Posted by: adelvecchio
defense in depth, network security, security information and event management
This is part two of a four-part series of posts where I look at perimeter security, network security, host security, and finally administrative security as distinct elements in overall information security architecture and the best way to evaluate the current state of each.
A standard question we ask when working with clients is how they go about assessing their organization’s information security architecture. Previously, we examined the perimeter and how to address perimeter security in an ever-changing technical environment. The second element, working our way from the outside of the network to the inside, is what we call network security. Network security and segmentation are often deemed unnecessary in the modern switched network, since many associate segmenting the network with performance-optimization exercises rather than with security. But this is actually the first place where the tenet of defense in depth starts to take shape within an enterprise architecture.
Early in the history of the Internet, it was rare to find a firewall or “bastion host” in place. When these became commonplace, it created the “Tootsie Pop” model of network security — defense with a hard, crunchy outside and a soft, chewy inside. Adding structure and access controls to the internal network does not have to create an overly complex maintenance nightmare; it can provide a simple, yet effective, added layer of security to the architecture. The fundamental premise behind the idea is that certain assets deserve more consideration than simply being on the inside of a “trusted” network. Studies have long shown that more than 80% of security incidents involve insiders (a huge and very timely case in point being Edward Snowden). Creating additional zones of security within the internal network, each with basic access control in place to help safeguard the more important information assets, goes a long way toward the goal of defense in depth.
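To make the zoning idea concrete, here is an added example (not code from the original post) of a minimal internal zone policy: addresses are mapped to zones, traffic within a zone is allowed, and traffic between zones is denied unless an explicit rule permits it. The zone ranges, rules and sample flows are constructed for illustration and are assumptions, not values from the post.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed internal zones (assumption: illustrative ranges only).
ZONES = {
    "user_lan":   ipaddress.ip_network("10.10.0.0/16"),
    "app_tier":   ipaddress.ip_network("10.20.0.0/24"),
    "finance_db": ipaddress.ip_network("10.50.0.0/24"),
}

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int

# Explicit allow list between zones; anything not listed is denied.
# Traffic that stays inside one zone is allowed (the flat-LAN default).
ALLOW_RULES = [
    Rule("user_lan", "app_tier", "tcp", 443),     # users reach the app front end
    Rule("app_tier", "finance_db", "tcp", 5432),  # only the app tier talks to the DB
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it lies outside all known zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def flow_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Decide a flow under the zoned policy; unknown addresses fail closed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return Rule(src, dst, proto, dst_port) in ALLOW_RULES

def audit(flows):
    """Return the flows a flat 'trusted' LAN permits but the zoned policy blocks."""
    return [f for f in flows if not flow_allowed(*f)]

if __name__ == "__main__":
    sample = [  # constructed flows
        ("10.10.4.7", "10.20.0.10", "tcp", 443),    # user -> app, allowed
        ("10.10.4.7", "10.50.0.5", "tcp", 5432),    # user -> DB directly, blocked
        ("10.20.0.10", "10.50.0.5", "tcp", 5432),   # app -> DB, allowed
        ("10.50.0.5", "10.50.0.6", "tcp", 22),      # intra-zone, allowed
    ]
    for f in audit(sample):
        print("blocked by zoning:", f)
```

Running the audit over captured flow records is a quick way to see which existing traffic paths a proposed zone layout would break before the controls go live.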
In addition to carving out areas of the network that have tighter access controls in place, network security also includes technical tools such as network intrusion detection/prevention, event correlation and security information and event management, data loss prevention, encryption of sensitive data in transit, etc. Unlike the perimeter, what we consider the internal network does not evolve as fluidly over time, but the technologies that help us police and defend it are constantly evolving. For that reason, staying on top of “bleeding edge” technologies is important to see what the next generation of network security tools will bring, while still focusing on current-generation tools to address current threat vectors.
An important note here is that controls in this arena should never be evaluated simply on the basis of “Is this a duplication?” but viewed as a question of “How can we augment a capability existing at a different layer in our architecture?” Provided the controls are not completely overlapping but complementary in nature, the results should further the goal of defense in depth as well as provide additional tools, data/metrics, and capabilities to the organization.