Managed
Security Services
Prepared by
Martin Dipper
T h e C h a l l e n g e
Most companies operating in today’s global and uncertain marketplace would agree that security is an issue that has most definitely been elevated to the boardroom. Only a few years ago, securing company data used to be a much more straightforward issue. An IT manager simply kept the company’s servers under lock and key and begrudgingly gave a few mobile workers remote access to their email accounts. The situation today is dramatically different, since up to several thousand people may require access to a full suite of business applica-tions that can be accessed across the Web, across DSL and even across wireless connections. With the expansion of extranets encompassing suppliers, partners and customers, the users may not even be employees, creating a challenge for IT policy enforcement.
Companies have to wake up to the real threats posed by opening up their mission-critical information servers to the outside world. No CIO would wish to explain to company shareholders how the competition has come to have sight of strategic business plans or that a hacker has gained access to customer credit card numbers and is now threatening blackmail. The statistics for security incidents highlight the growing vulnerability of corporate systems:
It is acknowledged that hackers have grown in sophistication and numbers, with the availability of powerful home-based systems and hacking kits that can be downloaded from hundreds of Websites. Yet whilst high profile acts of terrorism from organised bodies have heightened awareness of the potential threats that exist from external sources, in reality security breaches are just as likely to come from a disgruntled employee. Many incidents occur as breaches from within the corporation either by accident or by design. They often are a direct result of individuals breaking into servers using passwords they are not supposed to have. Possibly the easiest route to any company information is the ubiquitous Post-it note with a scribbled password stuck on the front of a PC.
Although there has been much scare mongering, there is no doubt that the security risk for a global corporation has increased with the growing threat of politically or criminally motivated attacks. It is multinational companies that often put themselves at risk by failing to develop and implement an integrated global security policy. This problem is most certainly exacerbated by the lack of coherent legislation across borders.
In the U.S., the Gramm-Leach-Bliley Act (GLBA) states that it is the responsibility of enterprises to respect the privacy of their customers and to protect the security and confidentiality of customers’ non-public personal information. This legisla-tion specifically applies to all financial institulegisla-tions and business entities as well as third-party Web-hosting firms that are part of a financial firm’s Web infrastructure. Other U.S. industry sectors are obliged to comply with similar industry-specific legislation. For example, the Health Insurance Portability & Accountability Act (HIPAA) requires healthcare organisations to protect individual’s private medical information. There are many other acts such as Basel II, Sarbanes-Oxley and EU Data Protection that all mandate the secure storage of business information.
>> Reports indicate that cyber criminals have a 65% success rate when they attempt to penetrate a corporate network.
>> Over one third of companies could not measure the cost impact of a security breach.
>> Over 2,500 new vulnerabilities were documented in the previous year.
>> Cyber attacks are global, with up to 1000 known, as well as organised hacking groups.
In Europe, the EU Data Protection Directive sets standards for protecting personal data within the European Union. It is designed to enable the free movement of data across European borders, while still protecting the individual’s privacy. The legislation applies to both European organisa-tions (with the exception of law enforcement bodies and those that are regulated by national laws) as well as foreign enterprises that process personal data within the EU. Any violations or breach of legislation can result in both civil and criminal penalties, and of course as witnessed with other corporate scandals any high-profile breach could potentially bring down a company’s brand literally overnight.
The other challenge that companies must overcome is the threat posed by the growth in popular wireless connectivity solutions and deployment of wireless LANs by enterprises that want to give network access to employees who are not bound to their desk throughout the working day. As the door to the VPN is pushed further and further out, the security risk is increased and corporations must ensure layered security solutions are deployed.
The risk of malicious attack from within the company has risen with trends towards remote access at the unmoni-tored edge. After all, it is impossible to absolutely verify who is connecting to an enterprise’s network — often all that is known is that it is ‘a device’. There is no informa-tion on whom is driving that device, on whether someone has hijacked the session, or if the user has turned off the device’s security feature. This is where policy enforcement is important. As the VPN extends outwards into uncharted territory, policy enforcement should define the minimum security services that must be running before a connection to the corporate network is allowed and then define what can be initiated from that location.
Global organisations must therefore take a global approach to ensure that they implement security policies that meet the highest levels of security, regardless of the geographi-cal spread of their users. Clearly defined policies of whom, what, where, when and how data can be accessed are vital to the monitoring of network security. The development and implementation of a comprehensive security policy is therefore vital to guaranteeing the ongoing survival of multinational organisations.
The threat from both organised cyber criminals and ‘script kiddies’ is real. Multinational enterprises need to under-stand the exposures and react with appropriate force.
T h e A n s w e r
So what is the way forward for today’s multinational enter-prises? It is essential that the boundaries of any solution they implement are understood. Policies should be devel-oped for all access to corporate resources to mitigate any business risk. The only way this can be achieved is by devolving responsibility across multiple groups within the same organisation. Security undoubtedly means different things to a network manager, who will look after firewalls and authentication, than to a CIO whose main concerns will be about risk assessment and security policies. All aspects are important, which is why security needs to be coordinated across the multinational by a security officer.
Security also works best when it is layered, so that there are multiple locks that the potential thief must “pick” to gain access, which increases the likelihood that the attack-er will be detected earliattack-er. Corporations need to ensure that they protect all aspects of their IT infrastructure by implementing layered security defences as follows:
>> The device being used to communicate with the company
needs protection, commonly called desktop or device protection.
>> The communication between the device and the
corpo-rate network needs to be evaluated. If using an insecure network, it is normal to encrypt the communication between device and gateway using common protocols such as SSL or IPSec.
>> The gateway to the corporate network needs, at the very
least, to challenge the user and request strong authenti-cation. The smarter gateways today also enforce policy and authorise the user to only perform certain specific functions, acting at the applications level.
>> Site infrastructure and servers where the mission-critical
information is situated needs to be protected through the deployment of three elements — a perimeter firewall; a network intrusion and protection system to track all traffic and a server intrusion protection system. These systems act as the alarm system and check for unauthorised activity and anomalous behaviour on the site infrastructure.
Remote scanning and vulnerability assessment must also be a key part of any company’s arsenal as it provides valuable information on weaknesses, which others could exploit. It is best if you close the open doors and weak-nesses before the hackers find them.
Many companies believe that security is just too big an issue to deal with by themselves, given the complexities and the need to acquire the necessary in-house skills to ensure that every possible security measure has been taken to protect mission-critical business processes and corporate brand. Instead, many companies mitigate risk and use experienced providers who can provide a number of key benefits. The most obvious is the provision of around-the-clock world-class security protection with guar-anteed response, often within minutes, to any intrusion on
an enterprise’s network. The managed security provider’s sole purpose is to protect a company’s network and to react quickly and effectively when an intrusion occurs. The cost of deploying the equivalent security skills 24/7 in-house would be huge and using an outsourced specialist to protect the corporate assets can dramatically reduce the total cost of ownership. Security technologies are moving at a very fast pace, and companies can never expect to have the depth of expertise that security specialists have who see incidents occurring every day and know how and when to respond.
The answer to keeping your company secure in an
insecure world is the Infonet®Managed Security Services
portfolio.
I n f o n e t M a n a g e d S e c u r i t y S e r v i c e s
P o r t f o l i o
Today more than ever, we need to keep an eye on world events and understand the growing threat from organised attacks against the corporate structure. As the door to the VPN moves further and further out incorporating Internet, wireless and broadband technology, multinational enterprises need layered security to ensure their business systems and assets are not compromised.
Infonet is focused on providing integrated state-of-the-art secure communications services for multinational
clients. We have developed The World Network®providing
connectivity to 180 countries and over 3000 cities. In addition, Infonet offers secure solutions across the public Internet allowing multinational corporations to choose the connectivity they require and have Infonet integrate the solutions acting as a single source supplier. Infonet offers multinationals a unique combination of Private and Public services as well as a full set of Managed Security Services.
Whether network security concerns are confined to the intranet (for internal applications), extranet (for communi-cations with business partners, suppliers and clients), or Internet (for browsing and e-commerce) security is an inte-gral component of any global organisation's business plan-ning and execution. To assist corporations in this activity, Infonet provides a full range of Managed Security Services (MSS) which focus on layering security on the device, across the network, on the gateway, around the site perimeter and inside the site.
The services are focused around three specific areas:
The services are closely integrated with a security portal that provides an interface to online tools for all clients.
Secure VPN Services
Depending on your network infrastructure (whether your corporation operates mainly over intranets, extranets, or the public Internet), Infonet offers layers of the latest
security technology that are tailored to your needs. Clients can use customised and integrated solutions that include encryption (IPSec), authentication (Public Key Infrastructure [PKI] and digital certificates) and options that integrate Cisco CPE and VeriSign Certificate Authority services that are available globally. These security services are available for IP VPNs, Internet-based VPNs, ATM and Frame Relay VPNs. If the need is for secure mobile user access, Infonet has a range of remote access services that provides mobile and remote users with a reliable, flexible, secure and straightforward way to access their corporate networks using private dial or public connectivity integrated with strong authentication methods.
Infonet is continually focused on providing integrated, state-of-the-art global communication services for
multinational clients. Today these solutions include MPLS-enabled IP VPNs, Application Defined VPNs, converged networking (voice/video/data) and enhanced security. The MPLS-based class of service (CoS) networking capabili-ties, for example, match the network needs of client appli-cations on a user priority basis. Coupled with our security capabilities, Infonet provides one of the highest levels of protection available today for clients using encryption (for data integrity), digital certificates (for authentication) and firewall services (for authorised access).
Secure Site Services
As part of the layered security approach, site services involves protecting the perimeter of the site and protecting and defending the internal site infrastructure. This
requires firewall and intrusion protection services as detailed below.
Managed Firewall Services
Infonet Managed Firewall Services are aimed at multina-tional companies who wish to implement perimeter securi-ty to protect sites within their network from unauthorised >> Secure VPN Services
>> Secure Site Services
access and misuse. There are three services, the Network Firewall Service, the Premise Firewall Service, and the Branch Office Firewall Service:
>> Network Firewall Service (NFS)
Network Firewall Service is a fully managed firewall solu-tion installed in an Infonet network firewall farm. These farms, located in secure data centres with high speed Internet access, sit between Infonet’s The World Network and the Internet and all client sites in the one region can be protected by one firewall with 24/7 global expertise and support. The Infonet Network Firewall Service is an extremely cost-effective way for multinationals to protect multiple sites within the same region for the cost of one managed firewall.
>> Premise Firewall Service (PFS)
Premise Firewall Service is a fully managed client premis-es-based firewall solution, which can be used to protect the client site when combined with either Infonet's or other connectivity offerings. Infonet installs, configures and manages this firewall on the clients’ premises to successfully stop security breaches and respond to secu-rity incidents. This service provides the necessary isola-tion between a client’s internal network and an external network, permits secure site-to-site connections to be established and provides safe Internet access.
>> Branch Office Firewall Service
Many clients have remote or small office sites connected to the corporate VPN using either public or private connectivity. Branch Office Firewall Service is a fully managed client premises based firewall solution, based on a hardware platform specifically designed for smaller sites. The service delivers the same levels of protection as the Premise Firewall Service but at a level that is cost effective for remote or small sites.
The managed firewall services delivers 24/7 management of firewall for outages; systems health; maintenance; and changes to policy and configuration.
Infonet firewall services allow the client to outsource security policy installation, implementation and manage-ment while retaining control of the policies. In addition, this allows the client to leverage Infonet’s significant expertise in the security business.
Managed Intrusion Protection Service
Infonet Managed Intrusion Protection Service is an auto-mated service that uses secure sensors to monitor a corpo-ration’s traffic for unauthorised access and malicious activ-ities. This comprehensive service protects corporate assets from attack or abuse by identifying potential threats and responding with appropriate force to minimise risk to clients. Remotely connected security personnel, experts in threat detection and response, are available 24/7 and will respond within minutes if the corporation is under attack from outside or within. There are two services:
>> MIPS — Network Intrusion Protection
The Network Intrusion Protection Service is delivered using the world leading Internet Security Systems Proventia platform. This platform is the latest generation of inline intrusion protection sensor technology and is designed to protect multinational assets in real time by automatically blocking malicious attacks before damage can be done. Network Intrusion Protection provides detection and prevention in a single, centrally managed service. The service places a fully managed sensor on the client network, positioned where it will capture intended attacks and offer the most protection to the client’s information and servers. The sensor is delivered with a pre-defined policy that monitors for all known security alerts and incidents. The policy is created as a result of a thorough review of the highest risks facing client networks today and is reviewed and automatically updated on each new significant threat alert. In addi-tion, a policy can be created to alert and potentially kill any specific local activity that is deemed undesirable on the client network.
>> MIPS — Server Intrusion Protection
Server Intrusion Protection is an extra layer of protection for any client that needs 24/7 protection of email, Web, database and other types of servers against hacker threats and intrusions. Whereas Network Intrusion Protection detects threats across the network, server-based protection uniquely focuses on the threats to the ultimate object of attacks, by installing a managed sensor on mission critical servers. Server Intrusion Protection is based on Internet Security Systems RealSecure technology.
The Managed Intrusion Protection Service protects the client’s critical business assets, the network, devices and information servers which the company needs to run its business and is a key service for clients to secure their corporate assets from attack or misuse.
Managed Threat Reduction Services
In addition to the core security services, Infonet delivers value-added features that reduce the risk of attack or dam-age to the corporation by layering additional security on top of existing security. As well as implementing managed solutions around the perimeter of the client site and inside the client site, corporations have to recognise the dangers caused by employee actions, viruses and malicious code. Separate services, overlaid and integrated with the core services, are needed to deliver protection against these threats as follows:
>> Employee Threat Management >> Website Blocking
Many Web sites contain unwanted, intrusive or even pornographic content that may be inappropriate in a business or professional environment. In fact, some corporate policies prohibit access to such content and there are legal, IT and HR issues if a corporation is found to possess or distribute offensive or undesirable content. Website Blocking is used to restrict access to
Web pages based on categories selected by the client. In conjunction with a client’s corporate security policies, this ensures that employees can only retrieve and access appropriate Web content relevant to the business day.
>> Internet Accelerator
Many customers want to speed up the performance of their Internet connectivity, make users more productive, reduce bandwidth requirements and make the Web experience more productive. Infonet has deployed the Internet Accelerator service to intelligent-ly manage user requests for content, allow Web content to be delivered faster to end users and also to hide the internal intranet structure from public scrutiny. Internet Accelerator is ideal for corporations with a need for a high performance Internet solution.
>> Internet Threat Management >> Virus Protection
Many viruses enter the corporation from the Internet or in email traffic. Virus protection can be applied in two obvious places, at the Internet gateway or at the email gateway. Infonet offers scanning of all traffic entering the corporate network, at the Internet gate-way or email gategate-way, protecting clients by detecting the latest viruses and worms before they enter the network.
>> Malicious Code Protection
Many Web sites use Java and Active X code to improve the Web experience. However, how do you know what the code is doing? This code has the abili-ty to read and write to the PC disk, perform hostile activity and damage servers and networks. Malicious Code Protection will proactively inspect all code entering the network to understand its behaviour and any content that violates security policies is logged
and blocked at the gateway, while end-users are notified with an onscreen alert.
>> Threat Analysis
>> Vulnerability Analysis
Keeping the corporate infrastructure secure is a major concern and all corporations need to understand their exposures and vulnerabilities at the point the private VPN meets the Internet. Vulnerability Analysis is a unique service that reduces the significant security risks associated with global access and online business transactions. Based on Internet Security Systems’ award-winning Internet Scanner technology, Vulnerability Analysis examines vulnerable points in your corporation’s infrastructure, such as where your network touches the pubic Internet, identifies weak-nesses and delivers a compete set of reports detailing your security exposures and risks.
This powerful combination of automated analysis and easy to understand reporting enables you to make decisions that reduce online business risks without taxing valuable internal resources.
Secure Client Services
Continuing the layered security approach client services delivers secure remote connectivity into the VPN from any-where at anytime. It does this by protecting the remote device from attacks, ensures the device establishes a secure encrypted connection and enforces that the remote connection is identified, strongly authenticated and access policies applied. Security needs to be appropriate, mean-ing that rules may differ dependmean-ing on the systems bemean-ing accessed and the user group involved. Access to mission-critical applications for internal users from an airport location needs to be handled differently than access from a business partner to a Web page on an inventory server.
The trend to utilise the Internet and encryption technolo-gies for remote access has grown dramatically as compa-nies either offer such connectivity as a new service, or use it to replace dial-in facilities for remote access. By leveraging the ubiquity of Internet connectivity, while using encryption to ensure privacy of the communications, organisations have been able to realise cost savings whilst enhancing many aspects of connectivity to internal computing resources for remote users.
Secure Client Services delivers full implementation, provides for authentication of users, the set-up of encrypt-ed sessions between Internet users and host applications, user management via customer Web portal, policy driven access to corporate resources and immediate changes to the user community. In addition, clients can use a variety of client, clientless and on demand connectivity options that deliver anywhere access to any application and enter-prise-proven security. Importantly, the client is able to define all elements of security policy ongoing, with Infonet simply working to enforce security levels. The Infonet plat-forms enable security and access policy to be managed evenly across a very broad range of applications without the need for application modification. Policies can be enforced at any level of granularity from user to group level allowing quick one touch admin for extranet creation. Policies can be modified dynamically either by Infonet or trusted customer administrators.
Infonet has two options for remote user connectivity across the Internet, both options use secure protocols and strong authentication services to enable applications to be dis-tributed to any location.
Mobile SSL VPN
Mobile SSL VPN provides an encrypted, trusted infrastructure that enables enterprises to extend
applications to partners, customers and employees over the Internet, enabling organisations to build end-to-end Extranet communities that are fully supported 24/7 by Infonet. The service is network agnostic supporting connectivity across Dial, LAN, DSL and wireless networks.
The Mobile SSL VPN platform is situated between the Internet and The World Network and uses Secure
Sockets Layer (SSL) for security and integrity. The service provides for authentication of users and the setup of encrypted sessions between Internet users and host applications using a proxy approach, meaning Internet users never directly access the corporate network. In addition, all access is policy driven. All users are assigned access permissions based on their requirements and are only allowed to access the applications and resources specified in their profile. Access can be client or clientless allowing users to access from any public Web system if appropriate over any connectivity.
This service delivers secure policy driven end-user access into corporate applications across any connectivity and is ideal for the creation of mixed extranet communities.
Mobile IPSec VPN
Mobile IPSec VPN provides safer connectivity for mobile users or telecommuters to securely access corporate data and applications from anywhere, across any public or inse-cure network. The service is network agnostic and lever-ages the reach of the public Internet across various net-work access infrastructures — i.e. PSTN, DSL, Cable, Wireless. It delivers robust security using standards-based IPSec encryption to encode traffic through the public Internet. Security policies can be downloaded to the mobile user’s computer to protect against viruses, Trojan horses and other malicious threats. The service delivers secure connectivity from any location and uses a personal firewall to protect the device from attacks whilst online.
Mobile IPSec VPN protects the network and the device from unauthorised access and intrusion, reducing the risk of access from insecure locations.
C l i e n t B e n e f i t s
Multiple layers improve security and the ability to
implement defence in depth is important for multinational corporations. However, security is complex requiring specialist knowledge and continual management. The Infonet approach delivers the security that corporations need as a fully outsourced managed solution without any of the internal administrative or management problems.
The Infonet portfolio of managed solutions delivers the following benefits:
>> Enhances the Corporation’s Security Profile— as the risk of exposure and compromise is reduced by imple-menting expert services, protecting the company image and reputation.
>> Reduces Cost of Ownership— using the service provider experts allows you to outsource the security tasks and focus internal personnel and resources on your key business initiatives. By using Infonet’s economies of scale and global expertise, Infonet can deliver premium 24/7 services more cost effectively than using
in-house teams.
>> Delivers Best of Breed Support— Infonet Managed Security Services are supported by security experts working in a continuously updated knowledge cycle, working only on security issues and the protection of multinational clients. Their proactive response and experience means they can prevent attacks occurring but just as importantly, know exactly how to react to stop an attack in progress.
>> Advance Warning and Notification— to protect, you have to detect. The Infonet approach of globally detecting attacks ensures that all our clients receive timely notification of attacks relevant to them. We call this Global Detection — Local Protection.
>> 24/7 Support— security incidents occur outside of business hours as well as during the business day. The managed service not only delivers automated protection but also provides global expertise 24/7 so that whenever an attack occurs, proven procedures will deal with the incident efficiently and thoroughly.
>> Visible Results— through the Infonet security portal corporations have access to the latest security informa-tion and reports that are specific to them. These reports can be used to demonstrate the company is protected and to highlight any areas of improvement where they may be vulnerable today.
>> Flexibility and Customisation— the strength and depth of the Infonet portfolio allows clients to choose the appro-priate service and then have it tailored by Infonet to their environment.
In addition, Infonet acts as a single supplier across the globe, integrating the security services with the global net-work and acting as a single point of contact for all issues. Infonet can manage the ordering and deployment of new services and deliver support of your security services globally with a single phone call.
On average ten new vulnerabilities are discovered each day (CERT). It is very difficult, often impossible, for in-house teams to stay up-to-date with the latest vulnerabilities and attacks and update the corporate security defences accord-ingly. The Infonet approach ensures your company can
make accurate decisions that will reduce online business risks and protect corporate resources.
C o n c l u s i o n
Security is a necessary and strategic part of business planning for multinational corporations. Without effective security procedures and services the integrity and privacy of corporate information cannot be maintained or guaran-teed. The costs of applying security to your business must be viewed as the cost of staying in business.
Infonet has been providing global value-added communica-tions to its clients for over 33 years. As a leading supplier of global communications, our clients select us because our solutions enable their strategic initiatives and ensure they can globalise their critical business applications. Whether the solution is private or public, Infonet provides the infra-structure for business success layered with the appropriate levels of security.
Infonet has always focused on security as its number one priority, leading the industry with an extensive range of pri-vate solutions running securely across The World Network. With the delivery of client-based solutions and site-based solutions overlaid across The World Network and the Internet, Infonet has delivered end-to-end networking and security for multinational clients.
Infonet’s suite of Managed Security Services provides businesses with the industry's most comprehensive range of layered security services by adding security layers onto the client, across the network, at the site perimeter and inside the site itself, all backed up with 24/7 local language assistance and Infonet’s award-winning customer care.
For more information about Infonet’s layered approach to security using Secure VPN Services, Secure Site Services and Secure Client Services, contact your local Infonet Services Corporation Representative for more information or visit us at www.infonet.com.
A b o u t I n f o n e t
Infonet Services Corporation, known for its quality of service, is a leading provider of managed network communications services for nearly 3,000 multinational entities. Our people are our first line of defence. Infonet employs full-time CISSPs (Certified Information Systems Security Professionals) and CISAs (Certified Information Systems Auditors). Security training for all employees is mandatory, frequent and ongoing. Our CERT (Computer Emergency Response Team) ensures immediate global emergency response to security threats following standardised procedures. We employ third-party ISO9001 and SAS70 audit organisations to validate our global information security poli-cies and procedures and to validate our ongoing internal and Internet security audits.
Employing a unique consultative approach, Infonet offers integrated solutions optimising the complex relationship between enterprise applications and the global network. Extensive project management capabilities are the foundation for the services and solution offerings (broadband, Internet, intranet, multimedia, videoconfer-encing, wireless/remote access, local provisioning, application and consulting services) positioning Infonet as a single-source partner for multinational entities. In particular, Infonet IP VPN solutions offer multinationals a unique combination of Private and Public IP services as well as a full set of Managed Security and Mobility Services.
Rated "Best in Class" overall in Telemark's survey of Global Managed Data Network Services, Infonet has also won "Best Customer Care" and "Best Carrier" at the World Communication Awards. Founded in 1970, Infonet owns and operates The World Network, accessible from more than 180 countries, and provides local service support in over 70 countries and territories.
Infonet's stock is traded on the New York Stock Exchange under the symbol IN. Additional information about the company is available at www.infonet.com.
Worldwide Headquarters
Asia-Pacific 8 Temasek Boulevard #36-01 Suntec Tower Three Singapore 038988 Tel: +65 6820 3510 Fax: +65 6820 3520 Europe, Middle East & Africa 350/358 Avenue Louise Box 3 B-1050 Brussels, Belgium Tel: +32 2 627 39 11 Fax: +32 2 640 97 41 Latin America Mardoqueo Fernandez 128 Piso 7
Providencia, Santiago, Chile Tel: +56 2 368 9400 Fax: +56 2 368 9415 North America 2160 East Grand Avenue El Segundo, California 90245-5024 usa Tel: +1 310 335 4700 Fax: +1 310 335 4507
