were five years ago or even a year ago. As both networks and attacks
grow in complexity, it takes more time, skill and energy to protect a
company’s information and its very viability.
Ken Xie, president and CEO of Fortinet Inc., a Sunnyvale, Calif.-based
network security company, says IT administrators and security officers
are under a lot more pressure than ever before. Expanding perimeters,
leaky hand-helds and virulent viruses are just part of the expanding job
they’re dealing with today.
Here Xie talks with Datamation about one of the toughest jobs in
IT and what administrators can do to make it a little easier.
Q: How much more difficult is a CIO’s or IT administrator’s job now
than it was five years ago? What has changed?
In today’s business environment, CIOs and IT administrators face many
new challenges that were either not present or not as extensive five
years ago. Following the dot-com bust of the late ’90s and early 2000s,
IT budgets and staffs became the focus of drastic cuts in most
organizations. IT spending has yet to return to pre-bust levels. As a
result, CIOs and IT administrators are being forced to do more with less
— from integrating new technologies with legacy systems to extending
support for mobile workers with limited infrastructure investment.
This challenge has been exacerbated by the increasingly mobile nature of
business across industries and by the growing demand for ubiquitous
access to information from any device and any location.
Another major change is that today’s CIOs and IT administrators are
facing new and increasingly virulent security threats and new
regulations from the government.
Q: Many employees work remotely every day or spend many days working
on the road, carrying laptops, cell phones and PDAs. How much more
difficult does this make it to secure a network?
There is no doubt the increasing number of remote workers and the mobile
devices they rely on are creating new security challenges. If the proper
precautions are not taken, it is possible for a single device to act as
a point of compromise for an entire network. Threats can include mobile
devices that do not have strong user authentication systems and fall
into the hands of unauthorized users, providing avenues for access to
company networks and sensitive company information.
Another security threat that is not widely recognized is the
vulnerability of wireless devices and wireless networks to content-based
threats like viruses and worms. Many users do not understand that when
they connect to a wireless access point, they join a community of users
from whom they have little protection. A user could easily pick up a
virus or worm during a wireless work session at their local Starbucks
and transmit that virus throughout their network upon returning to the
office.
We often joke that your morning coffee could end up costing your
employer upwards of $100,000.
Q: Because of the abundance of mobile workers and mobile
technologies, along with strings of business partners, consultants and
connected clients, can anyone really know where the network begins and
ends now?
The disappearing perimeter is something we talk with customers about
every day. The virtual enterprise brings businesses a whole spectrum of
cost and productivity savings. It helps companies tap into new sets of
human resources. It makes small businesses look like global companies,
and enables global companies to deploy resources to even the smallest
regions of the world. This is why there is no longer a single point of
compromise, and why the IT security industry, as a whole, has been
preaching a layered, multi-faceted approach to security for several
years.
It starts at the endpoint, be it a desktop or laptop computer, connected
to a wired network or wirelessly. You must then place the proper
barriers at the edge of the corporate network, or the gateway. This is
probably the place where the strongest and best performance security is
required. This is the point where people either get in, or are kept out.
Once inside the gateway, or firewall, it’s important to segment
business. Security should be taken down to the departmental level,
segmenting off portions of the company so attacks can be quarantined.
To all of this, you must add strict but applicable security policies,
and end-user education.
it’s more secure than Windows? How dangerous can life be on the Linux
platform?
I think it’s probably too early to tell.
It is certainly true today that the most damaging attacks have afflicted
Windows-based systems and that, by comparison, Linux has been relatively
immune. However, there are real questions as to the true reasons for the
apparent safety of Linux.
The first and most important issue is prevalence. Just as in biological
systems, dense populations are most conducive to the spread of
contagions. And in contrast, more dispersed populations are more immune
to rampant, fast-spreading attacks. Thus Linux, with its more sparse
installed base — and absence from the desktop — will be inherently
more secure than Windows, as long as Windows maintains such a dominant
share of installations.
Another potential characteristic in favor of Linux is the degree to
which Microsoft is viewed as a more “deserving” target of attack
compared with Linux. In addition, some believe that Linux code, because
it is open, is more heavily scrutinized and therefore benefits from the
security expertise of thousands of developers, while others say that it
is far easier to find security flaws by exercising object code rather
than by analyzing source code.
These factors are all extremely complex, so it will be interesting to
see how the security posture of Linux evolves as it becomes more
widespread.
Q: Worm after worm continues to hit the Internet. Users are still
clicking on attachments and downloading damaging viruses. How can we
stop the cycle?
Social engineering has always been one of the greatest challenges to
security. Those who wish to do harm always seem to play upon natural
human curiosity and weakness.
This will always be a problem. While user education is important, we are
firm believers that the only truly effective way to stop these threats
is to do so before they have the opportunity to reach end users. By
implementing effective security solutions at the network gateway and
preventing attacks from ever reaching users, companies can take great
strides to protect themselves against these threats.
Q: A lot of people still think of spam as a nuisance. How big of a
security risk has spam become?
Spam has become a real security issue as the lines between spam activity
and malware have become blurred. We believe that, in addition to using
intelligent filtering and content analysis technologies to reduce the
amount of undetected spam, it will be necessary to raise the “cost” of
sending spam to the point where the return is no longer attractive in
order to truly curtail the practice. There are, of course, many
parameters to the notion of “cost”, so it should be possible to make a
big dent in spam activity without necessarily charging for email.
Q: What do you see coming down the road in terms of security
technology?
The key challenges — and opportunities — will be to deliver security
technologies that are enablers of all of the new and exciting
applications that have only started to show their promise, such as voice
and video, instant messaging, real-time collaboration, e-commerce, and
more. The individual piece parts — encryption algorithms,
authentication systems, and the like will continue to improve. But the
real benefits will come when security becomes embedded with, and
ultimately as ubiquitous and invisible as the network itself.