Secure architectures

Enterprises are increasingly designing security into every aspect of their systems from the get-go, rather than retroactively

Thanks to complex perimeters, sophisticated application-level threats, and regulations that hold CEOs and CIOs accountable for company data, security must now be regarded as more than a bunch of technologies tacked onto the network. “Companies are realizing they must approach security at the enterprise level,” says Rich Caralli, senior member of the technical staff at the CERT Coordination Center’s survivable enterprise management group. “Rather than chasing the latest threat, they’re working on identifying and securing directly the core business processes and information assets essential to the company mission.”

In fact, security is moving so deeply into business processes and infrastructure that it may someday disappear as a category unto itself. “As organizations develop more mature capabilities in business and IT processes, they’re seeing the significant security benefits,” Caralli says. “They’re moving beyond just patch management, for example, to configuration management or availability management.” No matter what you do in the enterprise, he adds, your function is likely to include information security.

If anything has eliminated the effectiveness of traditional perimeter security, it’s the growth of anytime, anywhere access.

“Companies used to depend on employees carrying around a notebook with a VPN for remote access,” says John Pescatore, vice president of Internet security at Gartner. “But with SSL VPNs, employees now access the network from home computers, other companies’ computers, kiosks, Kinko’s, and cybercafés.”

Pescatore recounts that at a recent RSA conference, he stepped up to a kiosk that displayed a venture capitalist’s e-mail revealing that company X was in for $2.1 million. Or, to take a less spectacular example, a dab of keyboard-logging spyware on a system at FedEx Kinko’s can easily capture an employee’s password and send it to an attacker. And because telecommuters often share their home computers, a little laxity by Junior as he downloads music on the same machine can breed infection, thereby compromising the corporate network.

Enterprises have also wrestled with the security implications of outsourcing, connections with partners and suppliers, and the growth of Web services. “They can’t just hope that the call center in India handling customer data or the company they outsource payroll or sales-force automation to understands and meets their security requirements. They must take into account the impact of an attack or infection on that company’s network,” Pescatore says. The same goes for connected partners and suppliers.

“No doubt Web services and applications reduce the value of traditional firewalls, as companies have to expose data to the world,” says Johannes Ullrich, CTO of The SANS Institute’s Internet Storm Center.

With more application-layer exploits sneaking past traditional firewalls as legitimate port 80 traffic, companies have turned to application-savvy intrusion prevention solutions, as well as application layer and XML firewalls placed strategically to protect specific sensitive data. In fact, these capabilities are increasingly merging with traditional firewall solutions.

“By 2006, when someone buys a firewall, they’ll also be buying intrusion prevention,” Pescatore says. He also sees XML and Web application security merging with content-filtering products, as evidenced by F5 Networks’ purchase of Magnifire.

Web services and compliance requirements are also driving the need for end-to-end enterprise identity solutions and federated identity standards that allow different organizations to set up trust relationships with one another. Identity management’s centralized auditing function, in particular, is becoming an important compliance tool.

Traditional desktop and network management solutions have increasingly taken on patch management and other security functions. Their hardware and software inventory capabilities have also become essential components of a viable security strategy, as PC-based technologies and Web servers have been incorporated into a variety of devices.

“My wife worked for a company that sold oscilloscopes running Windows 2000,” SANS’ Ullrich says. “Did you patch your oscilloscope today?” Switch vendors such as Cisco are working security into their mainstream network hardware. “Each port in your Cisco switch is a perimeter that you can shut down when a security event happens,” Ullrich says.

Finally, companies are working security into the development and implementation process much earlier. “Outside code review and vulnerability and penetration testing have become more widespread,” Ullrich says. Caralli agrees, “It’s much better to head off the security threat much earlier in the process, before you inherit it in the operations phase.” The result is that security is on its way to being part of everything else. “In the work we’re doing, we’re really trying to lose the term ‘security,’ ” Ullrich says.