A Global Network Secure Access Zone for The Coca-Cola Company

A Global Network Secure Access Zone for The Coca-Cola Company
Submitted by

Wade Lemon and Kimberly Fey

What is a Global Network Secure Access Zone?

To put it simply, a Global Network Secure Access Zone is a space created to monitor and manage access to a network and information. Different technologies are employed, in conjunction with each other, to create these Secure Access Zones (SAZ). Think of it as a house. The inside of the house is the secured space and the doors and windows, with their keys and locks, are the security that monitor and manage the flow in and out of the house. Different factors will influence the architecture of this SAZ:

Level of security required for the information

Methods users will have to access the information, i.e., Internet, virtual private networks, etc.

Geographic coverage required

Type of information being transmitted, i.e. transactional information would be latency sensitive

Why does The Coca-Cola Company need a SAZ?

The Coca-Cola Company is made up of a network of different groups around the world that need to be able to share information. There are primarily three types of users that need access to the global data network:

Third party organizations like Bottlers and Customers

Remote users like telecommuting employees

Company locations throughout the world

The current security infrastructure and policies have grown over time and consist of various solutions. Consistence needs to be brought to the security of the network so current security requirements may be met and access to the network may be streamlined. There are growing demands and performance expectations placed on the global data network to have it perform faster, more reliable, and to be scalable. These goals may only be met with a network security that is well thought out and executed globally.

The History of Global Network Security

As mentioned above, most corporations and governments developed the security for their networks over time. They addressed imminent security issues and implemented technologies, as they were proven effective.

Companies started out by placing firewalls between ëoutsideí users and the network. These worked great at first, but, with time, applications became more sophisticated and ëholesí had to be placed in the firewall to allow users the ability to access the information they required in a timely fashion. The hole degraded the firewall effectiveness.

Haphazardly, companies and governments began to see intruders on their networks.

They didnít have systematic methods for monitoring the network security. Intruders might be caught because a technician would notice an unusually high number of login attempts in a short period of time.

The US Government was a prime target for intruders and, consequently, they reacted quicker than most corporations. They upgraded their network security. As a result, threats against US commercial enterprises are on the rise.

Most corporations do not have adequate infrastructure protection from top attackers: Internal Associates, Developers, Hackers; Organized Crime; General Crime.

Some daunting facts:

On average, a new Web server installed on the Internet will be attacked within 1 hour

By year-end 1997 there were 30,000 known viruses. In the beginning of 2001 the number was 50,000

87% of viruses come in the form of attachments sent through networks

What makes up a SAZ?

A SAZ would consist of highly available firewalls, virtual private network switches, network intrusion detection, application servers, and applications. The SAZ can be broken down into three layers:

Red ñ Untrusted Networks. These networks would be the user networks and the

Companyís outbound Internet communication.

Yellow ñ Secure Access Zone. Some Company applications and application servers

would be here along with the network intrusion detection. This would be the private IP address space.

Green ñ Company Intranet. The green space would consist of the global WAN and some applications and application servers.

Strategic Suppliers

A Company has two options in executing network security strategies. Either a firm employs resources directly to design, build, implement, monitor, and manage a SAZ or they hire an outside firm. In the case of security, there are several pros to ëoutsourcingí most of the SAZ functions.

The primary reason is the technology and risks are changing at a rapid pace

It is difficult to keep talented security technologists

There are economies of scale in building, implementing, and especially monitoring and managing the SAZ

Below is an outline of the firms that provide outsourcing services:

Service	Top Suppliers
Designing the SAZ	PWC, IBM
Building and Implementing the Global SAZ	IBM, Equant
Monitoring the SAZ	IBM, ISS
Managing the SAZ	IBM, Equant, AT&T
Complete Outsourcing	IBM

Critical Success Factors

There are several critical success factors that need to be managed to mitigate risks:

Risk Area	Mitigating Action
Transition Management	Put in place a Transition Project Management Office
Cultural Acceptance	Build an Effective Marketing plan
Applications	Sunset applications that are too expensive to move into the SAZ
Response Time	Implement additional network capacity
Supplier Contract	Review baseline volumes and service levels regularly and adjust pricing
Supplier Relationship	Joint Supplier/Company steering committee: Audits, QA reports and Escalation Procedures

Recommendation

The recommendation is to create a

Scalable, extensible, redundant Network SAZ architected by a

Supplier

A turnkey Supplier managed security service with service levels

Supplier hosts environments and manages all hardware and software

Service level +99% availability

Migration planning conducted jointly for third party lines, remote access users and applications

Application development guide for new environment

Security policy

Glossary

Firewall: A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Intruders: Any entity that accesses a network without proper authority. It could be an internal employee, a developer, a hacker, etc.

Virtual Private Network: A network that is constructed by using public wires to connect nodes and use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

IP: IP, or Internet Protocol, specifies the format of packets and the addressing scheme. IP is something like the postal system. It allows you to address a package and drop it in the system, but there's no direct link between you and the recipient. TCP/IP, on the other hand, establishes a connection between two hosts so that they can send messages back and forth for a period of time.