Recently, I have participated in several discussions around internal and external security breaches, big data and the benefits of security information and event management (SIEM) solutions in making a security function proactive. As part of these discussions, I realised that organisations are not paying attention to a basic building block of securing information: secure network design. Let me explain this using a real-life example.
Take an example from the physical world: visiting a museum or any other place where valuable items are kept. Generally you would see physical security at the front gate, where everyone entering is screened. This is similar to the firewalls we have at the network perimeter, which check traffic entering the organisation's network. However, in the case of a museum, even once you have passed security at the entry point and are inside, there are additional security measures in place to protect the areas that display valuable items, and these areas are generally compartmentalised.
The same analogy does not apply to our networks. Once you are in a network, it is assumed that you are a trusted user and you are allowed to move around freely. What is not happening, and what companies should be doing, is to consider creating different zones (I am not talking about a DMZ) within their network depending on the value of the information and the inherent risk associated with the different types of information. Any assets that are valuable to the company (the crown jewels) should be kept within a segregated, higher-security zone so that additional security measures can be put in place and access to this information can be granted only to those who should have it.
Current networks and systems are not designed so that systems can be isolated when there is a security breach. Generally this comes back to how the application is designed: most of the time the control that is put in place is a logging capability with some sort of security monitoring. However, given the amount of information being processed today, we can't monitor everything, and although we can keep a log, it will only give us access to the data for forensic purposes after something bad has already happened. In terms of identification, good monitoring controls let us spot anomalies within the environment; in terms of isolation, containing a breach is going to be very difficult unless we have defined separate zones.
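To make the zoning argument in the two paragraphs above concrete, here is a small Python model, added as an illustration and not part of the original post. The hosts and zone names (user, app, crown_jewels, admin) are constructed for the example; it compares what a compromised user laptop can reach in a flat network with what it can reach under a default-deny zone policy, and shows what cutting a zone off during an incident does.

```python
from collections import deque

# Constructed inventory: host -> zone. Host and zone names are assumptions
# made for this example, not taken from the post.
HOSTS = {
    "laptop-01": "user", "laptop-02": "user",
    "web-01": "app", "app-01": "app",
    "db-crown-01": "crown_jewels", "jump-01": "admin",
}

# A flat network has no inter-zone policy: anyone inside reaches anything.
FLAT = None

# Zoned network: explicitly permitted (source zone, destination zone) pairs;
# anything not listed is denied. Traffic inside a zone is always permitted.
ZONED = frozenset({
    ("user", "app"),            # users talk to the application tier
    ("app", "crown_jewels"),    # only the app tier may reach the database
    ("admin", "crown_jewels"),  # plus administrators via the jump host
    ("admin", "app"),
})

def allowed(src, dst, policy):
    """True if a connection from host src to host dst passes the zone policy."""
    if src == dst:
        return False
    if policy is None:
        return True
    zsrc, zdst = HOSTS[src], HOSTS[dst]
    return zsrc == zdst or (zsrc, zdst) in policy

def direct_reach(start, policy):
    """Hosts that start can connect to in a single hop."""
    return sorted(h for h in HOSTS if allowed(start, h, policy))

def blast_radius(start, policy):
    """Hosts reachable from start by pivoting through every host already reached."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and allowed(cur, nxt, policy):
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})

def isolate(policy, zone):
    """Incident-response step: drop every rule that lets traffic into or out of zone."""
    return frozenset(rule for rule in policy if zone not in rule)
```

In the flat model a single compromised laptop reaches every host; under the zoned policy it reaches only its own zone and the application tier directly, and the database only by pivoting through the application tier, which is exactly why the higher-security zone needs its own additional controls and monitoring.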
Security and compliance are becoming an increasingly expensive item on the balance sheet of every business. This means we have to be smarter and more innovative in the way we invest that money in order to give better returns to the business. You can't protect everything: 100% security is not practical because it costs a lot of money, and it is even harder in the current climate, when every department faces reduced budgets and a mandate to save costs. We need to understand what needs protecting within the organisation and which valuable information assets are key to the survival of the business. A better solution is to provide a higher level of control and security for these important information assets rather than trying to apply a similar level of controls to everything.
I am not saying that it is an easy thing to do, but this is the best way forward to manage information security risks effectively in a constantly changing threat landscape.
I talked about this topic in a bit more detail as part of my interview for “Financial Crime and Operational Security Annual Report” published by Clear Path Analysis on 2nd April 2013.