Focus on Data

By Timothy Dyck  |  Posted 2003-06-16

The place to focus a security assessment is on the data itself. Data protection should be provided through centralization of location, systematic application of access controls, encryption and physical security.

Centralizing data is a matter of simplifying security management and reducing the number of network access points and server locations where extensive security controls need to be implemented.

Network and data access controls should be implemented using central directories such as LDAP directories, Microsoft Corp.'s Active Directory, Novell Inc.'s eDirectory or a public-key infrastructure. A global directory provides a single, highly valuable point of administration for user rights, and organizations should bias their selection of network and application infrastructure toward products that provide solid directory support. The same centralization makes the directory the highest-value target on the network, so its servers, replication links and administrative accounts deserve the strictest controls of all.
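What a directory-driven access control looks like in practice, as an added example written for this page and not code from any of the products named above: a small LDIF parser, a resolver that expands nested group membership, and an authorization check that grants a right only if the directory places the user in the group named by policy. The DNs, users, groups, the groupOfNames-style "member" attribute used for nesting and the resource policy are all constructed for the example.

```python
"""Authorization driven by a central directory.

Added example, not from the article: a minimal LDIF parser and a resolver
that expands nested group membership, so that access to a resource is decided
by group membership held in the directory rather than by per-server lists.
The DNs, groups, users and resource policy below are constructed for the
example, as is the groupOfNames-style 'member' attribute used for nesting.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed LDIF export of a small directory.  finance-readers nests the
# dba group, so every DBA is also a finance reader.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=dba,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: dba
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=finance-readers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: finance-readers
member: uid=bob,ou=people,dc=example,dc=com
member: cn=dba,ou=groups,dc=example,dc=com
"""

# Constructed resource policy: (resource, action) -> group DN that grants it.
RESOURCE_POLICY = {
    ("finance-db", "read"): "cn=finance-readers,ou=groups,dc=example,dc=com",
    ("finance-db", "admin"): "cn=dba,ou=groups,dc=example,dc=com",
}


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse LDIF text into {dn: {attribute: [values]}}.

    Handles folded values (continuation lines start with a space) and
    comments; base64 (':: ') values are not needed for this example.
    """
    entries: dict[str, dict[str, list[str]]] = {}
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs: dict[str, list[str]] = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = dict(attrs)
    return entries


def effective_groups(entries: dict, user_dn: str) -> set[str]:
    """All groups that contain user_dn directly or through nested groups."""
    containers: dict[str, set[str]] = defaultdict(set)
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            containers[member].add(dn)
    seen: set[str] = set()
    frontier = {user_dn}
    while frontier:  # breadth-first walk up the nesting; 'seen' breaks cycles
        frontier = {g for m in frontier for g in containers.get(m, ()) if g not in seen}
        seen |= frontier
    return seen


def is_authorized(entries: dict, user_dn: str, resource: str, action: str) -> bool:
    """Default deny: allow only if the policy names a group the user is in."""
    required = RESOURCE_POLICY.get((resource, action))
    return required is not None and required in effective_groups(entries, user_dn)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("alice", "bob", "mallory"):
        dn = f"uid={user},ou=people,dc=example,dc=com"
        print(user, sorted(effective_groups(directory, dn)),
              is_authorized(directory, dn, "finance-db", "read"),
              is_authorized(directory, dn, "finance-db", "admin"))
```

The point of the design is that no server holds its own list of who may do what: changing the dba group in one place changes alice's rights on every system that consults the directory, and an unknown user or an action the policy does not name is refused by default.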

Encryption of data on disk is a well-understood and well-supported practice among network operating systems, but network encryption is not as common. This is particularly an issue when using wireless networks, where anyone in radio range can capture traffic without touching the wired infrastructure. With Secure Sockets Layer encryption and VPNs so well supported for external traffic, there's no reason not to use these approaches internally. For example, Cranite Systems Inc.'s Wireless-Wall Software Suite 2.0 earned an eWEEK Excellence Award for its ability to encrypt wireless traffic transparently yet effectively.

Finally, physical protection—network gear, server hardware and data backups—must always be enforced in parallel with network access controls.

Moving from data to the servers on which data resides raises the issue of sheer scope in large organizations. Security configuration, remote monitoring and patch management for thousands of servers and hundreds of thousands of connected network devices are an immensely daunting challenge for IT staff.

This is a topic that eWEEK's Corporate Partner advisory board members have raised as a pressing issue, a factor that contributed to Foundstone Inc.'s FoundScan Vulnerability Management System 2.5 winning in the Excellence Awards Enterprise Resource Protection category. The product provides rapid network vulnerability scanning and patch deployment monitoring for large networks—functionality that is highly useful for keeping far-flung networks secure.

Firewalls have been the linchpin of network boundary security for many years, although threats have increasingly been shifting to application-level attacks over HTTP or other application-specific ports left unfiltered by most firewalls.

A new breed of white-list-based Web application firewalls is emerging to deal with this threat from outside attacks. Rather than matching traffic against signatures of known attacks, these products permit only requests that fit a defined profile of the application's expected URLs, methods, parameters and value formats, and refuse everything else. eWEEK Labs recently evaluated three such products, which perform deep HTTP protocol inspection to provide real-time monitoring and attack prevention.

Protocol-based network security monitoring is very much the leading edge of network security practices. Major firewall vendor Check Point Software Technologies Ltd. is shipping this month its first protocol-specific traffic inspection and attack prevention firewalls; this effort signals a shift to greater intelligence in firewall products as application-level attacks become increasingly common.
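The positive security model behind the white-list Web application firewalls described two paragraphs above, and the protocol-specific inspection this paragraph describes, can be shown in a few dozen lines. The following is an added example written for this page, not code from the eWEEK Labs evaluation or from any vendor's product: it parses a raw HTTP/1.x request, refuses anything that violates the protocol, and then allows only requests whose path, method, parameter names and parameter value syntax appear in an explicit policy. The policy, the size limits and the sample requests are constructed for the example.

```python
"""Positive-security-model (white-list) HTTP request filter.

Added example, not from the article or any vendor product.  Only requests
whose shape is explicitly described in POLICY pass; everything else,
including malformed HTTP, is refused.  Policy, limits and sample requests
are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed allow-list: path -> permitted methods and, per parameter,
# the only value syntax accepted.  A real WAF builds this per application.
POLICY = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": re.compile(r"^[a-z][a-z0-9_.-]{0,31}$"),
            "password": re.compile(r"^[^\x00-\x1f]{8,128}$"),
        },
    },
    "/account": {
        "methods": {"GET"},
        "params": {"id": re.compile(r"^[0-9]{1,10}$")},
    },
}
MAX_HEADER_BYTES = 8192   # constructed limits; tune per deployment
MAX_BODY_BYTES = 4096
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 7230 token


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Raises ValueError for anything that is not well-formed HTTP; a
    protocol-aware firewall drops such traffic before looking at content.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        raise ValueError("missing header terminator or header too large")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII head -> rejected
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    method, target, _version = request_line
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not HEADER_NAME.fullmatch(name):
            raise ValueError("malformed header")
        headers[name.lower()] = value.strip()
    return method, target, headers, body


def evaluate(raw: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for a raw request; the default is deny."""
    try:
        method, target, headers, body = parse_http_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"protocol violation: {exc}"
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds limit"
    url = urlsplit(target)
    rule = POLICY.get(url.path)
    if rule is None:
        return False, f"path not in allow-list: {url.path}"
    if method not in rule["methods"]:
        return False, f"method {method} not allowed for {url.path}"
    pairs = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST":
        if not headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            return False, "unexpected content type"
        pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for name, value in pairs:  # every parameter must be known and well-formed
        pattern = rule["params"].get(name)
        if pattern is None:
            return False, f"unknown parameter: {name}"
        if not pattern.match(value):
            return False, f"value of {name} violates allowed syntax"
    return True, "ok"


# Constructed sample requests, as they would arrive on the wire.
GOOD_LOGIN = (b"POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"user=alice&password=correct-horse-battery")
SQLI_LOOKUP = b"GET /account?id=1%20OR%201=1 HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
UNKNOWN_PARAM = b"GET /account?id=42&debug=1 HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
BAD_METHOD = b"DELETE /account?id=42 HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
MALFORMED = b"GET /account?id=42 HTTP/1.1\r\nHost app.example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (GOOD_LOGIN, SQLI_LOOKUP, UNKNOWN_PARAM, BAD_METHOD, MALFORMED):
        print(sample.split(b"\r\n", 1)[0].decode(), "->", evaluate(sample))
```

Note that the injection attempt is stopped without any SQL-specific signature: the id parameter is declared numeric, so "1 OR 1=1" fails the syntax check the same way any other non-numeric value would. That is the practical advantage of the white-list approach, and also its cost, since every legitimate URL and parameter has to be described before the filter is put inline.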

West Coast Technical Director Timothy Dyck can be reached at

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master's of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
