You can’t trust the network
As boundaries get wider, every new technology opens another potential hole in a company’s network, encouraging hackers in their probing for the weakest link
New technology is great, isn’t it?
Blackberries, 3G phones, Wi-Fi, memory sticks, even iPods are opening up all sorts of interesting possibilities for making business more efficient, effective and even fun.
At the same time there’s a growing demand to securely link key business partners (including outsourcers, many based in exotic places) across the supply chain as well as provide the ability to support new patterns of working (home & mobile workers).
But spare a thought for the hard pressed IT security team. Not only are the boundaries getting wider, but every new technology opens another potential hole in a company’s network, encouraging hackers in their probing for the weakest link.
So here’s a terrible truth - the internal company network is no longer a territory that can be reliably protected without either:
- spending unreasonable amounts of money/effort, or
- inflicting unacceptable usage limits on internal users and business partners.
Is there a solution?
Yes - stop trying to defend the undefendable. Instead, set up boundaries at a level that is defendable and secure the links between these “islands” of security. I call this point-to-point security (PTOPS for short). PTOPS principles are relatively simple:
- Only the physical data centre network is trusted. All other networks and systems are by default “untrusted”.
- Network perimeter defences are set up around central systems only.
- All desktops, laptops, etc. are locked down and have software firewalls installed.
- If sensitive data is held on a desktop it is kept in an encrypted file area.
- All connections between all systems (e.g. desktop to server) are via encrypted links using Virtual Private Network (VPN) technology.
- Users are authenticated using a physical device, e.g. password-generating “dongles”. All links between users and core systems are authenticated in this manner, with authentication (and user access rights) defined at the perimeter of the data centre.
This approach offers the business a number of benefits:
- The “defence” line of the business is clearly defined, small and physically controlled.
- There is one approach to security for ALL user access. For example, a desktop user in an office connects in exactly the same way as a home worker or a business partner on their own premises.
- User access rights can still be restricted based on type of user and/or location of access point.
- All key systems and data are secure.
- Flexibility and speed of response are significantly enhanced.
- The IT department is probably already using all of the technology required, but only for a subset of users (e.g. roaming laptop users).
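As an added illustration (not part of the original article), here are the PTOPS principles and the “one approach for ALL user access” benefit modelled as a single access decision taken at the data centre perimeter. The user types, locations, resources and entitlement tables are constructed assumptions, not anything the article specifies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user_type: str        # e.g. "employee" or "partner" (constructed)
    location: str         # "office", "home", "partner_site" (constructed)
    over_vpn: bool        # is the link to the data centre an encrypted VPN tunnel?
    token_verified: bool  # did the physical device's one-time password check out?
    resource: str         # core system being requested

# Access rights by user type, then narrowed by location of the access point.
# Both tables are constructed example policy, held at the data centre perimeter.
RIGHTS = {
    "employee": {"hr_portal", "file_share", "erp"},
    "partner": {"erp"},
}
LOCATION_EXCLUSIONS = {
    "home": {"hr_portal"},  # e.g. HR records not available over home connections
}

def perimeter_decision(req: AccessRequest) -> tuple[bool, str]:
    """Decide at the data centre perimeter. Returns (allowed, reason).

    Note what is deliberately absent: the source network never appears.
    An office LAN is as untrusted as a home broadband line, so the same
    two checks (encrypted link, hardware-token authentication) apply to
    every user before any access right is even consulted.
    """
    if not req.over_vpn:
        return False, "no encrypted VPN link"
    if not req.token_verified:
        return False, "no hardware-token authentication"
    allowed = RIGHTS.get(req.user_type, set()) - LOCATION_EXCLUSIONS.get(req.location, set())
    if req.resource not in allowed:
        return False, f"{req.user_type} at {req.location} not entitled to {req.resource}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed requests: the office desktop on the LAN gets no free pass.
    for r in (AccessRequest("employee", "office", False, True, "erp"),
              AccessRequest("employee", "home", True, True, "erp"),
              AccessRequest("partner", "partner_site", True, True, "file_share")):
        print(r.user_type, r.location, "->", perimeter_decision(r))
```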
If it’s that easy, why haven’t we done it already?
If only we had known 10 years ago what was going to happen, we probably would have! As it is, changes and technological advances have arrived piecemeal over the years, and as each new problem came along the best solution always looked like a point upgrade to the existing approach.
So the main issues holding back the change are:
- Businesses will have made a significant investment in their existing IT security arrangements.
- The incremental cost of fixing one issue always looks lower than taking a more strategic approach.
- A lack of understanding of the opportunity cost of not taking a better approach, and of the flexibility and ease of enhancement that come with it.
So what should we do now?
Do the cost/benefit analysis. If it doesn’t stack up, do it again year after year until it does. Eventually more and more firms will realise that investment in the new approach is not just a smarter and cheaper security solution, it also dramatically improves the level of service IT can offer.
This level of change will take time and require investment, but the quicker you start the more money you will save in the longer term. Some businesses have already woken up to this fact – has yours? If not, you’ll need to develop a new company mantra:
“You can’t trust the network. You can’t trust the network. You can’t trust…”