What you must know about network security before going global

Globalization involves extending the business to locations around the world to make the most cost effective use of global resources. This process is beneficial to both the company and the locale entered. The company gains the ability to create products or deliver services at lower costs than might otherwise be possible, and the region targeted for expansion gains employment opportunities that usually provide attractive salaries.

The drive toward globalization comes from companies that operate in time-constrained areas of the world, such as the United States and Western Europe, and that move selected operations to locations that are time-rich, such as Russia, India or the Philippines. These areas have an educated, available workforce without a local market large enough to employ it fully.

Though the workforce is educated, these regions are often not well educated about security risks. Nor do they always embrace the precautions that are de facto standard in the U.S., and some areas are wholly unaware of the underlying risks that drive network security. As companies expand into these regions, several issues must be examined, including placement of network infrastructure, corporate protection, and the risks associated with remote users.

The primary decision for companies expanding globally is: where will infrastructure resources be placed? Distributing infrastructure to remote locations can facilitate the work performed locally, but requires an appropriate level of trust. The economic benefit of locally housing physical resources that hold critical or intrinsically valuable information (such as intellectual property or personal identity data) must be weighed against the level of trust assigned to that location. Even for locations with sufficient trust, the mantra must still be the Reagan-era slogan, “trust, but verify.”

It must be recognized that remote locations are potential weak links for several reasons. It is easy to lose track of things outside one's direct view, and a remote deployment is a prime candidate to receive minimal follow-up. As things go in the security world, protections erode with every passing day. Left unattended, the security of a remote location is like a locked outdoor shed that ages after a few seasons in the weather. Eventually the doors fall off, the roof caves in, and the lock becomes meaningless.

Remote resources are both physically and logically exposed. Therefore, prior to remotely deploying any infrastructure in support of globalization, consider the level of trust to be afforded to the remote site, why such trust is merited, and how it will be continuously verified. Once trust is understood and accepted, companies must calculate the value of the resources considered for remote deployment. If the resource is of significantly higher value than the trust placed in the site, no infrastructure can safely be deployed there. If the level of trust is proportionate to the value of the resource, then the benefits of speed and ease of use may outweigh the security risk of distributing infrastructure.

Next, companies must consider corporate protection. Critical assets are unlikely candidates for remote deployment. Such assets should be maintained within corporate data centers with each remote location and/or user granted specific levels of limited access. This access must also be verified, but logical protections can be more restrictive. Corporate data centers generally house many valuable assets that justify greater security provisions and defense-in-depth solutions. Though individual assets may not justify multiple tiers of monitoring and defensive solutions, the consolidation of several assets makes it easy to enable top-tier security services such as multi-segment stateful firewalls, network-based intrusion prevention, host-based intrusion prevention, anti-X (anti-spyware, anti-virus, anti-spam), etc. Through the combined services of each solution, it becomes exceedingly difficult to circumvent or attempt to defeat each level of protection without notice.

This, however, is only true if appropriate attention is also given to those with authorized access to protected resources. When access to these assets is opened to remote users, authorized accounts must be properly monitored.

There are two primary levels of risk for remote users:
  • User doesn't respect access restrictions – This does not mean that the user is actively attempting to compromise security, but some simply do not see the harm in sharing privileged account information with others so that they can conveniently complete a task. Security is not so ingrained in every society that people recognize the risk of sharing access credentials.
  • User becomes compromised – Remote locations face the risk of crime. It is often easy to compromise an employee at a remote site who has access to desired intellectual property or confidential data. A remote user is more likely to be subverted because a bribe offered to a remote employee can be far more attractive, relative to local income, than a similar offer in the U.S. or Western Europe. This then becomes an attack from the inside, and the employee is a threat.

Identifying these risks requires detailed monitoring to recognize when an authorized user is suddenly more active than usual, or is accessing documents that, while authorized, are well outside the user's normal activity. It also requires highly intelligent monitoring tools. Not only must the tools reject unauthorized requests, they must also be able to flag abnormal but authorized activity as suspect. Intelligent "tuning" must be coupled with skilled expertise, so the events that generate alerts will be properly interpreted by a security analyst. The greater the volume of data collected, the better the chances such activities will be properly identified and deciphered, which further justifies defense-in-depth measures.
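The two monitoring conditions described above (an authorized user suddenly far more active than usual, and an authorized user reaching into document areas outside their normal activity) can be expressed as a per-user baseline compared against later activity. The following is an added example, not code from the original article or from any product it mentions; the log format, the "area" notion (first component of the resource path), the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Baseline-vs-observed detection of authorized-but-anomalous access.

Added example, not from the original article. The log format, thresholds,
'area' definition and sample data are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import statistics

# Constructed access log. Assumed format: YYYY-MM-DD <user> <resource path> <action>
# Baseline week: asmith reads 3 engineering documents a day, bjones 2 finance documents.
# Observed day 2024-03-11: asmith reads 8 documents, two of them in areas never seen before.
BASELINE_DAYS = ["2024-03-04", "2024-03-05", "2024-03-06", "2024-03-07", "2024-03-08"]
SAMPLE_LOG = "\n".join(
    f"{d} asmith eng/specs/widget-{i}.pdf read" for d in BASELINE_DAYS for i in range(3)
) + "\n" + "\n".join(
    f"{d} bjones finance/ledger-{i}.xlsx read" for d in BASELINE_DAYS for i in range(2)
) + """
2024-03-11 asmith eng/specs/widget-0.pdf read
2024-03-11 asmith eng/specs/widget-1.pdf read
2024-03-11 asmith eng/specs/widget-2.pdf read
2024-03-11 asmith eng/specs/widget-3.pdf read
2024-03-11 asmith eng/roadmap/2025.pptx read
2024-03-11 asmith hr/salaries/eu-2024.xlsx read
2024-03-11 asmith finance/forecast-q3.xlsx read
2024-03-11 asmith finance/forecast-q4.xlsx read
2024-03-11 bjones finance/ledger-0.xlsx read
2024-03-11 bjones finance/ledger-1.xlsx read
"""


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    resource: str
    action: str


@dataclass(frozen=True)
class Alert:
    user: str
    day: date
    kind: str  # "volume" or "new_area"
    detail: str


def parse_log(text):
    """Parse log lines into Events; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, user, resource, action = parts
        events.append(Event(date.fromisoformat(day), user, resource, action))
    return events


def top_area(resource):
    """Treat the first path component as the resource 'area' (an assumption)."""
    return resource.split("/", 1)[0]


def build_baseline(events, baseline_end):
    """Per user: mean and population stdev of daily event counts, and the set of
    areas touched, using only events on or before baseline_end."""
    per_day = defaultdict(lambda: defaultdict(int))
    areas = defaultdict(set)
    for e in events:
        if e.day <= baseline_end:
            per_day[e.user][e.day] += 1
            areas[e.user].add(top_area(e.resource))
    return {
        user: {
            "mean": statistics.fmean(counts.values()),
            "stdev": statistics.pstdev(counts.values()),
            "areas": frozenset(areas[user]),
        }
        for user, counts in per_day.items()
    }


def detect(events, baseline, baseline_end, sigma=3.0, factor=2.0):
    """Flag each user/day after the baseline window when:
    - volume:   the daily count exceeds max(mean + sigma*stdev, factor*mean);
                the factor term keeps a flat baseline (stdev 0) from alerting on +1.
    - new_area: the user touched an area absent from their baseline.
    Users with no baseline get a new_area alert for every area they touch.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    new_areas = defaultdict(set)
    for e in events:
        if e.day <= baseline_end:
            continue
        per_day[e.user][e.day] += 1
        known = baseline.get(e.user, {}).get("areas", frozenset())
        if top_area(e.resource) not in known:
            new_areas[(e.user, e.day)].add(top_area(e.resource))
    alerts = []
    for user, counts in per_day.items():
        b = baseline.get(user)
        for day, n in sorted(counts.items()):
            if b is not None:
                threshold = max(b["mean"] + sigma * b["stdev"], factor * b["mean"])
                if n > threshold:
                    alerts.append(Alert(user, day, "volume",
                                        f"{n} events vs baseline mean {b['mean']:.1f} (threshold {threshold:.1f})"))
            for area in sorted(new_areas.get((user, day), ())):
                alerts.append(Alert(user, day, "new_area", f"first access to area '{area}'"))
    return alerts


def run_sample():
    """Baseline on the first week of the constructed log, then score what follows."""
    events = parse_log(SAMPLE_LOG)
    baseline_end = date(2024, 3, 8)
    return detect(events, build_baseline(events, baseline_end), baseline_end)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.day} {a.user:8} {a.kind:9} {a.detail}")
```

Every access in the sample is authorized, so a pure allow/deny control would log nothing; the alerts come only from comparing a user to their own history. In practice the baseline window would be longer and the per-user thresholds tuned, which is the "intelligent tuning" the text calls for, and each alert still needs an analyst to decide whether the new activity matches a legitimate change in the user's role.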

Security in a global organization requires intimate familiarity with each location, far more than a local campus environment merits. The purpose of every remote site must be well understood, including each permitted application and the minimum access rights it needs. Ongoing tracking of such rights is critical as new user roles are developed, current roles transition, and old roles expire. If a remote site does not have its own administrator (as is often the case), headquarters personnel must assume that role and establish policies and safeguards against allowing any remote site to “fall off the radar.” When accurate levels of trust are established, methods of verification implemented, and life-cycle monitoring vigilantly maintained, globalization yields highly beneficial results for both the company and each locale included in its global expansion.
