Data is a key driver of business growth in the e-economy. But as huge volumes of data are generated and accumulated, keeping that data confidential and secure becomes a challenge for CIOs and IS managers. A comprehensive defense strategy is needed to protect confidential data. Defense-in-Depth (DiD) is one such approach: it combines the capabilities of people, operations and security technologies to establish multiple layers of protection.
DiD network security follows industry best practice by implementing multiple layers of security and detection. Although firewalls are an important layer in a DiD strategy, they are not relied upon as the single defensive solution. The Internet boundary is composed of a series of firewall technologies, subnets and transfer networks.
This ensures that only encrypted sessions from an explicitly designated subnet are allowed to reach any of the infrastructure devices. Further, the number of externally advertised IP addresses is kept to a minimum by using a series of non-routable internal DMZ transfer networks. In addition, separate subnets are used for externally facing production servers, test servers and applications. The external domain name server refuses zone transfer requests, which makes network reconnaissance more difficult. Firewall rules are closed by default and then selectively opened as required.
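The two boundary rules described above, closed by default and encrypted management sessions only from a designated subnet, are easy to state and easy to get wrong in a large rule base. The following is an added example, not code from the article or from any product it describes: a small ordered rule evaluator with a default deny, plus a lint pass that flags any allow rule violating the stated policy. The subnets, ports and rules are constructed for illustration.

```python
"""Added example: a default-deny packet-filter policy with an audit pass.

All addresses and rules below are constructed for illustration; they are
not taken from the article or from any real environment.
"""
import ipaddress
from dataclasses import dataclass

# Constructed networks: the only subnet allowed to manage infrastructure
# devices, the devices themselves, and the non-routable DMZ transfer network
# that fronts the public web tier.
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")
INFRA_DEVICES = ipaddress.ip_network("10.20.0.0/24")
DMZ_TRANSFER = ipaddress.ip_network("172.16.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ports whose sessions are encrypted.  Cleartext management protocols such
# as telnet (23) never get an allow rule, so they fall through to the deny.
ENCRYPTED_PORTS = {22: "ssh", 443: "https"}


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int       # TCP destination port
    action: str      # "allow" or "deny"


# Ordered rule set, first match wins.  There is deliberately no "allow any"
# entry: whatever is not listed is denied by evaluate()'s fallback.
RULES = [
    Rule(MGMT_SUBNET, INFRA_DEVICES, 22, "allow"),
    Rule(MGMT_SUBNET, INFRA_DEVICES, 443, "allow"),
    Rule(ANY, DMZ_TRANSFER, 443, "allow"),   # public HTTPS front end only
]


def evaluate(src_ip: str, dst_ip: str, dport: int, rules=RULES) -> str:
    """Return "allow" or "deny" for one TCP connection attempt.

    Walks the ordered rules and returns the first match.  If nothing
    matches the answer is "deny": that is what "closed by default" means.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and dport == rule.dport:
            return rule.action
    return "deny"


def audit_rules(rules=RULES) -> list:
    """Lint the rule set against the stated policy.

    Flags allow rules for unencrypted ports and allow rules that let a
    source outside the management subnet reach infrastructure devices.
    Returns a list of findings; an empty list means the policy holds.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dport not in ENCRYPTED_PORTS:
            findings.append(f"cleartext allow on port {r.dport} to {r.dst}")
        if r.dst.subnet_of(INFRA_DEVICES) and not r.src.subnet_of(MGMT_SUBNET):
            findings.append(f"infrastructure reachable from non-management source {r.src}")
    return findings


if __name__ == "__main__":
    for attempt in [("10.10.0.5", "10.20.0.1", 22),
                    ("10.10.0.5", "10.20.0.1", 23),
                    ("203.0.113.7", "10.20.0.1", 22),
                    ("203.0.113.7", "172.16.0.10", 443)]:
        print(attempt, "->", evaluate(*attempt))
    print("audit findings:", audit_rules())
```

Running the audit as part of change control, before a rule change is pushed to the firewall complex, catches the common regression where someone adds a broad allow to make something work and never removes it.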
Network based intrusion detection sensors (IDS)
Network-based intrusion detection sensors (IDS) add another layer of protection through the visibility they provide. Deploying IDS both inside and outside the perimeter shows which attacks are arriving at your network and which of them get through. The internal sensors are used for forensics, to determine whether intruders have breached the perimeter, and to detect unauthorized activity originating inside your network against external targets. Further, the performance and rule set of the firewall complex can be verified by comparing the two sensors: an attack seen by the external sensor but not by the internal one was stopped by the firewall, and an attack seen only by the internal sensor points to a gap in the external sensor's rules or capacity.
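The comparison between the outside and inside sensors is the useful part, and it is mechanical enough to script. The following is an added example, not code from the article: it correlates alerts from the two sensors by (signature, source, destination) and sorts each tuple into one of the four cases the paragraph describes. The alert lines and address ranges are constructed, in a simplified one-line-per-alert form, not real sensor output.

```python
"""Added example: correlating alerts from an external and an internal IDS.

The alert format, the addresses and the internal range below are
constructed for illustration, not taken from the article or a real sensor.
"""
import ipaddress
from collections import defaultdict

# Constructed: the address space that counts as "inside" for classifying
# the source of an internal-only alert.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed alerts, one per line: "sensor signature src dst".
ALERTS = """\
external SQLI-001 203.0.113.9 192.0.2.10
internal SQLI-001 203.0.113.9 192.0.2.10
external SCAN-NMAP 198.51.100.4 192.0.2.10
external EXPLOIT-IIS 198.51.100.4 192.0.2.11
internal OUTBOUND-IRC 10.0.0.23 203.0.113.50
internal EXPLOIT-SSH 198.51.100.77 192.0.2.12
"""


def parse_alerts(text: str) -> list:
    """Parse the constructed alert format into a list of dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, sig, src, dst = line.split()
        alerts.append({"sensor": sensor, "sig": sig, "src": src, "dst": dst})
    return alerts


def correlate(alerts: list, internal_net=INTERNAL_NET) -> dict:
    """Group alerts by (signature, src, dst) and classify by sensor coverage.

    blocked_at_perimeter: external sensor only, the firewall complex
        stopped it (this is the firewall rule-set check from the text).
    breached_perimeter: both sensors saw it, the internal sensor's record
        is the forensic starting point.
    internal_origin: internal sensor only, with an inside source address,
        i.e. activity from your own network against an external target.
    unexplained: internal sensor only, but the source is external, so the
        external sensor missed it; its rules or capacity need a look.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["sig"], a["src"], a["dst"])].add(a["sensor"])

    result = {"blocked_at_perimeter": [], "breached_perimeter": [],
              "internal_origin": [], "unexplained": []}
    for key, sensors in seen.items():
        sig, src, dst = key
        if sensors == {"external"}:
            result["blocked_at_perimeter"].append(key)
        elif sensors == {"external", "internal"}:
            result["breached_perimeter"].append(key)
        elif sensors == {"internal"} and ipaddress.ip_address(src) in internal_net:
            result["internal_origin"].append(key)
        else:
            result["unexplained"].append(key)
    return result


if __name__ == "__main__":
    for bucket, keys in correlate(parse_alerts(ALERTS)).items():
        print(bucket)
        for k in keys:
            print("   ", *k)
```

In a real deployment the join key would also carry a time window, since the same signature can fire repeatedly from the same source; the four-way classification stays the same.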
Vulnerability Assessment/Penetration Testing
Another key component of this multi-layer enterprise security strategy is ongoing vulnerability assessment and penetration testing. This includes onsite, in-depth vulnerability assessment and penetration testing of a smaller number of representative field sites. Furthermore, all infrastructure devices are tested and monitored to ensure that both policy and hardening standards are maintained.
Host Based Intrusion Detection
Detecting security events on the host itself is yet another layer of defense that the Defense-in-Depth program currently deploys. It is still in the evaluation phase, however, to determine the best approach and tools for providing this additional protection to an enterprise network, and the costs and benefits of more widespread deployment are being analyzed.
Hardening Standards
Consistent, tested and proven hardening standards add another very important barrier to your defensive security strategy. Today, hardening standards for ten different operating systems and twenty-six types of application server are being developed and deployed. All of these standards are managed under a change control mechanism to ensure quality. Servers are dedicated by function and allowed to host only one type of application: for example, a web server is not allowed to also be a database server.
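A hardening standard is only a barrier if hosts are checked against it after deployment, and the single-function rule is the easiest part of the standard to test automatically. The following is an added example, not code from the article: each role has a baseline of permitted listening ports, each host is compared against the baseline for its assigned role, and a fingerprint of the baseline set lets the check confirm it is running the version approved through change control. The role baselines and host inventory are constructed for illustration; real standards cover far more than a port list.

```python
"""Added example: role-based single-function check against hardening baselines.

Role baselines, port-to-role mapping and the host inventory below are all
constructed for illustration and are not from the article.
"""
import hashlib
import json

# Constructed baselines: the only listening TCP ports a server of each role
# may expose.  Encrypted management access (22) is common to every role.
ROLE_BASELINES = {
    "web": {22, 80, 443},
    "database": {22, 3306},
    "dns": {22, 53},
}

# Which listening ports identify another role, so a finding can say "web
# server also acting as a database server" instead of a bare port number.
PORT_ROLES = {3306: "database", 53: "dns", 80: "web", 443: "web"}


def baseline_fingerprint(baselines=ROLE_BASELINES) -> str:
    """SHA-256 over a canonical rendering of the baselines.

    Recording this value in the change-control ticket lets a checker verify
    it is enforcing the approved revision of the standard, not a local edit.
    """
    canon = json.dumps({r: sorted(p) for r, p in baselines.items()}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def check_host(hostname: str, role: str, listening: set) -> list:
    """Compare one host's listening ports with the baseline for its role.

    Returns a list of findings; an empty list means the host is compliant.
    """
    if role not in ROLE_BASELINES:
        return [f"{hostname}: unknown role {role!r}, no baseline to test against"]
    allowed = ROLE_BASELINES[role]
    findings = []
    for port in sorted(listening - allowed):
        other = PORT_ROLES.get(port)
        if other and other != role:
            findings.append(f"{hostname}: {role} server also hosting {other} service on port {port}")
        else:
            findings.append(f"{hostname}: unexpected listener on port {port}")
    return findings


def check_inventory(inventory: dict) -> dict:
    """Run check_host over {hostname: (role, listening_ports)}."""
    return {h: check_host(h, role, ports) for h, (role, ports) in inventory.items()}


# Constructed inventory: roles as recorded in the CMDB, ports as observed by
# a port scan of each host.
INVENTORY = {
    "web01": ("web", {22, 80, 443}),
    "web02": ("web", {22, 80, 443, 3306}),   # MySQL on a web server: violates the rule
    "db01": ("database", {22, 3306, 8080}),  # extra listener, not a known role
}


if __name__ == "__main__":
    print("baseline revision:", baseline_fingerprint()[:16])
    for host, findings in check_inventory(INVENTORY).items():
        print(host, "compliant" if not findings else findings)
```

The scan-versus-CMDB comparison is the same check the vulnerability assessment section describes when it says infrastructure devices are monitored to ensure hardening standards are maintained; running it on a schedule turns the standard from a document into a detector of drift.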
Limitations
Though a defense-in-depth strategy helps you secure your network, a lot remains to be done in the following areas before it can be considered substantially resistant to attack.
Host-based intrusion detection tool deployment.
Security management tools that perform log processing and that collect and maintain configuration data have to be developed rapidly so that they can be deployed effectively.
Identifying and closing backdoors.
Deploying an out-of-band capability for security and network management should be a key area of focus. In addition, scanning traffic on additional ports for malicious code, and security awareness, need to become an integrated part of the organizational culture. These deficiencies are now being studied and plans are being developed to address them.
Dr. C. Manohar, IT security analyst with the Center for Advanced Computing, says, "Managing the security program for a large enterprise is a huge and ongoing task. Any security strategy, including a defense-in-depth approach, needs to be well thought out and centrally controlled before implementing it," he warns.