
Content provided in partnership with
Thomson / Gale

Deconstruct the network security dilemma

Communications News, Oct, 2001, by Selwyn Joffe

Adopt a strategy for B2B or B2C e-commerce.

The growth of extranet usage within organizations, whether embodied as business-to-business or business-to-consumer activity, coupled with the rash of high-profile "hack attacks," has shifted most IT managers from viewing Internet security as a low-profile add-on to viewing it as an essential component. The technology of security has also matured, and adoption by business is accelerating.

Making a connection to the Internet or conducting e-commerce opens up the network to security threats--from the open connection, as well as from any confidential unprotected data transferred between authorized parties. Without a control mechanism to govern the information flow in and out of the network, valuable data may be accessible to unauthorized users.

The Internet security landscape has quickly grown past its simple antivirus software roots, now consisting of such functions as encryption, firewalls, virtual private networks (VPNs), intrusion detection, authentication/authorization/administration software, Internet access control and digital certification. Outsourced security services are also beginning to emerge as a viable market. According to one source, the Internet security market is expected to experience compound annual growth of 28% for the next few years, reaching $8.5 billion by 2003.

Companies are increasingly focusing on security--due to such factors as the growth of e-commerce, expanding requirements for remote network access, the increasing number and severity of security breaches, an emerging trend toward security outsourcing, and escalating numbers of Internet-enabled small and midsize businesses.

According to a report from International Data Corp. (IDC) of Framingham, MA, the frequency and sophistication of security attacks are accelerating rapidly. The American Society for Industrial Security estimates that American companies lost more than $45 billion in intellectual property in 1999.

SECURITY ATTACKS ON THE RISE

With e-commerce careening toward record levels--estimated by IDC to reach $3 trillion in three years--more sensitive data is vulnerable to electronic spying than ever before. Thefts of confidential customer data are reported with alarming frequency, and companies and analysts increasingly agree that a primary source of computer-related theft is insiders, who account for upwards of 80% of illegal snooping and service disruption. The average loss due to electronic intrusion is an estimated $500,000.

Companies should adopt a strategy for securing their network within the next few years, since virtually every business will inevitably be involved at some level in business-to-business or business-to-consumer e-commerce. For most, this will include integrating confidential enterprise resource management and customer information with supply-chain partners.

Further, companies will need to develop comprehensive deployment plans. Today, most security implementations resemble a hodgepodge of add-ons more than the result of any coherent strategy. With its array of secure routers, intrusion detection systems, firewalls and VPN boxes, each sporting its own management scheme, the edge of today's enterprise network is sometimes analogous to rush-hour gridlock.

At the same time, these assorted devices must somehow be consolidated and managed in a consistent way, according to a well-defined security policy. The policy, a key element of the overall strategy, should be what defines issues such as where encryption is required, rather than the vendors of routers and VPNs.

Performance is also an important factor to consider. Since encryption requires significant processing resources, the most efficient strategy puts responsibility for encryption with servers and individual PCs, rather than on routers and VPNs, which could easily become bottlenecks for aggregated data streams.

Policy management is a critical component of any security implementation. A company's security policy must be an integral component of the IT function, including deciding what to secure and how to go about doing it. While sensitive data transported over the Internet must be carried using encryption and authentication, a large portion of communications is better left untouched, such as dissemination of product information, news or legally required financial information.

SECURITY AS AN ENABLER

Security is no longer considered simply a network add-on, but rather a fundamental enabler of using inexpensive bandwidth. To take advantage of the bandwidth boon, companies will need solutions that utilize such technologies as public key infrastructure (PKI) and authentication--capabilities that allow a company's employees to establish data transactions with known outside entities.

Once the link is established, the data communications also need to be secure. Some vendors have offered solutions that integrate security at the application level. An alternate approach implements the security function at the OSI model's Layer 3, which provides end-to-end security.