When designing layers of control to protect the confidentiality, integrity and availability of information systems, it is necessary to start with the information and business systems needing protection, designing layers of protection from there. This way you ensure that all the controls are aligned to the objective. The resultant requirements are documented in your organization’s security control framework. Reference Figure 2 as we look at the layers of controls.

Figure 2 IT Security Design Diagram
The fundamental controls for protecting information apply equally to protecting electronic documents and business systems: marking sensitive information and using personnel security controls for people authorized to create, use and share the sensitive information, and who use business systems.
The next layer of controls is physical controls for the hosts containing documents and business systems, which are typically grouped together in a shared hosting environment (in the past these were simply called data centers). A robust physical perimeter and doors controlled to permit access by a very few trusted individuals help assure confidentiality, integrity and availability of the information systems. In addition, power backup is typically provided to enhance availability.
Business systems may be designed to directly authenticate users or they may rely on an infrastructure authentication capability such as Microsoft Windows Active Directory. Robust design and implementation of the business system application is necessary to reduce vulnerable user interfaces; this is especially relevant should the system be directly accessible from the Internet. Electronic documents are often stored using capabilities such as Microsoft Windows file sharing, which also takes advantage of Active Directory. The secure configuration of the information system host is the next layer of protection.
The information systems in some organizations rely on a single sign-on authentication system, and centralized identity data that includes people data attributes useful in making access decisions. The identity data may be integrated in Active Directory or could be part of a high availability directory service. Integrity and availability of these systems, along with appropriate data quality, are objectives of security controls for this component.
We now move out of the shared hosting environment into other organization facilities. We’ll assume that physical controls for information protection requirements are already in place. These provide some control for the network cables within a building as well as the user workstations connected to the network. Wireless communication between the network and the user is typically encrypted and has authentication to control its use. Network traffic between buildings could be physically protected where practical. But typically, this traffic travels through public networks, even if a dedicated communication path is provided. Point-to-point encryption is an option in these circumstances.
In some cases, the organization’s information systems (or some subset) are isolated from the Internet, so the organization’s physical perimeter is the final layer of protection. Otherwise, the final layer of controls is the interface between the organization’s information systems and the Internet, which is provided by perimeter systems. Some components include firewalls, antivirus and network traffic monitors. Often employees or other users can access the organization’s information systems through the perimeter. This requires robust authentication of the external users and more stringent host and application security controls to compensate for the increased threat event frequency associated with the perimeter. Some organizations choose to isolate the external-facing information systems in a network segment that excludes normal internal organization network traffic.
In the last section, we defined information protection requirements to be used when you design your security control framework. Those requirements apply equally to information systems. But we have added information system components and the protection objectives of confidentiality, integrity and availability. These requirements will also be composed of short requirements stated as a verb-phrase, followed with additional detail relevant to your circumstances.
Some of these details are drawn from regulatory requirements. The following illustrates requirement statements.
- Define confidentiality, integrity and availability requirements for business systems.
- Establish electronic identifier for network, host and application access control.
- Employ a single badge for physical and computing access.
- Require separate identifiers for users with privileged access.
- Protect sensitive information during use and at rest in information systems.
- Control access to organization networks, hosts and applications.
- Limit access to sensitive information to authorized users.
- Control authorized access to business systems.
- Destroy sensitive information when no longer needed.
- Monitor for and respond to potential intrusions to information systems.
- Investigate and dispense corrective action to individuals misusing information systems.
- Manage and monitor suppliers providing information systems support.
- Prepare for disasters with offsite backup storage and geographically separate hosting.
- Push security requirement to transportation security.
Copyright © 2019 Christopher T. Carlson
Excerpt from How to Manage Cybersecurity Risk – A Security Leader’s Roadmap with Open FAIR