There you go again, struggling with another bout of technology-induced insomnia. You're lying awake, staring at the ceiling. You're trying to decide if the image in your head of a hacker breaking into your organization's network is real or something from a dream while you dozed off for a few seconds. Yes, you, like others at organizations large and small, are deeply concerned about network security. And, your organization has bought and will continue to buy security products. But, how much security do you need? How many purchases will it take to replace that last dose of sleeping pills?
The likelihood is that you'll always feel you need more security. New threats will keep emerging at different points across your enterprise, and each one will make you feel vulnerable. The knee-jerk response is an increasingly feverish buying cycle, with each new purchase meant to stave off the latest threat. But two key factors should give you pause. First, no matter how much security you buy, an expanding network in a growing organization can never be 100% secure; it's unlikely your IT or security team can even map the entire network, let alone secure every corner of it. Second, even if you could secure every corner, you probably couldn't afford to, and you certainly wouldn't want to manage that many security products. What you need to do instead is start from your business needs and work out how much security is "just enough" security.
Networks Don't Like Security
I recently spoke with Dan Kaminsky, senior consultant for Avaya Global Services' security consulting practice. This industry insider suggests that the two goals bundled into the term network security become nearly incompatible when each is pushed to its limit. "For a network to support the business needs of its users, the more network interconnections it has, the better. For security, on the other hand, more interconnections make the system less easy to define or defend," says Kaminsky. "So, if your primary goal for the network is that it be secure, then don't turn it on. A network doesn't exist to be secure. It exists to give functionality to business users."
So, plan for some manageable areas of vulnerability and accept a certain degree of insecurity, deliberately and on the record, rather than by default. Not all of your data is critical, and some of it may not need to be kept confidential. Trying to lock it all down can disrupt arms of your business that would be more dynamic and profitable if some of their IT support were left slightly less protected. The decision about which systems fall into which category is the important one: you have to know what data each system holds and what it would cost the business to lose it before you can decide how much protection it warrants. For those business operations where you can't afford to take risks, add not just layers of security (e.g. network-level and server-level intrusion detection systems) but also layers of hardware reliability (e.g. clustered server configurations with failover protection). As Kaminsky reminds us, "That's why you build redundancy into your systems and monitor them. You do it so you can absorb a level of loss."