This is some advice that I can offer people who are implementing security. Create a roadmap, don't just react; and balance between customer education and policies to actually guide how you implement the IT tools.
To be much more secure two years from now than I am today. How realistic is that for organisations running global operations in an increasingly dangerous world such as ours?
I think it's very realistic. I think we've been doing it for many years. I think first, as a vendor, we are trying to develop technology that will be sort of bulletproof. As I said, we're not trying to develop a system based on our experience with attacks that have already occurred. We like our basic firewall, our basic stateful-inspection capabilities... all that; it's generic technology that can enable every protocol. I say enable because you can also disable.
But the whole idea here is when you actually deal with, say, communication security, you're saying, "What things I want to enable," rather than, "What things I want to block." That's already a proactive approach.
Next thing is mainly this: if we look at the infrastructure, we can easily spot the areas that are strong and the ones that are weak. So, from a company perspective, it's not about waiting for the attack to happen; it's looking at the infrastructure and saying, "Do we have good user identification capabilities? Do we have a good, segregated and secured network for every part of the world? Is our network organised in a way that's actually secure?"
We separate. We don't make it too complicated. But we create, let's say, three domains of security; we put some servers in one domain, some servers in another domain; and then we control the flow. This way we sort of contain possible attacks and we block things.
Creating this kind of architecture, simple on the one hand but powerful on the other hand, can be used to prevent attacks. These are the kinds of proactive things that every company can do.
As I said earlier, so many enterprises go by the old way of doing things: when your server gets attacked, you start working on how you can better secure it. Instead, you should take your architecture and designate it into three or four levels, decide where everything belongs, and go and put the right tools in to protect the resources at each level. That's how we create a proactive environment.
That could start out being much more fragile, but it's usually much more cost-effective because you're not doing things under pressure. Instead, you can engineer it, organise it and build it the right way.
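The "decide what to enable, split into a few domains, control the flow" approach described in this answer, written out as a small policy model. This is an added illustration, not code from the interview or from any vendor product; the zone names, rules and ports are constructed.

```python
from dataclasses import dataclass

# Constructed zone names for the three security domains discussed above.
ZONES = ("external", "dmz", "internal")

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int

# The enable-list: a flow between domains passes only if it appears here.
# Everything not listed is dropped, which is the "say what to enable" stance.
ALLOW_RULES = (
    Rule("external", "dmz", "tcp", 443),       # public web front end
    Rule("dmz", "internal", "tcp", 5432),      # web tier to its database only
    Rule("internal", "external", "tcp", 443),  # staff browsing, outbound only
)

def is_allowed(src, dst, proto, port, rules=ALLOW_RULES):
    """Default deny across domains; traffic inside one domain is not mediated."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in flow {src!r} -> {dst!r}")
    if src == dst:
        return True
    return Rule(src, dst, proto, port) in rules

def direct_hops(zone, rules=ALLOW_RULES):
    """Domains a host in `zone` may open connections into in a single hop."""
    return sorted({r.dst for r in rules if r.src == zone})

def blast_radius(zone, rules=ALLOW_RULES):
    """Domains reachable by chaining allowed flows from a compromised `zone`.
    Each hop is still gated by a rule, but the chain shows where a single
    break-in could spread if every intermediate host were taken over."""
    seen, frontier = set(), [zone]
    while frontier:
        current = frontier.pop()
        for nxt in direct_hops(current, rules):
            if nxt not in seen and nxt != zone:
                seen.add(nxt)
                frontier.append(nxt)
    return sorted(seen)

if __name__ == "__main__":
    for z in ZONES:
        print(f"{z:>8}: direct={direct_hops(z)} chained={blast_radius(z)}")
```

Running it shows that even with default deny, the three permitted flows form a chain, which is the reason the next answer insists every part of the network still needs the same protection.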
Is it possible to secure everything instead of just going the holistic way of prioritising areas for securing?
I think you need to secure everything. And the reason is very simple: because almost every access point to the network can lead to a break-in to the entire network.
You can say, "My computer has a lot of sensitive data on it. We have to protect this computer in a much stronger way than that of some entry-level employee who works in a generic unclassified job."
But guess what, if the computer of that employee in a generic unclassified job gets a worm or Trojan horse that can penetrate the network, it will do just as much damage as if it came through your computer.
So yes, there are levels, and there are some subtle differences between servers and people and services, and you can look at them and segregate them into different grades of security. But at the end of the day you need to secure the entire infrastructure.
By the way, that's even more critical in the IT world or the network world than in the physical world. In the physical world you'll look and identify spots that need higher security levels and those that need lower levels of security, and so on. In the digital world, you don't see everything, and a penetration to one part of the world can immediately lead to other parts.
On the one hand you have the principle of segregation: if there is something happening, it will be contained in one part of the network and not flow to the others. It's a good principle. But on the other hand, once you look at your infrastructure as a whole, you quickly realise that you need the same technologies to protect all parts of your network.
Are your customers capable of protecting all parts of their networks then?
First of all, most customers do already have what's needed. If I look at the most basic thing: what we do is firewalls. They protect the entire network; they don't protect just part of it.
How well they're set up, how segregated they are, what levels of different security policies they have for different parts of their whole networks; those really depend on the connectivity needs of our customers more than anything else.
For example, some banks in the world don't allow Internet access for every employee. If that's realistic for the type of work they do, that's a good approach. It reduces the risk of getting Trojan horses or viruses and things like that. On the other hand, in my organisation, data access is always a delicate issue to handle. I may not really want any external access given to people who are developing software. But I don't think I can tell them that, because given what they do, how can they not have connectivity access to the entire Web and to all the infrastructure in the world? So really, the main thing that counts is not so much what's more or less sensitive but what's the practical way of working for the people at the organisation.
And that's the number one issue.