More Technical Aspects of Security Policy

 

Introduction. Probably one of the more perplexing aspects of developing security, for many technically oriented people, is making certain that it meets the business needs of the people who will be using the system so that they can work effectively. These approaches must also be kept up to date, with a constant lookout for realistic ways to improve them.

The following outline summarizes many of the issues related to the more technical aspects of providing security.

  • Meet the Organization's Needs
    • You do not want to secure an organization to the point it cannot conduct its functions
      • Your own customers will find ways to defeat it if you aren't really meeting their needs
      • If you make it easy and/or reasonable to do the right things then people are much more likely to do them
    • What are people in the organization trying to do?
    • How are people trying to do it?
    • What does their workflow look like?
    • Be aware of reasonable technological solutions
    • You must enable people to work effectively
    • Provide reasonable levels of security
    • Create solutions that are as clean and simple as reasonable
    • Implement security within a reasonable time scale
  • Stay Up to Date
    • A security professional must be aware of the most likely forms of attack
    • Track bulletins from vendors
    • Peruse particularly informative websites daily
    • Read advisories from organizations that track security issues
    • Keep aware of new vulnerabilities
  • Authentication and Authorization
    • Fundamental to have a strong authentication system
    • Each user needs to have a unique identity
    • There should be no accounts with multiple users
    • Along with authentication comes authorization so that users can attain the appropriate levels of access for the appropriate systems
      • authentication assesses the user's identity
      • authorization determines what this user can do
      • usually require at least username and password
      • a role account gives a user privileges and functions they normally don't have
    • Authentication capability can usually be increased if some additional means are used to determine identities
      • biometrics
      • smart cards
      • something important the user doesn't want to lose
      • something important and unusual the users won't reveal about themselves
    • An authorization matrix is a good device to help the security administrators determine who has what levels of access/permission to use what
  • Selecting Products and Vendors
    • Almost all products must be evaluated from a security point of view considering issues such as
      • is it used by a third party who has a restricted level of access for the product
      • is it part of the authentication, authorization, access control system
      • is it accessible from the internet or any other untrusted network
      • does it provide authenticated access to sensitive data or systems
      • degree of confidence about in-built product security
      • vendor direction and maintenance
      • functionality and integration
    • Simplicity
    • Security
    • Open Source
      • oftentimes, if the source is available, smart intruders can really investigate their options
      • closed source can lead to other suspicions, such as that the vendor is hiding behind obscurantism
    • Usability
      • component interactions
      • ease of configuration
      • effects of configuration changes
      • training
      • validate appropriate configurations
      • vendor issues
        • maintenance patches
        • updates
        • security consciousness of the vendor
        • notification mechanisms
    • Integration
      • will it make use of your existing authentication system?
      • what sort of load does it put on the network and systems?
      • if it has to talk through the firewall are its protocols appropriate?
      • can its logs coordinate with the central host?
      • what sort of network service is required?
      • is the appropriate OS already supported?
    • Cost of Ownership
      • how long to configure software?
      • are there autoload options?
      • how much fine tuning and day to day maintenance are required?
      • already familiar?
      • how will new hires learn?
      • how will current employees learn?
      • ease and comfort of use
    • Futures
      • scalability
      • future directions for vendor and product
      • version support
      • frequency of new releases
      • market pressures
  • Internal Auditing
    • are security environments in compliance with policies and design criteria?
    • checking employee and contractor lists against authentication and authorization databases
    • physical perusal of machine rooms, wiring and telecom closets for intrusive devices
    • verifying up to date security patches
    • launching sophisticated attacks against infrastructure to test and improve
    • Log Processing
    • Internal Verification
      • traffic routes
      • phone numbers
      • source machines
      • who's actually using remote access
    • Per Project Verification
    • Physical Checks
  • Make Security Pervasive
    • make sure everyone is aware of what is being done and how it works
  • Maintain/Improve Contacts
    • make sure you are in touch with those that are on the cutting edge
    • make sure you are in touch with those that are aware of what really works
  • Produce Metrics
    • validate security effectiveness with data
    • have external audits assess as objectively as possible
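The authorization matrix and the internal-audit step of checking employee and contractor lists against the authentication and authorization databases can be combined into one reconciliation pass. The sketch below is an added example, not part of the original notes; the roster, matrix, account export format, access levels and all names in it are constructed assumptions.

```python
# Added example: reconcile provisioned accounts against the staff roster
# and the authorization matrix. All data below is constructed sample data.

# Staff list (employees and contractors) from HR.
ROSTER = {"alice": "employee", "bob": "employee", "carol": "contractor"}

# Authorization matrix: user -> {system: approved access level}.
MATRIX = {
    "alice": {"payroll": "write", "wiki": "write"},
    "bob": {"wiki": "write"},
    "carol": {"wiki": "read"},
}

# Export from the authentication/authorization databases:
# (account name, people who use it, system, granted level).
ACCOUNTS = [
    ("alice", ["alice"], "payroll", "write"),
    ("bob", ["bob"], "wiki", "write"),
    ("bob", ["bob"], "payroll", "read"),         # no matrix entry
    ("carol", ["carol"], "wiki", "write"),       # more than approved
    ("dave", ["dave"], "wiki", "read"),          # not on the roster
    ("ops", ["alice", "bob"], "wiki", "write"),  # one account, two users
]

# Ordering of access levels, lowest to highest.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


def audit(roster, matrix, accounts):
    """Return (finding, account, system) tuples for every policy deviation."""
    findings = []
    for account, owners, system, granted in accounts:
        # Each user needs a unique identity: no accounts with multiple users.
        if len(owners) != 1:
            findings.append(("shared-account", account, system))
            continue
        owner = owners[0]
        # Accounts whose owner is no longer an employee or contractor.
        if owner not in roster:
            findings.append(("orphaned-account", account, system))
            continue
        # Access granted beyond what the matrix approves for this user.
        approved = matrix.get(owner, {}).get(system, "none")
        if LEVELS[granted] > LEVELS[approved]:
            findings.append(("excess-access", account, system))
    return findings


if __name__ == "__main__":
    for finding in audit(ROSTER, MATRIX, ACCOUNTS):
        print(*finding)
```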

Impact of Organization Size and Type. The size of the organization is going to have a huge impact on security implementation and on how many people are involved. Whether the organization is small, medium or large, and how technically oriented its infrastructure needs to be in order to be competitive, are going to have a huge impact on how security is implemented. The levels of security its operation requires are also going to be very important.