This week's article is a bit of a departure from the ordinary, and I expect it
may engender a bit of controversy. That's because I want to discuss some
general principles of network security – and to question a few dearly held
(in certain segments of the industry) myths and misconceptions along the way.
First, though, the common ground: one thing that almost everyone can agree on
is that network security is important, and becoming more so all the time. In
the early days of networking, only governmental agencies and organizations that
were working on top secret projects worried much about security. The average
business using networked computers didn't give it a lot of thought. One reason
for this was that most were only networked internally, with no electronic links
to the outside world. Internet connectivity was only for an elite few, and most
business networks were self-contained LANs; only the biggest spanned multiple
geographic locations connected by permanent WAN links. Even if they did have
dial-in servers or other outside connections on the network, many companies
assumed (rightly or wrongly) that the data on their computers would be of
little interest to anyone else.
All of that has, of course, changed. Today almost every LAN, from the
one-person home office to the giant enterprise, has a connection to the global
network. And the nature of the data that is accessible on those local networks
has changed too. From confidential financial data to client records to trade
secrets to personal journals, almost every "written" document is now stored on
a computer and that computer is likely to be networked to other computers in
the organization. The more competitive nature of today's business world and the
more litigious nature of today's society make it much more crucial that
sensitive data be protected from access, disclosure, modification or
destruction by unauthorized persons. And that is why security has moved
to the forefront of IT industry concerns.
An entire sub-industry has sprung up to address these needs. As with any other
product or service, security is being sold as a marketable commodity. Security
is big business, and if you listen to the wrong "experts," you can end
up spending a lot of money unnecessarily for much more security than your
network really needs – or worse, spending a lot of money and still not getting
the level of protection that your network does need. Before you hire a
high-dollar security consultant, be sure to do a little research and learn
something about network security yourself. Also try to learn something about
those who are contending for the contract.
Evaluating the Security Evaluator
And as in any other field, there are those who are in the network security
business to provide a quality service and others who are there to make a quick
buck. One way to tell them apart is to pay attention to how – or whether – they
go about evaluating your network's security needs.
A good security consultant will start by assessing several factors to determine
the level of security you really need:
The nature of your business
The nature of your data
Any legal issues that may impact the need for confidentiality
The company's management philosophy (the "open door, one big happy family"
mindset vs the "locked down, need to know" attitude)
Beware of the security company that tries to sell you a "one size fits all"
solution. Like the same claim made by clothing manufacturers, it loses out to a
custom tailored outfit every time.
Myth No. 1: Super Duper Extra Tight High Level Security is the Answer
One big security myth is that every network needs high-level security. You'll
find plenty of security providers that will try to convince you of this, and
the reasons are pretty obvious: The more security you buy, the more they can
charge. It's much easier for them to just lock down everything (the "one size
fits all" thing again) than to customize the security measures to fit your
needs.
Be especially wary of anyone who tries to sell you any product or
service through high pressure tactics like fear and intimidation. If the major
sales pitch consists of dire warnings about all the disastrous things that will
happen if you don't buy their top of the line solution, run – don't walk –
toward the nearest door. You want to work with a security professional who's on your
side, who's interested in helping you address your needs within your budget,
not one who tries to scare you into spending as much money as possible.
Not only is the highest possible level of security not always necessary; it's
not even always desirable.
Myth...