ARN

How to protect with pragmatic network security

Bert Latamore (Computerworld) 28 June, 2006 13:43:07

Role-based Security: "This can be useful for some applications, and SAP, for instance, employs it," Rothman said. However, it has its limits, and Sarbanes-Oxley, for instance, requires that individuals accessing regulated corporate financial information be individually identified, and that everything they do with or to that information be logged under their name.

Virtualised Organisations: Security does not stop at the corporate perimeter. Today, companies commonly create close partnerships with subcontractors and other business partners for specific projects, but those partners could be competitors in other areas of business activity. Many companies also outsource parts of their infrastructure containing highly sensitive information that employees must be able to access securely. Rothman sees federated identity management as becoming important because it relieves the organisation of the need to manage the identities not only of its own employees but those of business partners as well, making security administration easier and eliminating the requirement for legitimate users from outside to use a special password to get into the network. Message security, including encryption, is also growing in importance in this increasingly virtualised environment.

Network Access Control: With increasing numbers of employees carrying portable computers and intelligent mobile devices, and with Wi-Fi-enabled smart phones beginning to appear, "the enterprise must be sure that the right people are accessing the network, from the right places, using the right devices, and that their devices have the right antivirus updates operating," Rothman said. "If they do not, then you want to quarantine them until the situation can be rectified."

Network Traffic Management: "Once I know who is on the network and what they are doing, I can manage traffic to restrict access to specific databases only to those who are authorised to see them," Rothman said. This is the next level of network-based security. The concept is that users who are not authorised, for instance, to see HR data on employees, don't even see the server or application that contains that information on their version of the network. "This takes a lot of network intelligence, and many organisations are not there yet, but it is definitely on the horizon," Rothman said.

Deprovisioning: "This is as important as provisioning in the first place," Rothman said. "It is where the rubber meets the road." Too many companies neglect to cancel network access for individuals who leave the company, or to cancel access to specific data when an individual's responsibilities change and he no longer requires access to those applications. In some cases, former employees continue to have access to corporate networks and data long after they have left, and that's a security nightmare. Federated identification management can help by allowing some deprovisioning to be handled by business partners.
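One way to check for the two deprovisioning gaps described above (access kept after departure, and access kept after a change of responsibilities), as an added example that is not part of the original article. The HR roster, role names, resource names and the `audit` function are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumptions, not from the article).
HR = {
    "alice": {"role": "finance", "left": None},
    "bob": {"role": "engineering", "left": date(2006, 3, 31)},  # has left
    "carol": {"role": "engineering", "left": None},  # moved over from HR
}
ROLE_ENTITLEMENTS = {
    "finance": {"vpn", "ledger"},
    "engineering": {"vpn", "source-repo"},
    "hr": {"vpn", "hr-db"},
}
# Access actually granted on the network, e.g. exported from a directory.
GRANTS = {
    "alice": {"vpn", "ledger"},
    "bob": {"vpn", "source-repo"},
    "carol": {"vpn", "source-repo", "hr-db"},
    "dave": {"vpn"},  # account with no HR record at all
}

def audit(hr, role_entitlements, grants, today):
    """Return (user, reason, resources) for every grant that should be revoked."""
    findings = []
    for user in sorted(grants):
        held = grants[user]
        if not held:
            continue
        record = hr.get(user)
        if record is None:
            # Nobody owns this account: revoke everything it holds.
            findings.append((user, "no-hr-record", sorted(held)))
        elif record["left"] is not None and record["left"] <= today:
            # Departed user still holding access.
            findings.append((user, "departed", sorted(held)))
        else:
            # Active user: flag only what the current role does not justify.
            allowed = role_entitlements.get(record["role"], set())
            excess = held - allowed
            if excess:
                findings.append((user, "excess-for-role", sorted(excess)))
    return findings

if __name__ == "__main__":
    for finding in audit(HR, ROLE_ENTITLEMENTS, GRANTS, date(2006, 6, 28)):
        print(finding)
```
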

Oversight: The Sarbanes-Oxley Act and other regulations require reporting on access to specific information. However, it was important to realise that you were not just trying to impress the auditor, Rothman said. "Ultimately, you have to define what success means in terms of data security, and your reporting needs to demonstrate that you meet that level of success," he said. "But people should not think that reporting is someone's job. The job is security, and reporting is part of that."
