Denis Zenkin (Russia) - Intranet Security: Tears in Rain

There is a common problem in many organizations' approach to intranet security - they treat intranets as an internal tool hidden deep in the corporate network and somehow immune from external attacks. This is far from the truth.

The latest IBM X-Force 2009 Trend and Risk Report shows that web applications are the largest source of security threats, making up 49% of all vulnerabilities detected last year. An intranet is basically a web application exposed to a hostile environment in the same way as the corporate website, and is therefore vulnerable to the same scope of threats. The fact that it is intended for employees and trusted parties doesn't guarantee anything against hacker attacks, viruses and spam.

Failing to introduce a dedicated intranet security policy entails a range of risks associated with sensitive information leakage and data loss. For many businesses, safeguarding intranets is even more important than protecting their websites. Intranets usually contain extremely confidential assets crucial for both day-to-day activity and strategic business development. A successful attack may result in disruption of the organization's operations, significant reputation damage and infringement of legal regulations.

To avoid unexpected embarrassment after launching an intranet, organizations must carefully evaluate the solution's capability to cope with security issues. I suggest considering the following options when choosing an intranet solution.

Integrated security framework
Vendors normally claim they do have security features in place. Don't be reluctant to check what specific features they offer. Most probably, intranet security will be limited to user rights management and SSL encryption, thus leaving the stand-alone system vulnerable to web attacks.

Proper security tools in place
Check the list of must-have security features for an intranet solution. The shortlisted items include: web application firewall, web anti-virus, one-time passwords, anti-phishing protection, data integrity checker and backup.

Follow the best intranet security practices
Security tools only work when they are properly managed. Security measures act as oil that makes your car move. This includes patch management (with special attention to the intranet's third-party plug-ins), regular software updates and correct configuration of the security framework. Third-party security tools like IDS/IPS systems should also be considered as they may help complete the overall security concept, covering important areas not protected by the intranet solution.

Intranet security policy
Security is something that has to be woven into the fabric of an IT environment. Development of a dedicated intranet security policy is just the first step towards protecting your internal assets. It has to be tightly integrated with the enterprise-wide security policy to ensure that everything works in concert. Most importantly, intranet security is a process, not a one-time state. It requires regular updates and constant attention to tackle the latest security challenges.

External advice
Even if your organization can afford a security expert, it is very important to have third-party advice at all stages of intranet deployment and maintenance. Regular external security audits add value to your intranet protection.

User awareness
The human is the weakest link in the security chain. Even with best-of-breed tools in place, an organization may still fall victim to a web attack that involves social engineering tricks. Therefore, it is crucial to train intranet users in the basic rules of web hygiene.

Unfortunately, however, the biggest problem in intranet security is that vendors often neglect to integrate security features in their products, leaving customers alone to face serious business continuity challenges. This is a disturbing trend that misleads customers, giving them a false sense of security. Vendors prefer to concentrate on the basic functionality, relying on third-party security solutions to fill in the blanks. As a result, organizations are required to determine for themselves how best to protect their intranet assets. This method is simple for the vendor, but leaves the client with increased project and implementation time and costs as well as additional manageability issues.

However the security of the intranet is addressed, it's hard to overestimate the importance of proper integration of the intranet security policy with the enterprise-wide security policy. Without this integration, your intranet may end up as the weakest security point of your IT assets.

For more information read Bitrix's recent white paper "Web security is within your reach. 10 ways to keep hackers in check and ensure safe web resources".

Denis Zenkin has 15+ years' experience in marketing high-tech products. He currently leads global marketing at Bitrix, Inc. - a multi-national developer of intranet solutions with a special focus on small and medium-sized businesses.


