IT security needs hierarchy

Bruce Potter

Network Security, May 2005

Securing a large enterprise network can be a difficult and complicated task. Applying Maslow's pyramid of human needs to IT security tasks helps to clarify real priorities. Only when the basic needs at the bottom of the pyramid are fulfilled should attention be turned to more elaborate needs.

When thinking about security in the enterprise, focus often turns to security appliances such as firewalls and IDS sensors. In reality, firewalls and IDS sensors are only a small part of the equation. Further, IDS sensors are potentially distractions for an IT security department that should be focusing on core security services. But what are the core security services an enterprise needs to be worried about, and what are the highest priority activities for an IT security department?

This article outlines a framework for IT security priorities. The general concept is based on Maslow's pyramid of human needs. In Maslow's pyramid, needs at the foundation of the pyramid must be met before needs at the next level can be addressed. For instance, if a person does not have their basic physiological needs met (such as food, air, water, and sleep) then they aren't likely to worry about higher order needs such as finances and job security. Further, higher order needs such as justice and ethics are completely out the window. By examining human needs in this hierarchical fashion, we can help people grow by addressing their needs in a structured manner.

IT security pyramid

Similarly, by examining IT security needs in a hierarchical fashion we can build a more secure infrastructure. The IT security pyramid presented in this article in Figure 1 is a notional one; it is meant as an example that may or may not fit your particular infrastructure. However, based on years of operations experience by myself and many I have interviewed, I think the example here is generally universal and should fit most organizations.

Figure 1: Maslow's Pyramid adapted to IT Security Hierarchy


Core security needs

At the base of the pyramid are core operational procedures that are common among all healthy and secure IT organizations. The vast majority of malicious code roaming around on the Internet targets well known vulnerabilities. Applying patches rapidly upon vendor release can dramatically decrease the chances of compromise. However, patches cannot be applied randomly to a production environment. They must be tested to understand the impact they will have on production services. Further, they must be deployed in a coherent manner in order to minimize chaos and outages during the upgrades. Patch management can be a complicated topic, but it is core to keeping attackers at bay.

Similarly, any IT department needs to have security procedures that instruct staff on how to administer hosts and systems in a secure fashion. Password lengths and lifetimes, encrypted administration traffic, log storage and rotation, and even physical security are all parts of operational procedures that need to be in place. Without these procedures (and audits to ensure staff are adhering to them), attackers will find your enterprise easy prey.

Mid-level needs

Once these basic security needs have been met, the next issue is the security architecture of the network and systems. Some may argue that architectural elements like firewalls are actually a core security need and not a secondary concern. However, this is a view of security influenced by decades of poor administration techniques and bad patch management. A firewall covers up many sins of operations; however, firewalls are not perfect. Ultimately, if patch management is ignored and there are no security procedures, an attacker will make it through the firewalls and compromise systems. Conversely, strong operational security can usually make up for the fact that the security architecture is poor.

That said, a firewall is an excellent network-level access control. As a technology, firewalls have become very sophisticated at stopping attackers and allowing security administrators to fine tune network access. Authentication and authorization provide similar functionality at the application and service level. Authentication and authorization are not necessarily bullet-proof architectural constructs for preventing compromise, but they go a long way to keeping users in line.

Further up the pyramid are software security needs. Many organizations have custom developed software to support their specific line of business. Determined attackers will often target this custom code when attacking a specific organization. By implementing software security practices in the software development lifecycle, an enterprise can work to thwart these dedicated attackers.

On the operational side of the software security problem, new access control mechanisms are allowing for fine tuned control of software on hosts. For instance, FreeBSD has a Mandatory Access Control (MAC) mechanism that can dramatically limit an application's ability to misbehave. Security Enhanced Linux (SELinux) has similar capabilities on the Linux operating system. However, these fine grained access control mechanisms can be administratively difficult to maintain. Further, the skills needed to set up these types of systems are difficult to find and employ in most IT departments.

Upper level needs

At the top of the pyramid are complex IT security architectural components. Intrusion detection systems and honeypots can be useful for finding attackers that are entering your network. However, they are manpower intensive applications that can have a terrible signal to noise ratio. For instance, in some organizations you will find that half of the IT security staff is dedicated to needs at the top of the pyramid such as IDS monitoring. So, half the staff is taking care of 85% of the IT security needs, but that last 15% is very expensive to obtain.

Further, these upper level needs often focus on detection, not prevention. While intrusion prevention systems are on the rise, these types of prevention systems are still in their infancy. Further, most IT departments are wary of a security device making dynamic access control decisions without human interaction. It may be years before IT managers are comfortable with prevention systems in the upper level of the IT security needs pyramid.

Parting shots

While you may be able to find counterexamples to the examples given here, the general idea of examining your IT security needs in a hierarchical manner is a sound one. By dealing with your infrastructure one layer at a time, you can better make operational, architectural, and budgetary decisions. For instance, if you do not have reasonable patch management practices, can you really justify spending 60% of your budget on IDS licensing and staff? Hopefully, if you address the issues at the base of the pyramid, you will not even need the higher level items.

About the author

Bruce Potter is currently a senior security consultant at Booz Allen Hamilton.
