of systems software, it can’t adequately protect itself from the open nature of the Internet, expecting business to have solved the problem is a tall order.

Software, and the technology that drives it, is anything but static. As a result, one doesn’t have the luxury of years or even months to study a particular environment. Certainly, no time to become a Jedi Master in between cups of hastily snatched coffee. Vendors, driven by the short-term demands of their shareholders, insist on treating their customers as guinea pigs. As every new Service Pack rolls out of the door, it brings with it the risk of unwelcome and undocumented surprises. If you happen to be a Lotus Domino administrator, then SP 6.0 is a great illustration of what I mean. Much the same could be said of migration to Windows 2000 or indeed, any new piece of software. I know it’s better, bigger, faster, has a flashy box and will make me more attractive to women but who’s to say that I won’t be handing the front door keys of my business to three hundred million people the moment I go live on the upgrade?

Will the vendors offer any guarantees over security or accept any liability if some gaping security hole is revealed in a critical piece of software? Of course not! That’s all right then and goes some way to explaining why lemmings leap off cliffs.