To secure, or not too secure?

Security for security's sake can lead to a cumbersome experience for users and management nightmares.
By Nick Keene, Country manager at Citrix Systems South Africa.
Johannesburg, 29 Mar 2007

When is security too secure and how can new approaches help to overcome the security needs of service-oriented solutions?

Network security is front of mind in business computing. The wide use of service-oriented applications that allow deep access to internal networks via remote connections has raised the bar on security in terms of network permeability. The true perimeter of the network is now more abstract than ever as businesses attempt to balance high functionality with adequate security.

But higher levels of security can present a problem in terms of user access and general experience. As such, security can begin to impact on productivity, as users are required to jump through hoops before being allowed access to the resources they need in order to do their jobs. This situation can be avoided by improving IT efficiency and also by utilising technologies such as virtualisation, which, if correctly implemented, can circumvent many of the problems users face when accessing the network remotely.

Manageability is key

Forrester recently surveyed over 1 200 European technology decision-makers in both the SMB and enterprise markets in preparing its 'The State of Security in SMBs and Enterprises' report, released in February 2007. Among the findings in the report, Forrester remarked that upgrading security environments is a top priority for enterprise customers.

Furthermore, European decision-makers consider manageability a key factor for security purchases, with ease of management topping the overall list of factors that firms consider when making purchasing decisions for security technology. The centralised approach to management is most favoured.

It is also interesting to note that nearly two-thirds of European SMBs prefer to deploy dedicated security hardware that is either integrated into their network or wrapped into an all-in-one security appliance.

All in all, it seems the current environment demands improved IT efficiency, gained by consolidating systems and data under the central control of technology teams. The focus is on accelerated application delivery, improved security, availability, performance and the management of enterprise resources. So everything really, but with a straightforward and simple management framework.

Making sacrifices

But how is this overall efficiency gained? Surely in balancing efficiency in other areas with adequate security, sacrifices must be made on either side? It is true that compromises must be made when dealing with conventional approaches to security, but the notion that higher levels of security restrict other areas of effectiveness becomes moot when using virtualisation technology and following a firm technology strategy that holistically caters for security.

As part of this strategy, secure user access must be simplified and consolidated. The extension of remote access is considered a permanent trade-off between security and user-friendliness. But this is not true if use is made of one access point with a universal SSL VPN appliance that provides a secure, always-on, single point of access to any required resource.

Passwords are also controversial in their effectiveness and the debate continues as to how passwords should be implemented. If a security strategy is holistically integrated, however, centralised single sign-on is possible for multiple resources.

This means that users are not over-exposed to multiple credential sets and security can be enhanced while support costs are potentially reduced.

This seems to be the optimal approach to password-based security, but only if security is implemented end-to-end.

Getting it right

The automation of sign-on with propagated policy enforcement and regular password changes can also eliminate security breaches common when users have more passwords than they can manage.

Of course, this strategy must also include ensuring data is kept in the safest possible place while keeping sensitive data confidential - especially when serving millions of customers online. Role-based security policies and identity management come into play in providing this level of security.

It is challenging to blanket an entire infrastructure with security. Instead, security is often either on or off, depending on which part of the network is in question. But the "dimmer-switch policy" is also possible, where the level of security or access is dependent on where you are and how secure the connecting device is.

Forrester concluded in its report that the demand for effective, centrally-managed security solutions is not set to dissipate anytime soon. The challenge to implement effective security that is not a constraint on convenience or productivity is not a problem that will just 'go away' - the time has come to get it right.
