In-Depth
Securing Your Enterprise with a Many-to-Many Software Deployment Model
How deploying hardware in the data center that runs a centralized security suite that handles multiple security configurations can protect a diverse set of end users.
by Joel Silberman
Enterprises today face the twofold challenge of adopting highly effective, customizable information security solutions while reducing complexity and costs. Many enterprises have deployed point solutions for various security problems, which has created complex infrastructures that are extremely expensive to manage and maintain, highly prone to human error, and poorly integrated. Many security vendors have claimed to solve this problem by acquiring multiple point products and bundling them as "suites." However, when security products are built by different companies, integration is often difficult and expensive, hence many "suite" offerings are really a professional services engagement disguised as a software sale.
Natively integrated secure Web gateways aim to eliminate the costs and complexity of managing individual security solutions while improving the overall security of an enterprise. For natively integrated secure Web gateways to successfully consolidate content security, they need to deliver several key benefits. First and foremost, they must provide high flexibility and be capable of scaling for rapid enterprise growth. Second, they must be easy to customize and manage, which reduces overall security management costs. Finally, these secure Web gateways need a simple, centralized management console to seamlessly tie together all of the products (e.g., anti-virus, anti-spam, and URL filtering) in the gateway.
IT administrators have typically considered customizable security solutions to be expensive. This assumption is due to the prevalence of the one-to-many software deployment model, in which an enterprise "pushes" instances of a single, static security suite to a large group of users. In this scenario, cost and complexity are kept under control by accepting that the same configuration of the suite will be delivered to each end user. The drawback to this approach is that not all users have the same security requirements. An employee using a poorly-suited security application risks having productivity hampered by overly restrictive or sensitive filters. Even worse, an enterprise could risk having business-critical information be compromised when the filters are not sufficiently sensitive.
The one-to-many model can work well for an enterprise that does not need to define different security policies for its employees and when the enterprise is not geographically distributed. However, for an enterprise to add new security policies or branches offices, it is often necessary to add new appliances or servers in the data center, which quickly increases both costs and complexity.
A new model is emerging in enterprise security, the many-to-many model, which is made possible by multi-instance/multi-tenant security solutions. The many-to-many model consists of deploying hardware in the corporate data center that runs a centralized security suite capable of delivering many configurations of the security software to a dispersed group of end users.
The many-to-many model presents numerous advantages to enterprises, including scalability and customization. Enterprises deploying this model can scale to meet the needs of hundreds of thousands of end users from a single box. This scalability saves enterprises both real estate and power costs as less rack space is needed in the data center to host the security software and less power is consumed. The many-to-many model provides high degrees of customization and flexibility and allows an enterprise to specify security policies by location, individual, and group. This granular control makes the overall security practices of the enterprise more effective and secure.
For example, if a company's anti-spam or Web-filtering applications were overly sensitive for the work requirements of a specific user, the sensitivity of both applications could easily be adjusted remotely for that user only by an administrator using a Web-based console that controls the centralized security suite. This ability to quickly fine tune the sensitivity of these filters minimizes over-blocking and improves end-user productivity.
Centralized management of security policies from a single console is one of the key benefits of the many-to-many security model. Without being able to easily view and access each policy, overall security management becomes more complex and error prone. Likewise, centralized management capability allows enterprises that are geographically distributed to house all of their security IT infrastructure and management in a single, centralized location, eliminating the need and expense of deploying and managing security point solutions at branch offices.
Enterprises should beware of security "bundles" that aren't integrated and can't be centrally managed. Some best-of-breed vendors sell centralized management tools separately from their security suites, mainly because the centralized management tools were developed after all of the elements of the bundle were cobbled together. The effectiveness and ease of use of the management tools is typically not as good as centralized management consoles that are designed from the ground up in natively integrated content security suites.
Finally, enterprises should always factor in the total cost of ownership when deploying content security suites. Some security bundles might seem inexpensive at first, but the cost of managing them can be significant if it is difficult to customize and centrally manage the suite. Companies should also factor in the need for scalability and chose a security suite that can easily scale. Not all integrated security suites are created equal, but with careful planning, enterprises can find one that rises to meet the complex scalability, customization, performance, cost, and reliability requirements that today's high-performance networks demand.
- - -
Joel Silberman is the vice president North America, Optenet. You can reach the author at jsilberman@optenet.com