The role of a security operations crew

Many enterprises are developing internal groups to run security operations, known as “sec-ops.” These groups are responsible for monitoring and responding to security events. To ensure their effective operations, putting the right organizational structure in place is critical.

There are, broadly speaking, three disciplines in enterprise information security. Governance is concerned with the evaluation of risk and the definition of enterprise security policies. Security implementation is the discipline of converting security policies into technical implementations. Finally, audit and compliance is the discipline that ensures that policies are correctly implemented and enforced. Organizing the three roles under a single group that’s distinct from data center architecture and operations not only isolates security functions in a “silo” but also places the role of audit far too close to the implementers. It’s best to align security operations more closely to overall data center operations.

A security operations team’s main role is monitoring the infrastructure and applications for security events, responding to the events, and conducting “post-mortem” analysis to recommend improvements to security policy or implementation. To be effective against insider threats from system administrators and security administrators, the security operations team needs to operate independently from those implementing security controls – hard to do if they’re part of the same overall team.

Additionally, responding to a security event requires that it is first identified as a security event. Differentiating between a security event and a network or application failure is often very difficult, especially in the early stages of troubleshooting – so sec-ops needs to work more closely with the overall operations group.
The security operations team therefore needs to be part of the operations group, for many reasons:

* The tools and protocols used to monitor the infrastructure and applications for “unintended” failures are the same as those required to detect “intentional” breaches. “Intent” is usually determined after-the-fact through analysis of an event.
* The skills needed to prioritize response based on the business-criticality of an affected application are the same, regardless of the root-cause.
* Analyzing an anomalous event requires knowledge of what a “normal” response looks like. Operations groups have a better understanding of the infrastructure as a whole and are better equipped to identify anomalies.
* One of the most important tools for any operations team is a ticketing system for generating and tracking “faults.” Such a system is also a critical component of a security-incident response process.

Enterprise IT executives should create a security operations team that is closely integrated with the broader network/systems operations group. The sec-ops team should report to the other security groups (governance, implementation) on a regular basis and especially after an incident “post-mortem.” Every security breach represents a failure of security policies or a failure of security implementation. As the watchdog for security, the sec-ops team should provide regular feedback to ensure that security policies and implementation reflect the “lessons learnt” with continuous improvement. The only certainty in the security business is that a lesson not learnt will soon be on the curriculum again.