In today’s article we’re going to be talking about security boundaries within your business, what they are, why you need them and how you can implement them to further safeguard your business and any information you have.
Introduction
So, what are security boundaries? As the name suggests, a security boundary is a line of separation between areas of the business that have different trust or security requirements. Typical boundaries sit between network subnets or virtual local area networks (VLANs), between environments with different security needs (for example a high-security finance network and the general office network), and between your internal network and the internet.
To some basic degree, one such boundary is already in place for every computer that talks to the internet: the firewall. Here you are drawing a line in the sand, so to speak, and putting a boundary between your computer and the internet. The aim of this article is to apply the same idea deliberately, inside the business, wherever two areas should not trust each other by default.
Identification and planning security boundaries
Knowing that you need to identify the security boundaries within the business is the first step towards planning for better security. But how do we go about identifying what we need, and how do we plan the implementation?
The best way of doing this is understanding your business, not only at a technical network level, but also at the business level. Do you have multiple locations, multiple departments, are you working in a shared office or location? Do people work from home? Do you use wireless and virtual private networks? Do you use a lot of cloud providers for your information?
Once you understand what is in place and what you need to protect you can then start looking at what needs to be separated or protected from other areas and what security requirements need to be put in place. This will take some planning and talking to members of staff likely from other departments and teams, if available.
You will need to look at ways of deploying mechanisms to control the flow of information across these boundaries. Is it purely logical access control and firewall rules, or do you also need locks on doors and key fobs to reach restricted areas? Remember that we are looking at all areas of the business, both digital and physical.
More importantly, all of this planning and every resulting change needs to go through a change control process and be reflected in your information security policy, so that everyone is aware of the changes and the procedures that come with them.
When you are looking at your security boundaries, any area of the business that is defined as protected or unprotected should be clearly labelled as such. But how do you know which is which? Unfortunately, it is up to you and your business to define what should be protected. As a general rule, anything within the business environment and the internal network is treated as protected, and anything internet-based, such as coffee shop and public wireless networks, is treated as unprotected.
For physical or logical environments that are being segregated, you should ensure that only people who are deemed to be authorised can enter or access them, whether that is by knowing a door code, holding a key fob, or some other control. This should be communicated to all members of staff through policies and awareness training, and they should be made aware that breaching these controls could have consequences up to and including prosecution.
When planning the separation and the controls on information flow, you should ensure that the security controls you apply offer the most reasonable, cost-effective and efficient solution for your business. Just because a product is new on the market or costs substantially more to implement does not mean it is the right fit for your business.
You must also ensure that the security controls you plan are weighted against the value of the assets they protect. Deploying countermeasures that cost more than the value of the protected assets is unwarranted. So this goes back to evaluating and implementing right-sized security controls for your business and its security boundaries.
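As an added illustration (not part of the original article), the following Python sketch models the planning described above as a zone policy: each zone carries a trust level, anything not explicitly allowed is denied, every allow rule must carry a justification, and an audit lists the rules a reviewer should look at first, namely any rule that lets a lower-trust zone initiate into a higher-trust one, or that places no port restriction. The zone names, trust levels and rules are assumptions made up for the example.

```python
"""Zone-based boundary policy model: default deny, justified allows, audit."""
from dataclasses import dataclass
from typing import Optional

# Trust level per zone (higher = more protected). Zone names are assumptions
# for this example; a real business would map its own VLANs/subnets here.
ZONES = {
    "internet": 0,
    "guest_wifi": 1,
    "corporate": 2,
    "restricted": 3,  # e.g. a finance/HR VLAN
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: Optional[int]  # None means any destination port
    reason: str           # every allow must be justified in writing


# Explicit allow list. Anything not listed here is denied (default deny).
# The last rule is deliberately weak so the audit has something to find.
RULES = [
    Rule("corporate", "internet", 443, "web browsing via the proxy"),
    Rule("guest_wifi", "internet", 443, "guest web browsing"),
    Rule("corporate", "restricted", 443, "finance web app for approved staff"),
    Rule("internet", "corporate", None, "legacy remote access, never reviewed"),
]


def is_allowed(src: str, dst: str, dport: int, rules=RULES) -> bool:
    """Evaluate a flow against the policy: explicit allow or default deny."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} or {dst!r}")
    if src == dst:
        return True  # traffic inside one zone does not cross a boundary
    return any(
        r.src == src and r.dst == dst and (r.dport is None or r.dport == dport)
        for r in rules
    )


def audit(rules=RULES) -> list:
    """Return (rule, finding) pairs that a reviewer should justify or remove.

    Two patterns are flagged: a lower-trust zone initiating into a
    higher-trust zone, and any rule without a port restriction.
    """
    findings = []
    for r in rules:
        if ZONES[r.src] < ZONES[r.dst]:
            findings.append((r, "lower-trust zone initiates into higher-trust zone"))
        if r.dport is None:
            findings.append((r, "no port restriction"))
    return findings


if __name__ == "__main__":
    print("corporate -> restricted :443", is_allowed("corporate", "restricted", 443))
    print("guest_wifi -> restricted :445", is_allowed("guest_wifi", "restricted", 445))
    for rule, finding in audit():
        print(f"REVIEW {rule.src} -> {rule.dst} ({rule.reason}): {finding}")
```

The point of the audit is not that every finding is wrong (approved staff reaching a finance application from the corporate VLAN is usually legitimate) but that each one must be consciously accepted and recorded, which is exactly what the change control and policy steps above are for.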
Implementation of security boundaries
Now that you have looked at your business, understand your boundaries that you need to protect and have an idea of what countermeasures you are going to deploy, you need to establish an implementation plan.
Every business is going to have a different implementation plan; there is no one size fits all, because every business has different premises, configurations and systems. But you should document everything you are going to do, put it through change control and communicate all the changes. Some changes may be breaking changes to the current environment: for example, people may no longer have access to certain systems or areas of the business that they could reach before, because that access is now blocked. Make sure this is communicated before the implementation.
Once you have implemented your security boundaries and the associated countermeasures, you need to monitor the changes. Are they working as expected? Is anything not working? Keep an eye on the logs you have, particularly denied connections at each boundary, and monitor the security metrics of your technical devices. Build up a history of these metrics so that you have a baseline, and compare the current trend against it to spot what is not right in the future.
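As an added example (not from the original article), the following Python script shows the kind of boundary monitoring described above: it parses firewall deny lines, attributes each one to a source zone and destination zone by subnet, counts denied attempts per source and boundary crossing, and compares those counts against a stored baseline, flagging sources that exceed it by a chosen factor and any crossing that has no baseline at all because it should never occur. The log format, subnets and baseline figures are constructed for the example and do not come from a real device.

```python
"""Trend check over boundary-firewall deny logs against a baseline."""
import ipaddress
import re
from collections import Counter

# Zone assignment by subnet. These networks are assumptions for the example.
ZONE_SUBNETS = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "restricted": ipaddress.ip_network("10.30.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_SUBNETS.items():
        if addr in net:
            return name
    return "internet"


# Constructed deny lines in a simplified netfilter-style syslog format.
SAMPLE_LOGS = """\
Mar 01 09:00:01 fw kernel: DENY IN=vlan10 SRC=10.10.4.7 DST=10.30.1.5 PROTO=TCP DPT=445
Mar 01 09:00:02 fw kernel: DENY IN=vlan10 SRC=10.10.4.7 DST=10.30.1.5 PROTO=TCP DPT=3389
Mar 01 09:00:03 fw kernel: DENY IN=vlan10 SRC=10.10.4.7 DST=10.30.1.6 PROTO=TCP DPT=445
Mar 01 09:00:04 fw kernel: DENY IN=vlan20 SRC=10.20.9.1 DST=10.30.1.5 PROTO=TCP DPT=22
Mar 01 09:00:05 fw kernel: DENY IN=wan SRC=203.0.113.9 DST=10.20.0.10 PROTO=TCP DPT=3389
Mar 01 09:00:06 fw kernel: ACCEPT IN=vlan20 SRC=10.20.9.1 DST=10.30.1.5 PROTO=TCP DPT=443
"""

# Only DENY lines are of interest; ACCEPT and unrelated lines are skipped.
LINE_RE = re.compile(r"DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def count_denies(log_text: str) -> Counter:
    """Count denied attempts keyed by (source IP, source zone, destination zone)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        counts[(src, zone_of(src), zone_of(dst))] += 1
    return counts


# Constructed baseline: typical denies per source per hour for each crossing,
# built up from history as the article recommends. Crossings missing from the
# baseline are ones the business says should never happen.
BASELINE = {
    ("guest_wifi", "restricted"): 0.5,
    ("corporate", "restricted"): 2.0,
    ("internet", "corporate"): 50.0,
}


def flag_anomalies(counts: Counter, baseline=BASELINE, factor: float = 3.0) -> list:
    """Return (src_ip, (src_zone, dst_zone), count) for sources above factor x baseline.

    A crossing with no baseline entry is always flagged, since it should not occur.
    """
    flagged = []
    for (src, sz, dz), n in counts.items():
        base = baseline.get((sz, dz))
        if base is None or n > factor * base:
            flagged.append((src, (sz, dz), n))
    return flagged


if __name__ == "__main__":
    for src, crossing, n in flag_anomalies(count_denies(SAMPLE_LOGS)):
        print(f"ALERT {src} {crossing[0]} -> {crossing[1]}: {n} denies")
```

In the sample, three denied attempts from one guest wireless address towards the restricted VLAN exceed the baseline and are flagged, while the single denies from the corporate VLAN and the internet stay within their expected ranges. The factor and baseline are what the history of metrics is for; without them, every deny looks equally urgent.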
Continuous improvement
Just because you have planned and implemented your new security controls does not mean it ends there. You need to routinely review your security boundaries and the countermeasures in place, at least annually, and check that they are still the right fit for the business and for the systems and areas they protect. Things change and things become unsupported, so regular review and updating is good for your business and the information it safeguards.