1. How to Ensure Your Organization’s Network Is Safe From Intrusion
Establishing trust between the enterprise and its IT infrastructure is an essential part of security. Organizations must be confident that valuable data transmitted across a network is safe from theft and intrusion. This notion of trust implies the need for independent bodies to define what constitutes a secure solution. The National Institute of Standards and Technology (NIST), Common Criteria and ANSSI have established guidelines for all aspects of secure IT solutions, including hardware and software design, supply chain and process control. For the enterprise, trust is established through solutions that are evaluated by independent laboratories for compliance with these standards. In this eWEEK slide show, using industry information from Nokia security expert Chris Janson, we examine some of those criteria.
2. Security Is Trust
A house is thought secure when its doors and windows are locked, protecting against intruders. The comfort of security comes through trust in the locks and in the integrity of the doors and windows. Security is based on the trust we place in mechanisms that protect something of value.
3. Encryption Is but One Segment of Data Security
Encryption is the most commonly used data protection mechanism in networks. But encryption alone is not enough: Strong keys, intrusion protection, standards-compliant trusted platforms and other elements are also essential.
4. AES-256: The Gold Standard of Encryption
AES-256 is what you need to encrypt data in flight. Developed in 1997, it has yet to be cracked and will provide excellent protection for years to come.
5. Key Strength and Quality Are Essential
Security is only as strong as its weakest link. High-quality and high-strength keys must be used to ensure maximum encryption strength and minimize the danger of compromise as quantum computers become a viable threat.
6. Supply Chain Must Be Trustworthy
Hardware and software systems must come from trusted, reliable sources where controls are in place to avoid malware and malicious bugs. Beginning in the design phase and continuing through manufacture, delivery and operation, a trusted supply chain ensures process integrity.
7. What Are Crypto Certifications?
Building trust requires independent standards and testing for compliance with those standards. Several bodies have defined what is required of cryptographic modules, with specific needs varying by region.
8. FIPS 140-2
In the United States, NIST defines cryptographic requirements in its Federal Information Processing Standard 140-2 document. Four levels are defined, ranging from basic cipher algorithms to tamper-evident physical enclosures and automated response to unauthorized access.
9. CC EAL
Common Criteria (CC) Evaluation Acceptance Level (EAL) is an international framework for IT security, developed cooperatively among several nations. CC EAL levels grade the confidence that a system’s security features are reliably implemented.
10. ANSSI
ANSSI is a French government agency that defines security standards to ensure the integrity of data essential to national security. ANSSI is recognized as a leader in cyber-security standards within and beyond the European Union.
11. Trust but Verify Through Independent Certifications
Security solutions must be built upon trust with the vendors supplying them. Security features and compliance with independent standards should be verified through independent laboratory evaluation.