A more secure union
A more secure union

Integrating the networking and IT security staffs delivers operational benefits, but comes with challenges, reports Jim Carr.


Managing and securing a corporate network infrastructure can be like juggling a half dozen bowling balls: it's too much work, really, for one pair of hands, yet adding a second set only complicates things.

Yet that's often the situation that enterprise networking and security professionals often find themselves in. They need to cooperate to keep all the balls in the air, but run the risk of getting in each other's way as they do.

Still, more enterprises are merging some of the tools and responsibilities of the two departments into an integrated environment, even if they're not physically combining their networking and security teams and operations.

Such is the case with the Bank-Fund Staff Federal Credit Union (BFSFCU), a Washington, D.C. credit union that provides financial services to 55,000 workers associated with the World Bank, the International Monetary Fund and the International Finance Corp. The networking and information security staffs are “separate and distinct groups,” says Rich Anderson, the information security officer and business continuity coordinator at BFSFCU, which is one of the nation's 20 largest credit unions with about $2.5 billion in assets.

“We have somewhat overlapping responsibilities, and we do share some of our tools,” says Anderson. Most notably, the credit union's IT staff has expanded use of its security information management (SIM) system to provide reports that the security and IT organizations make use of for different purposes.
A failed user login attempt, which generates email alerts to both Anderson's risk-management group and the credit union's IT help desk, is a prime example, says Anderson.

On one hand, a failed login could occur if someone's trying to use the wrong account to access resources without authorization, Anderson says. That could lead to a potential data breach, which is handled by the security group.

It can also, however, indicate that an employee forgot their password after a forced password change. In this case, the alert lets the network help desk be more proactive and call the user who's locked out and unlock the PC for them, he explains.

Another example: When an employee plugs a USB device into a computer, Anderson gets an email that tells him who it was and the ID of the device.

“We're trying to control data leakage, and a camera, cell phone or USB device are all really just hard drives and a way data could leak out,” he says.

The security staff, he explains, is concerned that it will bring in an unwanted virus or allow data to leave the company. The IT staff, on the other hand, is concerned that the device could cause a problem on the network.

All that aside, Anderson is old school in his perspective of the integration of security and networking.
“It's good business practice not to have the information security personnel in the IT department,” he says. “You lose separation of duties, that impartial insight.”

No ideal world
In an ideal world, there'd never be any conflict between the IT professionals who manage enterprise networks and those who secure them. That's not reality, however, and thus enterprises often struggle with the question of how the two groups can more efficiently work together.

One trend is a move away from the security department serving as a consultant to the rest of the company, says Michael Gavin, a security strategist with Security Innovation, a services and technology provider. Now, security isn't left just to security professionals anymore.

“Network administrators are handling security, and programmers are starting to take up some of security responsibilities,” Gavin explains.

The integration process is still very much in flux, however, he believes.

“A lot of larger organizations have a problem in that they move slowly. There's an organizational component when grappling with this kind of change, and that's a challenge for large companies.”

As a result, there's now more of a dotted line connection between security and networking staffs than ever before. That is, there's no direct reporting between departments involved, but they do work together more closely than previously, according to Gavin.

He sees more direct integration of the two functions at the managerial level. Enterprise security pros have seen reports of security never getting anywhere if it remains siloed, he says. “They find they need to have communication between the security professionals and people managing business elements,” he adds.
If there's a breach, for instance, the security staff must deal with the network folks, as well as the legal, public relations and marketing departments.

“Everyone has to come to the table and understand each other's responsibilities and how to respond to different types of events,” Gavin says.

Tom Turner, vice president of marketing at Q1 Labs, a network security management company, agrees with Gavin to a point. He says he's seeing the separate IT and security silos breaking down, with network and security working closely together.

There're plenty of benefits from this merging, he adds.

“Having closer collaboration between network and security teams ultimately means better response, better ability to manage risks and better ability to evaluate and improvise as the threats change,” he says.

Significant benefits

Cooperation between networking and information security staffs can lower IT operational costs. The reduction can come in several ways.

The increased visibility and control into the network infrastructure that a merged team delivers means it takes fewer people and less time to operate a network, says Trent Waterhouse, vice president of marketing for Enterasys, a networking company. As an example, he says that one of his company's customers, with 30,000 workers and a merged IT security department, operates with 20 percent of the IT employees that staffing surveys suggest they need.

Sanjay Beri, vice president of access solutions at Juniper Networks, points out the significant capital expenditure savings that result when security and IT rely on the same equipment to manage their two realms. These can include lowering costs by sharing a common set of information and reporting resources.

And he's not alone in his assessment.

“We're seeing corporate IT and security getting together to introduce security into processes earlier,” says Peter Evans, director of marketing at IBM's ISS division. “That can reduce costs rather than introducing security as an afterthought.”

There are significant benefits for operating a merged IT/security group, says Andrew McKinney, the director of technical services at Richardson Financial, a $7 billion (Canadian) brokerage firm with 11 offices in Canada. The network and security employees are part of a single group because when the company was formed five years ago, “we built it that way,” says McKinney.

“Combining the departments provides inherent optimization because individually we can oversee security and networking. Network engineering isn't just focused on networking optimization and connectivity. They're involved in creating access lists, defining security policies and enforcing them,” he explains.
Combining the two functions also makes it easier for the company to establish new sites as it expands, he adds.

“Most of our projects have network pieces and security components, and we're able to use our common skill sets to define, implement and change policies.” McKinney says.

On the network side, McKinney's group must ensure that employees have enough bandwidth for the applications they use. On the security side, the details include how workers will authenticate and enable authentication auditing.

The integration of the two disciplines even impacts the network equipment the company buys. The firm's deployment of a WAN optimization product from Blue Coat Systems, for instance, served the interests of both security and networking.

First, its deployment was implemented to ensure that critical business functions, such as being able to place orders on the stock market or manage client accounts, received priority on internet bandwidth, according to McKinney. But security was a secondary concern, because he was seeing a lot of internet bandwidth used to access YouTube.

“We enforced security policies to control use of these sites during critical periods,” he says.
The installation also allowed Richardson Financial to control access to sites that it wanted to limit according to the company's code of conduct, he says.

“We use the Blue Coat box as a common tool to ensure our policies are being enforced.”

McKinney shares one of Anderson's concerns. Putting too much control in one person's hands can be problematic, he argues.

“We have a strong change management process in place that reviews changes at different levels before we implement them,” he says. “It's useful to have common people make changes, but we make sure they're monitored and appropriate.”

In the end, the challenge of merging the two groups comes in finding the right individuals who can understand and appreciate the difference between network and security functions, says McKinney.
“You can't throw it together haphazardly.”