- This paper was published and accepted by ISCIT and the ACM Digital portal
In today's business environment the rate of market change has far outpaced the ability to react effectively. As connectivity and collaboration pick up the pace, the need for a strategic approach to security becomes ever more important, if not critical. Security models have ceased to be simple components that can be "plugged in" at various points in any business process that requires them; they have evolved into technologies of their own, tightly coupled with the entire business itself. Several niche products have diversified from providing a solution in one particular area of security to complete, end-to-end solutions that constantly try to meet and exceed the high customer expectations of security today.
This paper attempts to provide a roadmap, with clear implementation breakpoints, for building a common, enterprise-wide security model.
Unified Security Framework
Authors:
GILSON WILSON
Information Security Consultant
Profile: Holds a B.E. in Computer Science and Engineering.
More than 4 years of experience in information technology, working in the areas of eCommerce, web and security systems.
Has been associated as a web initiative consultant with GE and Telekom Malaysia, among others.
Email: giwilson@deloitte.com
ULLAS O. THARAKAN
Information Security Consultant
Profile: Holds a B.E. in Electronics and Telecommunication and an M.B.A. in IT Strategy.
More than 5 years of experience in information technology and security systems. Has been associated with NAL, SGI, CMC and Polaris. Has also worked as an information security consultant with the World Bank.
Has also taken up teaching activities at IIT Delhi and IIITM Gwalior.
Email: ullaso.tharakan@wipro.com
Introduction
Information security has to position itself as a business enabler. End users today should receive far more complete protection for the intellectual capital in their care, with minimal involvement or awareness on their part. As the world becomes increasingly connected, risk rises accordingly. In response, businesses need a means to manage risk without disrupting normal operations or investing more money in a security solution than is necessary.
By bringing a wide range of security technologies – protocol analysis, pattern matching, active blocking, malicious code control (active content and/or antivirus), PKI, VPN, vulnerability assessment, policy distribution and enforcement, IDS, application protection, and security decision support – into a common framework, and then packaging that framework to address specific business needs and operational IT functions, the unified security model has redefined what information security means and how it can be aligned as a measurable business benefit to customers.
Current Scenario
Security technology has become an essential part of normal business operations. As a result, organizations of all sizes and markets are demanding that security technology reach new levels of effectiveness and value. Information security – the means by which organizations protect valuable digital assets such as accounting records, customer information, and proprietary trade secrets – has struggled to meet this need.
Unified Security Framework
As we move into the future, dependence on "soft data" has been increasing exponentially. Companies worldwide use information technology as the backbone of their business processes in order to be more flexible in a competitive marketplace and, more importantly, closer to the customer. This has led to the opening up of information systems, which has made them more vulnerable from a security perspective. Applications have their own customized security models, complete with their own independent user stores and islands of sensitive information.
With the growth of business, the number of applications needed to accomplish business tasks has risen phenomenally. Managing this number of applications becomes a complex issue, making the life of the end user, as well as that of the Chief Information Officer (CIO), tougher than ever. Managing the security of each application separately increases overhead cost to the company; on the other hand, end users are forced to remember multiple authentication attributes and credentials, leading to the compromise of security in enterprise-wide systems.

What we propose here is that the security of all applications be exported into one unified security layer that manages all aspects and components of security from a single window. The idea is to keep the business functionality and the security components of applications separate. Today most security functionality, such as authentication, authorization and access control, is embedded within the application itself.

Applications maintain their own user base for providing access to multiple functionalities. This kind of scattered security functionality has implications for manageability and leads to the following challenges:
• Applications have their own user IDs and passwords, governed by different account policies.
• Applications have their own user management functionality, such as creating and deleting users and activating, revoking and granting access permissions.
• Users are forced to remember multiple user IDs and passwords, one set per application, leading to the selection of weak passwords and/or the writing down of passwords, which makes them vulnerable to social engineering. This factor grows with organizational growth.
• Every time a user joins an enterprise, he or she needs access to multiple applications. Creating the user in these various applications is performed by multiple administrators, which is a loss of productive time.
• Every deletion likewise calls for the reverse of the creation process.
• Enforcing a consistent information security policy across all applications enterprise-wide becomes tedious and a massive exercise in itself.
• Similarly, with every application having its own audit mechanism, tracking incidents becomes a Herculean task.
The next step is to propose a framework in which all applications use one common security layer for all required security processes. Each application connects to the common layer and subscribes to security services at a centralized level. This makes security management easier and ensures consistency in the security process, which makes the life of the end user easier when interacting with all applications while enhancing overall security.
The Unified Security Layer provides a single point of entry to end users while keeping the complex security transactions hidden.
The Unified Security Framework is a container that holds all security-related processes, practices and technologies in one layer. Any end user or application gains access to the systems through this channel. The Unified Security Framework consists of three distinct components:
IT Infrastructure: This contains all the applications and defined processes that require information security. It consists of hardware, network components, data, operating systems and applications.
Core Security Technologies: These consist of all underlying technologies that provide encryption services, application-level security, data security, signature services, certificate and key management and even user management functionality, covering data in transit, data in use and data at rest. This provides complete technology support for data at all levels.
Security Process: Security processes are the functionalities required for providing authentication, authorization, confidentiality and non-repudiation, and higher-level services such as Single Sign-On, user provisioning and centralized/delegated administration, using the core security technologies.
7C Framework – Unified Security Framework Implementation
In order to develop this layer, an orchestration of these three components is required.

The 7C Framework proposes a methodology to implement the Unified Security Framework at a higher level. This unified security strategy looks into the IT strategy of the organization, evaluating the business risk and fine-tuning the information security policy (password management, user accounts, etc.) to fit the enterprise strategy. Realignment will be required after implementation to standardize this policy.
The 7C Framework solves the problem of multiple credentials in the second phase: user store integration (directory consolidation) is done using a centralized user store for as many applications as possible, which improves manageability and maintainability. This logically leads to a common authorization and access control model, which could be based on role, policy, view, content, context or any other type. Once the basic setup is in place, it calls for a common security audit mechanism that monitors all transactions centrally at the enterprise level, making them transparent, with flexible control over any security incident and a quick turnaround time. The end-user experience is enhanced in the next phase by common Single Sign-On for access to all applications. The common provisioning mechanism creates and associates users and resources while maintaining consistency of these profiles (using mechanisms such as synchronization, meta-directories, etc.) across all applications and resources throughout the enterprise. Finally, delegated and centralized administration provides a single window through which all security features, audits, access controls and even the publishing of security policies for user awareness are managed.
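As an added illustration, not code from the paper, of the layer the 7C phases build toward: two hypothetical applications delegate provisioning, authentication, role-based authorization and audit logging to one shared layer instead of keeping their own user stores. All class and method names, the application and role names, and the PBKDF2 parameters are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    roles: set

class UnifiedSecurityLayer:
    """Hypothetical shared layer: one user store, one policy, one audit trail."""
    def __init__(self):
        self._users = {}   # single directory consulted by every application
        self._policy = {}  # (app, action) -> set of roles allowed
        self.audit = []    # enterprise-wide trail of security events
    @staticmethod
    def _hash(salt, password):  # PBKDF2 parameters are an assumption
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    # Common provisioning: one create or delete takes effect for all applications.
    def provision_user(self, username, password, roles):
        salt = secrets.token_bytes(16)
        self._users[username] = UserRecord(salt, self._hash(salt, password), set(roles))
        self.audit.append(("provision", username, sorted(roles)))
    def deprovision_user(self, username):
        self._users.pop(username, None)
        self.audit.append(("deprovision", username, None))
    def grant(self, app, action, role):
        self._policy.setdefault((app, action), set()).add(role)

    # Common authentication: constant-time comparison against the central store.
    def authenticate(self, username, password):
        rec = self._users.get(username)
        ok = rec is not None and hmac.compare_digest(rec.pw_hash, self._hash(rec.salt, password))
        self.audit.append(("login", username, ok))
        return ok
    # Common role-based authorization, evaluated centrally per (app, action).
    def authorize(self, username, app, action):
        rec = self._users.get(username)
        allowed = rec is not None and bool(rec.roles & self._policy.get((app, action), set()))
        self.audit.append(("authz", username, (app, action, allowed)))
        return allowed

class Application:
    """Business functionality only; every security decision is delegated."""
    def __init__(self, name, layer):
        self.name, self.layer = name, layer
    def perform(self, username, action):
        return self.layer.authorize(username, self.name, action)
```

Deprovisioning the user once revokes access in every application and the single audit trail records the login and authorization decisions of all of them.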
Conclusion
Enterprises today need a unified model to achieve high levels of secure computing, tightly interwoven with business processes, that can still remain simple and transparent to users. This can be achieved by implementing the proposed 7C Framework, which allows a complete and consistent "common-sense" approach in terms of manageability, maintainability and robustness of architecture.