Network Security – Not With a Peer-toPeer Network!
Most small business networks grow and evolve as the business grows. In one way, this is good. It shows the business is growing, becoming stronger. Unfortunately, from a network perspective, it can be a disaster in the making.
Most small business networks are setup in a peer-to-peer (P2P) format. In contrast, large corporate networks are setup in a domain format. What does this mean to you?
First, let us define the two network formats. In a P2P format every PC is responsible for its own security access. Basically, each PC is equal to every other PC in the network. These networks generally consist of less than ten computers and require a large amount of administrative overhead to function securely.
In this format the attitudes of the user population is of prime importance. If they have a high level of security conscience then your network will be more secure, if they don’t your network will be wide open to insider exploitation.
You can see the problem. Ten computers and ten administrators equal little accountability.
In a domain system there is a single point of administration, your network administrator. He is responsible for maintaining the network.
A network setup in this format consists of at least one server, a domain controller, to administrator the rest of the network. This domain controller manages user and computer access, freeing the network administrator from the necessity of touching every PC in the network.
When a user logs onto her PC in a P2P network she only authenticates on it, in a domain system it is a little more complicated.
In a domain system she logs onto her computer, her login ID is first checked with the domain controller. If it is found she is granted access to the network resources assigned to her. Then she is allowed to log on to her desktop. If her ID isn’t found then she only has access to her local PC.
Now that you know a little about the two network structures you can see the advantages of the domain design.
As stated earlier this format requires planning to achieve. You must sit down and outline what you want your network to accomplish.
Consider what access your users really need to do their jobs. In the computer security world this is called granting the least amount of access required to do the job. Do your sales reps really need access to your financial files? What about external vendors?
All of this needs to be thought out and addressed.
Here’s an example of how I setup a small sales organization. This business consisted of about eight employees and the two owners. With the assistance of the owners we defined three user groups.
The owners group was granted full and complete access, while each of the other groups received lesser and different accesses. The admin group received access to the financial and administrative functions, and the sales groups receive assess to the sales and customer management data. Specifically, they were excluded from the financial and administrative and the owner’s functions.
Additionally, we setup auditing of both successful and unsuccessful attempts to view certain types of data. We did this to add a layer of accountability to the network. This increases the security of their customer’s data because we can now tell who and when the data was accessed.
Network security personnel know that most network security breaches occur from the inside! In my experience most small businesses use the P2P format because it is the easiest to implement and because they don’t know the security compromises they are working under.
This can be a ticking time bomb for your business. Eventually, you will experience a security lapse that could land you in court.
For instance, you have an employee leave your business. This employee downloaded all of your customer data before he left. Next, he sells this data to someone who uses it to steal the identity of several of your customers. Eventually, this theft is discovered and traced back to your employee.
Your former customers in fully justifiable outrage take you to court charging you with negligence. Specifically, they hold you responsible for failing to safeguard their personal information.
Your case will be much stronger if you can show you have positive control of your network. You can point out your security procedures. Employee logon auditing, security updates, acceptable use agreements, etc. In short you can show that you have taken the steps that a reasonable person would take to secure your network and customer data.
Hopefully, your lawyer can then place the blame directly where it belongs. On the employee who stole the information in the first place. Ask you attorney about this! Don’t just take my work for it, I’m not a lawyer.
Remember, network security is a result of through planning, not hap hazard improvisation. Give your network the same attention you give to the rest of your business.
If you do not have the skills or the time to be your own network administrator, you can contract with someone to handle this for you on a part-time basis. Just make sure they are reputable, you are putting your business in their hands.