Enterprise Network Security: The Wall Street Journal Gets It Wrong
Owen Linderholm on August 13, 2007
The Wall Street Journal recently published an article looking at security on network systems and, more precisely, how to get around it so that the average employee can do the things they want that the network doesn't allow. The publication did soften the blow to corporate IT by asking what risks employees were taking by doing this but somehow forgot to point out the biggest risk of all to the employee: termination. Disregarding the mildly irresponsible approach taken in the article, it is also significantly outdated and assumes that enterprises are employing, and employees are dealing with, what we will call "enterprise network security 1.0." In fact many large enterprises have moved on and are employing new technologies — "enterprise network security 2.0" if you will — that make most of the article irrelevant.

And there's another issue: The modern enterprise often doesn't mind many of the described activities. An employee wants to take a few minutes to manage bank accounts online? Go ahead. But any organization will get upset if employees are visiting gambling and porn sites from work. Regardless of company policies, however, modern security systems don't worry all that much about many of the issues described. They use sophisticated and advanced techniques that either make bad behavior impossible or neutralize any consequences before they occur. Real security systems look at all traffic on the network coming in and going out. They don't care if it is user-generated or machine-generated. What they care about is what is happening. Take the first example in the Wall Street Journal article — sending large files. A real security system doesn't care if you are sending large files or not (and modern networks aren't as worried about storage as older ones since storage is cheap and plentiful nowadays). But the system does care what the file is. Is it sensitive data? Who owns it? Do you have rights to be sending it somewhere? Is there a regulation or policy in place that states that the data must be encrypted? Faced with far more sophisticated detection systems and measures, the mere issue of how to send large files becomes a minor one.

The goal of a modern security system is to enable productivity and real system users to do what they want to achieve their goals without compromising enterprise security — and to do this as transparently as possible. But there is one more wrinkle that is critical: reporting. New regulations — especially SOX (Sarbanes-Oxley Act) and HIPAA (Health Insurance Portability and Accountability Act) — mean that a great deal of functionality is required, especially in terms of recording and tracking what is done on a system. This last goal alone means that it is unlikely that the average employee will really be able to move information around without someone knowing. The question is whether or not they will care.

"Enterprise network security 1.0" as described in the Wall Street Journal article is geared towards stopping users from doing things, blocking traffic in and out of the network, and constantly scanning for "signatures" of malware. It is intrusive and resource-intensive, and it effectively encourages users to try to get around it in order to get their jobs done. Unfortunately, that also encourages them to get around it to do other things, too.

"Enterprise network security 2.0" is much less interested in users and what they are doing. It looks at network traffic and decides if it cares about the traffic or not. Then it decides what to do. It is based on policies that are set centrally and enforced across the network. It relies on things like securing every device that connects to the network and making sure that it has no issues before it connects. And, most importantly, it carries on its work in the background — often without the average user's knowledge. Also, it tries to stop behavior it doesn't like dead in its tracks. This new kind of IT security is not a full set of mature technologies yet. It includes technologies like NAC (Network Access Control) and IPS (Intrusion Prevention Systems) that try to be predictive and proactive rather than reactive. Depending on how these features are configured and on the organization's policies, they could freely allow or block most of the traffic discussed in the Wall Street Journal's piece.

Let's go through the items one by one.

How to send giant files.
The real question for the enterprise is "How do I make sure the files being sent by employees are OK for them to send?"
Nobody cares if the picture of grandma and the cousins must get off via email to your sister this morning, but they do care if "grandmapicture.jpg" is actually a confidential PDF that has been renamed. If the file is actually gigabytes in size as mentioned in the article, then it will probably get blocked anyway for tying up network bandwidth — and rightly so. And if you want to transfer large files regularly, don't send them. Instead, use an online storage site and mail your friends and family a link. Then you don't fill up mailboxes with gigabytes of data that the recipient might not even want. And employers will want a system that restricts access to confidential data as well as a system that checks outgoing data against policies and decides if it should be blocked, encrypted or just let through untouched. For more information, see our Email Security Resource Center, Firewall Resource Center and NAC Resource Center.

How to use software that your company won't let you download.
The real question for the enterprise is NOT what the employee downloads but what they are running. This is relatively easy to detect AND block. One suggestion the Wall Street Journal made was to run software off a portable source like a USB stick. But good NAC software will detect the insertion of a USB storage device and apply enterprise policies against it. In other words, if it has banned software on it, it won't be given access and won't work. The alternative solution listed was to use Web-based equivalents. NAC software can also decide if an application can be run from a Web site. Employees are better off making a good case for a sensible policy. There is evidence now that some personal use of Internet applications is good for productivity, and IT departments can make approved installations of software like instant-messaging clients available.

How to visit Web sites that your company blocks.
First off, this is just a bad idea.
If you get caught, there isn't really going to be much you can do to prevent getting in a lot of trouble. If the site is one you really ought to be able to visit, then try to chat up your IT people. If not, think awfully hard about how you are going to be able to explain why visiting PokerStars.com was necessary for your work. The Wall Street Journal's suggestions in this case are pretty good ones, although a smart IT department is going to be able to block proxy sites too. Many of the more advanced IT security firms now use reputation-based filtering that doesn't really have to use a list of blocked sites but instead relies on a large and ever-growing database of sites that exhibit "bad behavior" and are suspicious. Do you really want to have the IT department flag your Internet activity as suspicious and start watching it in detail?

How to clear your tracks on your work laptop.
This one is the closest the Wall Street Journal comes to modern practices. Sure, people use their work laptops at home. And yes, you don't want the boss to know what you are doing. But does the boss even care? What the boss cares about is what went home with you from work, not what happens at home. They also care about what comes back with you from home — like malware and so forth. But in reality, most of the issues are with you walking out with sensitive data — particularly personal data — and having your laptop stolen. There are quite a few solutions to these issues from the enterprise security point of view, and they range from not allowing sensitive data onto mobile devices to encrypting all sensitive data to locking mobile devices remotely — and on the way back in, scanning devices before they reconnect to the network.

How to search for your work documents from home.
Frankly, this ought to be part of the network and security policies for your organization anyway. Most organizations already have VPNs (virtual private networks) set up for employees to tunnel into the network from outside in a secure manner so they can access documents, email and so on. The Wall Street Journal's scenarios just shouldn't be possible with good network security.

How to store work files online.
This one is just a plain bad idea. There are better ways to get access to work files — much better ways. You shouldn't try to do this ever, and if you get caught by the IT department, you should expect to be in big trouble. There aren't many good options, and why are you storing work files on a third-party site? Could it be to enable industrial espionage? Better get ready to answer that question if you try this.

How to keep your privacy when using Web-based email accounts.
This is an iffy one. The Wall Street Journal's answers are exactly right on this — and again, modern security systems should be able to detect when you do something stupid like trying to attach confidential documents, regardless of whether you are using HTTPS. And the Wall Street Journal got it right about why this is a problem. But frankly, any modern IT staff is going to regard this as business as usual.

How to access work email remotely if your company won't spring for a BlackBerry.
BlackBerries are so 2006. If it is important that you access work email remotely, your company will help you do it. If they don't want to help, then email forwarding will certainly work — but be aware that a good email security system will catch and block email that shouldn't go out that way. Most companies provide secure ways to access company email remotely anyway, so why not use them? There are solutions to lock stolen or lost devices, and there are encryption and secure logon services that make it very hard for unauthorized users to employ devices. Also, consider whether you really want the electronic leash you are setting yourself up for.

How to access your personal email on your BlackBerry.
The Wall Street Journal is mostly right on this point, but again, a good email security program WILL be able to scan your personal email as you connect onto the network and make sure that it is malware-free.

How to look like you are working.
Not to overly promote the Protestant work ethic, but surely the answer to this is to actually be working? And if your boss is going to fire you for a moment of looking up the best brand of shoe to buy, then maybe it's time to find another boss anyway? Maybe getting fired would be the best result.

We've been deliberately rather harsh about The Wall Street Journal's article, but this is not completely unreasonable since the wrong issues are being considered here. The first issue is keeping everybody secure in an increasingly hostile online world, and that means keeping your employer safe too. The second is looking at the problems as a whole; often it is better to simultaneously give employees more autonomy and power while increasing overall security.

Here are some great further resources on our site for digging deeper into modern security solutions.
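One way to implement the "what the file is, not what it is called" check that the giant-files section describes for outgoing attachments, as an added example that is not from the article or from any product it mentions. The magic-byte signatures are the standard ones; the size limit, the CONFIDENTIAL marker, the block/encrypt/allow policy and the sample files are assumptions constructed for the demo.

```python
# Added example: classify an outgoing file by its leading bytes, not its name,
# then decide allow / block / encrypt. Limits, marker and samples are assumptions.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf",
         b"PK\x03\x04": "zip", b"MZ": "exe"}  # well-known signatures -> content type
EXT_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf", "zip": "zip", "exe": "exe"}
MAX_BYTES = 25 * 1024 * 1024           # assumed bandwidth/mailbox limit
CONFIDENTIAL_MARKER = b"CONFIDENTIAL"  # assumed classification label in the content

def sniff_type(data: bytes) -> str:
    """Return the content type implied by the file's magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> dict:
    """Apply the outbound policy to one attachment and explain the decision."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    declared = EXT_TYPES.get(ext)
    reasons = []
    if len(data) > max_bytes:
        reasons.append("oversize")
    if actual == "exe":
        reasons.append("executable")
    if declared and actual != "unknown" and declared != actual:
        reasons.append(f"named as {declared} but content is {actual}")
    if CONFIDENTIAL_MARKER in data:
        reasons.append("confidential marker")
    # Anything other than an honestly labelled confidential file is a hard stop;
    # a confidential file with a truthful name goes out, but only encrypted.
    if any(r != "confidential marker" for r in reasons):
        decision = "block"
    elif reasons:
        decision = "encrypt"
    else:
        decision = "allow"
    return {"file": filename, "type": actual, "decision": decision, "reasons": reasons}

SAMPLES = {  # constructed sample files for the demo
    "grandma.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,                 # real photo
    "grandmapicture.jpg": b"%PDF-1.4\n%CONFIDENTIAL quarterly numbers\n",  # renamed PDF
    "report.pdf": b"%PDF-1.4\nCONFIDENTIAL board pack\n",              # honest, sensitive
    "tool.png": b"MZ\x90\x00" + b"\x00" * 32,                           # executable as image
}

def scan_all(samples=SAMPLES) -> dict:
    """Map each sample file name to the policy decision for it."""
    return {name: check_attachment(name, data)["decision"] for name, data in samples.items()}
```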