Ask The Security Expert: Questions & Answers

Will an application usage policy best control network bandwidth?

Expert response from: Michael Cobb, featured expert

QUESTION POSED ON: 25 May 2009
According to research from Palo Alto Networks, nearly half of all bandwidth within corporate environments is consumed by personal applications such as YouTube, peer-to-peer file sharing and various other consumer applications. Is it better to control this with technology or with an application usage policy? What's more effective?

At the end of the day, you will need both technology and policy. An acceptable application-usage policy can state which of these applications can be used, by whom, and for what purposes, along with strict guidelines about what information can be shared using them. Awareness of this policy should be part of staff training so that everyone understands the purpose behind the rules, as well as the potential risks involved in using third-party tools. Employees should be required to sign off on their awareness of, and agreement with, the guidelines and policy.

If you want to keep your network free of certain applications, such as Skype, your policy must clearly state that they are prohibited. It must also present the penalties for any employee found using them.

It's always helpful to state why certain rules and restrictions are in place. Use of a particular application, for example, could slow down the network for essential tasks and communications. I'd back this up with graphs or statistics showing the effect certain apps have on the availability of bandwidth. People are far less likely to circumvent or ignore policy rules if they understand the logic behind them.

Just having a policy, however, is not enough. To make policy enforcement the norm within an organization, you must be able to detect and punish violators, and this requires technology. There's an abundance of products to choose from that control users' network activities. I personally like Web security gateways, such as the Web Security Gateway from Websense Inc. Deploying this type of technology, along with sensible rules, will manage your data and control employees so that your organization can benefit from social networking tools while avoiding many of the dangers. A tool like Microsoft's Windows SteadyState can also help system administrators control what users can and can't do, such as access programs, configuration settings, removable storage devices and websites.

A security policy is essential to manage how enterprise resources, like bandwidth, are used as it's the document that binds all of your security controls together, making sure they complement and strengthen each other. Failure to enforce your policy and apply the stated penalties, however, will render it moot. This is why you need to back it up with technology to not only monitor any misuse, but also to preempt any attempted misuse, either intentional or through simple oversight.

Copyright 2003 - 2009, TechTarget. All Rights Reserved.