An influential user group is nearing release of a blueprint for a policy-based security architecture it hopes will become an industry model for securing corporate information systems.
The Network Applications Consortium (NAC), which includes major IT corporations such as Bechtel, Boeing, GlaxoSmithKline and State Farm Insurance, will publish on Jan. 1 the results of more than a year's worth of work in a document titled "Enterprise Security Architecture: A Framework and Template for Policy-Driven Security" (see executive summary).
"We have an industry reference document that brings together aspects of security architecture that have never been directly linked together in one document," says Fred Wettling, chairman of the NAC and infrastructure architect for Bechtel, a global engineering, construction and project management firm. "This ties, from stem to stern, governance down to operations along with a road map of where to go in the future. As far as a reference model, this is the first of its kind for policy-driven security."
The 121-page Enterprise Security Architecture (ESA) document describes the policy, technical and operational models companies should adopt in tailoring a security architecture. The architecture is based on a set of policies that use templates for policy creation from the National Institute of Standards and Technology and the International Organization for Standardization; these policies can be represented electronically, stored on a network and used to execute and enforce policy.
The goal is to create a link between the definition, implementation and enforcement of security policies and the physical security components of a network. Eventually, the policies for each will be automated across the physical network.
The NAC - whose members represent combined revenues of more than $750 billion - is working with industry groups such as the Distributed Management Task Force (DMTF) and the Open Group, as well as vendors such as Cisco and Microsoft, to foster awareness and further refinement of the security architecture plan.
"You can't just buy a security product that is a quick fix to secure interconnected networks and distributed applications. You have to build that into the security products you have: That is architecture," says Daniel Blum, an analyst with Burton Group. He also says policy is a difficult problem with all the layers of security such as server and desktop firewalls and VPNs. "You have to distribute policy enforcement to those endpoints because that is where the threats are, but you have to centralize the decision making. That is why you need common policies and policy languages."
NAC officials say they spent the past eight months updating an April draft of ESA to add a detailed description of the needs and interdependencies for security operations such as compliance, asset, vulnerability, event and incident management. The NAC also added a model that describes automated policy creation from a set of business requirements, such as Health Insurance Portability and Accountability Act compliance, and the implementation and enforcement of those policies.
However, the NAC acknowledges it's a process that requires a level of integration that can't be supported with today's technology and standards.
In the interim, the ESA document lays out a road map of steps companies can take to move toward a more policy-driven security architecture, including creating or formalizing policies, devising naming conventions for users and machines, cleaning up identity data, and supporting a range of standards (see graphic).
"One of the things we decided to do is that we will maintain the policy automation model and the road map independently so we can evolve that and make it more real as we work with the DMTF and others," says Harold Albrecht, the ESA project manager and technical writer. "Some of the things in there will change, perhaps significantly."
Learn more about this topic: User group defines security needs
Network World, 04/26/04