Network Security: Getting Started

Network security hasn't always been as important as it is today. The history of network security is a story of the evolution of processing power, connectivity, and the Internet.

When computers first appeared in business, they were large, multi-user devices locked behind the doors of a data center- a data center jealously protected by information technology (IT) staff. In many cases, users didn't even have terminals. They handed a request to a computer operator and received a report in return. No real security issues here.

In addition to business user restrictions, early computers were rarely attached to other computers; and the Internet didn't exist. Opportunities for attacker access to sensitive information were rare, and personal identity information was still largely kept on paper in file cabinets.

Eventually, personal computers began appearing in businesses. Of course, management wanted these systems connected to the data center systems. Thus, networks appeared. Early Token Ring and Arcnet technologies eventually gave way to wireless and Ethernet connectivity, providing high-speed access. Add to this the current need to connect to the Internet, and opportunities for criminals across the globe to steal data or hold networks hostage abound.

So our advancing technology, our need to connect to various business and public networks, and the growing requirement to collect and electronically store information require an aggressive security response. Protecting information isn't just the right thing to do, nor is keeping bad people from taking your network offline your only consideration. In addition to these outcomes, regulatory requirements contained in the HIPAA, SOX, GLBA, PCI DSS, and other government mandates make network security another cost of doing business.

So what is the definition of network security? That depends on where you stand. For the Legal department, network security is the set of controls required to maintain compliance with regulatory constraints. For product engineers, it may be the processes and technology to protect intellectual property. Business management will probably tell you that, while they are concerned with legal and intellectual property concerns, they also want to make sure critical business systems remain available.

It can get a little confusing when trying to sort all this out. However, from a security professional's perspective, all these requirements make sense. They are covered under the three pillars of information security:

• Confidentiality - concerned with making sure the wrong people can't see sensitive information
• Integrity - ensuring all data, whether medical, business, or financial, is accurate
• Availability (continuity) - keeping the bad guys from access they can use to take down a system or entire network (i.e., killing one or more critical business processes)

These three outcomes are the objectives of all network security, including stopping bad stuff from coming into the network and thwarting attacks which make it past perimeter controls- and they will eventually make it past your well-planned and implemented defenses.

In the next installment in this series, we'll explore at a high level how various layers of controls work to protect your network and the data stored in or moving through it.