Blog-N-Play.com
Daniel O’Brien over at Cracked.com has a pretty funny tongue in cheek column about kidnapping Sasha and Malia. I couldn’t help but think of how the Clintons were so obsessed over treatme
Read Digital Edition


ADS BY GOOGLE
Top Three Links You Must Click On


How To Design and Implement an Enterprise Open Source Security Architecture
Ensure Your IT Assets Are Available, Reliable, and Safe

Information security is a top priority for many companies. Protecting information from external threats such as hackers, viruses, and spam, as well as governmental regulation requirements (SOX, HIPAA, NISPOM, etc.), are driving IT purchases beyond ROI as C-level executives seek to assure shareholders (and themselves) that assets are secure within the company complex. Viewed as today's growth market, many software/hardware/service companies are creating offerings to mitigate perceived risk or actual liability.

The security environment within some organizations may be somewhat lax - "safe" behind the routers, IDS, and firewalls. In this article, I'll discuss how to create a security architecture, including analysis, planning and prioritizing security needs, and I'll examine the following topics:

  • Understanding security architecture
  • Balancing threats, costs, and the value of secured assets
  • Creating an architecture that fits the business framework
  • A layered examination of security, including network access, application access, external access, and physical access
In addition, references are provided at the end of the article with links to useful information.

Understanding Security
Security architecture differs from other kinds of security in that it addresses requirements from a high-level perspective as opposed to a tactical perspective. When possible, you should understand your company's security requirements before specific security issues are implemented. It's as important to know your own assets, where they are deployed, and what they're worth to your company, as it is to know what threats they are facing.

Security architecture can become very complex. By looking at security from multiple perspectives, including external access and physical security, network security, application and computer-specific security, you'll be looking from the outside in as well as from the inside out. These perspectives must also be balanced against other business requirements, financial and otherwise. Whatever model or security architecture you use, you are trying to ensure that your assets are available, reliable, and safe. Consider Figure 1.

The confidentiality perspective prevents your competition from siphoning off the cream of your company's products. The integrity perspective protects your information from unauthorized modification with verifiable, auditable access records. The availability perspective ensures that information within your business is accessible at all times. Your security architecture should focus on delivering these three attributes. Securing your information while keeping the click-and-mortar business open and vibrant is a very challenging task.

Dollars and Sense
When planning your security architecture, you are governed by overriding factors including time and money. In some cases, spending one makes more sense than the other. For example, a small company pushing their first product into the marketplace may require a security architecture overridden by cost above all (if the product doesn't make it to market, having a safe infrastructure doesn't matter). They may have to phase in security measures over time. At the other end, non-compliance with a regulatory security standard could cost a company a large account, or even threaten its ability to remain open for business. (See Figure 2)

It's also important to understand that the strategic view of your enterprise security architecture is a view of where you want to be. Few companies can afford to start from scratch with regard to implementing security. For example, your company may currently address physical access with Intrusion Detection Systems, gateways, and firewalls. These are integral elements of a good architecture, but alone they may not adequately address the risk to your company.

To create the appropriate architecture for your business, you need to strike a balance between the value of assets being protected and the cost of the protection. As a general guideline, protect the highest valued assets most stringently. This may be your source code and the servers it resides in, or perhaps the marketing info including the initial public offering data. Tape backup into an offsite location may provide adequate protection for some businesses (based on the cost/value analysis), while others may require biometric access to the clean rooms where prototyping is occurring. Secure higher-priority assets first, and keep moving forward with planned steps to reach a secure destination.

Create a Security Architecture That Fits the Business Framework
As we have seen, there are multiple perspectives in a security architecture. Many models exist that may match one, some, or all of the important perspectives. There are many framework examples, including the Lattice, the Federal Enterprise Architecture Framework, the Clark-Wilson or Biba models, and many other reference models (see the hyperlink section for reference links to these and other frameworks). In each case, the common goal is to create a balance between the business needs and the information systems that support them. Understanding what is important in relation to other things in your business helps you value both the assets and the corresponding protection you will afford them.

For example, Figure 3 is an X-Y graph that shows assets increasing in value (up the vertical axis), facing increasing risk over time (on the horizontal axis extending to the right).

This simplistic representation shows the most highly valued assets facing the least exposure to risk over time, descending in value to assets that can withstand increased exposure to risk over time. Whatever method you use, the value of assets in your enterprise needs to be determined. Revisit these models when you acquire additional assets so that their value is properly established and defended. In this way, there is an ongoing evaluation of what assets are present and their security needs within the business framework.

Network Security Architecture - It's Not Just Firewalls Anymore
As your customer community grows more sophisticated and begins to expect more protection from your products or services, the potential for accidental or intentional misuse or attack within your company grows as well. A majority of data loss in companies today occurs via credentialed accounts. Similarly, reliable and correct delivery of information on your LAN or WAN is no longer guaranteed via TCP/IP, with address spoofing and snooping available to anyone on your network, unless network security is active from the inside-out as well. Evaluate this short list of network security mechanisms as potential additions to your security plan:

About Richard Williams
Richard Williams is director of education for Symark Software in Agoura Hills, California. With over 20 years of experience in systems administration, architecture, and design, Richard oversees the development and delivery of Symark's University Training Program in providing customer support to global enterprise customers.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

How is article in anyway related to open source?

Information security is a top priority for many companies. Protecting information from external threats such as hackers, viruses, and spam, as well as governmental regulation requirements (SOX, HIPAA, NISPOM, etc.), are driving IT purchases beyond ROI as C-level executives seek to assure shareholders (and themselves) that assets are secure within the company complex. Viewed as today's growth market, many software/hardware/service companies are creating offerings to mitigate perceived risk or actual liability.

Designing and Implementing a Security Architecture. Information security is a top priority for many companies. Protecting information from external threats such as hackers, viruses, and spam, as well as governmental regulation requirements (SOX, HIPAA, NISPOM, etc.), are driving IT purchases beyond ROI as C-level executives seek to assure shareholders (and themselves) that assets are secure within the company complex. Viewed as today's growth market, many software/hardware/service companies are creating offerings to mitigate perceived risk or actual liability.

{{{governmental regulation requirements (SOX, HIPAA, NISPOM, etc.)}}}

Are there any good online resources on these, on SoX for examle?

}}} reliable and correct delivery of information on your LAN or WAN is no longer guaranteed via TCP/IP, with address spoofing and snooping available to anyone on your network {{{

How true. Sadly.


  Subscribe to our RSS feeds now and receive the next article instantly!
In It? Reprint It! Contact advertising(at)sys-con.com to order your reprints!
Subscribe to the World's Most Powerful Newsletters
Linux Links You Must Click On !


Lo Ultimo
Hoy comienza en El Cairo una competición para 444 estudiantes procedentes de 124 países y regiones e...
Mars mostrará su programa de sostenibilidad de cacao como parte de una exposición de sostenibilidad ...
ADS BY GOOGLE
SYS-CON Events announced today that Yahoo!, a leading global Internet brand and one of the most traf...
With an ever-increasing number of companies now buying computing, storage, and networking power as t...
Yahoo! is investing significantly in Cloud Computing to support the company's global applications an...
SYS-CON Events announced today the latest event in its innovative series of real-world technology co...
ESRI, the leader in geographic information system (GIS) technology, was selected as one of two final...
Aster is seeking to level the playing field on the data warehousing entry front, and that message sh...
"What's fueling the interest in RIA?" asked Regev Yativ, President & CEO of Magic Software Enterpris...
The concept was very well received by non-developer IT Pro's and developers that are experts in othe...
Why are we so confident about the first point? Because IMAP support in WebMail Pro now includes quot...
Business users already heavily rely on their BlackBerry smartphones for telephone and wireless email...
Mimosa Systems, a provider of next-generation email, file and SharePoint archiving solutions, today ...
Businesses need the latest technologies to help them meet their needs, support their goals and compe...
F5 Networks, Inc., a provider Application Delivery Networking (ADN), has announced integration betwe...
Comodo's free pc security software, Comodo Internet Security, has earned five stars, the maximum num...
Oracle has announced the general availability of Oracle Service-Oriented Architecture (SOA) Suite 11...
As part of today's Oracle(R) Fusion Middleware 11g launch, Oracle announced that Oracle Fusion Middl...
With the advent of Cloud Computing, the cost of computation, application hosting and content storage...
Virtualization, viewed as one of the most promising technology investments in an economic downturn, ...
Red Hat, Inc., has announced the Premier Cloud Provider Certification and Partner Program, designed ...
“SOA serves as the foundation for the move into the cloud,” stated Dr. Kareem Yusuf, Director Produc...