For Mid-Sized Organizations, High Security Can Be Low Cost

In a tight economy, it’s easy to believe that postponing investments is fiscally responsible.

When it comes to security for business networks, though, making reasonable investments to protect critical data and applications can be the most cost-effective and responsible path.

The Computer Emergency Response Team (CERT) reports that the number of computer attacks doubled last year, and no executive can assume that his or her company is safe just because it's not among the Fortune 1000. While a large organization can spend significant funds on security, there are simple and cost-effective steps you can take to make your company's networks, applications and data more secure.

The commonsense steps a manager can take to bring cost-effective security to the enterprise fall into three categories: policies, integrated solutions and open source software. Paying attention to each of these can help your company take major steps towards protecting its operations while keeping the most conservative CFO happy.

According to industry experts, nearly 90 percent of all proprietary data is stored in digital format. Unless your company is the rarest of exceptions, this means that you have sensitive information at risk of exploitation from unauthorized access. The first step in protecting this information is making employees aware that management is serious about security. Developing policies that define sensitive information and how it may be used, and then enforcing them across the organization, will make a significant difference.

In some organizations this will mean limiting, possibly for the first time, who has access to information and in what forms it may be accessed. In a company that has quickly grown as a flat organization, this is likely to entail work on defining network and file permissions, establishing permission groups, and applying more network discipline to the enterprise. There are benefits beyond security to the discipline, but executives will have to carefully explain them to employees in order to keep morale and compliance high.

When hardware and software are employed to enforce security, some will argue that best-of-breed individual applications, from firewall to user authentication, should be put into place so that every function is fulfilled by the most technically advanced technology. This can be a fine strategy if you have a large, experienced IT staff or the resources to contract with a security integration firm. Yet executives concerned with costs can look at integrated solutions, in which multiple functions are collected in a single network server.

The obvious advantage to this sort of product is that someone else, generally the device vendor, has performed the application integration, ensuring that all security software will function in concert, rather than risking a security lapse through unintended application interaction. A less obvious advantage has come through the continuing development of the applications commonly used in integrated solutions. That is, these applications are continually improving, decreasing the technology and quality difference between them and the single-server applications touted for best-of-breed installations.

The applications used in integrated solutions have improved rapidly because many are, or are based on, open-source software. Often developed and debugged by large groups of programmers working collaboratively, open-source software has improved in quality and advanced in technology at a rapid pace during the last four years. While some executives still harbor reservations concerning open-source software, the fact that many routers, storage subsystems and other network appliances already run on open-source platforms lends credence to the claim that the software is up to the demands of enterprise use.

Security is certainly an expense, but the stakes are too high not to prepare adequately for the intruder who will one day attempt to force his way inside your network. By keeping your eye on these three keys, you can ensure that your preparations do the job of security without doing a job on your bottom line.

Steve Schlesinger is general manager of Astaro Corp. of Burlington, Mass. Astaro is a developer of open source Internet security products.

