REDMOND, Wash., Nov. 11, 2005 – Not too long ago, it was a relatively simple task for organizations to secure their networks at the perimeter. The network could be isolated from the world at large, with a combination of technologies and the physical boundaries of the corporate office serving as walls and moats to keep intruders at bay.
But what should organizations do when their network no longer has a static perimeter, and their employees are as likely to log on from their home in Albuquerque as they are from a hotel in Shanghai or a café in Rome? In today’s interconnected, global business environment, do networks even have “edges”?
This is the topic of November’s Security360 webcast, taking place Tuesday, Nov. 15. As they do each month, Microsoft Corporate Vice President Mike Nash and Director of Product Management Amy Roberts of Microsoft’s Security Technology Unit will gather with security experts to discuss the topic at hand.
This month, the conversation will focus on how unmanaged devices, such as laptop PCs, can more securely connect to corporate networks. Viewers will hear perspectives and ideas from a variety of industry guests including Laura Koetzle of Forrester Research, John Meakin of Standard Chartered Bank and Barbara Nelson of the enterprise connectivity service provider iPass. Other guests on the show will include Bob Gleichauf of Cisco, independent software and network security consultant and Microsoft MVP Steve Friedl, and Andrew Harding of Juniper, along with Mark Ashida and Karen Worstell of Microsoft.
During the webcast, these industry experts will be invited to share their real-world insights on the current challenges facing IT departments in improving edge security, emerging trends and best practices, and the most effective technologies available to address security at the network’s edges. Audience members will be given the opportunity to submit their questions, with time reserved for a live Q&A session to answer selected questions during the show.
Forrester Research’s Laura Koetzle, vice president and research director of the firm’s Computing Infrastructures and Security group, discussed the policy enforcement issues customers are faced with as their networks become more complex in her November 2005 report “Securing the Network From the Inside Out” and in her July 2005 report “Jericho Forum Looks to Bring Network Walls Tumbling Down.”
“It’s hard for companies to determine where they should put various enforcement points today, given that they’ve got overlapping wireless networks, wired networks that may have public segments, employees dialing in from all over the world and using their own broadband connections, virtual private networks, production floor networks and process control networks,” notes Koetzle. “With all of this going on, it has become very difficult for companies to decide where and how enforcement should happen.”
Distributing Security Functions to the Work Stations
John Meakin, who will take part in the 360 roundtable discussion moderated by Roberts, represents Standard Chartered Bank as a founding member of the Jericho Forum, an IT industry group dedicated to identifying and mapping edge security scenarios, and bringing those together with the right technology to address each unique situation.
“At Jericho we’re not inventing new mechanisms necessarily,” says Meakin. “We’re surveying what vendors are producing, the technology standards that have been published, and marshalling those together as the nuts and bolts of each unique solution. In this way we’re looking to address a range of scenarios, from relatively simple branch-office type implementations on up to highly challenging kiosk-style security scenarios.”
Meakin’s experience at Standard Chartered Bank gives him plenty of real-world knowledge and experience to draw from. With offices in remote locations in Africa, India and elsewhere, Standard Chartered has long been working to balance the need for comprehensive security with the economic realities of its network’s distant edges.
“It doesn’t make sense economically to put a $250,000 firewall into our branch offices in Nairobi,” he says. “So we’ve really had to look at how to distribute those security functions to the work stations, the transport mechanisms and other places, to bring those costs down while at the same time providing the level of security necessary to maintain a banking operation.”
Other examples from Meakin’s experience with Jericho Forum include unifying joint business ventures where employees from several companies may need access to the same corporate network, without the hassle of setting up a new set of user profiles and security policies. Within Standard Chartered Bank, new “perimeter-less” scenarios are being investigated to reduce costs and increase market reach, including supplementing traditional branch networks with distributed PC kiosk systems, where a single PC in an unsecured environment, such as a library or shopping center, may be used to perform sensitive functions such as account balance transfers.
“You have to build up a lot of trust with users that the PC is secure, no matter where it is or what it’s being used for in the interim,” he says. “This is a very complex problem and it’s one that Standard Chartered is working to address in cooperation with the Jericho Forum.”
Securing Devices in a Distribution Environment
Nelson of iPass also notices the growing need to secure devices in a distributed environment. iPass boasts a long history of providing remote access for business travelers around the world. Initially an aggregator of worldwide Internet service providers, iPass has grown its expertise to incorporate many of the security policies and technologies prevalent in the business world today.
“Over the years, the ability to connect to networks all over the world has added layers of complexity,” Nelson says. “Today iPass makes sure that when a user connects, her device is in a safe state and protected from the network she is logging onto, and that the enterprise policies are in place around that connection. Doing this requires a lot of cooperation and communication with vendors and service providers all over the globe.”
According to Nelson, iPass technologies must perform such functions as launching a virtual private network automatically, ensuring that the PC’s firewall is in place and active, and checking that anti-virus software is operating properly and contains the most recent updates. More than simply allowing the user to authenticate and gain access, iPass services today validate the health and safety of the PC itself.
And according to all of the panelists, this is the new network boundary. It’s a combination of the user, the location, the device, and the data he or she needs to access and manipulate. Each company has unique business needs, information, employees and customers. And each one has a unique network, with its own set of policies and technologies to address each business scenario, they say.
For companies trying to determine the right approach, Microsoft has a suggestion: Tune in Tuesday to learn more.