Defense In Depth: A Blueprint For Security

ADMISSION CONTROL
Surrounding data access policies (see diagram, "A Model For Secure Data Access") is an intelligent means of regulating the way applications access the network and local applications. Most IT shops are deploying network access control architectures that admit approved devices and quarantine devices not conforming to corporate security policies.

Some ITers find those problems solved by other means, such as automating patch updates. "NAC solves the wrong problem," says Stuart Berman, security engineer at Steelcase, an office-furniture maker. "NAC is sold today as a means of protecting the network from viruses. But we haven't had that problem in years."

The real problem, says Berman, remains how to secure the network via user logon and tracking. IT requires a smart NAC, if you will, smart enough to restrict access to network resources based on user identity--not just the system's configuration.

APPLICATION ACCESS
Two technologies show great promise for restricting application use. One approach relies on IT knowing the applications approved for execution on a corporate workstation. IT creates a "whitelist" of permissible binaries, identified with hash indexes to prevent altering. Unlisted applications or listed applications with a different hash are prevented from executing on the desktop.

While effective in preventing rogue application access, whitelists may break down in the face of changing IT trends around desktop governance. IT has long battled for management of desktops viewed by departments and employees as their turf. The phenomenon is made worse as PC prices fall and smartphones get more powerful.

One solution may be desktop virtualization. The corporate-approved virtual machine will be where users run all company applications and access the network. Citrix Systems, Microsoft, VMware, and others sell such products.

SECURE THE HOST
IT's next job is to protect the host from threats residing on the network and vice versa. Endpoint security applications will continue to consolidate into suites providing firewall, antivirus, anti-spyware, and anti-spam capabilities as well as host-based intrusion-prevention systems. We expect this trend to continue with a single agent replacing security and management agents.

Restricting network access once users have been approved for the network is the final step in the security blueprint. The solution begins by deploying policy enforcement points, or PEPs, throughout the network. These devices enforce legal, regulatory, and contractual policies. Once admitted, users are prevented from accessing resources or carrying out actions that conflict with those policies.

At its most basic, this means increased use of physical and virtual firewalls to prevent users from accessing systems with sensitive data. PEPs provide post-admission control through IPS capabilities to ensure compliance with corporate policies.

PEPs are managed through a common console and query a policy decision point within the management console for current policies. PEP management, like all infrastructure management, is part of the holistic view of the enterprise management system, which pulls together information about identity, services, and applications as well as infrastructure.

David Greenfield is an IT consultant and freelance writer. Write to him at [email protected].