“The old days, when you could just turn on your desktop anti-virus product — I think those days are long behind us,” says Joe Zasada, manager of technical services at St. John’s Ambulance Alberta in Calgary. His organization, which has 70 employees plus volunteers working across the province, uses multiple anti-virus tools, virus-throttling technology and intrusion detection, and has firewalls not only at the perimeter of its network but segmenting the network — for instance, separating office PCs from those used for training.
Then there are the virtual private networks (VPNs) designed to secure remote access to the network. As security becomes more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance. And they are grappling with new issues created by growing mobility and anywhere, anytime access.
The enterprise view
Bill Jensen, product marketing manager at Check Point Software Technologies Ltd., a security software firm with headquarters in Ramat Gan, Israel, and Redwood City, Calif., says security is about protecting not only the network but the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile devices.
“Many enterprises look at network security as taking a layered approach,” says Bob Berlin, manager of product marketing at Cisco Systems Inc. in San Jose, Calif. “You can’t just do one thing and know that your network is secure.”
“More and more,” adds Richard Branston, general manager of the security practice at Markham, Ont.-based IBM Canada Ltd., “our clients are saying, ‘I want to do centralized security operations where I’m looking at the entire enterprise from a security perspective.’”
Pamela Casale, chief marketing officer at security software vendor Intellitactics Inc. in Reston, Va., says the road to an enterprise security strategy starts with consulting stakeholders to determine what level of risk is acceptable. Then you can formulate a policy that lays out the controls that will achieve that goal.
Standards such as the International Standards Organization’s ISO 17799 and Control Objectives for Information and related Technology (COBIT) are useful frameworks for building a security strategy, advises Jan Wolynski, a director in the advisory services practice of consulting firm PricewaterhouseCoopers LLC and a former police officer.
And, says Casale, it’s important to define the roles and responsibilities of everyone who is part of your security plan. That, she stresses, means everyone from the chief security officer to every user who has a user ID and a password.
Integrating the tools
A layered approach to security can produce information overload headaches. As configured out of the box, many security products generate a number of alerts that can be “a little overwhelming,” Zasada observes. And with many different products, security staff could be looking at 10 or 20 different screens, says Casale.
icon.
