
Elements of a Security Architecture

In document Designing Network Security (Page 115-118)

The global framework must include the following elements of a security architecture:

· Identity
· Integrity
· Confidentiality
· Availability
· Audit

Each of these elements must be taken into consideration when determining the corporate policy.

Identity

In this book, identity is defined as the element of the security architecture that encompasses both authentication and authorization. Authentication answers the question, "Who are you and where are you?" Authorization answers the question, "What are you allowed to access?" Identity mechanisms must be carefully deployed because even the most careful of security policies can be circumvented if the implementations are hard to use. A classic example is that of passwords or personal identification numbers (PINs) scribbled on a sticky pad and attached to the computer monitor or telephone---a real solution for the user who has to remember a multitude of passwords.

Another example of poorly implemented security is when employees use an easily guessed password so that they don't have to write it down. An ad hoc study at Bell Labs some years ago found that a surprisingly high percentage of the people logging onto systems chose a password that was a child's name, dog's name, wife's name, and so on. Corporations can install systems that ensure that the passwords selected by their employees are not proper names, words found in the dictionary, or other logical sequences of characters. However, verification and authorization systems that are cumbersome or unnecessarily redundant can frustrate users and should be avoided.
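The kind of password-selection check described above, written as an added example (not code from the book): it rejects dictionary words and proper names even when the user pads them with digits or swaps in leetspeak, and rejects character sequences such as "1234" or a keyboard row. The word lists and the minimum length are constructed assumptions.

```python
import re

# Constructed sample word lists for the example; a real deployment would
# load a full dictionary plus the employee, family and pet names it has on file.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "secret"}
PROPER_NAMES = {"john", "mary", "jennifer", "rover", "fluffy"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8  # assumption for the example

# Common letter substitutions users apply to disguise a forbidden word.
LEET = str.maketrans("0134@$", "oleaas")


def _normalize(pw: str) -> str:
    """Lowercase, drop leading/trailing digits and punctuation, undo leetspeak."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def _is_sequence(pw: str) -> bool:
    """True for runs like 'abcd', '1234', '4321' or a slice of a keyboard row."""
    if len(pw) < 4:
        return False
    codes = [ord(c) for c in pw.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    if steps in ({1}, {-1}):
        return True
    low = pw.lower()
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw: str) -> list:
    """Return the policy violations found; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = _normalize(pw)
    if core in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if core in PROPER_NAMES:
        problems.append("proper name")
    if len(set(pw.lower())) == 1:
        problems.append("repeated character")
    if _is_sequence(pw):
        problems.append("sequential characters")
    return problems
```

Because the check runs on the normalized core, "Rover1" and "P@ssw0rd" are caught even though neither is literally in a word list.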

Companies must create appropriate barriers inside their systems so that if intruders do access one part of the corporate environment, they do not automatically have access to the rest of it. Just as the creation of security barriers applies to physical buildings (access to the building itself does not let you access every room in the building), it should also apply to network access. That is, the computer network infrastructure should be partitioned to provide as much protection as necessary for specific components of the network. Although maintaining a high level of security on the entire corporate environment is difficult, it is often possible to do so for a smaller sensitive component.

Integrity

Integrity is the element of the security architecture that encompasses network infrastructure device security (physical and logical access) and perimeter security. Physical access to a computer (or router or switch or firewall) usually gives a sufficiently sophisticated user total control over that device. Physical access to a network link usually allows a person to tap into that link, jam it, or inject traffic into it. Software security measures can often be circumvented when physical access to the hardware is not controlled. Therefore, for corporate facilities, physical security should be based on security guards, closed circuit television, and card-key entry systems. With these measures in place, organizations can feel confident that within their physical facilities, assets are protected and high user productivity is maintained.

Logical access security refers to providing identity mechanisms (authentication and authorization) that must be satisfied before the user is allowed Telnet or console access to integral network infrastructure components (such as routers and firewalls). Perimeter security deals with firewall-type functionality, determining which traffic is permitted or denied from various areas of the network. Often, firewalls are placed between the Internet and the main campus or between the dial-up connection and the main campus.

Confidentiality

Confidentiality is the element of the security architecture that ensures that data communication is kept private between the sender and receiver of information. A strong policy statement should dictate to users the types of information deemed sensitive enough to warrant encryption. A program-level policy may dictate the broad categories of information that must be stringently protected, while a system-level policy may detail the specific types of information and the specific environments that warrant encryption protection.

At whatever level the policy is dictated, the decision to use encryption should be made by the authority within the organization charged with ensuring protection of sensitive information. If a strong policy that defines what information to encrypt does not exist, then the owner of the data should ultimately make the decision about whether or not to encrypt information.

Availability

Availability is the process of ensuring that all critical resources are accessible when needed. Keeping data available means that you must have planned system upgrades and configuration changes that are fully tested to avoid catastrophic surprises caused by software bugs or misconfigurations.

Physical security and logical security are also part of ensuring availability. Physical security ensures that no malicious tampering can take place and that acts of nature will not cause systems to be inaccessible. It also ensures that hardware failures are handled in a timely manner. Logical security ensures that traffic can be rerouted and that malicious software threats can be deterred.

Audit

The audit element of the security architecture is necessary to verify and monitor the corporate security policy. A software audit verifies the correct implementation of the security policy in the corporate network infrastructure. Subsequent logging and monitoring of events can help detect any unusual behavior and possible intrusions.

To test the effectiveness of the security infrastructure, security auditing should occur frequently and at regular intervals. Auditing should include new system installation checks, methods to discover possible malicious insider activity, possible presence of a specific class of problems (DoS attacks), and overall compliance with the site security policy.

An audit log, generated by all the various operating systems running in your infrastructure, can be used to determine the extent of the damage from a successful attack. Audit trails are most often put to use after the fact to reconstruct what happened during damage assessment. The problem to avoid is logging every event such that the amount of data to sift through becomes insurmountable. If you log too much data and an intrusion does occur, that intrusion will definitely be logged---along with hundreds of other insignificant events. The intrusion will most likely remain undetected by the people responsible for detecting such things because the intrusion is hidden under a mountain of other data being generated by the system.

NOTE If your network or system is designed and implemented well, think about logging the kinds of activity that would most likely indicate a first-stage attack. Don't log every event---just the unusual ones. This information can give you a warning that something is amiss without burying you in too much inconsequential detail.

When creating data log files, consider the following points:

· Use a program to filter through the audit data and bring to your attention the truly serious issues.
· Do not audit every little issue in your network or system.

Understanding how a system normally functions, knowing what is expected and unexpected behavior, and being familiar with how devices are usually used can help the organization detect security problems. Noticing unusual events can help catch intruders before they can damage the system. Software auditing tools can help companies detect, log, and track those unusual events.
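The audit-data filter the points above call for, as an added example (not code from the book): it reads syslog-style lines, lets routine events (cron jobs, link state, logins from the admin network) pass silently, and raises only the unusual ones: a burst of failed logins, a success right after that burst, a login from outside the admin network, and a configuration change outside the maintenance window. The sample log lines, the admin network, the maintenance window and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample audit lines for the example (syslog-like, not from the book).
SAMPLE_LOG = """\
Mar 12 02:14:01 rtr1 sshd[411]: Failed password for admin from 203.0.113.9
Mar 12 02:14:03 rtr1 sshd[411]: Failed password for admin from 203.0.113.9
Mar 12 02:14:05 rtr1 sshd[411]: Failed password for admin from 203.0.113.9
Mar 12 02:14:07 rtr1 sshd[411]: Failed password for root from 203.0.113.9
Mar 12 02:14:09 rtr1 sshd[411]: Accepted password for admin from 203.0.113.9
Mar 12 02:15:00 rtr1 config: user admin changed running-config
Mar 12 08:00:01 fw1 cron[77]: nightly backup finished
Mar 12 08:00:05 fw1 sshd[90]: Accepted publickey for ops from 10.0.0.5
Mar 12 08:01:00 fw1 kernel: link up eth0
"""
LINE_RE = re.compile(r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)")
CONFIG_RE = re.compile(r"user (?P<user>\S+) changed running-config")
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: where admins normally log in from
MAINT_HOURS = range(7, 9)                         # assumption: change window 07:00-08:59
FAIL_THRESHOLD = 3                                # assumption: failures that count as a burst


def filter_audit(log_text: str) -> list:
    """Return only the events worth a human's attention; routine lines yield nothing."""
    failures = Counter()  # failed logins seen so far, per source address
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        time, host, msg = m["time"], m["host"], m["msg"]
        login = LOGIN_RE.search(msg)
        if login:
            src, user = login["src"], login["user"]
            if login["result"] == "Failed":
                failures[src] += 1
                if failures[src] == FAIL_THRESHOLD:  # report the burst once, not per line
                    alerts.append(f"{host}: {FAIL_THRESHOLD} failed logins from {src}")
            else:
                if failures[src] >= FAIL_THRESHOLD:  # success right after a burst is the key signal
                    alerts.append(f"{host}: login for {user} from {src} succeeded after {failures[src]} failures")
                if ipaddress.ip_address(src) not in ADMIN_NET:
                    alerts.append(f"{host}: login for {user} from non-admin address {src}")
            continue
        cfg = CONFIG_RE.search(msg)
        if cfg and int(time[:2]) not in MAINT_HOURS:
            alerts.append(f"{host}: running-config changed by {cfg['user']} at {time}, outside maintenance window")
    return alerts
```

Running `filter_audit(SAMPLE_LOG)` reduces the nine sample lines to four alerts, all from the one host that shows unexpected behavior.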
