February Issue of the Taos Newsletter: IT Security

Interview with Moses Cesario, VP of Information Technology (CIO) of Affymetrix

Tell me a little about your organization and what makes security important for you?

Affymetrix is based on protected IP. We have one of the largest IP portfolios - in numbers of patents issued - of any biotech company. Our sustainable competitive advantage comes from this, hence security issues are of very high importance to us. We are actively engaged in ongoing R&D efforts that, prior to patent or copyright protection, are "secrecy protected". Data security is essential in continuing to build the IP portfolio.

What are the 2 or 3 security issues at the top of the CIO list this year? Why? How are you addressing these?

First, I would say employee awareness. The biggest threats are coming through your door - disgruntled employees or people looking to steal physical assets. If someone wants to break in badly enough they will, so it's up to you to make it difficult to get to your assets. Employees need to understand the risks and be made responsible to guard against them - confidential information sitting on a fax or printer, and PCs left unattended and yet logged in are good examples. We spend a lot of time on awareness campaigns - we ensure our employees understand our guidelines and their responsibilities by laying them out in a training course we offer. We follow this up by assigning individuals from the security team (information security coordinators) to each business unit. They distribute security policy and best practice information to the business units and bring back information about challenges and risks in security for the units. We're constantly talking to our community and point out at every chance areas of vulnerability, helping them put in place the right defensive behavior.

Next is home office/mobile office management. This has been a major focus for us. We're doing some interesting things in this space. First we have concluded that we can't take responsibility for the security of our employees' home network environment. However, we do put a firewall client on their laptops that secures that system from any intrusion which may come from an unsecured network. Additionally, we encrypt the hard drive in the laptop so that even if it's stolen, the data is safe. We also use a Cisco VPN infrastructure both for external access and wireless access within the Affymetrix facility. And of course we make known and enforce our policy guidelines.

Third is an updated password security infrastructure. We have a cutting edge approach to single-sign-on password management. We are early adopters of Encentuate. Essentially what happens is you have a USB key with software loaded onto your PC that takes your login and password and verifies it. Then, it interacts with all the points of access where you need a password to log you into systems and applications with the randomly generated passwords it creates. So, even if someone knows your login and password, they need your system to log in; your login and password are only relevant to the first step - the verification with Encentuate. Users can take their Encentuate key with them for use with any number of systems they may use. This provides two factor authentication - user login and password plus authentication through a hardware key and software. Alternatives we evaluated were BEA and Cisco, but they really don't have the technology to do what Encentuate does, and the price point was right.

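The hardware-key single-sign-on flow described in this answer, modelled as an added Python example. This is not Encentuate's software and not Affymetrix's deployment; it is a constructed illustration of the property the answer states, namely that the login and password alone are not enough and the key device is required. Assumptions (all mine, not from the interview): the vault key is derived from both the user's password and a secret that lives only on the USB key; each enrolled system gets its own randomly generated password; the vault is protected with a stand-in SHA-256 keystream plus HMAC so that it runs with the Python standard library only (a real product would use a proper cipher such as AES-GCM).

```python
import hashlib
import hmac
import json
import secrets
import string

# Constructed parameters for the model; not taken from any real product.
PBKDF2_ROUNDS = 100_000
NONCE_LEN = 16
TAG_LEN = 32
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_vault_key(password: str, device_secret: bytes, salt: bytes) -> bytes:
    """Combine both factors: the password the user knows (stretched with PBKDF2)
    and the secret that exists only on the key device (assumed design)."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(device_secret, stretched, "sha256").digest()


def _subkeys(vault_key: bytes):
    # Separate keys for confidentiality and integrity (encrypt-then-MAC).
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate the vault contents under the combined key."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def open_sealed(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before releasing any plaintext; a wrong
    password, a missing key device, or a tampered blob all fail here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault cannot be opened: wrong factor or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def generate_password(length: int = 24) -> str:
    """Random per-system password; the user never needs to know or type it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class CredentialVault:
    """Per-user vault unlocked by login password plus key-device secret,
    holding one random password per enrolled system."""

    def __init__(self, password: str, device_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self._vault_key = derive_vault_key(password, device_secret, self.salt)
        self.blob = seal(self._vault_key, b"{}")

    def enroll(self, system: str, length: int = 24) -> str:
        entries = json.loads(open_sealed(self._vault_key, self.blob))
        entries[system] = generate_password(length)
        self.blob = seal(self._vault_key, json.dumps(entries).encode())
        return entries[system]


def unlock(blob: bytes, salt: bytes, password: str, device_secret: bytes) -> dict:
    """The login step: both factors rebuild the vault key, after which the
    per-system passwords are available to sign the user into each application."""
    return json.loads(open_sealed(derive_vault_key(password, device_secret, salt), blob))


def can_unlock(blob: bytes, salt: bytes, password: str, device_secret: bytes) -> bool:
    try:
        unlock(blob, salt, password, device_secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    device = secrets.token_bytes(32)  # constructed stand-in for the USB key's secret
    vault = CredentialVault("correct-horse", device)
    print("ERP password held in vault:", vault.enroll("erp"))
    print("password + key device:", can_unlock(vault.blob, vault.salt, "correct-horse", device))
    print("password without key device:", can_unlock(vault.blob, vault.salt, "correct-horse", b""))
```

The design choice that matters is in `derive_vault_key`: the device secret is mixed into the key, so a leaked login and password cannot reconstruct it, which is the "they need your system to log in" property from the answer. The per-system passwords are long and random, so a compromise of one application's credential store does not expose a password the user reuses anywhere else.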
How do you manage security relative to outside partners & vendors?

We conduct annual outside audits to verify the effectiveness of the information security program in place. We also rely on our anti-virus software solutions, and have gone through an extensive effort to harden our environment - looking at all potential points for hacking and closing those down as much as possible.

Along similar lines, how do you manage security for wireless, mobile, and remote users?

We have a hard VPN (software) around the network. The wireless cloud is separate from that, so if you want to use wireless in the office you need to VPN in just as you would if you were at home. We use Cisco's technology for this.

With the need to implement stronger and stronger security measures, how do you go about getting user buy-in?

Largely through awareness, by demonstrating to them the risks. Whenever we see risky behavior in our environment, we let the employee know about it, sometimes by doing what it is someone with malicious intent might do. This lets them feel first hand the consequences in a safe and educational way. It really makes people think and take steps to act more carefully. In addition, we use the liaison infrastructure with the information security coordinators I mentioned earlier. We constantly connect with our end-user community, helping them understand the guidelines and to live within them.

Quantifying the cost of attacks is extremely difficult in any organization. Any advice on how to approach this difficult task?

You have to be practical. You have to ask the stakeholders the question - what if this data/IP was compromised? The employee base has to define the risk for us, then we can look at putting the appropriate measures in place to protect it.

How much security is "good enough" and how do you define that?

That's really personal to each company. You have to decide what is important to protect, and then take appropriate measures to create a security policy that reasonably does so. Then, of course, you need buy-in at the highest levels in your operation as well as the awareness of every employee.

How effective are the various technologies available today - user authentication (ID & passwords), Anti-Virus software, Firewalls, Digital ID's & certificates, Biometrics?

Not very. In reality information security is a lot like security in your home. If someone wants to get in and they are skilled in the art, they will get in. We try to understand the imperfect nature of the information security effort and make good decisions about mitigation at the highest areas of exposure.

Beyond these, what are the most exciting new technologies? What do you see as the next big thing in security?

As mentioned earlier, the two factor authentication provided by Encentuate is an important next step.

Of people, processes, and technologies - which pose the biggest challenge in overcoming network security issues? How would you rank all three?

I would rank them as People, then Technology, then Process. An effective security program consists of a system that relies upon people within the company as much as it does technology. Both of these taken together create an effective information security environment. And Process is something that can be done well with good leadership. You really have to have a strategy around security that involves all three; tools alone are really not going to cut it.

What good books, authorities, or other sources can you recommend that have most influenced your thinking?

- Kevin Mitnick: The Art of Deception
- The CISSP book of guidelines
- The ISO standard checklists (section 17799)
Each of these gave us valuable perspectives and tools to use in setting our information security policies and in putting the right practices and tools in place to support those.

About Affymetrix

Affymetrix is dedicated to developing state-of-the-art technology for acquiring, analyzing, and managing complex genetic information for use in biomedical research. The Company began independent operations in Santa Clara, California in 1993. Affymetrix is a market leader in creating breakthrough tools that are driving the genomic revolution. By applying the principles of semiconductor technology to the life sciences, Affymetrix develops and commercializes systems that help scientists alleviate human suffering and improve the quality of life.