
Information technology security implementation strategies

Last reviewed: October 6, 2009

IT Security Plan & Implementation

IT Security Plan and Implementation for a Small Corporation

IT Security Proposal Summary

Small corporations often have to deal with many conflicting and often time-consuming IT priorities to keep their businesses making progress and profits. Yet the lack of an IT Security Plan can seriously cripple any company's performance and profitability and is one of the leading causes of smaller corporations failing (Gupta, Hammond, 2005). The intent of this project proposal is to define an IT Security Plan for a small business network of thirty computers and three servers that are running Web-based applications, an e-mail system and a database application server. E-mail systems in smaller corporations are also specifically in need of continual security upgrades, as this is often one of the systems that pose a significant security risk (Zambroski, 2006). In addition to the lack of e-mail system security, there is also a lack of metrics around the performance of the entire security system (Frankland, 2008).

Given the significant lack of security coverage of these areas, there is the need for managing the IT Security Plan and Implementation using a proven framework.

This proposal relies on the Open Systems Interconnect (OSI) Model defined by the International Organization for Standardization (ISO). The purpose of ISO is to ensure a high level of interoperability and integration between systems, specifically focusing on the flow of data between systems. The OSI Model is an excellent framework for evaluating the security of networks and is shown in Figure 1, the Open Systems Interconnect (OSI) Model. This model is designed to provide a logical grouping of network functions taking into account the physical connections required to make a network effective. This model is ideally suited for evaluating the security of a network as its upper layers define the logical connections and process workflows of a network where the majority of security planning and execution are necessary to alleviate threats.

Figure 1: The Open Systems Interconnect (OSI) Model

Source: (Cisco Tutorial 2007)

An analysis of the considerations for a small corporation's network of thirty computers and three servers running its Web, e-mail and database applications is given below, within the framework of each of the layers of the OSI Model.

The Physical Layer's role is to define the standards relating to the physical medium of the network, such as cable, unshielded twisted pairs (UTP), Ten BaseT (10BaseT) and other hardware connections. The primary security risk of this layer is that the packets sent over the network via the TCP/IP protocol can be intercepted by devices (often called "packet sniffers") and messages read and data stolen (Gupta, Hammond, 2005). For small corporations this threat often goes undetected and cannot be easily stopped with firewalls or DMZ-based software or hybrid software and hardware security platforms. The need for physical security at this level is critical to protect a company's information assets and access to their network. Using Virtual Private Networks (VPN) and a reliance on advanced IPSec-based security would make the intercepting and interpreting of packets more difficult (Rowan, 2007). As a result, VPNs have become predominant for this and additional security benefits evident in an analysis of the OSI Model.

The Data Link Layer interprets data packets and defines the transfer and reception of data on the network, managing data frames between the network layer and the physical layer and receiving raw data from the physical layer. In addition, this layer creates data frames and then delivers them to the network layer at the originating or sender side of the connection. Packets are in turn interpreted and coded down to bits on the receiving side. This is a layer of the OSI Model that hackers attempt to gain control of, specifically for the vulnerabilities of the Logical Link Control function, which handles error correction, and the Media Access Control (MAC) layer, which enables point-to-point connections over a network. The MAC layer is one of the most vulnerable from the packet re-direct standpoint and one that spoofing or impersonation viruses attempt to penetrate and take control of (Ciampa, 2005). As the MAC layer takes into account both the physical and logical connections of a network, it is critical that the security threats at this layer be protected against using DMZ-based security applications and firewalls (Loew, Stengel, Bleimann, McDonald, 1999).

The third level of the OSI Model is the Network layer, which has the function of integrating and ensuring the security of the Internet Protocol (IP) into the remainder of the OSI Model protocol stack. This layer has many coordination and synchronization functions throughout the network, yet its most important is the deconstructing of large IP-based packets being sent over the network to other systems. This layer works in data units called datagrams and is susceptible to re-routing of IP-based traffic based on IP address emulation and impersonation, in addition to the use of IP-based requests for data transfers (Gupta, Hammond, 2005).

The Transport layer is the 4th layer of the OSI Model and is where the transmission of data occurs. This is the layer that has the Transport Control Protocol (TCP) and User Datagram Protocol (UDP), which are protected through firewalls (Ciampa, 2005) and also relied on for secure VPN connections for remote networks (Rowan, 2007).

The Session Layer is the 5th one in the OSI Model and manages the establishing of session connections between Wireless and WiFi (Loo, 2008), Local Area (LANs) and Wide-Area Networks (WANs). As an enabler of traffic over a network, this layer also defines and then manages the bidirectional vs. unidirectional protocols used throughout the network, the extent to which TCP/IP relies on Error Correction Coding (ECC), and the use of Cyclic Redundancy (CRC) error checking as well. This layer also relies on the Session Protocol Data Unit (SPDU) to validate, secure and then release specific connections to ensure greater security (Cisco Tutorial, 2007). For the small corporation, managing a consistent level of ECC and CRC checks is critical in this area (Gupta, Hammond, 2005), in addition to protocol-based security audits over the network.

The 6th layer is the Presentation Layer, which acts as a converter of information from the lower layers and manages the transmission of messages by checking and validating message syntax, coordinating traffic from the lower layers of the OSI Model, and defining security authentication logic between originating and destination systems. This layer is often protected through multiple approaches to network security, including firewalls that can sense impersonated or invalid IP addresses, in addition to defining rules-based authentication on advanced firewalls and security applications (Gupta, Hammond, 2005).

The last and 7th layer is the Application Layer, which acts as the coordination point across the TCP/IP-based commands, Web browsers, and office automation applications that rely on XML messaging and Internet connections. Often this connection is protected through the use of VPN-based connections for shared applications, with IPSec used for point-to-point security and SSL support for broader Web-based application deployments (Rowan, 2007). Security on the 7th layer of the OSI Model is increasingly focused on shared or Web-based applications as a result of the en masse adoption of XML and AJAX-based applications.

Part 2: Review of Other Security Implementations (40 words)

In evaluating the IT Security Plan for AMR Research, a small privately held corporation in Boston, Massachusetts, there are several significant lessons that can be learned and applied to the security plan being defined here. First, there is a reliance on a broad, strategic-wide approach to defining security strategies across all web content, VPN access points, internal databases accessible via authentication, and access to accounting and financial systems (Loew, Stengel, Bleimann, McDonald, 1999). As AMR Research relies on teams of expert-level analysts to evaluate market trends and provide prescriptive guidance to IT organizations globally, there is also the need for secured VPN and SSL connections. The use of SSL as the means for ensuring security and verifiability of traffic over VPN connections is a best practice that corporations are finding scales to meet the needs of their increasingly mobile workforces (Rowan, 2007). These two aspects, an overarching security strategy and the need for creating a consistent VPN and remote access strategy, are critical for AMR Research to protect its intellectual property as well.

Part 3: Rationale and Systems Analysis for IT Security Upgrade

The need for higher levels of security across the corporation's network is accentuated by the fact that the majority of PCs in use today are laptops that rely on WiFi connections throughout the company. The three servers running the website, e-mail systems and database application servers will also need specific analysis of their existing security levels based on the options chosen during installation. Operating system-level security also needs to be evaluated first to see which options were configured for firewalls. All of these factors need to be taken into account for an initial security audit to be put into place, which forms the baseline of security performance evaluation and measurement (Westcott, 2007). Second, the specific connection points throughout the network also need to be evaluated for their levels of existing security, with the WiFi network audited and tested (Loo, 2008). Third, the Virtual Private Networks (VPNs) and the selection of security protocols need to be audited (Westcott, 2007) to evaluate the performance of IPSec vs. SSL protocols on overall network performance (Rowan, 2007). Many smaller corporations vacillate between IPSec and SSL as the corporate standard for wireless connections, weighing the advantages and disadvantages that the table below captures.

Table 1: Technical Analysis of Differences between IPSec and SSL

| Feature | IPSec | SSL |
|---|---|---|
| Topology | Site-to-site VPN; mainly configured in a hub-and-spoke design | Remote-access VPN |
| Security | | |
| Session authentication | Authenticates through digital certificate or preshared key; drops packets that do not conform to the security policy | Authenticates through the use of digital certificates; drops packets if a fatal alert is received |
| Confidentiality | Uses a flexible suite of encryption and tunneling mechanisms at the IP network layer | Encrypts traffic using the public key infrastructure (PKI) |
| QoS and SLAs | Does not address QoS and SLAs directly; yet the IPSec VPNs can be configured to preserve packet classification for QoS within an IPSec tunnel | Both QoS and SLAs do not apply to SSL deployments; the service provider's network traffic is unaware of SSL traffic or its relative level |
| Scalability | Acceptable scalability in most hub-and-spoke configurations and deployments; scalability for IPSec-based networks when there are large, meshed IPSec VPN deployments across a very large number of users (over 10,000); support for key management and peering configuration | Entirely dependent on network traffic; SSL is not impacted by server provider network |
| Management | | |
| Site-to-Site support | Yes | No |
| Remote Access Support | Yes | Yes |
| Provisioning | Reduces operational expense through a centralized network-level provisioning | Does not apply; service provider traffic does not see SSL traffic |
| Service Deployment | Is a protocol compatible with other ones located through an existing IP network | Does not apply; service provider traffic does not see SSL traffic |
| VPN Client | Is required for client-initiated IPSec VPN deployment | Relies on a Web browser to complete sessions |
| Place in network | Local loop, edge and off-net | Local loop, edge and off-net |
| Transparency | Transparency to applications | Works only with applications coded for SSL |
| Wireless | Not easily accomplished as this protocol relies on point-to-point connections | Support for QoS, non-QoS and enterprise-wide connectivity through wireless |

Sources: (Hickman, 2007) (Rowan, 2007) (OpenReach, 2002)

As many internal networks are based on VPNs due to the number of wireless networks overlapping in office and metro areas, the need for having secured connections even within one's own company has become prevalent (Rowan, 2007). The use of SSL-based security technologies for connecting wireless and WiFi-enabled printers and remote storage equipment must also be included in the initial security audit (Westcott, 2007).

With these audits specifically defined, security-based metrics of performance must be defined next (Frankland, 2008). The benchmarking of security levels will give the corporation an opportunity to see the gradual progress over time of their security efforts impacting overall system stability and up-time, and also to track, log and analyze any patterns of external threats they can counter over time. This analysis of inbound threats through the use of analytics applications is also critically important for defining a corporation-wide security plan (Loew, Stengel, Bleimann, McDonald, 1999). A third rationale, in addition to benchmarking security performance and defining a corporate-wide security strategy, is the need for more effectively managing application-level threats. This is most prevalent in corporations within their e-mail systems (Zambroski, 2006), where viruses arrive via inbound e-mail, undetected by firewalls and other security measures. The need for creating auditability within e-mail systems (Westcott, 2007) is also critically important to ensure proper use guidelines are followed and that the corporation does not open itself up to lawsuits or viruses spread throughout their application servers via infected documents and e-mails. This also makes it critically important that the corporation have a continual virus scanning strategy in place to protect its applications and servers, and in fact create a roadmap of continual updates as well (Lin, Chen, Lin, Lai, 2008).

In conclusion, the most chilling example of the hacking of a WiFi network is how the terrorists responsible for the Mumbai, India attacks hacked into hotel networks to see which rooms held American and British visitors (Shastri, 2009). In addition, the wireless networks around the hotel needed to have greater security to monitor the terrorists' communications in the midst of the hotel siege. There are also instances of companies' financial data being stolen over WiFi networks due to a lack of previous security audits validating the strength of coverage (Rowan, 2007). All of these factors, from WiFi security, to the need for stabilizing and solidifying security for the servers and network, to the need for audits and the continual analysis of results to better security, need to be part of a broader upgrade strategy for enhancing security.

Part 4: Goals and Objectives for Upgrade IT Security

The following are the key goals and objectives for the IT Security Plan. Each of the goals has a corresponding series of objectives to lead to their fulfillment. At the end of this section there is a description of the Security Upgrade Phases as well.

First Goal: Create a Baseline Security Level and Manage to Real-Time Security Metrics

Many smaller corporations have no idea just how in or out of compliance they are with specific security levels. This first goal and its supporting objectives center on creating this baseline level of security performance and then evaluating strategies for selectively improving performance over time.

The first objective is to define and execute a corporate-wide audit of security by OSI Model level, network access points including 10BaseT and WiFi, e-mail application security (Zambroski, 2006) and across database access processes and privileges (Westcott, 2007). This is critically important so that security strategies over time can be evaluated in terms of their effectiveness. As each corporation's security strategies must be aligned with their corporate strategic plans (Ciampa, 2005), there is also the need for ensuring that the areas most important to supporting the corporation's business plans are measured and improved by the audit. Ensuring that the audit provides scalability for the company's potential future growth is also important as part of this goal (Gupta, Hammond, 2005).

A second objective is to evaluate the company's performance on its key security metrics relative to the industry standards or, as they are often called, best practices in the industry. This is important as a goal because the corporation over time needs to evaluate how its enterprise-wide security strategy is either enhancing or detracting from its ability to remain competitive (Frankland, 2008). This type of data from a strategic planning standpoint can be very valuable in terms of planning how to deploy workers remotely or locally, the extent of access controls, role-based process workflows, and the development of entirely new approaches to creating virtual teams. All these strategic aspects of the corporation's growth are dependent on this goal being met.

The third objective to support this first goal is the development of sourcing and supplier criteria for purchasing new IT products and services. This will be the result of a successful audit of the company's security levels and the quantification of its strengths and weaknesses (Frankland, 2008). With this information, strategies can be created for purchasing only those products that support and strengthen the weakest areas.

Second Goal: Define and execute periodic assessments of application-based security

Strategically speaking, the greatest potential threat to the corporation is the many areas where viruses, both in files and in e-mails, disrupt servers, bringing the company to a grinding halt. The need for e-mail especially to be secured over time and continually scanned is critical, in fact a strategic priority, as this is the approach hackers take to gain access to company-wide systems and disrupt and damage them (Zambroski, 2006). Periodic updates to anti-virus applications at the server level are also critically important (Lin, Chen, Lin, Lai, 2008). The applications and website together form the weakest link in many corporations' security strategies (Gupta, Hammond, 2005). The objectives defined to ensure the attainment of this objective are provided below.

The first objective is to develop an e-mail monitoring policy that includes consistency of approaches for managing external e-mail traffic. While many organizations today choose to monitor and closely watch external traffic, some going as far as to prohibit it (Zambroski, 2006), for a corporation to grow it needs to have external communication with the outside world. The all-or-nothing proposition clearly is not scalable or feasible to work with, especially for a corporation intent on growing over time. Instead the corporation needs to set the objective of creating an external e-mail filtering policy which will allow for greater control over potentially malicious e-mail attachments and the deletion of SPAM before it arrives on the company's servers. This objective can be attained by creating a series of rules-based constraints that can be applied to inbound e-mail from non-company accounts (Zambroski, 2006).

The second objective is to evaluate the security of hosted or Software-as-a-Service (SaaS) applications including Google Apps, Google Documents, and others that corporations have begun to adopt based on their cost and convenience advantages over licensed applications. As the corporation begins to grow over time it will need to have office automation applications that don't require the high price that Microsoft Office requires, for example. In addition, the use of SaaS-based applications for Customer Relationship Management (CRM), including the potential that the corporation could choose to standardize on Salesforce.com, is a case in point. This evolution to adopt SaaS-based applications is critically important to understand from a security and system integration perspective as well. For the IT Director of the corporation, the risk of having databases of customer names, addresses and other contact information linked via the Internet to the SaaS-based applications is a potential major security risk. This second objective of application security needs to concentrate on this area of hosted or SaaS-based applications to ensure that no proprietary or confidential data is potentially lost due to the use of these applications. The integration points across these applications also need to be evaluated from a security audit standpoint (Westcott, 2007).
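One way to express such rules-based constraints for inbound e-mail from non-company accounts, as an added example that is not part of the original paper. The company domain `example.com`, the attachment block list, the verdict names and the assumption that the filter runs on the Internet-facing gateway (where internal users never submit mail) are all illustrative.

```python
"""Rules-based screening of inbound mail at an Internet-facing gateway (added example)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for illustration: the company's domain and the attachment block list.
COMPANY_DOMAIN = "example.com"
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs", ".js", ".docm", ".xlsm"}


def blocked_extension(filename):
    """Return the final extension if it is on the block list, else None."""
    # Windows drops trailing dots and spaces, so "a.exe." still runs as .exe.
    cleaned = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(cleaned)[1]  # last extension: "x.pdf.exe" -> ".exe"
    return ext if ext in BLOCKED_EXTENSIONS else None


def is_company_domain(domain):
    """True for the company domain itself or any of its subdomains."""
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def screen(raw_bytes):
    """Apply the rules in order of severity and return (verdict, reason)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ("quarantine", "no parseable sender address")
    domain = addr.rpartition("@")[2].lower()

    # Rule 1: mail arriving from outside must not claim a company sender.
    if is_company_domain(domain):
        return ("reject", "external mail claims a company sender address")

    # Rule 2: hold attachments with executable or macro-enabled types.
    # walk() visits nested parts too, not only top-level attachments.
    for part in msg.walk():
        name = part.get_filename()
        ext = blocked_extension(name) if name else None
        if ext:
            return ("quarantine", f"blocked attachment type {ext}")

    # Rule 3: a display name that shows a company address while the real
    # address is external is a common impersonation pattern.
    if COMPANY_DOMAIN in display.lower():
        return ("quarantine", "display name imitates a company address")

    return ("accept", "no rule matched")


def build_sample(from_header, attachment_name=None):
    """Build a constructed test message and return it as raw bytes."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "staff@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("Constructed sample body.")
    if attachment_name:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("Vendor <billing@supplier.test>", None),
        ("Vendor <billing@supplier.test>", "invoice.pdf.exe"),
        ('"ceo@example.com" <attacker@mail.test>', None),
        ("IT Desk <helpdesk@example.com>", None),
    ]
    for sender, attachment in samples:
        print(sender, attachment, "->", screen(build_sample(sender, attachment)))
```

Quarantined messages are held for review rather than deleted, which keeps the policy away from the all-or-nothing approach the paragraph argues against.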

Third Goal: Consistency of and Compliance to Security Standards

The defining of corporate-wide security standards is a goal that will provide for significant cost savings and a reduction in lost data, server downtime and potentially save customer data from being stolen and sold as well. Consistency of and compliance to security standards is critically important both from the network standpoint and the application level as well.

The first objective is to define SSL as the standard protocol for wireless and WiFi networks throughout the company. This objective needs to also be supported with standardization on a specific Virtual Private Network (VPN) client as well. The integration of the SSL protocol to the chosen VPN client also must be accomplished so that process workflows of employees are not disrupted when this combination of protocols and client technologies are used.

The second objective is to define a security standard specifically for application-level and operating system level upgrades. This must be managed to a specific schedule to ensure that the most recently released security upgrades and patches have been installed in addition to their prerequisite software as well. The need for creating a security standard for SaaS-based applications is also critically important as it will potentially save customer and operating division data from being compromised if there is a breach to these applications at any time. The third objective is to complete periodic audits of the applications to ensure they are capable of being securely used over the VPN and SSL connections of the company. There is also the need for auditing the XML integration points for SaaS-based applications if they are used as well (Westcott, 2007).

Security Upgrade Phases

The following three phases are recommended for the Security Upgrade. Beginning with the baseline analysis and benchmarking which will take approximately ninety days, the intent of this phase is to capture the current state of security levels by each network and application-level component of the corporation. This phase will also result in a best practices analysis of performance relative to the industry standard benchmarks to evaluate how the corporation is progressing relative to peer companies in key security areas. This phase will also lead to the development of a real-time scorecard which will provide management with insights into which areas of their enterprise-wide security strategy are working, and which are not. The use of audits as the basis for capturing data (Westcott, 2007) and the development of a series of metrics to measure overall performance (Frankland, 2008) of the security plan will also be invaluable for measuring the impact of future phases.

The second phase of the IT Security Plan upgrade is to define application-level security strategies, with specific attention to e-mail (Zambroski, 2006) and also to desktop applications, both server and SaaS-based. This phase will concentrate on the continual evaluation of e-mail security and the potential threats that could occur from non-company e-mail, impersonated company e-mail accounts, and the use of attachments to deliver viruses that could potentially cripple the servers in the company. It is anticipated that the first phase of creating benchmark levels of performance will also provide the insights into how to manage the continual improvement of application security over time.

The final phase is the development of strategies to ensure a consistency and compliance to internal security standards. This will begin with the development of VPN as the standard application for managing external connections to company resources and the standardization on SSL as the company-wide approach to managing external security over the Internet. Additional standards include periodic security audits of all SaaS-based applications and the development of policies to define the use of external e-mail and audit processes to ensure compliance.

Part 5: Project Deliverables

To accomplish the goals and objectives of this program, the following project deliverables will be provided to the customer. For clarity the project deliverables are defined by each phase of delivery as defined in Part 4, Goals and Objectives for Upgrade IT Security.

The first phase of the project is focused on enabling the customer to measure the level of security they have at present for their network, applications and the servers running them. The key deliverable of this phase is first a security audit that will be completed within 90 days of the proposal being accepted. This audit will evaluate all forms of networking connectivity the corporation has today, all applications, servers, operating system firewalls and any security hardware or software installed. After the 90 day audit is completed the customer will be provided a thorough analysis of where their security strengths and vulnerabilities are, with recommendations on which areas to fix first. The deliverable will be both a written report and a presentation to senior management. In addition the corporation will receive a Web-enabled dashboard they can use for continually monitoring network, application and operating system security levels in real-time. This real-time dashboard will be produced as part of the initial phase development costing and planning. Recommendations for further security enhancements will be made and a listing of software upgrades, including patches and maintenance updates to operating systems, applications and networks, will be provided. The benchmarking data will also be used for defining specific objectives for the second phase of the IT Security Plan, which is evaluation and securing of applications. In addition to all of this data and upgrades there will also be a subscription provided to comparison services who research and present security best practices measures of performance.

The deliverables in this second phase include application updates for existing software, security updates for the existing e-mail systems (Zambroski, 2006), the defining of rules-based constraints for the managing of valid vs. spam external mail and e-mail filtering. These are all software-based applications that will be installed on the company's servers and used for managing e-mail security. The company's reliance on office automation applications will also need to be supported with extensive anti-virus applications that can reside on servers for enterprise use (Lin, Chen, Lin, Lai, 2008). Third, the use of intelligent firewalls that are a combination of software and firmware will be used for monitoring and attempting to alleviate IP-address based attacks that seek to impersonate valid network addresses. All of these software applications and the use of an intelligent firewall will significantly improve overall security at the application level for the corporation.

There is also the need for creating an entirely new series of integration points and accompanying security analysis applications for the XML links to external data storage locations and SaaS-based applications. This area will require custom programming to ensure the XML integration points are effectively monitored and their activity logged over time. As the corporation begins to migrate to SaaS-based applications it will also be critical for the XML data to be continually monitored and analyzed for patterns of potential attacks. The use of intelligent monitoring scripts that can ascertain when XML commands are being intercepted will also be included as part of this custom programming as well. The reliance on XML-based integration for internal Web-based applications will also need to be tested and evaluated for security at the highest encryption levels possible as well. All of these factors will lead to the development of both a suite of customized XML-based applications and a series of metrics or measures of security (Frankland, 2008) that the corporation can use to manage its growth in this area of integration, securely, over time.

Cite This Paper
PaperDue. (2009). Information technology security implementation strategies. PaperDue. https://www.paperdue.com/essay/it-security-plan-amp-implementation-18848