Infrastructure Security
by DAVID ARBEITEL
There's a war going on, and it's all about your computer. It's also about your co-workers', business partners' and customers' computers...
Infrastructure Security Threats Are Outpacing Infrastructure Security Strategies
Threats from cyber-attacks are growing and becoming more sophisticated and damaging. It’s cyber-warfare and your business could be the next battleground.
In a recent global study on information security, two-thirds of companies reported having been hit by cyber-attacks in the past year, costing businesses over $1.4 trillion. In light of these dangers, every organisation needs to ask itself, "Do I have adequate infrastructure security?"
For many companies, the answer today is no. Most businesses have not taken the necessary steps to guard against break-ins and espionage, many have no formal security policies in place, and most rely on user passwords for protection. An even greater risk factor is the level of trust that many organisations place in the technology staff charged with keeping the business running. Increasingly, these workers are becoming outsiders themselves, yet they have access to some of the most critical business assets: the networks, servers and desktops that comprise the critical infrastructure of a business. Many organisations have enthusiastically embraced technology for its benefits but have not adequately considered the need to manage the risks. So how can an organisation ensure that it has protected its underlying technology infrastructure?
A Blueprint for Infrastructure Security
What characterises these new threats is the ease with which attackers can disrupt the operations of a business. One approach to protecting critical infrastructure elements is the Secure Infrastructure Management Architecture (SIMA) developed by ION Networks. A number of organisations use SIMA today to ensure that the necessary security policies, baseline controls, and management processes are in place to protect their critical technology infrastructure. SIMA breaks down the challenge of securing the management of critical infrastructure into a three-layer model for infrastructure security based on the following principles:
Securing the Perimeter
- Ensures secure access to infrastructure elements by remote users.
- Ensures that information cannot be read and understood while in transit.
- Ensures that unauthorised access to the infrastructure through its externally facing access points is prevented.
- Ensures that security breaches at all externally facing access points to the infrastructure are identified in real time and repudiated.
Securing the Interior
- Ensures that users are appropriately identified before gaining access to infrastructure elements.
- Ensures that an authenticated user can only access administrator-approved infrastructure elements.
- Ensures that all security violations and sensitive activities are documented and can be easily retrieved for investigation and management purposes.
Securing Users & Their Actions
- Ensures that no information leaves an organisation without authorisation, and that information received from external sources does not violate policies.
- Ensures that actions are securely logged so that no user can deny the actions they take.
- Ensures safe management of private keys that provide authentication, authorisation, message-integrity and non-repudiation services for users.
- Ensures that user access requests are processed in accordance with the stated directions of the administrator.
- Ensures that users are authenticated once and then granted access programmatically to all infrastructure elements they need in order to perform their job function.
For many organisations, the end game of any infrastructure security strategy is to deliver sustainable service in spite of security threats.
In order to protect critical infrastructure, a well-designed infrastructure security strategy must ensure that every infrastructure element is fully protected by the same strong security measures.