David Ellis, director of e-security at Unipalm, discusses best practice security management and the evolution of protection technology.
Confusion, fear, procrastination: these are words often associated with making decisions about IT security and, as threats become more sophisticated, it is easy to see why. The increasing popularity of workforce mobility and remote networking has made detecting and eliminating threats purely from within the corporate network an inadequate approach to network security. Organisations are beginning to realise that in order to protect their business, they must adopt a multi-layered security solution that protects from gateway to desktop to mobile device.
While these requirements present opportunities for the channel to become trusted security advisors, the daily emergence of new threats, along with the media exposure they generate, has given companies a greater understanding of their needs and made them more demanding. Reducing the total cost of ownership (TCO) and demonstrating improved return on investment (ROI) has become a key part of security solutions as expectations have grown. There is the added pressure of tightening legislation as the government recognises data security as a serious issue. As a result, the channel has to engage with different areas of the organisation, such as HR, significantly altering the dynamics of the selling process.
Boundaries between traditionally separate, although intrinsically linked, areas of security, such as firewalls, intrusion prevention and content filtering solutions, have begun to blur. Channel players who previously specialised in just one or two of these areas now need to offer a one-stop security shop. Those who can provide a total end-to-end security solution with competitive TCO and improved ROI will benefit from the changing market.
Balancing risk and cost
Running multiple applications on a single appliance is one of the market's fastest growth areas as organisations strive to lower TCO. While some vendors dispute the effectiveness of this approach, arguing that single appliances do not provide the specialised security requirements necessary for particular areas of business, they provide a good opportunity for the channel. Appliances offer savings through reduced support contract and management costs, as well as a reduction in the number of devices being hosted in data centres. Examples of this type of technology include Nokia's IP platform, which can run multiple Check Point firewalls from one box, Symantec's SGS appliance and Crossbeam Systems' solution, which can host firewalls, VPNs, intrusion protection, anti-virus and web filtering from best of breed vendors on a single platform.
However, some companies are nervous about securing all their applications through one device and leaving the system open to a single point of failure. Managed services present a cost-effective alternative and are highly effective as long as SLAs are clearly defined and a reputable security provider is chosen. Although difficult to calculate exactly, ROI can be assessed on the business benefits gained. For example, deploying a secure remote access system will reduce the travelling costs of employees and, in turn, increase productivity. Equating this cost reduction against the increase in productivity over a set period of time will give a quantifiable ROI.
While ROI is an important consideration, companies also need to assess the ongoing operational costs. For example, how much will technical support cost? What is the price of changing the number of users in a license mid-contract? How much work will have to be done on the existing network to incorporate the new security and what happens if the organisation decides to grow or downsize? Resellers should make sure these costs are set out prior to implementation so customers' cost expectations are met.
External threats: securing remote devices
The use of PDAs, handhelds and mobile devices has revolutionised the way we do business. However, the security implications of these create a constant headache for IT departments trying to protect the corporate network from external threats. The boundaries of organisations' networks are constantly expanding and security providers must address the new vulnerabilities these add to the equation.
The number of viruses targeted at mobile devices is expected to grow rapidly. Wireless and Bluetooth connectivity create the risk of data being intercepted and lost through damage or theft. As a further complication, these threats will vary by device. A laptop will generally hold more data than a smartphone and therefore holds a higher risk to the organisation should it get attacked, lost or stolen. As a result, there will be fewer viruses aimed at Blackberrys than Microsoft OS-based laptops. Most devices will have built-in password protection. Similarly, services such as Bluetooth and WLAN should be protected by strong passwords and authentication, preferably in the form of tokens. Vendors such as Trend Micro or Symantec offer anti-virus solutions for mobile devices; data can be encrypted when stored within the memory of the device and, with the use of a VPN, transmissions can be protected.
However, while the technology to secure these devices is certainly available, most companies experience problems implementing corporate policies to manage them. Employees will purchase handhelds or laptops independently and use them on the corporate network, exposing it to a plethora of threats from outside the organisation. People are often the weak link in security and, in many instances, IT departments are unaware of the extent of mobile device usage. Clear guidelines should be established to manage mobile devices as part of an organisation's IT infrastructure so that each product is secured, registered and supported. For increased control, companies should provide mobile devices, in the same way they might a company car, setting out clear boundaries on acceptable usage to ensure a greater level of security.
While a stringent corporate policy is imperative to any company's security management, employees connecting via third-party owned machines, such as hotspots in Internet cafes, present further security threats to the network from malware or spyware, including keystroke loggers, Trojan horses, dialers and other unauthorised applications that transmit confidential data or spread viruses and worms. There are a number of ways of securing them. Having a firewall at the perimeter will ensure access is controlled to authorised users and an intrusion prevention and detection solution will block any suspicious attacks. Utilising strong authentication, such as tokens, will also protect against the use of weak passwords that are easily hacked. Combining these technologies will help guard the network from the threats that these types of locations can harbour.
When it comes to protecting company data, clear corporate policies have traditionally been reserved for larger organisations. This is reinforced by MessageLabs' recent research, which states that 40 per cent of UK companies have no formal risk management policy. The market presents an opportunity for the channel to help customers formalise their internal IT security policies. Policy management will play a key role in sales as channel partners take on the role of trusted security advisors and consultants offering complete one-stop solutions.
In many cases, a network and any existing security will have evolved over time. An effective way to open up the business is to offer vulnerability or penetration testing. Resellers can show their clients that a network is continually evolving with users, applications, data, wireless links and other applications being added and removed. Testing services help resellers and customers locate where information is stored, understand the security measures that are currently in place to guard that information and identify areas of weakness that place information at risk. Corporate IT policies should be based on this understanding.
IT policies should govern what information is confidential and what happens when a member of staff tries to send confidential data outside the company network. Resellers should be able to advise on the compliance issues associated with Sarbanes-Oxley and Basel II, as well as standards such as the British Standard (BS) 7799, relating to information security, and its international counterpart, ISO/IEC 17799. These will provide a framework to identify security needs for corporate control. Recent reports, such as the Turnbull report, which states that publicly quoted companies should have a risk management strategy to protect shareholders, provide further justification for the use of coherent IT security policies.
A new approach to security
From cost control to remote networking to policy management, the evolution of the security market holds huge potential for the channel. Working closely with vendors and distributors, resellers can become the educational force needed in a market consumed by fear of network attack and confusion as to what products are available. Increasingly complex network environments requiring multiple layers of security against malicious threats and intrusions present the opportunity for channel players to become one-stop security shops offering complete end-to-end security management and advice.