“The old days, when you could just turn on your desktop anti-virus product — I think those days are long behind us,” says Joe Zasada, manager of technical services at St. John’s Ambulance Alberta in Calgary. His organization, which has 70 employees plus volunteers working across the province, uses multiple anti-virus tools, virus-throttling technology and intrusion detection, and has firewalls not only at the perimeter of its network but segmenting the network — for instance, separating office PCs from those used for training.
Then there are the virtual private networks (VPNs) designed to secure remote access to the network. As security becomes more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance. And they are grappling with new issues created by growing mobility and anywhere, anytime access.
The enterprise view
Bill Jensen, product marketing manager at Check Point Software Technologies Ltd., a security software firm with headquarters in Ramat Gan, Israel, and Redwood City, Calif., says security is about protecting not only the network but the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile devices.
“Many enterprises look at network security as taking a layered approach,” says Bob Berlin, manager of product marketing at Cisco Systems Inc. in San Jose, Calif. “You can’t just do one thing and know that your network is secure.”
“More and more,” adds Richard Branston, general manager of the security practice at Markham, Ont.-based IBM Canada Ltd., “our clients are saying, ‘I want to do centralized security operations where I’m looking at the entire enterprise from a security perspective.’”
Pamela Casale, chief marketing officer at security software vendor Intellitactics Inc. in Reston, Va., says the road to an enterprise security strategy starts with consulting stakeholders to determine what level of risk is acceptable. Then you can formulate a policy that lays out the controls that will achieve that goal.
Standards such as the International Standards Organization’s ISO 17799 and Control Objectives for Information and related Technology (COBIT) are useful frameworks for building a security strategy, advises Jan Wolynski, a director in the advisory services practice of consulting firm PricewaterhouseCoopers LLC and a former police officer.
And, says Casale, it’s important to define the roles and responsibilities of everyone who is part of your security plan. That, she stresses, means everyone from the chief security officer to every user who has a user ID and a password.
Integrating the tools
A layered approach to security can produce information overload headaches. As configured out of the box, many security products generate a number of alerts that can be “a little overwhelming,” Zasada observes. And with many different products, security staff could be looking at 10 or 20 different screens, says Casale.
“IT managers are focusing more and more on getting end-to-end visibility,” says Karthik Krishnan, senior product manager in the Security Products Group at Juniper Networks, Inc., of Sunnyvale, Calif.
One route to this unified view is a suite of security tools from a single vendor, designed to work with a single management console. That may work if you’re starting from scratch, Wolynski says, but many organizations already have not only security tools from different vendors, but network equipment that has its own security capabilities built in, and they need to integrate it all.
In that case, the more realistic option is something that can correlate data from multiple vendors’ security products.
Intellitactics Security Manager is one example. “We transform millions of events into a fewer number of alerts,” Casale claims.
Major network infrastructure vendors Cisco and Juniper have each taken their own approach to this. Cisco touts the concept of the “self-defending network” with security provisions built into network hardware. Its Monitoring, Analysis and Response System (MARS) pulls together information from multiple devices. MARS works with many third-party products as well as Cisco’s own equipment, Berlin says.
Cisco’s Network Admission Control (NAC) framework also works with other vendors’ products, says Brendan McConnell, product manager for the NAC appliance. NAC can translate information from some 300 products made by about 50 vendors into access policies, he says. The switches and routers as well as the access server, though, must come from Cisco.
In November, Juniper launched Unified Access Control, which adheres to the non-profit Trusted Computing Group’s Trusted Network Connect standard. That means you can plug in any vendor’s products as long as they conform to the Trusted Network Connect standard, Krishnan says. But Zasada offers a reality check on integrated security tools. They usually require a dedicated desktop computer and a lot of configuration work to get the desired results, he says. “The amount of time needed to set them up, and the resources, is quite large.”
And while integration is improving, there’s no one dashboard that handles everything. Vendors recognize the need but commercial interests get in the way, says Tom Slodichak, chief security officer at security consultants WhiteHat Inc. in Burlington, Ont.
Evaluating effectiveness
With multiple security tools in place, how do you determine what’s working and what isn’t? How do you justify the expenditure by showing that every tool in your arsenal is doing its job? First, Wolynski advises, it’s important to have clear goals and documented criteria for selecting tools. Of course, there’s one very good indicator of whether your security systems are working: whether your systems get broken into or not. The question is, “Was I impacted when my peers and colleagues were?” says Branston.
Monitoring the alerts the various tools generate is a good way to see how many problems they’re preventing, Zasada says, and log files are invaluable for this purpose.
Casale says security management consoles like Intellitactics’ can also help, thanks to reports that help the security manager see what each security tool in his or her arsenal is picking up. “If you’re trying to look at the effectiveness of your antivirus, you can run reports on all the anomalies generated by your antivirus. You can run reports on all the alerts generated by your IDS system.” Such reports can also indicate when security controls need to be tightened or relaxed, Casale says, and help the security administrator see how long incidents take on average to be resolved.
If a tool isn’t performing, it may need some adjustments. Few security tools do everything a given enterprise wants straight out of the box, Wolynski points out.
Endpoints everywhere
IT security professionals face a new headache today. “Your perimeter is dissolving to where your LAN is just open to anybody being able to come in and get access,” Krishnan says.
One of the greatest security threats to the corporate network is the company employee who takes work home and works on a laptop over the weekend, points out John Dathan, Juniper’s director of enterprise sales, Americas International. Kids may use the same laptop to play games and download music, possibly introducing viruses, spyware and other hazards. Then, says Dathan, “Monday morning that executive walks back into the office, walks right past all the firewalls and right past all the perimeter things that have been built.”
And it’s not only employees. In this age of anywhere, anytime access, Slodichak says, clients and partners may want network access while visiting your office.
An increasingly popular way to address these concerns, Slodichak says, is to implement software that can not only check mobile devices for viruses but make sure they are equipped with firewalls and up-to-date antivirus signatures before allowing them into the network. Those that fail the test can be directed to a virtual LAN isolated from the rest of the network to obtain necessary updates.
Mobile devices that fall into the wrong hands are also a significant problem, as numerous headlines have shown in the last couple of years. The issue is growing not only because the devices are proliferating but because their storage capacity is increasing. “How many filing cabinets do you think can sit on an iPod today? It’s rooms and rooms of them,” says Branston.
Rapidly proliferating wireless hotspots also present problems, says Dean Turner, senior manager of security response at Symantec Corp. in Cupertino, Calif. Traffic on the public networks is unencrypted unless road warriors use VPNs to connect to the office, he says, and “that’s like setting a buffet for these guys.”
What’s a security manager to do? VPNs have become virtually de rigueur for road warriors connecting to enterprise systems from outside the firewall. Web-based applications with carefully considered access controls can help. And educating employees about proper security precautions when on the road, from avoiding dicey hotspots to thinking twice about storing sensitive data on laptops and handheld, is a critical part of the strategy. Around a dozen of St. John’s Ambulance Alberta’s 70 employees work remotely on a regular basis. Zasada says the power users rely on VPNs to connect back to the office, but St. John’s Ambulance has also constructed some web-based applications and those with simpler requirements can connect using basic terminal services. "You can’t shut down the mobilization of data,” Branston says, “so the only thing you can do is protect it.”