Software-defined Protection - page 36

ENTERPRISE SECURITY BLUEPRINT
03 MANAGEMENT LAYER
Modularity
Security policy in large enterprises has become very complex: rule bases typically
contain thousands of rules. Worse, many organizations use multiple security management
tools, each providing a narrow view of only a subset of the enterprise configuration.
Complexity combined with this tunnel vision leads to siloed administrative practices.
A unified console provides administrators with the ability to define security policy in a
consolidated manner for networks, hosts, applications and data. Policy modularity allows
administrators to break down monolithic rule bases into simple, reusable and manageable
components by separating the security policy rules into independent modules, such that
each module is concerned with a simple aspect of the overall policy. The Management
Layer compiles the different policy modules together to create the complete policy
provisioned to the Control Layer.
In order to achieve the goal of modular policy, security policy needs to follow the logical
segment boundaries as defined in the Enforcement Layer. By focusing on each segment
and on its required interactions, policy definition is greatly simplified.
Modularity facilitates distribution of the security administration task across different
teams working together simultaneously to address organizational challenges. Each
administrator is exposed to a simple subset of the overall security policy that relates to
his or her area of responsibility. In order to be able to scale to very large organizations,
the Management Layer must be able to support multiple administrators taking part
simultaneously in the security policy management process, permitting concurrent changes
to security policies and providing merge capabilities as necessary.
Policy modules are defined in layers and sub-layers, taking into account the different
protection types. Separate layers could deal with network flows, data flows, compliance
with applicable regulations, etc. A more detailed subordinate policy can refine (override)
a global policy, for example by restricting traffic the global layer permits, but should
not be able to violate it by permitting what the global layer denies. The Management
Layer therefore has to define a framework for policy inheritance and for resolving
conflicts between policy modules.
In the example given in Figure 3-A, the Internal Servers segment hosts a database server,
while a Web server that is used to access the database is hosted on the DMZ segment. Data
center network administrators could define a global network security policy layer (1) that
allows certain protocols over the internal network. A sub-layer defining authorized Web
applications might be controlled by a DMZ administrator (2), whereas an administrator
responsible for Internal Servers manages an independent layer defining the data objects
authorized to flow out of the segment (3).
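The layered policy of Figure 3-A, written out as an added worked example (this is illustrative code, not code from the Software-defined Protection paper or any Check Point product). The segment names, rule fields and the conflict-resolution rule are assumptions: every layer whose segment boundary a flow touches must allow the flow, so a sub-layer can narrow what the global layer permits but can never permit what the global layer denies.

```python
"""Layered security policy: one global layer plus per-segment sub-layers.

Added illustration of policy modularity; field names, segment names and the
"every layer in scope must allow" conflict-resolution rule are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

WILDCARD = "*"


@dataclass(frozen=True)
class Flow:
    src: str                            # source segment
    dst: str                            # destination segment
    protocol: str
    app: Optional[str] = None           # application identity, when known
    data_object: Optional[str] = None   # data classification, when known


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    src: str = WILDCARD
    dst: str = WILDCARD
    protocol: str = WILDCARD
    app: str = WILDCARD
    data_object: str = WILDCARD

    def matches(self, f: Flow) -> bool:
        pairs = [(self.src, f.src), (self.dst, f.dst), (self.protocol, f.protocol),
                 (self.app, f.app), (self.data_object, f.data_object)]
        return all(pat == WILDCARD or pat == val for pat, val in pairs)


@dataclass
class Layer:
    name: str
    owner: str                          # team that administers this module
    rules: List[Rule]                   # first-match order, like a firewall rule base
    in_scope: Callable[[Flow], bool]    # the segment boundary this module covers
    default: str = "deny"

    def decide(self, f: Flow) -> Tuple[str, str]:
        for r in self.rules:
            if r.matches(f):
                return r.action, f"{self.name}/{r.name}"
        return self.default, f"{self.name}/default"


def compile_policy(global_layer: Layer, sub_layers: List[Layer]):
    """Merge the modules into one evaluator (the Management Layer's job).

    A sub-layer is consulted only for flows inside its scope; a deny in any
    consulted layer is final, so sub-layers can only narrow the global layer.
    """
    def evaluate(f: Flow) -> Tuple[str, List[str]]:
        trail: List[str] = []           # which rule decided, layer by layer
        for layer in [global_layer, *sub_layers]:
            if not layer.in_scope(f):
                continue
            action, why = layer.decide(f)
            trail.append(why)
            if action == "deny":
                return "deny", trail
        return "allow", trail
    return evaluate


# (1) global network layer, owned by the data-centre network team
GLOBAL = Layer("global", "dc-network", in_scope=lambda f: True, rules=[
    Rule("web-to-dmz", "allow", src="Internet", dst="DMZ", protocol="https"),
    Rule("dmz-to-db", "allow", src="DMZ", dst="Internal Servers", protocol="sql"),
])
# (2) authorised web applications, owned by the DMZ administrator
DMZ_APPS = Layer("dmz-apps", "dmz-admin", in_scope=lambda f: f.dst == "DMZ", rules=[
    Rule("orders-portal", "allow", protocol="https", app="orders-portal"),
])
# (3) data objects allowed to leave Internal Servers, owned by that segment's admin
INTERNAL_DATA = Layer("internal-data", "internal-admin",
                      in_scope=lambda f: "Internal Servers" in (f.src, f.dst), rules=[
    Rule("orders-data", "allow", protocol="sql", data_object="customer_orders"),
])

POLICY = compile_policy(GLOBAL, [DMZ_APPS, INTERNAL_DATA])


def example_decisions() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed sample flows through the compiled policy."""
    return {
        "portal":   POLICY(Flow("Internet", "DMZ", "https", app="orders-portal")),
        "admin-ui": POLICY(Flow("Internet", "DMZ", "https", app="admin-console")),
        "db-ok":    POLICY(Flow("DMZ", "Internal Servers", "sql", data_object="customer_orders")),
        "db-bad":   POLICY(Flow("DMZ", "Internal Servers", "sql", data_object="payroll")),
        # sub-layer (3) would allow this, but the global layer denies it first
        "bypass":   POLICY(Flow("Internet", "Internal Servers", "sql", data_object="customer_orders")),
    }


if __name__ == "__main__":
    for label, (action, trail) in example_decisions().items():
        print(f"{label:9} {action:5} via {' -> '.join(trail)}")
```

The `trail` returned with each decision is what a multi-team console needs for conflict resolution: when a flow is denied, it names the module (and therefore the administrator) whose rule decided, and the "bypass" case shows that an allow rule written by the Internal Servers administrator cannot be reached while the global layer denies the flow.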