A year ago, I could not write enough about how unknowingly vulnerable companies' and individuals' personal computer systems were. It seems, however, that there has recently been a shift in consciousness, leading the public to the realization that there is a dire need for security. The recognition of this need is credited to the media, who report on frequent high-profile attacks that cost experienced companies millions of dollars. Additional credit belongs to vendors, who have spent almost as much time educating the public about the need for security as they have spent developing the products. Smaller businesses and home users are coming to the understanding that they don't have to be high-profile to be targeted.
Unfortunately, we are not there yet. The next generation of security thinking will reinforce the fact that we will never really be there. And that is because there will never be a completely self-sufficient security system. The cold reality is that security will be a constant battle against a foe that is overwhelming in size and inspiration. The need to improve security will exist as long as generations eclipse their predecessors in understanding of systems, as long as these generations hone skills before developing the good sense to use them morally, as long as vendors operate in a capitalist economy, and certainly as long as there is little accountability for those who choose "the dark side."
The understanding of the perpetual nature of the electronic threat has birthed a more enlightened security philosophy. This new understanding is the second step in our quest for electronic peace, and takes us from the primitive realization of the need for security, to the more sophisticated realization of how to use it.
In 2001, administrators began to understand that implementing a security solution is the easy part. Making it effective requires a feedback loop that results in perpetual adjustments to the existing solutions. The figure below details that upon installation, security appliances must be configured, managed, monitored, analyzed and maintained, resulting in reconfiguration. This security adjustment cycle will often mean the difference between effective security and a laughable challenge to malicious hackers. Moreover, each step in the cycle is a point of failure for the integrity of the network.
The first and most obvious step in the cycle is to install the equipment. This is the battle that vendors have fought in the past, and they are still fighting it in order to generate sales. However, vendors are increasingly emphasizing the need to correctly configure this equipment once installed. Proper configuration ensures that services that are not necessary for network operations are disabled, and that the equipment is guarding the correct portions of the network. This focus on correct configuration has led vendors to be increasingly discerning in the resellers that they partner with. As security has moved to the top of the list of priorities for CIOs and administrators, many VARs and systems integrators have evolved to focus on security as a means of differentiation in a slowing economy. These more security-savvy consultants are more knowledgeable about the correct configurations for security equipment, which reflects more favorably on vendors than consultants whose incompetently configured equipment results in network breaches.
The most important development for firewall and IP VPN equipment in 2001 was manageability. The ability to use an intuitive graphical management console to create and enforce security policy is the holy grail of modern security equipment. Management of equipment ensures that the users have correct access rights, and that security policy is enforced across all portions of the network. The ability to do this remotely has become an increasingly attractive feature.
Installation, configuration and management are too often the extent of involvement that administrators have with their security equipment. Monitoring and analyzing security equipment is generally a time-consuming, painful, eye-glazing, and tedious task that few are interested in performing. The monitoring and analyzing of security equipment output verifies the integrity of the network (or lack thereof), reveals where security breaches have been attempted, and gives administrators a feel for the dynamics of the network. Monitoring and analyzing can also bring performance problems to light, so that they may be addressed.
Equipment maintenance involves upgrading, updating and patching security equipment. Just like other networking equipment, security equipment is in a state of constant evolution, with bugs and vulnerabilities fixed as they are discovered. Security equipment maintenance can also include adding ports or accelerators to improve the capabilities of the device. These types of changes generally will require some measure of reconfiguration, and so the cycle repeats itself.
If this sounds like a lot of work, that's because it is. Unfortunately, all of these steps are necessary in order to get the most benefit out of your security investment. A lackadaisical approach to any of these steps can easily result in a security breach, even with the best security equipment in place. For those who have better things to do with their time, managed security service providers will happily take care of all this work for you.
Jason Wright is industry analyst and program leader of security technologies, Frost & Sullivan (www.frost.com).