Security Architecture: Design, Deployment & Applications [With CDROM]

Boeing Aircraft is currently working on its next big airplane, the Sonic Cruiser. But even before a prototype of the Sonic Cruiser takes to the skies, tens of thousands of hours will have been spent on design, planning, testing, legal, administrative, and other tasks. The product development scenario for information technology and information security is radically different. Corporate networks are being rolled out with planning and design that is not on par with that of our counterparts in the aviation and construction industries. In fact, already complex corporate networks are continuously becoming more byzantine. Take an average MIS department and add up all their hardware vendors, network topologies and protocols, operating systems, software add-ons, and custom-written applications. Now try to securely integrate them. If security was not designed into the original system architecture, how can these security products be expected to work? Despite the fact that companies are spending more and more money on information systems security, the systems are growing more and more complex -- and complex systems are much harder to protect. Security Architecture: Design, Deployment and Operations, is intended to help readers design and deploy better security technologies. The authors believe that security architecture must be comprehensive, because a network that is 98% secure is actually 100% insecure. This is especially true, given that -- contrary to popular belief -- information security is not a pure science, but a mixture of art and science. Effective information security must encompass every aspect of the enterprise. Security Architecture shows how to design a secure infrastructure. It addresses all of the major security products and provides details on how to deploy them. The authors incisively write that it is not enough for security professionals to understand the theory behind information security; unless they are able to insert security controls in the proper places within an application (data flows, storage and processing), the security solution will not be effective. A security product that is implemented incorrectly is like medicine that is taken improperly: great in potential, but futile in reality. In addition, if the inserted security solution is not managed with the proper processes in place (e.g., change management, separation of duties, notification, and escalation), the level of security provided will degrade with time until the control becomes ineffective. The book covers all of the fundamentals of information security. Particularly noteworthy is Chapter 3, "Information Classification and Access Control Plan." As companies place more of their corporate data jewels on often-untrusted public networks, the lack of an information classification scheme can have significant negative security consequences. Also, access control is critical in that many organizations -- and even the media -- are busy obsessing about remote hac

While this book didn't light a raging intellectual fire within my gray matter it certainly was a well-crafted and thorough explanation of various security techniques. And although I found some of the chapters a bit bloated and at times confusing the price of the volume was completely justified on the basis of Chapter 12 alone. "PKI: Components and Applications" was by far the most clear and concise treatise I have ever encountered during my months of research covering PKI -- a challenging and almost arcane security method. With envious ease the author managed to delineate complicated and intricate methodolgies using a common-sense approach that's a pleasurable derivation from standard computer book narrative. If you are interested in learning about PKI I suggest no better a place to start or end than "Security Architecture: Design, Deployment and Operations".