Security Architecture: Design, Deployment and Operations

Security Architecture: Design, Deployment and Operations [Paperback]

Christopher King (Author), Ertem Osmanoglu (Author), Curtis Dalton (Author)
3.3 out of 5 stars (3 customer reviews)

Book Description

RSA Press, July 30, 2001
With more than 1.3 trillion dollars expected to be spent via e-business on the Internet by 2003, security has never been more important. This title offers a practical, step-by-step approach, and shows how to design and deploy security successfully across the enterprise.


Editorial Reviews

From the Back Cover

Apply the latest security technology to real-world corporate and external applications

Design a secure solution from start to finish and learn the principles needed for developing solid network architecture using this authoritative guide. You'll find hands-on coverage for deploying a wide range of solutions, including network partitioning, platform hardening, application security and more. Get details on common security practices, standards, and guidelines and learn proven implementation techniques from case studies discussed in each chapter. Written by recognized experts and endorsed by RSA Security Inc., the most trusted name in e-security, this comprehensive and practical security guide is your essential tool for planning and implementing a safe and reliable enterprise network.

This book will show you how to:

  • Develop an information classification and access control plan
  • Use the appropriate security policies and technology to best meet your security requirements
  • Comprehend security infrastructure design principles
  • Utilize appropriate security technology in the most secure method
  • Fully understand the tradeoffs between usability and liability
  • Ensure complete network security across multiple systems, applications, hosts, and devices
  • Develop and apply policies, assess risks, and understand requirements for running security-specific technology
  • Work with and configure IDS, VPN, PKI, and firewalls

About the Author

Christopher King CISSP (Andover, MA) (Certified Information Systems Security Professional) is the Managing Principal of Greenwich Technology Partners. He has over 15 years of experience with various corporations such as Bell Atlantic, McGraw-Hill and Fidelity Investments as an Information Security consultant. Prior to joining Greenwich Technology Partners he served as a Cryptographic Engineer with The National Security Agency. He's a regular contributor to Information Security Magazine, Business Communication Review and Computer Security Review.

Curtis Dalton (Georgetown, MA) CISSP, CCIE is a Consulting Engineer with Greenwich Technology Partners. He has over 12 years of experience with companies such as Siemens Information and Communications Networks, Boston Technology Corp and Xerox designing and deploying large-scale network solutions in industries ranging from finance to telecommunications, manufacturing, and R&D.

Ertem Osmanoglu (Malden, MA) is a Security Engineer with Greenwich Technology Partners. He has over 5 years of experience providing systems and security consulting and support services for Ernst and Young.

Product Details

  • Paperback: 481 pages
  • Publisher: Osborne/McGraw-Hill; 1st edition (July 30, 2001)
  • Language: English
  • ISBN-10: 0072133856
  • ISBN-13: 978-0072133851
  • Product Dimensions: 9.2 x 7.4 x 1.4 inches
  • Shipping Weight: 2.3 pounds
  • Average Customer Review: 3.3 out of 5 stars (3 customer reviews)
  • Amazon Best Sellers Rank: #1,415,340 in Books

Customer Reviews

3 Reviews
5 star: (0)
4 star: (2)
3 star: (0)
2 star: (1)
1 star: (0)

Most Helpful Customer Reviews

10 of 13 people found the following review helpful:
4.0 out of 5 stars Excellent referent for building security infrastructure, October 26, 2001
This review is from: Security Architecture: Design, Deployment and Operations (Paperback)
Boeing Aircraft is currently working on its next big airplane, the Sonic Cruiser. But even before a prototype of the Sonic Cruiser takes to the skies, tens of thousands of hours will have been spent on design, planning, testing, legal, administrative, and other tasks.

The product development scenario for information technology and information security is radically different. Corporate networks are being rolled out with planning and design that is not on par with that of our counterparts in the aviation and construction industries. In fact, already complex corporate networks are continuously becoming more byzantine. Take an average MIS department and add up all their hardware vendors, network topologies and protocols, operating systems, software add-ons, and custom-written applications. Now try to securely integrate them. If security was not designed into the original system architecture, how can these security products be expected to work? Despite the fact that companies are spending more and more money on information systems security, the systems are growing more and more complex -- and complex systems are much harder to protect.

Security Architecture: Design, Deployment and Operations, is intended to help readers design and deploy better security technologies. The authors believe that security architecture must be comprehensive, because a network that is 98% secure is actually 100% insecure. This is especially true, given that -- contrary to popular belief -- information security is not a pure science, but a mixture of art and science.

Effective information security must encompass every aspect of the enterprise. Security Architecture shows how to design a secure infrastructure. It addresses all of the major security products and provides details on how to deploy them.

The authors incisively write that it is not enough for security professionals to understand the theory behind information security; unless they are able to insert security controls in the proper places within an application (data flows, storage and processing), the security solution will not be effective. A security product that is implemented incorrectly is like medicine that is taken improperly: great in potential, but futile in reality.

In addition, if the inserted security solution is not managed with the proper processes in place (e.g., change management, separation of duties, notification, and escalation), the level of security provided will degrade with time until the control becomes ineffective.

The book covers all of the fundamentals of information security. Particularly noteworthy is Chapter 3, "Information Classification and Access Control Plan." As companies place more of their corporate data jewels on often-untrusted public networks, the lack of an information classification scheme can have significant negative security consequences. Also, access control is critical in that many organizations -- and even the media -- are busy obsessing about remote hackers from foreign countries and have become oblivious to the real threats to information security: insiders. While it is much more romantic to think about foreigners hacking into your system in the middle of the night, the reality is that most breaches occur via insiders during normal business hours.

The authors of Security Architecture discuss the elements needed to design and deploy effective information security architecture. Critical security products such as PKI, firewalls, VPN, IDS, and others are discussed, but cryptographic accelerators are not mentioned.

This book highlights best practices and security standards and guidelines for effectively securing an enterprise. The book is well organized and easy to read. Many chapters have additional references and URLs for further research.

The inclusion of numerous case studies, combined with the authors' real-world experience, makes Security Architecture a valuable reference. No one would ever want to get on a plane that had not been properly designed and tested. Neither should we want to use networks that have not been adequately designed and tested from a security standpoint. Security Architecture is intended to make sure that doesn't happen.


10 of 13 people found the following review helpful:
4.0 out of 5 stars Diamond In The Rough, August 22, 2001
By 
"dougjames1" (Norwalk, CT USA) - See all my reviews
This review is from: Security Architecture: Design, Deployment and Operations (Paperback)
While this book didn't light a raging intellectual fire within my gray matter it certainly was a well-crafted and thorough explanation of various security techniques. And although I found some of the chapters a bit bloated and at times confusing the price of the volume was completely justified on the basis of Chapter 12 alone. "PKI: Components and Applications" was by far the most clear and concise treatise I have ever encountered during my months of research covering PKI -- a challenging and almost arcane security method. With envious ease the author managed to delineate complicated and intricate methodologies using a common-sense approach that's a pleasurable derivation from standard computer book narrative.

If you are interested in learning about PKI I suggest no better a place to start or end than "Security Architecture: Design, Deployment and Operations".


7 of 10 people found the following review helpful:
2.0 out of 5 stars Getting Lost, January 16, 2002
By 
Ivo (Netherlands) - See all my reviews
This review is from: Security Architecture: Design, Deployment and Operations (Paperback)
The first 5 chapters are really about Security Architecture. The rest of the book has a more technical angle. The author totally, in my view, gets lost in words like: Requirements, Services and Controls. He uses these words sometimes at random. Since these definitions are crucial to a good and understandable built-up of any ICT architecture, the reader might get lost.

Under design guidelines he talks about the services offered by the a team: Authentication, Authorization...etc. etc. Part of those services are Logical Access Controls which he calls "these controls". Under Technical Security Requirements we focus on controls that....The main focus of technical security controls is to protect C.A.I, which are at the same time technical security requirements. At the same time: Controls are designed to govern the following actions: again we find confidentiality, integrity..etc.

All are requirements, actions, controls and services. Not clear enough in my opinion.

The technical part is good.

Inside This Book
First Sentence:
Applying the information security discipline to real-life business applications is the goal of this book.
Key Phrases - Statistically Improbable Phrases (SIPs):
file change history, following case study analyses, financial data center, security incident management, platform hardening, secondary backup facility, certificate management protocols, information security field, audit servers, encrypted username, token technology, kept encrypted, application development life cycle, information security requirements, information security program, protocol endpoints, event taxonomy, application layer security, information security policy, logical access controls, remote access users, corporate security policies, user laptops, business impact analysis, compensating controls
Key Phrases - Capitalized Phrases (CAPs):
Analysis of Case Study, Certificate Authority, New York, Wireless Application Protocol, Started Automatic, John Wiley, Microsoft Windows, Profile Server, Secure Sockets Layer, Internet Engineering Task Force, Secure Shell, Transport Layer Security, Authentication Header, Boiling Frog, Certificate Revocation List, Computer Incident Response Team, Cryptographic Message Syntax, Microsoft Outlook, Non-repudiation Change, Privacy of Consumer Financial Information, Simple Network Management Protocol, Availability Virus, Certificate Management Messages, Encapsulating Security Payload, Enterprise Resource Planning