Defense In Depth: A Blueprint For Security

Neither firewalls nor seven-pointed tin stars can protect IT from the realities of today's security threats. Gone are the days when IT could assume that the Internet was the sole purview of bored hackers, script kiddies, and other cyberbrats. Threats now come from within the corporate boundaries. Desktops must be assumed to be corrupted, applications infected. IT needs to find a way to protect the data. Welcome to the IT gunfight of today.

If that has you worried, then you're not alone. Deloitte reported last year that the vast majority--83%--of technology, media, and telecommunications companies were concerned about "employee misconduct involving information systems."

The better news is that we have the blueprint for a solution. With this comprehensive data security plan, networks and desktops are secured against threats. Most of the technology for implementing this strategy already exists; some is just coming to market. Taken together, these technologies let IT defeat even the toughest gunslinger, whether inside or outside the company corral.

NEW SECURITY LANDSCAPE
Outsourcing and a mobile workforce contribute greatly to the security woes. In virtually every enterprise, users must access corporate resources from outside the confines of the traditional network. As these users increase in number and need, the assumptions we make about their intentions, capabilities, and overall security threat must change.Attackers access the Internet from seemingly innocuous third-party Wi-Fi networks, turning once "friendly" domains into the new attack vector. No longer can we assume that just because a user accesses a corporate resource from a partner's domain or even one of the company's own branch offices that the person isn't hostile or otherwise compromised. For that matter, with one of the greatest threats coming from disgruntled employees, even trusted desktops have to be watched.

Security architects must build an infrastructure that will minimize the opportunity for data abuse. This is particularly true today, when regulations require companies to show a "best effort" in monitoring and controlling data usage.

At the core lies data protection. Protecting data by admitting or denying access to applications remains a fundamental capability. More difficult is restricting data usage and availability when users have at least some need to see or modify data. For example, even those users who can change a document's contents may have to be restricted from copying, forwarding, and altering that information later.

Restricting those capabilities at the right time and in the right way is the key. Data may be editable on day one but only be viewable by day three, and even if the data is editable, all changes may need to be tracked.

To some extent, such rights management already is incorporated into some applications. Adobe Systems, for instance, provides some of those capabilities within Acrobat. What's missing is the ability to administer these as cohesive policies across platforms and applications. Providing those capabilities requires overarching digital rights management and more specifically the use of the Trusted Platform Module microcontroller included in most business PCs, and popularized by applications such as BitLocker, which is included with Vista.

(click image for larger view)ADMISSION CONTROL
Surrounding data access policies (see diagram, "A Model For Secure Data Access") is an intelligent means of regulating the way applications access the network and local applications. Most IT shops are deploying network access control architectures that admit approved devices and quarantine devices not conforming to corporate security policies.

Some ITers find those problems solved by other means, such as automating patch updates. "NAC solves the wrong problem," says Stuart Berman, security engineer at Steelcase, an office-furniture maker. "NAC is sold today as a means of protecting the network from viruses. But we haven't had that problem in years."

The real problem, says Berman, remains how to secure the network via user logon and tracking. IT requires a smart NAC, if you will, smart enough to restrict access to network resources based on user identity--not just the system's configuration.

APPLICATION ACCESS
Two technologies show great promise for restricting application use. One approach relies on IT knowing the applications approved for execution on a corporate workstation. IT creates a "whitelist" of permissible binaries, identified with hash indexes to prevent altering. Unlisted applications or listed applications with a different hash are prevented from executing on the desktop.While effective in preventing rogue application access, whitelists may break down in the face of changing IT trends around desktop governance. IT has long battled for management of desktops viewed by departments and employees as their turf. The phenomenon is made worse as PC prices fall and smartphones get more powerful.

One solution may be desktop virtualization. The corporate-approved virtual machine will be where users run all company applications and access the network. Citrix Systems, Microsoft, VMware, and others sell such products.

SECURE THE HOST
IT's next job is to protect the host from threats residing on the network and vice versa. Endpoint security applications will continue to consolidate into suites providing firewall, antivirus, anti-spyware, and anti-spam capabilities as well as host-based intrusion-prevention systems. We expect this trend to continue with a single agent replacing security and management agents.

Restricting network access once users have been approved for the network is the final step in the security blueprint. The solution begins by deploying policy enforcement points, or PEPs, throughout the network. These devices enforce legal, regulatory, and contractual policies. Once admitted, users are prevented from accessing resources or carrying out actions that conflict with those policies.

At its most basic, this means increased use of physical and virtual firewalls to prevent users from accessing systems with sensitive data. PEPs provide post-admission control through IPS capabilities to ensure compliance with corporate policies.PEPs are managed through a common console and query a policy decision point within the management console for current policies. PEP management, like all infrastructure management, is part of the holistic view of the enterprise management system, which pulls together information about identity, services, and applications as well as infrastructure.

David Greenfield is an IT consultant and freelance writer. Write to him at [email protected].