Network security is a daily challenge as hacking and viruses proliferate. Cliff Saran reviews some approaches to keeping the bad guys at bay.
With the growing threat of hacking, viruses, worms and internal fraud, security of computer systems has become a priority for businesses. IT directors are constantly having to assess how best to deal with security and the latest legislation. On a daily basis they are being asked to balance policy, process and the implementation of security in order to ensure the business is able to withstand an attack, detect fraud quickly, support the way the business wishes to work, and ensure security complies with audits and other legal requirements.
One of the major problems is locking down security in order to simplify security management, while still keeping systems open enough to allow organisations to share information freely with business partners and customers.
If security is too tight it can hinder business. IT departments are unable to react quickly enough to the changing nature of business. Security policy embedded in firewall rules is too inflexible and too complex to support the dynamic nature of modern business.
John Kavanagh speaks to Nick Bleech, head of security at Rolls-Royce, about a vision for IT security based on the premise that there should be no barriers. The idea is that firewalls are redundant and networks should be far more open to allow business partners to connect their networks together in order to share data.
Another problem users face is how to approach testing. Unless the network is checked regularly, how can you be sure it is secure? Vulnerabilities come in many guises. Users need to be sure their applications and operating systems have been patched to the right level, that their anti-virus signatures are up to date, and that firewalls, routers, wireless and virtual private networks are secured. With the level of patching required, it is far too easy for IT departments to miss a critical patch or misconfigure a network access device.
Testing can be conducted with automated tools that continually probe the network, attempting to gain access. Some organisations hire network security consultants to test the network for vulnerabilities.
Network security can easily take up too much time, at the expense of other critical IT services. Rather than trying to secure everything at once, it is sometimes better to do a simple thing well.
Helen Beckett looks at the pragmatic approach to security taken by Toyota Europe, which is using an intrusion prevention system to identify malicious network traffic before it is able to damage the corporate network. This removes the management overhead of maintaining a totally secure network. Toyota spends just one hour a week checking security logs from its intrusion prevention system.
Preventing hacking or virus attacks is not the only reason users are implementing network security. Of increasing concern for IT directors is how to ensure IT systems comply with regulatory requirements.
As Lindsay Clark notes in his article, since networks have become such a powerful tool for business to manage and distribute corporate data, their security is subject to a whole range of legislation. He examines how regulations affect network security policy, and how IT directors can keep their networks legal.
While there are products and services that claim to improve, simplify and manage all aspects of network security, security is more than just a technical problem. IT directors must look at how such products fit within the overall business.
Is the investment in security justified by the nature of the risk? Do the products or services match the culture of the business and how business partnerships are run? How is regulatory compliance within the business supported? Such questions need to be addressed when selecting the right types of products and services.