A common problem most enterprises face when they decide to go 'online' and throw open previously internal facilities for public use is the sudden need to secure their networks and, quite critically, their data. As long as the network is available only to a select few that are connected to it over a well-known LAN, the problems are known in advance and easily controllable. There is only one mode between this network and the outside world. But when you expose a part of this network to the Web, a plethora of new problems surface, and dealing with those may not be as easy. And this is what Indian Airlines faced when we went online with our passenger services portal. We found that our internal leased-line run network was not secure enough and we had to race to protect it. Our methodology in tackling this meant we had to classify our data, determine where it would reside and then plan firewall and IDS/IPS systems. We had to ensure that traffic from the Internet did not interfere with and harm the data within our network. Finally, we decided on a three-level strategy. At the first level, there were firewalls that filtered malicious traffic. Then the application itself would filter out and place access control. Finally, strong checks within the application logic would ensure proper disposal of requests and commands.
The protection offered by the system's OS was also roped in to bolster security. The biggest challenge we faced in the implementation part was in acquiring the relevant solutions from the vendor and then verifying if they satisfied our needs. But a lot of security still works based on trust and depends on the malicious user not knowing what data to take. Our policy simply involved user-level security and enforcing periodic password change. Different kinds of users are also required to have different kinds of passwords according to their access levels. For instance, system administrators, travel agents, passenger-users and internal users all require different types and levels of access, and the more sensitive a user's role is and the wider the pool and scope of the data he uses, the stronger the password for that user should be. Everything is logged and these logs are checked. If a threat is perceived, action is taken. However, there are still no written policies on data security within Indian Airlines. We are yet to come across a user trying to go beyond his authorized area.
Awareness is the key
Awareness levels in India lie at the desktop and firewall level. Companies must adopt a more proactive approach to security and must focus on other areas as well. A key challenge for enterprise information security is the heterogeneous nature of today's IT environment. Enterprise security solutions need to integrate with a variety of third-party products and support multiple platforms ranging from Windows to Unix/Linux and mainframes. Also, many times the products used have no standard way of integrating with each other.
User compliance is also an issue. Even the best security system can fail if the user does not use it effectively. For this, proper patch management, adequate security policies and procedures, a centralized response and monitoring system and border system security are all vital.
Kartik Shahani, McAfee