Are restrictive network policies the only way forward for ensuring corporate network security? What are the other means being used today to secure office networks?
While the costs of bandwidth and the proliferation of devices offer users extended connectivity, they pose a risk for the networked enterprise today. In such a scenario, a large number of companies seek and enforce progressively stricter restrictions on network usage and internet access from the office. Is this the best way forward? What are the other means of ensuring that official information is not compromised? Also, are such restrictions adequate to secure information?
Answers (9)
In short, the answer is no. The other options relate to social engineering. Helping staff to understand the costs to the business of always pushing the envelope if IT resources. The effectiveness of this will depend on the size of the organisation. I think companies need to be realistic about the transportability of data and work with employees so that everyone benefits. restricting Web 2.0 sites can reduce the effectiveness of companies to attract the best talent.
If lock down of information is required to provide safety to the business, then products like ePolicy Orchestrator from McAfee will do the job. I should highlight that the company I work for is a McAfee reseller. We work with the Anti-Virus products, not ePO.
Links:
Steven P
General Manager at Foster Electric (U.S.A.)
Best Answers in: Organizational Development (3), Engineering (3), Manufacturing (2), Project Management (2), Computers and Software (2), Venture Capital and Private Equity (1), Personnel Policies (1), Corporate Governance (1), Change Management (1), Product Design (1), Enterprise Software (1), Telecommunications (1), Wireless (1)
Hi, Pavitra,
Instead of restrictive policies, which typically limit the productivity of diligent folk, I advocate the adoption of biometric security devices, as well as a robust employee retention policy (to minimize the security risks posed by revolving-door personnel policies).
Thanks,
Steve
Jon C
Vice-President and Owner, Cohn Consulting Corporation
Best Answers in: Using LinkedIn (7), Information Storage (2), Computer Networking (1), Databases (1), Information Security (1), Web Development (1)
Enacting and enforcing "progressively stricter restrictions" is often the result of approaching information security backwards. A laissez-faire approach forces the company to continually chase the new hot threat and block it. These companies would likely have been better served by starting from the standpoint of no access and then permitting access to specific resources on a structured, thought-out basis.
It is impossible to completely secure information without completely preventing access to that information - if someone can read it, they can reveal it. The only thing a company can realistically do is make compromise more difficult. Preventing file copies to removable media, monitoring usage (there are monitoring tools that can record webmail, files copied to removable media, and can alert on keywords) are some tools that help throw up obstacles to compromise.
This is also one reason why thin-clients are valuable in sensitive environments.
Log everything. This has psychological effect. Users can do most of the things, access most of the files on servers, of course with some restrictions, but if they are aware that all emails are archived, all activity on network is logged and easilly traceable (IP, MAC, authentification through domain) they will behave more carefully. And, with random checks of logs, you can get the picture of what is happening.
Of course, this approach requires a lot of time and energy, but it is good alternative.
If it is impossible to secure teh staff's workstations, it is always possible to have "red" and "green" computers and network infrastructire. One is connected internally and one is connected externally. This requires that no one cross-connects the internal and external networks.
Depends on how paranoid you are about any information.
Restrictive policies are never going to be enough to prevent security threats.Biggest security threat is not from intruders of network but insiders.
Educating people for responsible use of network resources goes a long way and always top it with employee care and retention program.
I don't think there will ever be a technology solution that alone will make for a fool proof security.
Michael S
Security focused Internet Executive with a Network Engineering background.
Best Answers in: Computer Networking (16), Telecommunications (4), Wireless (2), Information Security (1)
Hello Pavitra:
I think there is a pendulum effect in play where companies had very loose policies, got burned, and are now moving to the overly restrictive policies as a response. History says they will swing back towards the center, particularly when they discover that managing an "overly restrictive" network takes a huge amount of resources.
However, a well established network and usage policy is a key component to defense in depth. As with any security policy, it will not solve your security issues, but it limits yet another attack vector. It is up to a company to come up with a comprehensive security plan that defines critical resources and lays out policies and procedures to protect those resources. It's also key to consider security a process, not a single event or snapshot in time. Anyone who says to themselves "we are now secure" is setting themselves up for disaster.
Regards,
Mike
J O
Security/Network/Systems Engineer at VoIP Provider
Best Answers in: Information Security (33), Telecommunications (8), Software Development (5), Computers and Software (4), Computer Networking (4), Blogging (3), Enterprise Software (3), Wireless (3), Using LinkedIn (3), Personnel Policies (2), Career Management (2), Web Development (2), Purchasing (1), Event Marketing and Promotions (1), Auditing (1), Staffing and Recruiting (1), Employment and Labor Law (1), Events Marketing (1), Business Development (1), Corporate Governance (1), Project Management (1), Quality Management and Standards (1), Small Business (1), Starting Up (1), Databases (1), Information Storage (1)
Stricter regulations won't do much to ensure that information is not compromised.
Email policy "Thou shall not email out data without an S/MIME signature".
Policy will fail on human error: "CTO left his terminal opened, someone seems to have walked up to his desk and forwarded X information". Sure you took the steps to ensure that information could be audited. Now you have proof that the CTO's machine was the source of a data leak, but that does not necessarily mean the CTO sent it out. Password protect prior to sending... CTO has a post it note with his password on his LCD. Aggressive policy... Fails
Network Policy: "Thou shall not send X information to X address/network subnet" ... "In fact, we're going to use an uber NAC + IPS + IDS for both internal and external communications". Someone uses ICMP tunnel and evades your "security" Aggressive policy... fails
You can slap on all sorts of biometrics, appliances, etc., and most can be defeated. So you decided to go with diskless systems, biometric iris scanners, an uber NAC/IPS/IDS/Firewall/SecurID combo. Someone walks in with a hidden "button cam" and takes pictures while seated. Then what?: Metal detectors?
I believe outside of the far-fetched (someone with a buttoncam, although not highly far-fetched), a policy that dictates random auditing WILL BE DONE would likely deter more then a security policy that says "you should not...". "We are watching and we randomly check" while actually doing the checks is probably a best approach to deterring someone.
Imagine if you worked for say an insurance company. You walk into to the elevator after scanning your thumb in the lobby. When you get to your floor, you scan your iris. To turn on your machine, you scan your palm. Before starting work, you almost go to wipe your nose, but realize there are 5 cameras pointed in your direction. Your login comes on and warns you about security policy. You forgot its your mother's birthday so you shoot off an email... "Security violation" in come the network security team to tackle you...
How much security can you realistically expect to implement before working at an office will feel like you're working in the Pentagon. So the downside... Less productivity... (Takes times to get through all these checks). Employees will seem more "drone-like" which will make the office seem robotic. How long before privacy lawsuits are filed?
Policies, audits of those policies and training help a lot more then trying to become an Internal Great Wall of China.
Jonathan N
An experienced customer relation, solutions and Call Centre Professional
Really the only way to safeguard your network, is to completely lock out any traffic flowing to and from the outside world. Many insurance companies refuse internet access to their staff for this purpose.
In my managed print service experience, many had security concerns over our system. The same answer applies here. As long as you continue Windows and other software products to run automatic updaters, you are exposed. Plain and simple.
