Complex environments need complex security

As corporate environments become ever more complex, security becomes increasingly important.

Lisa Kelly and Laurika Bretherton

Keeping everyone in the organisation happy while providing the right people with secure access can be a challenge. Three companies share their best practice experience with Computing.

Case study: Dyson
"Be completely paranoid" is the advice Dyson's support and technology officer Simon Lambe offers about IT security.

The appliance manufacturer cannot afford to let the dust settle on its security strategy because, as Lambe explains: "We are very protective of intellectual property.

"It's vital to safeguard information. The smallest piece of malicious software has the ability to sniff traffic and we can't have that.

"The importance of that goes right to the top, to Mr Dyson himself. It makes acceptance of security measures straightforward for the whole company."

Dyson's security strategy has matured along with its network over the past five years. From running a number of standalone Apple Macs, its network has grown to more than 70 servers in the UK with 1,000 users, and a further 20 servers and 250 users internationally.

A critical part of its wide area network is a virtual private network (VPN) connection between Dyson's head office in the UK and its manufacturing operations in Malaysia.

However, its VPN was also acting as the main firewall, and there was concern that increasing traffic across this link was creating a potential single point of failure.

"A breach of this link would take down too many services," Lambe recalls. "We needed a reliable and secure solution for the business on a 24x7 basis."

Dyson decided to maintain a dedicated firewall and install a separate VPN from SonicWall, with encryption capabilities at head office to minimise risk. It was later extended to the company's international operations.

Lambe can now "sleep better at night", but is still not complacent.

"The propagation of email-borne viruses is increasing around the world and companies are coming under more and more attacks," he says.

To guard against these threats, Dyson has a very strict security policy.

"Contractors are not allowed to connect private machines to our network; we provide them with a Dyson machine. We also use multiple antivirus vendors on our gateway so we have three-stage antivirus protection," he says.

Looking to the future, Lambe is attracted by the possibilities of wireless technology, but his paranoia about security makes him cautious.

"We have a trial wireless network in the IT department, but I am more paranoid about wireless. A physical network has the controls of the boundaries, but wireless networks don't."

Case study: ICI
Having completed a huge six-year business transformation, international chemicals firm ICI wanted to secure its largely outsourced network infrastructure.

The company, which makes paint, foods, fragrances and personal care products, now consists of four international businesses, having sold more than 50 subsidiaries.

The transformation presented a huge security challenge. ICI's 400 web addresses were targets for attacks on data, applications and the corporate identity.

"We needed a clear and accurate picture of which devices were exposed to attacks," says ICI global information security director Paul Simmonds.

"Intelligent decisions for security management require precise details for every attached system. If you can't measure security, you can't manage it."

ICI had previously followed common strategies such as an annual penetration test, and relied on service level agreements with third-party IT providers.

These static measures did not generate enough useful information for ICI's fluid infrastructure, which changes on an hourly basis.

To ease the problem, the company implemented the QualysGuard Enterprise web service.

"We sat down on a Thursday afternoon at 2pm and finished by 4pm," says Simmonds. "The two-hour set-up allows us to immediately scan security on all outsourced network infrastructure, including all third-party global suppliers."

To use Qualys, the only thing ICI staff need is a web browser. "It is rare for products and services to work this well out of the box. Not many security or IT products do this," Simmonds observes.

Scanning the infrastructure used in third-party networking services was a crucial step in ICI's security strategy.

It now includes the 'right of audit' in all supplier service contracts. ICI scans all global infrastructures for vulnerabilities at least once a week, and automatically sends copies of results to each supplier.

Case study: AMEC
A rapidly expanding mobile workforce demanding remote access posed a serious security problem for international engineering services giant AMEC.

While the company wanted as secure a system as possible, it was essential that it was also user-friendly.

"We have a lot of workers on client sites, at airports or at home, who need to access information easily and securely," says AMEC UK IT infrastructure manager Nigel Bacon.

"We looked at authenticating access to the network on the firewall, but it was clunky and not simple, because users had to know the exact URL to get the information they wanted."

Achieving a high level of granular control over who could access what information was a major security requisite.

"The nature of our business means we have many partnering arrangements. Users must have access to systems hosted internally for project-related information, but we don't want them having free-for-all access and wandering around the whole network," explains Bacon.

Meanwhile, senior managers travelling regularly require consistent access to more sensitive information.

AMEC piloted two rival VPNs to determine the strength and user-friendliness of their security features. In the end it opted for Whale Communications' e-Gap remote access appliance.

Now Bacon can define access by user as well as authentication method.

Users who log on to the portal using Microsoft's Active Directory Single Sign-On can have corporate email and intranet access, while partners can view specific pages on the intranet, eliminating the need to create separate 'websites' per partner.

Nailing secure remote access is vital to AMEC's bottom line.

"Part of our company strategy is to win more business overseas - up to 50 per cent in the future," says Bacon. "We must prepare for that by ensuring tight security to the corporate network from remote locations."

However, he is aware that users must be comfortable with the security demands placed on them.

"We are here to serve users. If they are not happy with the security systems, they will find ways of getting around it or persuade people to do that for them."
