InformationWeek
Defining The Business Value Of Technology
February 21, 2000
 Printer ready |
Security Frameworks Are Key To Reducing Vulnerability
By Jason Levitt
Many vendors provide some interoperability using the OPSEC standards, although the process isn't akin to the plug-and-play interaction of more-mature interoperability standards. Indeed, most collections of security products still require some custom integration to manage them coherently, even when they comply to OPSEC's standards. Also, a similar initiative by Axent Technologies, IBM, and Network Associates should also see products released this year that deliver at least part of the interoperability puzzle.
A particularly important component in these suites is the vulnerability scanning software.
BindView's HackerShield 2.0 software has recently improved its reporting and scanning features. WebTrends Security Analyzer 2.1 now includes the ability to download new security tests from its Web site, in much the same way that virus software vendors have made new virus profiles available. Network Associates' CyberCop Scanner 5.5 includes the ability to quickly patch flaws discovered by its audits. Network Associates is particularly well-positioned to deliver comprehensive solutions, having acquired several key technologies from companies such as McAfee, Sniffer, and Trusted Information Systems.
But none of these systems can succeed without first laying the groundwork of your security policies. Companies must maintain a comprehensive accounting of what services are required by what types of users: anonymous Internet systems presumably have the simplest set of services (Web and inbound E-mail, for example); intranet users likely need access to more services, such as corporate groupware; and administrators need local access to even more. Most companies will have more classes of users, but the process is essentially the same no matter how many groups you support. With this information, you need to create policies that will enforce and audit these access restrictions especially as you bring new services (or new servers) online and intruders discover new vulnerabilities.
Given this complexity, it's no wonder that most vendors of security products, provide consulting services. Traditional consulting firms such as Ernst & Young's eSecurity Online also offer reviews and assistance in developing a comprehensive security policy.
ecuring your network is an increasing complex task. Applications, particularly Web applications, are becoming more complicated, while there's an increasing push to make nearly all information in your IT department available to a growing number of people inside and outside your company. The challenge is to tie together the products you use to secure your network, firewalls, virtual private networks, intrusion-detection, and virus-scanning systems, into a coherent suite that you can easily apply your security policies to. One effort to create a framework for all these components to interact and be centrally management is the 3-year-old Open Platform for Security initiative.
Return to main story, "Are You Vulnerable?"
Featured Microsite
