User group to reveal model for IS security future

An influential user group is nearing release of a blueprint for a policy-based security architecture it hopes will become an industry model for securing corporate information systems.

The Network Applications Consortium (NAC), which includes major IT corporations such as Bechtel, Boeing, GlaxoSmithKline and State Farm Insurance, will publish on Jan. 1 the results of more than a year's worth of work in a document titled "Enterprise Security Architecture: A Framework and Template for Policy-Driven Security" (see executive summary).

"We have an industry reference document that brings together aspects of security architecture that have never been directly linked together in one document," says Fred Wettling, chairman of the NAC and infrastructure architect for Bechtel, a global engineering, construction and project management firm. "This ties, from stem to stern, governance down to operations along with a road map of where to go in the future. As far as a reference model, this is the first of its kind for policy-driven security."

The 121-page Enterprise Security Architecture (ESA) document describes the policy, technical and operational models companies should adopt in tailoring a security architecture. The architecture is based on a set of policies that use templates for policy creation from the National Institute of Standards and Technology and International Organization for Standards that can be represented electronically, stored on a network and used to execute and enforce policy.

The goal is to create a link between the definition, implementation and enforcement of security policies and the physical security components of a network. Eventually, the policies for each will be automated across the physical network.

The NAC - whose members represent combined revenues of more than $750 billion - is working with industry groups such as the Distributed Management Task Force (DMTF) and the Open Group, as well as vendors such as Cisco and Microsoft, to foster awareness and further refinement of the security architecture plan.

"You can't just buy a security product that is a quick fix to secure interconnected networks and distributed applications. You have to build that into the security products you have: That is architecture," says Daniel Blum, an analyst with Burton Group. He also says policy is a difficult problem with all the layers of security such as server and desktop firewalls and VPNs. "You have to distribute policy enforcement to those endpoints because that is where the threats are, but you have to centralize the decision making. That is why you need common policies and policy languages."