CEREBERUS ISC INC.
Information Security Consulting

White Paper: Security Policy & Standards

General Discussion

The traditional approach to computer security was based on the assumption that security would be applied to one or a few mainframe computers. These systems and the applications running on them were complex and usually evolved over time. The practice which developed over time was to base security measures on a thorough and formal review of the security requirements of the system based on the applications it was running, who was using it, the potential impacts of breaches of security, etc.

While this approach was appropriate for that environment, it ceased to be so in fast-changing distributed environments where new platforms are introduced fairly frequently. Assume an organization is deploying a large number of new systems, such as the latest version of Windows. They will typically be deployed in numerous locations, running numerous different applications, subject to different levels of physical security and with different levels of sensitivity. Furthermore, they will frequently have different degrees of, and requirements for, connectivity to other parts of the network.

In such an environment, a new approach to security is required. It was realized a few years ago that there were standard aspects of security on which virtually all practitioners could agree. Examples include the fact that all accounts should have passwords, that accounts should not be shared between people, that directories should not be world accessible, etc. (Note that in all the above examples there are legitimate exceptions.)

It should, then, be possible to define a "Baseline Security Standard" which translates these universally accepted security rules into the specific technology and capability of a particular platform. ("Platform" here refers to a combination of hardware and software, but with the emphasis on the software; while it is usually a specific operating system, it could also be something like a particular relational database package. The concept can be expanded to such things as networks as a whole, particular routers, etc.)

In this scenario, if an organization were to deploy a large number of Windows systems, the system administrators would all be provided with copies of the Windows Baseline Security Standard. This standard would include not only the specific actions which should be taken but also why they should be taken and what the implications are of not taking them.

Such discussion is included in the Standard because it is recognized that not all actions are always appropriate: they were designed with no knowledge of the organization, the applications, the users, the physical environment, etc. For example, if the system is to be used specifically to provide semi-public information to the general public via dial-up lines, it would make little sense to insist on separate user accounts with passwords.

The Baseline Standard is not to be used blindly, then, but as a starting point. Furthermore, all deviations from it should be subject to a management process to ensure that excluding a measure doesn't introduce other unanticipated risks.

The net result of this process is that large numbers of systems can be deployed quickly with the knowledge that at least minimum security standards are in place, and with the knowledge of where they are not in place and why. This buys the time to deploy relatively safely and then return later, on a system-by-system basis, to review the specific security requirements of each system and, perhaps, adjust the security standard for special cases.
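As an added illustration (not part of the original white paper), the sketch below encodes the three example rules with their rationale and checks a small inventory against them, separating approved deviations from unmanaged gaps. The host names, rule IDs, and the inventory and deviation-register layouts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str                         # what the administrator should do
    rationale: str                      # why, and what skipping it implies
    offenders: Callable[[dict], list]   # items on a host that break the rule

BASELINE = [
    Rule("ACCT-PASSWORD", "Every account has a password",
         "A passwordless account lets anyone act as that user",
         lambda h: [a["name"] for a in h["accounts"] if not a["has_password"]]),
    Rule("ACCT-NOT-SHARED", "No account is shared between people",
         "Shared accounts remove individual accountability",
         lambda h: [a["name"] for a in h["accounts"] if len(a["users"]) > 1]),
    Rule("DIR-NOT-WORLD", "No directory is world accessible",
         "Any user of the system can reach the contents",
         lambda h: [d["path"] for d in h["dirs"] if d["world_accessible"]]),
]

# Constructed inventory (hypothetical hosts, not real data).
HOSTS = {
    "ws-014": {"accounts": [{"name": "alice", "has_password": True, "users": ["alice"]}],
               "dirs": [{"path": "/home/alice", "world_accessible": False}]},
    "infoline-01": {"accounts": [{"name": "public", "has_password": False, "users": ["public"]}],
                    "dirs": [{"path": "/pub", "world_accessible": True}]},
    "ws-031": {"accounts": [{"name": "ops", "has_password": True, "users": ["bob", "carol"]}],
               "dirs": [{"path": "/srv/app", "world_accessible": False}]},
}

# Constructed deviation register: (host, rule_id) -> recorded justification.
DEVIATIONS = {
    ("infoline-01", "ACCT-PASSWORD"): "Semi-public dial-up information service",
    ("ws-014", "DIR-NOT-WORLD"): "Temporary share during migration",
}

def assess(hosts, deviations, baseline=BASELINE):
    """Return {(host, rule_id): (status, offending_items)} for every host and rule."""
    report = {}
    for host, inventory in hosts.items():
        for rule in baseline:
            found = rule.offenders(inventory)
            approved = (host, rule.rule_id) in deviations
            if found:
                status = "approved-deviation" if approved else "unmanaged-gap"
            else:  # a deviation on a compliant host should be retired
                status = "stale-deviation" if approved else "compliant"
            report[(host, rule.rule_id)] = (status, found)
    return report
```

A deviation applies to one rule on one host only, so `infoline-01` still shows an unmanaged gap for its world-accessible directory even though its passwordless account is approved.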

This is not the only use of Baseline Security Standards. Frequently an organization is not introducing a large number of systems but is introducing a new platform with which they are not familiar. It may be one system because it supports a turnkey application, or it may be a new platform which is to be tested for wider scale use. Once again, there is a need for a way to deploy the system rapidly without extensive training of existing security staff or formal analysis of the system's requirements.

While the traditional approach to computer security is still frequently appropriate, and while formal security reviews and risk analyses should still be carried out as early as possible in the deployment of new systems, Baseline Security is an approach which is frequently more appropriate in today's distributed environments. It is not a replacement for the earlier, more formal approach, but can allow rapid system deployment, provide at least some peace of mind, and buy the time necessary for later, more formal approaches.

Copyright © 1997-2007 Cerberus-ISC Inc.TM
Last Updated: May, 2007