With security, simplicity isn’t best
- 19 May, 2003 15:34
All IT managers strive for simplicity. Heck, who doesn’t want work to be less complex? Who doesn’t want a turnkey solution? Who doesn’t crave out-of-the-box gear?
But when you’re talking about security, simplicity should not be a determining factor. There has to be a sense of sophistication to whatever you install so that corporate data is not compromised. It can’t be so easy that any numbskull can hack away at your network.
And that’s the point I want to hammer home.
Simple would be a plan that involved merely firewalls and antivirus software. Go beyond that and you have a comprehensive strategy that envelops the core of your network. There are five contributing factors that will make creating this strategy possible.
First, the cost of security tools is dropping. You can put more elements into securing your network without breaking the bank. Second, performance is improving, so you’ll get more for your money. Third, the management tools that tie together all these elements are improving and becoming more interoperable. This gives you a clear view of where you need to shore up resources and where you have over provisioned them.
Fourth is the reality that policies regarding security are not a bad thing. This is the point that is most important. A few years ago, you couldn’t get past the drawing board in most organisations trying to create a solid security plan. There were always exceptions based on politics within companies that blew holes in an IT group’s security strategy.
Finally, one of the biggest boons to making security a reality is the advancement of Layer 2 authentication. With 802.1X, we finally have a technique for figuring out who is trying to access a network before they get to the applications.
To tackle the intricacies of developing a plan, you will need to know how to build security into the gear; integrate security management with traditional network management; embed security in remote desktops and mobile laptops; use new technologies such as intrusion prevention and detection to go beyond perimeter security; and employ encryption and certificates to restrict access.
Don’t expect what you learn to be simple, but expect it to be thorough. That’s your best defence.