Deep theater defense

We all know perimeter firewalls are necessary but not sufficient. But what’s the right strategy for building additional layers of security? Greg Machler dives in.

By Greg Machler

August 17, 2010 — CSO

As an executive, do you ever worry whether your corporate brand is adequately protected against a lapse in technological integrity? Corporations today hold sensitive HR data, financial data, and often consumer data. If this data is compromised, the outside world usually finds out, lawsuits follow, and the corporate brand is tarnished. That could lead consumers to think twice about purchasing your products or services.

In the case of retail organizations, how does one effectively protect customer credit card data? Consider deploying an IT architecture that information security professionals call a deep-theater defense. Let’s investigate the design of this protective architecture:

First, put sensitive data in a second tier of firewall segments behind the main corporate firewalls. This second-tier firewall and its corresponding network shield sensitive applications and their data from being easily reached if the Web-facing firewalls are breached.

For example, many national retailers sell groceries and have a pharmacy. It would be wise to deploy at least five firewall/network segments: one for HR data, one for financial data, one for credit card PCI (Payment Card Industry) data, one for pharmacy (HIPAA) data, and one for services that the other segments share.

The segment containing services that are shared could contain common support services such as network and systems management, encryption and PKI functions, access control services, and security event management functions. Another architectural implementation that protects corporations from internal data theft is the creation of a tunneling access protocol. Often, critical systems are accessed by administrators and outside vendors.

It is important that all access to these applications be logged so that, if an internal data breach occurs, the source can be discovered. It is equally important that the second-tier firewall close its administrative ports so that administration can only be initiated from the common-services segment. The goal is to prevent access from administrative tools that sit in front of the second-tier firewalls.
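The three design rules above (a second tier of segments per data class, administrative ports open only to the shared-services segment, and every access attempt logged) can be expressed as a small default-deny policy. The following model is an added example, not code from the article or from any firewall vendor; the address plan, port numbers and the published payment application are constructed values chosen for illustration.

```python
"""Policy model of the two-tier 'deep theater' segmentation described above.

Constructed example: six segments with hypothetical addresses, a default-deny
ruleset for the second-tier firewall, and an audit log of every decision.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed address plan (hypothetical values, not from the article).
SEGMENTS: Dict[str, IPv4Network] = {
    "web-dmz": ip_network("10.0.0.0/24"),          # sits in front of the second-tier firewalls
    "shared-services": ip_network("10.1.0.0/24"),  # network/systems mgmt, PKI, access control, SIEM
    "hr": ip_network("10.2.0.0/24"),
    "finance": ip_network("10.3.0.0/24"),
    "pci": ip_network("10.4.0.0/24"),
    "pharmacy": ip_network("10.5.0.0/24"),
}
SENSITIVE = {"hr", "finance", "pci", "pharmacy"}
ADMIN_PORTS = {22, 3389, 5986}  # SSH, RDP, WinRM over HTTPS
# Application ports deliberately published through the second tier
# (constructed: the PCI segment's payment API reachable from the Web DMZ).
PUBLISHED: Set[Tuple[str, str, int]] = {("web-dmz", "pci", 443)}
# Ports a sensitive segment may use to consume shared services (e.g. PKI, directory).
SHARED_SERVICE_PORTS = {443, 636}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


class SecondTierFirewall:
    """Default-deny policy for traffic entering or leaving the sensitive segments."""

    def __init__(self) -> None:
        self.audit_log: List[dict] = []

    def evaluate(self, flow: Flow) -> Decision:
        src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
        decision = self._decide(src_seg, dst_seg, flow.dport)
        # Every attempt is recorded, allowed or denied, so a breach can be traced to its source.
        self.audit_log.append({
            "src": flow.src, "src_segment": src_seg,
            "dst": flow.dst, "dst_segment": dst_seg,
            "dport": flow.dport, "allowed": decision.allowed, "rule": decision.rule,
        })
        return decision

    def denied_admin_attempts(self) -> List[dict]:
        """Audit entries worth alerting on: admin-port access from anywhere but shared services."""
        return [e for e in self.audit_log if e["rule"] == "admin-port-closed"]

    @staticmethod
    def _decide(src_seg: str, dst_seg: str, dport: int) -> Decision:
        if dst_seg in SENSITIVE:
            if dport in ADMIN_PORTS:
                # Administrative ports are closed to everything but the shared-services segment.
                if src_seg == "shared-services":
                    return Decision(True, "admin-from-shared-services")
                return Decision(False, "admin-port-closed")
            if (src_seg, dst_seg, dport) in PUBLISHED:
                return Decision(True, "published-application")
            if src_seg in SENSITIVE:
                # Segments holding different data classes do not talk to each other.
                return Decision(False, "cross-segment-isolation")
            return Decision(False, "default-deny")
        if src_seg in SENSITIVE and dst_seg == "shared-services" and dport in SHARED_SERVICE_PORTS:
            return Decision(True, "consume-shared-service")
        return Decision(False, "default-deny")


if __name__ == "__main__":
    fw = SecondTierFirewall()
    for f in (Flow("10.0.0.15", "10.4.0.10", 22),   # DMZ host tries SSH into PCI: denied
              Flow("10.1.0.5", "10.4.0.10", 22),    # admin jump host in shared services: allowed
              Flow("10.0.0.15", "10.4.0.10", 443)): # published payment API: allowed
        d = fw.evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  allowed={d.allowed}  rule={d.rule}")
```

The `denied_admin_attempts` query is the detection side of the same policy: with administrative ports closed to everything in front of the second tier, any denied admin-port attempt in the audit log is either a misconfigured tool or a probe, and both deserve a ticket.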

Applications need to be ported behind the deep theater second-tier firewalls. Where does one start?

For the rest, visit CSO Online.
