7 essentials for creating a greenfield environment

Perhaps your network is so badly compromised or bedraggled that you need to start from scratch. Here's how to go about it

If my work surroundings are any indication of the rest of the real world, a lot of companies are busy building greenfield environments -- typically entirely new, separate network segments or Active Directory forests. Why do it? Sometimes, it's because the current network is completely owned by an APT (advanced persistent threat), but of course there are many other motives.

Most often, companies go to the expense of creating a greenfield because the current environment is so disjointed and full of accumulated errors that trying to fix the mess seems impossible. I'm often hired to assist with architecting the new design and advising clients on how to proceed.

While every environment is different, here's the advice I usually give to entities responding to big compromises.

1. You will never build the perfect network

At the beginning of greenfield planning, everyone designs the perfect network or Active Directory forest. The sky's the limit! It's a perfect security world! Management understands the seriousness of not doing security right! Application developers and business leaders will have to listen to computer security designers, for once! Finally, everyone is on the same page. Security is paramount!

Until it isn't.

Every greenfield design I've been involved with has begun with the best intentions of perfect security but ended up a lot closer to the design requirements of the existing environment. By this I mean that senior management finally puts a budget around it, with the expectations it will allow them to run the business and earn money.

It's the same old clash of functionality versus security, and in a bind, functionality will usually win, even in the new "high security" greenfield. On a positive note, security will usually be given more leeway and consideration, though not victory at all costs. It's important to start out with your perfect wish list, but be ready to supply your alternative backup plans when someone more senior doesn't think your idea of better security will work for the company.

2. Don't repeat the same mistakes

It's important not to repeat the same mistakes of the old environment in the new environment. This seems obvious, but I bet many who have built their own greenfields are nodding in agreement. People often stipulate simple points that seem to make sense, without realizing that those same requirements were part of what made the old environment fail.

For example, a common requirement in a greenfield is good patching. Who can argue against that? Often, lax patching led to the old environment becoming, well, the old environment. But when I examine the old and new patching requirements, they're nearly identical. It's usually something along lines of: "All critical security patches must be applied in a timely manner."

It sounds nice, but how will that be different? In order to write a better policy for the greenfield environment, you're going to have to understand what went wrong in the old environment and write a better policy that's more specific. The devil is in the details.

3. How will you keep the hackers out?

I've been involved with a few companies that spent tens of millions of dollars to build a new environment: new computers, new network, new applications, new workstations, new servers. Nothing old was allowed to touch the new environment. After spending all that money and time, the old hackers compromised the new environment in days.

You need to learn from the weaknesses of the old environment so that the same old tricks no longer work in the new environment. For example, if the hackers got into the old environment using spearphishing emails containing malicious Adobe Acrobat PDF documents, how are you going to stop that from working in the new environment? I've seen plenty of possible solutions, including making sure that PDF documents are opened in encapsulated virtual environments where they couldn't do further harm. Just make sure those miraculous solutions are tested and implemented from the start. Making them pervasive in a few months isn't going to help you today.

4. The new environment looks great -- but will it stay that way?

If you think it's hard to plan something new and near-perfect, that's easy compared to keeping it that way. Remember, those who built your current environment started out with the best of intentions. No one wanted to design insecure crap.

Examine what happened over time to make the current environment one people can't wait to get rid of. Was it due to poor technical decisions or was it more than that? In many cases, political or business pressures force poor security decisions. How can those be avoided in the future?

To me, this is the most important point of all. It's an awful lot of money and effort to build something new if you can't prevent repeating the same mistakes. These sorts of policy decisions are harder than just building a new network. It requires the right senior people agreeing on the right foundational policies.

5. Object lifecycle management

Another key implementation decision is to account for the full lifecycle of each and every object (user, computer, group, printer, OU, application, service account, and so on) in the network or Active Directory forest. Each object must have an owner who is easy for anyone to identify or query. Ownership gives accountability and allows key decisions to be made in a timely manner.

Each object should be tracked from provisioning to de-provisioning. Each object should have specific policies that detail how it comes into creation, how often review takes place, and when and how it should be modified and removed. The documentation should specify who can manipulate the object and how often the object needs to be reviewed for legitimacy.

For example, when you create a security group, the owner should be identified and the members and permissions and rights documented. Every now and then -- at least annually, if not more often -- the owner should be asked if the group is still needed. The owner should review the members and permissions and actively respond to keep the group. Otherwise, it should be deleted. Preferably, all of this should be automated.

6. What is the "system of trust" for greenfield membership?

What system should be used for determining membership in the greenfield? This is another very important decision. Most companies usually want to use the same system found in the old environment (often involving an HR application). But if your greenfield is going to be green, you must give it a new system of trust. You can't populate a new, more trustworthy environment using a system or application from an untrustworthy environment. Well, you can, and you might even be forced to accept it, but you're creating a built-in weakness.

7. Do a better job of monitoring and drift control

Most compromised environments do a very poor job at monitoring and drift control. Ensure that all assets having event logging turned on with critical events predefined to generate alerts. Document what programs and processes are supposed to be running on each computer, then monitor changes.

Most companies don't have a clue as to what programs should be running on their computers, so when a new Trojan shows up, it goes unnoticed for a long time. Break the cycle! Instead, fully document what is allowed to be running and set up alerts when something new is installed or executed. This is a great place to use application control ("whitelisting") programs. I often recommend that they run in audit mode, so you get all the benefits of their monitoring, without causing undue operational interruption.

Is a greenfield the answer?

Is a greenfield really going to solve your organization's problems? If you've been reading up to this point, you'll realize that none of my advice has been about new designs or structures. Almost all the inherent problems I see in compromised environments involve either poor policies or poorly implemented policies. Most of the benefit you will gain from greenfield environment can be realized in your current one, with much less time and expense.

The biggest problems in today's networks aren't technical. They're political and human. That won't change as long as politics and humans remain the same.

Copyright © 2013 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!