
Persuading people to pay for security certificates


jrbarnett

Programmer
Jul 20, 2001
9,645
GB
Background
I've recently got involved in implementation of a web application. One of the vendor's recommendations is that the web site is secured using SSL, which is fair enough given the nature of the data that are to be entered or reported on using it.

In a meeting to discuss implementation I mentioned that we would need to buy an SSL certificate for the web server, and while for development and testing this wouldn't be necessary, it would be needed before we could go live with it.

My boss, a typical computer end user, and a member of our finance department who were also at the meeting started asking about this.

I explained that SSL certificates installed on the web server (and subsequent use of https instead of http) means:

* the communications between their PC and the web server are encrypted (i.e. not sent across the wires as plain text)
* their PC can verify that the web server on the other end is the server it says it is, rather than some machine trying to impersonate it.
* SSL is widely used in online banking and shopping sites for ordering and transfer of payment information.
* The only negative point is that there is a slight performance hit overall compared with unencrypted traffic.

The response was on the lines of "Um Ah OK" without a definite "This needs to be done" item on the to do list.

This isn't the first web application we have, but it is almost certainly the first that will need to be made accessible from outside my employer's organisation, and I know that the guys who run our firewalls etc won't let external traffic to it without SSL installed and working.

Questions
Going further than my own background information above, can anybody think of ways to persuade non IT professionals (managers, accountants, doctors, lawyers etc) to spend money on IT security infrastructure such as SSL certificates for web servers, code signing certificates for in house developed software etc?

John
 
Company/organisation reputation. The Media love stories of confidential information getting into the wrong hands!!!!

Also, why not get together with your networks/firewall guys and provide a united front on this.

Many organisations have someone who is responsible for information security, particularly if it is personal data. Get them on board as well.

=======================================
You may think if it isn't broke, don't fix it. Engineers think that if it isn't broke, it doesn't have enough features yet!
======================================
 
Ask them to put their money where their mouth is. Ask them whether they would be happy for data such as THEIR credit card information to be passed over the internet so anyone can read it. If the answer is no then lead on with the fact that your data is no less important than that, and with the "why wasn't the website secured?" questions etc. Use the arguments that an end user might have once their details had been stolen. [Tongue in cheek]If they say yes then have fun with that[/Tongue in cheek].
 
Set up a packet sniffer (need to get authorisation from someone - or just have a lot of chutzpah). Sniff the cleartext usernames and passwords being sent to non-work related sites being used by those in a position to make decisions (ie. the boss you mention).

Present them with their passwords and explain that anyone can do this, and that if SSL was used they wouldn't be able to see these passwords in cleartext (and what they could see would be of little value).

Of course this is just one reason for using SSL for untrusted network access, but there is nothing more shocking than seeing your password in cleartext when you thought it was private.

You might get fired, but then you might not. Depends on the organisation. A chap did something similar at one contract I was on, and he was given the task of making things more secure as a result!

Cheers,
Jeff

Jeff's Blog @ CodeRambler

Make sure your web page and css validates properly against the doctype you have chosen - before you attempt to debug a problem!

FAQ216-6094
 
I would strongly recommend against stealing passwords just to prove that it can be done. The ends do not justify the means, and it will bring your own integrity into question. It shows that you're willing to engage in unethical, and quite possibly illegal behavior, just to prove your point.

I think Andrew's idea of presenting a united front is an excellent idea, and I already know you well enough to know that you will, if not done already, put all the risks and precautions in writing. In that document, you might want to summarize a number of cases clearly showing the real financial losses that other people have incurred by not making proper security arrangements. I would also have specific references to those cases to emphasize how real the danger is.

--------------
Good Luck
To get the most from your Tek-Tips experience, please read
FAQ181-2886
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
Like the united front idea, may well approach them to see what they say about it.
Agree with CC - wouldn't deliberately sniff passwords - even tools such as Wireshark and Ethereal blank out passwords where they are known in specific login sequences.

John
 
I'd go with the suggestions above, involving your network/firewall team/guys will be beneficial.

If you have/work to something like BS7799/ISO27001 then this should certainly be raised.

I would look at SSL as a mandatory requirement for this solution to go forward. Who is responsible for the project? Is it this manager? If he's not technical, like you say, try to explain the benefits of SSL rather than what it does.

Benefits could be anything like;

> Client Confidence - They will feel more confident using a secured service rather than 'taking a chance' with security.

> Data Loss - If data is sniffed, is it/would it be valuable to competitors? could they impact the business with the data they would obtain?

Quote:

"which is fair enough given the nature of the data that are to be entered or reported on using it."

What is the data? Is it confidential (addresses, names, postcodes, HR data etc.)? What would be the impact on the business if that data was leaked, not from a security point of view but in terms of potential reputation and financial loss?

I would ensure that the manager has the relevant information in front of them showing the risks of not implementing it and what could happen if any of those risks actually materialised.

Once he has the information in front of him to make an informed decision, he should make the correct one.

Try and make the alternative of not implementing SSL seem like a bad idea to the business and work from there. If there are clear risks to money/reputation, most people sign things off very quickly these days.

I wish someone would just call me Sir, without adding "You're making a scene".

Rob
 
Use is going to be current staff using the system but from outside the main premises. Lower bandwidth requirements than logging into Citrix and running through there (especially as we have some people out in Africa where 56K is luxury bandwidth).

The data relates to academic research project proposals, so it will include estimated financial costings for aspects of the project, staff salaries (some user types will have the ability to drill down to see exact salaries as well as other allowances/payments as part of that - NI contribution, pension etc; others will only see a top level summary total). It will be able to generate official documentation to specific funders including some of this information etc.

John
 
John - I'd get your Data Protection Officer involved. SSL is a widely accepted method of securing data, your data would almost certainly fall under the terms of the Data Protection Act.

Not using SSL would leave you very vulnerable if there were to be a security breach.

Rosie
"It doesn't matter how beautiful your theory is, it doesn't matter how smart you are. If it doesn't agree with experiment, it's wrong." Richard Feynman
 
I would just tell your boss to buy a wildcard certificate, and ask your customers to pay for it. Let's say it costs $500 a year, and you have 10 customers: ask them each to pay you $100 a year. You just made $500/yr for your boss! :p
 
If the system is going to be used by staff then is encryption more important than proving you are who you say you are?

If so would something like OpenSSL be of any use to you? My (admittedly very limited) understanding is that the cost in site certificates is getting a reputable company to sign it for you to verify you are what you claim. Maybe this isn't necessary in this situation.....?


Ed Metcalfe.

Please do not feed the trolls.....
 
SillyVM
This application is for use within the organisation I work for - the people who will use this will be staff within the organisation; we don't have external clients as such.

Ed
While most of the staff who work here are London based, there are several research groups based overseas in places where it really isn't feasible to run through Citrix systems, which means that this will eventually be made externally accessible.
Therefore we need the level of security that would be required by professional applications - ie security certificates on the web server.

As is constantly banged on by the people concerned, you can't add it on as an afterthought, it has to be put in at the start.

The reputation of my employer within its own areas means that getting organisations to verify it as genuine won't be a problem.

John
 
Quote:

"I know that the guys who run our firewalls etc won't let external traffic to it without SSL installed and working."

Since the "Um Ah OK" response came from someone who doesn't really know what they're talking about, perhaps the way to handle this is not to present it as a "can we have..." question, which demands thought, and implies "No" is a possible response. Perhaps you need to issue this as a "To complete this project we need..." statement, which doesn't offer the opportunity of refusal, and merely states the true costs of carrying out the project.

People often feel uncomfortable making positive decisions that cost money yet fall outside their field of expertise. The original managers may be quite grateful not to be given the choice. It allows them to concentrate on what they do best.

In the event that someone queries it, you can always pass them on to the firewall experts to let them fight it out between them.
 
SSL certs do three things:
1. Encrypt traffic
2. Prove that the website is the one you intended to visit, by warning of a name mismatch
3. Prove that the site is operated by the company that it claims to be (actually, that the root CA verifies the identity).

Since it's internal, you can do without #3 as your staff hopefully know your company and its site. You can use a self-signed certificate, and you can provide a link for your staff to install the root CA in their browsers.

You can also get a free cert from cacert.org.
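Added example (not part of the thread, and not code posted by anyone in it): the private-CA approach from the post above and Ed's OpenSSL question, spelled out as a POSIX shell script using the openssl command-line tool. It creates an internal root CA, issues a server certificate for one hostname, and then runs the two checks a browser would make: does the server certificate chain to a trusted root, and does the hostname match what is in the certificate. The organisation name, the hostname proposals.example.org and the scratch directory are made up for the example.

```shell
#!/bin/sh
# Added example: private root CA + server certificate, checked with openssl.
# All names below (organisation, hostname, work directory) are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory for keys and certificates

# 1. Create the internal root CA. This is the certificate you would ask staff
#    to install in their browsers' trust store instead of paying a public CA.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" \
        -subj "/O=Example Research Org/CN=Example Research Org Internal CA" \
        -out "$WORK/ca.csr" 2>/dev/null
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 \
        -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Issue a server certificate for one hostname, signed by the CA. The name
#    goes into subjectAltName, which is what clients match against the URL.
make_server_cert() {
    host=$1
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" \
        -subj "/O=Example Research Org/CN=$host" \
        -out "$WORK/$host.csr" 2>/dev/null
    cat > "$WORK/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 825 \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# 3a. Chain check: does the server cert chain to the trust anchor in file $2?
#     Prints "trusted" or "untrusted". -no-CApath ignores the system store,
#     so only the file you pass counts, like a browser that only has your root.
check_chain() {
    if openssl verify -no-CApath -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# 3b. Name check: the "name mismatch" warning a browser shows when the host in
#     the URL ($2) is not in the certificate. Prints "ok" or "mismatch".
check_hostname() {
    if openssl verify -no-CApath -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
            "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone run: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    make_ca
    make_server_cert proposals.example.org
    echo "against our CA:       $(check_chain proposals.example.org "$WORK/ca.crt")"   # trusted
    echo "against no CA at all: $(check_chain proposals.example.org /dev/null)"        # untrusted
    echo "correct hostname:     $(check_hostname proposals.example.org proposals.example.org)"  # ok
    echo "wrong hostname:       $(check_hostname proposals.example.org evil.example.org)"       # mismatch
fi
```

The "untrusted" result is what every staff browser will show until the ca.crt file is installed in its trust store, which is the operational cost of the self-signed route: you trade the certificate fee for a rollout job across every PC and laptop that will use the site, including the ones overseas.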
 