Protecting network entry points is a key part of corporate risk management.
May 22, 2008
Protecting information assets is a critical component of risk management: Security breaches can lead to monetary losses, regulatory fines, bad publicity and other negative results. And protecting the gateways, the entry points into and out of enterprise networks, is an essential part of any information security strategy.
Providing gateway security has long been a high priority for organizations. But it’s becoming increasingly complex with the continuing growth of mobile computing, the increase in distributed environments and the emergence of more sophisticated security threats.
“As workers become more distributed — and our research shows that 70 percent of people work outside of a headquarters location — as well as more mobile, then gateway-level controls are necessary to protect sensitive [applications] and data,” says Robert Whiteley, senior analyst, Network Operations and Architecture, at Forrester Research. “Moreover, gateway-level security also helps [organizations] audit and log user activity, which is critical for regulatory compliance.”
An effective gateway security strategy entails “finding the appropriate mix of controls to manage enterprise risk without preventing business from taking place,” says Eric Maiwald, vice president and service director, Security and Risk Management Strategies, at Burton Group.
“This means that we don’t just install controls because the newspapers say that we should. The enterprise needs to identify sensitive data and systems, identify the negative consequences that may occur if a breach happens, and then use controls to manage the risk to the enterprise.”
At the very least, organizations need gateway security devices where there are major access points to networks, such as wireless LANs, Internet connections, partner or extranet connections, remote access, etc., Whiteley says. But increasingly organizations are putting more gateway-level security products closer to applications and information within their data centers.
“It's also important to make sure you don't have just network-level gateway security devices,” Whiteley says. For example, he says, Secure Sockets Layer (SSL) virtual private networks (VPNs), application firewalls, entitlement management controllers and proxies help protect at the application layer of the network. Other reliable gateway security products include antispam, antivirus and content-filtering software.
Some of the most promising new security technologies are those that can provide Layer 7 access control, Whiteley says. “These help add additional user and application context to standard gateway controls,” he adds. Another potentially effective security technology is gateway-level data-leak prevention (DLP). “These will ultimately deemphasize — if not replace — the need for traditional devices like IPS [intrusion prevention systems] and network firewalls. However, this is at least five to 10 years off.”
Gateway security is more essential “as we continue to see attacks aimed at our important resources,” Maiwald says. “Think about breaches that disclose sensitive information by attacking Web sites on one hand and by compromising the [wireless LANs] on the other. Clearly, as attacks get better — and they never get worse! — the perimeter around our sensitive resources must also get better.”
On the other hand, Maiwald says, network perimeter security is becoming less essential as more end users move around. “The mobility of employees and their systems takes them outside of the protective ‘hard candy shell’ that the network perimeter provides, so the perimeter becomes less valuable in protecting these systems,” he says. “However, while the network perimeter becomes less valuable, the perimeter around the endpoint — system firewalls, host intrusion prevention, encryption, etc. — becomes more valuable. Now the mobile endpoint must take care of itself in a dangerous world.”