Commentary

Digg This!

Security threats have dramatically increased for Internet Protocol (IP) networks, applications, and the enterprises that rely on them. These threats come in many forms, from external and internal hackers, to viruses worms; and they threaten enterprises from beyond the perimeter, inside the firewall, and down to individual database files or communications.

With this increase in security threats, a host of solutions has emerged. Each group in an enterprise IT department is increasingly tasked and given budget to solve their security threats with one or more of these solutions. This patchwork of security solutions is where the real challenge for the enterprise begins.

Typically, an enterprise IT department is divided into different departments or areas of responsibility - networking, applications, desktop management, etc. Each group usually maintains its own priorities, agendas, and budgets. Security initiatives are relegated according to the goals of each group (or what they do not want to be responsible for). These three different agendas are the beginning of the breakdown for providing unified security.

For example, the network group will usually focus on protecting network access and access to IP services, using solutions such as firewalls, strong authentication, and remote access via IPSec or SSL VPNs. The application team will focus on protecting their application servers and access to those servers via file encryption, two-factor authentication, and an application extranet with SSL encryption for remote application users. Finally, the desktop team uses some type of application control to prevent hosts from using prohibited applications. To protect the endpoints, the desktop team uses desktop firewalls, IDS, and virus scanning.

In a perfect world - one without time constraints and coinciding schedules and priorities - vendors would have unified solutions for each threat. Without any political boundaries between these functional areas in the enterprise, these groups would implement a unified solution that covers each of their requirements - with a total lower cost of implementation.

Unfortunately, in the real world that's not how enterprise IT departments operate. Rather, most enterprises have overlapping solutions that result in a higher total cost of ownership without solving key threats. As a result, security is not unified in its deployment, leaving a high risk of vulnerability gaps as well as inefficiencies across the enterprise.

A common threat example is a network team that creates a remote access environment with a VPN and strong RADIUS authentication, but they don't have responsibility for the desktop. And the desktop team hasn't deployed a comprehensive desktop security solution. Therefore, users accessing the network remotely can be compromised by hackers and viruses and can compromise the network even though they are encrypted and authenticated.

At the same time, inefficiency emerges as the network team implements RADIUS for user authentication while the application team is using USB tokens for two-factor authentication and file encryption. Not only do network users have to deal with both RADIUS username and password and their token and its related username and pin code, but the enterprise is now paying for two different user authentication solutions.

What can enterprises do to address these challenges? While there is no shortcut, using the following guidelines should ensure that the enterprise goals are addressed along with those of the individual IT teams.

• Take a step back and review each of the security concerns that face the IT teams.
• Match those concerns with corresponding group initiatives to reduce risks.
• Review the various solutions that exist or are being evaluated, identify any overlap between them, and try to consolidate around that overlap.
• Identify the solutions that best meet the variety of needs and reduce the total cost of ownership.

For example, in the earlier scenario, if the network, security, and desktop groups had reviewed their respective requirements they could have prevented new risks, provided a more unified security model, and reduced costs. The network and application teams could have consolidated their authentication model around the two-factor USB solution, and reduced the management and cost of two authentication solutions. Also, those two teams could have also consolidated extranet access and general network remote access initiatives around SSL and IPSec VPNs. Then the two teams could work with the desktop team to protect the desktop and control application access with an endpoint security solution. This process may create some "political" issues but it would also reduce the number of solutions deployed and the cost of duplicated solutions, and increase the total budget available to address security issues and provide a unified security approach.