RFG believes network security is only as strong as the foundation upon which it is built, and enterprises should employ the essential building blocks as part of the overall security architecture. The availability of a corporate security policy, well defined BAP security requirements, and robust security administration and monitoring tools represent the three fundamental building blocks for a robust security architecture. IT executives should utilize a top-down methodology to identify, design, and implement security measures for business applications, and also verify that security layers work together seamlessly in compliance with corporate security directives.Business Imperatives: A corporate security policy is the first fundamental building block for strong enterprise security, and all subsequent security measures should reflect compatibility with these guidelines. IT executives should work with the Chief Security Officer (CSO) to develop enterprise security guidelines for all employees, business partners, and any other groups requiring access to corporate information assets. Business applications typically require distinct security profiles that reflect the importance of the application, from a liability and a revenue generation standpoint. IT executives should review business applications separately, and develop security profiles that reflect their importance and enterprise value. Once security measures are implemented, they will require administration processes and monitoring tools to support security administration, management, and performance monitoring. IT executives should purchase the required tools needed to provide these capabilities, develop processes for handling security breaches and administrative issues, and staff their IT organizations accordingly. Secure data networks require IT executives to incorporate three essential imperatives and fundamental building blocks. Without a security policy, well defined BAP security requirements, and robust security administration and monitoring tools, the enterprise cannot have a robust security architecture that reduces security breaches and administration issues.Information security remains a critical line item, as most corporations and enterprises are continuing to focus on security measures, mechanisms, and tools to protect themselves from unauthorized access to business applications. However, many companies still do not have a published corporate policy that clearly identifies the critical business assets to be protected, and the safeguards required to enforce the security policy mandates.A corporate security policy should identify and define the various categories of information that must be protected, the value of each information source, and the liability potentials that could occur if security is breached. Senior management, including the CSO, IT executives, and line of business (LOB) executives, must agree to and enforce the corporate security guidelines required to protect corporate information assets, and promulgate them down to all levels of employees.At a minimum, a corporate security policy should address four important items: The identification and description of all corporate information assets requiring security mechanisms and policy implementation for protection. A statement defining what information security measures are required, and the responsibilities of employees, business partners, and any other groups that have access rights to business applications. A clear description of those organizations responsible for implementing, promulgating, and monitoring security policy and budget support for all groups tasked to implement and maintain the security measures. Development of an education policy informing all employees and business partners about an existing security policy, and providing a vehicle for answering related questions, and reporting security problems. Typically, user accessible corporate information should be categorized into various classes based on overall value. The following table illustrates an example of how to classify enterprise information into the various categories. Once the information is put into the appropriate category, IT can determine what measures are available and most effective to provide the required levels of security.Table 1: Corporate Information Categorization ExampleInformation CategoryEnterprise ValueRequired Security MeasuresGeneral:Low Must operate in a separate server No access to other corporate databases Web-based activity tracking Internal Use Only:Medium to High Data encryption Intrusion detection User authentication Virus protection Company confidential:High Audit trail tracking Data encryption Intrusion detection Mutual client\/server authentication Virus protection Restricted:High Audit trail tracking Data encryption Intrusion detection Non-repudiation Public Key Infrastructure (PKI) with managed certificates Virus protection Marketing and corporate data informationFinancial and operational dataHR and sales related informationSalary information and strategic planning documentsSource: Robert Frances GroupThe next step in crafting a robust security architecture is to focus on specific business applications and the associated value of the information, as determined by the corporate information categorization process. Business applications typically require distinct security profiles that reflect the importance of the application, from both a liability and a revenue generation standpoint.Once the policy is established for accessing different types of information, the next step is to develop business application profiles (BAP) for those enterprise applications that require some level of security. As a point of reference, it is possible that even though certain applications require user authentication, the type of authentication will be different based on the BAP requirements. For example, some applications could be protected with seven-digit passwords that are changed monthly, while other applications may require smart card or other multi-layer technology to provide the required level of authentication. E-commerce applications can pose additional threats, including potential liability issues for security breaches that may occur. Consequently, IT executives should review e-commerce applications closely to ensure they are adequately protected, and comply with corporate security mandates.The following table presents various security options that may need to be considered for deploying and protecting two different types of enterprise applications, as a result of the BAP process and liability determination.Table 2: Sample Security Measure Requirements for Enterprise ApplicationsSecurity Measure RequirementE-mail ApplicationE-commerce ApplicationData encryption Only for documents classified as confidentialRequired for all transactionsIntrusion detectionE-mail server onlyClient and server levelUser AuthenticationSeven-digit passwordMutual authenticationVirus detectionServer onlyClient and server levelMonitoring\/TrackingNone requiredAll breach attempts must be logged and categorizedSource: Robert Frances GroupOnce the above information is gathered on a per application basis, the IT staff shouldselect and test the appropriate levels of security based on some or all of the following parameters: Administration requirements How difficult is the product to install, maintain, manage, and upgrade? Compatibility with corporate security policy Is there a clear match? Cost constraints What is the initial and long-term cost based on the product's projected life cycle? Product references Are their verifiable users of the product, and what is their experience? Scalability Does the product meet enterprise scalability needs, and is the scalability based on a logical and cost effective growth path? Status reports What reports are available to provide status and performance information? Vendor expertise Are they best of breed, well funded, and capable of supporting enterprise requirements over time? The final imperative for building secure data networks is to determine what security measures require monitoring, and how to accomplish this. Enterprises have several choices available, and may elect to provide the security monitoring internally, or outsource some or all of these services to a third party. If outsourcing is an option, IT executives should develop a firm statement of work (SOW) to which vendors respond, and negotiate an enforceable service level agreement (SLA) that protects the enterprise against lackluster performance and contract violations. Although, there are many different security products available, enterprises should include administration and monitoring systems as key selection criteria. Some of the areas that administration and monitoring tools should address include: Application servers attempted invalid sign-on requests, unauthorized application access violations, load balancing status, encryption status; Encryption status of applications using encryption, identification of encryption algorithms in use, ability to change encryption algorithms; Firewalls policy control, access control list monitoring, attempted hacking events, user administration; Intrusion detection proactive reporting systems that identify suspicious activity, and block unauthorized access; User authentication tools that log information on hacker attacks and unauthorized access attempts at the application, client, and server levels; E-mail archiving incoming and\/or outgoing messages to meet regulatory requirements; Virus detection update information on user devices, download capability, asset tracking, and status reports; Web site blocking tools monitor and provide activity statistics on users, Web sites visited, and unauthorized access attempts. Staffing can also be an important issue for consideration, because experienced security personnel are expensive, and difficult to hire and retain. Even when security outsourcing is a viable option, enterprises should staff a subject matter expert to monitor the services provided by the outsourcer, and stay current on new security developments both inside and outside of the corporation. RFG believes data security will continue to increase in importance over time, and IT executives should place business application security in the top tier of business-critical initiatives.Finally, security mechanisms and appropriate staffing will be ineffective without clear processes that define what actions to take for various types of security breaches. As an example, a denial of service attack (DOS) can cripple an enterprise unless immediate action is taken to minimize the impact on the targeted application or server. Counter measures may include bringing backup systems online, or re-homing impacted users to another location that is in a hot-standby status. Although there is no "silver bullet" for many hacker attacks, enterprises can, and should, develop and test processes to mitigate the potential damage.RFG believes the availability of a corporate security policy, well defined BAP security requirements, and robust security administration and monitoring tools represent three essential imperatives and fundamental building blocks for a robust security architecture. IT executives should verify that corporate security policy and BAPs are available and congruent, and that effective security monitoring tools are utilized to monitor enterprise security performance, to minimize security breaches and administration issues.