Probably the most difficult task when dealing with security is the planning stage, in which you need to develop a solution to meet your company's business and security needs. When examining your network and identifying critical and insecure areas and components, you need to approach a security plan from various perspectives:
Business goals and user needs
People and politics
First, you have to remember that your company has business goals outlined in a business plan. These are used as a roadmap to increase your company's success. A good security solution should help, not hinder, a company in reaching its business goals. The company's users have needs that are related to the company's business plan. Whereas the business plan is a general guideline, users have specific needs to reach the company's business goals.
You must deal with all kinds of users from different departments and divisions when determining what assets and resources your company is using to reach its business goals. This means that you need to be intimately familiar with the corporate organizational ladder and have political savvy when dealing with various users and departments, as well as their diverse needs.
When you understand what resources either are being used by or are required by users to reach the company's business goals, you need to determine what kind of security solution should be implemented that will protect your company yet allow it to achieve its goals. A solution that is completely secure yet prevents a company from reaching its goals is counterproductive and useless.
Probably one of the most difficult things you face when designing a security solution is trying to find a one-size-fits-all solution; in other words, trying to find all your security products from one vendor with a management system that easily enables you to implement your security policies across all your security products.
For example, your security solution must encompass many types of hardware devices and software applications. Here is a small list of some of the types of devices that your security solution might have to deal with:
PCs and laptops running Windows 95, 98, Me, 2000, XP, and 2003, as well as UNIX desktops and Macintoshes
Servers running NT, 2000, 2003, NetWare, Linux, Solaris, HP-UX, and other operating systems
Mainframes running Multiple Virtual Storage (MVS) and Virtual Machine (VM)
Routers from Cisco, Juniper, Nortel, Lucent, and others
Switches from Cisco, Foundry, Extreme, and others
This list is not all encompassing, by any means: Many more types of hardware devices, as well as dozens, if not hundreds, of software applications, play a role in your network.
In many situations, you might have to buy security products from different vendors to implement a security solution that will meet your company's policies and goals. In this situation, take care when determining a management solution that will be used to maintain your security implementation. I have found that the more products that you have from different vendors, especially as related to security, the more difficult it becomes to manage the solution.
A security solution can become complex quickly, especially in large enterprise networks. To help simplify the process, a good security solution should meet these goals:
A single cohesive security policy should be created, based on your company's business plan and goals.
Security policies should dictate the choice of security solutions and products, not vice versa.
Security management should be centralized under a single umbrella.
First, you should create a single, cohesive, company-wide security policy. This policy should be based on your company's business plans and goals. It should be flexible enough to allow your company to meet its business objectives, while still protecting your company's assets at a cost-effective price.
Second, the security products that you purchase should complement your security plan. You should never try to force a particular product into a role that it was not meant to be used in. Instead, develop a security solution with general components, and then find specific products that will meet the design guidelines for the included components.
Third, ongoing management and support of your products is critical, especially as they relate to detecting and dealing with security threats in a real-time manner. Some companies like to purchase all of their security products from one vendor, which makes management integration of the products easier: It is easier to deploy, manage, and support platforms from a single vendor than from multiple vendors. Of course, this approach might not be an option, based on the kinds and types of products that you need for your security solution.
If you need to purchase equipment and software from different vendors to develop a cohesive security solution, remember that you must manage these products after you implement them. Therefore, you should choose a security-management software product(s) that will ease the management and monitoring of your security devices. Choosing the right management solution will allow you to scale your security solution to a large size. It is also important to point out that even if you buy all of your security products from one vendor, that vendor might not have a single security-management platform to manage your security.
When developing a security solution, keep in mind that there is a total dollar cost for implementing any type of security measure, which includes equipment purchases, installation, training, management, and ongoing support. You need to carefully weigh the costs of a particular security measure against its benefits to determine whether the cost of the security measure outweighs the cost of the asset(s) being protected. There is no such thing as a completely secure network. Therefore, you need to examine your company's business plan, the needs of your users, and your critical resources to find a solution that will adequately protect these items.