Enterprise Information Technology Management

06 Jan

Continued Validation as a Key Element of Any Security Policy

Most competent organizations adopt a base set of security standards for the technology they deploy.  Over time, though, those standards must be revised to account for new information, new vulnerabilities, and so on; at the same time, the technology components themselves will drift away from the desired security settings.

A critical element of an enterprise security policy is to periodically revalidate the physical technology infrastructure against the current security policy requirements.  This implies three things:

  1. We know about all of the technology components that exist in the enterprise infrastructure
  2. We know who is responsible for maintaining each component
  3. We have some scalable mechanism for performing the validation

Providing a feedback loop from the validation system to the enterprise trouble ticket system allows the person responsible for a non-compliant component to be notified of the non-compliance, and allows for a uniform escalation process for unresolved issues.

Highly decentralized organizations may find that centralized enforcement is not a possibility.  In those cases, relying on individual business areas to perform their own validations is required.  Internal audit functions play a vital role in organizations that wish to maintain control and accountability without a central ability to validate policy compliance.

It is also vital to accommodate the situations where compliance is not possible.  It should be mandatory to implement some form of mitigating control to reduce the risk to the organization caused by the non-compliance.  Additionally, requiring secondary controls reduces the attractiveness to system owners of being out of compliance.
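As an added example (not code from the original post), the three requirements above and the ticket feedback loop in one small Python revalidation routine: the policy baseline, the inventory with owners, and the exception table with mitigating controls are constructed sample data, and the ticket system is a stub.

```python
# Baseline each component is re-validated against (constructed values).
# A rule is (kind, required): "eq" must match exactly, "max" must not exceed.
POLICY = {"ssh_password_auth": ("eq", "no"),
          "tls_min_version": ("eq", "1.2"),
          "patch_age_days": ("max", 30)}

# Inventory: every known component, who maintains it, and the settings a
# collector reported for it (constructed). legacy-03 never reported patch age.
INVENTORY = [
    {"id": "web-01", "owner": "web-team", "settings": {
        "ssh_password_auth": "no", "tls_min_version": "1.2", "patch_age_days": 12}},
    {"id": "db-02", "owner": "dba-team", "settings": {
        "ssh_password_auth": "yes", "tls_min_version": "1.2", "patch_age_days": 45}},
    {"id": "legacy-03", "owner": "ops-team", "settings": {
        "ssh_password_auth": "yes", "tls_min_version": "1.0"}},
]

# Approved exceptions: (component, setting) -> mitigating control. A gap with
# no entry here is never silently tolerated.
EXCEPTIONS = {("legacy-03", "tls_min_version"): "TLS terminated at hardened proxy"}

def rule_violated(rule, actual):
    """True when the reported value fails the rule; an unreported value fails."""
    kind, required = rule
    if actual is None:
        return True
    return actual != required if kind == "eq" else actual > required

def validate(inventory=INVENTORY, policy=POLICY, exceptions=EXCEPTIONS):
    """Split violations into findings (need a ticket) and accepted exceptions."""
    findings, accepted = [], []
    for comp in inventory:
        for setting, rule in policy.items():
            actual = comp["settings"].get(setting)
            if not rule_violated(rule, actual):
                continue
            record = {"component": comp["id"], "owner": comp["owner"], "setting": setting,
                      "actual": actual, "required": rule[1],
                      "mitigating_control": exceptions.get((comp["id"], setting))}
            (accepted if record["mitigating_control"] else findings).append(record)
    return findings, accepted

def open_tickets(findings, opened, today, sla_days=14):
    """Feed findings to the ticket queue (stub): one ticket per finding, routed to
    the owner; a ticket open longer than the SLA is flagged for uniform escalation."""
    return [dict(f, opened=opened, escalated=(today - opened).days > sla_days)
            for f in findings]
```

`opened` and `today` are `datetime.date` values; a missing setting counts as a violation so a component that stops reporting cannot pass by omission.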

19 Dec

Centralized versus Decentralized WAN topology in an Enterprise

Many times, an enterprise WAN topology grows without much forethought, expanding on the existing infrastructure. Changing topologies mid-stream is often costly and falls behind other initiatives. Because of that, it’s important for CIOs and network architects to have a good handle on the topology options and the benefits and drawbacks of each.

Meshed WAN/VPN On Top of the Internet

The pervasive availability of reliable Internet bandwidth provides an attractive option for interconnecting global offices. Particularly in countries such as India, Brazil, and much of Europe, it is considerably cheaper to procure Internet bandwidth from local sources. For many reasons, the big players like AT&T and Verizon Business simply cannot be competitive in certain countries due to local telecom laws, partnership agreements, etc. The cost savings can be substantial.

Certain tools, like Check Point’s Firewall-1, not only make securing and managing the distributed firewall base easy to handle, but also abstract the inter-office VPN transport.

The pros:

  • Monthly recurring fees are typically cheaper.
  • Still get the connection savings from using a central supplier, like AT&T, where they are the cheaper option.
  • Capacity costs are considerably less than in the private line, frame relay or MPLS world.

The cons:

  • Requires an Internet gateway at each site, and all associated management, equipment and process that an organization places on such a thing.
  • Implementation of new Internet security devices (data loss prevention, for example) requires the investment needed to duplicate the environment across all sites. This may create situations where new technology cannot be deployed, or cannot be deployed consistently across all sites.
  • A complex environment that often requires local staff to manage ISP contracts and equipment.

MPLS WAN with Geographic theater-based Internet gateways

In the past, private lines and frame relay connections were point to point - completely hub and spoke. Redundancy, fail-over, etc, were made difficult by that fact. MPLS has essentially provided organizations with a “private Internet”, where each site can connect into and route to any other site, allowing a great degree of flexibility on issues like fail-over and keeping costs down relative to point to point connections.

In this architecture, each site has an MPLS connection to a provider’s network. Certain sites act as a bridge to the Internet. Routing can geographically segregate ingress and egress points to the nearest available Internet gateway, and provide the ability to fail over to another site, in the event of an outage.

The pros:

  • The ability to centrally manage and deploy new Internet security devices.
  • Provides a very homogeneous WAN environment, which simplifies WAN management; it can be leveraged to reduce costs in contract negotiations or to allow for total outsourcing of the environment.

The cons:

  • Typically, much more will be spent on monthly line costs than with Internet-based, site-to-site VPNs.

What’s the best option?

The best option will vary from one organization to the next. Large, process-driven organizations will generally want to go with an MPLS WAN. Entrepreneurial companies will find the lower cost and local control of the site-to-site VPN much more appealing.

What do you think?

© 2008 Enterprise Information Technology Management
