- Capability: How effectively will the gateway handle the functions most important to your operation? How well will it conform to your enterprise’s published performance standards?
- Platform support: How efficient will the technology be within your hardware/operating system environment? Is it certified to meet your corporate production requirements?
- Compliance: If you must comply with corporate or industry regulations—HIPAA, GLB, Sarbanes-Oxley, and PCI, for example—does the system meet those standards and support timely, efficient compliance reporting?
Relative risk factors relate to the cost of acquiring, installing, operating and maintaining the system. The right gateway choice for your company is the one that delivers the most value per dollar compared to 1.) other options in the marketplace; and 2.) the importance of the following factors within your operation:
- Performance: Better-performing systems consume less CPU, disk and memory resources. They are typically a better long-term buy for two more reasons: corporate traffic almost always increases rather than decreases, and a robust gateway can reduce (or redistribute) overall loads so your existing infrastructure can accommodate more traffic.
- Reliability: By definition, gateways are expected to be highly available. How well will the system scale in large, clustered implementations? How quickly can it recover from exceptional conditions, including component failure?
- Ease of implementation: The more quickly the gateway can be installed and put into production, the better the odds for rapid adoption and support by the enterprise.
- Ease of use: The most vocal proponents (or critics) of any system are usually the people responsible for its day-to-day operation. Usability promotes user adoption and delivers tangible benefits such as fewer input errors and faster, more effective reporting. From an operations standpoint, a system that can be readily modified and reconfigured requires shorter maintenance windows.
The fundamentals of securing corporate data don’t change. At the most basic level, they boil down to restricting access, applying safety measures to the data itself, and making duplicates in case the original is lost or corrupted.
The operational context for these fundamentals, however, is constantly evolving. Most enterprises go through four stages of integrating information security into their core business processes.
Stage #1: The Fortress
At this stage, the enterprise protects data by building a wall around it. Information within this fortress is not encrypted, and the data transfer mechanisms aren’t necessarily secure. Protection consists of restricting physical access to campuses and data centers and requiring passwords for log-in. Database passwords are often left at default values or are widely known and rarely changed, since all the data is "internal" anyway. In this scenario, the safety of all data is essentially equivalent and completely dependent on physical safeguards. Security is not intrinsic to either the data or business process.
Stage #2: The Private Line
At this stage, the company embraces the "private line" or "secure tunnel" for inter-enterprise data exchange. This link is secure, but no assumptions are made about protection beyond the link, and a breach in the link will expose all in-transit data. Business processes at either end of the link expect data in its native format. Security is not intrinsic to either the data or business processes.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.