What is an Enterprise Environment?
From a technology perspective, an enterprise environment is the sum of all information assets that support the processing, storage, or transmission of the data behind an organization's business functions. Such assets include everything from user endpoints (e.g., laptops, phones, tablets) to servers (virtual or physical), data storage, network infrastructure, and leveraged cloud resources. Each type of information asset plays a specific role in supporting the business functions of an organization and must be protected appropriately.
What is Enterprise Security?
Enterprise security is the process by which an organization protects its information assets against loss of confidentiality, integrity, or availability. In addition to specific technology implementations, enterprise security also includes the policies and procedures that provide guidance on who implements the protection mechanisms for an organization's information assets, what they implement, why, and how.
Often overlooked, people are major contributors (or liabilities) to enterprise security. People must be trained frequently on existing and emerging threats that seek to exploit the human element of all organizations.
A risk management program is a key tool for deciding which protections to implement: it identifies the assets, the threats to those assets, where vulnerabilities exist, and the controls that can mitigate the identified risks. Because the enterprise continually changes, the effectiveness of the risk mitigation efforts, and of the overall enterprise security program, must be reassessed continually and improved.
Why is Enterprise Security (& Cyber Security) Important?
While this question seems obvious, it is surprising how many enterprises have weak or ineffective security programs or none at all. In today’s cyber environment, an effective enterprise security program is imperative in order to protect the computing infrastructure upon which the enterprise is built.
Effective enterprise security programs enable the mission of the enterprise rather than hinder it. Without an effective security program, enterprises leave themselves exposed to countless bad actors, including organized criminal groups.
Why Is Enterprise Security An Important Piece To The Success Of A Business?
There are many elements that can make a business successful, but an organization's enterprise environment is one of the most important. Because technology is the heart of the enterprise environment, it is imperative that it be protected via a strong enterprise security plan and supporting enterprise security tools. The enterprise security plan must state how the organization will treat the risks and associated threats identified through the enterprise risk assessment.
Once the plan is established, security tools and internal processes can be employed to support it. Enterprise security is a critical facet of the functioning of the business because it protects the data and information the business relies on to execute its mission. Without a defined approach to implementing enterprise IT security, companies are susceptible to data loss, theft, and destruction, which can damage their reputation, lead to fines for the loss of customer data, or cause the company to fail altogether.
What are Five Practices to Enhance Enterprise Level Security?
Implementing an effective enterprise security program takes time, focus, and resources. If your organization does not have an effective enterprise security program, getting started can seem overwhelming.
Use your understanding of what data, systems, and infrastructure are critical to your business and where you are most vulnerable. Then develop a plan to implement, assess, and manage the controls put in place.
Not all internal controls are created equal, so it is important to focus first on those controls that are relatively straightforward to implement and provide significant gains in protecting and securing your enterprise.
Based on the Center for Internet Security (CIS) Critical Security Controls (18 controls in version 8), the list below focuses on core principles of enterprise security and will put your enterprise on the right path to a more secure environment.
1) Define & Control Your Enterprise IT Assets
In order to protect your enterprise, you must have a solid understanding of the assets that are owned by the organization. The enterprise security inventory consists of all information assets (e.g. servers, workstations, cloud services) that support the mission of the enterprise through information processing and storage operations. It includes information assets that the enterprise controls as well as external services that are leveraged in support of the enterprise.
Before cloud computing became mainstream, defining an enterprise IT boundary was fairly straightforward: it consisted of the computing assets on-premises at the organization and/or at a colocation data center. With the near-ubiquitous adoption of cloud services, the enterprise cybersecurity boundary has become blurry and is no longer defined by geographic location. It must be extended to include leveraged cloud services.
For example, an organization may have information assets on-premises at its corporate location but also use AWS or Azure for additional compute and storage. Many reported data breaches have resulted from AWS S3 buckets left publicly readable on the internet; in each case the bucket was storage the organization owned and was responsible for configuring, even though it sat outside the traditional perimeter.
Cloud services operate under a shared responsibility model: the provider secures the underlying infrastructure, and the customer is responsible for configuring the services it uses and for protecting its own data, identities, and access. It is therefore the responsibility of the enterprise using the cloud services to implement the protections and controls that keep those services from leaving it open to attack or breach. These external services need to be included in the organization's IT asset inventory so that controls are properly implemented.
Defining the enterprise asset inventory is critical because what is not defined cannot be protected or hardened (see point #4 below). Enterprises must understand which assets are persistently on their network and which are transient (e.g., laptops of sales staff); transient devices may not be as current on security updates as devices that are always connected.
Active or passive discovery tools (network scans, DHCP and ARP logs, switch tables) help organizations develop their inventory and understand the scope of the effort to protect each asset on the network. Unfamiliar devices should be investigated quickly and either removed from the network, quarantined, or approved for use (with the inventory updated). Developing an inventory of hardware assets (including virtual hardware) supports the efforts of step #2.
2) Define Your Software Environment
Defining your software environment goes hand-in-hand with defining your boundary and identifying the hardware devices (including virtual devices). For this effort, identify all software that is running on every platform within your boundary.
Using a software inventory tool will be extremely helpful in completing this task and understanding what software the enterprise is using to support its business functions. You will likely find considerable amounts of software running in your environment that was previously unknown and does not support a business function of your organization.
The business need for the software should be substantiated, or the software should be removed from your environment. Keep all software versions up to date, as this reduces your exposure to attacks on unpatched software.
The approved software inventory should also be correlated with the approved hardware inventory. This helps in developing approved baselines, shows up software running on hosts that are not in the hardware inventory at all, and keeps software licensing in check as well.
Once an approved software list exists, implement an application allowlisting (whitelisting) capability so that only approved software can run. Many organizations write scripts to automate tasks and perform important business functions; these scripts should be included in the allowlisting effort, since an allowlist that permits any script to run under an approved interpreter provides little protection.
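As an added example (not from the original post), the following Python script reconciles discovered hardware against an approved hardware inventory and installed software against an approved software list, covering both step #1 and step #2 in one pass. All of the data in it (the DHCP lease lines, MAC addresses, hostnames, package names and minimum versions) is constructed for illustration; in practice the approved lists would come from your CMDB and the discovered data from your discovery and software inventory tools.

```python
"""Reconcile discovered hardware and installed software against approved inventories.

Added example, not from the original post. Every value below (MAC addresses,
hostnames, package names, versions, lease lines) is constructed for illustration.
"""
import re

# Constructed approved hardware inventory, keyed by MAC address.
APPROVED_HARDWARE = {
    "00:1a:2b:3c:4d:01": {"hostname": "web01", "owner": "platform", "type": "server"},
    "00:1a:2b:3c:4d:02": {"hostname": "db01", "owner": "platform", "type": "server"},
    "00:1a:2b:3c:4d:10": {"hostname": "lt-sales-07", "owner": "sales", "type": "laptop"},
}

# Constructed approved software list: package -> minimum acceptable version.
# In-house scripts are tracked like any other software so the allowlist covers them.
APPROVED_SOFTWARE = {
    "openssh": "9.0",
    "nginx": "1.24.0",
    "postgresql": "15.3",
    "deploy.sh": "1.0",
}

# Constructed passive-discovery input: DHCP server lease acknowledgements.
DHCP_LEASES = """\
2024-03-01T08:12:03 DHCPACK on 10.0.20.11 to 00:1a:2b:3c:4d:01 (web01)
2024-03-01T08:12:09 DHCPACK on 10.0.20.12 to 00:1a:2b:3c:4d:02 (db01)
2024-03-01T09:40:51 DHCPACK on 10.0.30.57 to 00:1a:2b:3c:4d:10 (lt-sales-07)
2024-03-01T11:02:17 DHCPACK on 10.0.30.99 to de:ad:be:ef:00:01 (android-7f3a)
"""

# Constructed software inventory output: "host package version" per line.
SOFTWARE_SCAN = """\
web01 openssh 9.3
web01 nginx 1.22.1
db01 openssh 9.3
db01 postgresql 15.3
db01 deploy.sh 1.0
lt-sales-07 openssh 8.9
lt-sales-07 teamviewer 15.44
unknown-host openssh 9.3
"""

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) \((\S+)\)")


def version_key(version):
    """Turn '1.22.1' into (1, 22, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def discover_hardware(lease_text):
    """Return {mac: (ip, hostname)} for each lease line that parses; later leases win."""
    seen = {}
    for line in lease_text.splitlines():
        match = LEASE_RE.search(line)
        if match:
            ip, mac, hostname = match.groups()
            seen[mac.lower()] = (ip, hostname)
    return seen


def reconcile_hardware(discovered, approved=APPROVED_HARDWARE):
    """Split discovered devices into unknown (investigate, quarantine or approve) and
    report approved devices not seen on the network (possibly transient, possibly gone)."""
    unknown = {mac: info for mac, info in discovered.items() if mac not in approved}
    not_seen = sorted(mac for mac in approved if mac not in discovered)
    return unknown, not_seen


def reconcile_software(scan_text, approved_software=APPROVED_SOFTWARE,
                       approved_hardware=APPROVED_HARDWARE):
    """Correlate the software scan with both approved lists and return findings as
    (host, package, reason) tuples."""
    approved_hosts = {entry["hostname"] for entry in approved_hardware.values()}
    findings = []
    for line in scan_text.splitlines():
        host, package, version = line.split()
        if host not in approved_hosts:
            findings.append((host, package, "host not in hardware inventory"))
        if package not in approved_software:
            findings.append((host, package, "unapproved software"))
        elif version_key(version) < version_key(approved_software[package]):
            findings.append((host, package,
                             f"below minimum version {approved_software[package]}"))
    return findings


if __name__ == "__main__":
    discovered = discover_hardware(DHCP_LEASES)
    unknown, not_seen = reconcile_hardware(discovered)
    for mac, (ip, hostname) in unknown.items():
        print(f"UNKNOWN DEVICE {mac} {ip} {hostname}: investigate, quarantine or approve")
    for mac in not_seen:
        print(f"APPROVED BUT NOT SEEN {mac} ({APPROVED_HARDWARE[mac]['hostname']})")
    for host, package, reason in reconcile_software(SOFTWARE_SCAN):
        print(f"SOFTWARE {host} {package}: {reason}")
```

Run as-is, the script flags the unknown Android device, the out-of-date nginx and OpenSSH versions, the unapproved remote-control tool on the sales laptop, and a host reporting software that is not in the hardware inventory at all. Correlating the two inventories is what surfaces that last case; either list on its own would miss it.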
3) Data Protection
Knowing where an organization's data resides has become increasingly challenging with the introduction of cloud services. Data can reside anywhere from employee endpoints, to on-premises servers, to one or more cloud environments anywhere in the world. The lifecycle of an organization's data must be understood so that appropriate controls can protect organizational data from creation through destruction. Organizations therefore need clear data management policies that support the data lifecycle.
These policies cover data classification, protection, handling, retention, and disposal. Once the policies are defined, technical controls can be implemented to enforce them. For example, network segmentation and access rules should control which resources can reach data in a given network segment, and data should be encrypted both in transit and at rest.
Another approach is to implement zero-trust (ZT) principles and supporting architectures. While too large a topic to cover in this post, ZT is essentially a set of guiding principles that govern policy, technology design and implementation, and organizational operations. Under ZT nothing (user, process, server, etc.) is inherently trusted: every request for access to a resource is authenticated and authorized, and that decision is re-evaluated continually rather than granted once on the basis of network location. In addition to access control, organizations should know (via logs) who accesses, modifies, or deletes sensitive data.
4) Harden The Assets Within Your Enterprise
Once step #2 is complete, then you can proceed with hardening each operating system and application within your environment. This effort should target the software running on every workstation, laptop, server (physical or virtual), and network device within the boundary of the enterprise.
Secure configuration guides for most well-known operating systems, applications, databases, and network devices have been published by organizations such as the Center for Internet Security (the CIS Benchmarks). The U.S. Department of Defense, through the Defense Information Systems Agency (DISA), also publishes Security Technical Implementation Guides (STIGs) for hardening operating systems, applications, databases, and network devices.
Because some settings negatively affect performance or operations, not every parameter of every hardening guide can be implemented. Implement all that can be, and document the rationale for each parameter you do not implement, so that the exception is a deliberate, reviewable decision rather than an unnoticed gap.
Once these hardening parameters have been defined and implemented, they become your configuration baseline. All instances of the approved software must be configured in accordance with the approved configuration baseline.
It is common for subsequent instances (or previously hardened configurations) to drift from the approved baseline through manual changes, troubleshooting, or updates that reset settings. Configuration monitoring tools should therefore be employed to detect drift from the approved baseline. When drift is discovered, the system should be brought back into alignment promptly; the documented exceptions should be excluded from the drift report so they do not become noise that hides real drift.
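As an added example (not from the original post), the following Python script checks the SSH daemon configuration collected from several hosts against a small approved baseline and reports drift, while treating documented exceptions (with their recorded rationale) as accepted rather than as drift. The baseline values, hostnames, and the exception rationale and ticket reference are constructed assumptions; a real baseline would be derived from the CIS Benchmark or STIG for the platform and would be much longer.

```python
"""Detect drift from an approved configuration baseline, honoring documented exceptions.

Added example, not from the original post. Baseline values, hostnames and the
exception rationale (including its ticket reference) are constructed for illustration.
"""

# Constructed approved baseline for the SSH daemon: parameter -> required value.
# A real baseline would be derived from the CIS Benchmark or STIG for the platform.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed documented exceptions: (host, parameter) -> recorded rationale.
# These are settings that were deliberately not applied because they broke something.
EXCEPTIONS = {
    ("build01", "X11Forwarding"):
        "CI agents run GUI test suites over forwarded X11; risk accepted in ticket SEC-0000",
}

# Constructed current configurations as collected from each host (sshd_config syntax).
CURRENT_CONFIGS = {
    "web01": """
# hardened per baseline 2024-02
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
""",
    "db01": """
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
LogLevel INFO
""",
    "build01": """
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
LogLevel VERBOSE
""",
}


def parse_sshd_config(text):
    """Parse 'Keyword value' lines. Blank lines and lines starting with '#' are
    comments. Keywords are case-insensitive and the first occurrence of a keyword
    wins, which is how sshd itself resolves duplicates. Match blocks and the
    'Keyword=value' form are not handled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.lower()
        if keyword not in settings:
            settings[keyword] = value.strip()
    return settings


def check_host(host, config_text, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Return (drift, accepted). drift: (parameter, required, actual) for settings
    off-baseline with no documented exception. accepted: the same plus the rationale
    for settings covered by an exception. A parameter missing from the file is drift
    too, because the daemon then silently falls back to its compiled-in default."""
    current = parse_sshd_config(config_text)
    drift, accepted = [], []
    for parameter, required in baseline.items():
        actual = current.get(parameter.lower())
        if actual is not None and actual.lower() == required.lower():
            continue
        rationale = exceptions.get((host, parameter))
        if rationale:
            accepted.append((parameter, required, actual, rationale))
        else:
            drift.append((parameter, required, actual))
    return drift, accepted


def drift_report(configs=CURRENT_CONFIGS):
    """Check every host and return {host: (drift, accepted)}."""
    return {host: check_host(host, text) for host, text in configs.items()}


if __name__ == "__main__":
    for host, (drift, accepted) in drift_report().items():
        for parameter, required, actual in drift:
            print(f"DRIFT {host} {parameter}: baseline={required} actual={actual}")
        for parameter, required, actual, rationale in accepted:
            print(f"ACCEPTED {host} {parameter}={actual} ({rationale})")
        if not drift:
            print(f"OK {host}: in compliance with baseline (exceptions excluded)")
```

Run as-is, web01 is clean, db01 shows three drifted parameters (password authentication re-enabled, a higher MaxAuthTries, and a quieter log level), and build01 is reported as compliant with one accepted exception rather than as drifted. Keying exceptions by host and parameter, with the rationale stored next to them, is what lets the same report serve both the operations team and an auditor asking why a baseline setting is absent.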
5) Account Management
Accounts (and their associated credentials) are the gateway to an organization's IT assets and data, so organizations need to track accounts as they do their hardware and software inventory. It is important to know which types of accounts (individual users, system or service accounts, shared/group accounts, admin accounts, etc.) exist on each system and to validate that each is still needed. Periodic account reviews confirm that every active account on enterprise IT systems is still required; any account that is no longer used should be deactivated immediately.
Account reviews must include administrative accounts across the enterprise. Administrative access is an attacker's goal, so it should be limited on every application and device to those who require it for their job functions.
Take an inventory of the accounts with administrative access within your enterprise and determine whether each is warranted. If not, remove the access immediately. Those with administrative privileges should use their administrative account only when performing administrative tasks, and a separate, non-privileged account for everything else (email, web browsing, day-to-day work).
Implement multi-factor authentication (MFA) on all accounts where possible, starting with administrative and remotely accessible accounts. Single sign-on (SSO) reduces the burden of logging in to a large number of applications, and it concentrates authentication in one place where MFA and logging can be enforced. All passwords should be unique and stored in a secure password management solution.
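As an added example (not from the original post), the following Python script runs the account review described above over a constructed directory export: it flags enabled accounts that have not logged on within 90 days, administrative accounts without MFA, shared accounts holding administrative rights, and administrators who have no separate standard account for day-to-day work. The export rows, the 90-day threshold, the review date and the "adm-" naming convention are all constructed assumptions; a real review would read the export from your directory service.

```python
"""Periodic account review over a constructed directory export.

Added example, not from the original post. The account rows, the 90-day inactivity
threshold, the review date and the "adm-" naming convention are all constructed
assumptions for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed export: one row per account, in the shape a directory tool might produce.
ACCOUNT_EXPORT = """\
username,owner,type,enabled,last_logon,is_admin,mfa_enrolled
jsmith,J. Smith,user,true,2024-02-27,false,true
adm-jsmith,J. Smith,admin,true,2024-02-28,true,true
rlee,R. Lee,user,true,2024-02-26,false,true
adm-rlee,R. Lee,admin,true,2024-02-26,true,false
adm-pwong,P. Wong,admin,true,2024-02-25,true,true
tcontractor,T. Contractor,user,true,2023-10-02,false,true
svc-backup,Platform Team,service,true,2024-02-29,false,false
shared-helpdesk,Helpdesk,shared,true,2024-02-29,true,false
adm-old,Former Employee,admin,false,2023-01-15,true,false
"""

REVIEW_DATE = date(2024, 3, 1)          # constructed "as of" date for this review
INACTIVITY_LIMIT = timedelta(days=90)   # constructed policy threshold


def load_accounts(export_text):
    """Parse the CSV export into dicts with typed fields."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for row in rows:
        for flag in ("enabled", "is_admin", "mfa_enrolled"):
            row[flag] = row[flag].strip().lower() == "true"
        row["last_logon"] = date.fromisoformat(row["last_logon"])
    return rows


def review_accounts(rows, as_of=REVIEW_DATE, limit=INACTIVITY_LIMIT):
    """Apply the review checks and return usernames grouped by finding.

    Disabled accounts are skipped: they are already deactivated. Service accounts
    are excluded from the MFA check because they usually cannot complete an
    interactive second factor; they need a different control (key- or
    certificate-based authentication, restricted logon rights)."""
    findings = {
        "deactivate_stale": [],                # enabled, but no logon within the limit
        "admin_without_mfa": [],               # privileged and no second factor
        "admin_without_standard_account": [],  # owner has no separate day-to-day account
        "shared_account_with_admin": [],       # shared credentials holding admin rights
        "no_mfa": [],                          # any interactive account without MFA
    }
    enabled = [row for row in rows if row["enabled"]]
    owners_with_standard_account = {row["owner"] for row in enabled if row["type"] == "user"}
    for row in enabled:
        name = row["username"]
        if as_of - row["last_logon"] > limit:
            findings["deactivate_stale"].append(name)
        if row["type"] != "service" and not row["mfa_enrolled"]:
            findings["no_mfa"].append(name)
        if row["is_admin"]:
            if not row["mfa_enrolled"]:
                findings["admin_without_mfa"].append(name)
            if row["type"] == "admin" and row["owner"] not in owners_with_standard_account:
                findings["admin_without_standard_account"].append(name)
            if row["type"] == "shared":
                findings["shared_account_with_admin"].append(name)
    return findings


def run_review(export_text=ACCOUNT_EXPORT):
    """Load the export and return the findings dictionary."""
    return review_accounts(load_accounts(export_text))


if __name__ == "__main__":
    for finding, names in run_review().items():
        print(f"{finding}: {', '.join(names) if names else '-'}")
```

Run as-is, the review proposes deactivating the contractor account that has been idle for five months, flags two privileged accounts without MFA (one of them a shared helpdesk account, which should not hold admin rights at all), and identifies one administrator who appears to be doing day-to-day work from a privileged account because no matching standard account exists. The disabled account of the former employee is ignored here; removing long-disabled accounts outright is a separate clean-up step.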
What’s Next?
Once a base capability is in place to support these five controls, expand their effectiveness by implementing a monitoring program to ensure the controls continue to operate effectively.
Also, implement a measurement program to ensure each control is implemented across the entire enterprise and not just in a couple of departments, network segments, or applications. There is much more to accomplish with regard to implementing controls across your enterprise.
Remember the following principles when implementing controls:
- Controls should align with policy
- Communicate the implementation of controls across the enterprise
- Implement the control and monitor the operating effectiveness
- Measure the roll-out of the control to ensure it is implemented across the entire organization (e.g. what percentage of the enterprise has been inventoried for hardware and software)
- Iterate
Summary
Having an effective and well-maintained enterprise security program is a must in today's world. Bad actors continually scan the internet for vulnerable targets, so an effective enterprise security program is crucial to building a defensive posture that raises the bar high enough that those with malicious intent move on to a softer target.
Work with an enterprise security company and implement controls to address the greatest risks in your enterprise first, then work in phases to build out a control structure that encompasses the entire enterprise.
Linford and Company has extensive experience working with organizations to define their control environment. Please contact us if you would like to learn more about how we can help you.
Related blog posts:
- How Is Your (Cyber) Hygiene?
- Considering Risk to Mitigate Cyber Security Threats to Online Business Applications
- Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (SOC for Cybersecurity)
- Establishing an Effective Internal Control Environment
- Can You Assess & Manage Your Organizational Risk?
This article was originally published on 6/5/2019 and was updated on 7/13/2022.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.