Understanding which security model is optimal for your business organization?
The use of any security solutions or approach always addresses a question for the organization, is it 100% safe from all kinds of attacks and threats? In optimal circumstances, security is impenetrable but only exists in theory. The chase for a secure state and solution is a never-ending process due to the very dynamic nature of IT. Since most hackers are far ahead in terms of finding and exploiting the loopholes in the system, even the use of the most advanced and secured solutions without proper update and configuration will eventually lead to the compromise of the organization’s assets.
One of the major challenges in building an impenetrable system is the cost and in many cases is not worth it. The cost of solutions and systems can cost more than the information is worth (or its loss would cost). One needs to evaluate many criteria including the potential risk of attack or comprise and its impact on the business, product, or service with the addition of any system, host, or network. There are several ways to measure the potential risks and threats such as financial loss, loss of trust, loss of reputation, downtime, and legal or regulatory penalties by the authority. In short, one needs to balance security based on the potential risks against the investment required to mitigate these risks.
Positive security model
The positive security model starts with the approach of “block everything” and is then built upon by permitting specific, approved traffic, actions, or other functions. So, an undefined positive security model should block everything from the start (what you allow is positive). Initially getting false positives in this security model is high as it blocks every traffic. Basically, all the network firewalls use this security model. One of the benefits of this security model is that it helps us in preventing zero-day attacks. Web application firewall uses a positive security model so if any changes are made to the system, then a new policy must be added in order to make the application run smoothly.
Negative security model
The negative security model starts with the approach “allow everything” and is then further constructed by blocking functions based on known previous attacks and unwanted content and behaviors (what you deny is the negative). Every rule that gets added to a negative security model will increase the security of the policy. So, at the start, a negative security model will allow all traffic, and as more restrictions are added security increases. This security model is used by anti-virus and intrusion prevention systems in the network. Implementing a negative security model is easy and not time-consuming. If we implement this security model in the application the false positive is not discovered as it allows everything linked to an application, rejection of any traffic should be done manually.
The prime purpose behind the two-security model: the positive security model and the negative security model is to build an idea about the approach or adoption of rules suitable for the organization. It has been a long debate over the optimal approach between the positive and negative security models. Most security experts argue that the positive security model is preferred due to its more secure posture than the negative security model and the gradual increase in its functionality. However, the negative security model seems to be more optimal in terms of business objectives as it starts off from the most functional posture and slowly increases its security.
Even though both the security models have their own pros and cons, which is just a theoretical concept. In a real-life scenario, a security policy falls somewhere in between the positive and negative security models. This approach helps to widen the scope of the security model and also balances the business functionality with the security of the system/network. Since a negative security model over time gets more secure it will gradually become a positive security model and similarly, the positive security model that gets more functional will eventually become a negative security model. In the present context of business, IT decisions have become the business decision so, the adoption of the security model entirely depends upon the business functionality and policy.