The tried-and-true approach to enterprise network security has always been to secure the network edges, in an effort to block unwanted access into and out of the corporate network. By using network firewalls and other technology components, security has focused on blocking network ports and protocols and simply limiting the attackable footprint of an organization to the rest of the world. However, as social networking and mobile devices offer new vectors for attack and enterprise data continues to become even more mobile, a technology-centric focus on security may not be enough to protect an organization’s important or priority data.
John Pironti, president of IP Architects, a security consulting firm, highlights the fundamental flaw in relying solely on technology solutions to achieve enterprise security goals, noting that “technology is always behind the adversary, so even the best scanning tools are based on the idea of figuring out how an exploit occurred, then fixing it. The adversary is constantly trying to find the hole in the technology and the technology firm simply can’t respond fast enough.”
Instead, Pironti suggests a data-focused approach to security. “Many IT professionals forget that what matters are the business processes that are flowing through that technology and how that data is impacting the organization. The value of data changes regularly as it flows through business processes. Data that may be unimportant one day can be very important the next and vice versa.”
As a first step toward a data-centric security posture, enterprise wide area network (WAN) managers should work to gain clarity not only into what data is being passed between remote and external sites, but also into why that data is moving. Understanding an organization’s business processes, such as how the sales team conducts a sale, will help the WAN team determine whether the data being moved around by a salesperson on a mobile device is appropriate.
“I’m not asking the WAN engineer to be a guru of business,” continues Pironti, “but they should have an appreciation for the business processes in terms of what data is flowing where, and what is acceptable and unacceptable based on their organization.”
Whether for regulatory compliance reasons or simply to meet the demands of business managers, many WAN managers are now being tasked with knowing what specific data has moved out of the organization and where it went. Even with a granular view of data flows in hand, however, the WAN team cannot be the lone protector of company data; it should work closely with the organization’s information security teams, as well as the business unit leaders. Rather than simply making decisions on what data is allowed to pass through the firewalls, WAN managers should be talking to business leaders in terms of risks and rewards. Ultimately, it should be up to those business leaders to determine whether the benefits of potentially risky activities, such as mobile access to corporate email, outweigh the potential risks.
A data-centric approach to security not only enables WAN managers to focus their efforts on the issues that most closely apply to an organization, but can also improve communications between the IT organization and the rest of the enterprise. In this case, aligning IT with the business gives the WAN manager a clear area on which to focus attention, and empowers the organization’s business leaders to take an active role in the overall security of the enterprise.
This was first published in November 2010