10 Ways to Implement Multi-Layered Security

How secure is your enterprise? Does your current
strategy include true end-to-end security? Learn
10 ways to better implement a multi-layered
security approach in your organization. Topics
covered include: Lost laptops and smartphones,
botnets, network security, messaging security,
Intrusion Prevention Service (IPS), End Point
Security, and much more.
Any complex business has security holes: lots of them. And in today’s world of always on, ubiquitous computing, universal Internet connectivity, and seamless mobility it’s getting harder to identify the risks, much less close them. Worse, a fast-growing, global dark economy centered on disseminating and leveraging exploits is making it more difficult to predict attacks and mount targeted defenses. While classic hacker prizes like your strategic IP or customer credit-card files are still very much at risk, your business may also be the target of less-pointed attacks, like email or e-commerce denial of service, or random ‘phishing’ aimed at capturing employee or customer personal data. Bottom line: as defender, you must fight to thwart every possible attack. The attacker, however, only needs to locate one weak link to wreak havoc.

A better solution to this dilemma is multi-layered security: implementing multiple, overlapping security solutions so that your most-critical assets are buried deep behind several lines of defense. In theory, it’s a solid strategy, but one that large enterprises – even with comparatively great resources and large pools of specialized IT talent -- have been at pains to deploy.

Time for an upgrade

It’s doubtful you’d still be in business if you didn’t already have endpoint security (i.e., virus and malware protection), and hadn’t given your less-savvy users at least one round of stern talks about “never opening strange emails.” As a next step, upgrading desktop and laptop operating systems may be the single most effective move you can make to secure your company – not only because an OS upgrade brings online collective security learnings from prior versions, but also because the upgrade process itself tends to simplify and impose rigor: eliminating old, little-used applications, and giving you a change-up point for negotiating new security protocols with users. Windows 7, for example, is at this point increasingly a known quantity, generally more stable than XP, highly compatible with legacy software, and with improved security, encryption, malware removal, automated patch sequencing, and other features built in. But how do you simplify and reduce the workload of transition, not to mention manage the licenses involved? The answer is to implement an automated solution for OS upgrade distribution and management -- one with appropriate characteristics (e.g., large file storage, session bandwidth, OS-specific logging, policy management, etc.) to handle this specific task, which has storage, network and computational characteristics quite different from everyday patch issuance and configuration management (see below).

Patch early, patch often

While we’re on the subject, getting a handle on OS and application patches lets you keep ahead of exploits while improving product stability and performance. Patch deployment solutions let you evaluate, select, test, aggregate, deploy, log, and audit patch history. So it reduces workload, increases assurance, and provides an important link in the technology due-diligence chain for regulatory compliance. Because patch deployment is typically more time-sensitive, but less storage and bandwidth-intensive than OS upgrades, the architecture supporting these solutions is slightly different. Often, the patch-management function is augmented by configuration and policy management (see below).

Configure remotely

Servers, endpoint PCs, laptops, and mobile devices can all be made more secure by ‘hardening’ their configurations -- a complex and time-consuming process involving turning off unused services; constraining remote-access and other convenience features; setting administrator and user identities; defining execution policy for required applications; and many other details. Configuration management software keeps track of device, OS, application, and other configuration masks, interrogates and applies appropriate configurations over the network, and can often be used to remotely commandeer stolen or otherwise-exposed devices.

Virtualize the browser and surf from the inside

The web is a critically-important tool for modern business. But the browser is a popular insertion-point for malware and has become the vector for remote attack techniques like Cross-Site Request Forgery (CSRF). Letting users manage their own browsers can lead to trouble: unsophisticated folks are prone to installing toolbars, plugins and other ostensibly labor-saving tools that may embody malware or leave them open to attack, and to turning on features like password caching, forms-filling and history that can make a stolen PC a gateway to enterprise applications, mail and data. A better answer – now supported by some security-oriented edge-network devices -- can be to supply users with a virtualized instance of a filtered standard browser. This strategy offers users a high level of assurance against commonplace attacks, and prevents even successful attacks from executing code, rooting the OS, or reaching and compromising the local file system or other vulnerable targets.

Secure the perimeter

A mid-2010 EMA study found that 71% of organizations with 2,500 or fewer employees had significant trouble finding and retaining IT security specialists. That’s a telling stat when you think of how complex a full-featured, enterprise-class layered security solution can be. Attacking the problem, Unified Threat Management systems consolidate security and edge-network functions, blending gateway switching and routing with firewall, VPN, content-aware web filtering, antivirus, anti-spam and data-loss prevention (DLP). The pre-integrated result can be simpler to manage, and UTM devices can also be key enablers in helping you outsource security monitoring and network management to dedicated professionals.

Secure the endpoints

Securing endpoint devices in an enterprise setting isn’t always easy, and solutions aren’t perfect. So layers should be implemented here, as well. Antivirus, local firewall and similar applications work to bar exploits and infections. Biometric and two-factor access security help prevent exposure of data. And file-based encryption keeps key information safe, even if it leaves the enterprise net and gets copied to portable media.

Multi-Layered Security Broken Down By Areas of Concern and
Applicable Toolkits
IT Area of Focus
Areas of Concern
Relevant Toolkits
• Endpoints
• OS level
• OS update appliance
• Patch history
• Patch/configuration appliance
• Configuration hardening
• Patch/config appliance
• Desktop access
• Embedded biometrics
• Application access
• Remote policy mgmt.
• Install/Use policy
• Endpoint encryption
• File access
• UTM manager
• File storage
• Secure browser
• VPN authentication
• Secure email
• Browsing
• Incremental backup
• Email
• Backups
• Network Edge
• Patch history
• UTM manager
• Configuration hardening
• Optional off-site management
• VPN
• Firewall
• Stateful inspection
• Data-loss prevention
• Log archiving/backup
• Email
• OS level
• Patch history
• Secure Email cluster appliance management
• Configuration hardening
• Archive management
• Stateful inspection
• Whitelists/Blacklists
• Boundary encryption
• Backups and archiving
• Endpoint data encryption
• OS level
• Patch history
• Automated infrastructure management
• Configuration hardening
• Patch/configuration appliance
• Resilient computing
• Backup management
• Stateful inspection
• DB encryption
• Backups and archiving

Biometrics

A little-discussed, but equally important aspect of endpoint security is access control. Though it adds some cost to laptops, embedded biometric access control (e.g., via fingerprint) offers high security while reducing service caseloads (e.g., password-reset requests).

Hide in plain sight

Sometimes even the best-engineered and maintained access-control and intrusion-prevention systems fail. And no peripheral defense is proof against an ‘inside job.’ One effective way to mitigate the risk is to use deep encryption on proprietary and critical files to prevent data loss. Modern whole-enterprise file-based encryption solutions can be engineered to run transparently, encrypting files in ways that don’t inhibit authorized use while protecting them in transit and in storage, both on the company premise and when files are copied to thumb drives or other removable media.

Secure email

Email is a classic attack vector for introducing malware, phishing, and other attacks. It’s also the mainstay of compliance, auditing, and proving due-diligence under any regulatory regime. So email integrity is essential in managing all forms of business risk. For this reason, it makes sense, even within the context of an otherwise-comprehensive layered security plan, to treat email as a special case and give it another layer of protection. The good news is that top-rated email security systems are improving radically, offering malware and spam protection, boundary encryption to protect partner communications, sophisticated administration controls, and end-user-empowering features such as the ability to define and manage whitelists and tune spam settings within policy guidelines.

There’s no substitute for HUMINT

Human Intelligence (HUMINT), skill and attention is the backbone of reliable security. But if you’re pressed for resources, it can be hard – or impossible – to retain and deploy the skills you need to manage your layered security system and intervene around-the-clock when trouble strikes. Luckily, new models for engaging with security experts and for cost-effectively outsourcing the round-the-clock vigilance required to maintain cross-system integrity are evolving quickly, in tandem with hardware, firmware, and software architectures for Unified Threat Management. The simplified, pre-integrated nature of UTM solutions makes them ideal for enabling remote network and application monitoring, giving your IT staff access to IT experts when you need them and where you need them the most, all while effectively controlling costs and risk at the same.