01 Mar Proxy server: How to build a highly efficient policyTempo de leitura: 7 minutos
This issue is a constant challenge for many companies and there is no rules to minimize the negative impacts of misuse of the Internet on corporate environments. This is easily understood because each business has its particularities and needs, so there is a complexity involved in what is efficient, for each reality, requiring that the process be highly personalized.
Many people think an efficient policy strongly restricts users’ access to the Internet, which in some cases may be a valid premise, we know that the restriction can cause negative impacts mainly associated with productivity, different from what is commonly thought.
On the other hand, leaving the accesses uncontrolled can present a high risk of security, since it allows intentional attacks, as well as the diversion of information and some opportunists, generated by an access to some website that contains malicious content, which later takes control of the equipment and may cause some damage to the company. In addition, accesses released on users with little awareness can negatively affect productivity. In addition, accesses released on users with little awareness can negatively influence productivity.
Placed these counterpoints and reflections serving as an introduction, it ratifies that the theme is complex. This means that there is no common solution; however, some points can be understood so that you can build a highly efficient proxy policy.
Highly efficient means basically defending the organization’s interests in terms of security, productivity and other items, ensuring that employees can maximize their activities with the use of the Internet, without harming the company. In this guideline, each segment and company with its business maturity will be able to structure an appropriate policy, which respects these basic pillars.
Small businesses are those little computerized ones or that have few computers in their structure. Many people also think that this kind of business does not have to be protected, which is a great mistake. Any company connected to the Internet, conducting processes by use the internet, or the ones that stores internal systems, should take security seriously.
For these business, security is not expensive, since there are solutions for all budgets, so the important thing is to protect yourself. In this sense, a commonly used policy for small businesses is a global list of banned or allowed websites.
If the small business needs a very high level of control, it prefers to block absolutely everything and only release what is known and is linked to work activities, this potentially avoids the risk of security incidents, although it is a little more complex to mount this list, this is why many websites currently carry content from other addresses.
It is natural, in these cases, that some websites seem misconfigured, but a good security company will know how to apply settings and map the requirements so that the user can fully access the websites of interest to them.
If the company needs to granulate the accesses, it means creating different policies for each equipment, it is also possible, but it considerably increases the complexity of management, which may escape the initial need.
Before continuing in the post, it is worth a very important caveat: policies have to work for everyone otherwise the company takes risks. It is often said that a security policy or architecture is as strong as its weakest link.
This means that creating access policies for an entire organization and keeping exceptions to the rules on management positions is a very high risk because the point of attack or contamination may come from computers with higher levels of access.
If the policy allows it, ensure that either these devices are properly isolated, physically or through VLANs; this potentially prevents the escalation of access to other networks, invalidating any policy created.
In many organizations it is common for some accesses to be allowed and blocked globally, this means that it is valid for all computers and users. This is an interesting and very common measure because it allows known addresses to be classified, without having to be repeated for each sector or user, for example.
In this case, there is a minimum list of allowed addresses that do not present risks or discomfort with the policy of accesses and another with content to be blocked, so they will never make sense to be accessed within the business environment.
If someone needs to access a particular website in this structure, then it should be removed globally and replicated to those sectors that need such access.
Depending on the size of the company, there is a very clear differentiation of the access needs among sectors and people in higher positions.
In these cases, it is common that there are global access permissions, but there is an unfolding of the policies for the sectors, leaving the access more personalized and consistent with the activities of the same.
This concept of access rules based on sectors or people/computers can also be deployed with access levels, which is independent of the area, but is linked to the default access profiles created.
For example, you can have Level0 with unrestricted access to any content, Level1 with access to everything except a list of banned websites, Level2 that has no access to anything except list of allowed websites, among others. Thus, instead of working by sector, one can link groups or users/computers to levels, which considerably reduces the complexity of managing access policies.
This granularity is extremely important because it ensures you securely meet different access needs, based on sectors or access levels.
An interesting additive in many proxy solutions is website categories, usually a large database that contains sites organized by interest categories (entertainment, news, games, etc.).
This feature greatly facilitates the definition of access-by-interest policies. For example, employees in the company’s marketing sector may have accesses allowed only to sector-related content categories. Collaborators in the financial sector may have access only to categories of banks and related matters.
Proxies with pre-defined website categorization, where the base is qualified, facilitates the creation of access policies respecting the interest of company and users.
Often overlooked, but important to audit access policy regularly, especially if there is more than one person or team responsible for managing the proxy. This will ensure policy compliance with what is actually running on the proxy. In many situations the rules are created and changed without any compliance with the policy; be aware of it!
Another important success factor for implementing a highly efficient policy is to track users’ accesses and check if they comply with the policy. Several solutions offer automated reporting sent by e-mail, to sector managers and the like.
This decentralizes the technology sector’s responsibility to audit accesses, having a policy without auditing or tracking access may be a myopic view that the environment is in fact secure.
One of the most important aspects of building and maintaining an access policy is to dialogue with employees and to raise awareness of their importance. It is necessary to remove the stigma that this type of action only serves to restrict access. By participating in this process, users take more awareness and knowledge, truly helping the organization.
There are market segments that cannot flex their policies because they deal with very sensitive information. In these cases, the policy needs to be tightened by the nature of the business. However, most segments allow flexibilities without losing the level of security.
Talking to users, creating internal security awareness policies, are key points to complement the technical side of any solution. The human side is always a weak link, so it is important to train them.
As reported at the beginning of this post, there is no standard access policy that fits all business; we brought some points of reflection that serve to create the most efficient policy for your business.