With all security designs, there is some trade-off between user
productivity and security measures. The goal of any security design is to
provide maximum security with minimum impact on user access and productivity.
Some security measures, such as network data encryption, do not restrict access
and productivity. On the other hand, cumbersome or unnecessarily redundant
verification and authorization systems can frustrate users and prevent access
to critical network resources.
Business needs should dictate the security policy. A security policy should
not determine how a business operates. Because organizations are constantly
subject to change, security policies must be systematically updated to reflect
new business directions, technological changes, and resource allocations.
Security policies can vary greatly in design. Three general types of
security models are open, restrictive, and closed. Some important points are as
follows
:
- Security model can be open or closed as a starting point.
- Choose the best end-to-end mix of security products and technology to
implement the model.
- Application-level security can include Secure Socket Layer (SSL)
technology.
Like security models, many devices can be classified as open,
restrictive, or closed. For example, routers and switches are typically open
devices, allowing high functionality and services by default. On the other
hand, a firewall is typically a closed system that does not allow any services
until they are switched on. Server operating systems can fall into any of the
three categories, depending on the vendor. It is important to understand these
principles when deploying these devices.
Open Access
An open security model is the easiest to implement
–
. Very few
security measures are implemented in this design. Administrators configure
existing hardware and software basic security capabilities. Firewall, Virtual
Private Networks (VPN), Intrusion Detection Systems (IDS) and other measures
that incur additional costs are typically not implemented. Simple passwords and
server security become the foundation of this model. If encryption is used, it
is implemented by individual users or on servers.
This model assumes that
the protected assets are minimal, users are trusted and threats are minimal.
However, this does not exclude the need for data backup systems in most open
security policy scenarios. LANs, which are not connected to the Internet or
public WANs, are more likely to implement this type of model.
This type
of network design gives users free access to all areas. When security breaches
occur, they are likely to result in great damage and loss. Network
administrators are usually not held responsible for network breaches or
abuse.
Restrictive Access
A restrictive security model is more
difficult to implement
–
. Many security
measures are implemented in this design. Administrators configure existing
hardware and software for security capabilities in addition to deploying more
costly hardware and software solutions such as firewalls, VPN, IDS, and
identity servers. Firewalls and identity servers become the foundation of this
model.
This model assumes that the protected assets are substantial, some
users are not trustworthy, and that threats are likely. LANs, which are
connected to the Internet or public WANs, are more likely to implement this
type of model. Ease of use for users is diminished as security is
tightened.
Closed Access
A closed security model is most
difficult to implement. All available security measures are implemented in this
design. Administrators configure existing hardware and software for
maximum-security capabilities in addition to deploying more costly hardware and
software solutions such as firewalls, VPN, IDS, and identity servers
–
.
This
model assumes that the protected assets are premium, all users are not
trustworthy, and that threats are frequent. User access is very difficult and
cumbersome. Network administrators require greater skills and more time to
administer the network. Furthermore, companies require a higher number of
network administrators to maintain this tight security.
In many
corporations and organizations, these administrators are likely to be very
unpopular while implementing and maintaining security. Network security
departments must clarify that they only implement the policy, which is
designed, written, and approved by the corporation. Politics behind the closed
security model can be monumental. In the event of a security breach or network
outage, network administrators may be held more accountable for problems.