Handbook of Information Security Management:Policy, Standards, and Organization



Chapter 4-3-2
Enterprise Security Architecture

William H. Murray

INTRODUCTION

Sometime during the 1980s we crossed a line from a world in which the majority of computer users were users of multi-user systems to one in which the majority were users of single-user systems. We are now in the process of connecting all computers in the world into the most complex mechanism that humans have ever built. While for many purposes we may be able to do this on an ad hoc basis, for purposes of security, audit, and control it is essential that we have a rigorous and timely design. We will not achieve effective, much less efficient, security without an enterprise-wide design and a coherent management system.

Enterprise

If you look in the dictionary for the definitions of enterprise, you will find that an enterprise is a project, a task, or an undertaking; or, the readiness for such, the motivation, or the moving forward of that undertaking. The dictionary does not contain the definition of the enterprise as we are using it here. For our purposes here, the enterprise is defined as the largest unit of business organization, that unit of business organization that is associated with ownership. If the institution is a government institution, then it is the smallest unit headed by an elected official. What we need to understand is that it is a large, coordinated, and independent organization.

ENTERPRISE SECURITY IN THE 1990S

Because the scale of the computer has changed from one scaled to the enterprise to one scaled to the application or the individual, the computer security requirements of the enterprise have changed. The new requirement can best be met by an architecture or a design.

We do not do design merely for the fun of it or even because it is the “right” thing to do. Rather, we do it in response to a problem or a set of requirements. While the requirements for a particular design will be those for a specific enterprise, there are some requirements that are so pervasive as to be typical of many, if not most, enterprises. This section describes a set of observations by the author to which current designs should respond.

Inadequate expression of management intent — One of these is that there is an inadequate expression of management’s intent. Many enterprises have no written policy at all. Of those that do, many offer inadequate guidance for the decisions that must be made. Many say little more than “do good things.” They fail to tell managers and staff how much risk general management is prepared or intends to accept. Many fail to adequately assign responsibility or duties, or to establish who has the discretion to say who can use what resources. This results in inconsistent risk and inefficient security, i.e., some resources are overprotected and others are underprotected.

Multiple sign-ons, IDs, and passwords — Users are spending tens of minutes per day logging on and logging off. They may have to log on to several processes in tandem in order to access an application. They may have to log off of one application in order to do another. They may be required to remember multiple user identifiers and coordinate many passwords. Users are often forced into insecure or inefficient behavior in futile attempts to compensate for these security measures. For example, they may write down or otherwise record identifiers and passwords. They may even automate their use in macros. They may postpone, or even forget, tasks so as not to have to quit one application in order to do another. This situation is often not obvious to system managers. They tend to view the user only in the context of the systems that they manage rather than in the context of all the systems the user uses. The system manager may also see this cost as “soft money,” not easily reclaimed by him. On the other hand, it is very real money to the enterprise, which may have thousands of such users and which might be able to get by with fewer if they were not engaged in such activity. Said another way, information technology management overlooks what general management sees as an opportunity.

Multiple points of control — Contrary to what we had hoped and worked for in the 1980s, data are proliferating and spreading throughout the enterprise. We did not succeed in bringing all enterprise data under a single access control system. Management is forced to rely upon multiple processes to control access to data. This often results in inconsistent and incomplete control. Inconsistent control is usually inefficient. It means that management is spending too much or too little for protection. Incomplete control is ineffective. It means that some data are completely unprotected and unreliable.

Unsafe defaults — In order to provide for ease of installation and avoid deadlocks, systems are frequently shipped with security mechanisms set to the unsafe conditions by default. The designers are concerned that even before the system is completely installed, management may lose control. The administrator might accidentally lock himself out of his own system with no remedy but to start over from scratch. Therefore, the system may be shipped with controls defaulted to their most open settings. The intent is that after the systems are configured and otherwise stable, the administrator will reset the controls to the safe condition. However, in practice and so as not to interfere with running systems, administrators are often reluctant to alter these settings. This may be complicated by the fact that systems which are not securely configured are, by definition, unstable. The manager has learned that changes to an already unstable system tend to aggravate the instability.
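The unsafe-defaults problem described above is one that can be checked for mechanically once management has written down the safe condition it intends. The following is an added example, not code from the handbook or from any product it discusses: it parses a simple key = value configuration, compares each setting against a hardening baseline, and separates settings that were explicitly left at the vendor's open default from settings that are merely absent (in which case the shipped default silently applies, which is the case administrators most often miss). The service settings, the baseline values and the sample configuration are all constructed for illustration and do not correspond to any real product.

```python
"""Audit a configuration for controls still at their shipped (open) defaults."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Setting:
    key: str
    shipped_default: str  # value the vendor ships, chosen to avoid lockouts
    required: str         # value management's baseline requires


# Hypothetical hardening baseline for a hypothetical service (constructed names).
BASELINE = (
    Setting("remote_admin", "enabled", "disabled"),
    Setting("anonymous_access", "allow", "deny"),
    Setting("tls_required", "no", "yes"),
    Setting("audit_logging", "off", "on"),
)

# Constructed sample: a post-installation configuration that was only partly hardened.
SAMPLE_CONFIG = """
# service.conf (constructed sample)
remote_admin = disabled     # the administrator did reset this one
anonymous_access = allow    # explicitly left at the shipped default
tls_required = maybe        # neither the shipped nor the required value
# audit_logging is not set at all, so the shipped default ("off") applies
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse key = value lines; blank lines and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(config: dict[str, str], baseline=BASELINE) -> dict[str, list[str]]:
    """Classify every baseline setting against the parsed configuration.

    'compliant'         - set to the required value
    'at_unsafe_default' - explicitly set to the vendor's shipped value
    'unset'             - absent, so the shipped default is in effect
    'noncompliant'      - set to some other value that is not the required one
    """
    report: dict[str, list[str]] = {
        "compliant": [], "at_unsafe_default": [], "unset": [], "noncompliant": []
    }
    for s in baseline:
        value = config.get(s.key)
        if value is None:
            report["unset"].append(s.key)
        elif value == s.required:
            report["compliant"].append(s.key)
        elif value == s.shipped_default:
            report["at_unsafe_default"].append(s.key)
        else:
            report["noncompliant"].append(s.key)
    return report


if __name__ == "__main__":
    for category, keys in audit(parse_config(SAMPLE_CONFIG)).items():
        print(f"{category:18s} {', '.join(keys) or '-'}")
```

Treating an absent key as "unset" rather than ignoring it is the design point: a baseline that only inspects keys present in the file reports nothing for controls nobody ever touched, which is exactly the state the paragraph above describes.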

