Securing your peer-to-peer networks

Rather than invest in servers that can be bulky and costly, some companies are choosing to set up peer-to-peer (P2P) networks. While P2P networks can be cost effective by harnessing the computing power of existing computers, they can also leave corporate networks open to security risks and financial losses. In P2P, each computer functions as both a client and a server.

Large and small corporations, as well as workgroups, can benefit from using P2P networks, said Cheryl Currid, president of Currid & Co., a Houston-based research firm. "P2P will give organizations super computing power by utilizing assets that they own or can rent for low fees."

P2P networking is a cost-effective model for legitimately sharing IT assets across a network," said Frank Bernhard, managing principal of the supply chain and telecommunication practice at Davis, Calif.-based Omni Consulting Group LLP.

There are also benefits for highly mobile users, Bernhard said, due to the low cost of implementation. "To put a really robust frame relay network in place costs a lot of money," he said.

In addition, with P2P, companies can have a user-to-user interface for training, such as with the Macintosh application Timbuktu. In a help desk environment, the support technician can see the user's screen, Bernhard said.

Yet with the convenience and low cost of P2P networks come security risks. "P2P, as an architecture, has no security," Currid said. "Unless an application provides security, there is none. Most applications, including Napster, do allow for some form of security."

Additionally, it is difficult to authenticate users inside the organization, Bernhard said. A user may give out or otherwise compromise a password, for example. "Think about users who may or may not be who they are on the network," he said. "There is no way to truly authenticate users into the network environment." This can lead to a loss of the company's secrets and intellectual property. Bernhard estimated that companies lose 5.57% of their gross revenue this way.

P2P networks, as unprotected environments, also open systems to viruses, Bernhard said.

To thwart security problems, companies should check the application carefully, Currid said. "If [the application] meets an organization's risk management limits, then there should be no problem," she added.

"Design a security policy that works and governs effectively," advised Bernhard. Additionally, make sure employees understand the value of the intellectual property. For example, if a laptop is stolen, it's not just the $2,000 for the machine that the company loses, he said. The company also loses the time that went into a project plan, which is stored on the computer.

"Reward people to positively protect assets," Bernhard said. Organizations should also audit their security policies and look for any holes, he said.

In some cases, P2P is implemented by giving each computer on the network both client and server capabilities, while in other cases, applications (such as the infamous Napster music file-sharing program) allow users to use the Internet to exchange files.

To maintain security across users, the IT staff of an organization needs to be trained on the different P2P applications, Currid said. "Since security currently resides within an application, then it's important for the corporate IT staff to understand the nuances of each P2P application," she said.

Some products do integrate security better than others. Currid cited applications from Groove Networks, Applied Meta, Popular Power, United Devices and Entropia as having already tackled security issues.

"Organizations will need to test the waters and decide whether they want to implement P2P exclusively behind the firewall or a more public system," Currid said.

"P2P offers a lot of promise and benefit," Currid said. "I know that security concerns will scare many IT managers -- but it shouldn't stop them."