Historically, security threats were thought to come from bad guys outside your network. That led to strengthening the network perimeter: make sure the bad guys didn't get in, and life would be good.
And now it has become clear that the enemy might not only be "out there." Enemies may be stealing data from the inside, delivering your intellectual property to competitors or compromising private data for fraudulent purposes. So was born the insider threat.
Insiders have been involved in fraud since the beginning of time. They are in a trusted position and have access to sensitive data. They need that access to do their jobs, so cutting it off isn't really an option. So the key word is going to be control. We can't shut down access, but we need to control it.
Technology keeps moving forward, and within the last two years large enterprises have started to deploy technologies that control access to networks, as well as monitor content usage both at the network perimeter and on desktop computers. Both of these technologies will be available to SMBs, so you should understand how they work.
Network access control
Network access control (NAC) products ensure that only devices adhering to a corporate policy are allowed on the network, while monitoring what the devices are doing once they are on it. You can enforce policies on the configuration of devices (antivirus, patch level, etc.), or on what they are allowed to reach. Thus, visitors can get to only the Internet, but someone on the executive team gets free rein -- when they connect in the office. From home they get restricted access.
If you have a lot of visitors and/or contractors who need access to your network, or you have mobile employees, NAC is worth a look. You want something as nonintrusive as possible (so you don't have to re-architect your network) and that doesn't require each desktop to have an agent for enforcement.
Over time, NAC will be embedded within the network devices that you know and love, like your routers and switches. But that will take a while, so if you have a need to control what connected devices do now, check out NAC.
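The two decisions a NAC product makes, a posture check on the device and an access decision based on who is connecting and from where, can be sketched as a small policy function. The code below is an added example, not code from the article or from any NAC product; the thresholds, role names and segment labels are assumptions for illustration. The point it makes beyond the text is that missing posture data should fail closed: a device that cannot report its antivirus or patch state lands in quarantine, not on the corporate LAN.

```python
"""Added example (not from the article): a minimal NAC admission decision.

A NAC product combines two questions the article separates:
  1. Does the device meet configuration policy (antivirus current, patched)?
  2. Given who is connecting and from where, what may they reach?

Thresholds, role names and segment labels are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Policy thresholds (assumptions for the example).
MAX_AV_SIGNATURE_AGE_DAYS = 3
MIN_PATCH_LEVEL = (10, 2)      # (major, minor) the endpoint must be at or above

# Role -> segment when posture passes. Visitors are constrained to the Internet only.
ROLE_SEGMENTS = {
    "visitor": "internet-only",
    "contractor": "contractor-vlan",
    "employee": "corp-lan",
    "executive": "corp-lan",
}


@dataclass
class Device:
    av_installed: bool
    av_signature_age_days: Optional[int]   # None when the agent could not report
    patch_level: Optional[tuple]           # e.g. (10, 3); None when unknown


@dataclass
class Connection:
    role: str
    location: str   # "office" or "remote"


def posture_ok(d: Device) -> tuple:
    """Return (ok, reason). Missing data fails closed: an unreportable device is not trusted."""
    if not d.av_installed:
        return False, "no antivirus"
    if d.av_signature_age_days is None or d.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        return False, "antivirus signatures stale or unreported"
    if d.patch_level is None or d.patch_level < MIN_PATCH_LEVEL:
        return False, "patch level below minimum or unreported"
    return True, "ok"


def admission(d: Device, c: Connection) -> dict:
    """Decide which network segment this device/user combination is placed on."""
    ok, reason = posture_ok(d)
    if not ok:
        # Quarantine VLAN: remediation servers only, regardless of who is connecting.
        return {"segment": "quarantine", "reason": reason}
    segment = ROLE_SEGMENTS.get(c.role, "internet-only")  # unknown role is treated as a visitor
    if segment == "corp-lan" and c.location != "office":
        # The article's point: full access in the office, restricted access from home.
        segment = "remote-limited"
    return {"segment": segment, "reason": "posture ok"}


if __name__ == "__main__":
    healthy = Device(av_installed=True, av_signature_age_days=1, patch_level=(10, 3))
    stale = Device(av_installed=True, av_signature_age_days=10, patch_level=(10, 3))
    for dev, conn in [
        (healthy, Connection("executive", "office")),
        (healthy, Connection("executive", "remote")),
        (healthy, Connection("visitor", "office")),
        (stale, Connection("executive", "office")),
    ]:
        print(conn.role, conn.location, "->", admission(dev, conn))
```

The ordering matters: posture is evaluated before role, so an executive on an unpatched laptop is quarantined just like anyone else, which is the "control, not shut down" stance the article argues for.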
Leak prevention
Leak prevention offerings currently target the large enterprise, but more products for SMB are appearing. In a nutshell, these products spider your network and figure out where your sensitive data is (it's in more places than you thought). They then employ gateways and endpoint clients (that run on your computers) to govern the use of that content.
But with that flexibility comes complexity. That's why these offerings are more enterprise-focused right now. Over time, prebuilt policies and more portable technologies will make these offerings a requirement for all organizations.
In the meantime, you can provide similar protection by integrating a number of existing product sets that you may already have. Your email gateway can scrutinize outbound email, and your Web-filtering device can control where users surf. You can also implement device control products that disable USB ports, so that copying data to a thumb drive isn't an easy way out.
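Both the discovery step described above (spidering the network for sensitive data) and the email-gateway scrutiny mentioned here rest on the same content classification. The block below is an added example, not code from the article or from any leak-prevention product; the two detectors (payment card numbers validated with a Luhn checksum, and US SSN-shaped values), the in-memory "file share" and the sample email are constructed for the example. What it adds beyond the text is the validation step: a bare digit-run regex would flag build numbers and order IDs, and the checksum is what keeps the discovery report short enough to act on.

```python
"""Added example (not from the article): a small content classifier of the kind a
leak-prevention product runs during discovery and again at the email gateway.

It looks for two sensitive-data shapes and validates candidates to cut false positives:
  - payment card numbers: 13-19 digits, optional single spaces/dashes, Luhn check passes
  - US SSN-like values written as NNN-NN-NNNN, with the never-issued prefixes excluded
All sample documents and the sample email below are constructed for the example.
"""
import re

# 13-19 digits, each digit optionally followed by one space or dash, not adjacent to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# NNN-NN-NNNN with the area/group/serial values that are never issued ruled out.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Candidate digit runs that also pass Luhn; returns the normalised digit strings."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> dict:
    cards = find_card_numbers(text)
    ssns = SSN_RE.findall(text)
    return {"cards": cards, "ssns": ssns, "sensitive": bool(cards or ssns)}


def discover(corpus: dict) -> dict:
    """Discovery pass: map each location holding sensitive content to what was found.

    corpus maps a path to the file's text; a real product would walk file shares."""
    findings = {}
    for path, body in corpus.items():
        result = classify(body)
        if result["sensitive"]:
            findings[path] = result
    return findings


def email_verdict(body: str, attachments: dict) -> str:
    """Gateway rule: block when the body or any attachment carries sensitive content."""
    parts = [body] + list(attachments.values())
    return "block" if any(classify(p)["sensitive"] for p in parts) else "allow"


# Constructed sample "file share" for the discovery pass.
SAMPLE_SHARE = {
    "finance/refunds-q2.txt": "Refund to card 4111 1111 1111 1111, amount 42.00",
    "hr/new-hires.csv": "name,ssn\nJane Doe,123-45-6789\n",
    # 16 digits that fail Luhn, plus a dated order id: neither should be flagged.
    "eng/build-log.txt": "build 4111111111111112 finished in 42s, order 20070712-001",
}

if __name__ == "__main__":
    for path, found in discover(SAMPLE_SHARE).items():
        print(path, found)
    print(email_verdict("Please see attached.", {"list.csv": "123-45-6789"}))
```

The same `classify` function serves both jobs, which is why the article can suggest assembling leak prevention from an email gateway and a discovery scan rather than buying one suite: the detection logic is shared, only the enforcement point differs.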
The insider threat is something every organization must take seriously and start working on defenses to make sure the one you know isn't the one that kills you.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at http://www.pragmaticcso.com, read Rothman's blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.
This was first published in July 2007