Five steps to secure your environment

Historically, when companies considered the implementation of a security solution, the options were limited to a small number of unwieldy, inflexible systems. Today, security has become a universal concern, and the number of "solutions" and vendors has exploded, which in turn has led to a crowded space and overwhelmed executives. Sorting through the options and determining the best fit for their companies can be a trying and time-consuming task.
These five tips will guide decision-makers through the complex world of IT security.

1. Ignore the hype.

In today's e-business world, security vendors are quick to exaggerate the safety and protection problems of potential customers, recommending complicated and expensive products where often a more straightforward application would suffice. It's this increased hype that adds to the distorted perception that all data and messages are vulnerable and that no transaction is safe without authentication.

Security answers are out there, and the correct fortifications are often less convoluted than one might think. To be sure, mission-critical and sensitive data and message traffic need to be secured. But that doesn't include the companywide announcement about the annual holiday party.

2. Know your options.

When initiated by some security vendors, commercial and government organizations are led to believe that there's only one right answer: an all-or-nothing approach. Since most companies can't afford to risk the "all," they are confused into doing nothing.

In fact, an infrastructure overhaul is rarely necessary, and the best security solutions often involve the use of specific, targeted applications to particular areas of the network.

3. Educate yourself.

Security decision-makers need to learn what the real-life risks are and how to address them. Determining one's protection needs is daunting, especially with all the options available. Implementing a secure message system, for example, is no small undertaking, so it's important to design one carefully.

Stay current on industry and market initiatives such as the President's Critical Infrastructure Protection Board's Draft Standard. (Many think its recommendations are obvious and lack teeth, but if your organization isn't doing at least this, you're at risk.) The Liberty Alliance Project is tackling many of the issues of authentication and business-to-business trading federations. Also, the Electronic Financial Services Council's SPERS initiative is creating standards for digital authentication and signatures.

4. Begin with the fundamentals.

Organizations taking their first steps toward security should begin by securing the message transport using Secure Sockets Layer and encryption techniques as well as XML digital signatures to secure important data.

Next, enable trading relationships by adhering to industry standards such as XML-based authentication, Security Assertions Markup Language and the Liberty Alliance.

To ensure remote access, use technologies that enable Web services security, smart cards and tokens. As volume increases, plug in cryptography accelerators that will allow your systems to function more efficiently. And since not all vendors allow customers to pick and choose which elements of security to employ, make sure the vendor you select will provide this step-by-step approach.

With the option to build security fundamentally, layer by layer, companies have the opportunity to make decisions that fit their size and address their specific security requirements.

5. Demand flexibility and standards.

IT executives can make the best use of their time and money by avoiding a solution they don't need to fix a problem they don't have. It's important to make sure that you employ a security solution that conforms to your specific business needs and not vice versa.

Your company's security depends on an educated response to specific security vulnerabilities. Although evaluating and addressing your security needs may at first seem daunting, it's the key to determining the most flexible, scalable and appropriate solutions to best fit your business.

Source: Computerworld