
Boldly going beyond the perimeter

17 Mar 2009, Martin Courtney, Computing

http://www.computing.co.uk/ctg/feature/1838806/boldly-perimeter

Image: razor wire. Caption: In the past, businesses tended to build security barriers around their networks to keep out unwanted intruders and devices.

Data security remains the most critical issue facing many IT leaders today. But how has technology evolved to combat the growing arsenal of weapons deployed by hackers and others doing their best to create havoc within corporate systems and seize the information they hold?

In the past, businesses tended to build security barriers around their networks to keep out unwanted intruders and devices. The idea was, in effect, to build a wall around the router connecting the private local area network to the public internet, using a combination of firewalls, intrusion detection/prevention systems and the demilitarised zone (DMZ) features built into the routers themselves, and to control external access tightly by requiring virtual private network (VPN) connections.

Though relatively straightforward to configure and control, systems organised solely around the network perimeter model were criticised for being inflexible, for ignoring the threat of insiders, and for relying too heavily on IPsec-based VPNs for remote access: a compromised VPN connection gave an attacker an unobstructed route straight into the heart of the organisation's network.

The weaknesses of the perimeter security model have forced IT departments to take a more holistic view of the way they tackle data security, says Richard Nethercott, managing director for security at IT services firm Logica.

"There is not much chance of the perimeter being evaded, but there are limitations. We now need to consider all data and business operations and come up with necessary countermeasures that can be applied with more granularity to individual systems, data, applications and personnel,” he says.

More recently, with the growing number of mobile devices needing remote access to corporate applications and databases, and the spread of web protocols such as HTTP and XML and of Secure Sockets Layer (SSL) connections inside internal networks, the idea of the perimeter-less data security environment has taken hold. This expands the perimeter to include any device connecting to the corporate network from anywhere.

A big part of the perimeter-less model relies on effective identity and access management (IAM) technology on every device, to ensure that only trusted, properly authenticated users can get at the data in question, wherever they happen to be.

Charity Barnardo’s is in the final stages of installing and testing Oracle’s IAM suite, which will eventually be used across all its IT infrastructure, encompassing about 7,000 users, 5,000 desktops, and 1,000 laptops.

The scale of the project, and the robust policy and procedures it employs, required Barnardo's to assemble a team dedicated to establishing staff identities and to provisioning and changing system access.

“This is quite labour intensive. It is not the case that everyone can see everything and go anywhere,” says Bob Darby, director of information services at Barnardo’s.

Although he does not anticipate any major changes in the charity's requirements for identity and access management, he believes a widening of its scope to include business partners and affiliates is inevitable.

“I am expecting more take-up as we engage in work with various organisations in the public and voluntary sectors, that require us to prove our security credentials,” says Darby.

Barnardo’s is also looking to move from using ID tags to biometric authentication once suitable devices become more widely available at acceptable cost. Darby believes that as well as protecting access to sensitive information, strong IAM policies also prevent the introduction of viruses or other malware to its network.

Bournemouth University opted for an alternative approach to mitigate the risk of virus infection: network access control (NAC). It installed a NAC system from Khipu Networks in 2007 to ensure that the estimated 4,500 student desktop and laptop PCs accessing its network did not introduce malicious code, while simultaneously improving the user experience.

“We had the odd virus, but the main problem was the student experience,” says Bournemouth University IT infrastructure group manager Mark Flexman. “Before, we had a situation where all the students would arrive on the first day of term and we had to manually check every single computer for viruses before providing them with network access, which meant some of them were waiting six to eight weeks.”

An online check-in system lets students log in over the internet from their houses or halls of residence. At that point the client device in use is immediately checked for problems and the username and password are validated before network access is granted.

“If the anti-virus software is out of date, the PC is placed in a quarantined area that limits access to the Microsoft or McAfee web site so that updates can be downloaded. It also means we do not have to go and visit the computer to patch the anti-virus software,” says Flexman.

The NAC will eventually be extended to cover not just an additional 2,000 staff computers, but also devices on the Wi-Fi network and IP telephony handsets. Though the system could also be used to enforce patching of applications other than the anti-virus software, Flexman does not see the point of taking advantage of that yet.
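The check-in flow Flexman describes (validate the user, inspect the client, then either admit it or park it in a quarantine area that can only reach update sites) is easy to get wrong in the details, so here is an added example of that policy decision as a small Python function. This is illustrative code written for this article, not Khipu Networks' product or Bournemouth's configuration; the seven-day signature-age threshold, the VLAN names and the remediation host names are placeholders, and the check-in records are constructed.

```python
"""Agentless NAC posture decision: admit, quarantine or deny (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Policy knobs: assumed values for illustration, not the university's settings.
MAX_SIGNATURE_AGE = timedelta(days=7)
# Placeholder hosts the quarantine VLAN may reach (update mirrors); not real hostnames.
REMEDIATION_HOSTS = ("av-updates.example.ac.uk", "os-updates.example.ac.uk")


@dataclass(frozen=True)
class Posture:
    username: str
    credentials_ok: bool               # outcome of the username/password check
    av_installed: bool
    av_signature_date: Optional[date]  # None when the scan could not read it


@dataclass(frozen=True)
class Decision:
    action: str                        # "allow", "quarantine" or "deny"
    vlan: str
    reason: str
    allowed_hosts: Tuple[str, ...] = ()


def decide(p: Posture, today: date) -> Decision:
    # 1. Authenticate first: an unknown user gets nothing, not even quarantine,
    #    because the quarantine VLAN still has some network reach.
    if not p.credentials_ok:
        return Decision("deny", "none", "bad credentials")

    # 2. Posture: anything that cannot be verified fails closed into quarantine.
    q = "vlan-quarantine"
    if not p.av_installed:
        return Decision("quarantine", q, "no anti-virus installed", REMEDIATION_HOSTS)
    if p.av_signature_date is None:
        return Decision("quarantine", q, "signature date unreadable", REMEDIATION_HOSTS)
    if p.av_signature_date > today:
        # A future-dated signature means a wrong clock or a spoofed report; do not trust it.
        return Decision("quarantine", q, "signature date in the future", REMEDIATION_HOSTS)
    age = today - p.av_signature_date
    if age > MAX_SIGNATURE_AGE:
        return Decision("quarantine", q, f"signatures {age.days} days old", REMEDIATION_HOSTS)

    # 3. Everything checked out: full access on the normal student VLAN.
    return Decision("allow", "vlan-students", "posture ok")


def demo() -> dict:
    """Run the policy over constructed check-in records (not real student data)."""
    today = date(2009, 3, 17)
    records = {
        "fresh": Posture("s1001", True, True, today - timedelta(days=2)),
        "stale": Posture("s1002", True, True, today - timedelta(days=30)),
        "no_av": Posture("s1003", True, False, None),
        "future": Posture("s1004", True, True, today + timedelta(days=5)),
        "bad_pw": Posture("s1005", False, True, today),
    }
    return {name: decide(p, today) for name, p in records.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:8} -> {d.action:10} {d.vlan:16} ({d.reason})")
```

Two details carry the security weight: credentials are checked before posture so that a device with bad credentials never lands in the quarantine area, and any posture the scanner cannot verify, including a signature date in the future, fails closed into quarantine rather than open onto the network.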

Neither Flexman nor Darby reports that installing NAC or IAM has had any discernible effect on client device or network performance, and both say most users accept the need for data security measures anyway.

“There is zero impact on performance and no privacy concerns because there is no software agent downloaded to the PC,” says Flexman. “Students know the policy before initial registration, and know they have to make sure their software is up to date if they want to use it.”

Darby says: “When operational, Oracle IAM certainly will improve our service and will make identity provision faster. The benchmarks we have conducted show no appreciable impact on network or application performance.”

Moreover, Darby believes he is in a fortunate position of working with people who appreciate the need for security, and are less likely to complain about the imposition of secure methods of working.

“The need for security is embedded within the Barnardo’s culture. Our practitioners handle sensitive data on vulnerable people every day, many of whom trust us with this data when they will not trust anybody else,” he says. “This makes my job easier, since our practitioners realise we are taking proper measures to secure the data of the young people with whom they work.”

Both Barnardo’s and Bournemouth University had specific security requirements they needed to address and performed appropriate market research to identify the right product for the job. But with so much security hardware and software available, the biggest headache for many IT chiefs is identifying the ones that best suit their needs.

Before looking at any technology, the priority is to identify the information that must be protected as a matter of course, then assess how much of it is covered by data retention rules, says Logica's Nethercott.

“It is all about trying to understand the current state of security and what they are trying to do: which parts of the business are more valuable than others, what assets need to be protected, and whether they need to be compliant with international standards or regulatory demands,” he says.

As with many organisations, Barnardo's has to comply with multiple data regulations, not all of which are consistent. Some, such as the Data Protection Act (DPA), apply across the board, while others apply only to certain sets of data.

“Various systems have additional specific requirements written into the regulation,” says Darby. Because Barnardo's works with vulnerable children, the government's ContactPoint scheme stipulates that identity checks include referrals to the Criminal Records Bureau, and that two-factor authentication is used to access its systems. Users must also be trained in the use of certain systems, and the charity must be able to provide a full audit trail.

Some IT professionals believe there is one clear technology choice when it comes to safeguarding their data: encryption of all data at source. But as Nethercott points out, this does not by itself guarantee compliance with the DPA.

“People tend to see encryption as a get-out-of-jail-free card, but the experience is quite different and it can represent a limitation for many business applications,” he says.

Encrypting every piece of important data brings with it the burden of generating, distributing, storing and revoking keys, which can slow down access to information and create management headaches, a criticism users often level at corporate security systems. Encrypted data is also only as safe as its keys: if the keys sit alongside the data, or the data has to be decrypted to be used, the encryption protects rather less than it appears to.

However, there are signs that the tension between system security and usability is easing. IT security is undergoing its own evolution, and data security measures may eventually become either invisible or so seamlessly integrated into daily working practice that users do not even notice they are there.

“The industry is going through a learning curve and everybody has to take that on board. In the future I can foresee tools and technologies that make things far easier from a security perspective, so much so that the whole process is transparent to business operations,” says Nethercott.

Whether this state of affairs makes life easier for the IT department is a moot point, though. Behind the scenes, managing identities, encryption keys, passwords, access policies and audit trails for compliance purposes is still likely to take a lot of work, as is keeping security software patched and up to date against fresh malware and newly discovered vulnerabilities.

“There is always something clever that comes out of the woodwork and gives us a challenge,” says Flexman. “I am interested in getting as many systems as possible to prevent infection, but more importantly to manage and monitor security so that we can deal with a problem more effectively with minimum impact to the business when it does arise.”

Darby says: “The threat has always been there, but the requirement on organisations is to prove that they have taken appropriate measures, and to demonstrate that those measures really work.”

Indeed, the evidence suggests that IT leaders are continuing to intensify their security efforts. A recent report from Forrester Research forecast that larger businesses will spend 12.6 per cent of their entire IT budget on security in 2009. This is up from 11.7 per cent in 2008 and 7.2 per cent in 2007.

“Security is a constant battle and always will be. You can never rest on your laurels and anybody who thinks so probably needs to be shot,” says Flexman.

The final part of our guide explores the legal responsibility companies have for staff actions and the options open to firms that are victims of e-crime

10 tips for avoiding data loss

Implement a strong employee joining and exit process: revoke email and network access quickly when an employee leaves, and give new members of staff access only to the resources they need.

Educate staff: ensure data is accessible to staff only on a need-to-know basis, or push data to the relevant people.

Avoid piecemeal remedial action: don't plug holes with a point security product; implement systematic controls between the user and the data, not just at the network or gateway.

Identify assets and information flows: map intellectual property and the way it is accessed to help identify and prioritise your security approach.

Restrict the manipulation of data: plan who needs access, print authorisation, data alteration rights and export rights to email, IM or removable devices. Apply restrictions to specific documents or content by time and location.

Watch the gatekeepers: subject system administrators and privileged users to change management, and run file integrity checks on critical servers.

Don't overlook the obvious: block data export to USB sticks, MP3 players and the like, and scan outgoing email for confidential attachments. Restrict copy and paste in IM and other social networking media.

Use encryption: where you permit data export to removable media, ensure it is encrypted.

Use two-factor authentication: always combine a password with a secondary method of authentication, such as a biometric reader.

Combine your security arsenal: integrate physical biometric access systems, CCTV and even RFID with virtual data security systems to provide more effective evidence of security breaches.

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093