10 Ways to Implement Multi-Layered Security


How secure is your enterprise? Does your current strategy include true end-to-end security? This paper describes 10 ways to implement a multi-layered security approach in your organization. Topics covered include lost laptops and smartphones, botnets, network security, messaging security, Intrusion Prevention Service (IPS), endpoint security, and more.

Any complex business has security holes: lots of them. And in today's world of always-on, ubiquitous computing, universal Internet connectivity, and seamless mobility, it is getting harder to identify the risks, much less close them. Worse, a fast-growing, global dark economy centered on selling and using exploits makes it more difficult to predict attacks and mount targeted defenses. While classic prizes like your strategic IP or customer credit-card files are still very much at risk, your business may also be the target of less-pointed attacks, such as denial of service against your email or e-commerce systems, or indiscriminate phishing aimed at capturing employee or customer personal data. Bottom line: as defender, you must try to thwart every possible attack. The attacker only needs to find one weak link to wreak havoc.

The standard answer to this asymmetry is multi-layered security (defense in depth): deploying multiple, overlapping controls so that your most critical assets sit behind several independent lines of defense. The layers only count as separate if they fail independently; two products that share the same signature feed, the same management console or the same administrator credential are one layer, not two. In theory it is a solid strategy, but one that even large enterprises, with comparatively great resources and large pools of specialized IT talent, have struggled to deploy.


TIME FOR AN UPGRADE

It is doubtful you would still be in business if you did not already have endpoint security (i.e., virus and malware protection) and had not given your less-savvy users at least one round of stern talks about never opening strange emails. As a next step, upgrading desktop and laptop operating systems may be the single most effective move you can make to secure your company. Not only does an OS upgrade bring the collective security lessons of prior versions online, but the upgrade process itself tends to simplify and impose rigor: it eliminates old, little-used applications and gives you a natural point at which to negotiate new security rules with users.

Windows 7, for example, is at this point increasingly a known quantity: generally more stable than XP, highly compatible with legacy software, and with improved security, encryption, malware removal, automated patch sequencing and other features built in. But how do you simplify and reduce the workload of the transition, not to mention manage the licenses involved? The answer is an automated solution for OS upgrade distribution and management, one with the right characteristics (large file storage, per-session bandwidth control, OS-specific logging, policy management, and so on) for a task whose storage, network and computational profile is quite different from everyday patch issuance and configuration management (see below).

PATCH EARLY, PATCH OFTEN

While we are on the subject, getting a handle on OS and application patches lets you keep ahead of exploits while improving product stability and performance. Patch deployment solutions let you evaluate, select, test, aggregate, deploy, log and audit patch history. That reduces workload, increases assurance, and provides an important link in the technology due-diligence chain for regulatory compliance. Because patch deployment is typically more time-sensitive, but less storage- and bandwidth-intensive, than an OS upgrade, the architecture supporting these solutions is slightly different. Often the patch-management function is augmented by configuration and policy management (see below).

CONFIGURE REMOTELY

Servers, endpoint PCs, laptops and mobile devices can all be made more secure by hardening their configurations, a complex and time-consuming process that involves turning off unused services; constraining remote access and other convenience features; setting administrator and user identities; defining execution policy for required applications; and many other details. Configuration management software keeps track of device, OS, application and other configuration baselines, interrogates devices and applies the appropriate configuration over the network, and can often be used to remotely take control of (for example, lock or wipe) stolen or otherwise exposed devices.
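As an added example, not taken from the whitepaper or from any product it describes, the following PowerShell script audits a single Windows endpoint against the kind of baseline the two sections above describe: services that should be disabled, remote-access settings, script and application execution policy, local administrator membership, and the age of the most recently installed update. The service names, the 30-day patch window and the approved administrator names are illustrative policy assumptions, not Windows defaults; the script reads settings only and changes nothing, and exits non-zero so a patch or configuration management tool can record the host as non-compliant.

```powershell
# Added example (not from the whitepaper or any product it describes):
# a read-only baseline audit of one Windows endpoint covering the points the
# "Patch early, patch often" and "Configure remotely" sections raise.
# Requires Windows PowerShell 3.0 or later, run from an elevated prompt.
# ASSUMPTIONS: the service list, the patch-age limit and the approved
# administrator names below are illustrative policy values, not defaults.

$ServicesExpectedDisabled = @('RemoteRegistry', 'TlntSvr', 'SSDPSRV', 'upnphost')   # assumption
$MaxDaysSinceLastPatch    = 30                                                     # assumption
$AllowedLocalAdmins       = @('Administrator', 'Workstation-Admins')               # assumption

$findings = New-Object System.Collections.Generic.List[string]

# 1. Unused services: anything on the list that is running or not set to Disabled.
foreach ($name in $ServicesExpectedDisabled) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { continue }                      # service not installed on this host
    if ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled') {
        $findings.Add("Service $name is $($svc.State) with start mode $($svc.StartMode); expected Disabled")
    }
}

# 2. Remote access: Remote Desktop should be off, or at least require Network Level Authentication.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -ne 1) {
    $findings.Add('Remote Desktop connections are allowed (fDenyTSConnections != 1)')
    if ($tcp.UserAuthentication -ne 1) {
        $findings.Add('Remote Desktop does not require Network Level Authentication (UserAuthentication != 1)')
    }
}

# 3. Execution policy: PowerShell script policy and whether any AppLocker rules are in effect.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -in @('Unrestricted', 'Bypass')) {
    $findings.Add("PowerShell execution policy is $policy; expected RemoteSigned or AllSigned")
}
try   { $appLocker = Get-AppLockerPolicy -Effective -ErrorAction Stop }   # cmdlet absent on some editions
catch { $appLocker = $null }
if (-not $appLocker -or -not $appLocker.RuleCollections) {
    $findings.Add('No effective AppLocker policy: application install/use is not constrained')
}

# 4. Administrator identities: local Administrators members outside the approved list.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
foreach ($m in $members) {
    if ($AllowedLocalAdmins -notcontains $m) {
        $findings.Add("Unexpected local administrator: $m")
    }
}

# 5. Patch history: age of the most recently installed update (InstalledOn can be blank for some entries).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings.Add('No installed updates reported by Get-HotFix')
} else {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    if ($age -gt $MaxDaysSinceLastPatch) {
        $findings.Add("Last update $($latest.HotFixID) was installed $age days ago; limit is $MaxDaysSinceLastPatch")
    }
}

# Report as JSON so a central tool can archive it; non-zero exit marks the host non-compliant.
$report = [PSCustomObject]@{
    Computer  = $env:COMPUTERNAME
    Checked   = Get-Date
    Compliant = ($findings.Count -eq 0)
    Findings  = $findings
}
$report | ConvertTo-Json
if (-not $report.Compliant) { exit 1 }
```

Run it as a scheduled task or from the configuration-management agent and archive the JSON; the per-host record of what is actually installed and configured, rather than what was pushed, is what an auditor will ask for.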


VIRTUALIZE THE BROWSER AND SURF FROM THE INSIDE

The web is a critically important tool for modern business, but the browser is a popular insertion point for malware and the delivery vector for attacks such as Cross-Site Request Forgery (CSRF). Letting users manage their own browsers invites trouble: unsophisticated users install toolbars, plugins and other ostensibly labor-saving tools that may carry malware or leave them open to attack, and turn on features like password caching, form filling and history that can make a stolen PC a gateway to enterprise applications, mail and data. A better answer, now supported by some security-oriented edge-network devices, is to supply users with a virtualized instance of a standard, filtered browser. This offers a high level of assurance against commonplace attacks, and it contains the ones that do succeed: code that runs inside the disposable browser instance cannot root the host OS or reach the local file system and other sensitive targets, and it is discarded with the instance. The isolation is only as good as the boundary itself and the policy governing what may cross it (downloads, clipboard, saved credentials), so those settings deserve the same scrutiny as the browser build.

SECURE THE PERIMETER

A mid-2010 EMA study found that 71% of organizations with 2,500 or fewer employees had significant trouble finding and retaining IT security specialists. That is a telling statistic when you consider how complex a full-featured, enterprise-class layered security deployment can be. Unified Threat Management (UTM) systems attack the problem by consolidating security and edge-network functions, blending gateway switching and routing with firewall, VPN, content-aware web filtering, antivirus, anti-spam and data-loss prevention (DLP). The pre-integrated result can be simpler to manage, and UTM devices can also be key enablers in outsourcing security monitoring and network management to dedicated professionals. Consolidation does mean the UTM itself becomes a high-value target and a single point of failure: keep it patched, restrict its management interface to trusted networks, and treat it as one layer among several rather than the whole defense.

SECURE THE ENDPOINTS

Securing endpoint devices in an enterprise setting is not always easy, and solutions are not perfect, so layers should be implemented here as well. Antivirus, local firewall and similar applications work to bar exploits and infections. Biometric and two-factor authentication help prevent exposure of data. And file-based encryption keeps key information safe even if it leaves the enterprise network and is copied to portable media.


MULTI-LAYERED SECURITY BROKEN DOWN BY AREAS OF CONCERN AND APPLICABLE TOOLKITS

IT area of focus: Endpoints
  Areas of concern: OS level; patch history; configuration hardening; desktop access; application access; install/use policy; file access; file storage; VPN authentication; browsing; email; backups
  Relevant toolkits: OS update appliance; patch/configuration appliance; embedded biometrics; remote policy management; endpoint encryption; UTM manager; secure browser; secure email; incremental backup

IT area of focus: Network edge
  Areas of concern: patch history; configuration hardening; VPN; firewall; stateful inspection; data-loss prevention; log archiving/backup
  Relevant toolkits: UTM manager; optional off-site management

IT area of focus: Email
  Areas of concern: OS level; patch history; configuration hardening; stateful inspection; whitelists/blacklists; boundary encryption; backups and archiving
  Relevant toolkits: secure email cluster appliance management; archive management

IT area of focus: Endpoint data encryption
  Areas of concern: OS level; patch history; configuration hardening; resilient computing; stateful inspection; DB encryption; backups and archiving
  Relevant toolkits: automated infrastructure management; patch/configuration appliance; backup management


BIOMETRICS

A little-discussed but equally important aspect of endpoint security is access control. Though it adds some cost to laptops, embedded biometric access control (e.g., a fingerprint reader) offers strong authentication while reducing service caseloads (e.g., password-reset requests). Two caveats apply: a fingerprint cannot be reissued if its stored template leaks, so the template should be kept and matched on the device rather than exported; and a biometric is one factor, so pair it with a PIN or token where the data warrants two.

HIDE IN PLAIN SIGHT

Sometimes even the best-engineered and best-maintained access-control and intrusion-prevention systems fail. And no perimeter defense is proof against an inside job. One effective way to mitigate the risk is strong encryption of proprietary and critical files to prevent data loss. Modern enterprise-wide, file-based encryption solutions can be engineered to run transparently, encrypting files in ways that do not inhibit authorized use while protecting them in transit and in storage, both on the company premises and when files are copied to thumb drives or other removable media. Because the protection then rests entirely on the keys, key management (who holds them, how they are recovered, how they are revoked when a user leaves) is where this layer succeeds or fails.

SECURE EMAIL

Email is a classic attack vector for introducing malware, phishing and other attacks. It is also the mainstay of compliance, auditing and proving due diligence under any regulatory regime. So email integrity is essential in managing all forms of business risk. For this reason it makes sense, even within an otherwise comprehensive layered security plan, to treat email as a special case and give it another layer of protection. The good news is that top-rated email security systems are improving radically, offering malware and spam protection, boundary encryption to protect partner communications, sophisticated administration controls, and end-user features such as the ability to define and manage whitelists and tune spam settings within policy guidelines.

THERE'S NO SUBSTITUTE FOR HUMINT

Human intelligence (HUMINT), skill and attention are the backbone of reliable security. But if you are pressed for resources, it can be hard, or impossible, to retain and deploy the skills you need to manage your layered security system and intervene around the clock when trouble strikes. Fortunately, new models for engaging security experts and for cost-effectively outsourcing the round-the-clock vigilance required to maintain cross-system integrity are evolving quickly, in tandem with hardware, firmware and software architectures for Unified Threat Management. The simplified, pre-integrated nature of UTM solutions makes them well suited to remote network and application monitoring, giving your IT staff access to outside experts when and where you need them most, while controlling costs and risk at the same time.
