If my work surroundings are any indication of the rest of the real world, a lot of companies are busy building greenfield environments -- typically entirely new, separate network segments or Active Directory forests. Why do it? Sometimes, it's because the current network is completely owned by an APT (advanced persistent threat), but of course there are many other motives.
Most often, companies go to the expense of creating a greenfield because the current environment is so disjointed and full of accumulated errors that trying to fix the mess seems impossible. I'm often hired to assist with architecting the new design and advising clients on how to proceed.
While every environment is different, here's the advice I usually give to entities responding to big compromises.
1. You will never build the perfect network
At the beginning of greenfield planning, everyone designs the perfect network or Active Directory forest. The sky's the limit! It's a perfect security world! Management understands the seriousness of not doing security right! Application developers and business leaders will have to listen to computer security designers, for once! Finally, everyone is on the same page. Security is paramount!
Until it isn't.
Every greenfield design I've been involved with has begun with the best intentions of perfect security but ended up a lot closer to the design requirements of the existing environment. By this I mean that senior management finally puts a budget around it, with the expectation that it will allow them to run the business and earn money.
It's the same old clash of functionality versus security, and in a bind, functionality will usually win, even in the new "high security" greenfield. On a positive note, security will usually be given more leeway and consideration, though not victory at all costs. It's important to start out with your perfect wish list, but be ready to supply your alternative backup plans when someone more senior doesn't think your idea of better security will work for the company.
2. Don't repeat the same mistakes
It's important not to repeat the same mistakes of the old environment in the new environment. This seems obvious, but I bet many who have built their own greenfields are nodding in agreement. People often stipulate simple points that seem to make sense, without realizing that those same requirements were part of what made the old environment fail.
For example, a common requirement in a greenfield is good patching. Who can argue against that? Often, lax patching is what turned the old environment into, well, the old environment. But when I compare the old and new patching requirements, they're nearly identical. It's usually something along the lines of: "All critical security patches must be applied in a timely manner."
It sounds nice, but how will that be different? To write a better policy for the greenfield environment, you have to understand what went wrong in the old environment and write a policy specific enough to be measured: which patches, on which systems, within how many days, and what counts as an exception. The devil is in the details.
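The difference between "timely" and a policy you can audit is that the second one can be turned into a check. The script below is an added example (not from the column, and not any vendor's tooling): it states the greenfield SLA as concrete deadlines per severity and runs them over a constructed host/patch inventory. The hosts, patch IDs, dates and the SLA values themselves are assumptions chosen for illustration.

```python
"""Turn "patch in a timely manner" into a measurable check.

Added example (not from the column): a vague policy cannot be audited,
so the greenfield policy is expressed as concrete deadlines per severity
and checked against a host/patch inventory. All hosts, patch IDs and
dates below are constructed sample data, not real systems.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The policy, stated as numbers an auditor can test against.
# (Assumed values for illustration; pick your own SLAs.)
SLA_DAYS = {"critical": 7, "important": 30, "moderate": 90}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: date
    installed: Optional[date]  # None means still missing


@dataclass(frozen=True)
class Violation:
    host: str
    patch_id: str
    days_overdue: int


def deadline_for(rec: PatchRecord) -> date:
    """Deadline = vendor release date + the SLA for that severity."""
    return rec.released + timedelta(days=SLA_DAYS[rec.severity])


def find_violations(records: List[PatchRecord], as_of: date) -> List[Violation]:
    """Return every host that missed (or is still missing) a patch past its deadline.

    A patch installed after the deadline is still reported: the window of
    exposure existed, and the compliance report should say so rather than
    silently healing once the patch lands.
    """
    out = []
    for rec in records:
        if rec.severity not in SLA_DAYS:
            # Unknown severity is a policy gap, not something to skip quietly.
            raise ValueError(f"{rec.patch_id}: unknown severity {rec.severity!r}")
        due = deadline_for(rec)
        effective = rec.installed or as_of   # missing patch is judged as of today
        if effective > due:
            out.append(Violation(rec.host, rec.patch_id, (effective - due).days))
    return out


# Constructed sample inventory and reporting date.
AS_OF = date(2024, 3, 25)
SAMPLE = [
    PatchRecord("app01", "KB-0001", "critical", date(2024, 3, 1), date(2024, 3, 5)),    # on time
    PatchRecord("app02", "KB-0001", "critical", date(2024, 3, 1), None),                # missing
    PatchRecord("db01", "KB-0002", "important", date(2024, 2, 1), date(2024, 3, 20)),   # installed late
    PatchRecord("web01", "KB-0003", "moderate", date(2024, 1, 15), None),               # still inside SLA
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE, AS_OF):
        print(f"{v.host} {v.patch_id} overdue by {v.days_overdue} days")
```

The point is not the particular numbers but that every term in the policy (severity classes, the clock start, the deadline, what "missing" means) has a definition the check can apply; if you cannot write this function for your policy, the policy is the same vague sentence the old environment had.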
3. How will you keep the hackers out?
I've been involved with a few companies that spent tens of millions of dollars to build a new environment: new computers, new network, new applications, new workstations, new servers. Nothing old was allowed to touch the new environment. After spending all that money and time, the old hackers compromised the new environment in days.
You need to learn from the weaknesses of the old environment so that the same old tricks no longer work in the new environment. For example, if the hackers got into the old environment using spearphishing emails containing malicious Adobe Acrobat PDF documents, how are you going to stop that from working in the new environment? I've seen plenty of possible solutions, including making sure that PDF documents are opened in encapsulated virtual environments where they can't do further harm. Just make sure those miraculous solutions are tested and implemented from the start. Making them pervasive in a few months isn't going to help you today.
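Sandboxing the viewer is one control; another that belongs at the mail gateway from day one is refusing PDFs that carry the active content a malicious attachment typically needs. The scanner below is an added example, not code from the column or from any gateway product: it looks for PDF name objects such as /JavaScript, /OpenAction and /Launch, and it also undoes the PDF name hex-escape syntax (so /Open#41ction is recognised as /OpenAction), since that escaping is a common way to dodge naive string matching. The two PDF bodies are constructed minimal samples; the set of risky names is an assumption you would tune for your own environment.

```python
"""Flag PDFs carrying active content before they reach a user's mailbox.

Added example (not from the column and not a product's code): a mail
gateway or attachment sandbox can quarantine PDFs that carry JavaScript,
auto-run actions, launch actions or embedded files. The PDF bodies below
are constructed minimal samples, not real documents.
"""
import re

# PDF name objects a benign invoice or report rarely needs. Assumed
# policy list for illustration; extend it for your environment.
RISKY_NAMES = {
    b"/JavaScript", b"/JS",   # script execution
    b"/OpenAction", b"/AA",   # actions that fire on open or on events
    b"/Launch",               # run an external program
    b"/EmbeddedFile",         # file attachment (dropper stage)
    b"/RichMedia",            # Flash and similar
}

# "#xx" inside a name is the PDF hex escape for one byte.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name token: "/" followed by non-delimiter, non-whitespace bytes.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")


def normalize_name(token: bytes) -> bytes:
    """Undo PDF name hex escapes, so /Open#41ction reads as /OpenAction.

    The PDF spec treats both spellings as the same name, so a viewer
    honours the escaped form while a plain substring match misses it.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), token)


def risky_features(pdf: bytes) -> set:
    """Return the set of risky names present in the PDF's object syntax."""
    found = set()
    for m in _NAME_TOKEN.finditer(pdf):
        name = normalize_name(m.group(0))
        if name in RISKY_NAMES:
            found.add(name.decode())
    return found


def verdict(pdf: bytes) -> str:
    """Gateway decision for one attachment body."""
    if not pdf.startswith(b"%PDF-"):
        return "reject: not a PDF"
    risky = risky_features(pdf)
    if risky:
        return "quarantine: " + ", ".join(sorted(risky))
    return "allow"


# Constructed samples: a plain document, and one that auto-runs JavaScript
# using hex-escaped names to hide from a naive substring match.
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
MALICIOUS = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Open#41ction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "->", verdict(body))
```

Treat this as a gate, not a parser: real PDFs routinely put objects inside Flate-compressed object streams, so a production gateway needs to decompress streams (or hand the file to a proper PDF parser) before matching, and should pair the check with the sandboxed viewer the column describes rather than replace it.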