Community of interest (computer security)
Community of interest (C.O.I.) is a means by which network assets and or network users are segregated by some technological means for some established purpose. COIs are a strategy that fall under the realm of computer security which itself is a subset of security engineering. Typically, COIs are set up to protect a network infrastructure from a group or groups of users who are performing some esoteric functions. COIs are also designed to protect their user community from the rest of the enclave user population.
Definition
A COI can be defined as a logical or physical grouping of network devices or users with access to information that should not be made available to the general user population on a LAN or WAN infrastructure. A COI can be used to provide multiple levels of protection for a LAN or WAN infrastructure from the activities within a COI. A COI can consist of a logical perimeter around the community (or enclave). It can allow for separate security management and operational direction. COI's generally do not dictate separate internal security policies (e.g., password policies, etc.) because they fall under the jurisdiction and management of the LAN or WAN owners. However, they can and often do have a laxed subset of the overall Network security policy. The terms "Segregation Mechanism" and "Security Mechanism" for the purposes of this article are interchangeable. The COI segregates in order to achieve security.
COI Types and Mechanisms | ||
---|---|---|
Segregation Mechanism | Cost |
Description |
MS Active Directory | Low | Provides logical separation in the form of group formations utilizing MS Active Directory controls. |
VLAN | Medium | Provides logical separation and network layer 2 separation (see the OSI model for more information). Virtual Local Area Networks are usually constructed on the network switches which connect devices together. |
Router | High | Provides physical device separation, while maintaining a desired level of communication with the rest of the LAN or WAN infrastructure. |
Firewall | High | Provides physical device separation much like the router separation but adds the added security benefits of firewall components like ACLs, proxies, SPI. |
VPN | High | Provides physical device separation and support for multiple sites, which have no communication with the LAN or WAN infrastructure. A VPN device adds the ability to encrypt all data from the COI to others sites thus providing another layer of protection. |
Complete Physical Separation | Very High | Provides highest level of separation through complete physical separation of COIs. Very high cost because network resources cannot be leveraged against. |
Security mechanisms
COI security requirements can range in sophistication from simple network file shares to an interconnection of physically separate sites that are connected via dedicated communication circuits. COI security mechanisms and the respective basic characteristics are identified in the Table. These security mechanisms may be utilized individually and in combinations to provide the requisite security for each COI. COI architecture can overlay the existing LAN or WAN architecture in order to maximize the use of existing resources and to provide the required COI separation in the most efficient manner.
COIs that require additional dedicated physical resources (e.g., dedicated router, VPN and firewalls devices) are usually more complex in nature and expensive to operate because of the added network devices and the personnel to operate and manage them. They also add the benefit of more security utilizing the defense in depth approach. A COI does not necessarily imply a physical separation of the infrastructure, but can do so.
Construction
A standard approach to COI segregation can be through the use of group policies if the LAN or WAN infrastructure utilizes the Microsoft Windows operating system utilizing the Active Directory service. Additional dedicated COI boundary security components such as a router, VPN, firewall, and IDS can be provided depending upon the requirement needs of a COI. COIs can be designed and deployed by employing the security mechanisms that are listed in the Table. Typically each individual COI may have unique characteristics and requirements. The security mechanisms listed above are the basic building blocks in the construction of all COIs.
See also
- Computer security policy
- National security policy, military strategy
- Network security policy
- Policy
- Security engineering
- Separation of mechanism and policy