May 15, 2013 9 Comments
Security Architecture Baseline
Once distributed roles and responsibilities are identified and established for the security architecture project team, the next important step is to add to that foundation with a security architecture project baseline.
This blog series will enable organizations to create that baseline by defining and reviewing applicable regulations, security policy and standards, identifying and classifying information assets and resources, and conducting a risk and threat analysis.
It is critical that security policy is aligned with and frames the security architecture, and that risks are assessed, mitigated, and managed on an ongoing basis. The prime objective of the security architecture is to emphasize accountability and share responsibility while enabling business applications and other requirements.
Mission Critical Assets
How much money, inconvenience, and time should an organization spend to counter an exposure or class of exposure? How does an organization deploy defense-in-depth to address and/or mitigate Advanced Persistent Threats (APT)? What is the organization trying to protect? It is very challenging to try to protect everything and anything equally regardless of its role and trustworthiness.
Taking an inventory of all IT infrastructure assets helps identify potential targets. At the rate some companies are growing today, it is no surprise to discover unknown active equipment on an internal network. Finding this equipment and determining ownership establishes responsibility and accountability for what occurs on the equipment.
Classification involves assessing what resources or assets an attacker might want to steal. The inventory forms a clearer picture of exactly which data is really critical to the business, and thus which applications and servers need the most protection, monitoring, and auditing. This step lets the enterprise focus its resources and budget at the optimal level on the most significant or sensitive data.
Inventory of Assets
The security architecture project leader coordinates the creation of an inventory of major assets associated with each information system. Each asset should be clearly identified and its guardianship, retention schedule, data categories and security classification agreed upon and documented.
Wherever possible, use E-Discovery or Enterprise Search Tools (crawler, index) to identify assets and sensitive data to reduce the burden of this task and to keep the data as current as possible. The baseline security inventory should encompass, for example, the following assets and data:
- Applications & Systems (APIs, COTS Applications, Custom Apps, Appliances)
- Structured Information (DBMS, Databases: Oracle, SQL, etc.)
- Un-Structured Information (E-mail, File Systems, Content Repositories)
- Network-based Storage (SAN, NAS, NFS, etc.)
- Middleware (BizTalk Message Bus, EDI, etc.)
- Server Systems (Mainframe, MacOS, Wintel, Unix, others)
- Hosting & Virtualization (VM Control, VMs, Storage, etc.)
- 3rd Party Services (Service Provider, Cloud,
Developing a security inventory is a necessary step, but it is also the one where most companies get bogged down. Asset self-discovery tools, and strategies that let you group or aggregate assets into organized categories can help considerably.
From this baseline inventory pertinent applications and systems can be identified to iteratively develop and update an Application Security Profile Catalog. It is important to begin to understand application roles and relationships (data flows, interfaces) since a set of applications may provide a service or business function. This will be discussed in more detail in a future blog.
In the Security Architecture series blogs, as part of Application & Systems Zoning and Application Architecture Taxonomy series I will share advice on the practical classification of assets taking application and system use cases and applying criteria (user and application roles and relationships) towards organization and protection, i.e., Zone Placement, Zone Policy and Zone Controls based on Risk and Threat Assessment. Simplicity is the path to better security.
Thanks for your interest.
Nige the Security Guy.