Vendor Conflicts Bug Security Chiefs ...

Computerworld - ... who believe that incompatibility among security products impedes their efforts to lock down their systems. Vendors "need to open up their security model, so companies can apply the product to their own security needs," argues Allen Kerr, vice president of IT infrastructure and information security at Premera Blue Cross in Mountlake Terrace, Wash. Kerr points to vendors that claim, for example, that a product is compliant with the Health Insurance Portability and Accountability Act, which is good. But that doesn't help him when he needs to extend the product to be compliant with patient health information strictures set by individual states. "I say, open up the security model so I can be compliant across the board," he concludes. Phil Attfield, an IT security consultant in Fall City, Wash., agrees. "Security is infrastructure now," he says, "and it needs to have policy enforcement standards set across the board." Unless vendors open up their APIs, that's not possible. Ron Moritz, chief security strategist at Computer Associates International Inc., acknowledges the problem and says it will take until 2006-07 for the application programming interfaces in CA's eTrust security applications to be available to users for customization.

Another brewing security issue that worries Kerr and other corporate information security heads who were at a CA-sponsored dinner at Safeco Field in Seattle last week is outsourcing. "What people worry about is securing the transmission of data," he says. "But that's the simplest part." Karen Worstell, chief information security officer and vice president of IT risk management at Redmond, Wash.-based AT&T Wireless Services Inc., says there's "no difference between Tukwila, [Wash.,] and Bangalore" in the way IT managers need to treat their outsourcers. However, she suggests that you develop service-level agreements that specify how the information can be used by outsiders, who can see it and whether work on an application can be subcontracted out. "And you need to monitor or audit the outsourcer once or twice a year," Worstell advises. She says she believes that the Sarbanes-Oxley Act changed the way IT has to think about outsourcing deals. "Now you can outsource the work, but not the responsibility," she wisely says.

The mainframe gravy train keeps getting longer for Attachmate Corp. The Bellevue, Wash.-based company will release its MyExtra Smart Connector Mainframe Edition late this month. The new version of the software, which already exists as a server-based product outside the mainframe, now runs directly in an OS/390 or zSeries environment. Plus, the latest version will add VSAM and DB2 connectors to its IMS and CICS links. Attachmate Vice President Markus Nitschke says application writers can use the mainframe-based version to tie information inside disparate databases running on the big iron with a single SQL join command. And, he boasts, performance jumps at least 100 times by running the connectors directly on the mainframe as opposed to on an external server.