Running an enterprise without a formalised security policy seems as imprudent as installing office-building doors without locks. However, according to some security industry experts, it’s a common phenomenon.
Randy Kun, vice-president of marketing and product line management at Chrysalis-ITS in Ottawa, Canada said many companies don’t implement a security policy because they don’t believe that it has much to do with the real world. This misconception, Kun said, can be costly.
"A statement of consistency of what it is the organisation plans to do and not do provides an opportunity to critique and assess what’s going on in an organisation on an ongoing basis. Nobody implements everything, and that’s the reason that you have to have a policy," he said.
Knowing exactly what an organisation doesn’t do in terms of security allows a perspective on how much risk it is taking on, Kun explained.
Michael Murphy, Symantec’s Canadian general manager, agreed that a security policy is the first step to secure an enterprise’s infrastructure.
"It doesn’t have to be complex or convoluted, but it can’t just be a bottom-up policy driven by someone in IT. It has to be embraced and bought into by senior management," Murphy said, noting that organisations can turn to consulting companies specialising in developing security policies if they’re up against a brick wall.
RSA Security’s director of management and marketing for its authentication products division said that if defining a security policy and educating staff on the policy is the foundation for all precautions, the next step is to invest in basic defend and detect solutions.
"In terms of defending the perimeter of a company, things that come to mind are solutions like firewalls and antivirus products — technology to keep the bad guys out," said Bedford, Massachusetts-based Derek Brink. "Detection technology alerts you to intrusion and breached perimeter defences."
Brink noted that this is the fastest growing segment in the security industry, given the innovation in the virus-maker community.
According to Ian Curry, vice-president and chief marketing officer at Entrust in Ottawa, anti-virus solutions and firewalls are where a lot of organisations stop in terms of their security infrastructure.
"It’s just not enough," he said.
This is partly due to the fact that not all attacks are external.
"It’s sometimes sociologically hard to accept, but attacks happen inside organisations, and it’s really important that people think about that and assess the impact of what that means. Data has to be secure no matter what happens — no matter who leaves or comes in — and without consistency across applications you don’t have security," Curry said.
Murphy recommended that organisations take a multi-tiered approach to securing their infrastructure. "The military uses the term ‘defence-in-depth,’ which is a linear approach to security," he explained.
This means that security-wise, there’s a fence along the perimeter, doors on buildings, locks on the doors and alarm systems. What Murphy proposes that enterprises consider is a ‘defence and breadth’ approach to security.
"It follows a linear pattern of going from one point to the next, but also crosses widths — it’s security that goes across an organisation from client or desktop systems to network systems to perimeter gateway systems," Murphy said.
One approach gaining momentum in the enterprise is the use of multiple factors of authentication. As Kun explained, factors of authentication are different things you need to bring to bear to demonstrate that you are who you say you are. These are things you know, such as a password, things you have, such as a physical token or card, and things you are, such as fingerprint or an iris through the use of biometrics.
"Using two factors of authentication basically makes things more secure," he said. A related aspect to the multiple factors is the concept of single sign-on, which allows users to access information through one password.
"It’s reasonable to expect a human to look after one password, but most people tend to not be responsible with their passwords when they need to remember 10," Kun said. Brink agreed that the password issue is often one that leaves huge gaps in an infrastructure’s security.
"Passwords can be very expensive for an organisation. People pick their passwords poorly or write things down and this can become a management problem for both users and administration. It weakens security," he said.
"But authentication is a key step that companies can take."
Another tip put forward by Murphy is for organisations to integrate the solutions that they do have. Many companies stock up on security products and solutions and then have a difficult time managing them.
"Integration is important because people are meant to do more with less today, and if the tools are centrally managed, they’re more effective and allow for a more timely response," he said. "Security is not about keeping everything out or even at bay 100 per cent of the time, because it can’t be accomplished, but security is an important component of business, and how quickly you’re able to respond makes a difference," Murphy said.
According to Brink, this philosophy applies to everyone.
"Every company can improve. Some are at the far right or the far left on a bell-shaped curve, but even those in the middle can do better," he said.
SIDEBAR: Top tips for securing an enterprise’s infrastructure
1. Create a security policy. "See security as a business issue, assess what is mission critical and what data is mission critical and take steps to wrap security around these things." — Murphy
2. Use cryptography and encryption. "Define attributes of encryption solutions and write a security policy for them." — Kun
3. Make sure it’s user friendly. "If it’s not transparent and easy to use for end users, as proven throughout the history of humankind, they’re not going to use it." — Curry
4. Layer your security. "At the baseline, you should have policy and education. Above that, defend and detect ideas, which are the basic things every company needs to do. Beyond that, authentication and identity management. On top of that, authorisation or access management and then you can leverage your security with electronic signatures and encryption." — Brink