Project Management Institute

Detect + protect

BY DAVID E. ESSEX


HEIGHTENED GLOBAL SECURITY CONCERNS AND GOVERNMENT PRIVACY RULES PLACE NEW BURDENS ON IT AND PROJECT MANAGERS ALIKE.

EXECUTIVE SUMMARY

The rise of networked project management coincides with an increase in security and privacy fears in the wake of terrorist attacks and Internet-proliferated viruses.

Emerging technologies are uncovering new threats, even as they facilitate and promote project communication.

Threats are not just technologically based; individuals also may pose a danger to the security of information.

Physically securing computers and other technology conduits can beget increased security for sensitive information.

The Internet has turned most project managers into daily travelers of a relatively untamed, worldwide network that subjects them to all manner of rogues such as viruses, spam and hackers. After 11 September 2001, e-terrorism suddenly seemed an imminent danger, and companies took steps to shore up the bastions with new firewalls and intrusion-detection appliances that guard networks like stout sentries.

In the past two years, government regulations have strengthened demand for security and privacy safeguards. In the United States, for example, the Sarbanes-Oxley Act requires corporate executives to approve financial reports, and this need, in turn, has necessitated new controls in computerized financial systems. The Health Insurance Portability & Accountability Act (HIPAA) prescribes rules for storing medical and other personal information, and mechanisms are needed to guarantee project team members won't use such information inappropriately.

Evolutionary changes in network technology itself are exposing new potential breaches. Wi-Fi wireless networks, for example, which project team members increasingly use to access corporate networks, are more vulnerable to snooping passersby than wired networks. And letting outsiders onto any corporate network can create problems. “If you have nodes at the edges that are less protected, where you have contractors and others who are not protected, and they launch [adware] at home, then it can come in and infect your network,” says David Hartzband, technology vice president in the collaboration, content management software group at Hopkinton, Mass., USA-based EMC Corp.'s Documentum division, which makes eRoom collaboration software.

Web-based services represent an ongoing revolution in software development that lets programs communicate over the Internet. Yet such services require new security standards that will allow services to authenticate to each other, and these standards are just coming out. “It's a programmatic level of security, rather than a user logging in,” says Mark Moore, executive vice president of products and services at Redwood City, Calif., USA-based Niku Inc., a vendor of project- and portfolio-management software. “The challenge is making sure the [software] entities within the system are trusted to run those services.”


The increasing popularity of instant messaging (IM) also is creating security concerns. E-mail is more likely to have a built-in recording mechanism that enforces reporting and privacy regulations while IM typically runs outside enterprise project management tools. However, IM increasingly is a built-in feature in team collaboration software.

Experts say such challenges must be addressed at several levels. The first, and arguably, most important level is the enterprise network itself: the data pipelines and communication channels project team members use to stay in touch with each other and with centralized databases. Most of these solutions are well-known and established, but newer hardware and software categories call for extra layers of security to fortify networks.

Inside Jobs

Despite myriad outside threats, security experts and project management software vendors say the biggest threat is low-tech and comes from inside companies: employees and business partners who have been granted access to the computer network but abuse that access to reach personal information and corporate secrets. That's why much of the focus of security actually is on the user directories and network management tools that dictate who has access to what types of project information. Mr. Moore calls these three levels of security the three A's: authentication, authorization and auditing.

Authentication employs encrypted username and password log-ins for anyone trying to enter the system. In recent years, it has taken on a new wrinkle as more companies have employed “single sign-on” software, often from third-party vendors such as Netegrity Inc., which makes SiteMinder. The goal is to avoid the need for multiple usernames and passwords for authenticating workers on different applications. Besides simplifying users’ work lives, single sign-on minimizes the likelihood that employees will fall into lazy habits that hackers can exploit and “helps IT, because they can enforce password discipline better,” Mr. Hartzband says. But Mr. Moore notes that while single sign-on is becoming more popular, it isn't widespread enough. “Companies do struggle with this,” he says. “There are very few that have an effective single sign-on strategy.”


THE USUAL SUSPECTS

The more common vulnerabilities to enterprise networks include:

1. Viruses. Viruses and, increasingly, “worms,” are files that burrow into software and wait to do damage.

2. Adware. Also known as spyware or malware, adware often appears as pop-ups that promise to fix problems the adware actually caused.

3. Denial of Service (DoS) Attacks. In a DoS attack, PCs are programmed to make simultaneous requests at a Web site, making performance intolerable for legitimate users.

4. Hackers. Individuals find “holes” in software that allow them to break in and steal data.

In contrast, the authorization features of project management and collaboration software products let managers specify what kinds of information people and programs can access. Richard Faris, chief technology officer of Primavera Systems Inc., Philadelphia, Pa., USA, says that hundreds of options exist to set up security profiles for people allowed to access project data. What's more, you may want to simplify access rights for parties who are involved in a project but not responsible for implementing it. For example, “you might want a client to have access to the discussions, but not to the problem database,” Mr. Faris says.

Auditing is a newer function driven largely by government reporting requirements. In practice, it means that project management tools have added reporting features that help certify whether financial data has been moved into a data warehouse or that certain people were responsible for making backups of a database.
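The three A's the article describes (authentication, authorization and auditing) can be shown working together in a few dozen lines. The following is an added example, not code from the article or from any vendor it names; the user names, roles, resource names and the rule that a client may read discussions but not the problem database are constructed to mirror Mr. Faris's illustration, and the password hashing scheme (salted PBKDF2) is an assumption chosen for the example.

```python
"""Added example: the "three A's" for a project-collaboration system.

Authentication  -> salted password hashing and constant-time comparison.
Authorization   -> a role-to-resource map (the security profile).
Auditing        -> an append-only log of every decision, for later reporting.
All names, roles and data below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Authorization policy: which roles may read which project resources.
# "client" mirrors the article: discussions yes, problem database no.
PERMISSIONS = {
    "manager": {"discussions", "problems", "schedule"},
    "engineer": {"discussions", "problems", "schedule"},
    "client": {"discussions", "schedule"},
}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest

@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes

class ProjectSystem:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.audit_log: List[dict] = []   # auditing: one entry per decision

    def add_user(self, name: str, role: str, password: str) -> None:
        salt, pw_hash = hash_password(password)
        self.users[name] = User(name, role, salt, pw_hash)

    def authenticate(self, name: str, password: str) -> bool:
        """Authentication: verify the password without leaking which names exist."""
        user = self.users.get(name)
        if user is None:
            hash_password(password, b"\x00" * 16)   # keep timing uniform
            self._log("auth", name, None, False)
            return False
        _, candidate = hash_password(password, user.salt)
        ok = hmac.compare_digest(candidate, user.pw_hash)
        self._log("auth", name, None, ok)
        return ok

    def access(self, name: str, password: str, resource: str) -> bool:
        """Authorization: only an authenticated user's role decides access."""
        if not self.authenticate(name, password):
            return False
        role = self.users[name].role
        allowed = resource in PERMISSIONS.get(role, set())
        self._log("authz", name, resource, allowed)
        return allowed

    def denied_events(self) -> List[dict]:
        """Auditing: the report a reviewer would pull first, all refusals."""
        return [e for e in self.audit_log if not e["allowed"]]

    def _log(self, event: str, name: str, resource: Optional[str], allowed: bool) -> None:
        self.audit_log.append(
            {"event": event, "user": name, "resource": resource, "allowed": allowed}
        )

if __name__ == "__main__":
    system = ProjectSystem()
    system.add_user("alice", "manager", "correct horse battery staple")
    system.add_user("carol", "client", "client-pass")
    print(system.access("carol", "client-pass", "discussions"))   # True
    print(system.access("carol", "client-pass", "problems"))      # False
    for entry in system.denied_events():
        print(entry)
```

The point worth noticing is that authorization is never consulted until authentication has succeeded, and that both outcomes, including failures, land in the audit log: the log is what later lets someone certify who touched which resource, which is the reporting role the article assigns to auditing.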



The Internationalization of Privacy

When some team members reside globally, security issues may come to the fore. Criticality depends partially on whether global team members are using the Internet, which is less secure, or accessing information from within a private infrastructure, such as a wide-area network (WAN) running over private, leased lines. “There is a management structure that needs to be applied,” says David Hurwitz, Niku's vice president, marketing and strategy. “Make sure they are following procedures that you approve, and make sure they're collaborating in a secure environment,” he says.


Privacy concerns arise not just when project teams gain access to sensitive personal data of customers, such as the medical records of patients at a hospital, or the Social Security numbers and case histories of government welfare recipients; they also matter in projects requiring the participation of competing companies.

A third major privacy concern involves the personal information of team members themselves. “People don't want their people to know what their cohorts [earn],” says Mr. Faris. Companies face particular constraints when doing business in France and Germany, which restrict the rights of project managers to store skills and pay rate information. Mr. Faris says multinationals doing business in those countries sometimes resort to maintaining two project databases, one of which is stripped of the illegal data, a solution that he says “causes complications.”

One of the most popular means of securely integrating remote workers is virtual private network (VPN) software, or network hardware “appliances” that employ data encryption and other security mechanisms to simulate a private network over the public Internet. “I definitely see more and more organizations using VPNs,” says Stephen Skidmore, senior product marketing manager for Documentum's eRoom. “It makes you a node on your network, as if you're sitting in your office.”

IT departments at security-conscious companies almost universally secure their networks with the Secure Socket Layer (SSL), a client-to-server pipeline for transmitting encrypted data. Makers of project management and collaboration software include SSL support in their products and use a pre-assigned connection, Port 80, to communicate between products. “That way, you get SSL encryption, plus it's flowing over normal Web ports,” says Mr. Moore. Another common design element that minimizes the risk of disruption from rogue software or hackers is permitting users to access software only through a Web browser rather than having special client software that must be downloaded to each machine.

A DMZ (demilitarized zone) also puts secure communication devices, such as HTTP and e-mail servers, between private networks and the public Internet. Many companies also opt to keep all their mission-critical database and application servers behind a firewall. “Our most secure users never allow anyone outside their firewall to get in,” Mr. Faris says. He adds that some large corporate customers set up special servers outside their firewalls to provide access to contractors.

Virtual Realities

Physical security, too, cannot be overlooked. It is crucial to have door card-keys that keep people out of sensitive areas, or biometric devices that read a person's fingerprint, voice or facial characteristics to authenticate their identity.

“We usually use two forms of validation, a physical means of identification and the standard password,” says Don Kingsberry, director of the Houston, Texas, USA-based global project management office for Hewlett Packard Co. “All of the buildings have security,” including those that are overseas. The PMO, which manages 3,000 global projects, employs fingerprint recognition on handheld computers used by project members.

Having a security plan no longer is an option. It's a major and indispensable step in any project manager's IT strategy.

David E. Essex is a freelance journalist specializing in information technology. A former editor at BYTE magazine, he has also written for PC World and MIT's TechnologyReview.com.


PM NETWORK | JANUARY 2005 | WWW.PMI.ORG
