The best hope for a security solution that protects enterprise-wide networks while allowing for centralized management is the emergence of standards. Security standards like DCE, Kerberos, SAML, elements of IPv6 and others continue to be the Holy Grail for which we wait. However, the wait continues after decades with little hope for a standards-based security solution in the immediate term. Why wait for a new standard when an existing standard will do.
Letís take a look at some of the security issues facing the IT professional and see what management problems they have in common:
- All data, including passwords, flows in the clear over most networks
- The insider threat is on the rise
- Wireless networking means networking is not restricted to wires any more
Another huge security problem that has been mainly ignored, because it is hard to solve, is the insider threat. An insider can abuse their privilege to collect sensitive data for the fun and profit of the individual, with no regard for the organization. The insider threat has always been much greater than the hacker threat, but mild-mannered, trusted employees stealing data is not headline material like a thirteen year old hacking the Pentagon. In reality, the disgruntled employee has more motivation and more access to sensitive data than any outsider. The network must not turn into an enabling technology for the disgruntled employee to compromise data or have access to data beyond that with which they are trusted.
Today, wireless networks are common place, sending and receiving data packets within corporate meeting rooms, office bays and yes, even beaches. With the expanded network perimeter, it is even more important that each packet coming in be authenticated to make sure it is coming from a valid user. Additionally, each packet going out must be checked to ensure sensitive data is not being broadcast to allow just anyone to pickup.
One way to solve all three of these problems is to control the data packets going in and out of each host. If each host only looks at the packets bound for it, the password sniffing problem is solved. If users are only allowed to access the hosts they need to do their job, they are limited to only the data with which they are trusted. As result, as much as possible, insider threat protection is gained. Finally, if each packet is checked going in and out of a host, the wireless hub would never see sensitive packets, and outsider packets entering via the wireless hub would be read only by the intended host.