Managed Network Security

CTP is a Managed Technology Services company. We have customers ranging in size from fewer than 5 up to 200 employees. Our services are tailored to the needs of each of our customers, and range from full network support of end-user devices, networking and servers to some portion of this – typically integrating with an internal IT person or team.

Cloud-based or Not

Many of our customers are, as we say, allergic to the cloud – and prefer to keep all information on-premises, perhaps replicated to off-site dedicated virtual machines for disaster recovery / availability purposes.

Others of our customers are cloud based, with no servers or network infrastructure on-premises. In fact, members of such a company can work equally well from a company office or connected to the Internet from any location.

Server-centric or Not

Some companies are server-centric, operating with dedicated servers, generally as virtual machines (cloud technology) hosted on-premises (private cloud) or in a shared public cloud.

Other companies rely entirely on hosted services: e-mail, file share, collaboration (perhaps via Microsoft Office 365), CRM, accounting, and applications specific to the particular business.

Network Security

All of these companies have a common group of network security concerns:

  • MFA – Multi-Factor Authentication, to protect against authentication with stolen credentials.
  • Policy based management of end-point devices.
  • Internet Web Security (IWS) with Data Loss Prevention (DLP), scanning all data transferred via web services.
  • End-point protection – anti-virus, management of USB storage, DLP
  • Secure data sharing, within and outside the company.
  • Monitoring and detection of intrusion
  • Backup of all internal information.
  • Forensics

Network Security

The IT network of many small businesses can typically be described as this:

  • Client devices – PCs, laptops, Macs, netbooks, mobile devices
  • e-mail
  • Office apps – documents, spreadsheets
  • File storage for sharing
  • Business apps – CRM, financial, apps specific to your line of business

Network security used to mean a firewall and anti-virus on all of the PCs. Security requirements, even for the small business, have expanded.

  • Authentication (verify the person) and authorization (verify access rights) – requiring identity services.
  • Multi-factor authentication (MFA) and strong passwords
  • Encryption of information in motion, at rest, and in some cases file level encryption.
  • Policy based device management, enforcing security best practices on client devices.
  • Internet web security, for inspection of all web traffic to and from the company. This technology can include decryption and Data Loss Prevention (DLP).

Cloud technology – private or public?

Network services – cloud service or private VM?

Most on-premises data centers, even for the smallest businesses, operate with cloud technology, hosting several or many virtual machines on one or a few physical host servers. For the smallest companies this is becoming the case as hardware comes to end-of-life, leading to a decision between migrating to new hardware on-premises (private cloud) or off-premises.

Once a company is operating with Virtual Machines, where a VM is hosted can become a detail – on-premises, in a regional data center or with the largest services.

For a company supporting a server simply to host e-mail and file share services, a natural next step is to move each of these to hosted services, similarly to the CRM, accounting and specialized business services: e-mail to Office 365 or Gmail, file share to SharePoint or Google Docs.

The security requirements outlined two points above can be implemented with any of the means of service delivery just mentioned – on-premises data center, regional or global hosted private virtual machines, or hosted services. This is necessarily so, one might say, due to the importance of network security and the market pressure for cloud services to provide for that security.

The means for delivering security on-premises include use of Active Directory Group Policy to apply consistent policies to all computers connected to the domain. Management of security for the Active Directory domain, shared files, authentication and authorization of users for access to network services are all well understood and managed on-premises.

Private Virtual Machines hosted by cloud services can be similarly managed – the architecture is generally the same – it is just that the VMs are now located in a public cloud off-site. Some of the details behind the management technology do change, but this is well understood.

Microsoft Office 365 and Azure services have come the closest to replicating the services that are available on-premises, as might be expected of Microsoft. CTP has experience with introducing good security practices to companies operating on an all Office 365 / Azure Active Directory platform.

CTP NETWORK SECURITY

Security Tools

  • Intrusion detection
  • Web security server
  • Enforced strong passwords.
  • Two factor authentication
  • Data Loss Prevention (DLP)
  • Encryption

Certificates – Secure Communication & Verification of Identity

  • Internal PKI (Public Key Infrastructure)
  • Basis of advanced web security
  • Secure network communication

Experience has shown that small company networks are just as much a target as the big guys, and maybe more so. Breaches of small companies are not as newsworthy as the multi-million compromised accounts or high-profile e-mail breaches. On the other hand, small company networks are generally easier to penetrate, and cybercriminals are finding these to be a profitable target.

Some questions follow:

  • What information might your company have – would theft of that information be an inconvenience/embarrassment or would it put your company at risk? Perhaps proprietary information that forms a basis of the value of your company, or specific information pertaining to your clients – such as financial, personal, or health information.
  • How are cyber criminals able to penetrate your network?
  • What measures might be taken to protect your network? And at what cost to implement and maintain?

The answers to the first question, what information is stored on your network, will be important in determining the security measures that are justified.

For the second question – how are cybercriminals able to penetrate your network – for some time this has been most easily done by tricking someone within your network into opening an attachment or clicking a web link. The typical small company network is generally good at preventing connections from the Internet into the internal network, while being openly permissive to connections from the inside out. It follows that malware or another mechanism operating within the network may open a malicious connection to the outside, through which a cybercriminal may now enter. How is this outbound connection initiated? Most commonly through an employee opening an attachment or clicking on a malicious web link!

It can be difficult to detect or visualize a network attack or breach, leading to a range of problems: a false sense of security on the one hand, anxiety on the other, and difficulty in responding to an attack. And yet, this problem can be broken down to become much more manageable. Consider:

Access / perimeter control: prevent the attack in the first place. Hopefully your company already has a reasonable firewall and anti-virus software on all computers. Common sense measures include authentication, and good training of all employees regarding best practices around opening attachments or clicking on embedded links.

Intrusion detection: upon successful penetration of a network, an agent or person will typically begin to explore your network, searching out information of interest. This activity can often be detected, leading to an alert, and raising the intrusion from invisible to visible and known.

Control of outbound information: a successful penetration is not of value if information cannot be exported from your network. There are good measures and technologies that can help with this.

Make the Move

For a small business, moving to the cloud is a no-brainer. You get scale, power, redundancy, reliability, disaster recovery, accountability, professional management, maintenance, and security but, perhaps most importantly, you get freedom from managing business technology yourself — a perennial headache if there ever was one.

Move IT Infrastructure to the Cloud? What SMBs Need to Know, by Allen Bernard, Small Business Computing.com

Testimonial

“As the IT Director at Bridge Energy Group, I grew to rely on CTP for my Microsoft-centric application projects. From a messy Exchange migration that was handled expertly which drastically improved both performance and reliability, to a complex SharePoint implementation, to a complete configuration of SCCM, I know I can always count on the expert staff at CTP to execute in a friendly, professional manner. Do it with CTP, and do it right the first time!”

– Mike Davis