A corporation has various business goals, many of which involve profit expectations and return on investment (ROI). Lapses in the design of the corporate architecture, and unaddressed security risks to data storage and processing, can undermine those goals. Although several industry and government regulations are intended to strengthen a corporation’s information security posture, no regulation should be treated as a one-size-fits-all solution. In my experience, many “InfoSec” regulations have proven insufficient: they foster a perception of risk awareness, but they provide limited help in preventing and mitigating vulnerabilities, because they tend to prescribe common preventive measures without addressing the network architecture as a whole. Without sufficient identification of security risks, it is difficult to measure the business goal of sustainability. Newton’s Third Law of Motion states that for every action there is an equal and opposite reaction. Likewise, every customer record written to storage has a corresponding method of extraction; in practice it has several. The security goal of record keeping should not be to eliminate risk, because that cannot be done. The goal should be to detect the presence of vulnerabilities and build a framework that significantly reduces the level of risk.
Basic Threats to an Organization
Not every business has the same problems, but the threats to information security are broadly similar. Basic threats include unpatched and outdated systems, unrestricted Internet browsing, weak workstation security controls, mobile work environments, untrained and/or insufficient staff, malicious software, and poorly secured network environments.
According to the tenets of defense in depth, there are three elements that an organization must incorporate in its information security plan:
- Defense of the networks
- Defense of the enclave boundaries
- Defense of the computing environment
Defending the networks strengthens the confidentiality of customer data and the integrity of the network. Defending the enclave boundaries involves the appropriate deployment, configuration, and management of firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and other hardware-based protections. Defending the computing environment encompasses access control protections on the hosts themselves. Let’s define these elements further and discuss applicable means of defense for each.
Defense of the Networks
Confidentiality is the property that information and data remain private and are disclosed only to those authorized to see them. For a healthcare provider, this means adopting methods that keep patient health information concealed so that it can be viewed or transmitted only by authorized individuals and organizations; the most sensitive patient data must be protected from unauthorized access. Integrity is the property that data is protected from unauthorized modification or deletion, whether by an outsider or by an authorized user acting beyond their permissions. Network defenses that support these properties include strong authentication (passwords), encryption of data in transit, and well-designed access control lists (ACLs).
Defense of the Enclave Boundaries
Enclave boundaries are the points in a network where the most sensitive data and systems are separated from general computing activity. Large entities will have multiple enclaves, while small to medium businesses (SMBs) will generally have one main enclave. It is here that you will most often see a direct relationship among firewalls, IDSs/IPSs, and other security hardware. Exploiting that relationship requires aggregating the logs from each device, which helps you build a more usable picture of your threats, attackers, and vulnerabilities. If you do not correlate logs, you are not using one of the main strengths of the hardware on your network. Use every server and security device as a source of attack awareness, and correlate what they report.
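The correlation just described, as an added example that is not part of the original article: a small Python script that parses three constructed log sources (an iptables-style firewall drop log, a Snort "fast"-style IDS alert log, and an Apache-style web access log), normalizes them into events keyed by source IP, and flags any IP that more than one device reported within a five-minute window. The log lines, hostnames, addresses, rule IDs and the three formats are all assumptions made for the example; the year added to the IDS timestamps is also assumed, because that format carries none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not taken from any real device).
# The three formats are assumptions: an iptables-style drop line, a Snort
# "fast"-style alert line, and an Apache-style access line.
FIREWALL_LOG = """\
2024-03-01T10:00:01 fw01 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T10:00:05 fw01 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2024-03-01T10:00:09 fw01 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2024-03-01T10:01:00 fw01 DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=23
"""
IDS_LOG = """\
03/01-10:00:12.000000 [**] [1:1000001:1] LOCAL Inbound probe to MSSQL port [**] {TCP} 203.0.113.7:51000 -> 192.0.2.10:1433
03/01-10:02:30.000000 [**] [1:1000002:1] LOCAL Possible SSH scan [**] {TCP} 192.0.2.55:40000 -> 192.0.2.10:22
"""
WEB_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:20 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 231
192.0.2.44 - - [01/Mar/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
IDS_YEAR = 2024  # assumption: the IDS timestamp format above carries no year

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
IDS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] (?P<msg>.*?) \[\*\*\] "
                    r".*?\{\w+\} (?P<src>[\d.]+):\d+ -> ")
WEB_RE = re.compile(r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]\s]+)[^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_logs(firewall_text, ids_text, web_text):
    """Normalize all three sources into (device, timestamp, src_ip, detail) events."""
    events = []
    for line in firewall_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(("firewall", ts, m["src"], f"drop dpt={m['dpt']}"))
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{IDS_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            events.append(("ids", ts, m["src"], m["msg"]))
    for line in web_text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            events.append(("web", ts, m["src"], f"{m['status']} {m['req']}"))
    return events


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Map src_ip -> sorted device names for every source IP that at least
    `min_sources` different devices reported within `window` of one another."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[1])
        best = set()
        for i, (dev_i, ts_i, _, _) in enumerate(evs):
            seen = {dev_i}
            for dev_j, ts_j, _, _ in evs[i + 1:]:
                if ts_j - ts_i > window:
                    break
                seen.add(dev_j)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_sources:
            flagged[ip] = sorted(best)
    return flagged


def port_scanners(events, min_ports=3):
    """Source IPs the firewall dropped on at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for device, _, ip, detail in events:
        if device == "firewall":
            ports[ip].add(detail)
    return {ip for ip, p in ports.items() if len(p) >= min_ports}


def load_sample_events():
    return parse_logs(FIREWALL_LOG, IDS_LOG, WEB_LOG)


if __name__ == "__main__":
    evs = load_sample_events()
    for ip, devices in correlate(evs).items():
        print(f"{ip}: reported by {', '.join(devices)}")
    print("port scanners:", port_scanners(evs))
```

In the constructed data, 203.0.113.7 is dropped by the firewall on three ports, then triggers an IDS alert and finally reaches the web server with an injection-style request, so it is the only address flagged; the other three sources each appear on a single device and stay below the threshold. The same normalize-then-group-by-source pattern scales to a real aggregation point (syslog server or SIEM), where the parsers become one per device type.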
Access to the enclave is often restricted through policies and processes implemented on servers and network hardware that programmatically restrict access. The network appliances deployed can include packet-filtering firewalls, which decide whether a request should be forwarded into the network; Web application firewalls (WAFs), which filter HTTP traffic between the Internet and a Web server; routers and switches with traffic-flow controls such as ACLs and VLANs; and proxy-based firewalls, which terminate the client connection and forward the request to the intended destination on the client’s behalf.
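The packet-filtering decision above, and the ACL design mentioned under Defense of the Networks, as an added example that is not part of the original article: a Python model of a first-match access list with an implicit deny, including a check for shadowed rules. A weak rule set, in which a broad allow precedes the guest-network deny so that the deny can never fire, is shown beside the corrected ordering. The address ranges (10.50.0.0/24 as the enclave, 10.10.0.0/16 as the staff LAN, 10.99.0.0/16 as the guest network) and the Rule structure are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port


def _matches(rule, proto, src_ip, dst_ip, dport):
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First-match evaluation with an implicit deny at the end: the first
    rule whose fields match decides the packet's fate; a packet that matches
    no rule is dropped. Returns (action, index of the deciding rule)."""
    for i, rule in enumerate(rules):
        if _matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match. A shadowed deny is the classic
    ordering mistake: the intended restriction silently does nothing."""
    out = []
    for i, rule in enumerate(rules):
        r_src = ipaddress.ip_network(rule.src)
        r_dst = ipaddress.ip_network(rule.dst)
        for earlier in rules[:i]:
            if ((earlier.proto == "any" or earlier.proto == rule.proto)
                    and r_src.subnet_of(ipaddress.ip_network(earlier.src))
                    and r_dst.subnet_of(ipaddress.ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == rule.dport)):
                out.append(i)
                break
    return out


# Hypothetical addressing for the example: the enclave holds the sensitive
# database; staff and guest networks are both inside the corporate /8.
ENCLAVE, STAFF, GUEST, CORP = "10.50.0.0/24", "10.10.0.0/16", "10.99.0.0/16", "10.0.0.0/8"

# Weak: the broad allow comes first, so the guest deny below it is shadowed.
WEAK_RULES = [
    Rule("allow", "any", CORP, ENCLAVE, None),
    Rule("deny", "any", GUEST, ENCLAVE, None),
]

# Corrected: specific deny first, then only the service the enclave must
# expose; everything else falls through to the implicit deny.
CORRECTED_RULES = [
    Rule("deny", "any", GUEST, ENCLAVE, None),
    Rule("allow", "tcp", STAFF, ENCLAVE, 443),
]

if __name__ == "__main__":
    guest_to_db = ("tcp", "10.99.1.5", "10.50.0.10", 1433)
    print("weak     :", evaluate(WEAK_RULES, *guest_to_db),
          "shadowed:", shadowed_rules(WEAK_RULES))
    print("corrected:", evaluate(CORRECTED_RULES, *guest_to_db),
          "shadowed:", shadowed_rules(CORRECTED_RULES))
```

With the weak ordering, a guest host reaching for the database port is allowed by rule 0 and the deny at index 1 is reported as shadowed; with the corrected ordering the same packet is denied, a staff host is allowed only on TCP 443, and any other protocol or port hits the implicit deny. Real firewalls apply the same first-match semantics, which is why rule order, not just rule content, has to be reviewed.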
Defense of the Computing Environment
Defending the computing environment entails using hardware and software controls to ensure the privacy of data on the hosts themselves. Most SMBs likely have a basic firewall, but that alone will not guard against the multitude of current Internet-based attacks. Defenses include software and hardware to prevent host-based attacks (e.g., viruses, worms, and other malware), data injection attacks (e.g., SQL injection [SQLi] or cross-site scripting [XSS]), and attempts to make server resources unavailable through denial of service (DoS).
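The two injection classes named above, as an added example that is not part of the original article: a vulnerable SQL lookup beside its parameterized form, and a vulnerable HTML greeting beside its output-encoded form, run against a constructed in-memory SQLite table. The table contents, the function names and the payloads are all assumptions made for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table for the example; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def lookup_vulnerable(conn, username):
    # VULNERABLE: the untrusted value is spliced into the SQL text, so quote
    # characters in it change the structure of the statement.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # HARDENED: a bound parameter reaches the engine as data; the statement's
    # structure is fixed before the value is ever seen.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_vulnerable(name):
    # VULNERABLE: untrusted text is written straight into the HTML body.
    return f"<p>Hello, {name}</p>"


def render_greeting_escaped(name):
    # HARDENED: HTML-encode on output so the browser renders it as text.
    return f"<p>Hello, {html.escape(name)}</p>"


SQLI_PAYLOAD = "' OR '1'='1"                          # closes the quote, appends a true clause
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", lookup_vulnerable(conn, SQLI_PAYLOAD))      # both rows
    print("parameterized:", lookup_parameterized(conn, SQLI_PAYLOAD))   # []
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_escaped(XSS_PAYLOAD))
```

The vulnerable lookup turns the payload into `WHERE username = '' OR '1'='1'` and returns every row; the parameterized lookup searches for a user literally named `' OR '1'='1` and returns nothing. The escaped greeting contains `&lt;script&gt;` rather than a script tag. A WAF at the enclave boundary can catch common payloads, but these host-side fixes are what remove the vulnerability.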
[For more from the author on this topic, see “Architectural Risk Assessment: Matching Security Goals to Business Goals.”]