Security, Identity Management, Network security - You will find all exciting topics on Information Security - End to End
Saturday, October 28, 2006
"The network is the computer" - Sun Microsystems' network vision is now more than a reality. With the use of networks for sharing information come additional risks that contribute to network security concerns.
1) Distributed File Storing - Concerns
File servers can control users' access to various parts of the file system. This is usually done by allowing a user to attach a certain file system (or directory) to the user's workstation, to be used as a local disk. This presents two potential problems. First, the server may only provide access protection down to the directory level, so that a user granted access to a directory has access to all files contained in that directory. To minimize risk in this situation, proper structuring and management of the network file system is important. The second problem is caused by inadequate protection mechanisms on the local workstation. For example, a personal computer (PC) may provide minimal or no protection of the information stored on it. A user who copies a file from the server to the local drive of the PC loses the protection the file had while it was stored on the server. For some types of information, this may be acceptable. However, other types of information may require more stringent protection. This requirement focuses on the need for controls in the PC environment.
2) Remote Computing - Concerns
Remote computing must be controlled so that only authorized users may access remote components and remote applications. Servers must be able to authenticate remote users who request services or applications. These requests may also call for the local and remote servers to authenticate to each other. The inability to authenticate can lead to unauthorized users being granted access to remote servers and applications. There must be some level of assurance regarding the integrity of applications utilized by many users over a network.
3) Topologies and Protocols - Concerns
The topologies and protocols used today demand that messages be made available to many nodes on the way to the desired destination. This is much cheaper and easier to maintain than providing a direct physical path from every machine to every machine. (In large networks, direct paths are not feasible.) The threats inherent in this arrangement include both active and passive wiretapping. Passive wiretapping includes not only information release but also traffic analysis (using addresses, other header data, message length, and message frequency). Active wiretapping includes message stream modifications (including modification, delay, duplication, deletion or counterfeiting).
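As an added illustration (not code from the original post), the receiver below shows how a shared-key MAC bound to a sequence number and timestamp lets the recipient detect each active-wiretapping outcome listed above: modification and counterfeiting fail the MAC, duplication and deletion show up as sequence anomalies, and delay is caught by the timestamp. The key, the delay limit and the messages are constructed for the example.

```python
# Added example: detecting message-stream modification on a shared medium.
# Key and messages are constructed; both ends are assumed to share KEY already.
import hmac
import hashlib
import json

KEY = b"constructed-shared-key"   # assumption: distributed out of band
MAX_DELAY = 30                     # seconds a message may legitimately be in transit

def seal(seq, sent_at, body, key=KEY):
    """Sender side: bind sequence number, timestamp and body under one MAC."""
    payload = json.dumps({"seq": seq, "ts": sent_at, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}

class StreamReceiver:
    def __init__(self, key=KEY):
        self.key = key
        self.expected_seq = 1
        self.alerts = []          # (kind, seq) records for the operator

    def accept(self, msg, now):
        """Return True if the message is genuine, fresh and in order; log why not otherwise."""
        payload = msg["payload"].encode()
        good = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # constant-time comparison so the tag is not leaked byte by byte
        if not hmac.compare_digest(good, msg["tag"]):
            # a modified genuine message and a counterfeit both land here
            self.alerts.append(("mac_failure", None))
            return False
        m = json.loads(payload)
        if m["seq"] < self.expected_seq:
            self.alerts.append(("duplicate", m["seq"]))      # replayed copy
            return False
        if m["seq"] > self.expected_seq:
            # a gap means an earlier message was deleted (or is still in flight)
            self.alerts.append(("gap_before", m["seq"]))
        if now - m["ts"] > MAX_DELAY:
            self.alerts.append(("delayed", m["seq"]))        # held back too long
            return False
        self.expected_seq = m["seq"] + 1
        return True
```

Passive wiretapping is not addressed by this check; hiding content and traffic patterns needs encryption and padding on top of the integrity protection shown here.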
4) Messaging Services - Concerns
Messaging services add additional risk to information that is stored on a server or in transit. Inadequately protected email can easily be captured and perhaps altered and retransmitted, affecting both the confidentiality and integrity of the message.
5) Other Network Security Concerns
Other network security problems include:
· Inadequate network management and security policies
· Lack of training for proper network usage and security
· Inadequate protection mechanisms in the workstation environment
· Inadequate protection during transmission.
A weak security policy also contributes to the risk associated with a network. A formal security policy governing the use of networks should be in place to demonstrate management's position on the importance of protecting valued assets. A security policy is a concise statement of top management's position on information values, protection responsibilities and organizational commitment (Security strategy and implementation are discussed later). A strong network security policy should be in place to provide direction and support from the highest levels of management. The policy should identify the role that each employee has in assuring that the network and the information it carries are adequately protected.
The network security policy should stress the importance of, and provide support for, network management. Network management should be given the necessary funding, time and resources. Poor network management may result in security lapses. The resulting problems could include security settings becoming too lax, security procedures not being performed correctly, and even the necessary security mechanisms not being implemented at all.
The use of PCs in the network environment can also add to the overall risk of the network. In general, PCs have relatively weak controls for authenticating users, controlling access to files, auditing, etc. In most cases, the protection applied to information that is stored and processed on a server does not follow the information when it is copied to a local PC.
Lack of user awareness regarding the security of the network can also add risk. Users who are not familiar with the security mechanisms, procedures, etc. may use them improperly and therefore less securely. Responsibility for implementing security mechanisms and procedures, and for following the policies regarding the use of the PC in a network environment, usually falls on the user of the PC. Users must be given the proper guidance and training necessary to maintain an acceptable level of protection in the network environment.
Section 404 SOX Compliance
A complete federated identity access management and collaboration platform to comply with Sarbanes-Oxley.
Business problem
The Sarbanes-Oxley Act (SOX) was passed to reform the accounting practices, financial disclosures and corporate governance of public companies.
Section 404 of SOX requires management to perform an annual assessment of internal controls over financial reporting and to obtain attestation from external auditors.
Compliance requires major changes in corporate governance, accounting, auditing and financial reporting practices. It requires companies to strengthen and document their internal controls and corporate IT systems to support the affected business processes. It requires adherence to structured, documented identity access management security practices that protect information.
Compliance creates new demands on IT. Systems once thought to be secure and capable of maintaining user confidentiality must be readdressed. Unauthorized access to systems and the data they contain may unwittingly permit individuals to alter information or commit acts of fraud that may damage the company and cause it to violate regulatory standards.
SOX is just one of many pieces of legislation that require this level of compliance: the Gramm-Leach-Bliley Act (GLB), 21 CFR Part 11, HIPAA, and the California Database Security Breach Notification Act are examples of the many such laws enacted within the last several years.
Solution
Ensure that only authorized users are allowed access to systems.
Employ access granularity that specifically defines what people can view or actions they can take once they have gained access to the systems. For example, a financial analyst may be granted access to view financial data for report construction but not be allowed to initiate a transaction or modify the information.
Maintain centralized control over who is authorized to access particular systems and what information within those systems they are authorized to access, and, when a user leaves the company, ensure their access rights are completely revoked from all systems.
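As an added illustration of the three solution points (not code from the original post or from any product), the store below keeps all entitlements in one place, grants actions at the granularity of view versus initiate-transaction, denies by default, and revokes a leaver from every system in a single step while recording an audit trail that an assessment can be checked against. User, system and action names are constructed.

```python
# Added example: a minimal central entitlement store with default-deny checks,
# one-step offboarding across all systems, and an audit trail. Names are constructed.

class CentralAccessControl:
    def __init__(self):
        self.grants = {}   # user -> system -> set of permitted actions
        self.audit = []    # evidence the annual assessment can review

    def grant(self, user, system, *actions):
        """Add specific actions (e.g. 'view') on one system for one user."""
        self.grants.setdefault(user, {}).setdefault(system, set()).update(actions)
        self.audit.append(("grant", user, system, tuple(sorted(actions))))

    def is_allowed(self, user, system, action):
        """Deny unless the user holds exactly that action on that system."""
        allowed = action in self.grants.get(user, {}).get(system, set())
        self.audit.append(("check", user, system, action, allowed))
        return allowed

    def offboard(self, user):
        """Revoke every entitlement the leaver held; return what was removed."""
        removed = self.grants.pop(user, {})
        for system, actions in removed.items():
            self.audit.append(("revoke", user, system, tuple(sorted(actions))))
        return {system: sorted(actions) for system, actions in removed.items()}

    def systems_for(self, user):
        """List the systems a user still has any access to (for leaver checks)."""
        return sorted(self.grants.get(user, {}))
```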