Abstract: One aspect of the invention is a method for providing restricted access to confidential services without impacting the security of a network. The method includes using a gateway to isolate one or more components providing confidential services from one or more other portions of an enterprise network. A first communication directed to a selected one of the one or more components may be received at the gateway. A determination may be made as to whether the first communication is user traffic or management traffic. The first communication may then be authenticated. If the first communication is user traffic, the first communication is forwarded to a component providing the confidential services. If the first communication is management traffic, the first communication is encrypted and forwarded to a component providing the confidential services. Additionally, components of the sub-network may be monitored to identify malicious changes.

Abstract: According to one embodiment of the invention, a method for managing security for an organization is provided. The method includes receiving a plurality of requests from a plurality of parties. Each request is a request for permission to implement a deviation from a security rule. Each request includes a statement describing a benefit associated with the deviation. The method also includes determining a risk associated with the deviation. The method also includes deciding whether to approve each request based on the determined risk and the statement. The method also includes storing the requests and a status of each request. The status indicates whether the request is approved. The stored requests includes at least one approved request. The method also includes deciding, after a predetermined time period, whether to continue an approval of the approved request.

Abstract: One aspect of the invention is a method for providing restricted access to confidential services without impacting the security of a network. The method includes using a gateway to isolate one or more components providing confidential services from one or more other portions of an enterprise network. A first communication directed to a selected one of the one or more components may be received at the gateway. A determination may be made as to whether the first communication is user traffic or management traffic. The first communication may then be authenticated. If the first communication is user traffic, the first communication is forwarded to a component providing the confidential services. If the first communication is management traffic, the first communication is encrypted and forwarded to a component providing the confidential services. Additionally, components of the sub-network may be monitored to identify malicious changes.