
NETWORKOLOGIST

Swallowing Your Intranet Lima Beans

by Patricia Schnaidt

A few people are still trying to figure out what an intranet is; others wonder if they just made a bad purchasing decision by installing Lotus Notes a month ago instead of waiting for Web-based groupware to mature; still others wonder which tools and architecture to use for a Web-based application, while some are lab-testing virtual private networks to discover if they can reduce leased-line costs while still providing the same level of service. Whatever tops IS managers' Internet to-do list, security should be a common and top-level concern.

Security, like lima beans, is one of those things that's good for you but hard to swallow. If you're motivated by fear, there's no shortage of scare stories to make you want to serve those security lima beans to every one of your users. Take the August attack on the Department of Justice Web site. Or the entertainment company that gets hundreds of attacks on its Web site every day. Few organizations want to publicize their break-ins because no one wants to make a career out of publicizing mistakes or carelessness. Bragging about security measures isn't popular either, because no one wants to inadvertently challenge a would-be hacker.

There's no better time for you to examine your organization's security policies and practices. Although the allure of a technology solution is always strong to the IS person who is motivated by technology, the biggest part of security is administrative. Security is policy, awareness and enforcement. Examine the security health of your entire network, from user to CIO, from within the corporation as well as from outside. And it requires constant vigilance to be aware of hacking attempts.

Accessible Means Insecure

While you're securing the perimeter and the inside of the network, pay particular attention to your new (or forthcoming) intranet. An intranet is all about making information easily accessible to those within your organization as well as to your business partners and customers. It's hard to find information on client/server networks because the users have to know on which server and in which directory the data resides, and you must have the same application as the creator of the data. The confusion provides a level of security. Easily navigated intranets promise to change all that.

Remember the adage that says the biggest threat to your corporate information comes from your employees, not outside hackers? It's doubly true for intranets. While you may be focused on ensuring that your business partners only access exactly what they need, your employees are the ones who have enough knowledge to know what information is valuable and how to get it. (Worst-case scenario, they know which competitor would buy it.)

Now you have your mainframe data published through a Web server, and anyone with a browser, having assumed the right permissions, has direct access to your most critical business systems. Your organization's product pricing information and inventory levels are easily available, and without the right security, they can be available to those who do not need to know. Intranets and need-to-knows can seem at cross-purposes.

Once your security policies are set, you must weave a patchwork of security protocols that operate on different layers into a single security blanket. Most technology solutions involve encryption, which, if it is sufficiently strong, has export restrictions, and, on a more local level, requires much processing power. On the application level, Web servers offer Secure Sockets Layer (SSL) and Secure Hypertext Transport Protocol (SHTTP) for encrypted transactions. On the network layer, IPsec will enable you to use encrypted IP to build virtual private networks among your offices using the Internet (response time problems being resolved, of course) so that you can forgo expensive leased-line connections. RSA Data Security, along with many other vendors, is running a trial of IPsec with its SWAN effort. On the dial-in side, Microsoft is proffering the Point-to-Point Tunneling Protocol (PPTP), or encrypted PPP to NT servers. Pay close attention to intranet security and define your solution carefully and with the right tools. An intranet and its attendant applications that are built with both eyes toward security will provide a feast of corporate information that's readily available to the right users at any time.

Patricia Schnaidt can be reached at pschnaidt@nwc.com.




Updated September 9, 1996

