Network securitys organizational profile has risen steadily in the past two years, and security concerns are now much more likely to be represented at a senior-management level. As a result, security is as much about technical defense mechanisms as it is about organizational risk management, policy creation, and effective organizational education and training.
“Were seeing shifts away from technology people to risk management individuals,” said Jerry Brady, chief technology officer at managed security services company Guardent Inc., in Atlanta.
“For three to four years, people have been purchasing security products to solve their problems,” said Brady. “For the most part, people have been implementing stopgap products to solve their security problems. Weve seen a renewed focus on regulatory needs or standard ways to address their problems. Security assessment is looking at what your risks are and then mapping out action plans to bring out better or more managed security procedures.”
Also changing the landscape is the fact that the law has been inserting its long arm into corporate security policies as never before, making regulatory concerns a top priority for security staff. In the financial services and health care sectors, the Graham-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, respectively, have mandated sweeping changes in how protected information is transmitted, accessed and secured.
Impending legislative requirements will do yet more to make network security concerns matters of interest to corporate boards and CEOs.
SB 1386, an amendment to the California Civil Code, was passed in September and goes into effect July 1. This sweeping measure will have nationwide impact because it applies to all organizations—public and private—that either conduct business in California or that own or license data that contains personal information about any California resident.
SB 1386 requires organizations to disclose to customers the compromise or even suspected compromise of information. This will allow customers to take steps to prevent possible identity theft. Disclosure is the right thing in any case, but the bill (and the threat of lawsuits against noncompliers) will propel security changes from the top down.
Encryption is one technology that will get a boost from SB 1386, since the law pertains only to unencrypted information. Many databases make field-level encryption easy to perform, with Oracle Corp.s Oracle database and IBMs DB2 standing out in this area. Using data encryption was always a good idea, but now its the smart thing to do legally as well.
Security From the Inside
Bills such as SB 1386 and proposed federal legislation such as the S.228 and S.223 bills (both sponsored by U.S. Sen. Dianne Feinstein, D-Calif., and pertaining to Social Security and credit card number protection, respectively) are just a few of the many factors that are prompting necessary changes in network security strategies.
Its clear that IT security management techniques need to more carefully balance the importance of corporate counsel, human resources staff and risk management best practices with the latest in security technology.
Strong network security is like a cabbage—lots of layers surrounding a hard center. In the same way, security needs to start from the inside out.
Too many organizations take the wrong approach: planning elaborate defenses for the outside network perimeter but marginalizing internal network security. This approach ignores the reality that significant numbers of attacks originate internally or are a combination of internal and external forces, and it misses the modern condition of very permeable outer network perimeters.
With many mobile workers connecting through a VPN (virtual private network) and corporate applications often now accessible to employees connecting from the Web at large, there is no clean way to separate those connecting as always internal or always external. Private Web exchanges, Web services, EDI (electronic data interchange) and other business-to-business links also blur network defense lines.
Focus on Data
The place to focus a security assessment is on the data itself. Data protection should be provided through centralization of location, systematic application of access controls, encryption and physical security.
Centralizing data is a matter of simplifying security management and reducing the number of network access points and server locations where extensive security controls need to be implemented.
Network and data access controls should be implemented using central directories such as LDAP, Microsoft Corp.s Active Directory, Novell Inc.s eDirectory or public-key infrastructure. A global directory provides that very valuable single point of administration for user rights, and organizations should bias their selection of network and application infrastructure toward products that provide solid directory support.
Encryption of data on disk is a well-understood and well-supported practice among network operating systems, but network encryption is not as common. This is particularly an issue when using wireless networks. With Secure Sockets Layer encryption and VPNs so well supported for external traffic, theres no reason not to use these approaches internally. For example, Cranite Systems Inc.s Wireless-Wall Software Suite 2.0 earned an eWEEK Excellence Award for its ability to encrypt wireless traffic transparently yet effectively.
Finally, physical protection—network gear, server hardware and data backups—must always be enforced in parallel with network access controls.
Moving from data to the servers on which data resides raises the issue of sheer scope in large organizations. Security configuration, remote monitoring and patch management for thousands of servers and hundreds of thousands of connected network devices is an immensely daunting challenge for IT staff.
This is a topic that eWEEKs Corporate Partner advisory board members have raised as a pressing issue, a factor that contributed to Foundstone Inc.s FoundScan Vulnerability Management System 2.5 winning in the Excellence Awards Enterprise Resource Protection category. The product provides rapid network vulnerability scanning and patch deployment monitoring for large networks—functionality that is highly useful for keeping far-flung networks secure.
Firewalls have been the linchpin of network boundary security for many years, although threats have increasingly been shifting to application-level attacks over HTTP or other application-specific ports left unfiltered by most firewalls.
A new breed of white-list-based Web application firewalls is emerging to deal with this threat from outside attacks. eWEEK Labs recently evaluated three such applications, which perform deep HTML protocol inspection to provide real-time monitoring and attack prevention.
Protocol-based network security monitoring is very much the leading edge of network security practices. Major firewall vendor Check Point Software Technologies Ltd. is shipping this month its first protocol-specific traffic inspection and attack prevention firewalls; this effort signals a shift to greater intelligence in firewall products as application-level attacks become increasingly common.
West Coast Technical Director Timothy Dyck can be reached at firstname.lastname@example.org.