As a member of a global security organization that was global only by name, I’ve seen the extreme downside of having patchwork, dysfunctional security across the IT infrastructure. It takes forever to find problems and breaches, figure out what actually occurred, patch the holes, and recover from the issue. I’ve been reading through a few documents recently that cover a lot of ideas about IT security, both where it has been historically and where it should be going.
Currently, security is always an afterthought. It goes that way with most things in life for most people: they go down the road not planning for an emergency until it has happened. Now how do you fix it? With the proliferation of cloud services such as Dropbox and Evernote (both of which I use personally) and the state of BYOD in the corporate world, there are many holes and opportunities for data loss and reputational damage from breaches. We also have the external threats of phishing, social engineering, hacktivism, and nation-state attacks to protect ourselves from, while staying within a sustainable budget so that we can continue being profitable as a company. To do this you have to plan your security from the ground up. That way you can mitigate security risks by properly implementing applications and services within the IT infrastructure. By planning in advance, you can also design a network and server architecture that uses high-density, cost-effective solutions yet still provides the same level of security. There have been multiple times that I’ve been on a project where, due to poor planning, we were forced to set up an entirely new leg of the network populated with servers, SAN, the whole gamut. That creates complexity, which increases implementation time, troubleshooting effort, and the training and onboarding of new personnel.
So how should you begin planning your IT security framework? You first need to start with understanding yourself. What is your business about? What compliance and regulatory requirements do you need to be thinking of (HIPAA, PCI-DSS, etc.)?
Once you understand the business, you then need to work on your data classifications. Keeping the number of classifications low will help with the complexity side of things; three to four is a good number. It could be Public, Internal, Restricted, or maybe Public, Internal, Confidential, Restricted, whatever you choose and think is best for your organization.
Now that you have a good understanding of your business and data classifications, you need to work on an understanding of your applications. How do they function with each other, and what classification of data do they hold? Getting a firm grip on your applications’ interactions and functionality will help you design a network strategy that scales well over time, along with a server and SAN strategy that also scales. It will also help you understand what security gaps there might be that you can cover with compensating controls and technologies.
Now it’s down to the design of your IT infrastructure. Placing external-facing applications away from internal-facing applications is a great way to limit unnecessary exposure to external risks. Making sure you are using your firewall and IPS technology effectively at proper network bottlenecks will help you keep costs down as well as simplify the infrastructure. Design your network to be modular: make it so that you can add modules to a central core routing infrastructure and it scales well. Add strong authentication to all externally facing applications. Make sure that you are doing vulnerability and penetration testing on your environment and using that data to update your IPS policies and patching strategies. Create a simple and efficient SIEM deployment so that you can gather logs from the critical parts of the infrastructure. Don’t just place SIEM infrastructure everywhere and pull logs into it from everything; you need to make sure that SIEM coverage is allocated according to data classification. The same goes for firewalls, IPS, WAF, etc. You need to create a security matrix that gives you the required security controls to consider for each data classification. Not all of them might be needed, but it at least gives you a checklist to go through when designing new modules in the network. Also, keeping your endpoint security simple will help your personnel learn it quicker and actually use it, instead of trying to bypass it. My last manager taught me a lot about making sure the users have a good experience with the security we put in place. If your own user base is trying to undermine your security posture by bypassing it, then you open yourself up to greater risk.
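As an added example that is not part of the original post, the following Python sketches what such a security matrix can look like in practice: a cumulative table of controls per data classification, and a check that reports which controls a proposed network module is still missing. The four-tier classification scheme, the control names, the rule that a module is governed by the most sensitive data it holds, and the sample modules are all constructed assumptions for illustration, not a standard or a vendor’s recommendation.

```python
"""Added example (not from the original post): a minimal security matrix
mapping each data classification to the controls that must be considered,
plus a check that reports which controls a proposed network module lacks.
Classification names, control names and the sample modules are assumptions
constructed for illustration."""

from dataclasses import dataclass, field

# Classification order from least to most sensitive (assumed four-tier scheme).
CLASSIFICATIONS = ["Public", "Internal", "Confidential", "Restricted"]

# Security matrix: controls required at each tier. Each tier inherits
# everything required by the tiers below it. Control names are assumptions.
SECURITY_MATRIX = {
    "Public":       {"firewall", "patching"},
    "Internal":     {"siem_logging", "vuln_scanning"},
    "Confidential": {"ips", "strong_auth", "encryption_at_rest"},
    "Restricted":   {"waf", "pentest", "network_segmentation"},
}


def required_controls(classification: str) -> set:
    """Return the cumulative control set for a classification."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification}")
    rank = CLASSIFICATIONS.index(classification)
    required = set()
    for tier in CLASSIFICATIONS[: rank + 1]:
        required |= SECURITY_MATRIX[tier]
    return required


@dataclass
class NetworkModule:
    name: str
    external_facing: bool
    data_classifications: list          # classifications of data it holds
    controls: set = field(default_factory=set)   # controls already designed in


def highest_classification(module: NetworkModule) -> str:
    """A module is governed by the most sensitive data it handles (assumed rule)."""
    return max(module.data_classifications, key=CLASSIFICATIONS.index)


def control_gaps(module: NetworkModule) -> set:
    """Controls the matrix requires that the module does not yet have."""
    needed = required_controls(highest_classification(module))
    # The post calls for strong authentication on every externally facing app,
    # regardless of the data classification it holds.
    if module.external_facing:
        needed = needed | {"strong_auth"}
    return needed - module.controls


def review(modules) -> dict:
    """Map each module name to its gap set; a module with an empty set passes."""
    return {m.name: control_gaps(m) for m in modules}


# Constructed sample modules for a design review.
MODULES = [
    NetworkModule("marketing-web", True, ["Public"], {"firewall", "patching"}),
    NetworkModule("hr-portal", True, ["Internal", "Confidential"],
                  {"firewall", "patching", "siem_logging", "vuln_scanning", "ips"}),
    NetworkModule("card-vault", False, ["Restricted"],
                  {"firewall", "patching", "siem_logging", "vuln_scanning", "ips",
                   "strong_auth", "encryption_at_rest", "waf", "pentest",
                   "network_segmentation"}),
]

if __name__ == "__main__":
    for name, gaps in review(MODULES).items():
        status = "OK" if not gaps else "MISSING " + ", ".join(sorted(gaps))
        print(f"{name}: {status}")
```

The cumulative lookup is what keeps the matrix small: each tier only lists what it adds on top of the tier below, so a four-tier scheme stays readable while the check still produces a complete checklist for a Restricted module.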
And finally, you need to make sure that processes are in place to effectively manage your environment, from HR policies for adding, modifying and removing users, to procedures for adding, modifying and decommissioning applications and services. This allows you to retire infrastructure that is no longer needed, which saves costs and reduces complexity.
Below is the document I liked the most. HP covered a lot of the facets of IT security design, and they covered it extremely well and concisely.
Rethinking your enterprise security – Critical priorities to consider – by HP