Securing your network against external and internal threats is a worthwhile pursuit, but keep in mind that no plan will ever be bulletproof.
There is no such thing as absolute security for data, networks or anything else. While information security is essential in almost all organizations, vulnerabilities exist across the IT value chain, from physical plant to networks (both WAN and LAN) to applications. Our goal is to apply mechanisms, policies and procedures that provide an optimal degree of assurance that sensitive information will not be compromised by hardware, software or human error -- or nefarious human intent.
Core security requirements include these essentials:
- an appropriate security policy
- education, training, awareness and reinforcement
- encryption of sensitive data at rest (in storage on enterprise- or user-owned devices, on servers and in the cloud) or in transit across a network (via VPNs)
- management systems, including directory services, identity management and appropriate accounting and reporting
- authentication of users and their devices
The ultimate threat, however, remains one that most IT managers choose not to even think about: the rogue employee or contractor -- someone with legitimate access to the network and at least some of the information resources it connects -- who compromises security either inadvertently or intentionally. One of the most visible examples here is the highly publicized Edward Snowden case, wherein an authorized user of a very sensitive national security network chose to further his own agenda via actions that his superiors deemed illegal.
To be fair, defending against unauthorized access to, or compromise of, the data on a network is difficult when cleared and trusted insiders are involved -- although, in the Snowden case, we might have thought that one of the nation's most critical, experienced and sensitive intelligence agencies would have been able at the very least to master the Security 101 steps noted above. Leaving the political issues aside, let's consider this case study to illustrate what steps can be taken to mitigate such a threat.
Using his role as a systems administrator, Snowden was able to make off with a large amount of highly classified information. Yes, Snowden had an appropriate security clearance; he had passed a rigorous background check. Yes, he did have access to computer systems containing sensitive information. But why was the data he had access to not encrypted? Surely he had no need to know the contents of every file he purloined. So while he was authenticated as a legitimate user of the network, the internal security mechanisms within NSA apparently relied upon perimeter security -- the assumption being that anyone inside of the perimeter could be trusted even without a specific need to know.
This astonishing lapse in judgment is as serious a gap in security as can exist in any IT shop. Only authorized users should have access to sensitive data, and then on an individual basis and only with a need to know. Anyone in possession of stolen data would thus see only an encrypted file, and even though encryption is not perfect either, today's techniques can be very effective.
Summarizing what we've learned from the Snowden example, here is a set of good practices for minimizing the effect of potential internal threats to the network and the data it provides access to:
- Access to any given piece of sensitive information is granted only to those who have passed a background check and who have a need to know that information. Sensitive data should be compartmentalized so that unauthorized individuals, even those who are otherwise cleared, trusted, legitimate users of the network, will be unable to access or even see these files. This type of security can be easily implemented in many of today's operating systems.
- Have a written policy that defines what information is sensitive, who can have access to it (and under what circumstances) and what to do in the event of a breach. Regular reinforcement of the need for security and monitoring of network activity by redundant staff can further reduce risk here.
- Put in place appropriate data encryption, VPN, authentication and management systems that include the tracking of sensitive data and the generation of alerts whenever this data is accessed, modified or otherwise acted upon. Mobile content management systems are a great place to start. It's very interesting that the trend toward mobility, often identified as yet another potential threat to security, may in fact be the key element in deploying effective information security strategies -- even when mobility isn't a factor.
There really is no such thing as absolute security, but it is possible to provide very good defense against threats, both external and internal. There are no shortcuts here, however, and eternal vigilance is a cost that will always be with us.