itVARNews

Online Security: Continuous Vigil Inevitable

Posted Tuesday, July 22, 2008 by Sumeet Sabharwal, MD, NaviSite India

The Internet has matured from a phenomenon to a transformational infrastructure that is changing our society. Consumers can conduct business from virtually anywhere, and they increasingly expect companies to provide access to services, content, and information anytime, from any device. As enterprises open and extend their IT enterprise to accommodate the demands from their various constituents, including employees, customers, suppliers and partners, threats and vulnerabilities increase exponentially. These threats disrupt the key assets of business: data, internal networks, and websites or commerce portals generating revenue. When attacks on these assets occur, they have a very real impact on the revenue, brand, and productivity of the targeted organization. Therefore, it comes as no surprise that secure business enablement has emerged at the top of the priority list for most CIOs, given the reality of these security threats and the corporate compliance issues companies are required to address. Because security vulnerabilities can be exploited in a variety of ways, most companies have tried to adopt a more holistic paradigm across both controls and technology to safeguard their information assets.



The introduction of regulatory controls over the last decade focused initially on privacy and the mitigation of risks associated with the storage of personal data. Given the changing nature of the threat, this has expanded beyond traditional data security to an enterprise view of security that covers all types of vulnerabilities and perceived risks faced by today’s corporation. Measures like the Sarbanes-Oxley Act in the United States and regulatory efforts in other countries have acted as a further catalyst, prompting organizations to address risks experienced by shareholders as an integral part of their operational responsibilities.



The result has been a recasting of security policy formation as a subset of overall organization controls, especially geared towards demonstrating compliance. This has driven an increased formalization of governance structures, frequently as a direct result of actions by boards of directors. It has also spurred the development of various industry standards including Control Objectives for Information and Related Technology (CobiT) and ISO27001. CobiT is increasingly being adopted as the model by most CIOs to showcase their focus on IT controls.



Prompted by the breakneck pace at which hackers are forging new and more easily used technologies, the technology industry has responded with tremendous innovations and services. The traditional security environment in the 1990s consisted of a perimeter firewall and a desktop antivirus control. Fast forward to early 2000 and attacks became more sophisticated. Since early 2001, the security technology list has broadened considerably, and the designs for implementing those technologies can employ small armies of technicians. Network designs, from perimeter-based to zoned, have proven to be weak and have failed to meet the needs of both IT and the business. Core security services to applications and systems have improved dramatically, making enterprise security service architectures viable for the first time if new local application development is taking place.



Even the simple idea of keeping the attacker out is now antiquated, as the majority of successful attacks are conducted by insiders who are already past the defensive perimeter of network security. Once inside, the attacker invariably has a rich selection of applications to target, each with its own set of security weaknesses and vulnerabilities. The recognition that internal personnel could do serious damage to the organization therefore became a reality. As a result, technology development has expanded to include a focus on controlling employee behavior, as well as detecting and stopping attacks that originate on the network interior.



As we look back over the security landscape, the one thing that has remained constant is the name of the game: develop the technology that stops bad things from happening. While enterprises have done a decent job of mitigating the historical security threats, today’s security threats are more sophisticated, and pose a greater risk to organizations than ever before. Today’s security threats are no longer just a nuisance; they compromise data, destroy reputations and put organizations at risk. Existing security tools do not solve the issue, and it is a gaping security hole that can bring down businesses.



This has led to the advent of fourth-generation security platforms comprising devices that can perform all of the security functions that are lumped into a category called Universal Threat Management (UTM). Beyond their role as the under-security cop, these devices also encompass the traditional switching and routing functions. Their inherent architectural flexibility makes them easy to fit into existing environments and even makes possible some things that were never possible before. For instance, a large enterprise with several business units can deploy these advanced networking/security devices at the core and assign virtual security domains to each business unit while performing content filtering and firewalling between each virtual domain, thus segmenting the business units and maximizing the investment in core security devices.



However, technology can only do so much to address the issue. The problem goes beyond technology. Security awareness in companies can be fairly low, and attackers understand and exploit that. If someone really wanted to penetrate an organization, for example, they might first try and call up an employee on the phone, pretend to be from the IT department and ask the employee to “confirm” their login name and password. If one were really desperate, they may tailgate an employee into the building and then look for an empty office with the notorious yellow sticky-note on the monitor with that person’s current password written on it.



With these threats in mind, the battlefield is broader than traditional network security. In fact, network security must be thought of as just the first layer of defense: a barrier that makes it more difficult for an attacker to get at your assets but that, depended upon alone, still allows room for intrusion. It is crucial to build a defense-in-depth and give equal focus to all three aspects: adequate investments in technology, a comprehensive security policy, and significant education and training of the user community. Done effectively, this will provide a set of interlocking mechanisms to keep attackers out and company assets in.



It is clear that there is no technology or product that can act as a quick fix, removing all of the security exposures a company may have. As much as we may wish otherwise, there is no silver bullet. With that understanding, it is important to develop a plan that will address the unique security concerns and tradeoffs that your company has. The steps to create a plan that will work for your company are straightforward, if not always simple in practice.
