Security for Networks With Internet Access

Security for Networks With Internet Access

The continual process of enterprise risk management (ERM) has become an integral component of successful organizational assessment, because the process of accurately identifying various risk factors, and interpreting their potential advantages and disadvantages, ensures that a business remains capable of anticipating and addressing internal and external contingencies. The following ERM implementation plan for the security of internet-accessible networks is intended to provide a navigable framework for the development of a comprehensive ERM standard, including procedures to guide internal auditing and the construction of a capable and contemporary cyber law policy. Within the organizational structure of any complex enterprise, such as a small software development business, the continual exchange of data necessary to facilitate operational efficiency allows for the presence of clearly identifiable risk factors, including hazard risks, financial risks, operational risks, and strategic risks. The purpose of any ERM plan is to assess the various risks associated with the network of online interactions which occur daily between employees, customers, suppliers, investors, and other key stakeholders in the organizational hierarchy, while providing clear standards of conduct intended to mitigate said risks. The threat of external interference with organizational objectives must be mitigated through the application of an effective security and cyber law policy, while the resolution of internal risks associated with employee abuse or misuse of proprietary data is best resolved through strictly applied access control methods. Finally, a clearly distinguished set of cyber law guidelines crafted in congruence with legal precedent for digital media, as established by recent American jurisprudence, must be developed to apprise all members of the organization with relevant copyright, patent, and privacy statutes.

Of the four primary types of risk identified above (hazard risks, financial risks, operational risks, and strategic risks), the operational risks associated with the generation, storage, and exchange of proprietary or otherwise sensitive data is by far the most pressing from on organizational perspective. The threat of external malfeasance, in the form of data theft, hacking, and other nefarious activities designed to stunt the company's continued growth. As the world of modern commerce becomes increasingly digitized, with massive hangar-like buildings used to house the thousands of computer servers necessary to store billions of gigabytes of essential data, large organizations have become keenly aware of the need to safeguard their files and archives from prying eyes. Today's globalized marketplace brings a wealth of advantages in terms of accelerated commerce, but along with these benefits comes an array of threats, from the anarchistic campaigns of targeted computer hackers to infiltration by a competing firm. The field of information security and data protection has emerged to formulate effective defenses against these insidious database invaders, and within the broader spectrum of information technology (IT), data protection has quickly risen to the forefront of the executive decision making process. Several empirical studies have demonstrated that "as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk" (Stoneburner, Goguen & Feringa, 2002), and it is the responsibility of competent managers to understand and apply the concepts of risk management to the technological aspect of their operations.

Every company that engages in commerce, whether domestic or international, must maintain extensive digital records documenting various transactions, and with the specter of identity theft looming large as ever, effective data protection risk management is a crucial component in assuring customer's sensitive information is shielded. While achieving a 100% data protection rate is obviously the goal of every IT manager, it is more realistic to expect that incursions will occur while managing this risk effectively through preventative measures. Although the majority of major "organizations try to avoid costly information security breaches, organizations cannot make their information 100% secure all of the time" which is why "managing the risk associated with potential information security breaches is an integral part of resource allocation decisions associated with information security activities" (Bodin, Gordon & Loeb, 2008). This process of anticipating security breaches within a data network involves assessing overall strengths and weaknesses and diverting resources appropriately, which is why the most effective managers are expected to maintain a working knowledge of information security and data protection methodology. By recognizing the fact that "in most organizations, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions," while remembering that "these changes mean that new risks will surface and risks previously mitigated may again become a concern" (Stoneburner, Goguen & Feringa, 2002), the shepherds of today's most complex organizations can assure that the constant stream of data they produce is protected from the growing list of technological threats.

The traditional conception of information security has always been predicated on the protection of physical data, with reams of paper files stored in secure cabinets behind locked doors, but the internet revolution has largely refocused the emphasis on safeguarding digital data from external intrusions. However, as experienced IT network security analysts know all too well, "the subject of computer networking is enormously complex, involving many concepts, protocols, and technologies that are woven together in an intricate manner & #8230; (and) to cope with this scope and complexity, many computer networking security structures are organized around the 'layers' of a network architecture" (Kurose & Ross, 2012). While the field of modern information security emphasizes a multilayered approach to preserving system integrity, including the use of firewalls, cryptographic algorithms, access control, and other data protection techniques, erecting effective barriers to provide physical security should still be prioritized by any competent information security officer. As anybody with experience in the information technology (IT) industry can attest, the integrity of a firm's digitized data and software is only guaranteed when the underlying hardware systems are fully functioning and operable. Simply put, information security is a profession which requires a comprehensive approach, one involving both the protection of data itself and the safeguarding of server farms and other devices used for data storage. A consensus has developed within the ranks of information security officers as to how physical security should be properly deployed, with most experts agreeing that "physical security protection for IT equipment and systems should be established, based on defined perimeters through strategically located barriers throughout the organization" (Peltier, Peltier & Blackley, 2005). By analyzing and evaluating the various physical security methods employed by information security officers, it is possible to determine which of these approaches provides the most effectual results.

The first task for an information security officer to consider when developing a physical security plan is the size and scope of the operation being defended. For large corporations, commercial operations, or political organizations which require the use of massive server farms to facilitate the transfer and storage of digital data, it is essential to erect a multilayered system of defensive capabilities (Layton, 2007). Smaller entities like independent businesses will typically require only a single server to support their operations, and for these firms the physical security conditions will not be nearly as exhaustive. It has been observed through an extensive process of trial and error that "for a large server farm, several concentric rings of technology-based protection and access control might be appropriate whereas, for the distributed version, simply keeping individual servers in locked rooms might be sufficient" (Peltier, Peltier & Blackley, 2005), and a close familiarity with the size and scope of an individual firm should be the goal of every information security officer. When one realizes that "the nature of a physical security for a data should be one of concentric rings of defense -- with requirements for entry getting more difficult the closer we get to the center of the rings" (Peltier, Peltier & Blackley, 2005), this fundamental insight should guide the subsequent construction of a physical security system. The entrances to a firm's server farm location should immediately be secured through the installation of key card locking mechanisms, or better yet, facial recognition software, to preclude unwanted intrusions. A secondary system of physical security can also be implemented by ensuring that, if and when a breach does occur, that the valuable data stored within a server farm cannot be tampered with or taken. These contingency plans are usually based on the discharge of water or gas within the server farm containment room, with the goal being the physical degradation of stored data before it can be externally accessed. By implementing a combination of these methods which is customized to fit one's individual firm, an information security officer can be assured that the servers and hardware under his or her stewardship are as safe as the data they store.

When the late Rear Admiral Grace Murray Hopper, a retired general who was lauded for ushering the United States Navy into age of modern computing, prognosticated in 1987 that "someday, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it," even she could not have fathomed the omnipresent influence that data management now exerts. Literally every aspect of private enterprise is now meticulously recorded and archived for posterity, and while this process digitization has undoubtedly enhanced the efficiency of contemporary commerce, data of every distinction has become a valuable commodity targeted by thieves and other threats. The field of information security has emerged in conjunction with the rise of computerized recordkeeping, with the management and protection of sensitive data standing as the central tenet of the profession. The increasingly complex nature of multinational corporate structuring requires thousands of employees, each with varying skill levels and superiority, to interact with the same informational systems, and in order to assure that the wrong people are not able to access the wrong information various access control methods have been developed and implemented. In addition, the continual publication of "expanded material on peer-to-peer networking, content distribution networks, mobility and mobile IP, wireless networks, BGP, multimedia network security" (Kurose & Ross, 2012) serves to add further dimensions to the pursuit of effective network security. The majority of information security experts agree that "the combination of authentication (who you are) and authorization (what you can do) is generally referred to as 'access control' and it underlies nearly every security design widely in place today" (Geer, Jr., 2004), and today the difference between a company's ultimate success or failure can often be directly attributed to its ability to control access to trade secrets, financial documents, or other sensitive data.

As with any preventative measure, the efficacy of information protection strategies is directly dependent on the ability of managers to properly deploy access control methods. It has been said that "when you consider the access control model, you have what amounts to a matrix: One row for each person (or thing) that can ask for access to a system resource; one column for each system resource that these people can ask for" (Geer, Jr., 2004), but this seemingly binary process can become extremely convoluted as a company expands its operations. While the concepts of user registration and privilege management must be applied within any complex organization which relies on the free exchange of data, information security managers must be cognizant of balancing access control with overall productivity. When too many layers of protection are utilized in an effort to provide total data protection, internal problems will invariably arise as employees seek shortcuts to expedite the completion of the everyday tasks associated with their position. When leaders in the information security field observe that "access control is a key concept in information security, and organizations should & #8230; compare their current environment against the controls & #8230; to find areas for improvement" (Layton, 2007), they are tacitly sounding a warning to savvy managers, signaling that an overabundance of certain access control methods may ultimately prove to counterproductive.

Organizations of every size and variety have embraced the digital revolution, producing a proverbial avalanche of data from hospitals, businesses, media outlets, and other complex institutions. Recordkeeping, file storage, internal accounting, and a vast array of other organizational processes all create unique collections of digital information which must then be archived, monitored, and secured against the threat of theft or manipulation. The specter of anonymous computer hackers wantonly wreaking destruction on the privacy of a company's client list, or rival firms stealing and replicating proprietary software, has motivated many managers to reassess the access control methods used by their organization to secure its valuable data. Within the information technology (IT) field a growing consensus regarding data protection has emerged, and most experts now agree that because "information is a business commodity and it should be protected and controlled & #8230; a series of access-related controls should be developed and implemented by management, ranging from policies, guidelines, and processes to actual safeguards that control access to information and data" (Layton, 2007). The tools and techniques used by information security personnel to control access to information include user registration, privilege management, user password management, and the review of user access rights (Layton, 2007), so developing a thorough understanding of how these processes work, and when they should be applied, is essential for qualified leaders tasked with managing complex entities and enterprises.

As any office worker or student can attest, the process of user registration and deregistration can become overwhelming when dozens of accounts must be juggled, and this problem is only multiplied from the managerial perspective. For organizations that employ hundreds or even thousands of employees on a revolving basis, with the continual progression of hiring and firing workers necessitating the creation and deletion of user accounts, controlling access to information processing systems and applications through user registration alone may prove to be unfeasible. In order to augment the strengths of a user registration approach to data protection, the restriction of access along hierarchal lines has been achieved by the concept of privilege management. Again, in the case of highly complex organizations like corporate conglomerates, with executives heading a multilayered chain of command, the use of strict privilege management controls can eventually produce counterproductive results. When one considers the admonishment of IT security professionals, who universally believe that "a security program that has as its goal one hundred percent security will cause the organization to have zero percent productivity" (Peltier, Peltier & Blackley, 2005), it becomes apparent that erecting impassable barriers between employees and the information they need to conduct their work may hinder an organization's efficiency and effectiveness. The most effective access control policy would be one based on a the fundamental belief that "the risk analysis process has two key objectives: (1) to implement only those controls necessary and (2) to document management's due diligence" (Peltier, Peltier & Blackley, 2005), which means a comprehensive data protection program relying on a combination of responsibly deployed access control methods is the most sensible approach.

As the smartphone continues to evolve into an essential tool for navigating the modern world, reshaping the way organizations and their individual members interact and communicate, the concept of telecommunications and network security has been thrust to the forefront of the information security field. The typical corporation or similarly complex institution now requires the transmission of massive amounts of voice and data communication, often through an intricate networking scheme that combines local area, wide area, and remote access networking capabilities. The strength of every network is entirely reliant on proper design, which should be based on a thorough Network Security Architecture Evaluation that is conducted with the ISRAM and GISAM methodologies in mind (Layton, 2007). It is for these reasons that information security officers typically rely on the virtual private network (VPN), which is "a secure private network that uses the public telecommunications infrastructure to transmit data," to secure "both extranets and wide area intranets using encryption and authentication & #8230; maintaining privacy and security" (Peltier, Peltier & Blackley, 2005). The advent of VPN usage by expansive and multifaceted enterprises has enabled information security professionals to ensure telecommunications and network security without incurring the often prohibitive costs of owning or leasing private communication lines. The ubiquitous use of smartphones and other internet accessible devices poses several risks to an organization's internal and external IT network security, because although "several systems have been developed to provide physical and virtual identity management systems, most have not been very successful & #8230; (and) many of the available systems do not provide the feature of virtual access on mobile devices via the internet; this proves to be a limiting factor in the usage of the systems" (Alotaibi & Wald, 2012).

Another niche within the field of information security and data protection which has increasingly become the focus of IT professionals is the concept of application security. With the ability to create customized applications designed specifically for a company's private use now in the hands of every in-house coder, information security officers are now confronted with an unending stream of proprietary software and applications which are distinctively designed and implemented. The sheer volume of new programs and applications being produced, tested and installed by large organizations has given IT professionals a new series of threats to monitor, and it is important to remember that "when a custom application is written for your organization, each component or module of the application must be checked for security holes and proper coding practices" (Peltier, Peltier & Blackley, 2005). While custom applications can produce significant improvements in terms of both efficiency and effectiveness, from the office to the supply chain, the fundamental precepts of information security require an abundance of caution be used before an application is deemed to be safe for widespread use.

Similar to application security, operational security involves the careful construction of barriers to precisely guide the operations of a system's multitude of individual users. The fact that "an operational control that is action- or task- oriented and nontechnical in nature" (Layton, 2007) means that information security officers must think outside of the proverbial box, by anticipating the most likely ways average office workers and other employees will operate systems throughout the course of their own work day. Operational security represents the IT professional's attempt to mitigate the human element of error which so often seems to foil even the most exquisitely designed computer systems. Because every company institutes individualized policies in regards to operational techniques, from the rigid adherence enforced by the IRS to the freewheeling creative bursts encouraged by Google, those companies engaging in mergers and acquisitions must emphasize operational security, because "the acquiring organization must fully understand the information security risks within the applications, operations, and environment of the target company" (Layton, 2007).

The advent of cloud computing has alleviated much of the traditional risks associated with data theft, piracy, and other internet-accessible network security issues, but anytime computers are used to augment the procurement process there will be an enormous amount of data which is generated, exchanged, and stored. This cycle will involve multiple connections with foreign networks, with sensitive data being encrypted and concealed for protection, but the threat of corporate espionage, targeted hacking activities, and other invasions of privacy are prevalent when computer-based procurement tools are utilized. During the design phase of a new line of shoes, for example, a single hacked upload of photos depicting proprietary information could be extremely advantageous to competitors, while immediately decreasing the new product's potential value on the market. Despite the vastly increased convenience offered by cloud computing -- or perhaps because of it -- IT security analysts have expressed alarm over the accelerated rate of implementation for this emerging technological advancement observing that because of "hardware virtualization, multiple users can now share the same physical infrastructure, which runs their distinct application instances simultaneously. Although it increases resource utilization, this unique multitenancy feature also presents new security and privacy vulnerabilities for user interactions" (Ren, Wang & Wang, 2012). Although a comprehensive security protocol in regards to cloud computing technology has not yet been fully implemented by the IT industry at large, the prevailing view among network security experts holds that "a multi-level cloud security model that integrates traditional access control systems with concepts such as location-based access control, data at rest encryption, data leakage prevention and data ownership ultimately should be in place to best protect agencies' sensitive data" (Berger, 2012).