24 June 2008

ISP Ethical Responsibilities

Many ISPs consider themselves to be just a “pipe” for their customers, with no responsibility to provide security for those customers. This pipe can be broken by security issues, and many of these security issues can be addressed by the ISP before the customer is ever affected. For example, detecting, controlling, and preventing denial of service attacks on ISP customers would be a great value-added service. Is it an ethics question to provide these services? I would say it is an ethics question to not provide customers with at least options for these kinds of services. Obviously, the service is not free, but there are many organizations that would pay a “little bit” extra for the added protection.

Security comes in many forms, including the standard BIG 3: Confidentiality, Availability, and Integrity (CIA), and I would add Communications here. ISPs can help themselves and their customers by focusing on security issues they can control.

- Confidentiality. This is a tough nut to crack for ISPs. They can protect their internal architecture and assure protections are in place to minimize the chance of their systems being used to intercept and exploit information passing across the ISP’s backbone. This includes preventing and detecting sniffers and protecting the backbone from being hacked.

- Availability. ISPs can take measures to assure their backbones and connections are secured to help prevent denial of service and other availability issues for their clients. By recognizing denial of service attacks or other attacks on availability, ISPs can keep themselves and their customers operational. ISPs cannot force a client to implement security on their end, but they can help to prevent some security issues from reaching the client.

- Integrity. Similar to Confidentiality, ISPs can take steps to protect their internal infrastructure so the ISP is not a source of problems. They can also offer customers solutions to improve integrity on the customer networks.

- Communications. ISPs need to communicate to their customers the security features they do and do not have in place. ISPs should also offer value-added security recommendations and solutions (whether at a cost or not) so customers have options. From a communications standpoint, ISPs shouldn’t attempt to hide security issues, but should address them proactively and, when necessary, react with drive and conviction to resolve them. ISPs can also be a source for getting the word out on security issues and solutions.

I have seen a trend of ISPs moving toward providing security features, options, and solutions for their clients. I believe this trend is due to some consideration of ethical responsibility and that there is money to be made in providing security solutions to customers. The moral of this story: ISPs, take the high road, be a provider of recommendations and solutions that will help your customers. It will help build a long-term trust relationship with your customers.

Greg Miles, Ph.D., CISSP, CISM
Security Horizon
