New security manager starting at ground zero

Editor's note: Last week, Security Manager's Journal contributor Jude Thaddeus decided to pass the baton, but our new author, "Mathias Thurman," is ready to take the next lap. New to management and with a fancy title, Thurman faces the daunting task of creating a security infrastructure at a rapidly growing start-up company. He's got the job. He's got the budget. Now he just needs a plan.

I like working for start-ups. One of my passions in life is helping to build things, and start-ups give me that pleasure. So now I've gone and done it. I've joined a small start-up company where I'm the first security professional on board. My previous experience has been mostly hands-on engineering, project leader and analyst positions. This time, however, I've been hired as the manager for enterprise security.

My company writes its own software and makes it available to clients over the Internet via a standard Web browser. Our infrastructure is fairly small: slightly fewer than 50 servers. However, the application architecture is complex and highly managed. Front-end Apache Web servers talk to midlevel in-house-developed application servers, which talk to back-end Oracle database servers. It's a three-tiered architecture with many interdependencies.

The company administers its own network, servers and applications. And we're building a state-of-the-art operations center that will monitor our production servers - which are currently hosted at a service provider's site - complete with all the bells and whistles, man traps and biometrics. We have about 25 sales and professional service offices worldwide, all using virtual private network connections to our corporate intranet for such things as e-mail, Web access and file sharing. We also have several other areas: preproduction, staging, quality assurance, development and probably others that I have yet to discover.

I was hired after my employer hired a security consulting firm to accomplish one of those third-party, US$30,000, three-week audits. If you've never had the pleasure of having some computer hackers dedicate three weeks of their lives to fully exploiting your entire livelihood, then you don't know what you're missing. It's amazing and well worth the money. We did fairly well. However, there were some glaring issues that need to be addressed.

One audit report recommendation was to hire a security manager and build a team. So, here I am. I report directly to the CIO, I've been told I have a substantial hardware and software budget to work with, and I have a generous budget to hire two security engineers. I've started by creating a list of short-term projects.

The Plan

I'll review the audit and immediately address the critical findings. I'll also develop a project plan to address the additional findings, get acquainted with the managers in all departments, become intimately familiar with the network and applications and develop a cross-functional team using people from different departments.

In addition, I've started putting together my shopping list: an intrusion-detection system (IDS), file integrity-checking software, two-factor authentication infrastructure, vulnerability assessment tools, secure administrative software and the hardware to support these applications.

The company already has made a significant investment in Pix firewalls from San Jose-based Cisco Systems Inc., so I'm not going to switch. The network engineering department has been administering the firewalls, and I'll leave that in place and just do audits of the rule base.

I'm currently in the evaluation stages of picking an IDS. I've narrowed it down to SafeSuite from Atlanta-based Internet Security Systems Inc., the NFR Intrusion Detection System from Washington-based NFR Security Inc. and a fairly new but well-respected tool called Dragon, from Rochester, N.H.-based Enterasys Networks Inc. I have to pick one that will incur the least amount of administration, can handle a large portion of our network traffic and is cheap. I'll supplement this tool with some shareware and homegrown assessment tools.

For file integrity-checking software, nothing beats Tripwire software from Portland, Ore.-based Tripwire Inc. It actually has a new, centralized management console that can talk to all other machines using Tripwire and allows on-the-fly policy file changes, scheduling and reporting. Neat stuff.
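To show what a file integrity checker actually does under the hood, here is an added example written for this page; it is not Tripwire's software or anything from the author's company. It records a SHA-256 hash, permission bits and size for every regular file under a directory, then re-scans and reports what was added, removed or modified. The directory layout and file contents in `demo()` are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustrative example, not Tripwire's code: a minimal file-integrity
# checker that records a SHA-256 baseline for a directory tree and reports
# files that were added, removed or modified since the baseline was taken.


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative_path: (sha256, mode_bits, size)} for every regular file under root.

    Symlinks are skipped so a link pointing at a changing target does not
    show up as a modification of the link itself.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[str(path.relative_to(root))] = (
                sha256_file(path), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare(baseline, current):
    """Diff two baselines; a changed hash, size or permission bits counts as modified."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "httpd.conf").write_text("ServerTokens Prod\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF original binary")
        baseline = build_baseline(root)

        # Simulated drift: a replaced binary, a new config file, a deleted file.
        (root / "bin" / "login").write_bytes(b"\x7fELF replaced binary")
        (root / "etc" / "ssh_config").write_text("Port 22\n")
        (root / "etc" / "motd").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be stored and signed off-host (an attacker who can alter the binaries can also alter a baseline kept beside them), which is the problem a centralized console like the one described above addresses.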

I'll use ACE/Server from RSA Security Inc. in Bedford, Mass., and get a bunch of SecurID tokens to handle my authentication needs. Antivirus software vendor F-Secure Corp. in Espoo, Finland, has a fully supported version of the Secure Shell (SSH) secure session program, which is even reported to be able to utilize SecurID tokens through a RADIUS server. The use of SecurID tokens and SSH has always been a problem in the past because the two couldn't work together.

Getting Physical

In addition to system and network security responsibilities, I'm also in charge of physical security. Fortunately, the funds will come out of a different pot of money, but I'm still responsible for identifying the requirements, which I feel should include picture identification access badges, card readers, closed-circuit TV equipment and a centralized alarm system.

I'm also thinking of a biometric system for our network operations center (NOC), which is currently under construction. Not that I'm so worried about unauthorized access. Biometric systems look cool when you walk a customer through the NOC. I believe it's worth the money if we land one big contract because of it. Initially, and until I have the time to get involved, I'm going to try to maintain an oversight function and let the facilities manager handle the physical security.

This is actually my first job in which I'll hold the title of manager. I've had management responsibilities before, but never the title or budget. With a limited budget and worldwide presence, maintaining a robust security infrastructure will be a challenge. The rest of the week will be spent meeting staff, getting acquainted with our infrastructure and calling vendors to start the negotiations. I'm the security manager, and I've got some money to spend.

- This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com to help you and our security manager better solve security problems. Contact him at mthurman@hushmail.com or head to Computerworld.com's Security Manager's Journal interactive forum.

This Week's Glossary

SSH: Secure Shell is an industry standard program that provides for encrypted remote user sessions and allows users to create public and private keys to control sessions. Both commercial and shareware versions are available.

SecurID token: A randomly assigned number, assigned by a small device the size of a credit card, that can be used in combination with a personal identification number to provide an additional level of authentication for resource access.

RADIUS server: Remote Authentication Dial-in User Service (RADIUS) allows multiple servers and devices to pass authentication information to a single machine. A RADIUS server contains the authentication information.

Two-factor authentication: An authentication scheme that requires users to divulge something they should know and something that they have or "are." A normal user ID and password pair isn't considered two-factor authentication, but a user ID/password combined with a digital token or a fingerprinting scanner is.
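The following is an added example, written for this page, of how the two factors described in the glossary fit together in code; it is not RSA's SecurID algorithm nor any vendor's product. Factor one is a salted password hash (something the user knows); factor two is a PIN plus a six-digit code derived from a per-token secret and the current 30-second time step, in the style of the HOTP/TOTP truncation (RFC 4226/6238). The seed, PIN, user name and step constants are constructed for the demo. A code that has already been accepted is refused a second time, so a captured passcode cannot be replayed within its validity window.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example, not RSA SecurID or any vendor's code. Demonstrates a
# two-factor check: password (know) + PIN and time-based token code (have).
STEP_SECONDS = 30   # each token code is valid for one 30-second step
DIGITS = 6          # length of the displayed token code
WINDOW = 1          # also accept the adjacent steps to absorb clock drift


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2 so a stolen user database does not yield passwords directly."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])   # constant-time


def token_code(seed, counter):
    """Code the token would display for a given time step (RFC 4226 truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** DIGITS):0{DIGITS}d}"


class TwoFactorAuthenticator:
    """Checks user ID + password, then PIN + token code; accepted codes cannot be reused."""

    def __init__(self):
        self.users = {}          # user -> password record, token seed, PIN
        self.last_counter = {}   # user -> highest time step already accepted

    def enroll(self, user, password, seed, pin):
        self.users[user] = {"pw": hash_password(password), "seed": seed, "pin": pin}
        self.last_counter[user] = -1

    def authenticate(self, user, password, passcode, now=None):
        """passcode is the PIN followed by the token's current code, e.g. '1234' + '492039'."""
        rec = self.users.get(user)
        if rec is None or not verify_password(password, rec["pw"]):
            return False                                  # factor one failed
        if len(passcode) <= DIGITS:
            return False                                  # no room for a PIN
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(pin, rec["pin"]):
            return False
        counter = int((now if now is not None else time.time()) // STEP_SECONDS)
        for candidate in range(counter - WINDOW, counter + WINDOW + 1):
            if candidate <= self.last_counter[user]:
                continue                                  # already consumed: replay guard
            if hmac.compare_digest(code, token_code(rec["seed"], candidate)):
                self.last_counter[user] = candidate
                return True
        return False                                      # factor two failed


if __name__ == "__main__":
    auth = TwoFactorAuthenticator()
    seed = b"constructed-demo-seed-16"       # in practice a per-token random secret
    auth.enroll("alice", "correct horse", seed, "1234")
    code = token_code(seed, int(time.time()) // STEP_SECONDS)
    print("first use:", auth.authenticate("alice", "correct horse", "1234" + code))
    print("replay:   ", auth.authenticate("alice", "correct horse", "1234" + code))
```

Note that a failed password still consumes the same work as a successful one and the comparisons are constant-time, so the check does not leak which factor was wrong; that property matters more than the particular code-generation function, which here stands in for whatever the token vendor uses.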

Man trap: This is usually a corridor in the computer center that traps intruders in the event that they are able to bypass initial physical security controls.

www.iss.net: Internet Security Systems Inc.
www.enterasys.com: Enterasys Networks Inc.
www.nfr.com: NFR Security Inc.
www.securitywizards.com: Network Security Wizards Inc.
www.f-secure.com: F-Secure Corp.
www.rsasecurity.com: RSA Security Inc.
