Security, the Way It Should Be
Today, security is often provided by patched-together, reactionary defenses, which many see as an inhibitor to business. In order to take their rightful place as a business enabler, security systems must provide distributed, real-time, flexible defenses against attacks.
Computerworld - What if IT managers discovered a magic way to shield e-commerce from all things illegal, such as online credit-card heists, denial-of-service attacks, Web page destruction, viruses and data thefts?
Achieving all that doesn't take a magic wand. What it does take is changing how your organization thinks about security so that the lines between security and business processes no longer exist.
It also takes an evolutionary restructuring of the security infrastructure. The goal: proactive, scalable and flexible security that can easily accommodate new applications, mergers and network changes.
Where to get help in improving security
- www.sans.org/topten.htm - The top 10 vulnerabilities and exposures to networked systems, from the SANS Institute
- www.cert.org/infosec-outlook - A monthly publication by the Carnegie Mellon Computer Emergency Response Team that covers various levels of information security protections
- www.infosecuritymag.com - An in-depth look at enterprise system management security profiles, published last month
- bsp.cio.gov - Chief Information Officers' Council security best practices documents; primarily for government agencies, but some of the principles can be applied to the private sector
"The vast majority of network plumbing gear in use today is misconfigured. We see it all the time with our clients. They bring a wire from the Internet to a switch that carries traffic to both the internal LAN and the Web server," says Stefan Jon Silverman, master technologist at Scient Corp. in San Francisco, which builds e-commerce applications for clients.
"But if you get it right - access control lists and rigid enforcement of traffic routing - nobody from the Web server can see into the internal machines," he says.
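The misconfiguration Silverman describes (one switch carrying Internet, Web server and LAN traffic with no access control) and its fix (ordered access control lists with a default deny) can be modelled with a small first-match ACL evaluator. This is an added example, not code from the article or from Scient; the address ranges, ports and rule sets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (hypothetical, not from the article).
ANY = ip_network("0.0.0.0/0")             # the Internet, and anything else
DMZ = ip_network("203.0.113.0/24")        # segment the Web server lives in
INTERNAL = ip_network("10.0.0.0/8")       # the internal LAN
WEB_SERVER = ip_address("203.0.113.10")

# An ACL is an ordered list of (action, src_net, dst_net, dst_port).
# dst_port None matches every port. First matching rule wins; if no rule
# matches, the flow is denied (the implicit deny at the end of the list).

# The "flat switch" Silverman criticises: one rule, everything may talk to everything.
FLAT_SWITCH_ACL = [("permit", ANY, ANY, None)]

# Rigid enforcement of traffic routing: only the flows the business needs.
SEGMENTED_ACL = [
    ("permit", ANY, DMZ, 443),            # customers reach the Web server over HTTPS
    ("permit", ANY, DMZ, 80),             # and plain HTTP
    ("permit", INTERNAL, DMZ, 22),        # admins manage the Web server from the LAN
    ("deny", DMZ, INTERNAL, None),        # the Web server never initiates into the LAN
    ("permit", INTERNAL, ANY, None),      # LAN users may browse out
]


def allowed(acl, src, dst, dst_port):
    """Evaluate one flow against an ordered ACL; default deny."""
    for action, src_net, dst_net, port in acl:
        if src in src_net and dst in dst_net and (port is None or port == dst_port):
            return action == "permit"
    return False


def web_server_can_reach_internal(acl, internal_hosts, ports=(22, 445, 1433)):
    """List the (host, port) pairs a compromised Web server could still reach.

    An empty list means the ACL delivers Silverman's goal: nobody from the
    Web server can see into the internal machines.
    """
    return [(str(h), p) for h in internal_hosts for p in ports
            if allowed(acl, WEB_SERVER, h, p)]


if __name__ == "__main__":
    lan = [ip_address("10.0.0.5"), ip_address("10.20.0.9")]
    print("flat switch exposes:", web_server_can_reach_internal(FLAT_SWITCH_ACL, lan))
    print("segmented exposes:  ", web_server_can_reach_internal(SEGMENTED_ACL, lan))
```

Running the check against both rule sets shows the flat configuration exposing every internal host and port while the segmented one exposes none, even though customer HTTPS to the Web server still works.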
What do information security professionals want in this replumbed, business-enabling security model?
- Code-level review of both homegrown and vendor-developed applications to ensure that they're free of common vulnerabilities.
- Distributed firewalls that provide specialized security wherever it's needed, not just at the front end.
- More granular authorization levels to support the varying access needs of business partners, corporate users and customers.
- Intrusion detection that depends less on looking for attack signatures after the fact and more on real-time monitoring of business rules violations.
- Encapsulated operating system kernels so that no applications run at the all-powerful position of root (Unix) or administrator (Windows NT).
- Centralized management consoles that blend security and networking tasks such as load balancing.
Already, some vendor tools and network security professionals are implementing such changes.
Security From the Beginning
To minimize confusion, Ian Poynter starts with what he terms "security from the beginning." Poynter,