Information Security Architecture:
An Integrated Approach to Security
in the Organization

by Jan Killmeyer Tudor

March 2001

Reviewed by Peter Stephenson

Christmas came late for me this past year. When I returned from my first vacation in about 17 years there was a big box of new security books from my good friend and publisher Rich O’Hanley at Auerbach. I’m going to have a look at these books and I expect that in the pile we’ll find some real gems. Sadly, this first one isn’t among them.

Information Security Architecture is OK for what it is. What it is, however, is not a book about architecture. It’s an entry level general information security book that covers all the old ground that a dozen other such books cover, some better, some worse. Let’s start with a discussion of what we really mean by the much-maligned term ‘architecture’.

An architecture is a reasonably formalized description of something. I say that it is reasonably formalized because we don’t require such things as mathematical models to make it formal. When we decide to build a house, for example, we talk to architects. They’ll want to know what we are going to use the building for, say a single-family dwelling or an apartment building. How much space and what kind do we need? Where will we build it - just in case we need to make it, for example, hurricane-proof? In other words, architects will want to know a host of things. They won’t just call the builder and say, “Get some bricks and wood over here and build these folks a house!”

The same is true of security architecture. Once we gather all the information we need, including such things as business drivers, network requirements and more, we can begin to create a very specific blueprint for the final, secure network.

That process is not what this book is about. This book does discuss many of the elements that go into defining an architecture (organization and infrastructure, policies, risk analysis, awareness, compliance, etc.), but nowhere does the book pull all of these pieces together into a functional description of what the final ‘house’ will look like. Nowhere in the author’s efforts do I find the final design plan or how to arrive at it.

The basics of information security are all here, but they are not particularly novel and there is nothing really new. Tudor writes well, though, and what she does say is said clearly and concisely. A book such as this really does cut through to the basics and is a very good read for a manager whose full-time work does not involve day-to-day security, but who needs to know enough to fund and manage a security effort in a medium to large organization. In that regard it’s a good tutorial.

What I find really interesting is the subtitle of the book: An Integrated Approach to Security in the Organization. If that were what the book used as a title, I would probably have added another star to my rating. It is a far better description of what the book is trying to do.

Because I can’t completely trash a pretty good effort solely for a bad choice of title, I give this one three stars. If you need another general book with a slightly different approach to security (although not much different), add this one to your bookshelf. But if you’re looking for a book that really treats security architecture completely, wait a bit – it’s just not here yet.
Contact Information:
  
Information Security Architecture:
An Integrated Approach to Security in the Organization
by Jan Killmeyer Tudor

Auerbach Publications
384 pages
ISBN 0-8493-9988-2
$64.95
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.