One of the fundamental questions every organization faces on a daily basis is: "Is our data safe?" The consequences of not knowing can be disastrous for an enterprise.
Most companies feel they get "security" by putting a firewall in front of their Web and mail servers. But this really provides a false sense of safety. The fact is businesses will never have 100 percent protection, so they need to begin thinking of security as a never-ending process, instead of as a one-time fix.
In essence, the entire security model should be flopped upside down. A firewall will keep most of the "script kiddies" out and can help protect your systems from some denial-of-service attacks, but there is one major limitation of a firewall: It won't tell you if someone got through. So why not start with what you are trying to protect in the first place - the data and the systems on which that data lives? This technology, known as data integrity, answers the basic question, "Is my data safe?"
In the never-ending struggle to protect data, there is no silver bullet, no single product or suite of products that will stop all attacks. What is needed is a portfolio of security products, each of which is best-of-breed in its respective category. There are three basic categories that I will discuss - integrity assurance, access control and auditing.
Integrity assurance consists of the monitoring and logging of any changes made to data, when those changes were made and by whom. It is a fundamental technology that should be at the core of every system, because it is an essential first step in damage assessment and recovery. If you have an incident, integrity monitoring can reveal exactly what has been done, which in turn can enable you to fix it very quickly. It can be used to prevent changes to system configuration, or to ensure that different shifts of system administrators aren't making errant or other unwanted changes to the data itself.
Access control is the attempt to keep unauthorized users out of your network while allowing authorized users to work freely. Of course, this includes the firewall, but to be truly effective, it has to incorporate other tools to help keep people out. Among the best technologies in the area of access control are:
- Single sign-on, which prevents any one user from accessing the system with multiple simultaneous log-ons;
- Authentication tools such as Kerberos or public key infrastructure;
- Token systems like SecurID, which add another level of identification; and
- Operating system-level tools that prevent unauthorized ports from being used; one example is IPchains, a Linux utility that limits the ports that get forwarded through a firewall.
Most of these technologies only work as long as their configurations don't get modified. Using tools to keep an eye on their modifications will give you the confidence that those tools are still working.
Auditing can be subdivided into two categories. The first is the initial audit of your systems, a process by which you determine that you are not using vulnerable versions of software and that all other risks within the system have been minimized. Available tools, including a number of commercially available vulnerability scanners, can assist you with this. The second is ongoing auditing: once you've finished configuring your system and have eliminated as much vulnerability as possible, you need to lock down your system, and using tools to regularly audit it for changes will give you confidence in your configuration.
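A minimal baseline-and-check integrity monitor of the kind described under integrity assurance and in the change-auditing step above, as an added example (not Tripwire's code or that of any tool named here); the directory walked, the baseline file location and the sample files created in the test are assumptions:

```python
"""Baseline a directory tree, then report added, removed and modified files.
Added illustration of file-integrity monitoring; not a product's own code."""
import hashlib
import json
import os
import stat


def _fingerprint(path):
    # Record the content hash plus the metadata an intruder or an errant
    # administrator is likely to disturb: size, mode bits, owner, mtime.
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode), "uid": st.st_uid,
            "mtime": int(st.st_mtime)}


def baseline(root):
    """Walk `root` and return {relative path: fingerprint}."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = _fingerprint(full)
    return db


def save_baseline(db, path):
    # The baseline itself must live outside the monitored tree and be
    # protected (read-only media or signed); otherwise an intruder can
    # simply rewrite it to match the tampered files.
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(root, db):
    """Compare the current tree with `db`; any fingerprint field that
    differs counts as a modification."""
    now = baseline(root)
    return {"added": sorted(set(now) - set(db)),
            "removed": sorted(set(db) - set(now)),
            "modified": sorted(p for p in set(now) & set(db)
                               if now[p] != db[p])}
```

Run `baseline()` on a freshly locked-down system, store the result with `save_baseline()` off-box, and schedule `check()` so every drift from the known-good state is reported.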
Only after compiling a portfolio of all three categories - integrity, access control and auditing - can you have confidence in your systems and their abilities to resist attack.
For more information on tools, check out the System Administration, Networking and Security Institute, SecurityFocus.com and, of course, companies such as Tripwire.
Brian Robison is technical marketing manager at Tripwire. He can be contacted at firstname.lastname@example.org.