July 22, 2002
(Computerworld)
Washington
Security benchmarks for operating systems are typically arcane measures that get little public attention. But last week's release of a security benchmark for Windows 2000 Professional drew broad government backing, including White House recognition. And this support has made the benchmark's creators hopeful that it could ultimately give private- and public-sector users more leverage with vendors.
What makes this particular benchmark unique is the cast of characters behind it. The major U.S. government agencies that deal with IT and security, such as the National Security Agency, the Defense Information Systems Agency and the General Services Administration, had a hand in crafting the benchmark, as did the Center for Internet Security, a nonprofit end-user group.
End users say such benchmarks are a big help.
"They save us a heck of a lot of time," said John Walsh, vice president of information security at Allfirst Financial Inc. in Baltimore. He uses security benchmarks to configure hundreds of servers. "They are accepted industrywide as a good place to start when building a secure system," Walsh said. "I think there is a lot of value in them."
But the benchmark's backers also hope that its broad-based support can be used to send a message to vendors about the need for strong security before products are shipped.
"We want to use the power of a user consensus to influence the vendors and [original equipment manufacturers] to secure these systems before they ever ship them, at least to a minimal level," said Clint Kreitner, president and CEO of Bethesda, Md.-based CIS.
If vendors put in security settings before products are shipped, "we can install it and run it, rather than go through another process," said John Gilligan, CIO of the U.S. Air Force. Today, military IT professionals must configure and test security settings before deploying each workstation, he said.
But even if vendors shipped systems meeting benchmark standards, Walsh said it would not stop him from verifying it. He compared it to a military job he had many years ago as a parachute rigger. "I implicitly trusted the people I worked with, but I only jumped with my own chute," he said.
The benchmark gives users a "preflight checklist" of security settings. Administrators can use the baseline standard to configure systems before rolling them out to users.
The Windows 2000 benchmark grew out of benchmarks developed by various federal agencies, but it was also based on a Microsoft Corp. security template, said Steve Lipner, director of security assurance at Microsoft. The Windows 2000 benchmark provides detail, not fundamental changes, to Microsoft security practices, Lipner said. The company also worked on the benchmark.
The Windows 2000 security settings are set at "moderate" levels and configured so that applications won't break, said Lipner. Preconfiguring PCs with Windows benchmarks before they're shipped would be something vendors could ultimately do, he said.
Microsoft's efforts to beef up security won praise from Richard Clarke, special adviser to the president on cyberspace security, who also called the private- and public-sector collaboration "an example of how things should be done."