by Chad Robinson

Enterprise Security: An Architectural Approach

Feature
Sep 18, 2002 · 7 mins
CSO and CISO · Data and Information Security

RFG believes it is easy to lose sight of the bigger picture when addressing security concerns in the enterprise. IT executives should develop a strategic plan to address security requirements throughout the enterprise before digging into any single issue. IT executives should also work closely with other line of business (LOB) executives to incorporate areas such as auditing, intellectual property, and physical site security into an overarching security strategy document for the company as a whole.

Business Imperatives:

  • Security problems abound, and it is easy to get drawn into a single issue, such as patching vulnerable systems or installing firewalls. However, a best practice for enterprise security is to work from the top down. IT executives should work to create a cohesive security strategy that covers all areas of concern for the entire company, then focus on addressing specific areas as components of the larger plan.
  • Factors such as applications and platforms in use, current staffing levels, the size of the organization, and so on can all affect the nature of the company’s security strategy. Generalized security reference materials are often erroneously used directly as a company’s security plan. IT executives should focus on creating strategies customized for their own environments, and rely on public resources such as sample policy and procedure documents only as generic guidelines.
  • The enterprise’s security strategy is often spearheaded by IT, as it most often involves technology. However, a security strategy should not be limited strictly to IT issues such as the installation of firewalls or virus protection software. IT executives should work with other LOB executives and departments to cover issues such as auditing, employee education, intellectual property concerns, physical site security, and unique LOB requirements.

Security problems fall into a broad range of categories, including patching systems as vulnerabilities are discovered, monitoring and blocking intrusion attempts on e-commerce systems, and controlling user access to protected resources. With such an extensive list of problems to solve, it is easy to become too focused on solving specific issues and lose sight of the need for an enterprise-wide security strategy and architecture.

It is also frequently difficult to obtain adequate funding for security initiatives, as security is typically viewed as a cost factor with no real return on investment for the enterprise. IT executives should counter this view by focusing on return on value (ROV), weighing the negative effects of security breaches, including loss of revenue and possible litigation by customers, against the cost of the preventative measures that avoid these occurrences.

IT executives should also educate other LOB executives regarding the dangers posed by internal users. A recent study of 146 companies by Activis, Ltd., a security firm based in Reading, GB, found that internal sources account for 81 percent of all security breaches. Thus, although these events are rarely publicized, this issue warrants significant additional attention by IT and LOB executives.

Even more important, security strategies that are not supported and understood by all LOB executives often fail. IT executives should work closely with other LOB executives to educate them as to the potential risks and threats the company faces, the possible effects of a security breach, and the necessity for various protective measures and processes. It is crucial that IT executives communicate the concept that security is not an achievable state, but rather a process that must be ongoing and focused to be successful.

To solve all of these problems, IT executives should spearhead an effort to develop a cohesive security strategy. The bulk of the security problems and solutions fall under IT’s umbrella, because most security issues (although not all) are technological in nature. This generally puts IT in a good position to help other LOB executives understand the security risks the enterprise faces, and develop processes and solutions to address them.

However, IT executives should not limit their efforts to purely technological issues. Physical site security is another issue that demands attention, especially because it can have direct and indirect impacts on network and system security. If an unauthorized individual can gain access to an internal network port or wireless network, no amount of firewall and intrusion detection layers between internal systems and the Internet will prevent an intrusion.

The enterprise’s security strategy should also focus on roles and responsibilities for each security aspect. For example, system administrators are the appropriate individuals to repair a breach or patch a vulnerability. However, they are not the appropriate contacts for media inquiries about security breaches, so IT executives should ensure that the company has a spokesperson capable of fending off a media frenzy in the event that a security breach becomes public news. Assigning roles and responsibilities should be one core element of the company’s security strategy.

Each company has different security requirements, and IT executives should not spend too much time searching for sample policy documents or staffing guidelines. For example, a company with a decentralized IT infrastructure and many lines of business may require several media contacts for security breach incidents. On the other hand, in a company with a centralized IT infrastructure and limited IT staffing, the IT executive may find himself or herself to be the most appropriate person to fill this role. As another example, auditing responsibilities may not be addressable by internal resources; the company may need to outsource this function to address it properly.

As the first step in this process, IT executives should evaluate the following factors for their companies.

  1. Employee education needs.
  2. Requirements for protection of intellectual property.
  3. Risk factors, including wireless network deployments, remote access to networks, e-commerce applications, contractors and partners, etc.
  4. The size of the company and its infrastructure, including desktops and servers.
  5. The size of the IT department and knowledge levels of staff.
  6. The type of IT infrastructure in place (centralized or decentralized).

IT executives should then work with LOB executives to develop an enterprise-wide security strategy that addresses each risk for each system or concept (such as intellectual property rights). The product of this work should, at a minimum, include a document that describes the enterprise’s security risks and threats, the general solution for each risk, and prerequisites or ongoing requirements such as auditing tasks and employee education.

As part of the security strategy document, IT executives should build a matrix to define the risk levels, current exposures, and target exposures for each area of risk. IT executives should bear in mind that system accessibility often prevents complete elimination of exposures, so exposure goals should be realistic targets for which solutions can be developed. The table below contains a generalized example of such a matrix.

In the above table, the “Internal” grouping represents those areas for which IT will primarily be responsible. The “External” grouping represents items determined either by LOBs, business partners, vendors, or other relationships, and may include systems over which the IT department has less control, such as systems used by teleworkers. These systems often represent greater levels of risk to the enterprise.

Employee education is a critical element in an enterprise security strategy, and extends beyond administrator training regarding vulnerabilities and network threats. As mentioned above, the majority of security breaches are still caused by internal employees, whether they are disgruntled workers who deliberately sabotage a system or release confidential customer information, or users who unintentionally cause breaches by installing file-sharing software or similar programs.

Each employee should understand that he or she is an important link in the chain of security at the company. Security policy documents supplied as part of the employee handbook or other required-reading resource should define intellectual property, acceptable use of corporate resources, and expected actions in certain events, such as if contacted by a competitor or a member of the media. Failure to comply is in many cases suitable justification for termination of employment.

RFG believes enterprises should develop comprehensive security strategies before focusing on any one particular security problem. IT executives are in a good position to support this drive, and should champion this effort in their own companies. To create the strategy, IT executives should work with other LOB executives to evaluate the risks for each area of the company, and include such factors as intellectual property concerns and physical site security requirements.

Author Chad Robinson can be reached at 860-684-6037 or crobinson@rfgonline.com