Manufacturers know that you can’t build on a weak foundation and expect a product to stand up over time, but many don’t realize the same principle applies to computer networks. To ensure yours is built and running on a stable structure, you need to look at your security architecture.
Security architecture is the structure and behavior of an organization’s information security systems and processes. It addresses business needs, business optimization and risk to prevent the disclosure and loss of private data. Your business objectives, employee tasks, Internet Technology (IT) and cybersecurity all must flow together to create a unified and secure system. If the network has not been set up with proper security precautions and been maintained over time, there could be many vulnerabilities an attacker could exploit. A security architect can help you analyze your network and create a design that reduces vulnerabilities and risk, and is compatible with business objectives.
Most networks have been built by people who toss in whatever they’ve been told is needed at the time, throwing pieces together so employees and customers can connect to one another can accomplish some task. However, if one piece of that new network design is not secure, none of the connecting pieces will be either. Information systems need to flow so that the data is available and unable to be changed by anyone other than by an authorized person.
Security architecture addresses the following security concerns:
- Authentication - substantiates the identity of a person
- Authorization - grants or denies access to a network resource
- Audit - shows who has accessed a computer system and what operations he or she has performed during a given period of time
- Availability - ensures that the network is always available without service interruption
- Asset Protection - protects information assets from loss or unintended disclosure, and resources from unauthorized and unintended use
- Administration - allows administrators to add and change security policies and the people and groups who use systems
- Risk Management - manages risk continually
Even though security may not have been top of mind when most networks were created, it is never too late to bring a security architect into your security strategy. The longer you wait to create a security architecture design, the more difficult, time consuming and more costly the job becomes.
A professional security architect who understands network and business policies, risks, and budgets can design a plan that fits your needs over a specified time period. The architecture should follow a security framework by one or more of the world’s most trusted cybersecurity organizations, such as the National Institute of Technology (NIST), SANS, ISACA, or the International Standardization Organization (ISO).
SANS organizes Security Architecture into five phases:
No. 1 - Security Assessment: The security assessment looks at the security of your network at present by evaluating threats and vulnerabilities, and looking at the architecture of your data, applications, and infrastructure. The assessment should include a Business Impact Analysis to help determine appropriate controls throughout the layers of your network.
No. 2 - Target Design: Based on the results in phase 1, the design should list recommendations for changes to infrastructure, policies and security controls.
No. 3 - Policies and Procedures: The policy structure starts with corporate policies, then department policies and then subject policies, which enumerate what type of information must be protected and how it should be protected. When referring to security, you will often hear the term “policies.” There are two types of policies, one that I call “written policies” and one that I call “computer policies.” A written policy cannot physically be enforced, whereas a computer policy can. For example, there could be a written policy, or stated rule, that says all employees must classify all documents pertaining to finance as “confidential,” but if someone incorrectly classifies it as “private” or “public,” you can’t prevent that. A computer policy, however, implements controls that either physically allow or disallow certain actions. For example, if there were a written policy that states, “The marketing department may not view any HR documents,” the systems administrator could create a computer rule that controls access to certain files or drives, prohibiting the marketing department from accessing HR files.
No. 4 - Target Design Implementation: Develop a plan with timelines, funding and resources to meet your organization’s needs.
No.5 - Integration of Security: Since security is just a state in one moment of time, you need to integrate security into two process:
A. Change management process
This is the sequence of steps that your IT team must follow to apply any changes to the network or infrastructure components. The process should include what needs to be done to prepare for the change, how changes will be managed, and what types of data and action you will take after you analyze the change after it has been implemented.
B. Project management methodology and guidelines
You need guidelines that integrate security into all IT projects.
In addition to an assessment of your policies and procedures, you need an assessment of most everything and samples of things that are the exact same in your network. For example, if your network has 50 firewalls, and 30 of them are the exact brand and model and are configured exactly the same as the others, then you may only want to assess seven of the 30 as well as the other 20 firewalls that are all different. Your security architect should provide you with an in-depth report of findings and recommendations, written in simple non-technical language that is easy to understand. It may sound overwhelming, but the report is often more than a hundred pages because it’s extensive. You will never get the perfect network, but you can get it well built and maintained to stop the enemy.
Jeff Multz is Director and General Manager of Japan for Dell SecureWorks.