Network Access Control: Bridging the Network Security Gap
by Graham Cluley - Senior Technology Consultant at Sophos - Monday, 03 February 2008.
The business work place has evolved significantly over the last ten years. Back then, networks were far more simplistic; the internet was not a critical business tool, there was far less legislation, and there were no applications for employees to launch in the workplace, except for a sly game of Solitaire. Now, a company's IT network is its central hub, an increasingly complex environment that offers dramatically enhanced efficiency, but also brings with it a convoluted set of problems for increasingly over-stretched IT departments.

Modern technologies have opened a Pandora's box of issues for companies trying to keep control of their networks. It is not unusual for a typical employee to launch instant messaging, log onto Facebook and start sharing videos with friends and colleagues. Not only might members of staff log on to the network from their desks, they might also log on from home, or from their laptop at a WiFi hotspot in a coffee shop or at the airport.

While the ubiquity of the new internet is predominantly positive for businesses, boosting employee up-time and therefore productivity, it has opened up a can of worms in terms of security, and adhering to an ever-escalating number of compliance regulations is becoming an increasingly difficult challenge for organizations. By their ability to puncture holes in corporate defenses, these new technologies are like candy to a baby for cybercriminals, who are exploiting these vulnerabilities to infect networks with malware, spyware and Trojan horses for their financial gain.

Organisations' ongoing drive for more flexible working practices also has a major impact on the overall security of corporate networks. Now, networks need to be opened up to third parties, such as contractors, customers and consultants, but these guests may not use the same security applications as the host network and may not have applied the most recent software upgrades or patches. Moreover, full-time employees are frequently granted administration rights that enable them to use their computers from outside the office, but this can compromise security, as it requires that some critical security services are disabled.

Despite the risks involved in not keeping a tight rein on the comings and goings of network users, a surprising number of organisations have no enforcement mechanism in place to drive compliance or to report on results. This gap in corporate policy exposes the enterprise to a range of threats; not simply from malware and hack attacks, but also the loss or theft of intellectual property, and punishment from inadvertently flouting regulatory requirements.

Some forward thinking businesses are however cottoning on to the risks and have therefore begun to implement security policies which try to control employee use of corporate resources and the internet whilst at work. While such frameworks can go some way towards ensuring that employees toe the line, they can be difficult to implement and enforce. Furthermore, policies alone do not present a watertight solution and they cannot stop all security breaches that are outside user control.

What are security companies doing to support customers?

The complexity of managing modern security applications, combined with a lack of control over employee and visitor computers attaching to the network, has driven many security vendors to incorporate compliance and enforcement capabilities as extensions to existing products. Indeed, some vendors have gone as far as to shift their position from promoting single endpoint security products to creating and endorsing entire suite of endpoint security solutions to give IT departments back the control they need to quash the growing threats to their networks. It has become starkly apparent that companies need support in managing all the various users and endpoints accessing their networks to ensure that security and compliance breaches do not take place.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th