Lock The Back Door To Data

When organizations examine the security of their applications and data, they tend to worry, nearly exclusively, about security breaches and hacks occurring at the public-facing front end. That's where e-mail systems and browser-ready interfaces leave the organization vulnerable. So, security technologies are installed to tighten the perimeter defense. In go the firewalls and antivirus software. In go the intrusion detection systems.

But, companies should also consider what vulnerabilities might remain at deeper network levels. After all, companies are increasingly likely to open some enterprise systems and data not just to inside users but also to trusted trading partners and customers. For example, certain modules within a manufacturer's ERP (enterprise resource planning) system may be intentionally exposed via Web services interfaces.

As Dennis V. Pollutro, CEO of security vendor Synctomi Inc. (Union City, PA), sees it, opening the enterprise's networks or subnetworks is fraught with risk. "Through a VPN [virtual private network] connection, you may have your networks attached to the network of a trading partner. Or, you may have given outside contractors - for example, an outsourced billing provider - access control rights to certain applications on a particular network segment," Pollutro says. "But, a person who knows a bit of code can scan that network segment and see all of the other servers on it."

So, to protect against security breaches and, in particular, data theft or loss at the application level, organizations should consider following an emerging security trend: the deployment of network security appliances at deeper network levels, including back end storage.

Is Your Networked Storage At Risk?
According to Scott Gordon, VP, marketing, for security vendor NeoScale Systems, Inc. (Milpitas, CA), there are different types of storage security appliances. "Some act as a proxy, storing and forwarding information. Some act as an access control device. Some act as an authentication device," Gordon explains. There is also variety in terms of the places on a network where a storage-protecting appliance could be positioned. "An appliance could sit in front of a NAS [network attached storage] box and authenticate users trying to access the data on the NAS," says Gordon. "Or, an appliance could sit behind the NAS box and handle encryption of data that will be replicated to other storage."

Companies that have multiple user groups accessing arrays on a SAN [storage area network] could install an appliance on the SAN fabric for access control. Since the SAN houses several groups' data, each group could be given its own encryption key.

Give Network Users Tunnel Vision
Deploying security tools in an appliance rather than as software loaded onto application servers brings the key benefit of centralized security management. "Rather than have the administration process distributed among applications or storage devices, you can centralize that function," says Gordon. "Plus, the appliance offloads storage security services, preventing some security services from consuming host server processing power."

Pollutro agrees that integrated functionality constitutes much of the promise of appliance-based network security. But, he notes that interoperability among the various security tools will be essential. "There has been a lot of talk about a next generation security appliance that houses technologies from various categories, such as firewall, intrusion detection, intrusion prevention, access control, antivirus, and so on," says Pollutro. "Groups like the Open Security Exchange are working to establish industry standards for interoperability."

In the meantime, Pollutro believes that any integrated security solution must provide granular yet comprehensive protection, typically beyond the reach of a point solution. "In many cases, point solutions address security issues only for a particular network segment or a group of network users," he says. "A security appliance must ensure that an individual user has access only to what that user is supposed to see, not to the entire network topology."