A place for everything, and everything in its place: that’s the idea behind multi-tiered security strategies, the latest trend in the art — and science — of protecting your IT investment.
It means creating rings within rings that protect not just the network server, but processes carried along
the network.
“”The realization is that, even with traditional security in place, you’re still vulnerable,”” says Kelly Kanellakis, director of technology at Enterasys Networks in Mississauga.
“”You don’t have to get to the server to do damage.””
Is it really such a new idea at all? “”Yes and no,”” says Sam Curry, director of product management for Computer Associates’ eTrust suite.
“”It’s not new in the sense that it’s not something you buy, it’s more of a philosophy.””
It’s not that people hadn’t thought of a tiered security strategy before, Curry says. But networks have grown and become more complex. “”As networks have become more complex, so have the threats and the difficulties in identifying them,”” Curry says.
The big problem in network security is that the threats usually come from unexpected quarters — from within the enterprise rather from out in the wild and wooly world of the Internet.
“”This is something most managers would rather not admit,”” despite the fact that studies like the annual survey by the Computer Security Institute consistently show that the vast majority of security breaches can be traced to careless practices or employees, says IDC Canada senior analyst Dan McLean.
“”The conventional wisdom is that you need one perimeter,”” Kanellakis says, “”It’s a firewall. And that’s it. In reality and in terms of best practices, that really is not enough. It doesn’t protect you from within and it doesn’t protect you at all your access points.””
The whole point behind a multi-tiered security strategy is to protect the network and an enterprise’s networked assets from the kind of threats that circumvent the outer perimeter, whether those are denial of service attacks launched by armies of zombie machines or a disgruntled mailroom clerk on the last day of his job.
“”You do this by layering the security,”” Kanellakis, says. “”I like to describe it in terms of a medieval castle, with its moat, walls, long, winding approaches and drawbridges. Every one of those things provides a different layer of protection. As you get closer to the castle, you have deal with a different security layer. The same thing should apply to the network.””
That kind of multi-tiered approach might make a whole lot of sense. But how do you do it?
The bottom line is that multi-tiered security is a strategy more than a technology. The idea is to provide users with access only to those parts of the network they need to do their jobs.
It’s technologically driven, but its fundamentally a management issue, and “”security management is a layer on top of the technology that you have deployed,”” Curry says. “”The question is, can you turn this into processes that you can map from end-to-end?””
The trick is to manage the identities of every user and manage all of the access points. “”Three years ago, we said that security has to be an holistic venture,”” Kanellakis says, “”it’s not just a firewall. We developed a concept called user personalized networking, where each user gets a personalized experience — almost a personal firewall.””
The security management suites of both CA and Enterasys ares designed around open standards like the lightweight directory access protocol to sit comfortably atop whatever enterprise system a company has deployed. “”We have integration kits that allow us to integrate with whatever you happen to be using as readily as with our own products,”” Curry says. “”The hooks are standards-based, and where there aren’t standards, we are championing them.””
It all sounds simple enough, and both Curry and Kanellakis talk about “”one-click”” ease of use and “”simple”” deployment. The problem, says McLean, is that security management is rarely that simple, and that tends to frighten enterprise managers. As elegant as role-based access appears, he says, getting access control talking to your human resources database is neither simple nor a one-time deal.
“”Conceptually, the idea is great, but the problem comes from the practical application,”” McLean says. “”You can imagine that linking the two, creating rights and permissions around roles, can be a pretty complicated task. You have to reference a permissions directory, and the problem becomes one of continuity and management. What happens when people take on different roles in the enterprise? What happens with the exceptions?””
At the end of the day, that creates a considerable amount of resistance to new security investments, no matter how promising they appear.
“”The thing that kills investment in security is that a lot of people look at how daunting it is and then throw up their hands and say, ‘We’ll take a pass,'”” McLean “”That’s the big issue with IT security.””
The vendors insist that their solutions can handle the exceptions well enough, but concede that the complexity of multi-tiered security, or the perception of complexity, has made for a tough sell.
“”The response has been relatively good, but it generally comes back to, ‘Do we really need this level of control?'”” Kanellakis says. “”The best response seems to be coming from universities, where they have to manage a constantly changing and very diverse user base.””
All that might change, however, as governments in the U.S. and Canada pass legislation creating stricter due diligence definitions.
McLean says some of the market resistance comes from uncertainty about what enterprises will be required to do.
“”If you talk to enough vendors, you’ll see how tough it is,”” he says.
“”I think their customers are watching for the legislation that will force their hand.””
Curry agrees, but believes that the legislation is coming, and with it, a groundswell of interest in multi-tiered security.
“”I have a hunch that Canadian legislators are carefully watching the successes and mistakes made elsewhere,”” he says.
“”It will happen soon, and when it does, we have the solutions to ensure that our customers have the best security possible.””
