Security used to mean setting up a firewall as a perimeter line of defense with trusted users on the inside and untrusted users on the outside. But in today's world of remote workers, trading partners, e-commerce customers and internal hackers, that perimeter line has been blurred beyond recognition.
An effective security strategy needs to be far more flexible and sophisticated than just posting a guard at the gate to your network. The new model for network security calls for protecting data wherever it is and trusting no one completely wherever they are, according to security experts.
The recommended approach is to classify data based on its importance and then to set up different layers of protection. The same goes for users. They need to be classified for the purposes of authorization based on their roles and their need to access specific applications. And the network needs to be divided into zones based on trust levels.
There are a variety of tools at your disposal. Antivirus software, encryption and VPNs can scour and shroud your data. Passwords, smart cards and policy enforcement software can guard servers and network zones from unauthorized access. The strongest, yet most expensive, armor lies in trusted or hardened server operating systems.
Once the tools are in place, you need to monitor the effectiveness of your efforts through internal traffic monitoring, logging and auditing, which can provide pre-emptive analysis and alerts for fending off attacks.
A secure network starts with a policy that has budget support and executive-level backing. It's the policy that determines the architecture and infrastructure needed to secure your data. It defines user roles and enforces access to information.
"Who needs access to what" is the biggest decision an organization needs to make, says Doug Jacobson, CTO for Palisade Systems, a security device manufacturer.
It might be human nature to trust the people you hire, Jacobson says, but it's not a good way to approach security. "The tendency is to give more access than should be, either because it's easier or because somebody asks for it," he says.
Users exceeding their level of access is a major problem that affects 60% to 75% of companies, says Gartner analyst John Pescatore.
At minimum, companies need to control access via role-based authorization tools. And for companies that allow network access to business partners, contractors or alliance members, these controls need to cross organizational boundaries. "Companies can get burned when their business partner turns into a competitor," Pescatore says.
"They are not really outsiders because they have a trusted door on your network," Jacobson says. "If they are a cause of a problem, intentional or unintentional, policy can say to sever the connection or have varying degrees of reaction."
Policy-based access controls can limit individual access to specific servers, applications and even to different documents within an application. The recent ratification of the XML-based digital signature standard and the XML-based encryption standard will allow access control at the data level within a specific document, so that some of the data fields get encrypted.
"It has always been talked about, and essentially been impossible to do," Pescatore says. The ability to encrypt specific parts of a document previously existed only in specialized electronic-forms applications, such as Adobe Acrobat, and has not been possible with Microsoft Word documents or Oracle databases.
Modern security architecture is about letting people in, but not giving them more access than needed, says Jeff Drake, executive vice president and co-founder of Access360, an Irvine, Calif., software manufacturer. "There's a difference between granting you access to our sales database and granting access to specific data in the database," he says.
Policy needs to be the broad umbrella under which role-based access, even time-based access control, can be enforced, Pescatore says.
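As an added illustration (not code from the article or from any vendor quoted in it), here is a default-deny policy check that combines the controls described above: role-based grants scoped to a server/application/document path, a time window, and a policy switch that severs a partner organization's access. All role, organization and path names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    role: str                      # role the rule grants access to
    resource: str                  # server/application/document path prefix
    actions: frozenset             # actions the role may perform there
    start: time = time(0, 0)       # start of the allowed time window
    end: time = time(23, 59, 59)   # end of the allowed time window

# Constructed sample policy; every role, org and path here is hypothetical.
POLICY = [
    Rule("sales-rep", "crm/sales-db/accounts", frozenset({"read", "write"})),
    Rule("partner", "crm/sales-db/accounts/shared", frozenset({"read"}),
         time(8, 0), time(18, 0)),
    Rule("dba", "crm/sales-db", frozenset({"read", "write", "admin"})),
]
SEVERED_ORGS = set()  # partner organizations whose connection policy has cut

def covers(prefix, resource):
    # Match whole path segments so "crm/sales-db" never covers "crm/sales-db2".
    return resource == prefix or resource.startswith(prefix + "/")

def authorize(user, resource, action, when):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    if user["org"] in SEVERED_ORGS:
        return False, "connection severed by policy"
    reason = "no rule grants this access"
    for rule in POLICY:
        if rule.role not in user["roles"]:
            continue
        if not covers(rule.resource, resource) or action not in rule.actions:
            continue
        if rule.start <= when.time() <= rule.end:
            return True, f"granted by role {rule.role}"
        reason = f"role {rule.role} is outside its time window"
    return False, reason

if __name__ == "__main__":
    partner = {"name": "pat", "org": "acme-partner", "roles": {"partner"}}
    noon = datetime(2024, 1, 15, 12, 0)
    print(authorize(partner, "crm/sales-db/accounts/shared/q1", "read", noon))
    print(authorize(partner, "crm/sales-db/accounts/internal", "read", noon))
    print(authorize(partner, "crm/sales-db/accounts/shared/q1", "read",
                    noon.replace(hour=23)))
    SEVERED_ORGS.add("acme-partner")
    print(authorize(partner, "crm/sales-db/accounts/shared/q1", "read", noon))
```

The returned reason string is what belongs in the audit log, so a denial can be traced to the rule, the time window or the severed connection.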
Hardening the operating system
The strongest security protection available today is a trusted operating system or software used to harden operating systems. But few companies have been willing to bear the expense and administrative burden of using these technologies to lock down data and systems.
"Today, it's government, but in the future more financial businesses are going to say, 'Even while we know it's you on the network, we want to watch what you're doing,'" Pescatore says.
The idea of not trusting trusted users is gaining momentum in the merchant world. Visa is ratcheting up the pressure on online merchants to encrypt specific types of information. Visa also is sensitive to the expense in requiring merchants to harden all server operating systems when only the credit card numbers are its concern, Pescatore says. "Visa's saying there's a need to protect specific information, but it's not necessary to harden every server to do that," he says.
But for businesses that have a need, a trusted operating system or a hardened operating system is the best internal defense. These systems let users in but only let them access certain applications or files, and prevent users from making unauthorized changes.
They isolate applications at the operating system level to eliminate the problem of a hacker taking over a whole machine. They can restrict port activity, access to other systems, and essentially will let you define the limits of a program's actions.
However, there are cost and other issues with deploying trusted and hardened operating systems. First, there is an expense because you need to install the new operating system manually on every server and update it when new versions are released.
And staffers need to be trained in how to administer a slightly different version of the operating system, Pescatore says. "When a new version of an application comes out, it may not work with the hardened or trusted version of the operating system," he says.
While trusted operating systems offer good security, they also can conflict with other applications. As a result, someone might decide to uninstall the trusted software, Pescatore says. "I'm the Web master, and my pager goes off at 2 in the morning. I find the Web server's down. I rip out the security software and the Web server works again," he says.
A firewall on every server
A lower-cost option is to deploy firewalls that are integrated into the operating system. Multiple firewalls and network zones can be deployed to protect access to internal network resources.
The impending launch of Web services will require companies to make their internal networks more secure. "If you think about it, what Microsoft .Net and what SunONE, all these Web services, are doing, is making it easier for an application inside the firewall to talk to an application outside the firewall," Pescatore says. "That connection going through the firewall means it's landing on some internal server, and that server better be secure."
Microsoft might need to make its own operating system more secure, and just as Solaris 9 now ships with a built-in firewall, Microsoft .Net also might be shipped with a firewall built into the operating system, he says.
Having a firewall built into the operating system means you can have a firewall on every server, and that's less expensive than putting a firewall in front of 1,000 servers at a cost of $5 million. The cost of a firewall built into an operating system is negligible, Pescatore says. "Solaris 9 is the same price, but it just has a firewall built in," he says.
A built-in firewall is similar to deploying a trusted or hardened operating system because it provides integrated management of the operating system and the firewall. It's different because firewalls focus on protocols and connections, and less on software running on the server.
Segregating critical resources into network zones is a common security practice for assigning different privileges and controls. Christophe Huygens, CTO for Ubizen, which offers managed and application security services, says most companies typically establish four zones: an untrusted external segment, a completely trusted internal segment and two boundary zones where information is served up to the outside world via Web servers, mail gateways and domain name servers.
The zone that needs top security gets trusted operating systems; the moderate-security zone gets policy enforcement software, at the very minimum. But firewalls and trust zones need to be employed on the internal network in conjunction with monthly vulnerability assessments, Pescatore says.
"We're advocating that companies consider managed services to perform vulnerability scanning on a daily basis," he says. Companies tend to scan internal servers less when they are inside the firewall.
"That's been a major issue because there's so many servers," he adds.
It comes down to money and a decision on whether the cost of compromised data, such as stolen credit card numbers, justifies the expense of implementing strong security measures, says Jacques Hale, a Butler Group Associate analyst. "Security's not cheap, but there's a cost in not having it," he says.