/dq/media/agency_attachments/UPxQAOdkwhCk8EYzqyvs.png)
Follow UsSecurity implications in a mobile environment
Despite securing the network through server hardening and other measures,
mobile users who work onsite are a major security issue for most enterprises.
Once these users come back into the network and connect their mobile devices,
there is a very real possibility that they can infect the network. According to
the CIOs, the whole issue of security here is concerned with two kinds of
connectivity-one is Internet and the other non-Internet. In the first case,
people outside the enterprise need to dial in to the network, while in the
second case mobile workers come back and connect their devices back to the
network.
There is usually a fundamental difference in approach about the security
policy in these two cases. In the first case, the internal network can be a
closed user group or the enterprise can use a franchisee network for outsiders
dialing in. Typically organizations follow the route of identification,
authentication and authorization to control this outside access to the network
Approaches like quarantining devices like PDAs or laptops have been used to
tackle the security issue in the second case. Maybe, having an internal help
desk to educate the employees would be useful; or better would be to have an
automated patch management at least on the desktops.
Synchronizing different point products vs. integrated single vendor
solution
Some enterprises intentionally source security products from multiple
vendors, while some use an open architecture, which gives a framework for using
various products that enhance the manageability of the overall security
environment. Each vendor product serves a specific purpose and if skill sets are
available within the organization to handle all the products, it often gives the
CIOs better assurance.
|
/dq/media/post_attachments/1beb48c4dc18f8e390c81c69ee251b225d98d9d69a3d1a44c1be194a1068893e.jpg)
Each product serves a different purpose-even if one product fails, the
other would detect the vulnerability. Often because of budgetary constraints,
enterprises have slowly adopted one product at a time and then amalgamated these
point products preferably on an iopen architecture.
Against these approaches, some CIOs prefer using an integrated security
solution from a single vendor especially for blended threats since that often
offers defense in both depth and breadth of the organization. Also having a
common console for all the products enhances and eases manageability.
Ultimately, whichever approach is adopted, CIOs need to take a call on risk vs.
RoI.
Lack of clarity
In today's heterogeneous environments across organizations, CIOs are
looking at whether automated patch management is cost effective, beneficial or
ultimately how effective they are. In many enterprises, automated patch
management helped clear blocking of bandwidth because of spurious traffic.
Therefore, it can be cost effective because the TCO is not only in terms of
network management, but bandwidth management as well.
Some feel it is not justified to look at RoI for patch management solutions;
rather it should be mandatory to patch your servers in case there is a
vulnerability. When a patch is loaded, it often impacts the enterprise
applications. Therefore, one best practice could be to first download the patch
in a staging area and check its adverse affects on other applications and then
only upload it on the live server.
Spam becoming a big nuisance
Spam is just not only an irritation any more, it is seriously compromising
organizational productivity by choking bandwidth and often leading to denial of
service. Most vendors are now coming with solutions that have spam control
incorporated into them, but most CIOs feel that might not be the only solution.
What is required is defining an organizational level security policy, whereby
certain mails with specific characteristics should be blocked. Often the senior
management crib about one or two important mails that might get blocked this
way, but they should be educated as to making that little compromise.
|
/dq/media/post_attachments/eb9fe521bc423433b71ea578a904081d4eb966e4913bc2c083405135e706ea58.jpg)
“It does not matter whether you adopt a best of breed or an integrated solution, you ultimately have to look at a risk vs. returns policy”/dq/media/post_attachments/975ec4eea344d8444f936058ca1fa9eadb9237f9ddcbdd390885116c2b46ca27.jpg)
“It was an organizational policy decision to amalgamate different point products so we created an open architecture to fit in these point solutions”/dq/media/post_attachments/33eefc8a30ddc090c676d97ba5d01c21d09b724cb97a7039197be443f48a77ec.jpg)
“I see a big threat in automated security update and it would not be long before somebody breaks it and sends you a patch which itself is a worm”Additionally, CIOs can allow only senior management within the organization
with specific rights to access mails from anywhere, since this often is a main
cause for network vulnerability. Ultimately, this should be a question of what
many CIOs term as CIA, standing for confidentiality, integrity and availability.
Merits of outsourcing security services
Enterprises are gradually giving away parts of their security functions to
external service providers. Not only are security functions towards maintenance
of IT infrastructure being increasingly outsourced as part of normal IT
outsourcing, even security audits are more and more done by independent vendors.
Currently, security functions like management of firewalls, network and host
intrusion detection systems, managed VPNs and vulnerability testing are
preferably outsourced. Some organizations are even outsourcing the security of
different servers to multiple vendors.
|
/dq/media/post_attachments/cbc11915ccb6e64e04ac75e79f1c7a26d8e7b56da05ad563e6340dd7143eb627.jpg)
“There should be different security policy approaches in case there is someone trying to access a resource on the network”/dq/media/post_attachments/f6d27ac581c2c17c3308b460483236dad48617ecdb3f7fd04e79f6de078e1048.jpg)
“Today there are four promising shielding strategies available which include behavior blocking and virus throttling”/dq/media/post_attachments/d6c1273815061e2721907f99b9f54dc9e1f8657e7731ba3879c1515d5ba4e555.jpg)
“Our best of breed solution involves Sophos on Exchange Server, Trend Micro on gateway, McAfee and Symantec on enterprise desktops...”A section of CIOs however, feel that there is no urgent need to outsource
security services to third parties because that would mean sharing of
administrative rights to mission-critical resources. But here it is imperative
to have people with specialized skills within the organization to manage these
IT systems.
Safeguarding Your IP
A national seminar on 'Intellectual Property Infringement-Counterfeiting/Piracy'
will be held on August 24 at the national capital. The one-day seminar,
organized by the CII Alliance for Anti-Counterfeiting/Piracy (CAAC), will
highlight the economic and social issues/damages due to counterfeiting/piracy
and also discuss on issues involved in combating this menace.
According to CII, the seminar will also help strengthen enforcement, identify
the technology interventions and chalk out strategies for industry action.