Well, you know . . . I'm not much of a singer. Just ask my kids. But the old Beatles anthem about revolution doesn't have much of a place in today's network and security space. Not that a revolution isn't sometimes needed, but most of the time it's not at all practical. That's why the word of the week is evolution.
Most of us are employed by businesses that do stuff. Maybe you manufacture things or heal people or help manage the finances of folks. I don't know much (this time, ask my wife), but if your security is getting in the way of doing the things that pay the bills, the security manager is not long for this world. You don't have an option to bring down the network for any length of time. You may have a couple of hours here and a couple there (depending on the nature of your business), but taking things offline for days at a time will make you very unpopular in the boardroom.
I'm going here because in my last column I talked about "blowing up your network," and - despite some of the hype backlash I've heard being leveled at network access control (NAC) since my column - I firmly believe NAC is the future of network security. What I didn't say was that you could get there overnight. If you have more than a handful of users, your key word is evolution.
Revolutions tend to be bloody, expensive endeavors involving a lot of carnage. Ultimately we usually wonder what was accomplished. That's both in the real world and within our networks. Your job, as the shepherd of information protection, is to put in place an infrastructure that is highly available and protects private information. You need to do this in a cost-effective and nondisruptive fashion. Of course, those two things tend to be at odds with each other at times, but that is the goal.
Though it's pretty rare, revolution sometimes does make more sense. If someone drops a bag of money in your lap - or your infrastructure is in such tatters there is no way to get there from here - revolution is your best option. You'd be well advised to roll out the new capabilities on a test group (that includes the CIO) to ensure you are not going to affect the company's workflow adversely.
The first time a sales guy can't enter in a big order because his anti-virus update failed and he got stuck in quarantine jail, you'll know what I mean. Maybe this is obvious to you, but you'd be surprised at how many folks do things without properly managing expectations and without a fallback position if things go awry.
For everyone else, you are looking at an evolutionary path to NAC. First you pick the low-hanging fruit: Protect your data center and your mobile professionals. You don't need a network brain transplant to do this, because it can be accomplished with some simple overlay NAC devices.
The data center is an easy call. That's where the money is, so that's what you need to protect. Folks coming from the finance network (or in the finance group) get access to the finance system. Folks in janitorial don't. Likewise, your mobile professionals are most likely to be compromised, because they hang out in some unsavory places (such as coffee shops and hotels). Making sure they are not polluted before entering is pretty important also and can go a long way toward ensuring that one infected device doesn't become many.