Just how valuable is the data on your hard drives? That's the bottom-line question any organization must ask when considering an investment in on-line security. Virtually every enterprise now stores, transports or manages critical information electronically ­ a data spectrum ranging from mundane company records upward to confidential customer information, crucial product information and even national security intelligence. The more valuable the data, the more likely someone may want to steal or destroy it, and thus the greater the need for an investment in on-line security protection. Ask yourself what it would mean if, at the start of business tomorrow, you discovered that key elements of your core databases were lost or compromised. If the answer is simply too grim to contemplate, now is the time to take a closer look at network security.

Good on-line security means knowing who is on the network, controlling where each user is allowed to go and ensuring the appropriate level of privacy for all network data. To reach that objective, we must start by understanding the basics of the underlying computing landscape.

Many organizations today operate within what is known as a Distributed Computing Environment (DCE) in which multiple servers are linked to form a single enterprise-level network. DCE can be visualized as a high-level application that rides on top of the industry-standard TCP/IP layer in a multiple-machine arrangement. DCE is, in effect, a set of software services that provides seamless access to a wide range of computing tasks such as data storage and access, specific work-related applications, network load balancing, authenticating and authorizing network users, and securing the privacy of the data moving across the network.

While the distributed environment forms the landscape upon which resources can be disseminated and shared, opening the network to hundreds and even thousands of users vastly complicates the organization's on-line security exposure. Fortunately, a new generation of network technologies has emerged that is now making distributed computing safer and more secure.

One such technology, called the Distributed File System (DFS), is a particularly elegant means by which system administrators can organize, manage and provide convenient access to file resources within a Distributed Computing Environment. DFS, which can be thought of as NFS on steroids, is developed and marketed by Transarc, an IBM company. DFS, a DCE application, provides a highly cached file management system that greatly simplifies the job of adding new machines, relocating volumes, replicating data across machines and accomplishing other tasks necessary for distributed file access.

In addition to these powerful file management capabilities, the DFS also lends itself ideally to the establishment and application of advanced network security technologies. In fact, the very file management tools used by the DFS to provide global administrative capabilities can also be used to set up and enforce a sophisticated regimen of network security.

At the critical network/user interface, as discussed in our previous column on security basics, we apply user names and passwords to ensure authentication and authorization. These security checkpoints make use of an authentication engine called Kerberos. Kerberos was developed at MIT and is widely accepted as an industrial-strength distributed authentication engine. Kerberos is the underlying authentication component for DCE security.

Kerberos basically scrambles, or encrypts, all passwords sent anywhere on a network, making it extremely difficult for a cyber-thief to "sniff" and steal this valuable information. The Kerberos authentication engine also accepts, evaluates and either approves or rejects the input of user IDs and passwords. Once Kerberos authenticates a user, the user is given credentials. DCE services, such as DFS, compare the user's credentials with administratively defined Access Control Lists (discussed in last month's column), to determine if the user is authorized to access the desired resource.

The Kerberos method also greatly simplifies secure network access by granting approved users access to the DCE environment for a set period of time. This "single log-on" approval is similar to the lift tickets sold at ski resorts. Once Kerberos identifies you and gives you credentials, you are free to move about the network during a predetermined period of time. This unique DCE feature makes it easy for high-activity users to move from place to place within the network, while greatly reducing the opportunity for potential security breaches.

These then are the building blocks of any good electronic security strategy, from the global capabilities of the DCE to the sophisticated gatekeeping protection of the Kerberos engine. They can be applied to create a secure platform for any internal network ­ or, as we will see in my next column, these same technologies can be applied to extend beyond the physical enterprise to establish the Virtual Private Network of the future.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access