It takes the right technology - plus good people management...
Published: 8 March 2005 12:40 GMT
These days safeguarding the corporate network requires more than just a firewall. Elizabeth Biddlecombe outlines the keys to success.
'De-perimeterization' is the buzzword among enterprise security specialists. Like all fad terms it captures a very real trend: there is no longer a clear line between who is in and who is out, who is trusted and who is not.
Insiders are outsiders when full-time staffers are logging onto the network from the road; and even if they are desk-bound they might use their PDAs and smart phones when at a cafe.
Meanwhile outsiders such as temporary staff, contractors and consultants are becoming insiders, using corporate laptops, plugging in IP phones and logging on to the server. No longer is it enough to put security personnel at the front desk and install a firewall on the network. But the starting point is the same - you need to decide what information it is you are trying to protect.
The answer may not be cut and dried. Paul King, principal security consultant at Cisco UK, says different information requires different levels of protection. Sensitive information might not be contained only in document form either. King points out that if you use an instant messaging, voice conferencing or video conferencing application provided by a third party, your conversations are leaving the company even if you are communicating with a colleague in the same room. Similarly you must remember to secure your Active Directory domain controllers, since they hold every account's credentials.
Once you've identified 'the crown jewels', the next step is to set rules on who gets to see them. You might decide it is worth asking even internal employees for a password before seeing certain types of information. The key, says Rob Enderle, principal analyst at the Enderle Group, is the 'rule of minimum' (what security engineers call least privilege): if someone doesn't need to have access they shouldn't have it. Approval must be required for access to every level of information, he advises.
If a visiting worker can do their job by accessing public websites then they should stay on the outside of the network. (And certainly no visitor should be able to access company systems via an unsecured Wi-Fi network.) If the visitor is only there for a short while or will only need information access every few days then Enderle recommends they call a more trusted employee to get that information.
Frequent access to corporate networks should be contingent on the approval of the visitor's line manager's manager, he says, and a time limit should be set on that approval. "A lot of mistakes in the past come when nobody remembers to turn it off," he says.
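The three rules above (approval by the visitor's line manager's manager, a time limit on every grant, and actually switching access off when the limit passes) are easy to state and easy to forget. The following is an added example, not code from the article or from any of the people quoted in it: a small access-review routine that walks a list of contractor grants and reports which ones break the rules. The org chart, the grant records, the 90-day maximum term and the review date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy: no contractor grant may run longer than 90 days.
MAX_TERM = timedelta(days=90)


@dataclass
class AccessGrant:
    grant_id: str
    user: str
    resource: str
    approver: str               # should be the user's line manager's manager
    approved_at: datetime
    expires_at: Optional[datetime]   # None means nobody set a time limit


def skip_level_manager(user: str, manager_of: Dict[str, str]) -> Optional[str]:
    """Return the manager of the user's line manager, or None if unknown."""
    line_manager = manager_of.get(user)
    return manager_of.get(line_manager) if line_manager else None


def review_grant(grant: AccessGrant, manager_of: Dict[str, str], now: datetime,
                 max_term: timedelta = MAX_TERM) -> List[str]:
    """Return a list of policy findings for one grant (empty means it is fine)."""
    findings: List[str] = []
    expected_approver = skip_level_manager(grant.user, manager_of)
    if expected_approver is None or grant.approver != expected_approver:
        findings.append("approver is not the line manager's manager")
    if grant.expires_at is None:
        findings.append("no expiry set")
    else:
        if grant.expires_at <= now:
            # The 'nobody remembered to turn it off' case.
            findings.append("expired but still active")
        if grant.expires_at - grant.approved_at > max_term:
            findings.append("term exceeds policy maximum")
    return findings


def grants_to_revoke(grants: List[AccessGrant], manager_of: Dict[str, str],
                     now: datetime) -> List[str]:
    """IDs of grants that fail review and should be disabled now."""
    return [g.grant_id for g in grants if review_grant(g, manager_of, now)]


# --- constructed sample data -------------------------------------------------
MANAGER_OF = {
    "contractor.j": "lead.a",
    "temp.k": "lead.a",
    "lead.a": "head.b",
    "head.b": "director.c",
}
NOW = datetime(2005, 3, 8, 12, 40, tzinfo=timezone.utc)   # review date, arbitrary
GRANTS = [
    # approved by the right person, 30-day term, still within it
    AccessGrant("g1", "contractor.j", "finance-share", "head.b",
                NOW - timedelta(days=10), NOW + timedelta(days=20)),
    # approved only by the direct line manager, and never given an expiry
    AccessGrant("g2", "temp.k", "hr-db", "lead.a",
                NOW - timedelta(days=200), None),
    # correctly approved for 90 days, but the term ran out a month ago
    AccessGrant("g3", "contractor.j", "vpn", "head.b",
                NOW - timedelta(days=120), NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for g in GRANTS:
        print(g.grant_id, review_grant(g, MANAGER_OF, NOW) or "ok")
    print("revoke:", grants_to_revoke(GRANTS, MANAGER_OF, NOW))
```

Run against the sample data, g1 passes, g2 is flagged for both the wrong approver and the missing expiry, and g3 is flagged as expired but still active, so g2 and g3 go on the revocation list. In practice the grant list would come from the directory or the VPN concentrator rather than a literal, and the review would be scheduled, since an expiry that nobody checks is no better than none.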
But before the contractor has even entered the building you must make sure they are who they say they are.
Ken Munro, managing director of ethical hacking company SecureTest, says: "Check people's history. Bogus employees get in because people don't have time to check their references." If they are going to be doing really sensitive work, check for a police record, he adds.
It is also important to make sure the facilities department knows which IT assets are important. People who claim to be fire inspectors are often offered unsupervised access to the server room, Munro has found. "As soon as someone assumes you are who you say you are, suddenly they are busy," he says.
And it makes sense to ensure that temporary staff, consultants and employees of suppliers are not left alone in sensitive areas.
From the other perspective, a VPN is the obvious way to ensure that when in-house staff are on the road they can tunnel into corporate systems. However, Enderle cautions that the rule of minimum should still be applied: VPNs are by their very nature dangerous because they are drilling through firewalls. "If hackers breach your email, all they get is your email. If someone breaches your VPN they get everything," he says.
Smart cards and tokens can help secure the authentication process but again, human fallibility comes into play here. As Munro says, educate users not to leave their laptops in their cars where they can be stolen, not to leave the token in the laptop bag and not to write the PIN on the back of the token.
Plus, he advises: "Strongly encourage people to report thefts on a 24/7 emergency number."
Despite the welter of technologies you will want to deploy to secure your business - document encryption, intrusion detection systems, encryption for Wi-Fi (WEP, though its cipher had already been broken by 2005 and WPA should be used instead), virtual LANs - it is often human fallibility that is your weakest link. Just in case something does go wrong, make visiting workers agree to all the standard policies that your in-house employees submit to, whether they govern health and safety or email usage.
Charlotte Walker Osborn, a technology lawyer with Eversheds, says if you deal with a contracting company: "You want the overall company to take responsibility for informing their employees of your policies." Then should something untoward take place, they are legally liable.
Ray Stanton, global head of security services at BT, says it is here that standards such as BS 7799, ISO/IEC 17799 or the Standard of Good Practice published by the Information Security Forum have a role, since they can not only provide a baseline for your internal measures but also help gauge the risk presented by suppliers such as recruitment agents or even managed security providers.
Most companies will want to meet your terms and conditions, says lawyer Osborn, because, "they just want the business".
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.