Online Security

by Sumeet Sabharwal    Nov 12, 2007

The Internet has matured from a phenomenon to a transformational infrastructure that’s changing our society. Consumers can conduct business from virtually anywhere. And they increasingly expect companies to provide access to services, content, and information anytime, from any device. As enterprises open up and extend their IT infrastructure to accommodate the demands of their employees, customers, suppliers, and partners, threats and vulnerabilities multiply. These threats disrupt the key assets of the business: data, internal networks, and the websites or commerce portals that generate revenue. When attacks on these assets occur, they have a real impact on the revenue, brand, and productivity of the targeted organization. Given the reality of these security threats and the corporate compliance issues companies are required to address, it comes as no surprise that secure business enablement has emerged at the top of the priority list for most CIOs. Because security vulnerabilities can be exploited in a variety of ways, most companies, in order to safeguard their information assets, have tried to adopt a holistic approach spanning both controls and technology.

The introduction of regulatory controls over the last decade focused initially on privacy and the mitigation of risks associated with the storage of personal data. Given the changing nature of the threat, this has expanded beyond traditional data security to an enterprise view of security, one that covers all types of vulnerabilities and perceived risks that corporations face today. Measures like the Sarbanes-Oxley Act in the US and comparable regulatory efforts in other countries have acted as a further catalyst, prompting organizations to treat the risks borne by shareholders as an integral part of their operational responsibilities.

The result has been a recasting of security policy formation as a subset of overall organizational controls, geared especially toward demonstrating compliance. This has driven an increased formalization of governance structures, frequently as a direct result of actions by boards of directors. It has also spurred the development of various industry standards, including Control Objectives for Information and Related Technology (CobiT) and ISO27001. CIOs are increasingly adopting CobiT as the model with which to demonstrate their focus on IT controls.

Prompted by the breakneck pace at which hackers are developing new and easier-to-use attack tools, the technology industry has responded with tremendous innovations and services. The traditional security environment of the 1990s comprised a perimeter firewall and desktop antivirus software. Fast forward to early 2000, and attacks became more sophisticated. Since early 2001, the list of security technologies has broadened considerably, and implementing those technologies can require small armies of technicians. Network designs, from perimeter-based to zoned, have proven to be weak and have failed to meet the needs of both IT and the business. Core security services for applications and systems have improved dramatically, making enterprise security service architectures viable for the first time, at least where new in-house application development is taking place.

Even the simple idea of keeping the attacker out is now antiquated, as the majority of successful attacks are conducted by insiders, who are already past the defensive perimeter of network security. Once inside, the attacker invariably has a rich selection of applications to target, each with its own set of security weaknesses and vulnerabilities.

The possibility that internal personnel could do serious damage to the organization has therefore become a reality. As a result, technology development has expanded to include a focus on controlling employee behavior, as well as on detecting and stopping attacks that originate on the network interior.

As we look back over the security landscape, the one thing that has remained constant is the name of the game: develop the technology that stops bad things from happening. While enterprises have done a decent job of mitigating the historical security threats, today’s security threats are more sophisticated and pose a greater risk to organizations than ever before. Today’s security threats are no longer just a nuisance; they compromise data, destroy reputations, and put organizations at risk. Existing security tools don’t solve the issue, and a gaping security hole can bring down an entire business.

This has led to the advent of the fourth generation of security platforms: devices that bundle all of the security functions together into a category called Unified Threat Management (UTM). Beyond their role as the security enforcement point, these devices also encompass the traditional switching and routing functions. Their inherent architectural flexibility makes them easy to fit into existing environments and even makes possible some things that were once considered impossible. For instance, a large enterprise with several business units can deploy these advanced networking and security devices at the core. It can then assign a virtual security domain to each business unit while performing content filtering and firewalling between the virtual domains. Thus, it can segment the business units from one another and maximize the return on its investment in core security devices.

However, technology can only do so much to address the issue. The problem goes beyond technology. Security awareness in companies can be low, and attackers understand and exploit that. If someone really wanted to penetrate an organization, for example, they might first try calling an employee on the phone, pretending to be from the IT department, and asking the employee to “confirm” their login name and password. Or, if they were desperate, they might tailgate an employee into the building and then look for an empty office with the notorious yellow sticky note on the monitor bearing that person’s current password.

With these threats in mind, the battlefield is broader than traditional network security. In fact, one must think of network security as just the first layer of defense: a barrier that makes it more difficult for an attacker to get at your assets, but one that cannot be relied on alone, because it still leaves room for intrusion. It’s crucial to build defense in depth and give equal focus to all three aspects: adequate investment in technology, a comprehensive security policy, and significant education and training of the user community. Done effectively, this will provide a set of interlocking mechanisms to keep attackers out and company assets in.

No technology or product can act as a quick fix and remove all the security exposures a company may have. As much as we may wish otherwise, there’s no silver bullet. Equipped with this understanding, your next step is to develop a plan that addresses all your company’s unique security concerns and tradeoffs.

By Sumeet Sabharwal, MD of NaviSite, India