This book is published as a part of the IT Best Practices Series, and it is focused on the information technology in dynamic business environment. This book is a "step by step" guide about how to keep the enterprise data secure in a distributed environment. It describes a six-step process of securing business information that result in the Enterprise Security Plan (ESP).
About the authors
F. Christian Byrnes leads META Group's security coverage. He is the author of Security in Enterprise Computing: A Practical Guide. In recognition of his expertise in intellectual property concerns, he was appointed to the US Congress advisory committee that produced an extensive report to guide the Congress in planning future laws. Mr. Byrnes was CEO at Centrax Corporation, a security software vendor acquired by CyberSafe.
Dale Kutnick is the cofounder, CEO, and Chairman of the Board of META Group, overseeing all of the company's research and analytic activities. Prior to cofounding META Group in 1989, Mr. Kutnick was the executive vice president of research at Gartner Group. Previously, he was the executive director and a principal at Yankee Group, and the principal at Battery Ventures, a venture capital firm.
Inside the book
The book is divided into thirteen chapters. The first six chapters are actually the six steps of the Enterprise Security Plan (further ESP) process. Other chapters cover modifying ESP for the enterprise and case studies of two enterprises.
Chapter one describes the crucial step of the ESP process - preparing the enterprise for security. After starting from the Enterprise Security Charter, where a model for a security charter is given, the authors explain in detail the roles which are necessary for strong business security. However, the emphasis is on marketing (upward and outward marketing), a special mission in completing the ESP for business security.
The second step, as the title of chapter two indicates, is about organizing security by resources and domains. The authors show the six domain schemes towards which to group the resources according to security needs: geographical, organizational, administrative, resource-based, and technology-based and lifecycle based. The authors also point to the art of merging the domain schemes and to the importance of documenting the rules for domain designation.
After determining roles and organizing domains you will be able to complete Baseline Security Analysis through a few steps. The first step is choosing a policy model between formal security policy, identity-based policies and role-based policies. The second step is researching the existing policies through the enterprise security charter, domains default policies and execution policies. The next step is creating the functional assessment of security matrix whose purpose is to reduce the scope of the projects.
Chapter four describes the process of identifying security requirements. In order to do that security managers must identify tactical and strategic business needs and assess technology capabilities. They must select the sources of information, collect the information by using survey forms and in the end sort them into three categories: business, application and infrastructure requirements.
The title of chapter (step) five is Identify Gaps and Prioritize Needs. Once the security manager completes the baseline analysis and requirements, he can compare them in order to identify the gaps between where the system environment is and where it should be. The security manager should first analyze gaps by assessing risk, analyzing costs and benefits and assessing culture. The authors describe three modeling tools which you can use for risk assessment. Cost/benefit analysis, as the authors say, is the creation of a business plan with some documents sketched in this chapter in order of importance. The cultural assessment, again in authors' words, is an evaluation of the probability of success based on support within the organization.
If the previous step, i.e. the identification of gaps, results in a comprehensive list of projects, a security manager should review the list and shorten it. The sixth step, i.e. selection of projects, includes determination of project duration and its comparison with the project priority. The result of the comparison is a matrix of projects classified according to their importance and duration, out of which the order of projects is derived. Project planning follows. The security manager may use any tool for plan-making.
After the creation of the ESP, it should be modified according to the size of the company. Of course, since technology is constantly evolving, a manager makes choices based on the understanding of the existing and future technologies.
In Chapter Nine the authors present to us enforcement security technologies such as identification (passwords, tokens, smart cards, and biometrics), authentication (Kerberos, Public-key infrastructure, and digital signatures), authorization (individual authorization, authorization servers, single-point administration, and virus and rogue protection) and access control (PC access control, and network access control).
Chapter Ten brings us two case studies, Y and Z Company. Y Company has decided to augment its existing NetWare servers with application servers running Win 2000. Z Company wants to ensure that new business units can be added and the others sold off without compromising neither the security nor the business plans of the existing business units. Like a security manager in those companies you can track steps to complete ESP.
In Chapter Eleven you are still with the security managers from Y and Z Company. You can read how to make a marketing program through market identification, product packaging, and marketing communication plan.
The title of Chapter Twelve is Single-Point Administration through Role-Based Authorization. Is it necessary to say more? It explains why single-point administration is needed, what role-based authorization is and how to establish it and what are potential issues to be discussed while implementing role-based authorization.
The final chapter, titled Single Sing-On (further SSO), brings us SSO terminology, identification, two product architectures: script-based SSO and broker-based SSO with graphical figures that compare those two architectures. How to succeed at SSO is a part where the authors write about installability and scalability of SSO current product offerings.
In the end of the book there are two appendices and a glossary. Appendices include a sample request for proposal (RFP) and a list of books for further reading. Glossary offers explanations of specialized terms used in the book.
The book is intended first of all for managers whose job entails care about system security. Although the book in its greater part covers the security of distributed systems of an organization with 10,000 or more employees, with a hundred or more servers, it is nevertheless useful for those whose business is of a much smaller scale. Namely, as it is already mentioned, the book is a "step by step" guide through a six-step process of securing business information. It describes in great detail how to start the creation of ESP, how to relate to managers and colleagues, how to collect the necessary information, lead meetings, prepare documentation, choose technology...
On the other hand, administrators will not find useful information on dangers that threaten business systems. Besides, the role of administrators in the creation of the security systems is described very briefly.
If, however, we look at the book as a whole, I would recommend it to everyone who is interested in the security of business systems because it presents the "business world" and the relationship between management and IT department in a simple way. The book also gives basic definitions of concepts connected with security in general. So, don't hesitate to read this book!
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.