The three keypoints of security

En la newletter:

SECURITY STRATEGIES --- February 20, 2002
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
leemos:
A Higher View of Defense in Depth
By Brent Huston

Security in the modern world relies completely on layers of defense or, as it is often referred to in the military world, "defense in depth". Just as layer-after-layer of defensive technology and strategic battlements ranging from simple fencing and barbed wire to complicated heat and vibration sensing alarm systems protect military bases, so must the world of online defense be deployed. With so many vulnerabilities in products, operating systems, and network gear, how can one or a simple handful of solutions provide adequate protection for us? But defense in depth goes beyond platforms, products, and patches.

Technical defense in depth is certainly a key idea. Protecting our assets can no longer be left to simple single-point solutions. The firewall is little more than a speed bump unless it is an integral part of an overall security solution with components that enhance and support its position. Network intrusion sensors, host-based hardening and monitoring, network access lists on perimeter devices, and log watching accessories all combine with hardware tokens, honey pots, and a myriad of other devices, products, and strategies to create an effective technical security bastion.

Now, all of this technology certainly can get complicated but this complication is manageable for successful security organizations because they employ another integral security component: Policy. Policy is the overall ruler of the technical implementations. While the computer systems, sensors, and other devices are working on separate pieces of the puzzle, they should be enforcing a common vision and methodology created by the policy. Again, the policy and the technology form the basis for a winning security edge.

Lastly, add into this mix a third-level component to the security team: People. People have to be aware of the policy and the results of the technical tools that are in place to protect them. If this awareness of the environment is left out, even technology and policy can't make them secure. Awareness is the single largest security enhancement any firm can make. By combining awareness with policy and technology, an organization creates the safest solution they can have for their assets and their bottom line.

Technology, policy, and awareness are three key concepts for creating defense in depth. They are the power behind the throne of the firewall, IDS, VPN, and all the other components involved. Since security is really a human social problem, it makes sense that it has a human social solution. Begin looking at the three components in your organization. Have you really deployed defense in depth when looked at from this 100,000 foot level?

About the author(s)
-------------------

Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. His 12 years of professional experience has demonstrated his knowledge of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, incident response, forensic computing, and hacker techniques. As President and CEO of MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies and all levels of governmental facilities. He is an accomplished computer and information security speaker, published numerous white papers on security-related topics, and worked as co-author and technical editor of the book "Hack Proofing Your E-Commerce Site" from Syngress Publishing.

Algunas página que modelizan la seguridad según esta triple visión son:

  • http://www.microsolved.com/media/files/compliance_whitepaper.pdf
  • http://www.securearuba.com/about/philosophy.html
  • http://www.secureassure.com/about/philosophy.html

    Camino(s) ascendente(s):