Information Technology Reference
In-Depth Information
Encrypt in Storage and Transmission
An enterprise architect must keep abreast of current and emerging
security threats and mechanisms for system exploitation and malware
operation, while also remaining cognizant of physical security and user
training requirements. All enterprise planning should first identify all
resources and the requirements for protecting each resource before begin-
ning implementation plans. Encryption and data protection should be
included whenever data is stored, transmitted, or processed—particularly
in service-oriented architecture (SOA) implementations, where legacy
integrated systems may not include the capability for more modern types
of data transmission security or endpoint validation.
Security Must Be Layered
Security is not encryption, authentication, firewalls, filtering policies, run-
time authorization, antivirus/antispam applications, or intrusion-detec-
tion systems—it is all of these and more. Security should be included at
the most basic level and then layered in order to strengthen a network's
defenses. Figure 3.3 illustrates a simplified model of network defense
including host-based and network-based defensive applications, along
with firewall barriers shielding an externally exposed data management
zone (or, sometimes, demilitarized zone, DMZ) as well as an internally
protected shielded subnet.
An illustration of enterprise defensive concepts has much in common
with early physical defenses employed to protect against invading armies.
It is often said that a castle is only as secure as its least protected gate,
and this same thinking must be applied when the enterprise architect is
evaluating architectural plans. Most large networks are placed behind a
boundary defense, as is often the case when individual business elements
are allowed to maintain and update their own systems within the over-
all organizational network. A single unpatched or insufficiently defended
system can be compromised and used to bypass boundary defenses for
attacks against other systems within the protected network.
Note:
One desirable complexity may be to implement devices from
different vendors for defensive layering. By including products based
on different technologies at the external and internal boundaries of the
