Network World

User group to reveal model for IS security future

By John Fontana, Network World, 12/20/2004

An influential user group is nearing release of a blueprint for a policy-based security architecture it hopes will become an industry model for securing corporate information systems.

The Network Applications Consortium (NAC), which includes major IT corporations such as Bechtel, Boeing, GlaxoSmithKline and State Farm Insurance, will publish on Jan. 1 the results of more than a year's worth of work in a document titled "Enterprise Security Architecture: A Framework and Template for Policy-Driven Security" (see executive summary).

"We have an industry reference document that brings together aspects of security architecture that have never been directly linked together in one document," says Fred Wettling, chairman of the NAC and infrastructure architect for Bechtel, a global engineering, construction and project management firm. "This ties, from stem to stern, governance down to operations along with a road map of where to go in the future. As far as a reference model, this is the first of its kind for policy-driven security."

The 121-page Enterprise Security Architecture (ESA) document describes the policy, technical and operational models companies should adopt in tailoring a security architecture. The architecture is based on a set of policies that use templates for policy creation from the National Institute of Standards and Technology and International Organization for Standards that can be represented electronically, stored on a network and used to execute and enforce policy.

The goal is to create a link between the definition, implementation and enforcement of security policies and the physical security components of a network. Eventually, the policies for each will be automated across the physical network.

The NAC - whose members represent combined revenues of more than $750 billion - is working with industry groups such as the Distributed Management Task Force (DMTF) and the Open Group, as well as vendors such as Cisco and Microsoft, to foster awareness and further refinement of the security architecture plan.

"You can't just buy a security product that is a quick fix to secure interconnected networks and distributed applications. You have to build that into the security products you have: That is architecture," says Daniel Blum, an analyst with Burton Group. He also says policy is a difficult problem with all the layers of security such as server and desktop firewalls and VPNs. "You have to distribute policy enforcement to those endpoints because that is where the threats are, but you have to centralize the decision making. That is why you need common policies and policy languages."
