Security Problems in the Enterprise Are No Accident

Carl Weinschenk

Palo Alto Software is introducing a new firewall, the PA-4000. In order to generate a little publicity around the launch, the vendor released a study with information culled from pre-deployment assessments at 20 enterprises. The results, outlined at Dark Reading, are extremely interesting and a bit disconcerting.


The troubling part is the high level of sophistication with which employees are circumventing security. Somehow, it's reassuring to think that most problems are caused by ignorance, laziness or by people who are using the PC on their desk to check a score or send a personal e-mail. Chastise them -- even frighten them a bit -- and they will become far more conversant with rules and regulations and the problems will subside. Along the same lines, security vulnerabilities inadvertently created by non-experts almost certainly will be easier to identify and fix.


Unfortunately, it seems that the overwhelming percentage of people are neither ignorant or lazy: They are proactively seeking ways around their employer's security structures to do more substantial things than get a price on a toaster oven from Sears.


For instance, the survey says 80 percent of enterprises are using proxy servers which, as a Palo Alto executive points out in the piece, have no business-related use in the enterprise. The implication is that people with more than a little know-how are installing them in a premeditated attempt to bypass security. That's a far cry from picking up a virus by carelessly opening a bogus e-mail. Other tools being used include tunneling protocols. Palo Alto's new firewall can identify those approaches and, presumably, allow IT managers to more effectively enforce policies.


This is another sign, as if we need one, that strong security policies are vital. The Palo Alto firewall and others that can identify traffic, along with related deep packet inspection (DPI) equipment and other gear that looks at packets in a granular fashion, can give policies much needed teeth. Now, security folks have a much better chance to identify those in the enterprise who are trying to take unfair advantage.


The image of the workforce as a seething cauldron of evil doers -- or, a bit more prosaically, folks who will try to get away with what they can -- is reinforced by this blog. The writer does one thing well and one badly. The good step is amassing a lot of data on how people are spending their time at work. Unfortunately, he doesn't source most of it, so it must be taken with a grain of salt.


Regardless, it is worth a look: The writer says workers spend an average of 18 hours a week online and more than 35 percent of Internet use is not related to business. More than half use the Internet for personal reasons. In one fact that indeed is sourced, the writer quotes IDC numbers that 30 percent to 40 percent of online work time is spent browsing and 60 percent of online purchases are made from the office. Thirty percent of employees say they constantly surf at work and 60 percent of corporate breaches occur behind the firewall.


It's not going to get better, either. Symantec's Samir Kapuria, both in this article and during an IT Business Edge interview in January, discussed the emerging millennial work force. The bottom line is that the kids are technically savvy and have a more open online attitude than their predecessors. Unfortunately, their zeitgeist is at cross purposes with good employee behavior.


Kapuria says kids use Web 2.0 and other applications more frequently, are more willing to use non-company gear, don't think using corporate equipment for personal use is wrong, and tend to store company data on their own devices. The bottom line is that these youngsters represent a new reality, and security managers must react before those attitudes result in big problems.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Apr 21, 2008 2:09 PM evan evan  says:
I think you mean Palo Alto Networks, not Palo Alto Software... Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.