Why Security is Important


If your intranet users will have access to any data that should not be available to all of them, then having a security framework in place is essential; it should be a consideration from the start, not a last minute afterthought. Some degree of user authentication must be implemented to restrict access to only trusted users who will be responsible with it. If this isn't done - or is done inadequately - then your organization should be prepared for the possibility that one day the data will no longer be proprietary (not to mention the headaches and liability issues that can arise when your customers' personal data ends up on Google).

Another major concern to be taken into account is that the intranet can serve as a staging area for more serious attacks on the machine or network where it's hosted, or on other enterprise networks. All access to resources within a company, whether publicly available or otherwise, should be monitored and regulated. Even if your intranet isn't carrying content of much value, its lax safety measures can prove to be the weakest link in the chain of your entire organization's IT security policy.

If you're in charge of only a part of your corporate IT system, but that part represents a potential security risk to the entire enterprise, then your concerns are no longer limited to what happens when an intruder hacks an Internet site or has access to private and insecure data. The related costs come into the picture: help desk calls; emergency network services; data recovery experts; network analysts; a security audit; and the inevitable after-the-disaster planning for security precautions that should have been implemented in the first place.

In a worst-case scenario where the system goes down completely (cross your fingers that it's only a temporary situation and that the backup process has not failed due to laziness or ineptitude), calculate the number of people who can't use the system times the number of hours the system is down for. In medium-sized or large organizations that are entirely network-dependent, the costs can quickly become exorbitant and frightening, making any up-front security quotes paltry by comparison.

All that being said, however, it's hard to sell people on worst-case scenarios. The macroscopic consequences of an intranet breach should be mentioned to your stakeholders, but the real planning for network security issues should be the responsibility of your corporate IT team. Your role is to explain why the intranet in particular needs to have security.

The necessity for guarding information in a corporate intranet can best be explained to stakeholders through a walking tour of a real-world office. Most companies have locks on their front door and a receptionist that greets visitors and reacts appropriately. If a delivery or meeting request comes through that front door when it is unlocked during office hours, the receptionist can guide the person or package to the appropriate destination. If a door-to-door salesman or incorrectly addressed package arrives, the receptionist can send them away or call security. Outside office hours, the only people who can walk through that front door are trusted staff with their own keys. This security is all in place to regulate and authenticate traffic from the outside world into the physical space of an organization. Inside the building itself there will typically be further layers of security such as lockable filing cabinets and office rooms, where very sensitive proprietary data can be kept. These cabinets will typically be for storing and managing data for employees and departments like Human Resources, and the locks on them exist to prevent other staff, authenticated visitors, and unauthenticated visitors (who somehow bypassed the front door and reception) from accessing the data - none of which is intended for wide circulation inside or outside the company. If your company has data in a locked cabinet behind a locked door that can only be reached by someone with the right keys after getting past the front door and the receptionist, then there is no acceptable rationale for making that data available on an unsecured intranet.

Even if your intranet is on a private network that is not connected to the Internet, there will be some system users who should not have access to some data. This isn't because these users are untrustworthy, but rather because an electronic security policy should mirror an enterprise's existing information access requirements. Digital access can be defined parallel to physical access (who has the keys for a locked cabinet? The same person should have the equivalent passwords on the intranet). If someone needs to be a director to see data relating to a stock's listing on an exchange, or a manager to see staff salaries, then these information security rules - a subset of an organization's broader business rules - should be the same online as they are offline.

These rules, in the context of an intranet, are commonly referred to as a security policy.
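The "keys to the cabinet" rule above can be written down as an authorization policy and checked in code. The following is an added illustration, not code from the book or any project it describes: the roles (director, manager, staff), the resources (stock listing data, staff salaries, a newsletter) and the policy table are constructed assumptions chosen to match the chapter's examples. It contrasts a deny-by-default check, which refuses anonymous users and anything the policy does not list, with the permissive mistake of letting unlisted data through, which is the electronic equivalent of leaving the cabinet unlocked.

```python
"""Deny-by-default access policy that mirrors an office's physical keys.

Added example, not the book's code. Roles, resources and the policy table
below are constructed assumptions, not a real organization's data.
"""
from dataclasses import dataclass, field

# Constructed policy: each resource lists the roles that hold a "key" to it.
# Anything not listed here has no key at all and must stay locked.
POLICY: dict[str, frozenset[str]] = {
    "stock_listing": frozenset({"director"}),
    "staff_salaries": frozenset({"director", "manager"}),
    "company_newsletter": frozenset({"director", "manager", "staff"}),
}


@dataclass(frozen=True)
class User:
    """A system user: who they are, which roles they hold, and whether
    they got past the 'receptionist' (authentication)."""
    name: str
    roles: frozenset[str] = field(default_factory=frozenset)
    authenticated: bool = False


def decide(user: User, resource: str) -> tuple[bool, str]:
    """Deny-by-default check. Returns (allowed, reason) so that every
    decision can be logged and audited, not just the denials."""
    if not user.authenticated:
        return False, f"{user.name}: unauthenticated request for {resource!r} denied"
    allowed_roles = POLICY.get(resource)
    if allowed_roles is None:
        # Unlisted data is treated like a cabinet nobody has a key to.
        return False, f"{user.name}: {resource!r} is not covered by the policy; denied"
    held = user.roles & allowed_roles
    if held:
        return True, f"{user.name}: allowed to read {resource!r} via role {sorted(held)[0]!r}"
    return False, f"{user.name}: no role grants {resource!r}; denied"


def is_allowed(user: User, resource: str) -> bool:
    """Convenience wrapper returning only the decision."""
    return decide(user, resource)[0]


def is_allowed_permissive(user: User, resource: str) -> bool:
    """The mistake to avoid (kept here only to show the contrast): resources
    missing from the policy table are served to anyone who is logged in, so
    new data is 'open' unless someone remembers to lock it."""
    if not user.authenticated:
        return False
    allowed_roles = POLICY.get(resource)
    if allowed_roles is None:
        return True  # allow-by-default: the unsecured intranet
    return bool(user.roles & allowed_roles)


if __name__ == "__main__":
    # Constructed sample users for a quick demonstration.
    director = User("dana", frozenset({"director"}), authenticated=True)
    manager = User("mo", frozenset({"manager"}), authenticated=True)
    visitor = User("visitor", frozenset({"staff"}), authenticated=False)
    for user, resource in [
        (director, "stock_listing"),
        (manager, "stock_listing"),
        (manager, "staff_salaries"),
        (visitor, "company_newsletter"),
        (manager, "quarterly_forecast"),  # not in the policy table
    ]:
        allowed, reason = decide(user, resource)
        print("ALLOW" if allowed else "DENY ", "-", reason)
```

Two design choices carry the chapter's argument: the decision function returns a reason string so that every access, allowed or denied, can be monitored as the text recommends, and the policy table is the single place where a "key" is granted, so reviewing who can see salary data means reading one dictionary rather than hunting through page code.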

"An electronic security policy should mirror an enterprise's existing information access requirements"
Practical Intranet Development
ISBN: 190415123X
Year: 2006
Pages: 124