Enterprise environments are composed of thousands of distributed IT systems that include various operating systems, business applications, and hardware devices. While the systems themselves are connected through the network and generally work as one, their security remains separate and unique. From the security perspective, each IT system remains an independent security domain that requires individual administration, reporting, management, and maintenance, with all the associated cost this entails. This approach creates security risks and exposures because it requires replication of control information on multiple disparate systems that must be synchronized. With so many different technologies, it becomes extremely difficult, if not impossible, to be compliant.
Maintaining and administering a large number of security systems in a single enterprise is a daunting task. Each system must have user accounts added and managed, and fine-grained access control lists created and administered. Managing these environments is further complicated because different vendor systems use proprietary schemes for control, administration, and reporting. The resulting complexity negatively impacts the level of security in the enterprise. The security actually achieved depends more on the usability of security controls than on the capabilities of the security systems themselves. More simply put: The more complex a system is to use, the less likely it is to be used.
If those in the enterprise who have governance, fiduciary, and operational responsibilities are going to meet the demands of stakeholders, customers, partners and regulatory agencies, they must mitigate system complexities.
What if there’s a completely different approach to enterprise security that solves the complexity issues and improves security at a lower cost? What if this solution is actually a proven methodology? That’s what this article is about.
Centralized Should Mean More Than a Dashboard
Most enterprisewide security solutions attempt to address the problem of managing thousands of IT systems by creating additional layers of technology on top of each of the individual security systems. These layers replicate security control information from the individual servers to a centralized command and control center with an enterprise dashboard. While this enterprise repository of security policy appears to be integrated, it isn’t. That’s because individual systems continue to be separately maintained and administered.
The command center doesn’t actually perform security functions; it simply contains the rules and pushes them down to the individual systems. While this approach might be considered “centralized,” it’s by no means integrated, resulting in additional layers of software and replicated control data that need to be administered and maintained (see Figure 1). Each individual system can still be managed locally, outside the centralized command and control center, which often creates out-of-sync conditions between the enterprise dashboard view and the actual systems being controlled. This can create a false sense of security, and compliance becomes impossible. As a result, increased efforts (resources) are required to correct, administer, and report on the dashboard and the many individual systems it controls. The bottom line is that limited and costly resources are spent on managing the security systems themselves, instead of on the actual security functions those systems were meant to perform.
Organizations need to find a better way to address the interactions between the security systems themselves. The answer is a new integrated enterprise security architecture that offers a simple design, ease of use, and security (application) automation tools.
A truly integrated approach to enterprise security is one that treats the entire trusted enterprise as a single secure domain, resulting in one system to secure, not thousands. With this approach, all enterprise systems (e.g., mainframe, Windows, Novell, HP, Sun, Unix, Linux, and others) are controlled by one security system that redirects all security processes to a single enterprise security server.