Book Excerpt: Customer Data Integration and Master Data Management for Global Enterprise
Information Management Special Reports, September 2007
This is an excerpt from Chapter 8: "Traditional and Emerging Concerns of Information Security" found in the book entitled, Customer Data Integration and Master Data Management for Global Enterprise, McGraw Hill, 2007.
In medieval times, commerce was conducted in city-states that were well protected by city walls, weapons and an army of guards and soldiers. In modern times, as commerce rapidly moved to a global marketplace, the goal of keeping potential participants out was replaced by the desire to invite and keep potential customers in.
In today's business environment we see a similar transformation - instead of keeping everything hidden behind proprietary secure networks protected by firewalls, commerce is done on the public Internet, and every business plans to take advantage of the potentially huge population of prospective customers. Denying access to corporate information is no longer a viable option - inviting new customers and enticing them to do business is the new imperative.
Advertisement
Clearly, this imperative brings with it a new set of security challenges - challenges that are reinforced by numerous pieces of legislation that promote various forms of e-commerce and even e-government and require new approaches to security that can protect both the consumer and corporate information assets.
What Do We Need to Secure?
The Internet has become a de facto standard environment where corporations and individuals conduct business, "meet" people, perform financial transactions and seek answers for questions about anything and everything. In fact, all users and all organizations that have some form of Internet access appear to be close (and equidistant) to each other.
The Internet has moved the boundaries of an enterprise so far away from the corporate data center that it created its own set of problems. Indeed, together with the enterprise boundaries, the traditional security mechanisms have also been moved outward, creating a new "playing field" for customers, partners, and unwanted intruders and hackers alike. As a result, enterprise security requirements have become much more complex.
One way to discuss these requirements is to look at what areas of the business environments need to be secured, and from what kind of danger. Figure 1 illustrates the areas of security concerns and corresponding security disciplines that are defined in the following section.
Layered Security Framework
The security domains can be organized into a layered framework that looks at security from "outside in:" perimeter security; network security; platform (host) security; and application, data and user security.
This model describes security "zones" that need to be protected regardless of whether the threat is originating from outside or from within the organization.
Figure 1: Layered Security Model
Technologies that enable the implementation of the layered security framework may offer overlapping functionality and can span several security domains. For example, the security disciplines of authentication, authorization and administration (3A) play equally important roles in securing the network resources, the enterprise perimeter, the computing platform, and the applications, data and users.
Perimeter Security
Perimeter security deals with the security threats that arrive at the enterprise boundary via a network. By definition, the perimeter security has to handle user authentication, authorization and access control to the resources that reside inside the perimeter. The primary technology employed to achieve perimeter security is known as firewalls.
A firewall is placed at the network node where a secure network (i.e., an internal enterprise network) and an insecure network (i.e., the Internet) meet each other. As a general rule, all network traffic, inbound and outbound, flows through the firewall, which screens all incoming traffic, and blocks that which does not meet the restrictions of the organization's security policy.
In its most simple form, the role of the firewall is to restrict incoming traffic from the Internet into an organization's internal network according to certain parameters. Once a firewall is configured, it filters network traffic, examines packet headers and determines which packets should be forwarded or allowed to enter and which should be rejected.
Network Security
Network security deals with authenticating network users, authorizing access to the network resources and protecting the information that flows over the network.
Network security involves authentication, authorization, and encryption and often uses technologies like Public Key Infrastructure (PKI) and Virtual Private Network (VPN). These technologies are frequently used together to achieve the desired degree of security protection. Indeed, no security tool, be it authentication, encryption, VPN, firewall, or antivirus software, should be used alone for network security protection. A combination of several products needs to be utilized to truly protect the enterprise's sensitive data and other information assets.
Network and Perimeter Security Concerns
A common approach to network security is to surround an enterprise network with a defensive perimeter that controls access to the network. However, once a hostile intruder has passed through the perimeter defenses, he, she, or it may be unconstrained and may cause intentional or accidental damage. A perimeter defense is valuable as a part of an overall defense. However, it is ineffective if a hostile party gains access to a system inside the perimeter or compromises a single authorized user.
Besides a defensive perimeter approach, an alternative network security model is the model of mutual suspicion where every system within a critical network regards every other system as a potential source of threat.
Platform (Host) Security
Platform or host security deals with the security threats that affect the actual device and make it vulnerable to outside or internal attack. The platform security issues include the already-familiar authentication, authorization, and access control disciplines, and the security of the operating system, file system, application server and other computing platform resources that can be broken into or taken over by a hacker.
Page 1 of 3.
