Needed: an enterprise security architecture

Given the avalanche of security threats identified and directed daily at all sorts of corporate IT assets – PCs, midrange servers, mainframes, networks, storage systems, VoIP systems and cell phones, to list just a few – the case for effective, active management of these IT and networking security risks is a no-brainer. Issues of concern include interception, interruption, modification and fabrication of corporate information. Infractions may be inadvertent acts, deliberate nefarious acts, acts of God, technical failure and management malfeasance or failure.

Some organizations have developed principle-based security architecture to define the necessary elements of security. However, many companies still take a piecemeal view of security management. What all organizations need is a comprehensive framework for the uniform and organized treatment of all aspects of security. This can be accomplished through a well-thought-out security architecture.

An architecture is a blueprint for how to place resources optimally in the IT environment to support business, and security is a critical component. While the IT industry has come to accept enterprise architecture in the past five years, the focus has not been on security.

Addressing security challenges effectively requires a proper overall security architecture and policy. Clearly, network hardware and software components must be secure, and personnel must be trustworthy.

The goal of enterprise architecture is to create a unified IT environment – standardized hardware and software systems – across the company, with tight links to the business side of the organization. A security architecture should describe the security services a system must provide, the elements required to implement the services and the behaviors of the elements (including the performance goals) to deal with the threat environment. The security architecture should address administrative, communication, computer, radiation, personnel and physical security. An enterprise architecture in general, and a security architecture in particular, drive standardization and service improvement. Standardization results in lower operational costs and faster rollout of functions, whether they are atomic functions such as configuring a firewall or more complex integrated functions, such as a new software application.

Layered frameworks and models for enterprise architecture have proved useful, because layering has the advantage of defining contained, non-overlapping partitions of the environment. One of the first security frameworks was ISO 7498-2, which covers general architectural elements that can be used to thwart attacks and circumstances under which the security elements can be used.

But this model, published in 1989, is static; in addition, it covers general principles rather than detailed solutions. New models for robust security architecture planning are needed and, fortunately, some are under development.