Computing Reviews
Inside the security mind : making the tough decisions
Day K., Prentice Hall Professional Technical Reference, Upper Saddle River, NJ, 2003. 336 pp. Type: Book (9780131118294)
Date Reviewed: Dec 13 2004

Security has been among the top five items on every information technology (IT) manager’s agenda for the past decade; many new technologies and tools have been developed in this area, and consulting companies and practices have sprung up everywhere. Yet, many writers, including notable security expert Kevin Day, claim that information is not more secure now than it was a few years ago. And the well-understood, but often discounted, reason for this is that security is not a technology-only issue, so it can’t be addressed via technology alone. This position is well known, but this book explains it well. The book is easy to understand, even for a nontechnical reader.

Contrary to the majority of writers who believe that security is so complex that complete security is impossible to achieve, Day contends that complete security is achievable if you approach it with a “security mind,” that is, if you focus on fundamental rules of security instead of millions of details in every security situation. Moreover, the author claims that security is a complex topic, but that the rules should be easy to follow: if security overhead overburdens users or developers, something is wrong. The remaining 300 pages and 11 chapters of the book illustrate, justify, and explain these views.

Chapter 2 explains that security is an art form, and information security is not guided entirely by rational considerations. It is one of the youngest areas of IT, and one of the broadest, applying to almost every component of IT systems and their maintenance. Security is also the only IT field where the good guys (technologists) are pitted against the bad guys (hackers). As a result, many security decisions are guided by fear rather than careful planning. Fear, however, is not always bad; it is also good, in that it drives the investment in security, even in times of scarcity.

Chapter 3 focuses on four virtues of security: security must involve daily effort; it has to be a community enterprise; security practice has to be general; and the education component is as important as the technology. The “higher focus” or generality virtue is especially important: the author contends that seeing the bigger picture is a tremendous advantage, because it allows security practitioners to define security in terms of repeatable rules and best practices, and to inform the various classes of security end users about those practices.

Chapter 4 is about the “Eight Rules of Security”: least privilege, trust, change, weakest link, separation, three-fold process, immediate and proper response, and preventative action. This chapter attempts to simplify the challenging job of creating security rules and guidelines that cover an organization’s whole universe of systems needing protection. The chapter does offer a formal framework to support the effort of defining proper levels of security, but it is too abstract to be of immediate practical value. For example, the “weakest link” rule states that security is only as good as its weakest link (correct), and invites practitioners to document the weak links (correct, but nearly impossible to do, because the weakest links are not self-evident). Still, the chapter’s good list of issues important for security will be useful to security administrators.

Chapter 5 instructs the reader on how to develop “a higher security mind,” that is, the ability to generalize in order to formulate viable security rules. Day uses the example of zoning for security to illustrate the point. Security zones and the relationships among them can be simplified and formalized in order to create concrete rules that apply to specific computer applications. General information, such as the need for access auditing and silent checkpoints, is helpful in defining the details of perimeter traversal. Security procedures have ample parallels in everyday events, and the author uses them to present a higher-order security framework that can be actualized in concrete environments.

Chapter 6 presents the process of making security decisions. The chapter suggests first taking into consideration the components of the security issue, then identifying and analyzing risk, and then using the security rules and virtues described in earlier chapters to come up with a viable decision. The example in the chapter has to do with the multi-enterprise solution, after a partnership with another company has been established. The author guides the reader through the rules, security zoning, and other aspects of security, as well as risk and threat analysis, to the point where a decision can be made. The process is very interesting, but the decision itself is disappointing because of its generality: establish access control, terminate connections in a secure zone, use transport security, and so on. These are parameters applicable to all business-to-business (B2B) communications, and are known to most security administrators.

Chapter 7 is about knowing your enemies and your organization: knowing and forecasting threats that come from hackers and employees. The author provides general information about threats of this nature, and the most vulnerable targets, such as email or domain name system (DNS) servers. Information about social engineering, and the need for physical security and strictness of rules, is also provided. The chapter concludes with excellent practical guidance about formulating the organizational security profile, and hiding vulnerable assets.

Chapters 8 through 11 constitute a pragmatic guide to managing security for organizations, focusing on security assessment and audit, the necessary security staff, the additional security issues brought on by networking and modern technology, and the application in practice of the security rules described earlier. The chapters provide step-by-step instructions for conducting evaluations of secure systems and security audits; present excellent material on choosing between internal security staff and consultants; and address the issues of wireless security, virtual private networks (VPNs), reliable key management, and the use of open source solutions. The last section of the group defines some of the most important security practices, such as perimeter defense, authentication, access audit, authorization, and single sign-on, based on the eight security rules described in chapter 4.

The concluding chapter briefly outlines the future of information security, describing both security reasoning and security technology.

This is an unusual book, in that it offers readers a very broad description of security issues, in a way that even a novice IT worker can understand. The breadth of the book makes it an excellent tool for security practitioners working on securing their enterprises in ever-changing conditions. While the generality of its descriptions may disqualify the book from being used directly as a policy and architecture development guide, its breadth makes it appropriate at the initial stages of definition for almost all security projects. The volume can also be used as a textbook, for those beginning to look into security management and administration, and eager to learn about the inventory of problems in the area, and techniques to approach and resolve most security issues.

Reviewer: Claire Vishik. Review #: CR130530 (0508-0892)
Categories: Security and Protection (K.6.5); Security and Protection (C.2.0 ...)
Reproduction in whole or in part without permission is prohibited. Copyright 1999-2024 ThinkLoud®