A blueprint for the next generation of network security is close to release. It lays out a policy-based security architecture intended to serve as an industry model.

The Network Applications Consortium (NAC), whose members include major IT corporations such as Bechtel, Boeing, GlaxoSmithKline and State Farm Mutual Automobile Insurance, will publish the document on 1 January. It is the result of more than a year's work and is titled "Enterprise Security Architecture: A Framework and Template for Policy-Driven Security."

"We have an industry reference document that brings together aspects of security architecture that have never been directly linked together in one document," says Fred Wettling, chairman of the NAC and infrastructure architect for Bechtel. "This ties, from stem to stern, governance down to operations along with a road-map of where to go in the future. As far as a reference model, this is the first of its kind for policy-driven security."

The 121-page document describes the policy, technical and operational models companies should adopt when tailoring a security architecture. The architecture is built on a set of policies created from templates published by the National Institute of Standards and Technology and the International Organization for Standardization. These policies can be represented electronically, stored on a network and used to execute and enforce policy.

The goal is to create a link between the definition, implementation and enforcement of security policies and the physical security components of a network. Eventually, the policies for each will be automated across the physical network.

The NAC is working with industry groups such as the Distributed Management Task Force (DMTF) and the Open Group, as well as vendors such as Cisco and Microsoft, to foster awareness and further refinement of the security architecture plan.

"You can't just buy a security product that is a quick fix to secure interconnected networks and distributed applications. You have to build that into the security products you have: that is architecture," says Daniel Blum, an analyst with Burton Group. He also says policy is a difficult problem with all the layers of security such as server and desktop firewalls and VPNs. "You have to distribute policy enforcement to those endpoints because that is where the threats are, but you have to centralise the decision making. That is why you need common policies and policy languages."

NAC officials say they spent the past eight months updating an April draft of ESA to add a detailed description of the needs and interdependencies for security operations such as compliance, asset, vulnerability, event and incident management. The NAC also added a model that describes automated policy creation from a set of business requirements, such as Health Insurance Portability and Accountability Act compliance, and the implementation and enforcement of those policies.

However, the NAC acknowledges it's a process that requires a level of integration that can't be supported with today's technology and standards.

In the interim, the ESA document lays out a road-map of steps companies can take to move toward a more policy-driven security architecture, including creating or formalising policies, devising naming conventions for users and machines, cleaning up identity data, and supporting a range of standards.

"One of the things we decided to do is that we will maintain the policy automation model and the road-map independently so we can evolve that and make it more real as we work with the DMTF and others," says Harold Albrecht, the ESA project manager and technical writer. "Some of the things in there will change, perhaps significantly."