Building a Blueprint for Network Security
December 29, 2003
By Paul Rubens

An Overall Security Architecture
OK, so far these have all been stopgap measures, but what’s really needed (in fact required — but more on that later) is an overall security architecture rather than a series of ad-hoc measures. “A high-level security architecture is a set of guiding principles, an orderly arrangement of security components,” says Mark Bouchard, a senior program director at Stamford, CT-based Meta Group.
A security architecture should define roles, responsibilities, and a policy framework all the way down to the finest detail in a hierarchy. And the buck must stop with a Head of Information Security, who takes ownership of – and responsibility for – the architecture.
A corporate security architecture will probably include a business process catalogue and a domain structure that divides the organization into manageable – and meaningful – portions with different security requirements. Clearly, valuable R&D data has a different value — and as a result needs a different level of protection — than customer contact details, so these would be in different domains.
Other domains could include an executive domain and a typical user domain. Using a series of tools, models, and templates, appropriate security measures should be defined right down to the level of firewalls and passwords.
The purpose of this division by domains is quite simple — it’s all about risk management. It’s not worth spending $100 on a fence to protect a $10 horse — in other words, the security measures you take should be proportionate to the value of the information you’re protecting.
The purpose of the architecture is to take this process of risk management and codify it into a set of rules with which you can engage business users, who are understandably more interested in doing their jobs than in protecting your company’s assets.
Ultimately, a security architecture is a blueprint for all your security efforts. “Without one to guide you, investments in security will be tactical, reactive. Instead of fixing things, you will probably fix one thing and introduce new vulnerabilities at the same time,” says Bouchard.
There’s one further point in favor of ensuring you have an effective security architecture in place — it’s obligatory. Regulatory and fiduciary responsibilities demand that you take security seriously and address it thoroughly, and the Federal Trade Commission says you need to have a plan. Your security architecture is this plan.