Security Architecture: The Paperwork Explained
When you do security for a large-scale company, something as big as a Fortune 500 enterprise, the architecture of your setup comes with challenges, but it is worth the effort. You have to stay organized and separate your network into different areas, or “scopes”, depending on how critical each area is to your business.
So when you do this, think of your network both “logically” and “physically”. A logical network is a map of how the data flows. A physical network is the path the wires and devices actually take in space. You need to consider where packets are headed and how the devices talk to each other, but also where things are located, such as how close the server room is to the end devices using that network.
LOGICAL EXAMPLE:
PHYSICAL EXAMPLE:
Here you can even see purple clouds around buildings, indicating the reach of their Wi-Fi. That is handy to know, for example, when preparing for wardrivers, who might drive down your company’s street hoping your signal reaches the road.
I would argue that physical security is more important because many people overlook it, and all the cybersecurity in the world can’t help if an attacker can simply walk into your server room. People who are hired to protect computers tend to know more about using a computer for protection than about, for example, whether the door latches fit correctly, or whether a clothes hanger can be slipped through a gap to pull a handle from outside.
You need to consider when devices are outdated and estimate when they might fail on you. You need to make sure all the proper policies are worked out on paper, and that following those policies actually works in practice. You need to know how much your company can realistically protect itself; it is unwise to think your company can be 100% secure. You want to cover as much of your “attack domain” as possible, using preventive controls, detective controls, audit controls, and forensic logs.
Then you need to write your policies down! Your policies come in four parts: Definition, Standards, Guidelines, and Procedures.
A document defining your policies comes first: you need to define the assets you must protect, then explicitly state who is in charge of keeping those assets safe. Lastly, this needs to come with consequences: what happens if these assets are not kept safe? What is the worst-case scenario? Remember there are four kinds of assets: Equipment, People, Facilities, and Data.
Security standards documentation is second! Clearly state protection levels for all your assets, so everyone knows how critical each one is. For example, an administrator’s password that grants access to 400 servers is at a whole different level of importance than a cashier’s login for a single money box at a store.
Guidelines are write-ups from a parent company to a subordinate company that is allowed to write its own policies. The parent enterprise is saying, “You can do whatever you want for your security policy, but stay within these general borders.”
Procedures are the nitty-gritty details for even the lowest-level employee. They keep everyone on the same page, so we all know exactly how and what we are supposed to be doing.
In conclusion, knowing what you need to do is half the battle. After implementation, the upside is that you know your strengths and weaknesses, and though you may not be able to protect against every attack, you are at least ready for one.