Page 1 of 2   next page »

Information security is a top priority for many companies. Protecting information from external threats such as hackers, viruses, and spam, as well as governmental regulation requirements (SOX, HIPAA, NISPOM, etc.), are driving IT purchases beyond ROI as C-level executives seek to assure shareholders (and themselves) that assets are secure within the company complex. Viewed as today's growth market, many software/hardware/service companies are creating offerings to mitigate perceived risk or actual liability.

The security environment within some organizations may be somewhat lax - "safe" behind the routers, IDS, and firewalls. In this article, I'll discuss how to create a security architecture, including analysis, planning and prioritizing security needs, and I'll examine the following topics:

• Understanding security architecture
• Balancing threats, costs, and the value of secured assets
• Creating an architecture that fits the business framework
• A layered examination of security, including network access, application access, external access, and physical access

Understanding Security
Security architecture differs from other kinds of security in that it addresses requirements from a high-level perspective as opposed to a tactical perspective. When possible, you should understand your company's security requirements before specific security issues are implemented. It's as important to know your own assets, where they are deployed, and what they're worth to your company, as it is to know what threats they are facing.

Security architecture can become very complex. By looking at security from multiple perspectives, including external access and physical security, network security, application and computer-specific security, you'll be looking from the outside in as well as from the inside out. These perspectives must also be balanced against other business requirements, financial and otherwise. Whatever model or security architecture you use, you are trying to ensure that your assets are available, reliable, and safe. Consider Figure 1.

The confidentiality perspective prevents your competition from siphoning off the cream of your company's products. The integrity perspective protects your information from unauthorized modification with verifiable, auditable access records. The availability perspective ensures that information within your business is accessible at all times. Your security architecture should focus on delivering these three attributes. Securing your information while keeping the click-and-mortar business open and vibrant is a very challenging task.

Dollars and Sense
When planning your security architecture, you are governed by overriding factors including time and money. In some cases, spending one makes more sense than the other. For example, a small company pushing their first product into the marketplace may require a security architecture overridden by cost above all (if the product doesn't make it to market, having a safe infrastructure doesn't matter). They may have to phase in security measures over time. At the other end, non-compliance with a regulatory security standard could cost a company a large account, or even threaten its ability to remain open for business (see Figure 2).

It's also important to understand that the strategic view of your enterprise security architecture is a view of where you want to be. Few companies can afford to start from scratch with regard to implementing security. For example, your company may currently address physical access with Intrusion Detection Systems, gateways, and firewalls. These are integral elements of a good architecture, but alone they may not adequately address the risk to your company.

To create the appropriate architecture for your business, you need to strike a balance between the value of assets being protected and the cost of the protection. As a general guideline, protect the highest valued assets most stringently. This may be your source code and the servers it resides in, or perhaps the marketing info including the initial public offering data. Tape backup into an offsite location may provide adequate protection for some businesses (based on the cost/value analysis), while others may require biometric access to the clean rooms where prototyping is occurring. Secure higher-priority assets first, and keep moving forward with planned steps to reach a secure destination.

Create a Security Architecture That Fits the Business Framework
As we have seen, there are multiple perspectives in a security architecture. Many models exist that may match one, some, or all of the important perspectives. There are many framework examples, including the Lattice, the Federal Enterprise Architecture Framework, the Clark-Wilson or Biba models, and many other reference models (see the hyperlink section for reference links to these and other frameworks). In each case, the common goal is to create a balance between the business needs and the information systems that support them. Understanding what is important in relation to other things in your business helps you value both the assets and the corresponding protection you will afford them.

For example, Figure 3 is an X-Y graph that shows assets increasing in value (up the vertical axis), facing increasing risk over time (on the horizontal axis extending to the right).

This simplistic representation shows the most highly valued assets facing the least exposure to risk over time, descending in value to assets that can withstand increased exposure to risk over time. Whatever method you use, the value of assets in your enterprise needs to be determined. Revisit these models when you acquire additional assets so that their value is properly established and defended. In this way, there is an ongoing evaluation of what assets are present and their security needs within the business framework.

Network Security Architecture - It's Not Just Firewalls Anymore
As your customer community grows more sophisticated and begins to expect more protection from your products or services, the potential for accidental or intentional misuse or attack within your company grows as well. A majority of data loss in companies today occurs via credentialed accounts. Similarly, reliable and correct delivery of information on your LAN or WAN is no longer guaranteed via TCP/IP, with address spoofing and snooping available to anyone on your network, unless network security is active from the inside-out as well. Evaluate this short list of network security mechanisms as potential additions to your security plan:

• Data integrity checks and data encryption: Stored before and compared after critical data transmission, integrity checks can include encrypted totals, which can identify data transmission errors. Network transmissions using encrypted totals need to use the same encryption at each end of the transmission, either via the network or via the application after delivery. Using different encryption methods for different types of transmissions or different data streams makes data transmission even more secure. SSH, SSL, and Secure Telnet are examples of network applications that encrypt their data in transmission. If you have multiple locations (i.e., R&D in one office, finance in another), data transmission between the offices should be encrypted and the contents verifiable.
• Transmission logging: Storing an audit trail for transmissions or applications that transmit data can include the transmission date, time, transmission type, source, and destination.
• Transmission loss: In some cases, data loss on an otherwise reliable network can indicate port-scanning activity (i.e., someone viewing transmission samples looking for vulnerabilities). With 65,535 TCP ports on a system (using TCP/IP as the lion's share of network traffic), active data transmission to well-known ports such as http (port 80) or telnet (port 23) are the tip of the iceberg, but are often the first point of attack. To defend against this activity, keep port-scanning tools off of the network with a published mandate in security policies known to all employees, backed up by a periodic review of hardware and software inventory on computers. Keeping unused ports closed and current network patches on systems also enhances network security.
• Change control review: While many system and network administrators view change control as an impediment, reviewing network devices or software before they are introduced allows a larger perspective, including the security and business framework. The extra time spent here is inexpensive insurance over the system's life cycle. This is particularly true when your company is starting up operations. Documenting and following best practices produces repeatable, reliable results.

Page 1 of 2   next page »