Whether the problems lie with the end-user or at the board-level, with reticence or apathy, policy enforcement is one of the greatest challenges in securing the corporate network.
Technology that disrupts business processes and complicates work for the end-user will always be unpopular, making successful long-term rollout far less likely or effective. While security products are a necessity rather than an efficiency consideration, they are no exception to this rule.
The efficiency implications for policy enforcement stretch across the security spectrum, from anti-virus, firewall and intrusion detection and prevention solutions, to best practice implementation for hard disk encryption, secure messaging and secure email and internet policy. But in all of these areas, the most effective solutions are now evolving to ensure minimum disruption and maximum functionality for end-users and security administrators, simplifying policy enforcement by making compliance less of a chore.
Security policy is broadly applied in two ways - network policy enforcement to protect the integrity and operations of the network itself against outside attack, and information policy enforcement to protect proprietary and confidential information from being accessed by unauthorized parties both inside and outside the corporation.
Network policy enforcement
With network policy enforcement applications such as firewall, gateway anti-virus and intrusion systems, the major efficiency implications are their impact on the speed of network traffic. The budget holders in companies of all sizes are going to be hard to convince of the merits of new products that slow down traffic, especially where they have recently invested in higher-speed networks and communications connections.
Beyond simply blocking port traffic, most of these solutions now function by analyzing network traffic and applying security policy to it, based on packet header information such as source, destination and protocol. In all cases the challenge is to speed up the processing required for this analysis to wirespeed or near-wirespeed levels in order to avoid bottlenecks.
Further exacerbating this situation, the increasing sophistication of security threats is heightening the need for so-called 'deep packet inspection' devices. The most damaging recent attacks such as Code Red and Nimda, and the predicted plethora of new generation attacks, are demanding security systems which look even deeper into packet streams, using functions such as signature inspection and behavior-based analysis to determine what is 'normal' traffic.
The solution to the problem appears to be twofold. The first lies in the processor technology used in network security devices. Traditional network policy enforcement devices use software solutions based on general-purpose processors. This provides flexibility and cuts development times, simplifying the adaptation of devices to changing business needs and evolving threats. However, general purpose processors have difficulty keeping up with 100Mbps network speeds and currently have little chance of scaling to gigabit and beyond.
The only answer is to use new generation network security devices based on fixed-function or application-specific processors, where the silicon is programmed specifically to perform inspection and classification of network traffic, allowing them to work at far higher speeds. This type of processor is already used in other policy-based networking devices such as load balancing and content switching solutions. The inflexibility of this method and the product volumes required to make dedicated chips cost effective have traditionally been a barrier to widespread adoption in security devices. However, programmable and semi-programmable silicon technology, and advances in production techniques, are now removing this barrier.
The second factor likely to increase the efficiency of policy-based network security is the convergence of separate (best-of-breed) security solutions into a new generation of unified network security platforms. These devices only require a single interception of the packet stream and rationalize much of the processing that would otherwise be duplicated across different functions.
Information policy enforcement
Despite this predicted convergence, many other important areas of security are going to remain outside the network security platform: issues such as the use of secure messaging for sensitive information, effective password policy, email policy, safe use of the internet, and encryption of stored information - especially on mobile devices which can be lost or stolen.
In the majority of these remaining areas, where it is an issue of security processes or ensuring use of the correct security tools and functions, policy enforcement becomes an issue of enforcing safe and secure working practices amongst an organization's employees. Here policy enforcement becomes a crossover function between the IT department and the HR department. However, the efficiency of security products will be one of the decisive factors in achieving success.
Initially the IT side of this equation involves the drafting of security policy. Security administrators must then be able to detect breaches of this policy and identify who is responsible. There is an increasing number of specialist products available in this area. March's Group Test One in SC Magazine ran through many of the different options and highlighted some of the important considerations for buyers.
But only after policy is published and the tools and processes for detecting breaches have been put in place does the difficult job of enforcement really begin. This is where the HR or personnel management process takes over. Company policy is of no use without hard and fast disciplinary procedures to deal with violations. The problem is that security policy violations could be due to anything from ignorance and apathy through to malice and criminal intent, and there are no software programs which can make judgment on this!
In the few cases where security policy breaches can be judged deliberate, malicious or criminal, it is less of an issue for companies to act decisively in handing out the appropriate penalty. What is harder is where policy violations are due to forgetfulness, apathy, ignorance and people taking shortcuts. Here handing out penalties, antagonizing and even losing otherwise valuable staff, becomes more of a dilemma. Do you penalize members of the Board for opening unidentified email attachments, or for leaving company documents unencrypted on their laptops? And if you decide to let it pass 'this once,' do you do the same again? Do you do the same for the receptionist? And where do you draw the line?
The simple answer to all of these questions is that policy, and the penalties for breaking it, have to be enforced evenly on everyone, however uncomfortable this may be. But if unnecessary conflict can be reduced or avoided, companies are clearly wise to do so.
With policy carrots, enforcement sticks
The key to reducing the need for penalties in behavior policy enforcement is twofold. If actions which break security policy can be actively blocked, this is clearly easier than having to run through logs to detect breaches and then discipline the offenders; however, this is not always possible or practical. End-user focused security products must also be made simpler and easier to use to encourage responsible behavior.
Employee use of the internet represents one of the greatest weaknesses in many organizations' security infrastructure. With internet surfing, a variety of software can be put in place to block dangerous or inappropriate sites outright. March's SC Magazine also looked at this area in its second Group Test. Similarly, instant messaging solutions and services which bypass the firewall can simply be blocked unless companies have the necessary session initiation protocol (SIP), firewalls and infrastructure to secure them effectively. But with other forms of internet messaging, the stick approach to behavior policy enforcement may not be possible or practical.
With email, other forms of internet messaging and groupware, almost all security administrators know how open and visible unencrypted information is while in transit over the internet. The most inexperienced hacker working with the most basic and freely available technology can read unencrypted messaging. However, even using the 'postcard' metaphor to impress this on staff has often not been enough to encourage the widespread use of secure messaging at either the Board or the individual employee level.
Simple-to-use products, easily deployed
Companies must look to using the most efficient and user-friendly software to encourage use of secure messaging. Effective integration with everyday messaging solutions such as MS Outlook, Lotus Notes or Novell GroupWise is essential. This allows the process of encrypting important messages to be reduced to simply clicking one extra button in a familiar environment. User interfaces for more complex tasks and configuration need to be self-explanatory. The less arduous secure messaging can be made, the more employees will use it.
Even so, the fact that senders and recipients must both have security software remains one of the biggest barriers to secure messaging. The most effective way to eliminate this barrier is for organizations to use the most widespread and standards-based technologies. Equally importantly, obtaining, installing and setting up the required client software must be as simple and self-explanatory as possible. Customers, suppliers, partner companies and important business associates must be enticed to use secure messaging through the availability and simplicity of the solution.
Most secure messaging solutions are based on public key cryptography, where a user is assigned a pair of keys: one private key which is never revealed or transmitted, and one public key which can be accessed by anyone (like a telephone number). Public key cryptography is widely acknowledged as the simplest method of secure messaging and has the added advantage that it can be used for either confidentiality or for authentication (as a digital signature) in a messaging environment. With this type of system, companies must look for solutions where the key infrastructure used for obtaining and administering keys is simple and effective.
With the realistic likelihood of private keys being forgotten, it is also vital that companies look for solutions where retrieval of a user's private key can be achieved simply but safely. While one solution is to hold a list of private keys centrally, this not only compromises the security of the system, it places an added, and unnecessary, burden on security administrators. More effective solutions offer key recovery or reconstruction features which can be managed securely by the end-user. The use of additional decryption keys is also increasingly common, where corporate messages are signed with, and can be decrypted by, an additional key managed by the corporation.
The widespread adoption of mobile devices has also opened up a significant new threat to corporate data 'in transit.' With the high risk of these devices being lost or stolen, public key cryptography is one of the most effective methods for encrypting important files on hard disks. As such, organizations can further simplify security for the end-user, encouraging the safe storage of important documents by using single multifunction solutions which handle both secured storage and secure messaging. If the same keys and passwords can be used for storage and messaging, and if familiar user interfaces can be used for different security functions, they are all more likely to be used.
Protecting both technology and information
It is right that the focus for corporate security is shifting away from pure technology, looking more closely at information policy and policy enforcement as equally important issues. While there are clearly difficulties in integrating the functions of different departments, namely IT and HR, there is a real need to look at both areas together. Whether it is convincing the Board of the need for network security enforcement, or encouraging end-users to comply with policy, effective policy enforcement comes back full circle to the simplicity and efficiency of the security products that are chosen.
Jon Callas is chief technical officer at PGP Corporation (www.pgp.com).