Rating: ![4 stars](http://www.reviewfocus.com/images/stars-4-0.gif)
Summary: Excellent referent for building security infrastructure

Review: Boeing Aircraft is currently working on its next big airplane, the Sonic Cruiser. But even before a prototype of the Sonic Cruiser takes to the skies, tens of thousands of hours will have been spent on design, planning, testing, legal, administrative, and other tasks. The product development scenario for information technology and information security is radically different. Corporate networks are being rolled out with planning and design that is not on par with that of our counterparts in the aviation and construction industries. In fact, already complex corporate networks are continuously becoming more byzantine. Take an average MIS department and add up all their hardware vendors, network topologies and protocols, operating systems, software add-ons, and custom-written applications. Now try to securely integrate them. If security was not designed into the original system architecture, how can these security products be expected to work? Despite the fact that companies are spending more and more money on information systems security, the systems are growing more and more complex -- and complex systems are much harder to protect. Security Architecture: Design, Deployment and Operations is intended to help readers design and deploy better security technologies. The authors believe that security architecture must be comprehensive, because a network that is 98% secure is actually 100% insecure. This is especially true, given that -- contrary to popular belief -- information security is not a pure science, but a mixture of art and science. Effective information security must encompass every aspect of the enterprise. Security Architecture shows how to design a secure infrastructure. It addresses all of the major security products and provides details on how to deploy them.
The authors incisively write that it is not enough for security professionals to understand the theory behind information security; unless they are able to insert security controls in the proper places within an application (data flows, storage and processing), the security solution will not be effective. A security product that is implemented incorrectly is like medicine that is taken improperly: great in potential, but futile in reality. In addition, if the inserted security solution is not managed with the proper processes in place (e.g., change management, separation of duties, notification, and escalation), the level of security provided will degrade with time until the control becomes ineffective. The book covers all of the fundamentals of information security. Particularly noteworthy is Chapter 3, "Information Classification and Access Control Plan." As companies place more of their corporate data jewels on often-untrusted public networks, the lack of an information classification scheme can have significant negative security consequences. Also, access control is critical in that many organizations -- and even the media -- are busy obsessing about remote hackers from foreign countries and have become oblivious to the real threats to information security: insiders. While it is much more romantic to think about foreigners hacking into your system in the middle of the night, the reality is that most breaches occur via insiders during normal business hours. The authors of Security Architecture discuss the elements needed to design and deploy effective information security architecture. Critical security products such as PKI, firewalls, VPN, IDS, and others are discussed, but cryptographic accelerators are not mentioned. This book highlights best practices and security standards and guidelines for effectively securing an enterprise. The book is well organized and easy to read. Many chapters have additional references and URLs for further research.
The inclusion of numerous case studies, combined with the authors' real-world experience, makes Security Architecture a valuable reference. No one would ever want to get on a plane that had not been properly designed and tested. Neither should we want to use networks that have not been adequately designed and tested from a security standpoint. Security Architecture is intended to make sure that doesn't happen.
Rating: ![2 stars](http://www.reviewfocus.com/images/stars-2-0.gif)
Summary: Getting Lost

Review: The first 5 chapters are really about Security Architecture. The rest of the book has a more technical angle. The author totally, in my view, gets lost in words like: Requirements, Services and Controls. He uses these words sometimes at random. Since these definitions are crucial to a good and understandable build-up of any ICT architecture, the reader might get lost. Under design guidelines he talks about the services offered by a team: Authentication, Authorization, etc. etc. Part of those services are Logical Access Controls, which he calls "these controls". Under Technical Security Requirements we focus on controls that.... The main focus of technical security controls is to protect C.A.I., which are at the same time technical security requirements. At the same time: Controls are designed to govern the following actions: again we find confidentiality, integrity, etc. All are requirements, actions, controls and services. Not clear enough in my opinion. The technical part is good.
Rating: ![4 stars](http://www.reviewfocus.com/images/stars-4-0.gif)
Summary: Diamond In The Rough

Review: While this book didn't light a raging intellectual fire within my gray matter, it certainly was a well-crafted and thorough explanation of various security techniques. And although I found some of the chapters a bit bloated and at times confusing, the price of the volume was completely justified on the basis of Chapter 12 alone. "PKI: Components and Applications" was by far the most clear and concise treatise I have ever encountered during my months of research covering PKI -- a challenging and almost arcane security method. With envious ease the author managed to delineate complicated and intricate methodologies using a common-sense approach that's a pleasurable derivation from standard computer book narrative. If you are interested in learning about PKI I suggest no better a place to start or end than "Security Architecture: Design, Deployment and Operations".