commentary Putting all your security eggs in the one basket can leave you open to risk. But taking the layered approach does take dedication.
Every IT Manager accepts that some amount of money needs to be spent on protecting their information assets. But how do you determine how much to spend and on what forms of protection? And what happens when you add voice to the data network? Worst of all, if you're placing all your eggs in one basket, how strong's that basket?
A complex question (and answer) can be summarised by the equation: risk = threat x impact x likelihood.
|A converged network requires more concentration, faster response, and a deeper knowledge of the environment.|
The same approach should be taken when looking at the risk involved with a converged network. Assets are subject to threats so identify the specific threats in a converged environment.
Moving IP voice onto the data infrastructure means any network downtime has a much greater impact -- employees lose access to not just e-mail and network resources, but the phone.
But adding redundancy into the converged network by adding call setup servers and additional gateways to the PSTN to the network increases the resilience of the VoIP solution. It also means there are more devices to secure, monitor and patch.
With the addition of unified messaging there is a significant motivation to compromise security surrounding converged networks. The attraction for hackers to bring down a high-profile converged network, or to have another try at classic voice exploits such as toll bypass, is singificant.
So what can you do to benefit from the new services and flexibility offered by convergence, while retaining the same level of security?
Firstly, assess your performance against basic IT security practices. Have you drafted a security policy? Does this policy focus on business risk? Do your systems and procedures implemented satisfy policy and reduce risk? Was your last audit preceded by a flurry of documentation effort? If you're struggling with basic security processes and regular audits, then you're probably also struggling with justifying the amount of infrastructure and work that goes into securing a converged network.
Secondly, get ready for more rigorous security management processes and procedures. A converged network requires more concentration, faster response, and a deeper knowledge of the environment. Good design is the key to good security and should be taken seriously, right down to IP addressing schemes. Vigilance is a key part of responding to the shifts in the impact and likelihood of threats. A 24x7 monitoring and management capability enables vulnerabilities to be quickly identified and addressed. Gartner suggests that by 2006 "information security spending will drop from an average of 6-9 percent of IT budgets to an average of 4-5 percent as enterprises improve security management and efficiency."
The bottom line is that having "all the eggs in one basket" does increase risk. The good news is that increased level of spending on security is justified by the cost savings achieved from a converged network. On the other hand, it does require a more disciplined approach and greater vigilance.
Oliver Descoeudres is marketing manager at network IP/Internet network infrastructure builder and solutions provider NetStar Australia. He can be contacted at firstname.lastname@example.org or or on 02 9805 9759.
This article was first published in Technology & Business magazine.
Click here for subscription information.