Users try to balance security, IT needs

As networks and digital data come under increasing attack and government regulations hold corporations to stricter standards when it comes to information security, IT managers are looking for ways to balance the need for security with the demand for IT flexibility.

That was an underlying theme at this week's Computer Security Applications Conference, which brought together security experts from academia, government and industry to share the latest research and practices in information security. Topics covered everything from secure access technologies to vulnerability assessment to managing a secure IT environment.

While IT executives may be familiar with security conferences held by the Computer Security Institute or RSA Security, most probably aren't familiar with the Computer Security Applications Conference, which held its 21st annual gathering in Tucson. The conference is built around selected research papers submitted primarily by the academic and government sectors.

About 200 people attended the event, mostly from government and academia, a jump from the 175 that attended last year. The number of papers submitted also grew, from 135 last year to roughly 200 in 2005, says Dan Thomsen, conference chair and a lead analyst at the Cyber Defense Agency.

"The papers come out with good innovative ideas that people are actually using to build technology that's working," he says. "What we do here is let other people hear about these efforts, not only other researchers, but also people in companies and in the government." 

Marcus White, a Unix systems administrator with Bechtel-Nevada, a joint venture of Bechtel and Lockheed Martin, came to the event for the first time this year after hearing about it from a colleague.

"I'm here to see what's out there and see the direction of where security is heading. I'm also here to hear about Linux," says White, who is based in Washington, D.C.

Bechtel-Nevada runs Red Hat's Linux distribution, which includes the National Security Agency-based Security Enhanced Linux. The growing threat of malicious code, Trojans and viruses coupled with an increasing demand for tighter security and control means the search for better security is ongoing, White says.

"Just in November we noticed a fivefold increase in the number of viruses we are seeing," says White, who was listening to a session discussing the use of IPSec for access control in Linux-based networks.

"It helps to hear what people are doing. The issue with security is if you put in too much security, it's too cumbersome and restrictive," he says. "What I'm seeing here is people are trying to find a balance between security and usability."

Finding that balance is the key to a successful security strategy, says Thomsen.

"The biggest skill a security person has is a finely tuned sense of paranoia," he says. "You can't be too paranoid so you lock everything up and get nothing done. You have to know what security technology will allow you to get your corporate mission done."