The Center for Education and Research in Information Assurance and Security (CERIAS)


Four Steps to a More Secure Corporation

Thu, April 27, 2006 (General)

Originally appeared at http://www.computerworld.com/

Security isn’t just something to buy. Security must be embedded in everything IT professionals do, from server configuration and hardening to firewall rules, help desk support and user training. Companies must prepare for issues as simple as a plug accidentally pulled out of an outlet and as complex as a deliberate attack against resources.

Four Phases of Security

Techniques to protect against undesirable consequences are often discussed in the abstract, in terms of confidentiality, integrity and accessibility. But these principles provide little guidance about how a secure system should be built, much less how a security initiative affects technology that isn’t primarily associated with security. We advise customers to adopt a four-phase security cycle comprising assessment, planning, delivery and operation. This model is based on the Policy Framework for Interpreting Risk in E-Commerce Security model developed at the Center for Education and Research in Information Assurance and Security at Purdue University.

The assessment phase is where a robust security program begins, yet we find that many organizations have a tendency to leap straight to delivery. As a result, security controls are instituted in an ad hoc fashion, without sufficient means to measure—much less improve on—the results of their investments. There are especially significant ramifications for organizations’ operating systems and technology infrastructure in this phase, and we recommend that organizations take the following three key actions:

  1. Review—or create—policy
  2. Analyze technology infrastructure risks, balancing functionality against fortification
  3. Assess internal and external threats

Policy

Policy is the tool that drives security strategy across people, processes and technologies, emphasizing the company’s priorities on what is to be protected and why. Too many organizations are reluctant to dive into policy change, overwhelmed by what they perceive to be insurmountable cultural and political challenges, or are locked into “analysis paralysis” by the sheer magnitude of the problem. But without an explicit, specific and enforced policy, security gaps will proliferate. The key is iteration, moving gradually from good to better to world-class security over time.

Infrastructure Analysis

Much infrastructure technology wasn’t designed for the open access that’s commonplace today. Consequently, these systems aren’t always protected against the risks in today’s environment. Infrastructure analysis examines all aspects of security, from operating system configuration to password protection. The outcome is hardware, software and administrative configuration that balances functionality with protection.

Threat Assessment

Anticipating possible threats from inside and outside the company contributes to immediate and long-term technology decisions. Motivation, access, knowledge and traceability vary for different sources of attack. Moreover, external threats can become internal ones, once the perimeter has been breached and unprotected assets within the trusted network are exposed. A “defense-in-depth” strategy builds security into all facets of technology infrastructure so that if one component fails, others provide protection.

In our experience, inadequate policy and the failure to properly configure and maintain data systems tend to exacerbate software flaws, which can turn a small problem into a big one. While we look to software vendors to continue to improve the security of their products, every organization can protect against the impact of security flaws that do appear. For example, a regulatory agency recently sought our help with meeting mandatory security requirements. We found that its operating environment needed to strengthen and enforce security policy as part of employees’ work habits and to implement formal structure and controls to close security gaps. Tasks included:

  1. Enhancing monitoring capabilities. Operating system, firewall and database logging produce a wealth of information that’s typically ignored until after a security breach. Proactive monitoring, supported by the latest operations tool sets, is critical to prevent or limit damages.
  2. Hardening operating systems, that is, locking them down to minimum required functionality for both servers and desktops. Tight server configuration is a preferred state for secure operations (and a major enhancement of the Windows Server 2003 “default deny” standard installation).
  3. Improving patch management control and procedures, to ensure that operating platforms are always up to date in a heterogeneous environment. Like proactive monitoring, this is another challenging task made easier with new operations tool sets.
  4. Tightening password management of privileged accounts. Too often, privileged account passwords are managed with less care than those for standard users. Shared accounts and static passwords are unacceptable in today’s high-risk environment.

While the customer in this example was driven by a regulatory requirement for International Standards Organization compliance, these recommendations are applicable to all organizations, public and private. Locked doors and secured tape storage were sufficient decades ago, but Web services will necessitate secure relationships among systems and applications that may be maintained by strangers. By assessing requirements for security, evaluating internal and external threats and determining acceptable trade-offs between the degree of technology function and the extent of fortification, IT executives can define and support secure relationships from the operating system on up.

Christopher Burry is a fellow and the technology infrastructure practice director at Avanade Inc., a Seattle-based integrator for Microsoft Corp. technology that’s a joint venture between Accenture Ltd. and Microsoft. Daniel Deganutti is a fellow, program manager and security architect at Avanade; Ace Swerling is a Microsoft Certified Systems Engineer within Avanade’s technology infrastructure practice. Readers can send comments or questions to Christopher.Burry@avanade.com.
