An influential industry user group is tackling a problem that has stumped many network executives: how to create an enterprise security architecture.

The Network Applications Consortium (NAC) plans to publish a document this summer that outlines the principles, policies, standards, technologies and processes necessary to protect a company's information assets. NAC's Enterprise Security Architecture addresses hot topics in cybersecurity such as governance, technology architecture and operations.

The document will affect how several major corporations - including Bechtel, Boeing, GlaxoSmithKline and State Farm Insurance - make network hardware and software purchases in the future, network executives at these companies say. NAC members also plan to use the document to influence how key network vendors such as Cisco, Entrust, Microsoft and Symantec create security products. The consortium plans to embrace several security standards - selections have not been finalised - and urge vendors to adopt these standards.

Network executives from several multinational corporations last week participated in a two-day meeting to review and refine the latest draft of the security architecture document. NAC gave Network World a sneak peek at the document and an exclusive opportunity to interview NAC members about their cybersecurity efforts.

NAC's leadership says its Enterprise Security Architecture is the most important document the group has crafted in several years.

Reference point
"This document is something that we hope will become a common reference point" for our members when they purchase and deploy security products, says NAC Chairman Fred Wettling, infrastructure architecture manager at Bechtel. "It's been a couple years since we've produced a document of this scope." NAC started work on Enterprise Security Architecture last October, when member GlaxoSmithKline asked for help developing a comprehensive security architecture. A dozen NAC members have worked regularly on the document, which is in its 10th draft. NAC officials expect the document to be finalised by August.

"Everyone was in various stages of putting security architectures together," Wettling says. "State Farm Insurance was further along than the rest of us, but we were all grappling with this issue."

The document's goal is to create a framework that lets companies mix and match security products from different vendors while assuring interoperability and manageability.

The 59-page draft document outlines a framework that a company can use to ensure the confidentiality of information, integrity of data and the availability of IT resources. It is written for corporate decision-makers, such as network, IT and C-level executives.

The draft document doesn't detail what a company's security requirements should be or the types of security products it should deploy. Instead, it provides a methodology for managing information-security risks to an acceptable level and in a cost-effective way.

Not comprehensive
NAC members say they are struggling to define their own security architectures in the wake of mergers, acquisitions, joint ventures and other business dealings that require rapid and regular changes to network infrastructures. Meanwhile, viruses, worms and other attacks increasingly threaten corporate networks.

"Having a security architecture is a huge priority for us," says Bill Rocholl, first vice president for network technical services at Dutch banking conglomerate ABN AMRO. "We have a strategy and plan for security, but it's not as comprehensive as the one that's being developed here."

Rocholl says ABN AMRO has had a security strategy for two years and a corporate governance plan for four years. He plans to use the NAC Enterprise Security Architecture as an industry benchmark.

"We can validate, compare and do gap analysis to see if our strategies have any holes," Rocholl says. "This framework still needs to be developed, but hopefully it will be helping us solve problems that are three to five years out."

Rocholl says having a security architecture that is consistently applied is important for ABN AMRO. That's because the company grows through acquisitions and needs to merge networks quickly when acquisitions are approved.

"This document may influence our purchases of security devices and applications, especially if we can influence vendors to come out with the products we want," Rocholl adds.

The construction company Bechtel also expects NAC's Enterprise Security Architecture to affect its network security purchases. Bechtel's security budget has been growing at double-digit rates over the last four years, but it still accounts for less than 1 percent of this year's overall IT budget.

"Information security has become more important over the last four years," says Don Michniuk, corporate manager of information security at Bechtel. "Our senior management is interested in intellectual property leakage, e-mail impersonation and virus [protection]."

Michniuk says NAC's Enterprise Security Architecture will help Bechtel create consistent security capabilities across business units and help foster a common language for IT executives to use when talking about cybersecurity with upper management.

Following last week's discussions, NAC plans to make significant changes to the draft document before its release. Currently, the document is divided into three sections.

The governance section defines eight security principles, including simplicity and resilience. It lists questions to ask when creating security policies and provides a template that addresses services such as encryption, authorization and authentication.

The technology architecture section provides a three-layer security model. The resource layer includes workstations, servers, applications, databases and data. The perimeter layer includes security products such as firewalls that enforce boundaries between corporate networks and the Internet. The access layer includes proxy servers that enforce identity-related access to network resources.

The operational architecture section considers issues such as design and development, deployment, monitoring, change management, vulnerability management and ongoing assessment.

"What we're looking for is some kind of framework that helps us solve the problem of how to make security products interoperate with each other," Wettling says.

NAC has significant clout among network vendors. NAC companies represent combined revenues of more than $750 billion, more than 50,000 network servers and 1 million workstations. Founded in 1990, NAC has used that support to help advance key industry standards such as the Lightweight Directory Access Protocol.

"This document will have real market impact without a doubt," says Tony Rock, vice president of client services at Archer Technologies, which sells enterprise security management software to Lehman Brothers, Citigroup, Credit Suisse First Boston and many other financial services firms. "It will be interesting to see where this effort is at a year from now."

NAC's Enterprise Security Architecture will be available to non-members of the NAC, including corporate users and vendors, via written request.