ETHICAL AND SOCIETAL ISSUES
Imperial Chemical Turns to SaaS Security Tools
Imperial Chemical Industries is a very large paint and chemicals
manufacturer based in London. The company was recently purchased
by Akzo Nobel for $16 billion. With a research budget of around
$60 million annually, and research data spread geographically over
many computer systems at a variety of locations, Imperial Chemical
works hard to keep its valuable data protected and secure.
Securing data over large distributed systems can be a costly,
time-consuming affair. It becomes more complex when one
company's systems are merged with another company's systems
over a network. In today's global information economy, it is not
unusual for a corporation to join its network with several partners
and suppliers. To secure such networks would require a large
suite of security software continuously running on all computers
and a team of security experts working around the clock.
Rather than incur these costs, Imperial Chemical decided to
outsource much of its information security to online companies
offering security SaaS. SaaS makes sense for many security
applications because the scanning of systems can take place from any
network-connected system.
Imperial uses three SaaS security providers:
• Qualys provides a vulnerability management service that
  includes network discovery and mapping, asset prioritization,
  vulnerability assessment reporting, and remediation tracking
  according to business risk.
• Veracode provides a service that scans all binary executable
  files on the system, looking for bugs and viruses.
• MessageLabs protects Imperial's e-mail systems from spam and
  viruses. It can also be used to filter out unauthorized and
  inappropriate content.
As securing corporate and customer data becomes increasingly
regulated, many companies are turning to security SaaS vendors to
make sure that they are in compliance with the law. For example,
the three companies above ensure that their customers are in
compliance with the PCI DSS, the Payment Card Industry Data
Security Standard. This standard is required by certain companies
and banks that wish to ensure their customers' privacy.
SaaS security systems are ideal for large organizations that
have thousands of computers to secure. However, it is also easy to
imagine how such services could provide a security solution for
individual personal computers as well. Currently hundreds or
thousands of home PCs are infected by spyware and serving as
bots being controlled by hackers to send spam and attack other
systems. Internet service providers do what they can to keep their
users safe, but they can't stop a user from running an infected file
or wandering to an infected Web site. Incorporating SaaS security
systems through Internet service providers to personal PCs would
clear up most of the infections that plague the Internet. As with
most security practices, there would probably be some tradeoff in
convenience and privacy.
Discussion Questions
1. Why does it make sense for a large corporation to outsource
   information security to a SaaS provider?
2. What are the dangers of trusting corporate information
   systems to an outside security firm?
Critical Thinking Questions
1. Would you be willing to allow a security company to guard
   your PC remotely while you are connected to the Internet?
   Why or why not?
2. Currently, PC users must run about four different security
   applications to keep their computers safe: a firewall, virus
   protection, spyware protection, and Windows Update. The
   user is responsible for making sure these systems are
   operational and up to date. Whose responsibility should it
   be to secure a PC? How might this system be simplified
   for users?
SOURCES: Hines, Matt, “Security SaaS offerings growing up fast,” Computerworld, August 23, 2007, www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=saas&articleId=9032321&taxonomyId=170&intsrc=kc_feat. Qualys Web site, www.qualys.com, accessed February 2, 2008. MessageLabs Web site, www.messagelabs.com, accessed February 2, 2008. PCI (Payment Card Industry) Security Standards Council Web site, https://www.pcisecuritystandards.org, accessed February 2, 2008.