If my work surroundings are any indication of the rest of the real world, a lot of companies are busy building greenfield environments — typically entirely new, separate network segments or Active Directory forests. Why do it? Sometimes, it's because the current network is completely owned by an APT (advanced persistent threat), but of course there are many other motives.
Most often, companies go to the expense of creating a greenfield because the current environment is so disjointed and full of accumulated errors that trying to fix the mess seems impossible. I'm often hired to assist with architecting the new design and advising clients on how to proceed.
While every environment is different, here's the advice I usually give to entities responding to big compromises.
1. You will never build the perfect network
At the beginning of greenfield planning, everyone designs the perfect network or Active Directory forest. The sky's the limit! It's a perfect security world! Management understands the seriousness of not doing security right! Application developers and business leaders will have to listen to computer security designers, for once! Finally, everyone is on the same page. Security is paramount!
Until it isn't.
Every greenfield design I've been involved with has begun with the best intentions of perfect security but ended up a lot closer to the design requirements of the existing environment. By this I mean that senior management finally puts a budget around it, with the expectations it will allow them to run the business and earn money.
It's the same old clash of functionality versus security, and in a bind, functionality will usually win, even in the new "high security" greenfield. On a positive note, security will usually be given more leeway and consideration, though not victory at all costs. It's important to start out with your perfect wish list, but be ready to supply your alternative backup plans when someone more senior doesn't think your idea of better security will work for the company.
2. Don't repeat the same mistakes
It's important not to repeat the same mistakes of the old environment in the new environment. This seems obvious, but I bet many who have built their own greenfields are nodding in agreement. People often stipulate simple points that seem to make sense, without realizing that those same requirements were part of what made the old environment fail.
For example, a common requirement in a greenfield is good patching. Who can argue against that? Often, lax patching led to the old environment becoming, well, the old environment. But when I examine the old and new patching requirements, they're nearly identical. It's usually something along lines of: "All critical security patches must be applied in a timely manner."
Sign up for MIS Asia eNewsletters.