Network Systems DesignLine | How to protect data in an IP world


How to protect data in an IP world

Today, according to CERT, the FBI, and InterGov, nearly 80 percent of security attacks originate within the firewall and 50 percent of intrusions are not publicly disclosed. By architecting encryption into three primary functions, see how to enforce data protection across enterprise environments as a security overlay that operates independently of the network.

Page 1 of 4

The biggest threat to data security is underestimating the threat to data security. And, as IP networks become the de facto standard, ignoring reality will exact a heavy price down the road.

Assessing risk comes down to simple arithmetic: What is the data worth, and what is the damage if it is compromised? Organizations that handle highly sensitive data and proprietary intellectual property, such as customer financial information, national security information, highly competitive product development information and patient medical records, must take a closer look at the vulnerability of their networks. A single breach can wreak havoc over the long term: lawsuits from customers, fines for non-compliance with government regulations and degradation of an established brand are consequences that are very real, and often very difficult to overcome.

The way we conduct business today often opens holes in our IT systems that allow new types of attacks, posing an unacceptable risk to data and intellectual property. These new types of attacks target holes in applications, in the processes used for data access, and in any place where valuable data lives. Data protection at the network layer can provide a hardened infrastructure that safeguards critical and confidential data in a way that other security technologies cannot. It can protect new and legacy applications at the same time, and it enforces security at the core of data protection: the data itself. Data protection, therefore, must be an essential layer of defense.

Data protection strategy
The concept of data protection as a primary layer of defense raises some questions. Should a company try to keep up with 2000 application and OS patches that may cover dozens of applications, or consider a different type of data protection solution? Perimeter defense is essential, but it does not protect against the risk that comes from insiders, so is it time to encrypt data-in-motion? What does a robust data protection strategy look like? Where can data protection be applied most effectively? And how do you protect your business from intrusions that are happening every day but that you never hear about, because they are not publicly disclosed?

Beyond the perimeter
The focus of traditional network security is on protecting the perimeter by deploying firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), anti-virus software, and identity management systems. These security measures do their part in preventing many known threats from entering the network. Relying on perimeter defense alone is not enough, however, when data travels inside the perimeter from one site to another over the core IP network, or against emerging threats that traditional network security techniques do not detect.

According to studies by CERT, the FBI, and InterGov, nearly 80 percent of security attacks now originate within the firewall and 50 percent of intrusions are not publicly disclosed. Organizations must look beyond perimeter defenses to a comprehensive, multi-layer security solution that provides defense in depth.

Layered defense and defense in depth
Looking back 15 to 20 years, when companies were first connecting their businesses to the Internet, people defended their infrastructures and their data at the perimeter, initially with firewalls and then with IDS/IPS systems. Even at the 2006 RSA conference, a primary focus was identity management and device validation. Federated management, tokens, and PKI are examples of products focused on proving who entities are and ensuring that they have adequate rights to access a resource or the infrastructure. NAC and NAP are examples of technologies designed to validate that a device has the right virus protection, software patches and other items configured before it is allowed to join the network. Each of these uses signatures and cryptographic techniques to provide its own layer of security.

Once the perimeter is fortified and people and devices are validated, there is still one additional step that security-conscious organizations deploy, and that is data protection. Data protection defends against intrusions that get past traditional security techniques and against threats from insiders, keeps the core business asset, the data itself, secure, and is the next step in a defense-in-depth security architecture.


Figure 1. Threat-focused security: Looking beyond the perimeter


Figure 2. Best practice for protecting data and IP: Layered Security for Compliance

Figure 2 shows the layered approach to protecting data. The best-practice, threat-focused security approach deploys a triple-layered defense solution that (1) controls access, (2) defends the infrastructure, and (3) protects data. Access control mechanisms (e.g. AAA, federated identity) and infrastructure defense mechanisms (e.g. firewall, IDS/IPS, anti-virus, content filtering) are important components of a comprehensive security infrastructure. But the foundation, missing in most architectures today, must be a robust data protection solution that secures data-in-motion as it travels the network. This is critical to a "defense-in-depth" network security strategy.

Beyond patches
Patches are being issued in alarming numbers, and keeping up with them can be a nightmare. Furthermore, since only half of all breaches are reported, there will be many vulnerabilities for which no patch has been created. Companies should consider an alternative to reactive patchwork.

A robust data protection strategy must proactively secure data against network and application vulnerabilities. End-to-end encryption of data on the network provides a data protection overlay that eliminates the significant vulnerabilities in the network.
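The data-in-motion overlay the article describes can be demonstrated in a few lines: the routing header stays in the clear so the network forwards the packet as usual, while the payload is sealed end to end and the header is bound into the authentication tag, so a compromised hop inside the perimeter can neither read the data nor alter the packet undetected. This is an added example written for this article, not code from the article or any vendor; the AES-GCM construction, the `Seal`/`Open` names and the sample header and key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload with AES-GCM, binding the clear routing header as associated data; returns nonce||ct||tag.
func Seal(key, header, payload []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, header), nil
}

// Open reverses Seal; any change to header or payload by a hop inside the perimeter fails authentication.
func Open(key, header, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed payload too short: %d bytes", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

func main() {
	key, hdr := make([]byte, 32), []byte("src=10.0.0.1 dst=10.0.0.2") // constructed: zero test key, sample header
	sealed, _ := Seal(key, hdr, []byte("patient record #1"))
	sealed[len(sealed)-1] ^= 1 // an insider on the path flips one bit of the tag
	_, err := Open(key, hdr, sealed)
	fmt.Printf("wire: %s | %x\ntampering detected: %v\n", hdr, sealed, err != nil)
}
```

In a deployment the key would come from the overlay's own key management rather than a fixed test value, which is what lets the protection operate independently of the network path.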
