Master 3-D messaging security

In the 1980s and for much of the 1990s, video games were “side scrollers.” You moved Super Mario left and right across a scrolling digital landscape. Occasionally, you’d leap high or jump low to dodge threats and get on with your business. Messaging security was similar. You needed to protect messages as they moved in and out of your business and up and down your organization’s hierarchy. Not too tricky.

Times have changed. Today’s video games offer immersive 3-D environments. In a typical combat game, your character faces attacks from above and below, left and right, in front of you and behind you. Basically, you need to protect yourself from every digital threat imaginable—from every angle in every direction. The same is now true in the complex world of messaging security. You now need multi-directional, multi-protocol, multi-layer security. Or, as I like to call it, 3-D protection for messaging security.

Or to put it in more basic terms: If you hire a guard to watch who is going into your organization that same guard also has to look at who’s exiting your organization as well. The guard has to watch inbound traffic to protect against intruders. Distributed Denial of Service (DDoS) attacks, email bombs and other threats that can bring down entire email infrastructure.

The guard must also guard against two types of outbound threats: The first is the risk of regulatory-related information slipping out of your company. Here, you have to protect customer or financial data to comply with Sarbanes-Oxley, HIPAA (health insurance portability and accountability act) and other regulations.

The second outbound risk involves your own intellectual property. Naturally, you don’t want a list of your customers, R&D practices or source code information finding its way onto the Web.

2-D products don't work
Unfortunately, many security products have yet to leap onto the 3-D landscape. They’re stuck in 2-D environments. Most legacy gear performs one thing—perhaps blocking spam or zapping viruses. The products simply don’t offer 3-D protection for messaging and communications.

Still, there’s no reason to call it quits. Savvy Chief Information Officers can keep their companies in the game by studying the 3-D threat landscape, and embracing a comprehensive solution that offers complete messaging security. For the sake of simplicity, I’ve organized the total 3-D security solution into three components. Think of them as three steps to success in today’s hostile IT security environment.

Step 1: Multi-direction protection
The first of our three dimensions is multi-directional security. Here, you’re going to need a security solution that offers inbound protection from intruders, spam, phishing, viruses and worms. But that’s not all. Multi-directional security must also deliver outbound protection, ensuring that email and other types of messages comply with corporate policies and compliance mandates like Sarbanes-Oxley and HIPAA (Health Insurance Portability and Accountability Act).

Alas, some companies discover the need for multi-directional security after the damage has already been done. We’ve frequently read about pharmaceutical companies that accidentally shared patient information over email. That’s a huge violation of HIPAA that can hurt your brand, your business and your customer relations. And a handful of global 2000 businesses have accidentally shared their financial results over email before the news was disclosed to financial markets. That typically triggers a visit from the Sarbanes-Oxley police.

Small, privately held companies also suffer when they fail to master multi-directional security. Much like their larger cousins, small businesses need security solutions that stop confidential information or intellectual property—perhaps your R&D, investment plans or other IP—from leaking out onto the Web.

Here again, lots of vendors sell point product that scan emails for questionable incoming and outgoing content. But you need a multi-directional solution that safeguards all of your applications. I call that multi-protocol protection, and it’s the second dimension of our 3-D matrix for messaging security.

Step 2: Multi-protocol protection
Admittedly, most of the security industry remains focused on email security. At first glance, that makes good business sense.

During 2006, roughly 90 percent or more of Internet email traffic was spam, according to Gartner Inc. It makes perfect sense to mitigate that threat. But you can’t stop there.

You also need to determine whether you’re going to permit employees to use Web-based email, instant messaging, peer-to-peer (P2P) file sharing services, and voice over IP applications like Skype. Some businesses will outright ban such applications. But it’s becoming increasingly difficult to do so. Today’s college graduates expect to communicate over IM and Skype. And many employees expect to use Web-based email as a back channel for private conversations within work.

This mix applications similar to the mix of accessways into your business. Naturally, you don’t just lock your front door. You also lock your side doors and back doors. In the digital world, email is often your front door—but don’t forget about newer doors like instant messaging, Web mail and Skype.

Whether you embrace or ban these applications, you need a multi-protocol solution that accounts for them. You’ll need a solution that either blocks IM or effectively scans IM traffic to determine whether the message content is approved for sharing. Several Wall Street firms have already paid stiff fines for failing to monitor and/or block instant messages containing questionable content from employees.

Of course, the risks only climb higher with P2P and VoIP solutions. Consumer P2P systems can allow your employees to quickly decentralize information, sharing throughout your company, and potentially, with company outsiders.

Here again, many vendors promote point solutions. One may effectively target email. Another may manage or monitor instant messaging. Avoid the temptation to tackle each application with a separate security solution. Otherwise, you could wind up with a dozen different security appliances, each focused on a different component of protocol security.

The wiser move is to scour the market for a true all-in-one solution that delivers multi-protocol security.

Step 3: Multi-layer protection
You’ve tackled multi-dimensional and multi-layer security. So far, so good. But your journey toward true 3-D protection isn’t complete. Your final step requires a multi-layered approach to security.

Here again, be careful. Some security companies dabble in desktop security. Others will safeguard your portal or gateway. But what you really need is a multi-layered security system that protects your network edge, your gateway, your PCs and your portal systems.

Don’t be lulled into feeling safe because a new operating system upgrade has a built-in firewall. Don’t settle for only a gateway solution or a network edge solution. Instead, really investigate the market for multi-layered security.

If you do settle for mediocrity, you could wind up creating more problems than you solve. Consider the world of operating systems. Sure, some operating systems now include built-in firewalls. In theory, you’ve just addressed desktop security, inbound protection and outbound compliance. But in practice, you’re dead-wrong.

Many built-in firewalls only offer basic inbound protection. They don’t offer any type of in-depth outbound protection. Nor do they protect your portal, gateway or network edge. Again, stick with multi-layer security that addresses each of these network components.

Master of your domain
You now know each component within a 3-D protection system for messaging security. Now for the really tricky part of the evaluation process. In addition to finding multi-directional, multi-protocol and multi-layered solutions, you need to make sure that all three solutions work with one another.

I’m only aware of one IT security company that has mastered all three dimensions of IT security. And you can guess which one that is.

biography
Paul Henry is one of the world’s foremost global information security experts and vice president of Technology Evangelism at Secure Computing Corp. (Nasdaq: SCUR). He can be reached at paul_henry@securecomputing.com.