4 Information Security
SECURITY ARCHITECTURE
At the beginning of this chapter, two models were introduced: defense-in-depth and security architecture. In this section we discuss a common security architecture.
Companies have a competitive imperative to adopt comprehensive technical architectures to support business demands and transformations. By the same token, a security architecture must not only exist but also interact with the business objectives and provide a reference framework that serves as a fundamental guide when new technology and requirements are introduced into the company.
Today, a great number of corporate entities have been forced to integrate their systems and applications with the Internet to remain competitive. In order to reduce costs, gain greater return on investments, or simply keep up with the current of expected services, businesses are integrating the Internet and complex systems into their core objectives. Many of the companies have leveraged the Internet for partner access, remote user access, customer services, supply-chain management, and data warehousing. Physical boundaries and specific chokepoints alone cannot address the multifaceted and dynamic relationships within and among today’s businesses. In direct correlation with advances in technology, business demands, and the ever-present competitive differentiator, security has grown inherently more complex in the actual business environment as well as philosophically.
As we move into an age of multi-access, multiple platforms, access technologies, and the increase of regulation and legal requirements, companies are forced to adopt new infrastructure designs, which in turn require a variety of access management and layered security. To accommodate the dynamics of business, technology, and environments, it is necessary to adopt a security architecture that will allow flexibility in operations, in addition to providing a point of reference so that one can make sound decisions when change in demands and environment occurs.
There are several examples and types of security architectures from organizations such as the Department of Defense (DOD), National Security Agency (NSA), Federal Bureau of Investigation (FBI), National Institute of Standards and Technology (NIST; or more specifically, Computer Security Resource Center (CSRC)), Internet Engineering Task Force (IETF), and CERT (formally known as Computer Emergency Response Team). Each ranges greatly in complexity, ability, and, of course, cost. However, there is a consistent theme among all that can be applied to today’s Internet-enabled economy.
Common to many of the available architectures are four layers that can be identified to promote sound security integration and management of technology, information, and policy (see Figure 4.5).
1. The resource layer is where services and data reside. It is the home of servers, applications, databases, workstations, and storage.
2. One of the more critical and complex is the control layer, which provides identity and access management services. Moreover, the control layer is the point where policy becomes reality in the technical space. It provides management with the policy and is the point where policy is bound to data to promote greater authorization across the other characteristics of the entire security architecture.
3. There is the perimeter layer, which enforces a logical boundary between the Internet and the intranet, departments, applications, and even users.
4. Finally, the extended layer is a growing entity in its own right. This represents the externally facing envelope of influence and security, such as remote access risks, application access, and E-commerce.
[FIGURE 4.5 Example of a Typical Security Architecture. Labels: Internet, Extended, Perimeter, Control, Resource, Data]
For business to remain nimble in today’s economy, organizations will have to confront many challenges. Enterprises must work much more closely with external entities to maintain a consistent and agile value chain. To accomplish the challenge, companies must successfully manage relationships—internal and external—and the information flow between them. There remains the need to work closely with partners, customers, and various providers, but qualifying that communication and the necessary controls is what a security architecture provides.
One may assume that security can be rigid, but due to mergers and acquisitions, environmental changes, or simply rapid economic changes, security does not have the opportunity to remain static. The Holy Grail of security is a technology and architecture that establishes an environment which remains constant regardless of changing business demands.
Therefore, a security architecture is a policy-supporting overlay that can interact with users, resources, and external influences. To accommodate the desired flexibility, the architecture must be built for general purposes and well conceived. It can provide broad guidelines to allow for conceptual segmentation, encouraging the aggregation of various services and products to function optimally within a layer or interactively with others. It must be deployed in an abstract manner that separates physical from logical, focusing on the latter. For example, each layer could have its own characteristics that can be interchanged with other layers, such as the control layer, whereas some layers represent technology limited to only one specific layer, such as the perimeter layer. Firewalls are traditionally associated with the perimeter, whereas authentication resides in the control layer, and authentication (logically or physically) can exist in the perimeter or the resource layer. Each layer is loosely coupled with the next, allowing for flexibility but reducing redundancy.
Due to mergers and acquisitions, legacy systems that may not support a higher form of adopted security measures, and highly complex business requirements, security infrastructures today rarely follow a comprehensive overlying architecture.
The result is one of two possibilities or a combination of both: a point solution that focuses on limited control of specific information flows, or strengthening within a layer, instead of the points of interaction with other layers of the security model.
For example, many organizations focus on the perimeter by implementing firewalls and realize security in the resource layer by leveraging traditional operating system security. However, the lack of a comprehensive control layer weakens the interaction between the perimeter and resource layers and could represent a vulnerability within an organization.
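The gap described above can be made concrete with a small model. The following is an added example, not part of the original text: it evaluates one request against a perimeter-plus-resource point solution and against the same stack with a control layer that binds policy to data. All rule tables, account names, and datasets are constructed assumptions, and the extended layer is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    zone: str        # where the connection originates: "internet", "partner", "intranet"
    service: str     # network service being reached
    role: str        # end user's role, established by identity management
    os_account: str  # account the application uses on the resource host
    dataset: str     # data the request ultimately touches

# Constructed sample rules, one table per layer (assumptions for illustration).
PERIMETER_RULES = {("partner", "https"), ("intranet", "https"), ("intranet", "ssh")}
RESOURCE_ACL = {"payroll": {"svc_app"}, "catalog": {"svc_app"}}
DATA_CLASS = {"payroll": "confidential", "catalog": "public"}
CONTROL_POLICY = {"confidential": {"hr"}, "public": {"hr", "partner", "staff"}}

def perimeter(req):
    """Firewall-style check: zone and service only, no notion of user or data."""
    return (req.zone, req.service) in PERIMETER_RULES

def resource(req):
    """Operating-system check: sees the application's account, not the end user."""
    return req.os_account in RESOURCE_ACL.get(req.dataset, set())

def control(req):
    """Binds policy to data: the user's role must be cleared for the data's class."""
    return req.role in CONTROL_POLICY[DATA_CLASS[req.dataset]]

def evaluate(req, layers):
    """Return (allowed, name of the first layer that denied, or None)."""
    for layer in layers:
        if not layer(req):
            return False, layer.__name__
    return True, None

POINT_SOLUTION = [perimeter, resource]          # firewalls plus OS security only
WITH_CONTROL = [perimeter, control, resource]   # control layer ties the two together

# Constructed request: a partner user reaching payroll data through the shared app account.
PARTNER_PAYROLL = Request("partner", "https", "partner", "svc_app", "payroll")

if __name__ == "__main__":
    print("point solution:", evaluate(PARTNER_PAYROLL, POINT_SOLUTION))
    print("with control  :", evaluate(PARTNER_PAYROLL, WITH_CONTROL))
```

Each of the two point-solution layers answers correctly for what it can see, yet neither knows both who the user is and how the data is classified, which is why the request passes until the control layer is added.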