The evolution of borderless networks renders a single-perimeter defense woefully inadequate. Instead, it's better to sustain multiple security points and various types of security.
Here are some steps for strengthening the security of existing enterprise networks to keep pace with new challenges.
Security professionals often sound like a broken record when it comes to security policy, but experience has shown that policy must come first. Without policy as a guide, there's no hope of successfully following this path. The policy doesn't have to be fully fleshed out; in fact, it's better to leave out some of the details. What is needed early on are broadly defined access controls among various parts of the network (for example, branch offices, production systems, Internet systems, headquarters, guests and executive staff) or various roles within the network (customer service, management, clerks, development, quality control).
One point to remember: Security policy should be written assuming total visibility. The technology may not fully support the security policy, but the policy should not be limited to what is easily done. Technology changes quickly, and what is difficult today may be easy tomorrow.
The policy will help to identify different zones in the network, areas where multiple systems or applications have similar security policies and access controls. Then, the hard work of moving systems and users begins. Many networks grow based on physical topology because that is the simplest way to manage things. But to apply access controls, it's necessary to segregate systems and users into appropriate security zones, which may require some rearranging or deployment of more sophisticated technologies such as VLANs.
For example, it's common for servers to be grouped within data centers based on acquisition date -- everything bought at the same time goes into the same cabinet. But if those servers represent production, test and development systems for the same application, then they have very different security requirements and may need to be segregated physically or logically so that appropriate access controls can be applied.
Pushing access controls to the network is a smart way to add security, but self-protecting end systems, especially servers, would be even better. In an ideal environment, the network should be secure even if all firewalls failed to open to the Internet.
Most organizations have been somewhat lackadaisical in their application and host configurations, thinking that their firewalls will protect them. That point of view must change. While additional access controls will add protection, hosts should have a good dose of self-protection. This includes host-based firewalls, good password and service management discipline, and best practices for secure configuration of the host operating system.
Now that the network is divided into zones, access controls can be put into place between the zones. This is the point at which IT managers need to select the appropriate technologies, including switch/router access control lists, firewalls, intrusion prevention systems and other in-line access control tools. If switch or router upgrades or equipment purchases are required, now is the time to make sure that the hardware or software is ready to go. This step is more about finalizing details of security planning because most of the hard work happens in the first three steps.
Once everything is in place, security policy should be pushed to the access control points. There are two important things to remember here. First, centralized tools are a must. No organization can manage security effectively and without errors if someone has to manually connect to dozens of devices and try to maintain a coordinated policy. Second, it's best to start small. If the first "policy" includes only a single rule or access-control-list entry, that's a good start.
The method of successive approximation -- moving forward carefully by building on what's tried and true -- is the safest way to add security to a borderless network, both from an operational and a political standpoint. The work may take longer, but safer is better.
Every policy push should be accompanied by a period of time allocated to examining logs, listening to user feedback and testing to be certain that the new policy is actually effective.
At this point, the process enters an infinite loop. The security policy document should be revisited to see what areas of policy have not yet been implemented and what areas of policy need more definition. Furthermore, the policy being pushed to the network should be tightened to more closely represent the policy document. The policy on paper and on the network should have as narrow a gap between them as possible.