Most small business networks grow and evolve as the business grows. In one way, this is good. It shows the business is growing, becoming stronger. Unfortunately, from a network perspective, it can be a disaster in the making.

Most small business networks are set up in a peer-to-peer (P2P) format. In contrast, large corporate networks are set up in a domain format. What does this mean to you?

First, let us define the two network formats. In a P2P format every PC is responsible for its own security access. Basically, each PC is equal to every other PC in the network. These networks generally consist of fewer than ten computers and require a large amount of administrative overhead to function securely.

In this format the attitude of the user population is of prime importance. If they have a high level of security consciousness then your network will be more secure; if they don't, your network will be wide open to insider exploitation.

You can see the problem. Ten computers and ten administrators equal little accountability.

In a domain system there is a single point of administration, your network administrator. He is responsible for maintaining the network.

A network set up in this format consists of at least one server, a domain controller, to administer the rest of the network. This domain controller manages user and computer access, freeing the network administrator from the necessity of touching every PC in the network.

When a user logs onto her PC in a P2P network she only authenticates on it; in a domain system it is a little more complicated.

In a domain system, when she logs onto her computer, her login ID is first checked with the domain controller. If it is found she is granted access to the network resources assigned to her. Then she is allowed to log on to her desktop. If her ID isn't found then she only has access to her local PC.

Now that you know a little about the two network structures you can see the advantages of the domain design.

As stated earlier this format requires planning to achieve. You must sit down and outline what you want your network to accomplish.

Consider what access your users really need to do their jobs. In the computer security world this is called granting the least amount of access required to do the job. Do your sales reps really need access to your financial files? What about external vendors?

All of this needs to be thought out and addressed.

Here's an example of how I set up a small sales organization. This business consisted of about eight employees and the two owners. With the assistance of the owners we defined three user groups.

The owners group was granted full and complete access, while each of the other groups received lesser and different access. The admin group received access to the financial and administrative functions, and the sales group received access to the sales and customer management data. Specifically, they were excluded from the financial and administrative and the owners' functions.

Additionally, we set up auditing of both successful and unsuccessful attempts to view certain types of data. We did this to add a layer of accountability to the network. This increases the security of their customers' data because we can now tell who accessed the data and when.

Network security personnel know that most network security breaches occur from the inside!

In my experience most small businesses use the P2P format because it is the easiest to implement and because they don't know the security compromises they are working under.

This can be a ticking time bomb for your business. Eventually, you will experience a security lapse that could land you in court.

For instance, you have an employee leave your business. This employee downloaded all of your customer data before he left. Next, he sells this data to someone who uses it to steal the identity of several of your customers. Eventually, this theft is discovered and traced back to your employee.

Your former customers, in fully justifiable outrage, take you to court charging you with negligence. Specifically, they hold you responsible for failing to safeguard their personal information.

Your case will be much stronger if you can show you have positive control of your network. You can point out your security procedures: employee logon auditing, security updates, acceptable use agreements, etc. In short you can show that you have taken the steps that a reasonable person would take to secure your network and customer data.

Hopefully, your lawyer can then place the blame directly where it belongs: on the employee who stole the information in the first place. Ask your attorney about this! Don't just take my word for it; I'm not a lawyer.

Remember, network security is a result of thorough planning, not haphazard improvisation. Give your network the same attention you give to the rest of your business.
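The three-group setup and the success/failure auditing described in the sales organization example, modelled as an added example that is not part of the original article. The group names follow the text; the user names, the data category labels and the choice of which categories are audited are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed policy mirroring the article's three groups.
# Category labels are illustrative assumptions, not taken from a real system.
POLICY = {
    "owners": {"financial", "administrative", "owner", "sales", "customer"},
    "admin": {"financial", "administrative"},
    "sales": {"sales", "customer"},
}

# Assumption: these are the "certain types of data" whose reads are audited.
AUDITED = {"financial", "customer", "owner"}

# Constructed user-to-group assignments (a domain controller would hold these).
MEMBERS = {"olivia": "owners", "adam": "admin", "sam": "sales"}

audit_log = []


def request_access(user, category, when=None):
    """Return True if the user's group may read the category.

    Default deny: unknown users and unlisted categories are refused.
    Every attempt on an audited category is recorded, allowed or not.
    """
    group = MEMBERS.get(user)
    allowed = category in POLICY.get(group, set())
    if category in AUDITED:
        audit_log.append({
            "when": when or datetime.now(timezone.utc),
            "user": user,
            "group": group,
            "category": category,
            "result": "success" if allowed else "failure",
        })
    return allowed


def who_accessed(category, result="success"):
    """Answer 'who and when' for one audited category and outcome."""
    return [(e["user"], e["when"]) for e in audit_log
            if e["category"] == category and e["result"] == result]
```

Calling `who_accessed("customer")` lists every recorded successful read of customer data with its timestamp, and `who_accessed("financial", "failure")` lists the refused attempts.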