Want better security? It's a multilevel process

There's this old joke used in security seminars that if you ask your IT guy what sort of security he has and he says "Oh, we're secure; we have firewalls," you should show said IT guy the door because he has no clue and couldn't even buy one from Vanna White.

Security is a process. It is not something that stays static for all time. In some ways, Security threats are a sphere inwardly directed around a target in the center. The specific threat will be a combination of forces that form a resultant vector inwards to the target. security is a lot like dodgeball. You never know where it's going to come from, and if they tag you you're out. Security threats are a sphere inwardly directed around a target in the center. The specific threat will be a combination of forces that form a resultant vector inwards to the target. The composition of those forces ending up as a threat vector obviously changes from specific case to specific case. In security, one size definitely does not fit all.

Let's cut a circular plane out of the middle of this threat sphere. Let's then mark four orthogonal vectors on the resultant circular plane, just like the main points on a compass. But these lines point to what I see as the four main security areas. These are Physical Security, Logistical Security, Data Security, and Technical Security.

Each concept by itself is only a part of the overall solution to the generalized problem of risk management. Combined in the proportions necessary for the job at hand, they can have a powerfully deflective effect on threats. It may even be possible to neutralize a threat completely, although that may not always be possible. A deflective outcome (or a protective reaction response that leads to a deflective outcome) is not to be sneered at. It may not stop someone from throwing that ball, but you can dodge it and stay in the game.

Physical Security

This area covers all that pertains to the physical siting and environment. It should be obvious to anyone that this is basic to a security effort. What good is One of the simplest and most effective concepts of physical security is limiting the access of non-essential personnel. encryption of data going to do for you if someone can waltz into the computer room and read the data in plain text?

Relevant elements of PS include the physical plant and the siting of the machine; any hardware "dongles" that are needed to run the program (perhaps for copy protection), as well as environmental factors. Disaster recovery plans — surely an integral part of any security operation — should also be based on the physical situation.

One of the simplest and most effective concepts of physical security is limiting the access of non-essential personnel to the computing area by physical means like walls and locked doors. Routers and servers should also be protected in a secure, maintainable area, not just shoved into some handy closet because there's space there.

Logistical Security

This kind of security has to do with an institution's policies and procedures. If the computer is in a locked room, the logistical aspect of security determines who gets a copy of the key to the door.

Logistics is where we "close the loop" on the security process. Logistics are the management aspects of the security spectrum. For instance, there should always be a way to obtain stakeholder feedback about the current practice of security, as well as an oversight process to address any identified security lapses with an eye toward preventing their reoccurrence.

The results of the oversight/review efforts can and should impact policies and procedures. If they don't, the review process is not a true security review. It's a blame shifter.

Security depends on the correct execution of the appropriate policies. So, LS must include a way to implement the effective promulgation of those policies. For example, a large organization may have well thought out policies in place but fail to inform new hires about them. Good LS would enlist human resources to disseminate security information, and would continually monitor how well HR does this.

Logistical security manages the implementation of security practices. It also incorporates a functional overview of the entire process. This is where the rubber of the paper meets the road of the data, so to speak.

Data Security

Many people think that data security is the whole of system security, because this is where the sexy stuff lives — and because most users equate security with resistance to attack. Data security should mean data is not corrupted or altered including data sent to or received from a network.

Encryption/decryption technologies are only part of the mix used for data security. Simple technologies, like the use of test datasets of known values, can be as important to the DS effort as any other technology used for the effort.

Software that directly touches the data affects DS. It is incumbent upon the security analyst to verify each software component's function by itself and within the overall system. Components may function correctly when used independently, but fail in the aggregate system.

DS usually deals with differing technologies that span the system end-to-end, but from a process-specific viewpoint (a viewpoint that aggregates only the information affecting the process under review). You want the server to pass your data along the network, but don't need to know what specific program the server is using as long as it functions transparently with your data. Data Security focuses on the data and just the data.

Technical Security

Somewhat of a catchall, technical security concerns itself with the "technical" details of a secured system. To use the previous section's example, TS concerns itself with the operating system on a system's server, looking to increase its resistance to attacks as well as its functionality.

As noted before, most users think "resistance to attack" when they say "security". Among other things, TS deals with the specific details of implementation involved in the resisting of attacks. When a virus invades, TS acts as the immune system of the data ecology, ridding it of any infection.

To fulfill its responsibilities, TS must manage, as well as keep current with, a mountain of details. Most will probably deal with manufacturer-recommended maintenance patches to the installed software base. TS is responsible for the proactive routine dissemination to users of this maintenance information, such as updates to virus detection software. This is part of locking the barn door before the cows get out.

TS acts as the constantly changing filter that keeps impurities out of the system and stops the spread of any evident sniffles to others. TS should be able to respond positively to change, since it is the first line of response to a threat. TS is like a cop on the beat — it should preserve and protect.

Summary

The classifications we make discussing system security are only worthwhile if we can use them to better plan for and respond to problems. Whether efforts are focused on the physical, logistical, data or technical facets of the security gem matters not if the end result fails to increase the system's ability to function and defend itself.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies