In recent years an increasing number of enterprises have come to rely heavily on computer systems; indeed many (such as airlines, banks, manufacturers, retailers, and most branches of government) could not function at all without them. Thanks to the ever-improving price and performance of hardware, it has become cost-effective to deploy computers in more diverse and ubiquitous roles and to address an expanding variety of business problems through the application of computing power and bandwidth.However, IT security has been dangerously neglected, with the result being that the imposing edifice of today's computing infrastructure may turn out to be built on sand. This is partly due to the inherent limitations of distributed computing. To a much greater extent, though, it is because most organizations that design, create, sell, and use IT systems have been content to adopt a purely reactive attitude toward security.The Internet on which the great majority of modern distributed systems are based is, in a real sense, intrinsically insecure. In its early days (as the Advanced Research Projects Agency Network ARPANET), all users were trusted, so it was never an objective to provide strong defenses against subversion from the inside. None of the changes made since, nor even Internet Protocol Version 6 (IPv6), have materially changed this situation. Moreover, there are so many different kinds of portable, pluggable, and embedded computer devices on the market that traditional perimeter defense using firewalls can no longer provide adequate levels of security. The resulting state of affairs has been memorably summed up by Gene Spafford, professor of computer science at Purdue University:Secure Web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.1Only when viruses began to rampage across the Internet and attackers stole customer details by the truckload did corporations start thinking about countermeasures. All too often it is only when an enterprise itself or a markedly similar one such as a competitor or partner finds its business badly harmed that it begins to think seriously about security. By then, however, it is too late to get the best results. Excellent security cannot be added on as a "bag on the side" (as engineers say). It has to be built in to architectural designs right from the start.Whether a given computer system is, or is not, successfully penetrated by attackers seems to depend mostly on whether any expert attacker is motivated to try. Very few systems could resist a prolonged attack using state-of-the-art methods. So far, luckily enough, the overwhelming majority of virus writers and other "black hats" have been amateurs with no apparent urge either to cause true harm or to enrich themselves. The amazing thing is how little damage, relatively speaking, they have chosen to inflict thus far, even when they had substantial portions of the world's IT infrastructure at their mercy.We cannot assume that this benign forbearance will persist indefinitely. The more valuable our computer systems become, the more attractive they will be to organized professional criminals, terrorists, and others who hope to gain some advantage by attacking them. Sooner or later, such people will penetrate a military system and pass mission-critical information to hostile powers; take over a banking system and delete all of its files; or, worst of all, extend tentacles of latent control into the very heart of an enterprise's IT systems, thus establishing at least an equal share of control over them and subverting all possibility of trust.Creating and maintaining an effective security regime is one of the hardest tasks known to man. Extending such a regime to accommodate large numbers of networked computers, running a huge variety of COTS and inhouse software, is harder still. To be completely honest, perfect security is nothing but a pipe dream; in practice, security must be treated as just one more set of risks to be weighed and managed. Unfortunately, a number of the most important risk factors are difficult or even impossible to quantify reliably.We do not know nearly enough about either the probability of security lapses, or about the consequential losses should they occur. For those who have never experienced a security disaster, it is hard to take the possibility seriously. They are like drivers who think, in effect, "I have never yet been killed in a car crash, so the odds must be negligible." Moreover, it is not always those who control security policies who stand to lose the most from security failures. The balance may need to be adjusted, if necessary by legislation imposing new duties on corporations.Corporate IT security has at least four dimensions, each of which is independent of the others. We are most familiar with the technical dimension: antivirus packages, firewalls, e-mail filters, and the like. But the human element is at least as important; the most secure system in the world can be compromised if a single user divulges a password or grants unauthorized access to the wrong room. Normally, business considerations dominate at the executive level, whereas many desirable security measures positively militate against business efficiency. Lastly, the legal dimension is obtruding more and more with every passing year.Ideally, corporate governance should take all of these dimensions and factors into account. This is more easily said than done, though. On the one hand, lax security leaves the enterprise open to potentially unlimited direct losses, as well as to prosecution for compliance failures or negligence, or to lawsuits by customers, shareholders, and others. On the other hand, unduly rigid or inappropriate security policies risk alienating customers, suppliers, and above all employees. Unfortunately, even a single disgruntled employee can represent a fatal security weakness.Successful corporate governance must juggle all these considerations, balancing the risks of too little security against those of too much or the wrong kind. Meanwhile, it must also grapple with the unavoidable fact that security is like a boat: it takes only one hole, anywhere, to sink it. Thus, no number of policies, committees, or worthy resolutions will suffice to maintain adequate security unless every employee is, at the very least, supportive of that aim. It must be the goal of IT governance to establish conditions in which every employee understands the need for security and accepts the compromises that must be made to preserve it.Notes1. "A Few of Spaf's Selected Quotes"(http:\/\/homes.cerias.purdue.edu\/~spaf\/quotes.html). This quote first appeared in print in the first edition of Web Security & Commerce by Simson Garfinkel with Gene Spafford (O'Reilly, 1997, p. 9).This article is an Executive Summary of the report "The Security Risks of Modern Distributed Systems."