
Protecting Your Data in Today's World

Part 1 - Secure Systems and their Architecture

You are an information security analyst or manager and responsible for security on the hodgepodge of systems and applications that operate on your WAN, Intranets, or LANS within your business. You know that each system or application may have its own security requirements and that these will probably not be the same. However, your task is to provide a security infrastructure that has a low or nil risk of being compromised, while providing enough flexibility to address the different security requirements of your systems and/or applications now and in the future.

Anyone who has researched this subject can testify to the abundance of information available on the topic. The focus of this series of articles, 'Protecting Your Data in Today's World', will be to describe a variety of techniques used in data protection strategies over the Internet today. In addition, I will highlight some of the advantages and disadvantages of each of these strategies.

This is Part 1 of the series Protecting Your Data in Today's World. The following articles discuss related topics on how to protect your data in today's world:

To meet the goals of developing secure systems and their architectures, issues regarding cyber security must be addressed. Cyber security is the ability of networks to detect and respond to unwanted intrusions by hackers or terrorists into software and hardware systems, including protections to prevent unauthorized access to data or system controls.

The design of secure systems and their architecture is as varied as the imagination — as long as you have the budget for it. The tradeoffs with secure systems are between cost, security and convenience. In general, though, there are some common features that define a well-thought-out secure system that provides the level of security needed. However, it is important to understand that security does not have to be perfect to be beneficial, but the risks do have to be understood and managed. Many security problems are the result of users not understanding these risks.

Designing a secure architecture for a business is not an easy task; however, it is part of doing business in today's world. While some organizations are entirely information driven (Internet-based), all business entities rely on networks, systems and electronic data as vital components that support their business. It is not enough to identify and protect against possible security threats from the outside world; an organization is equally vulnerable to serious damage to its business interests through ignorance of internal security issues.

The goal of designing secure systems and the architecture that supports them is to protect the integrity, confidentiality, and availability of information. An effective secure infrastructure consists of a cohesive network of systems and resources that support a security protection program, which includes system monitoring, data collection, and the capability to make coordinated responses to detected incidents.

Why should organizations be concerned about security? In today's open-system environment, it is very easy to gain unauthorized access to an unsecured, networked environment. Even a workstation with seemingly non-sensitive information can be the "weak link" where a security breach occurs. Information about the hardware, software, network connections, authentication procedures, etc. can be discovered from it and used for unauthorized access into the system.

There are a number of different layers within a systems architecture where security can be implemented. The highest security layer is the application itself. By implementing security here, it is possible to tailor the system to provide exactly the functions that are required for specific circumstances. However, this means that separate security measures have to be employed for separate applications, which can prove to be expensive. By implementing security at a lower level, it is possible to cover a wide range of applications without additional effort and expense. However, this means that there may be specific features or requirements of certain applications that cannot be provided for. An example of this would be the ability to link the security to specific users, rather than to specific machines or even sites. Additionally, software licensing may restrict the areas where encryption is possible, making it more difficult to use lower-level security to cover general applications.

Many security products on the market today provide tools that focus security on specific areas, such as applications, operating systems, or networks. Part of the problem here is that there may be gaps in the security infrastructure that are not being addressed. In many cases, the tools designed to identify security vulnerabilities focus only on the specific areas they were created for. In addition, gaps in security may also exist as a result of logical divisions of responsibility within a company. There may be several different people and processes in a large organization that are responsible for security issues, each addressing security issues as they pertain to their specific area. A scalable security architecture solution must address these divisions of responsibility.

Comprehensive integrated security architecture should also combine intrusion detection and vulnerability assessment capabilities, which will provide the means to enforce security policies that have been established. Detecting a security breach when it occurs is half the battle. Once the problem is discovered, a good, integrated security solution will help to correct the problem, and establish or enforce any security policy so the problem does not occur again.

With the threat of any type of cyber-attack, whether it be from hackers, criminal activity, malicious users, economic espionage, or disgruntled employees, organizations must begin to take more proactive steps to protect their most valuable information assets. It is also important to understand that not all information is created equal. This means that to effectively protect sensitive data in today's world, the ability to control the delivery of data packets based on the content of the data itself is essential. Before allowing the delivery of a data packet over a network, the security system should confirm that the user is authorized to receive the data on the particular computer that he or she is using.

When designing a secure system or architecture, the technology that will be used can change what kind of security infrastructure is put in place, or how a security policy will be implemented. For example, knowing the type of network environment, which protocols will be supported, what type of platform(s) will exist, how client/server databases will be accessed, what kind of connections to back-end systems will be supported by a Web server or other applications, and whether remote access will be supported, to name just a few, can change how the security is enforced and help to identify the specific policies that drive it.

Will the architecture support wireless access? If so, security can be a real challenge. Wireless access removes many of the physical protections that may currently be in place for a wired architecture. For example, it is not uncommon today for organizations to provide different levels of protection for different points of entry into their networks. Workstations or servers in the office environment that may already be physically secure may only be protected by a user name and password, whereas laptops used to access the same network from remote locations may require security tokens as well. There is probably some level of control over access to wiring cabinets, network hubs, switches, routers and so on. If someone within the office were to attach a sniffer to the network, there is a fair chance it would be detected.

Wireless access puts not only the client device, but also the data, well beyond the physical control of the organization. Sniffing of data traffic can be done without any risk of detection over a much wider range of locations. Furthermore, the client device, in the case of a cell phone or PDA, is even easier to steal than a laptop computer. Although today's mobile devices cannot store as much data as today's laptops, they can store a lot more than many early PCs. Compromise of the wireless client thus poses a double threat to data: the remote access to data which the device enables, and immediate access to the downloaded data which is stored within it. When such devices are accorded larger roles in corporate systems, the scale of both of these threats will increase.
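The delivery control described above (the user must be authorized for the data, and the device he or she is using must be acceptable for it) combined with the per-entry-point authentication requirements from the previous paragraphs, written out as a small policy decision function. This is an added example, not code from the article; the entry points, sensitivity labels, users and documents are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

# Sensitivity labels: "not all information is created equal".
class Label(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2

# Constructed entry-point policy: which authentication factors each point of entry
# requires, and the most sensitive label that may be delivered to a device there.
# A stolen PDA exposes whatever it downloaded, so it gets the tightest ceiling.
ENTRY_POINTS = {
    "office_wired":  {"factors": {"password"},          "max_label": Label.CONFIDENTIAL},
    "remote_laptop": {"factors": {"password", "token"}, "max_label": Label.CONFIDENTIAL},
    "wireless_pda":  {"factors": {"password", "token"}, "max_label": Label.INTERNAL},
}

@dataclass
class Session:
    user: str
    entry_point: str
    factors: set       # factors the user actually presented at login

@dataclass
class Document:
    name: str
    label: Label
    readers: set       # users cleared to receive this document

def decide(session: Session, doc: Document):
    """Decide whether doc may be delivered to this session.

    Returns (allowed, reason). Every denial carries a reason so the decision can be
    logged and reviewed; the check considers the user AND the device context.
    """
    policy = ENTRY_POINTS.get(session.entry_point)
    if policy is None:
        return False, "unknown entry point"
    missing = policy["factors"] - session.factors
    if missing:
        return False, "missing authentication factor(s): " + ", ".join(sorted(missing))
    if session.user not in doc.readers:
        return False, "user not cleared for this document"
    if doc.label > policy["max_label"]:
        return False, f"{doc.label.name} data may not be delivered via {session.entry_point}"
    return True, "ok"

# Constructed sample: the same user and document, requested from three entry points.
REPORT = Document("q3-forecast", Label.CONFIDENTIAL, {"alice"})
SAMPLES = [Session("alice", "office_wired", {"password"}),
           Session("alice", "remote_laptop", {"password"}),
           Session("alice", "wireless_pda", {"password", "token"})]

def audit_trail():
    """Evaluate the samples and return one log line per decision."""
    return [f"{s.user}@{s.entry_point} {REPORT.name}: {decide(s, REPORT)[1]}" for s in SAMPLES]
```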

Effectively protecting your internal network and providing a security program will go a long way toward protecting your data. We do not conclude that, just because we have a door lock on our home, we do not need police protection or breaking-and-entering laws in the event of a break-in. Likewise, we should not conclude that, just because we are protected in some fashion from external threats, our sensitive information is secure.

The best way to secure systems and the architecture that supports them is to incorporate solutions designed specifically to protect information from the inside out. By using interoperable hardware devices and innovative technologies that permit customer data and the network infrastructure to collaborate in determining where and to whom data can be sent, companies can remove the last remaining hurdle to the secure access of corporate data by partners, customers, and employees.