In the annals of networks, 2003 will be known as the year of network security. With the passage last year of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and the European Union’s Directive on Data Protection, 2003 will be the year when companies will need to view network security from a regulatory and competitive standpoint.
From a regulatory standpoint, companies affected by the legislative acts will be held accountable for ensuring that personal information in their systems is secure. If it is leaked, stolen or “sniffed” off data networks, a company can face legal and financial consequences. From a competitive standpoint, even companies not directly affected by the regulations will need to address network security as consumers and business partners begin to demand protection of personal information.
Along with protecting against the promiscuous viewing of personal information, companies will need to implement security to protect their systems from software-based attacks such as adaptive worms, viruses, Trojan horses and denial-of-service attacks.
Network security will need to be more than just an access control list in a boundary router, an encrypted password on a file server or a basic configuration on a firewall. To provide the protection needed to ensure privacy of competitive strategy and compliance with federal regulation, companies will need to enlist external and internal resources.
External resources are needed to perform a full security audit. An internal audit could miss potential security holes. The back-door network access that the engineers use to troubleshoot problems remotely might not be viewed as a problem by internal personnel, but an external auditing team might view it more objectively.
External resources also should be considered for the implementation and management of security platforms. It can be costly to train and retain security engineers. Unless you have a large network requiring dedicated security engineers, it might be more economical to use a third-party vendor to implement and manage the security infrastructure.
However, as the ultimate responsibility lies with the company, internal resources are necessary to oversee the security process. Each company needs internal resources to identify business-specific security measures and processes that are needed, define the access and protection that are required, manage creation of the security environment, oversee third-party vendors, and ensure that any new security requirements are identified and implemented.
The network is the door to a company. It can’t be open to everyone, but to do business the door can’t be completely shut. Network security will become essential as the doorman – letting in customers who have a right to access the network, keeping their identities and information as discreet as possible, and blocking the door to all others.