Role of Security in Infrastructure Optimization

By Aloysius Cheang, CISA, CISSP, GCIH, Microsoft MVP

See other Security MVP Article of the Month columns.

Introduction

Technology is often viewed as an enabler to delivering business success. However, IT investments may not necessarily bring a corresponding perceivable improvement to your operations. Often, the derived benefits from IT investments may not be as rosy a picture as painted by the vendors, and there are many reasons why that is so. One of the important reasons is that the existing IT infrastructure may not be fully integrated into the business processes and optimized to perform efficiently and effectively in the first place, which would have a significant impact on the control, quality and speed of information access, and the availability of information. Thus, in order to reap maximum benefits from any IT investment, the IT infrastructure must be optimized, benchmarked and its value to business quantifiable. In addition, security plays an important role during the optimization process in bringing an IT infrastructure from a highly vulnerable state to an optimized state where a practice of continuous process improvements would ensure processes in place are mature and quantifiable. In fact, today, security can be a business enabler and a competitive advantage.

How does security help in the optimization process?

There are three key areas in which security plays an important role in the infrastructure optimization effort.

Control of information access

First and foremost, security allows for the control of access to information to be managed and defined. By control of access to information, we are referring to identity management and network access control. Identity management refers to the management of the lifecycle of entities within an IT infrastructure -- in this case it can be people, assets, or any IT resource.

In a properly defined identity management lifecycle, the identity of the entity can be established or enrolled (provisioned), have information assigned to describe it or associate with it, and be properly destroyed or deregistered (deprovisioned) in the event that an employee leaves the company or that an IT asset such as the laptop is damaged beyond repair. Today’s challenge is not only to manage these entities within the company well, but also to manage or synchronize the access to these resources from corporate mobile users, customers, and partners outside of a traditional firewall that protects the company’s IT infrastructure. This is a challenge because there is no way for any company to regulate or control the way security is treated at the customers’ or partners’ end. Added to that challenge is the difficulty of enforcing company security policies on mobile users.

In a way, identity management also affects network access control within the IT infrastructure. Simple network access or access to critical resources on the network is only allowed upon successful authentication of the entity that submits a request and receives the right credentials in returns that authorized the access. At the same time, through network access control, identity management also provides a mechanism to protect the IT infrastructure from denial of services attacks and viruses while preserving access to corporate resources.

Network Access Protection (NAP) is a new technology employed in Windows Vista (and soon-to-be released Windows Server 2008) for controlling a computer host’s network access privileges based on its system health. With NAP, system administrators of an organization's computer network can define and enforce compliance on policies for system health requirements. For example, a firewall must be installed and enabled, and the latest operating system patches and updates must be installed. With NAP, you can create customized health requirement policies to validate computer health before assigning compliant computers full network access privileges and the ability to update their policies to ensure ongoing compliance, or to optionally assign restricted network access privileges only to non-compliant computers until they are compliant to policies.

Process improvement

While technology is necessary to meet demands for reliable, available, and highly secured IT services, technology alone is not sufficient. People and processes are also required to optimally operate the implemented technology. As part of the infrastructure optimization, a well-implemented security process will allow for highly reliable, available, and secure access to information. One of the most referenced security process improvement framework used is ISO/IEC 27002, formerly known as ISO/IEC 17799:2005. It is an information security standard published by the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC) that provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing, or maintaining information security. The standard contains twelve main sections where within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as the best practice means of achieving those objectives.

By using ISO/IEC 27002, relevant process and procedures can be designed and then adopted by the security policy compliance template within NAP to be used for optimizing operations within the IT infrastructure.

Data availability

Last but not least, security is instrumental to ensure data availability in an optimized environment. Desktop, device, and server management can be simplified through NAP allowing for easier deployment of patches, operating system updates, and applications across the network without any downtime. In addition, a well-designed security policy will define the process of business continuity management (BCM) that protects, maintains, and recovers business-critical processes and systems in a cost-effective and time-efficient manner. BCM helps to reduce operational risks associated with lax information management controls, and helps to rapidly regain access to information in a timely manner with a well-established recovery process. BCM may be integrated during any improvement process of information security and corporate reputation risk management practices.

Conclusion

IT infrastructure in many organizations today uses various point products that have integration and compatibility problems. Management of such systems is applied across silos, which make it difficult for a holistic approach to manage any systems. Additionally, ever-increasing security and regulatory compliance requirements restrict how IT can react in a timely manner. In the pursuit of infrastructure optimization to improve the reliability and quality of service, and to reduce costs, security plays a very important role. Infrastructure optimization is possible through implementing information access control, rolling out security processes, and employing data availability initiatives. In the absence of a centralized control, solutions are needed by IT to give it more control over the infrastructure, simplify management, and deliver highly secure and accelerated information services across the extended enterprise.

Risk is inherent in any business and can be an unnerving factor that prevents you from achieving your business objectives. Security is a way to reduce risk. Hence, security not only plays a role in infrastructure optimization, it is the foundation that optimization is built on.