
Defence mechanisms

20 Apr 2010, Martin Courtney, Computing

http://www.computing.co.uk/ctg/feature/1824578/defence-mechanisms


Security is an ongoing challenge for any IT department, but there are many different hardware and software platforms available to help. Most companies have long had the basic elements in place – firewalls, anti-virus/anti-spam software and intrusion detection and prevention systems, for example.

But some organisations have been compelled to implement a range of other security tools designed both to stop hackers and malware getting into their systems, and sensitive information from getting out, and to manage the considerable workload that security puts on IT staff.

Tight control of access to business networks, applications, data and services is essential to prevent viruses, worms and other forms of malware from potentially wreaking havoc with IT systems, causing expensive downtime and damage to an organisation’s reputation.

But at the same time, managers have to make sure that authorised users get fast, simple access to the resources they need without being hampered by overly complex security mechanisms.

Single sign-on
“The biggest challenge really comes down to striking a balance between flexibility and responsiveness, maintaining an audit trail, knowing who is who, and managing that trust,” says Bill Rafferty, development manager at City University London, which recently started using IBM’s Tivoli systems management software platform to simplify staff and student access to web-based applications and other educational services.

Implemented with the aid of systems integrator Pirean, the single sign-on technology imports user authentication details from a central Microsoft Active Directory database and provides up to 25,000 people with secure access to existing collaborative services and portals. It also provides a framework for in-house software development that City University IT staff can use to customise the software for other forms of secure application access in the future.

“Having to manage access and security for each application separately was proving to be extremely time consuming and negating some of the savings we had made,” says Rafferty. “Pirean delivered a solution that allows us to rein in those costs and deploy new applications quickly without generating more management overheads for the IT department.”

City University also uses a technology called Shibboleth, an open source single sign-on technology standard that provides access to shared library and online resources for certain groups within its community.

Identity and access management
But the sheer number of people accessing some networks still makes it difficult for IT staff to make sure only authorised users are given permission to connect. In some cases, simple username and password-based authentication can be supplemented by other measures, including hardware-based solutions such as tokens, biometric readers and barcode readers.

Milton Keynes College, for example, has to date insisted that students accessing its online resources, including the internet and virtual learning environments, do so from the college’s own computers, in much the same way as staff do in office environments.

“We have gone from a basic export from our student management system to a deal with NetMania that provides self-service password resets that are tied to barcodes on student ID cards,” says Ashley Allen, Milton Keynes College systems database administrator. “The only way to access a PC is by having that ID card, which gets around things such as password sharing.”

The college is now moving towards a system that allows students to attach their own PCs to the network – something that brings its own set of security headaches.

“We are moving towards letting students use their own kit, by setting up a guest network that does not allow access to shared areas or home drives,” says Allen. “We’re looking at a couple of products for this, such as Barracuda Networks’ portal appliance, which allows us to lock down their PCs and provide them with pretty much everything they get.”

Encryption
Many organisations, particularly those in the public sector, have to make sure they comply with the terms of the Data Protection Act (DPA), and have used encryption on employee laptops to protect data from being compromised in the event of that device being lost or stolen.

NHS Lothian is just one of many health trusts to have applied encryption and device control technology to patient records accessed by up to 25,000 employees, for example. Last year, it installed Lumension Security’s Sanctuary Device Control and Becrypt’s Disk Connect software on 11,000 employee devices. These tools help ensure that the data on all those devices is encrypted, but also that only authorised users can write data from the network onto removable media such as USB drives, CDs and DVDs. Detailed audit trails of both device usage and data transfer mean IT staff can quickly trace the source of any data leakage.

But research from privacy and information management research firm the Ponemon Institute published last month suggests that encryption alone is not enough. Its report, The Human Factor of Laptop Encryption, found that as many as 53 per cent of British business managers have simply turned off encryption mechanisms to facilitate access to their systems, indicating that encryption has to work in conjunction with other security tools to be effective.

Network access control
Neither encryption nor identity and access management can handle the considerable threat posed by non-approved devices brought into company environments by staff, business partners or customers. Many organisations use dedicated network access control (NAC) appliances to monitor the devices being attached to their network and either permit or deny them a connection to the system.

The IT department at London South Bank University (LSBU), for example, handles requests from a user base that comprises 23,500 students and 2,500 staff. A core requirement of the campus network overhaul, begun in 2006 with the aid of systems integrator Data Integration, rests on the provision of a NAC system designed to minimise the considerable threat from malware introduced by “rogue devices”, including unauthorised laptops and smartphones.

“We had no previous NAC system in place, but we have an issue with staff and students bringing non-standard, personal, unsecure devices in and connecting them to our network,” says LSBU network team leader Philip Wright.

“Our network was infiltrated by a worm a few years back, which caused major disruption and downtime, with the whole IT team working around the clock to fix the problem.”

To solve the problem, LSBU initially installed four ForeScout CounterACT NAC appliances at its main campus, followed by a further three at its student halls of residence. It now has plans to add further devices to its library buildings and computer labs.

NAC devices work by monitoring the ports on network switches to identify different types of traffic and ensure that end user devices attaching themselves to the network adhere to pre-defined security policies.

The authentication process imports user details from Active Directory or other user databases, but NAC devices also perform other functions, such as setting up virtual private networks (VPNs) for remote users, and checking on the status of personal firewalls running on each device.

Where a laptop does not have the required anti-virus or anti-spam software, the NAC can redirect it to a safe or “quarantined” area of the network where appropriate applications or updates can be installed.
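The admission sequence described above (identify the user against a directory, check the endpoint's posture, then admit, quarantine or deny) can be shown as a small policy engine. The following is an added example written for this article, not code from ForeScout, Nortel or any of the organisations quoted; the VLAN numbers, the seven-day signature-age limit, the directory entries and the endpoint records are all constructed for the illustration.

```python
"""Constructed NAC admission decision: identity check, posture check,
then allow / quarantine / deny. Not any vendor's product logic."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical VLAN numbers and policy threshold for this example.
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999
MAX_SIGNATURE_AGE_DAYS = 7

# Constructed stand-in for the Active Directory lookup the article mentions.
DIRECTORY_USERS = {"jsmith": "staff", "a.lee": "student"}


@dataclass
class Endpoint:
    mac: str
    switch_port: str
    username: Optional[str]          # None when no directory identity is presented
    av_installed: bool
    av_signature_date: Optional[date]
    firewall_enabled: bool


@dataclass
class Decision:
    action: str                      # "allow", "quarantine" or "deny"
    vlan: Optional[int]
    reason: str


def posture_failures(ep: Endpoint, today: date) -> list:
    """Return the policy checks the endpoint fails (empty list if compliant)."""
    failures = []
    if not ep.av_installed:
        failures.append("anti-virus not installed")
    elif (ep.av_signature_date is None
          or (today - ep.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS):
        failures.append("anti-virus signatures out of date")
    if not ep.firewall_enabled:
        failures.append("personal firewall disabled")
    return failures


def admit(ep: Endpoint, today: date) -> Decision:
    """Decide what to do with a device seen on a switch port."""
    # Step 1: identity. A device with no directory identity is refused;
    # posture checks only matter for a user the organisation can hold to account.
    if ep.username is None or ep.username not in DIRECTORY_USERS:
        return Decision("deny", None,
                        f"{ep.mac} on {ep.switch_port}: no directory identity")
    # Step 2: posture. An identified but non-compliant device goes to the
    # quarantine VLAN, where updates or missing software can be installed
    # without exposing the production network.
    failures = posture_failures(ep, today)
    if failures:
        return Decision("quarantine", QUARANTINE_VLAN, "; ".join(failures))
    return Decision("allow", PRODUCTION_VLAN,
                    f"{DIRECTORY_USERS[ep.username]} device compliant")


# Constructed sample of four devices appearing on campus switch ports.
SAMPLE_DAY = date(2010, 4, 20)
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "sw1/0/1", "jsmith", True, date(2010, 4, 18), True),
    Endpoint("00:11:22:33:44:02", "sw1/0/2", "a.lee", True, date(2010, 3, 1), True),
    Endpoint("00:11:22:33:44:03", "sw1/0/3", None, True, date(2010, 4, 19), True),
    Endpoint("00:11:22:33:44:04", "sw1/0/4", "jsmith", False, None, False),
]


def run_demo() -> list:
    """Evaluate the sample endpoints and return the decisions in order."""
    return [admit(ep, SAMPLE_DAY) for ep in SAMPLE_ENDPOINTS]


if __name__ == "__main__":
    for ep, d in zip(SAMPLE_ENDPOINTS, run_demo()):
        print(f"{ep.mac} {ep.switch_port}: {d.action} (vlan={d.vlan}) - {d.reason}")
```

The order of the two checks is the design point: denying unidentified devices before looking at posture means the quarantine network only ever holds devices whose owner is known, which keeps the remediation area from becoming an anonymous foothold.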

The City University IT department is also trialling Nortel’s Secure Network Access Switch to perform similar functions to NAC, backed up by F5 secure sockets layer acceleration appliances to aid remote VPN access. But other organisations take a different approach to network security, not least due to cost, with NAC appliances often costing more than £5,000 each while only supporting a certain number of users or devices.

“We had a look at a NAC solution, but got some insanely expensive quotes from Cisco, so we decided on a different approach that sees us shut off a range of IP addresses from the rest of the network and present shared areas via a log-in page,” says Milton Keynes College’s Allen.

Web and message filtering
Another way to minimise the risk of malware getting into IT systems is web filtering software that denies access to specific sites, which also prevents users from viewing and downloading unsuitable or potentially harmful content.

Milton Keynes College is using Bloxx’s web filtering appliance to control the web access of its 16,000 users, helping to minimise network security risks and IT management time. The college previously used Novell’s BorderManager, then replaced it with Surf Control, but found neither provided sufficient traffic logging capabilities, which can help IT staff identify when students try to circumvent controls by using anonymous proxies.

“We have firewalls for everything else, and Bloxx handles everything that comes in through port 80, filtering instant messaging, BitTorrent and so on,” says Allen.

“Anonymous proxies are a big deal for us because the connection we get to the Joint Academic Network depends on an agreement to log all traffic in and out of the site, so for disciplinary reasons we can prove which users are going to which sites – if they hit anonymous proxies, all bets are off.”

Message filtering software performs a similar function by scanning email for unsuitable content, including executable files that may contain malware, and either blocks or quarantines them. Nor is it just about incoming messages – it can also stop sensitive commercial or financial details from leaking out.

Last year, the Royal Albert Hall (RAH) installed Mimecast’s unified email management platform, which handles almost 4,000 emails a day from customers and partners. The RAH also processes large numbers of credit card transactions, and as such falls under Payment Card Industry rules that demand that customers’ financial details be adequately protected.

“Having the ability to automatically scan for keywords and complex strings is vital,” says Crispin Gray, RAH head of information systems. “And if anyone inadvertently sends credit card numbers out of the system via email, that message is picked up and deleted.”
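The outbound check Gray describes, scanning for keywords and for card-number patterns before a message leaves, is shown below as an added example written for this article; it is not Mimecast's or the Royal Albert Hall's code. The keyword list, the messages and the "flag" action for keyword-only hits are constructed assumptions. The block goes one step beyond a plain pattern match: candidate digit runs are confirmed with the Luhn checksum, so that order references and phone numbers of similar length are not quarantined by mistake.

```python
"""Constructed outbound e-mail check for leaked payment card numbers.
Not any vendor's product logic."""
import re

# Hypothetical keyword list a mail administrator might configure.
KEYWORDS = ("card number", "cvv", "expiry")

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_keywords(text: str) -> list:
    lower = text.lower()
    return [k for k in KEYWORDS if k in lower]


def mask(digits: str) -> str:
    """Keep only the last four digits so the log itself does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(message: str) -> dict:
    """Decide what the gateway does with an outbound message."""
    cards = find_card_numbers(message)
    keywords = find_keywords(message)
    if cards:
        action = "quarantine"   # a verified card number never leaves the system
    elif keywords:
        action = "flag"         # keyword only: hold for review (assumed policy)
    else:
        action = "deliver"
    return {"action": action, "cards": [mask(c) for c in cards], "keywords": keywords}


# Constructed sample messages. 4111 1111 1111 1111 is a well-known Visa test
# number; the order reference is 16 digits but fails the Luhn check.
SAMPLE_MESSAGES = [
    "Hi, please use card number 4111 1111 1111 1111, expiry 12/12 for the booking.",
    "Your order reference 1234-5678-9012-3456 has shipped, call +44 20 7589 8212.",
    "Can you confirm the CVV on file before we process the refund?",
]


def run_demo() -> list:
    return [classify(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, result in zip(SAMPLE_MESSAGES, run_demo()):
        print(f"{result['action']:10} cards={result['cards']} keywords={result['keywords']}")
```

Masking the matched number before it is written anywhere matters as much as the detection: an audit trail that records full card numbers would itself be in scope for the Payment Card Industry rules the article mentions.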

