Home > Editorial > Full Story

Security: Thinking beyond firewalls

With the exponential growth demonstrated by corporate networks, most corporations have reached a point where it is almost impossible to have a control over data security.

Also, with more and more enterprises hopping onto the Net in order to save costs and increase efficiencies, the distinction between private and public networks is fast blurring. This is making it difficult for enterprises to fortify their data against external as well as internal attacks.

A firewall acts as the first line of defense against malicious hackers having a go at your precious data. But firewalls have their inherent drawbacks too. Firstly, they are not very effective against viruses or the new-age malicious worms that are capable of incapacitating enterprise systems. Then they are prone to internal attacks, mostly from disgruntled employees who do not have to pass through the firewall itself. Most investigations regarding hacking have shown that 60-80 percent of all security breaches come from within a company, rendering its firewall however advanced useless. Then you still need to worry about external hackers, who can use alternative paths like telephone switches, modems or even remote connections to the company server. These coupled with other equally vital factors makes it necessary for enterprises to think of security measures beyond firewalls.

There are numerous other tools/techniques, including Intrusion Detection Systems (IDS), encryption, etc, that can provide additional fortification for your enterprise data, just in case someone violates the first line of defense. But, sadly, even these may not be able to ensure foolproof security.

All this points to one thing, a need for a comprehensive security policy. A security policy is a prerequisite to proper security. It provides direction, it treats all areas necessary for proper security, and most important, provide a means for consistency. Without direction, completeness, and consistency, security can always be easily breached.

A security policy entails a detailed analysis of potential security breaches, implementing firewalls, IDS, hierarchical authorization to determine who can access particular type of data/files, and operational procedures like periodic software updates, disaster recover, etc.

Despite all this, a security policy will not be complete in the absence of user guidelines you need to tell users not to have post-it notes with their passwords on their monitors.

Does all this guarantee 100 percent security for you enterprise? No realistic computer or server security is foolproof. A security policy merely lessens the chance of any security breach. A best way to protect you enterprise network would be to periodically evaluate and update your security policy.

Sandeep Ajgaonkar
Assistant Editor
sandeepa@vsnl.com