Developing a simpler security architecture


Most companies add individual security systems when new threats arise. The result is often a complicated, patchwork security architecture that's difficult to manage and potentially insecure.

In Summary:

Conduct a risk assessment and create a comprehensive security plan that minimizes complexity.

Get rid of redundant systems and configure your remaining defenses to share information wherever possible.

Outsource security functions that a reputable third party can handle better, faster, or cheaper.

Most companies didn't design their current security architecture; rather, they built it over time, based on need: a firewall here, an intrusion prevention system there.

As a result, many businesses rely on a bewildering collection of stand-alone security systems. That's a problem in two ways. First, without a clear understanding of how all your defenses fit together, it's impossible to know if they provide complete protection. Second, managing and integrating all those systems costs time and money.



That's why many midsize organizations desire ways to simplify their security architectures. The method, experts advise, is to address threats proactively and collectively.

Get organized about security management

As a first step, place one person in charge of security for the entire company. Many businesses let their networking and application specialists handle security chores separately, but this can result in redundant systems or incomplete protection.

Next, conduct a risk assessment study and draft a comprehensive security plan. Too few companies take the time to identify the right technologies for their unique security needs, security consultants say. With a complete list of your company's risks, you can match security technologies to each one.

Weed out ineffective or isolated applications

If you're committed to reducing complexity, you will likely need to eliminate some systems and integrate the rest. Eliminating systems makes sense when newer technologies that perform multiple functions become available. For example, supporting secure sockets layer (SSL) virtual private networking (VPN) and IP security (IPSec), two protocols for securing remote network access, used to require separate tools. Today, one product, such as Microsoft Intelligent Application Gateway 2007, can often support both of them. Underused functionality in products you already own may provide further opportunities to shed security systems. For instance, Windows Vista comes with its own firewall and anti-spyware software.

Similarly, Microsoft Internet Security and Acceleration (ISA) Server 2006 and the Active Directory component of Microsoft Windows Server 2003 both support digital certificates, a powerful yet simple authentication technology. Many businesses spend heavily on expensive VPN systems to authenticate remote users. "You could use certificates and ISA [Server] to do the same thing," says Tom Raisbeck, vice president of professional services at Nortec Communications, a Microsoft Gold Certified Solution Provider based in Falls Church, Virginia.

When eliminating systems is impractical, integrating them can be an effective alternative. For example, use Active Directory as a central identity repository for all of your business applications and other systems. "If a company has 10 applications, having 10 identity stores is much more likely to result in incorrect permissions, access being left in place when employees leave," and other mistakes, observes David Ryan, practice manager for security at Intrinsic Technologies LLC, a Microsoft Gold Certified Solution Provider based in Lisle, Illinois. "Centralizing authorization and auditing in Active Directory is a wonderful way to more effectively secure your environment, reduce costs, and reduce complexity."

Of course, connecting systems will be simple if you use open, interoperable products, so put ease of integration ahead of fancy features when choosing security technologies. Buying pre-integrated suites of security products from a single vendor, such as the applications in Microsoft Forefront, is another effective way to simplify your security architecture. Though sometimes ill-suited to the demands of large businesses, such integrated product families are often a sensible choice for midsize companies.

Selective outsourcing can help a small IT staff

Outsourcing security functions can help reduce architectural complexity while reducing the role of management. Rather than give up all your security responsibilities to a third party, however, experts recommend outsourcing a few selected functions – those that someone else can do faster, better, or cheaper. Threat detection and vulnerability management are good candidates. Choose your outsourcing partner carefully, though, especially if you plan to entrust them with confidential information.

Finally, remember that small measures can have a big impact on a security architecture's complexity. "Just making sure that all of your desktops are actually in a domain and configured consistently is a wonderful place to start," Ryan says. Prohibiting employees from installing unapproved firewalls and antivirus systems on their PCs can dramatically cut the number of systems you must support.


Rich Freeman

Rich Freeman is a Seattle, Washington-based freelance writer specializing in business and technology. He has more than 14 years of strategic marketing and communications experience in the IT industry.


