The ISCS (Integrated Secure Communications System) is not a new security tool. It is an innovative system to manage existing security tools such as VPN tunnels, firewalls, application proxies, user authentication, intrusion detection, content filtering, virus scanning and remote user IP administration. For most, the biggest security problem is not the lack of tools but the lack of time, expertise and budget to deploy and fully exploit the tools available to us -- in short, security management is a bigger problem than security tools. By addressing the security management problem, ISCS creates secure data networks that are:
The ISCS approach to Access Control is typical of the efficiencies of ISCS. The two principal features of ISCS access control are:
Arrange security requirements to reflect an organizational hierarchy with inheritance so that complex and granular security architectures can be implemented by the security administrator with the least number of policies.
Automate the translation of those policies into the many device specific rules needed to enforce the policies and automate the distribution of those rules to the security devices.
In practical terms, ISCS allows the security administrator to focus on security architecture rather than being an overpaid data entry clerk who must type line after mind-numbing, redundant line of device specific rules. The result is not only a happier security administrator but a 90% reduction in the cost of data network security compared to rules based security systems.
If the security environment cannot be easily managed, it will not be secure no matter how good the underlying technology is. Only 8% of security failures are purely technical failures while human error is the principal cause in 63% [1]. ISCS allows the security administrator to architect the security structure but delegates the tedious and error-prone security rule creation process to the system. Easier administration and less opportunity for human error means a more secure environment.
Time is money and expertise is expensive. Both principles are at work in ISCS. ISCS allows the security administrator to create a small number of high-level, business-process-oriented policies such as "Sales has access to Sales data" and then lets the system do the mundane, repetitive work of turning that statement into hundreds or thousands of device-specific rules and distributing them to hundreds and thousands of devices. The policies can be created in less than 10% of the time it would take to create and distribute all those rules by hand. A 90% cost reduction is a palpable savings.
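The two access control features listed earlier (hierarchical policies with inheritance, and automatic translation into device-specific rules) and the "Sales has access to Sales data" policy above can be sketched as a small policy compiler. This is an added example, not ISCS code: the hierarchy, device names, subnets, and rule format are all constructed for illustration and do not reflect the actual ISCS schema.

```python
# Added illustration: a hypothetical policy model, not ISCS's actual schema.
from collections import defaultdict
from ipaddress import ip_network

# Constructed organizational hierarchy: child -> parent.
PARENT = {"Sales": "Company", "Sales-East": "Sales", "Sales-West": "Sales",
          "Engineering": "Company"}

# Constructed sites: org unit -> (enforcing device, user subnet).
SITES = {"Sales-East": ("fw-boston", "10.1.0.0/24"),
         "Sales-West": ("fw-seattle", "10.2.0.0/24"),
         "Engineering": ("fw-austin", "10.3.0.0/24")}

# Constructed resources: name -> (guarding device, server subnet, TCP port).
RESOURCES = {"Sales data": ("fw-hub", "10.9.1.0/28", 443),
             "Intranet": ("fw-hub", "10.9.0.0/28", 443)}

# High-level policies: (org unit, resource). Descendants inherit them.
POLICIES = [("Sales", "Sales data"), ("Company", "Intranet")]

def ancestors(unit):
    """Yield unit and every unit above it in the hierarchy."""
    while unit is not None:
        yield unit
        unit = PARENT.get(unit)

def compile_rules(policies):
    """Expand policies into per-device permit rules; anything unlisted is denied."""
    rules = defaultdict(set)
    for unit, (src_dev, src_net) in SITES.items():
        inherited = set(ancestors(unit))
        for group, resource in policies:
            if group not in inherited:
                continue
            dst_dev, dst_net, port = RESOURCES[resource]
            rule = (str(ip_network(src_net)), str(ip_network(dst_net)), port)
            rules[src_dev].add(rule)   # egress at the user's site
            rules[dst_dev].add(rule)   # ingress at the resource's site
    return {dev: sorted(r) for dev, r in rules.items()}

if __name__ == "__main__":
    for dev, dev_rules in sorted(compile_rules(POLICIES).items()):
        for src, dst, port in dev_rules:
            print(f"{dev}: permit tcp {src} -> {dst} port {port}")
```

Two policies expand to ten rules across four devices here, and the Engineering subnet never receives a permit for the Sales data servers because that policy is attached below the Company node.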
Because ISCS handles all of the physical device management, the security administrator only need be expert in ISCS and not in each device from each vendor. Device level expertise is always helpful but is also expensive and not always easy to find.
Security implications should be an important consideration in any request for IT service. However, when security considerations delay or derail implementation, the security department becomes part of the problem rather than a partner in the solution. When that happens, business units seek to bypass security and everyone suffers. The ease with which network security may be managed through ISCS allows quick and flexible responses to the security considerations of IT service requests.
ISCS is modular and can work with any device for which a module is written. Thus, ISCS potentially provides a single point of administration for a multi-vendor environment. Vendors can be changed and interchanged without recreating the security environment or learning a new set of management tools. The need to be expert in multiple vendor technologies is minimized. End users are able to preserve their investment in existing systems and even add ISCS functionality to their current equipment. The benefit extends to vendors when an organization and a new vendor wish to do business but face the obstacle of the incumbent investment.
ISCS can be used to implement traditional Internet perimeter security but with all of the advantages described above. The low cost of managing this security allows perimeter security to be distributed to branch offices rather than handling all Internet security in the hub offices. Once Internet-bound branch office traffic is no longer hauled through the WAN to the hub offices for security evaluation, WAN traffic may drop precipitously. WAN costs may be reduced through bandwidth reduction or more bandwidth may be made available for mission critical applications.
The low cost of ISCS managed security allows the implementation of Internet-style security on internal networks. Security experts have long known that 70% of security compromises come from inside the organization. The problem is growing as organizations add more small offices with questionable physical security to the WAN. It is further compounded by Remote Access users, mobile, embedded and handheld computing devices and partner Extranets. Why have we let this 70% security exposure go unaddressed? Why do we allow a branch office that generates less than 1% of revenue to be a potential point of attack against a hub office that generates 40% of revenue? Because it was previously too expensive to implement Internet-style security internally. ISCS removes that barrier and can finally do something about the largest remaining security exposure - internal security.
The sophisticated security management and strong user authentication features of ISCS allow us to implement user security at the network layer. By front-ending legacy applications with an ISCS managed security device, advanced security features such as PKI can be enabled without rewriting a single line of legacy code. Of course, this is a much less sophisticated approach than truly integrating sophisticated user authentication into the application and can do nothing to control access within the application, but it is a very inexpensive, simple and non-disruptive approach.
Traditional security products cannot scale to the number of rules and, most importantly, the rate of change of the rules necessary to cost-effectively manage the sophisticated security of modern distributed, mobile and collaborative environments. If the security environment cannot be easily managed, it will not be secure no matter how good the underlying technology is. Manually created, order-dependent access rules are far too labor-intensive and prone to human error in a constantly and rapidly changing environment. Thus even the most advanced access control management tools are entirely inadequate for contemporary security needs and will be as long as they rely upon manual rule creation.
The ability to quickly create, change and distribute security configurations in a distributed environment -- the ability to cope with change -- is the key differentiator for ISCS. IT departments do not lack security tools. They lack the time, expertise and budget to implement the security they know they need. If that describes the ticking security time bomb you are sitting on, take a look at ISCS. It will help you gain control of your security environment.
For more information and an in-depth white paper on what ISCS is and does, please visit http://iscs.sourceforge.net
[1] "Committing to Security: A CompTIA Analysis of IT Security and the Workforce," CompTIA, 2003