By Winn Schwartau
Network World, 01/27/97

Security is no longer just about security. Today, security is about resource and information management, and it turns out that good security is a byproduct of a well-run organization.

The corporate enterprise network is constantly changing; in three years it will be different from today, and in five years it will have changed some more. Thus, whatever plans we make today for enterprise management and security must be able to accommodate an unknown topological future. On top of that, the typical large-scale enterprise network is geographically far-flung, physically heterogeneous and logically as complex as a London street map. In short, technical chaos.

So what's the slightly paranoid, overburdened, downsized, modern, in- formation-rich, systems-reliant organization to do? For those of you waiting and longing for a magic security pill or the Holy Grail of Security, quit holding your breath. Technology is not the first place to spend money or allot resources; it is not the answer. As Stephen Katz, chief information security officer for Citibank, N.A., says, Get rid of the techno-babble. This is a management problem.''

Who's the boss?

Policy goals are up to you. You might choose to prepare your enterprise networks to be resilient against hurricanes, floods and computer viruses, but not worry about hackers. Whatever policy and goals you choose, make sure they are unambiguously clear and that everyone in your organization is made aware of them.

Opening Pandora's box

At the same time, an information asset evaluation should be performed. What information resources are important enough to be protected, and where are they located? Stephen Cobb, director of special projects at the National Computer Security Association (NCSA), notes that ''the evaluation process helps determine the relative value of data to a company. It raises awareness and makes people think.''

Top-to-bottom employee education and security management cooperation should go without saying, but so many firms miss this. You need to have the cooperation of the security staff, throughout the entire enterprise, as well as the support, understanding and compliance of end users. An ongoing education process for the entire staff should be tailored to meet the needs of each group or department. ''[Otherwise] security will be bypassed, turned off or ignored. And that's worse than having no security at all,'' Citibanks Katz says.

Technical enterprise security

There are several approaches one can take, and they all rest on the foundation of a security architecture. Keep in mind, there is no perfect solution; no one vendor will meet all of your needs exactly, everywhere throughout your organization, but many may come close.

Multilevel security (MLS) is one choice the government has been exploring for years. The premise of MLS is that some data can only be viewed by people who have appropriate security clearance. In the Read Down/Write Up MLS policy, each document is labeled according to its sensitivity and the security clearance of the person who created it. So someone with a lower security clearance can write up to Secret or Top Secret, but not down to Unclassified. Similarly, the person with Secret clearance can read secret, confidential and unclassified documents, but not Top Secret.

Another approach to MLS, used in products such as NetLock - from the Hughes Electronics Corp. unit with the same name - is cryptographic isolation. In this case, all documents are encrypted once they leave the workstation for either transmission or storage. The trick is that each security level uses a different encryption algorithm and/or encryption key. Therefore, only Secret keys can open Secret documents using a Secret algorithm. But the infrastructure for managing all these keys requires extra levels of protection as it becomes the single point of failure in the chain. Complexity reigns.

Such systems can be cumbersome, expensive, difficult to manage and subject to rapid obsolescence. It takes so long to validate the system works that by the time approval is given, the software and system are a generation or two old. As Don Sortor, a security specialist with a large multinational firm says, ''MLS? It's gone. Who cares about it?''

Maybe not even the government anymore. It is slowly migrating to new models of information assurance, detection and response because MLS proved to be too expensive and restrictive.

Centralized security

Since the end of the 1980s, companies have been searching for a better technical solution, and it might be finally arriving. Vendors of enterprise security products are coming to the realization that the real problem is enterprise network management.

One of the favored technological approaches for dealing with distributed enterprise networks is a centralized management scheme that includes a security server. To see how centralized security works, let's pretend your entire organization is connected just the way you want it. Everyone can talk to everyone they need to; the communications links work, the routers and bridges route and bridge as advertised. Remote dial-up works from anywhere on the planet; TCP/IP, SNA and NETBEUI are all happy, interconnected campers.

Now let's add security.

From an enterprise security view, we need several crucial elements that ideally make our network both manageable and reasonably secure. None of these individually are magic security pills, but taken together, in the right dosages, they can cure many of our ills.

1. First is the ability of authorized managers to add, change, or delete users across a wide range of platforms, operating systems and applications. Also known as single point of registration (SPR), this allows a security manager to add a new user to a centralized database. Think of the X.500 model here and then add resource attributes. So User A or User Group Z will be assigned passwords, user IDs, access rights to applications, and resources as determined by job function, seniority or need.

This single-point security management step consolidates the efforts of a dozen or more people, who might or might not have the time to add Henry to the RACF database. The SPR takes care of it all. Now this is not a quick fix; there is pain in reaching this euphoric technical aerie. Especially in a large organization, picking a particular platform to begin implementation might make good sense. Axent Technologies, Inc., for example, advocates conquering one technical domain (or operating environment) at a time rather than engaging in an all-out technical assault. Its centralized OmniGuard products are designed for Unix, Netscape Navigator, NetWare and Windows NT.

2. Whether for a single set of platforms or the heterogeneous maelstrom of your networks, another highly desirable function is single sign-on, or SSO.

With 10 to 20 passwords and user IDs for as many resources and applications, security breaks down because the user wants to do his job, not just keep track of passwords. So he writes them down. SSO allows the user to authenticate himself at his client machine, using a range of techniques (see story, page 48). Then he is automatically authenticated to any subsequent application or resource he may choose. It's clean and neat but has its own set of problems.

''Automatic authentication between nodes and resources is essential because today there is no such thing as 'my network' and 'their network,' '' Infocores Allen says. ''If you are networked, you are networked.'' Unisys Corp., for one, offers a suite of single-point security products for the client/server environment.

3. The well-managed enterprise security server should present a functionally transparent view of the user's universe because it's critical to his job performance. Regardless of which client operating system is in use (Windows 3.X, NT and 95, Unix and Macintosh), the graphical representation of his access to applications, systems and resources should reflect the underlying and invisible security concerns. Simply put: If the user is not meant to have access to some distant set of selected resources, then don't put them on the screen.

Richard Gill, director of channel marketing for ICL North America, advocates the central server approach for different reasons. This approach means ''the user will not have to go through periodic, costly retraining every time there is a technical reorganization or IT makes other network changes,'' he says. The user's view is consistent, the security server information is updated, and, as far as the user is concerned, the same icon gets him to where he wanted to go anyway - invisibly.

ICL's Access Manager was the first commercial product to present a homogeneous view to the user of a complex global network's resources and applications.

Now there are many different techniques to achieve this, and vendors - including Computer Associates International, Inc. with its Unicenter suite - will be more than happy to tell you why their approach is the best. But there is no standard vocabulary among vendors yet, so be careful to make sure you understand exactly what the vendor is promising.

4. Our ideal enterprise security system will also want to be able to detect certain behavior that is deemed inappropriate, both from the inside and the outside. Intrusion detection is getting a lot of press these days because of the Internet. But don't be fooled. Dan Woolley, vice president of business development for security vendor Memco Software, Inc., warns, ''Insiders are still the biggest threat to our systems, and some 50% of computer crimes still occur from current or ex- employees.'' Has a user repeatedly tried to access one resource using a series of unknown passwords within a short period of time? Has someone tried to log on to three different terminals or clients on three different continents at the same time?

Internet Security Systems, Inc. in Atlanta offers tools to test your perimeter security, and WheelGroup Corp. of San Antonio, Texas, has developed response tools for attempted intrusions. More security concerns are going to be response-oriented as opposed to merely building a high wall.

Intrusion detection systems are getting smarter, and you may hear some fancy words to describe them. Some claim fuzzy logic, which is better left to elevator and washing machine controls. Others claim artificial intelligence agents, but they have never really panned out. I prefer the term ''heuristic'' to de-scribe a self-learning system, which changes the rules gradually over time. ''Parameterization'' means you choose a set of out-of-bounds guidelines where the system reacts in some manner. But if a thousand people act the same out-of-bounds way every day, the out-of-bounds conditions will change to reflect the actual behavior of the system. PRC, a McLean, Va.-based systems integrator, and Hughes Aircraft Co. have been looking at various approaches under the correct premise that intrusion detection should be dynamic not static.

5. A security system that can react automatically to problem situations is critical, but such products are in their infancy. Some reactions may be fairly benign, such as merely sending a notice to the console or security manager screen. Others trigger E-mail. Some of the better reaction mechanisms may choose to run a predefined process. Unless the reaction to the intrusion actually accomplishes something, such as halting the attack or identifying the offender, it's pretty useless.

We're awaiting further developments in this area, but in the meantime, make sure you emphasize to your security vendors that this is high on your list.

All of these concerns are grounded in security basics. Memco's Woolley says, ''Simplify the risks and then adapt to the real needs you have identified. Enterprise security comes down to perimeter defense, transmission defense, data/systems integrity, and administrative audit, alarm and response.''

''Such systems offer more than security,'' ICL's Gill says. ''Real cash can be saved [through] operational efficiencies, simplified online systems administration, less functional overlap and redundancies, and lower help desk costs. They all add up to a justification for investment in enterprise network security.''

Security specialist Sortor maintains that ''you have to pick the number of technical security pieces to implement based upon your real needs. Do you need Kerberos? Do you need crypto everywhere? How strong does your authentication need to be?'' Perform a risk analysis to identify the problem areas, then select technologies to solve those problems. Stephen Cobb sums it up: ''Concentrate on the vulnerabilities and the access points.''

Making it all work

There will be growing pains, so take some advice from Woolley, who's been there: ''Whatever you do, start small. Pilot it first.'' Build a pilot that, once working can be easily scaled in size, complexity and distance. Start with one or, at most, two platforms and get the feel of how the system works. Ask your vendor for 30-, 60- or 90-day trials, and be prepared to pay for consultation services for initial training.

And remember, technology is not always the answer. One of my financial clients was worried about connecting to the Internet. We quickly determined the major cause for concern was the human resources department; if it was online, sensitive information may be compromised. The company expected a technology solution, maybe an intranet firewall, so the rest of the company could connect to the 'Net.

In a matter of minutes, we determined that out of more than 5,000 employees, only six needed access to the human resources computers, and those same six needed only basic Internet access for corporate E-mail. We gave them a quick, inexpensive and effective solution: an air gap. Disconnect the human resources computers from the company network and the Internet. Give all six of them an extra, low-end PC (which were lying around unused) to access company E-mail. It cost one-hundredth of what the company wanted to do technically, and management headaches were reduced to zero.

Sometimes technology ain't all it's cracked up to be.