4. The new environment looks great -- but will it stay that way?
If you think it's hard to plan something new and near-perfect, that's easy compared to keeping it that way. Remember, those who built your current environment started out with the best of intentions. No one wanted to design insecure crap.
Examine what happened over time to make the current environment one people can't wait to get rid of. Was it due to poor technical decisions or was it more than that? In many cases, political or business pressures force poor security decisions. How can those be avoided in the future?
To me, this is the most important point of all. It's an awful lot of money and effort to build something new if you can't prevent repeating the same mistakes. These sorts of policy decisions are harder than just building a new network. It requires the right senior people agreeing on the right foundational policies.
5. Object lifecycle management
Another key implementation decision is to account for the full lifecycle of each and every object (user, computer, group, printer, OU, application, service account, and so on) in the network or Active Directory forest. Each object must have an owner who is easy for anyone to identify or query. Ownership gives accountability and allows key decisions to be made in a timely manner.
Each object should be tracked from provisioning to de-provisioning. Each object should have specific policies that detail how it comes into creation, how often review takes place, and when and how it should be modified and removed. The documentation should specify who can manipulate the object and how often the object needs to be reviewed for legitimacy.
For example, when you create a security group, the owner should be identified and the members and permissions and rights documented. Every now and then -- at least annually, if not more often -- the owner should be asked if the group is still needed. The owner should review the members and permissions and actively respond to keep the group. Otherwise, it should be deleted. Preferably, all of this should be automated.
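As an added example (not from the article), the following Python sketch automates the group-review policy just described: every group carries an owner, an attestation date and a pending review request, and the script decides each day whether the group is fine, needs a review request, is waiting on its owner, should be renewed, or should be deleted because the owner said so or never answered. The group names, owners, dates and the one-year interval and 30-day grace period are constructed assumptions, not values from the article.

```python
"""Toy lifecycle review for security groups (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_INTERVAL = timedelta(days=365)   # assumption: attest at least annually
RESPONSE_GRACE = timedelta(days=30)     # assumption: how long an owner has to answer


@dataclass
class GroupRecord:
    name: str
    owner: Optional[str]            # accountable person; None means the group is orphaned
    created: date
    members: List[str]
    last_attested: Optional[date]   # last time the owner confirmed the group is still needed
    review_sent: Optional[date]     # when the currently open review request went out
    response: Optional[str]         # "keep", "retire", or None (no answer yet)


def lifecycle_action(rec: GroupRecord, today: date) -> str:
    """Decide what the automation should do with one group today."""
    if not rec.owner:
        return "escalate"           # nobody is accountable; a human must assign an owner first
    if rec.response == "retire":
        return "delete"             # owner explicitly retired the group
    if rec.response == "keep":
        return "renew"              # record today's attestation and close the request
    due = (rec.last_attested or rec.created) + REVIEW_INTERVAL
    if today < due:
        return "ok"
    if rec.review_sent is None:
        return "request_review"     # overdue and nobody has been asked yet
    if today - rec.review_sent > RESPONSE_GRACE:
        return "delete"             # no answer within the grace period: silence is not consent
    return "awaiting_owner"


def review_groups(groups: List[GroupRecord], today: date) -> Dict[str, str]:
    """Run the decision over an inventory and return {group name: action}."""
    return {g.name: lifecycle_action(g, today) for g in groups}


# Constructed sample inventory covering every branch of the policy.
TODAY = date(2024, 6, 1)
SAMPLE_GROUPS = [
    GroupRecord("Finance-ReadOnly", "alice", date(2022, 1, 10), ["bob", "carol"],
                date(2024, 1, 15), None, None),           # attested recently
    GroupRecord("Legacy-Admins", None, date(2019, 3, 1), ["dave"],
                None, None, None),                        # no owner on record
    GroupRecord("Proj-Phoenix", "erin", date(2023, 2, 1), ["frank"],
                None, None, None),                        # over a year old, never reviewed
    GroupRecord("Old-VPN-Users", "grace", date(2020, 5, 5), ["heidi"],
                date(2023, 4, 1), date(2024, 4, 10), None),  # asked 52 days ago, no reply
    GroupRecord("HR-Payroll", "ivan", date(2021, 7, 7), ["judy"],
                date(2023, 5, 1), date(2024, 5, 20), "keep"),  # owner confirmed
    GroupRecord("Temp-Audit-2023", "kim", date(2023, 1, 1), [],
                date(2023, 1, 1), date(2024, 1, 15), "retire"),  # owner retired it
    GroupRecord("Build-Servers", "liam", date(2020, 1, 1), ["mia"],
                date(2023, 5, 15), date(2024, 5, 20), None),  # asked 12 days ago
]

if __name__ == "__main__":
    for name, action in review_groups(SAMPLE_GROUPS, TODAY).items():
        print(f"{name:18} -> {action}")
```

The point of the `escalate` branch is that an object without an owner cannot be attested at all, so the first automated step is to find someone accountable rather than to delete; everything else follows the article's rule that an unanswered review ends in removal.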
6. What is the "system of trust" for greenfield membership?
What system should be used for determining membership in the greenfield? This is another very important decision. Most companies usually want to use the same system found in the old environment (often involving an HR application). But if your greenfield is going to be green, you must give it a new system of trust. You can't populate a new, more trustworthy environment using a system or application from an untrustworthy environment. Well, you can, and you might even be forced to accept it, but you're creating a built-in weakness.
7. Do a better job of monitoring and drift control
Most compromised environments do a very poor job at monitoring and drift control. Ensure that all assets have event logging turned on, with critical events predefined to generate alerts. Document what programs and processes are supposed to be running on each computer, then monitor for changes.
Most companies don't have a clue as to what programs should be running on their computers, so when a new Trojan shows up, it goes unnoticed for a long time. Break the cycle! Instead, fully document what is allowed to be running and set up alerts when something new is installed or executed. This is a great place to use application control ("whitelisting") programs. I often recommend that they run in audit mode, so you get all the benefits of their monitoring, without causing undue operational interruption.
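As an added example (not from the article or any particular product), the following Python sketch implements the drift check the two paragraphs above call for: a documented per-host allow-list of executable images and their on-disk hashes is compared against a process snapshot, and anything new, changed, or running on an undocumented host becomes a finding. An `audit` mode only alerts, matching the recommendation to start there; `enforce` would also block. Hostnames, paths and the short hash strings are constructed placeholders (real SHA-256 values are 64 hex characters).

```python
"""Toy process drift detection against a documented allow-list (added example; data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RunningProcess:
    host: str
    path: str      # full path of the executable image
    sha256: str    # hash of the image on disk (truncated placeholders in this example)


# The documented "what is allowed to run" list: host -> {image path: expected hash}.
BASELINE: Dict[str, Dict[str, str]] = {
    "web01": {
        r"C:\Windows\System32\svchost.exe": "aa11",
        r"C:\Windows\System32\inetsrv\w3wp.exe": "bb22",
    },
    "db01": {
        r"C:\Windows\System32\svchost.exe": "aa11",
        r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe": "cc33",
    },
}

Finding = Tuple[str, str, str]   # (host, image path, reason)


def detect_drift(snapshot: List[RunningProcess],
                 baseline: Dict[str, Dict[str, str]] = BASELINE) -> List[Finding]:
    """Compare a process snapshot with the documented baseline and return every deviation."""
    findings: List[Finding] = []
    for proc in snapshot:
        allowed = baseline.get(proc.host)
        if allowed is None:
            findings.append((proc.host, proc.path, "host has no documented baseline"))
        elif proc.path not in allowed:
            findings.append((proc.host, proc.path, "image not in allow-list"))
        elif allowed[proc.path] != proc.sha256:
            # Same path, different bytes: the binary was replaced or modified on disk.
            findings.append((proc.host, proc.path, "image hash differs from baseline"))
    return findings


def apply_policy(findings: List[Finding], mode: str = "audit") -> List[str]:
    """Turn findings into alert lines. audit = alert only; enforce = alert and block."""
    if mode not in ("audit", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    action = "ALERT" if mode == "audit" else "ALERT+BLOCK"
    return [f"{action} host={host} image={path} reason={reason}"
            for host, path, reason in findings]


# Constructed snapshot: two clean hosts plus one finding of each kind.
SNAPSHOT = [
    RunningProcess("web01", r"C:\Windows\System32\svchost.exe", "aa11"),
    RunningProcess("web01", r"C:\Windows\System32\inetsrv\w3wp.exe", "bb22"),
    RunningProcess("web01", r"C:\Users\Public\update.exe", "dd44"),            # never documented
    RunningProcess("db01", r"C:\Windows\System32\svchost.exe", "aa11"),
    RunningProcess("db01", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
                   "ee55"),                                                   # hash changed
    RunningProcess("file03", r"C:\Windows\System32\svchost.exe", "aa11"),     # host not baselined
]

if __name__ == "__main__":
    for line in apply_policy(detect_drift(SNAPSHOT), mode="audit"):
        print(line)
```

Matching on the image hash as well as the path is what makes the baseline useful: a name-only list would accept a modified binary sitting at an expected path, whereas the "host has no documented baseline" finding surfaces the more common problem that nobody ever wrote down what a machine should be running.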
Is a greenfield the answer?
Is a greenfield really going to solve your organization's problems? If you've been reading up to this point, you'll realize that none of my advice has been about new designs or structures. Almost all the inherent problems I see in compromised environments involve either poor policies or poorly implemented policies. Most of the benefit you would gain from a greenfield environment can be realized in your current one, with much less time and expense.
The biggest problems in today's networks aren't technical. They're political and human. That won't change as long as politics and humans remain the same.
This story, "7 essentials for creating a greenfield environment," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.