Network Security: Not Just About Defending the Perimeter
By Ionut Ionescu, Director of Security Services for Nortel in Europe, Middle East and Africa (EMEA), Nortel
In a trend that is escalating, Web 2.0 applications can transform web browsers
into security battlefields that need to be defended as vigorously as each computer
and mobile device accessing the network.
Hyperconnectivity -- where everything that can be connected, will be -- is
continuing to drive huge increases in devices, users and applications accessing
networks. Nortel estimates that, by 2010, there will be 10 devices connected
to the network for every person using them, resulting in five billion connection
points around the world.
Even in this world of hyperconnectivity, security is usually taken for granted
or it is not a top priority for busy employees who are trying to get things
done quickly. This is something I see every day doing consulting.
Hyperconnectivity further complicates the challenge for today's IT professionals
who must keep security tight across all devices and applications without putting
so many restrictive barriers in place that they slow down business processes
As a consulting services professional for enterprise security to Nortel customers,
I find even when security is designed to be high for corporate information,
employees often disregard their company's safeguards, in practice, adding another
level of risk that's hard to defend against. UK-based IT Governance Limited
recently issued a report based on its survey that found 68 percent of employees
admit to bypassing their employers' information security controls in order to
do their jobs.
Employees aren't being malicious when they do things like send a highly confidential
document to a colleague through public IM services like Yahoo, or connect their
laptop to WiFi at an airport. They are probably just trying to use some valuable
time to make progress on their work.
Shackling an enterprise with too many security features, for example, can slow
corporate web servers to a crawl as they get bogged down with processing-intensive
tasks like encryption and decryption of all data, causing network delays that
can seriously disrupt the real-time quality needed for live Webcasts or VoIP
It's a constant balancing act between two ideas: what's an acceptable level
of risk, and when does security get so restrictive that it's too much? While
the complexity of securing the enterprise today across so many interconnected
devices and applications is certainly much higher, the basic approach is simple
and the principles are no different from how things worked with Web 1.0.
Security is still all about defending the perimeter. But where you once had
only one perimeter to defend around the whole corporate network, like a moat
around a castle controlling who could enter, you now have lots of little perimeters,
lots of little defensive circles that have to be placed around each device and
many of the applications.
In effect, the corporate network is like a castle that has been opened to the
public and each of its rooms now requires protection from each visitor whether
that involves a person or another machine. Security becomes very granular and
complex. It is no longer "install a firewall and forget about it."
Nortel's Layered Defense approach is designed to ensure there are no single
points of security failure in a network. This is accomplished by using multiple
approaches to security enforcement at multiple areas within a network, including
access points, virtual private network (VPN) routers, encryption, firewalls,
plus network core protection, to isolate and eliminate any threat that happens
to slip through all other layers.
Despite the publicity surrounding high-profile breaches, when you consider
all the millions of electronic banking, commerce and other business transactions
that are safely completed every minute of every day, around the world, security
technologies are already doing a monumental job.
But the advice I always give to our clients is to never take anything for granted.
What was secure yesterday may not be secure today.
Just because things are made easy (posting pictures on the Web rather than
e-mailing them to friends) or cheaper (think VoIP calls versus traditional calls)
doesn't mean that their level of security is high enough. Every individual and
every business has to weigh the real level of security against the value of
their risk when using any ICT systems. Be vigilant and never assume anything
is safe until it's been checked and is continuously re-checked.