Network Security: Not Just About Defending the Perimeter

Untitled Document

In a trend that is escalating, Web 2.0 applications can transform web browsers into security battlefields that need to be defended as vigorously as each computer and mobile device accessing the network.

Hyperconnectivity -- where everything that can be connected, will be -- is continuing to drive huge increases in devices, users and applications accessing networks. Nortel estimates that, by 2010, there will be 10 devices connected to the network for every person using them, resulting in five billion connection points around the world.

Even in this world of hyperconnectivity, security is usually taken for granted or it is not a top priority for busy employees who are trying to get things done quickly. This is something I see every day doing consulting.

Hyperconnectivity further complicates the challenge for today's IT professionals who must keep security tight across all devices and applications without putting so many restrictive barriers in place that they slow down business processes and productivity.

As a consulting services professional for enterprise security to Nortel customers, I find even when security is designed to be high for corporate information, employees often disregard their company's safeguards, in practice, adding another level of risk that's hard to defend against. UK-based IT Governance Limited recently issued a report based on its survey that found 68 percent of employees admit to bypassing their employers' information security controls in order to do their jobs.

Employees aren't being malicious when they do things like send a highly confidential document to a colleague through public IM services like Yahoo, or connect their laptop to WiFi at an airport. They are probably just trying to use some valuable time to make progress on their work.

Shackling an enterprise with too many security features, for example, can slow corporate web servers to a crawl as they get bogged down with processing-intensive tasks like encryption and decryption of all data, causing network delays that can seriously disrupt the real-time quality needed for live Webcasts or VoIP conversations.

It's a constant balancing act between two ideas: what's an acceptable level of risk, and when does security get so restrictive that it's too much? While the complexity of securing the enterprise today across so many interconnected devices and applications is certainly much higher, the basic approach is simple and the principles are no different from how things worked with Web 1.0.

Security is still all about defending the perimeter. But where you once had only one perimeter to defend around the whole corporate network, like a moat around a castle controlling who could enter, you now have lots of little perimeters, lots of little defensive circles that have to be placed around each device and many of the applications.

In effect, the corporate network is like a castle that has been opened to the public and each of its rooms now requires protection from each visitor whether that involves a person or another machine. Security becomes very granular and complex. It is no longer "install a firewall and forget about it."

Nortel's Layered Defense approach is designed to ensure there are no single points of security failure in a network. This is accomplished by using multiple approaches to security enforcement at multiple areas within a network, including access points, virtual private network (VPN) routers, encryption, firewalls, plus network core protection, to isolate and eliminate any threat that happens to slip through all other layers.

Despite the publicity surrounding high-profile breaches, when you consider all the millions of electronic banking, commerce and other business transactions that are safely completed every minute of every day, around the world, security technologies are already doing a monumental job.

But the advice I always give to our clients is to never take anything for granted. What was secure yesterday may not be secure today.

Just because things are made easy (posting pictures on the Web rather than e-mailing them to friends) or cheaper (think VoIP calls versus traditional calls) doesn't mean that their level of security is high enough. Every individual and every business has to weigh the real level of security against the value of their risk when using any ICT systems. Be vigilant and never assume anything is safe until it's been checked and is continuously re-checked.