Lesson 2: Determining Security Business Requirements | MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)

Your security design must take into account all of your organization's business requirements, because these will serve as the criteria that your security design must meet. When designing security for your network, you must ensure that you gather and understand all business requirements.

After this lesson, you will be able to

Determine how to design security for your organization to meet business objectives

Estimated lesson time: 45 minutes

Determining Business Requirements

Your network's security design will be based on meeting your organization's business requirements, which will range from identifying company priorities to recognizing your organization's risk level.

You must analyze the following business factors when you design your organization's Windows 2000 security:

The business model. The security that's deployed in an organization can be greatly affected by the business model implemented for the organization. An organization with branches around the world may have different business requirements for security than a company with a single office at a single location. You have to know how decisions are made within the company. A centralized decision process will generally lead to a centralized security plan.
The business processes. Security must not hamper day-to-day business within an organization. You need to know how business processes flow. If many people work on a project, you have to know exactly what part they play in the project and what actions they take in the business process. This knowledge will assist you in defining permissions for resources and with group strategies in Active Directory. If the business process has managers, you have to know what rights they require for management. This information will help you define the way you delegate administration structure.
The projected growth. You must develop a security plan that can change and grow with the organization. You don't want to deploy a security plan with a short life span. Be aware of the relationships that the organization has with partners and whether there are any mergers or acquisitions planned in the foreseeable future. The security plan that you deploy must be extensible to handle growth over the next few years.
The management strategy. Does the organization use a centralized or decentralized management strategy? This isn't always an easy question to answer. In many cases the management strategy will be a mix of centralized and decentralized administrative practices. For example, an IT department may centrally manage the creation of all user and group accounts. This is accomplished by restricting this practice to a central team of account administrators. Yet the same organization may delegate administration of servers to each branch office in order to allow local administration where the servers exist on the network. Always ask who manages a resource.
The current security policy. Many organizations will have a predefined security policy. A security policy defines the organization's aversion to risk. This means that the organization clearly states what it considers the minimum acceptable levels of security within their organization. Each facet of the network that you secure may have its own security policy. For example, because certain Internet protocols may have potential security weaknesses, the organization may restrict them from being used on the corporate network.
The tolerance of risk. Organizations can differ on what they consider risky. Some organizations might consider passwords with fewer than 10 characters a security risk, while other organizations may consider 6 characters to be sufficient. Determining an organization's risk tolerance will help you design a security solution that reduces the organization's perceived risks.

NOTE
Remember that risk is best defined by the costs faced if the risk occurs multiplied by the probability that the risk will actually take place. In other words, Risk = Cost × Probability. Converting risk into a numeric formula will help you prioritize risks as you develop a security solution.

The laws and regulations that affect the organization. An organization must abide by the laws and regulations of the jurisdictions where it performs business. Some countries require network management to take place within that country. This rule affects your security design because it requires decentralized management of security within that country. Know the laws and regulations that may affect your security design. For example, if you wish to use strong encryption in your security solution (for example, using 3DES encryption with IPSec), you should be aware that it is forbidden to export strong encryption to countries on the U.S. embargo list. Not only are you affected by U.S. export rules, you are also affected by the import laws of all the countries you do business in. If the country doesn't allow the importing of strong encryption, you need to configure alternate encryption strength for transmissions within that country.

NOTE
For more information on export rules, go to www.microsoft.com and search for "Exporting Microsoft Products."

The organization's financial status. Because a security solution is going to have a dollar value associated with it, you must always determine its projected cost. In the event that the best solution to a problem is financially impossible, you must develop alternate solutions that meet business requirements.
The employees' skills. A security solution might involve several new technologies that an organization's employees don't have expertise in. You must identify these shortfalls and determine whether the staff must learn these technologies or whether the organization should use outsourcing to bring in expert consultants. Either method will cost money.

Making the Decision

You can use Table 1.1 to identify business factors that will affect an organization's security strategies and the actions that you need to include in your security planning in order to address those business factors.

Table 1.1 Identifying the Ways Business Factors Affect Security Design

If the Organization	Include the Following in Your Security Plan
Uses a centralized administration model	Management of administrative group membership Minimize the number of domains
Uses a decentralized administration model	Determine which users will require administrative abilities on the network Determine exactly what rights and permissions the users will require Determine whether the administration can be limited to specific classes of objects or to specific attributes of an object Determine if delegation of administration will meet the organization's needs
Implements business processes	Identify the flow of all information involved in the business processes Determine which users require access to the services involved in the business process Determine the level of access that each participant will require
Projects growth in the near future	Determine the future number of users and computers that will be the near future a part of the network Determine the geographic spread of the organization Include the expected growth of your company in the security plan so that the plan doesn't need to be modified
Shows an aversion to risk	Determine exactly what the organization considers to be risky Ensure that the security plan mitigates the risks andincludes actions to take if the risks occur
Performs business in many countries	Determine if any of the participating country's laws will affect many countries security implementation decisions Identify all import and export laws that could affect your security design
Is constrained by costs	Ensure that the security plan fits within the organization's budget Report all forecasted costs early in the design process so that if costs are too high, the design can be modified early
Does not have the required skill sets	Determine which skill sets are lacking in the organization Determine whether it is more effective to bring in third-party skills or implement staff training

Applying the Decision

Lucerne Publishing must meet the following business requirements in its Windows 2000 security design:

Centralized administration of user accounts. Lucerne Publishing uses a centralized management style for user accounts. The user accounts are all created and modified at the head office in Tokyo. To meet this business requirement, the number of domains in the forest must be minimized and membership in the Domain Admins, Enterprise Admins, Administrators, and Account Operators groups must be carefully monitored to ensure that only approved IT staff are members.
Decentralized administration of servers. Lucerne Publishing uses a decentralized management methodology for its servers. At each office the local servers are managed by the local IT staff. The nearness of the IT support staff allows for quicker recovery times in the event of a server failure. Lucerne Publishing should ensure that IT support staff are members of the Server Operators group in the domains where the servers are located.
Decentralized administration of user passwords. The help desk staff must have the ability to reset all user passwords. If you use delegation of administration, you can delegate the right to reset passwords to a local group that contains all help desk user accounts. This will ensure that the help desk personnel can perform necessary tasks but not grant excess privileges.
Match the business process. Granting help desk operators only the ability to reset passwords ensures that the help desk personnel must contact the Tokyo IT department for any other necessary changes to user accounts.
Plans for growth. Windows 2000 Active Directory can support much larger domains than Windows NT 4.0 could. The expansion plans for Lucerne Publishing will affect the physical design of the network because additional sites must be defined for each of the distribution centers. The only planned expansion that could affect the Active Directory design is the plan to expand into Cuba. Due to current embargoes on Cuba, there may be a requirement for a separate domain to be established for the Havana office.
Issues concerning the Havana office. Cuba is currently on the list of U.S. embargoed countries, which will affect the security design for Lucerne Publishing because strong encryption products can't be exported to Cuba. This will also affect the design of the online ordering application because 128-bit encryption wouldn't be allowed for access from Cuba.
Meets current risk aversion. Because Lucerne Publishing's Web site was recently hacked, the security design for the Web site must take into account how it happened. The design must address the weaknesses exposed during the previous attack to ensure that the same methods can't be used again.
Skill set shortages. The current Web administrator doesn't have the required skill set needed to set up the online ordering Web site. Just sending the Web administrator for three weeks of training won't be sufficient. This is especially true since there is a business requirement to reduce the risk of the ordering Web site being hacked. Consultants must be brought in to design the ordering Web site. Alternatively, the actual creation of the Web site and all necessary security mechanisms could be outsourced.

Lesson Summary

A security plan must meet all of an organization's business requirements. These business requirements will serve as criteria for your security design. When you begin to design your security plan, make sure that you collect all the business requirements so that your plan will meet them. Doing this will also prevent changes to the security plan during the deployment stage.