Security Program Best-Practices 3
July 22, 2013
Security Program Best-Practices – Part 3
This blog continues our Security Governance Series with the next installment of recommended security program best-practices drawn from a broad sample of assessments.
As a refresher, in Part 1 we shared some typical gaps, deficiencies, or needs for improvement, summarized in the Opportunity Matrix below. The Opportunity Matrix can be used as a capability maturity assessment and iterative planning tool to present proposed next steps to executive management for approval and funding.
Part 1 and Part 2 of the Security Program Best-Practices series covered an overview as well as Gap 01 through Gap 05 inclusive. In this blog we will discuss Gap 06 – Develop Network Security Architecture through Gap 07 – Develop Network Security Roadmap, per the summary below.
- GAP 01 – Identify Requirements: Security Policy, Regulation, and Laws
- GAP 02 – Develop Security Governance Program
- GAP 03 – Establish Network Security Organization
- GAP 04 – Establish Security Collaboration Working Group (WG)
- GAP 05 – Develop and Maintain Network Security Standards
- GAP 06 – Develop Network Security Architecture (3-5 Year Objective)
- GAP 07 – Develop Network Security Roadmap (with Annual Plans)
- GAP 08 – Integrate Central Security Logging
- GAP 09 – Establish Network Security Management & Operations
- GAP 10 – Develop Firewall Rule Lifecycle Management
Gap 06: Develop Network Security Architecture
From the earliest days of networking, security manifested itself in strong information security perimeter defenses. As long as the perimeter was secure, the assets being protected didn’t need to be monitored or managed: the command and control environment gave people assurance that core data was safe because unauthorized access was prevented.
Today’s hyper-extended connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain.
Most companies didn’t design their current security architecture; rather, they built it over time, based on need: a firewall here, an intrusion prevention system there.
As a result, many businesses rely on a bewildering collection of stand-alone security systems. That’s a problem in two ways. First, without a clear understanding of how all your defenses fit together, it’s impossible to know if they provide complete protection. Second, managing and integrating all those systems costs time and money. Security integration into a holistic architecture that enables but manages role-based access is critical to success.
That’s why many organizations desire ways to simplify their security architectures.
“Security done right is the key to Anywhere Anytime by Any Device Access”
Developing a Framework
Network security architecture is defined as the desired structure of an enterprise’s technology components and technical safeguards. With network security architecture in place, an enterprise has a framework for more informed decision making and a guide for ongoing planning, design, and implementation activities.
Establish Coordinates –
- Pinpoint your Business Requirements and Vision
- Analyze Current State in terms of Infrastructure and Services
- Establish a Holistic yet Defensible Network Security Architecture
- Identify Organization Stakeholders and Seek Consensus
Chart your Course –
- Develop a Security Roadmap (Adaptive Iterative Evolution)
- Deliver Prioritized Action Plans
A Defensible Network Security Architecture provides a conceptual, physical, and procedural framework of best recommendations and solutions for network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks.
An architecture typically provides the following:
- A way to evaluate applicability of new technologies, products, and services
- A blueprint for future applications and infrastructure growth
- A framework for security technology decision making
- A framework that guides the security implementation
- A decomposition into modular and flexible components (enables reuse of proven modules as the organization grows, e.g. a remote office module)
- A method of cost avoidance
- A macro view of security-relevant systems and components
- A method for creating and documenting consensus
- A statement of direction for IT
A Defensible Network Security Architecture is realistic.
It assumes that all components of an IT infrastructure are targets … that even internal users could be network threats … attacks are inevitable … network performance cannot be compromised by processing-intensive security measures … and IT budgets are constrained.
The Network Security Architecture should consider and include the following:
- Business Requirements
- Regulatory Requirements
- Security Policy Requirements
- Current Network Security Architecture
- Goal-State Network Security Architecture
- High-level gap assessment
The Defensible Network Security Architecture promotes a process, rather than an endpoint. Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors. For more details see the Security Architecture Series, referenced below.
- Think You’re Secure? Think Again.
- Security Architecture Primer
- Security Architecture Baseline
- Risk-Aware Security Architecture
- Develop Security Architecture
- Product and Solution Selection
- Security Architecture Implementation
- Adaptive Security Lifecycle
- Architecture Case Study – Part 1
- Architecture Case Study – Part 2
The above set of blogs takes the reader through a detailed step-by-step development of a network security architecture with the latter blogs presenting an Architecture Realization Case Study. Future blogs will present network architecture and design templates that make use of security zones to enable Access Anywhere Anytime by Any Device.
Gap 07: Develop Network Security Roadmap
“A good plan executed today is better than a perfect plan executed at some indefinite point in the future.”
—General George S. Patton Jr.
Computers and the environments in which they operate are dynamic. System technology and users, data and information in the systems, risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat.
In addition, security is never perfect when a system is implemented. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures become outdated over time.
These issues make it necessary to periodically reassess the security architecture and the supporting plans in a feedback loop that both addresses tactical exceptions and updates and refreshes the vision and objectives.
Adaptive Security Roadmap
What is required is a systematic business risk approach to security that integrates and drives security into the network as an operational service. This is accomplished with an Adaptive Security Roadmap and iterative lifecycle process that refreshes the architecture on an annual or quarterly basis to establish, implement, operate, monitor, review, maintain, and improve network security.
The first step in the process is to develop the current state (see figure below). The results of the security baseline and assessment (current infrastructure environment) are analyzed. Factors such as the network security perimeter, Virtual Private Networks (VPNs), intranet, extranet, partner connections, remote access, and access to assets are considered to develop the current state and security risk profile.
The network security architecture (from Gap 06) creates the goal state. This process takes the current state and security-risk profile and adds the business drivers, prioritized requirements, policy, legal constraints, and so on. From this step, an updated and finalized network security architecture is developed and shared with the stakeholders to gain consensus.
The final step is to compare the current state with the goal state and to identify the projects that are required to transition the current infrastructure and realize the architecture goals. From a migration strategy workshop, together with the business units and stakeholders, the viable projects are selected based upon their dependencies, priorities, available resources, and budgets, forming the annual plan of infrastructure improvements.
During the next planning year, the process is repeated and the architecture updated with new business requirements, new technologies, new solutions, and so on. A follow-on assessment of the current infrastructure captures improvements together with any new threats, vulnerabilities, and exposures, and documents the new current state and security-risk profile. Performing a gap analysis and migration strategy planning workshop contrasting the new current state and goal state allows an updated plan to be developed for that year.
Over time, it can be seen (see figure above) that the security architecture is used as a baseline for consensus and direction but that it is active and capable of being updated. This process allows the security architecture to adapt to support the needs of the business. It evolves and sets future objectives.
At the same time, the annual plan sets the stage for the projects that need to occur that year, and the improvements begin to track with the architecture. Finally, with the proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, not only does the security architecture drive the IT and network infrastructure direction, but it also enables the illustration of tangible results, winning continued support for the program.
It is an organizational approach to network security with the appropriate network security architecture, governance, policy, standards, compliance verification, and audit.
From an operations perspective, time is money. This is why project management is an important process domain. It helps ensure that information technology projects finish on time, stay within budget, and deliver the expected outcomes.
For more details on developing a Network Security Roadmap together with the lifecycle management process, see the Adaptive Security Lifecycle blog.
Security Program Best-Practices – Part 4 will complete this Security Governance Series with the next set of gaps for discussion and helpful advice on key components.
Thanks for your interest!
Nige the Security Guy.