Data security remains the most critical issue facing many IT leaders, but how has the technology evolved to counter the growing arsenal of tools used by attackers intent on causing havoc within corporate systems and seizing the information they hold?
In the past, businesses tended to build security barriers around their networks to keep out unwanted intruders and devices. The idea was to construct a security wall around the router connecting the private local area network to the public internet, using a combination of firewalls, intrusion detection/prevention systems and the demilitarised zone (DMZ) features built into the routers themselves, and to exert tight control over external access by requiring virtual private network (VPN) connections.
Though relatively straightforward to configure and control, systems organised solely around the network perimeter security model were criticised for being inflexible, for not dealing with the threat of internal intruders, and for relying too heavily on IPsec-based VPNs for remote access. A VPN, once compromised, handed an attacker an unobstructed route right into the heart of the organisation's network, because everything behind the perimeter trusted everything else.
The weaknesses of the perimeter security model have forced IT departments to take a more holistic view of the way they tackle data security, says Richard Nethercott, managing director for security at IT services firm Logica.
"There is not much chance of the perimeter being evaded, but there are limitations. We now need to consider all data and business operations and come up with necessary countermeasures that can be applied with more granularity to individual systems, data, applications and personnel,” he says.
More recently, with the growing number of mobile devices requiring remote access to corporate applications and databases, and the increasing use of web technologies such as HTTP and XML, and of Secure Sockets Layer (SSL) connections, within internal networks, the idea of the perimeter-less security environment has taken hold. Rather than a single boundary at the internet router, the perimeter now extends to every device connecting to the corporate network, from wherever it connects.
A big part of the perimeter-less security model relies on effective identity and access management (IAM) applied to every device, so that only trusted users who have been properly authenticated can get hold of the data in question, wherever they happen to be.
Charity Barnardo’s is in the final stages of installing and testing Oracle’s IAM suite, which will eventually be used across all its IT infrastructure, encompassing about 7,000 users, 5,000 desktops, and 1,000 laptops.
The scale of the project, and the robust policies and procedures it employs, required Barnardo's to assemble a team dedicated to establishing staff identities and to provisioning system access and handling subsequent access changes.
“This is quite labour intensive. It is not the case that everyone can see everything and go anywhere,” says Bob Darby, director of information services at Barnardo’s.
Although he does not anticipate any major changes in the charity’s requirement for ID and access management in the future, a widening of its scope to include business partners and affiliates is inevitable.
“I am expecting more take-up as we engage in work with various organisations in the public and voluntary sectors, that require us to prove our security credentials,” says Darby.
Barnardo’s is also looking to move from using ID tags to biometric authentication once suitable devices become more widely available at acceptable cost. Darby believes that as well as protecting access to sensitive information, strong IAM policies also prevent the introduction of viruses or other malware to its network.
Bournemouth University took a different approach to mitigating the risk of virus infection: network access control (NAC). In 2007 it installed a NAC system from Khipu Networks to ensure that the estimated 4,500 student desktop and laptop PCs accessing its network could not introduce malicious code, while at the same time improving the user experience.
“We had the odd virus, but the main problem was the student experience,” says Bournemouth University IT infrastructure group manager Mark Flexman. “Before, we had a situation where all the students would arrive on the first day of term and we had to manually check every single computer for viruses before providing them with network access, which meant some of them were waiting six to eight weeks.”
An online check-in system lets students log in over the internet from their houses or halls of residence; at that point the client device they are using is immediately checked for problems and their username and password are validated.
“If the anti-virus software is out of date, the PC is placed in a quarantined area that limits access to the Microsoft or McAfee web site so that updates can be downloaded. It also means we do not have to go and visit the computer to patch the anti-virus software,” says Flexman.
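The check-in flow described above comes down to two decisions made in order: are the credentials valid, and is the device's anti-virus current enough to be let onto the production network rather than a quarantine segment that can reach only update servers? The following is an added example of that admission logic, written for this page and not code from the article, Khipu Networks or Bournemouth University. The 7-day freshness limit, the VLAN names, the update hostnames and the user accounts are all assumptions constructed for illustration; the credential check uses salted PBKDF2 with a constant-time compare, and every decision is appended to an audit trail.

```python
# Added example (not code from the article or the products it names): a minimal NAC
# admission decision. Policy values, hostnames and accounts below are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
from typing import Optional

# Assumed policy: anti-virus definitions older than this count as "out of date".
MAX_DEFINITION_AGE = timedelta(days=7)

# Hypothetical update hosts a quarantined client may still reach (stand-ins for the
# vendor update sites the article mentions).
QUARANTINE_ALLOWLIST = ("av-updates.example.net", "os-updates.example.net")

PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: a per-account salt and PBKDF2 hash, never the plaintext.
_SALTS = {"alice": b"constructed-salt-alice", "bob": b"constructed-salt-bob"}
_USERS = {
    "alice": _hash_password("correct horse battery", _SALTS["alice"]),
    "bob": _hash_password("hunter2", _SALTS["bob"]),
}


@dataclass(frozen=True)
class Posture:
    """What the check-in page learns about the client before any access is granted."""
    hostname: str
    av_vendor: Optional[str]             # None when no anti-virus product was detected
    av_definitions_date: Optional[date]  # date of the signature set the client reports


@dataclass(frozen=True)
class Decision:
    vlan: str                    # "denied", "quarantine" or "production"
    allowed_destinations: tuple  # () for denied, the allowlist for quarantine, ("*",) for production
    reason: str


# Append-only record of every decision: the audit trail regulators ask for.
AUDIT_LOG: list = []


def authenticate(username: str, password: str) -> bool:
    """Constant-time credential check against the constructed store."""
    salt = _SALTS.get(username)
    if salt is None:
        # Hash anyway so an unknown user takes as long to reject as a wrong password.
        _hash_password(password, b"constructed-dummy-salt")
        return False
    return hmac.compare_digest(_hash_password(password, salt), _USERS[username])


def definitions_current(posture: Posture, today: date) -> bool:
    """True only when an AV product is present and its signatures are within MAX_DEFINITION_AGE."""
    if posture.av_vendor is None or posture.av_definitions_date is None:
        return False
    if posture.av_definitions_date > today:
        return False  # future-dated signatures mean a spoofed or mis-set clock; treat as stale
    return today - posture.av_definitions_date <= MAX_DEFINITION_AGE


def admit(username: str, password: str, posture: Posture, today: date) -> Decision:
    """Credentials first, then posture: an unauthenticated device gets no VLAN at all."""
    if not authenticate(username, password):
        decision = Decision("denied", (), "bad credentials")
    elif not definitions_current(posture, today):
        decision = Decision("quarantine", QUARANTINE_ALLOWLIST,
                            "anti-virus missing or definitions older than %d days"
                            % MAX_DEFINITION_AGE.days)
    else:
        decision = Decision("production", ("*",), "credentials valid, posture compliant")
    AUDIT_LOG.append((today.isoformat(), username, posture.hostname,
                      decision.vlan, decision.reason))
    return decision


def run_demo() -> tuple:
    """Four constructed check-ins; returns the VLAN assigned to each."""
    today = date(2012, 3, 1)
    fresh = Posture("laptop-01", "McAfee", date(2012, 2, 27))   # 3 days old
    stale = Posture("laptop-02", "McAfee", date(2011, 12, 1))   # months old
    no_av = Posture("laptop-03", None, None)
    return (
        admit("alice", "correct horse battery", fresh, today).vlan,
        admit("alice", "correct horse battery", stale, today).vlan,
        admit("mallory", "guess", fresh, today).vlan,
        admit("bob", "hunter2", no_av, today).vlan,
    )


if __name__ == "__main__":
    print(run_demo())          # ('production', 'quarantine', 'denied', 'quarantine')
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the two checks is deliberate: a device that cannot authenticate is never placed in quarantine, because the quarantine segment, however restricted, is still a network position an attacker would rather have than none. Note too that a future-dated signature set is treated as stale rather than fresh, so a client cannot talk its way out of quarantine by reporting an impossible date.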
The NAC will eventually be extended to cover an additional 2,000 staff computers, as well as devices on the Wi-Fi network and IP telephony handsets. Though the system could also enforce patching of non-security applications, Flexman does not yet see the point in using that capability.
Neither Flexman nor Darby reports that installing NAC or IAM has had any discernible effect on client device or network performance, and both say most users accept the need for data security measures anyway.
“There is zero impact on performance and no privacy concerns because there is no software agent downloaded to the PC,” says Flexman. “Students know the policy before initial registration, and know they have to make sure their software is up to date if they want to use it.”
Darby says: “When operational, Oracle IAM certainly will improve our service and will make identity provision faster. The benchmarks we have conducted show no appreciable impact on network or application performance.”
Moreover, Darby believes he is in a fortunate position of working with people who appreciate the need for security, and are less likely to complain about the imposition of secure methods of working.
“The need for security is embedded within the Barnardo’s culture. Our practitioners handle sensitive data on vulnerable people every day, many of whom trust us with this data when they will not trust anybody else,” he says. “This makes my job easier, since our practitioners realise we are taking proper measures to secure the data of the young people with whom they work.”
Both Barnardo’s and Bournemouth University had specific security requirements to address and did the market research needed to identify the right product for the job. But with so much security hardware and software on offer, the biggest headache for many IT chiefs is identifying the products that best suit their needs.
Before looking at any technology, the priority is to narrow down the information that needs protecting as a matter of course, then assess how much of that is covered by data retention rules, says Logica’s Nethercott.
“It is all about trying to understand the current state of security and what they are trying to do – which parts of the business are more valuable than others, what assets need to be protected, and whether they need to be compliant with international standards or regulatory demands,” he says.
Like many organisations, Barnardo’s has to comply with multiple data regulations, not all of which are consistent. Some, such as the Data Protection Act (DPA), apply across the board; others apply only to certain sets of data.
“Various systems have additional specific requirements written into the regulation,” says Darby. Because Barnardo’s works with vulnerable children, the government’s ContactPoint scheme stipulates that identity checks include referrals to the Criminal Records Bureau (CRB), and that two-factor authentication is used when accessing its systems. Users must also be trained in the use of certain systems, and the charity must be able to provide a full audit trail.