IT security suppliers should focus on fixing the root causes of poor security rather than trying to sell obscure solutions to obscure problems, according to the head of security at one of the UK's leading investment banks.
Andrew Yeomans, vice-president for global IT security at Dresdner Kleinwort Wasserstein, will use this week's Infosecurity conference to call on suppliers to develop straightforward security products, rather than complex systems that do not meet the needs of IT departments.
"Lots of people are ringing me up offering compliance solutions that solve problems in increasingly small detail. They add some value, but sometimes it feels like diminishing returns. The products are almost creating the holes they block," he said.
Yeomans urged suppliers to go back to basics and to take a global view of organisations' security needs, rather than developing pinpoint solutions to problems.
"People are plugging obscure holes in security but not noticing that the backdoors are wide open," he said.
The problem of worms and viruses was solved 20 years ago in Unix systems, which used "execute bits" to prevent systems from executing data files as programs, yet organisations have to spend enormous sums defending themselves against e-mail viruses and worms, said Yeomans.
"Separating program from data files is a simple security mechanism. Windows does have some of the support for this, but it is not pervasive and it is not implemented correctly all the time," he said.
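The execute-bit mechanism the two paragraphs above describe, as an added shell illustration that is not part of the article: a constructed text file containing shell commands is refused by the kernel until someone deliberately sets its execute bit, and a small audit function (my own, hypothetical) lists data-named files under a directory that carry one, which is the check a defender would run to see whether that separation is being honoured.

```shell
#!/bin/sh
# Added illustration (not from the article): Unix execute bits as the
# "separate program from data" mechanism described in the text.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample: two "data" files that happen to contain shell
# commands, the way a mail attachment might. Both are created as plain
# data (mode 0644), so neither carries an execute bit.
printf '#!/bin/sh\necho "payload ran"\n' > "$workdir/attachment.txt"
printf '#!/bin/sh\necho "payload ran"\n' > "$workdir/installer.txt"
chmod 644 "$workdir/attachment.txt" "$workdir/installer.txt"

execute_state() {
    # Try to run the file directly and report what the kernel did.
    # Without an execute bit the shell gets "Permission denied" (exit 126).
    if "$1" >/dev/null 2>&1; then
        echo executed
    else
        echo refused
    fi
}

audit_dir() {
    # Defender check: regular files that carry the owner execute bit
    # (-perm -100) but whose name suggests a data format.
    find "$1" -type f -perm -100 \
        \( -name '*.txt' -o -name '*.doc' -o -name '*.pdf' \)
}

# Only a deliberate chmod turns a data file into something the kernel
# will execute; that is the step the audit is meant to catch.
chmod u+x "$workdir/installer.txt"

echo "attachment.txt: $(execute_state "$workdir/attachment.txt")"
echo "installer.txt:  $(execute_state "$workdir/installer.txt")"
echo "data files with execute bit set:"
audit_dir "$workdir"
```

The contrast with the Windows behaviour the text criticises is that on Unix the decision to execute is a property of the file's mode, not of its name or extension, so an attachment saved to disk is inert until a separate, auditable permission change is made.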
Dresdner Kleinwort Wasserstein would like to use smart tokens to secure authentication for its systems, but suppliers are working to different standards, so it is hard for users to mix and match technology, said Yeomans.
"One clear inhibitor is that many products try to lock out alternative techniques. If you use one token, that prevents you from using another token without doing a lot of systems integration yourself," he said.
Paul Simmonds, global information security director at ICI, said business communications were being undermined because suppliers were not incorporating secure internet protocols into their products.
Working with its e-mail filtering supplier Messagelabs, ICI plans to use SMTP/TLS, a secure version of SMTP that will allow it to verify the identity of e-mail senders.
The company has also rolled out AS2, a secure protocol for e-business that is being championed by Wal-Mart. But neither technology has the critical mass to replace traditional insecure internet protocols.
"We need secure versions of the file transfer protocols Telnet and FTP. That would be a good start. There are more secure versions out there, but they are not widely adopted," said Simmonds.