personnel, and technology are support and overhead. This is not to say nonkey areas
are not important—indeed they are. However, in the context of fulfilling the
organizational mission, there are key areas and there are support and overhead areas.
The distinction becomes particularly important in the context of business continuity
and disaster recovery; key areas are of higher priority.
Core aspects of the technology reside at the center of organizational operations,
figuratively if not literally. The core in most organizations houses data centers,
servers, databases, data, and information. Much of core technology is also key
technology, but not all. Moreover, not all key technology resides at the core. Neither
do all key business functions and personnel reside in the core. Layers of security
controls (defense-in-depth) are necessary for both core and key business functions,
personnel, information, and information technology. The principle of defense-in-depth
introduces layers of protection that surround core and key aspects of the organization.
The introduction of firewalls in the mid-1990s produced somewhat hardened
network perimeters; however, if an attacker made it through the firewall, he had
free rein over the interior network. This is the proverbial “crunchy on the outside,
soft on the inside” network. Subsequent safeguards began to address the inside of
the network at various layers (e.g., intrusion detection systems). Moreover, the use
of firewalls within the perimeter to segregate sections of the internal organization
also provides an additional layer of defense-in-depth.
Defense-in-depth takes on two macro views, exogenous and endogenous. Exogenous
is activity occurring outside the organization. Endogenous is activity within
the organization. An elaboration of these two views is as follows:
- Exogenous
  - Scope of control
    - Control
    - Influence
    - Controlled response
- Endogenous
  - Physical
    - Perimeter
    - Core
  - Data state
    - In transit
    - In use
    - At rest
  - Principle or IA operations cycle
    - Anticipate
    - Prevent
    - Defend
    - Monitor
    - Detect