Finally, we come to the security systems that are trusted to enable a variety of physical, computing and network security controls. This includes capabilities such as card access systems for the physical perimeter, and network perimeter firewalls and access control. Also included are the centralized identity, authentication, key management and authorization systems that are leveraged to support computing and network security.
Prior to the mid-1990s, the organization’s information systems were entirely contained within the physical perimeter. Many organizations were swift in their adoption of the internet, with the desire to have a web presence and engage in e-commerce. Soon it became apparent that they had moved into a bad neighborhood containing threats that no longer had to overcome the organization’s physical perimeter in order to seek confidential information, deface web sites, and disrupt systems’ availability. Worse yet, the internet became awash with viruses attempting to attack systems, potentially adversely impacting confidentiality, integrity or availability.
The computing and network perimeter is much like the physical perimeter, providing a foundation for protecting the confidentiality, integrity and availability of the information system. The first step is to limit the number of connections to the internet, which is analogous to access-controlled doors on the organization’s physical perimeter. As with doors, the incoming internet traffic must be screened for what is permitted and what is not. It is also common to control traffic leaving the organization, most commonly to prevent access to internet locations known to present a threat to the organization.
Organization users may access the internet anonymously (e.g. access to a public web site) or they may have authenticated access to an internet location. The data flows between the user and the internet must be allowed to flow both ways through the perimeter. Similarly, there may be users at internet locations who are permitted to access systems inside the organization’s perimeter, such as employees working at home or on travel, and organization customers or suppliers who need access to organization systems in order to provide status and billing for materials being provided, or to order and check status on products being purchased. Fundamentally, these all require authentication at the perimeter in order to establish the connection. But what can arise is the burdensome requirement for a series of logons, such as logging on to the supplier’s information system, logging on to your organization’s perimeter, logging on to the host, and finally logging on to the desired application.
The ideal is to achieve a single sign-on experience for users, employees as well as suppliers and customers. It is common to achieve single sign-on for a hosting environment, which is commonly supported by Windows or UNIX operating systems. Applications can be configured to leverage the host authentication. It is also possible for one organization to trust the authentication of another organization. The Security Assertion Markup Language (SAML) can be leveraged for this purpose, accompanied by the establishment of the trust relationship between organizations and their information systems.
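The cross-organization trust just described, as an added illustration that is not part of the original text: the receiving organization (the SAML service provider) accepts a supplier's assertion only if it comes from an issuer in its trust table, is intact, is addressed to this organization, and is within its validity window. The trust table, entity IDs and sample assertion are constructed, and an HMAC over the assertion bytes stands in for the XML Signature that real SAML 2.0 uses with the identity provider's certificate.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed trust relationship (constructed): the partner IdP's entityID mapped to the
# key agreed for verifying its assertions. Real SAML 2.0 uses XML Signature and the
# IdP's X.509 certificate from its metadata; HMAC is a stand-in so this runs offline.
TRUSTED_ISSUERS = {"https://idp.supplier.example/": b"supplier-shared-secret"}
OUR_AUDIENCE = "https://portal.org.example/"  # this service provider's entityID

def sign(assertion_xml: bytes, key: bytes) -> str:
    """IdP side: authenticate the assertion bytes under the agreed key."""
    return hmac.new(key, assertion_xml, hashlib.sha256).hexdigest()

def parse_time(value: str) -> datetime:
    """SAML timestamps are ISO 8601 in UTC; accept both 'Z' and '+00:00' forms."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(assertion_xml: bytes, signature: str, now: datetime) -> dict:
    """Service-provider side checks. All four are mandatory: a correctly signed assertion
    from an untrusted issuer, or a valid one addressed to another audience, is rejected."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        return {"ok": False, "reason": "untrusted issuer", "subject": None}
    if not hmac.compare_digest(sign(assertion_xml, key), signature):
        return {"ok": False, "reason": "bad signature", "subject": None}
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return {"ok": False, "reason": "missing Conditions", "subject": None}
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != OUR_AUDIENCE:
        return {"ok": False, "reason": "audience mismatch", "subject": None}
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        return {"ok": False, "reason": "outside validity window", "subject": None}
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"ok": True, "reason": "accepted", "subject": subject}

# Constructed sample assertion, as the supplier's IdP might issue it for one of its users.
SAMPLE = b"""<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
<Issuer>https://idp.supplier.example/</Issuer>
<Subject><NameID>alice@supplier.example</NameID></Subject>
<Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
<AudienceRestriction><Audience>https://portal.org.example/</Audience></AudienceRestriction>
</Conditions>
</Assertion>"""

if __name__ == "__main__":
    sig = sign(SAMPLE, TRUSTED_ISSUERS["https://idp.supplier.example/"])
    print(validate_assertion(SAMPLE, sig, parse_time("2024-05-01T12:02:00Z")))
```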
Copyright © 2019 Christopher T. Carlson