The previous six posts make up a Defence in Depth approach to securing an IT system and the data contained within. IT systems are essential to commerce in many parts of the world. Protecting all the components of these systems helps to safeguard the business’ secrets and maintain compliance with the laws that govern the security of data.
Layers
The Perimeter of the system is hard to define now that new communication tools connect people to systems remotely. The system's owner has to regularly define the boundary between the business' system and that which is entirely outside their control.
Boundary defence will include securing physical access to the system. Machines should be locked away from unauthorised access. A home-run business would avoid risks by locating the computer in a private part of the home. Scale this up to a large company and you get dedicated server centres with high security.
Networks are usually connected to the Internet and are protected primarily at that junction. Firewalls help control the type of traffic that comes into the home network but defending against the Web is not the end of network defence. Within a company there will be division of responsibilities and different rights of access which must be technologically defended.
The Host machines run different applications to serve the business. Some staff will have access to the finance applications, others to the HR ones. The machines need to be protected, access to the applications needs to be protected and access to the data used by the applications must also be protected.
Some Applications, such as an email program, are used by all staff. Proper authentication is important to ensure that each person sees only their own account. These applications usually ship with default settings which are common knowledge and need to be reset on installation.
Data Classification helps decide what to hide where. When a business is clear about which data must be kept secret, it makes it easier to allocate resources to protecting that data. Without a classification there will be an effort to protect all, nothing or the wrong things.
Additional Steps
Backing up essential data is a security step that ensures a business can continue running after a disaster. That can be a loss of power, machines or offices, a natural disaster or anything else that would deprive the business of its IT systems and data. An external storage device and a schedule for backing up data give a company the means to recover from many types of attacks and catastrophes.
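As an added example, not code from the original post, here is a minimal backup routine of the kind the paragraph describes: archive a directory to an external destination on a schedule, record a checksum so a damaged or tampered archive is detected before you rely on it, and keep only the most recent copies. The source and destination paths are assumptions; the schedule would come from cron or a similar timer.

```shell
#!/bin/sh
# Added example: scheduled backup with integrity check and retention.
# Assumed layout: SRC is the directory to protect, DEST is a mounted
# external device. Requires tar and sha256sum (GNU coreutils).

set -eu

# backup_dir SRC DEST -> prints the path of the archive it created
backup_dir() {
    src="$1"
    dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # Store a SHA-256 beside the archive so bit-rot or tampering shows up later
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> returns 0 only if checksum matches and archive is readable
verify_backup() {
    archive="$1"
    (cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" > /dev/null 2>&1) || return 1
    # Confirm the archive can be listed end to end, not just that the bytes match
    tar -tzf "$archive" > /dev/null 2>&1
}

# prune_backups DEST KEEP -> delete all but the newest KEEP archives (and their checksums)
prune_backups() {
    dest="$1"
    keep="$2"
    ls -1t "$dest"/*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Typical scheduled run (paths are placeholders):
#   a=$(backup_dir /srv/finance /mnt/external/backups) && verify_backup "$a" \
#       && prune_backups /mnt/external/backups 7
```

Verifying immediately after writing catches a full or failing external device on the day it happens rather than on the day of the restore, and the checksum files let a later audit confirm the archives are still intact.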
Encryption is another defensive tool that keeps data private both in storage and in transit. Many of the usual office applications can save documents in an encrypted form. There are also Open Source encryption tools to help protect email, memory sticks and storage devices.
A Defence in Depth strategy for a business’ IT systems pays its way because it sets up barriers at each point between an external entity and the data that is the lifeblood of a business. This ensures that the company can keep hold of its secrets and in the event of a disaster, resume business without much interruption.
Photo by Adam Mulligan