1.3 SOA
Service-oriented architecture (SOA) is a combination of different services which are loosely coupled, but at last we...

Disadvantages:
Both models mentioned above concentrate on issues regarding the IT industry and don't cover the holistic...

• Orchestration
• Ease of Use
• Easy to visualize
• Human tasks
• Gateways
• Message Flows
• Group T...

According to Forbes magazine, companies relish the prospect of reducing complexity while cutting and maintaining IT infrast...
2 Company Profile

2.1 History
1992 – 2009 SYNARGOS GmbH
• International projects with leading banks, manufacturers and ...

2.2 Core Business
1. Establishing & Securing Business-Processes
   Securing electronic payment systems for financ...

2.3 Cryptography-Typical Application
Today, applied cryptographic methods reach almost all areas of information ...

2.5 HSM IBM 4764-001 Internal Architecture
Figure 2-1
Source: IBM. (2005, O...

2.6 FINPIN
Background of Cryptographic Abstraction Layer
Name origin: Financial PIN Services
Descri...

2.7 Functions
Possible general functions are:
• GMPX – German MAC/PAC Extension
• GTPV – German Triple DES PIN Ve...
3 Conceptualization
I have already mentioned the concept starting from encrypting data, which itself is a result of encip...

information. Amongst these standards, some cover the security demands for the implementation and accreditation of cr...

Another most important standard is ISO 27001, which is by far the basis for defining a management process to assure informati...

Figure 3-1

3.3 VISA PIN Security Requirements Audit:
Visa explains in its...

always consists of a minimum of two parts, and to do so we need at least two people (key custodians and their deputies) who a...

3.4 PCI DSS:
The Payment Card Industry Data Security Standard is an information security standard that covers data security requir...

Source: PCI-DSS. (2011). PCI Data Security Standards. Retrieved May 20, 2011, from https://www.pcisecuritystandards.org/se...

Figure 3-2
Source: IBM. (2011). Security. Retrieved August 2, 2011, from Cryptocards: http://www-03.ibm.com/security/crypto...

operations. And the most important thing is that these versions of HSMs from IBM qualify for the maximum level of security stan...

3.8.1 Objectives
PINs used in transactions governed by these requirements are processed using the equipment and...
We need to start at the uppermost hierarchy of any organization, that is on the management level, when establishing an Informati...

Figure 3-3
In order to achieve such an implementation in any organization of...

security management as the companies operating their solutions to provide high security levels to their customers. So the fi...

The CSO will identify applicable risks as outlined by ISO 27001, setting a major directive on how to manage information sec...

Figure 3-4

Calculate Risks
To calculate the risks on Information Security as defined by the ISO 27001 standard, w...

ISO 27001 covers the whole organization, but for this thesis my main focus will be on the Objective A.12.3.1, which says: C...

Figure 3-5
Figure 3-6
Created by...

Figure 3-7
The next thing is to define the business assets, including all the ...

Figure 3-8
Figure 3-8 explains how the individual component in the organ...

Figure 3-9
The above figure shows the risk analysis on the basis of ISO 27001...

Figure 3-10

have seen the utility of RM Studio, which has made it easy to assess our organization against these standards. But ...
4 Chapter 4 – Solution

4.1 Prototyping
Now comes the role of Infrastructure Management, the lowest level of manageme...

Figure 4-1
As I have already explained in the previous chapter, first we hav...

in exceptional situations) or degrading awareness and knowledge due to employee fluctuation. So, if a decision is made to ...

The next thing coming up is the environment we need:
There are different possibilities, depending on the organization. As ...

I would prefer to use three different servers to achieve more security; they all stay at the client side (which is to say a...

Special requirements and pre-requisites regarding the execution of the key ceremony: the complete ceremony must be executed...

Regarding the generation of the desired key: it has to be a dedicated system used only for this purpose, and it should be n...

process can handle the whole system easily, which will in consequence secure our whole environment as well. At thi...

ISO 27001. As you can see in Figure 4-2, it consists of three tasks: a start task, a script task and an end task. You ...
Figure 4-3 (created by author)

4.3 PCI-DSS Based Risk Analysis
Now comes the second part of the whole workflow, which is to analyze the risks on th...

4.4 Master key Management
Figure 4-5
Figure 4-5 shows the nex...

The second important tab for us to know is Master key, which is of course used for generating master keys via several Master Ke...

more secure, and it might also be possible that instead of dual control there are three custodians, so we have to invite all ...

Figure 4-7, Figure 4-8 (created by author)

At last you can see the final Figure 4-9, which is the complete workflow that reveals to us the whole concept.

Figure 4-9 (created by author)
Heidelberg University of Applied Sciences, Germany/Heidelberg
Faculty of Informatics

Master Thesis
Business Process Modeling in the field of Information Security

Submitted by Vishal Sharma
Supervised by Prof. Dr. Gerd Möckel and Dr. Peter Misch
August 2011
Company's Supervisor: Dipl.-Ing. Thomas Brandtstaetter
Business Process modeling for the sake of Information Security
By Vishal Sharma
Matriculation no: m1000830

A thesis submitted as a pre-requisite for the Degree of Master of Science

Thesis Advisory Committee

Prof. Dr. Gerd Möckel & Dr. Peter Misch
Heidelberg University of Applied Science
Ludwig-Guttmann-Straße 6
69123 Heidelberg
Germany

Dipl-Ing. (BA) Thomas Brandtstaetter
BÜROTEX Synargos GmbH
Max-Eyth-Str. 21
72622 Nürtingen
Germany
Affidavit

Herewith I declare:
• That I have composed the chapters for the Master Thesis for which I am named as the author independently;
• That I did not use any other sources and additives than the ones specified;
• That I did not submit this work at any other examination procedure;

Heidelberg, (Date) ______________________________
(Signature) ______________________
Acknowledgements

Following the Indian tradition, first I would like to give my heartiest thanks to Germany and its people, who have accepted me here and given me an opportunity to learn and to move further in my life. Not forgetting my family, after staying away from them for almost two years, who are the pillars of my life and always stand by me to give me the strength to accomplish whoever I am today.

Mr. Thomas Brandtstaetter as my mentor has always given me the inspiration to achieve the best and to think in an eco-economic manner which is fruitful to the whole society. I would like to thank him for being with me all the time during this project. As an Indian, the most important people in my life are my teachers (Gurus), Prof. Dr. Gerd Möckel and Dr. Peter Misch, the most generous persons I have met, and the whole staff of Fachhochschule Heidelberg, who always helped me and always motivated me during my studies.

Last but not least, the whole staff of BÜROTEX Synargos, who have always shown me the right path, provided me with all the information which I needed during the six months, and always spent their valuable time with me to discuss things about my project.
Table of Contents

Abstract
1 Introduction
1.1 Various Techniques
1.2 UML
1.3 SOA
1.4 BPMN2.0
1.5 Advantages over others
2 Company Profile
2.1 History
2.2 Core Business
2.3 Cryptography-Typical Application
2.4 Hardware Security Module in Crypto Server-Implementation
2.5 HSM IBM 4764-001 Internal Architecture
2.6 FINPIN
2.7 Functions
3 Conceptualization
3.1 NIST
3.2 FIPS
3.2.1 FIPS 140-2 Level 1
3.2.2 FIPS 140-2 Level 2
3.2.3 FIPS 140-2 Level 3
3.2.4 FIPS 140-2 Level 4
3.3 ISO 27001
3.4 VISA PIN Security Requirements Audit
3.5 PCI DSS
3.6 Devices used
3.7 HSM
3.8 Crypto processor
3.8.1 Functionality
3.9 Payment Card Industry PIN Security Requirements
3.9.1 Objectives
3.10 Establishing Security Measures
3.11 Risk assessment
4 Chapter 4 – Solution
4.1 Prototyping
4.1.1 Key Ceremony
4.2 ISO 27001 Based Risk Analysis
4.3 PCI-DSS Based Risk Analysis
4.4 Master key Management
5 Chapter 5 – Tools
5.1 Bonita Soft
5.2 Bonita User Experience
6 Future Prospects
7 Table of Figures
8 Abbreviations
9 Bibliography
Abstract

We are heading towards the next generation of solutions for making life better with the help of technological advancements; we always talk about futuristic solutions: how we could make the best for our upcoming generations, which should be ecological and fruitful. But we sometimes forget about the fundamentals that help to achieve those things. We have the ideas, we also have the aim in our mind, but still we are not able to get the best results out of the things that already exist. Technology has really helped a lot to achieve that target of making things better: so that it could assist us to work well in organizations, dealing with the problems and, most importantly, for the people to live their lives in a more valuable way.

This master thesis is dedicated to those situations where normal human intelligence is not enough to manage certain complexities around us, of course with the help of technology and our brain power. Whatever we do in our life basically consists of some steps to reach a goal. We start in the morning when we wake up, and everybody tries to give his or her best to make the most out of the day, but still sometimes we are not able to meet the goals we set when we woke up. That is because sometimes we forget to follow our own rules, or sometimes we stick to our rules so rigidly that we cannot even see the other possibilities that can affect our whole process of getting somewhere.

This is only the case of our everyday life, but here we are more concerned about a much more complex process, which is information security, so I am trying to present my views on how to ensure optimum information security, particularly in the field of the payment card industry. In the last few years we have all moved to electronic media for managing and maintaining vital information: the Internet and mobile phones are good examples. We have tried all ways to make it more and more secure, but still we have seen a lot of issues while maintaining it.

This thesis is a research work on such issues and how we could handle them with the right approach. Securing information is one of the most critical tasks in today's world, as the cloud of information is increasing every day. That is because the interaction of humans with machines is increasing at a very rapid rate. As you can see, the dependency on managing information with the help of machines has notably increased; as a result, the complexity of the processes has also increased. As a consequence, the inability to manage vital information is also increasing. Of course machines have made our life easy, but think about a world where you cannot even prove who you are because of a lack in the process of securing the content. The idea is to overcome the issue of being "lost in possibilities".
1 Introduction

My work starts from the definition of "What is a process", and I would answer that a process is nothing more than a set of rules to reach certain results in an optimum manner. But this is a very simple definition of the word "process", and everybody learns it from childhood to achieve the best at school, in various subjects, different sports and other activities. The habit of doing it in a way that achieves the optimum comes automatically. So my point is that everybody is the manager of his own life and the various processes around it. But still we can easily see that we rely on different strategies, techniques and, most of all, technology to make things better, e.g. we use technology to get things done automatically and faster.

But if we come to the reality of complex processes in the corporate world, in these kinds of situations ordinary human intelligence is not enough to handle everything on its own, and there comes the role of IT. It came into existence in the late 60s and since then it has played a major role in everybody's life. As a result, we have been trying to automate things in almost every aspect of life. But we never asked ourselves "are we making the best out of IT", and my answer is yes, but only to some extent.

If we look at today's process infrastructure in any industry, it is very dynamic and very complex in almost every aspect. So we need the concept of business process modeling to make it easy for the users to view, to find solutions around the complications, and to manage things in a useful way.

The basic idea of information security rests on three elementary pillars:

• Availability
• Integrity
• Privacy (in the usual CIA triad this pillar is called confidentiality)

In the context of information security, if there is no privacy, it is not worth it; if it is not available, then there is no use; if there is no integrity, then we have lost the authenticity. So to achieve maximum security we should consider all three points, as without each other they are incomplete and none of them makes any sense.

In a more precise view, the concept of availability depends on the infrastructure: optimal system resources, power backups, backup of the information, disaster recovery management etc. The second thing is to ensure integrity in order to provide a trustworthy information processing system: we must make sure that information is viewed in the same form as it was entered. The third and most important pillar of information security is maintaining privacy, which in turn leads to granular access control to information, secured by means of applied cryptography.
When we talk about privacy in the context of applied cryptography, the first idea that comes to mind is encryption and decryption: we encipher the content and send it to the desired user, and the designated recipient can decipher it to read the original content. This is the most basic definition of maintaining security by applying the methods of cryptography to secure privacy. But in a real working environment it becomes more than the simple definition, as additional security requirements need to be considered:

• Where do we want to ensure security?
• What information needs to be secured?
• Which quality requirements are appropriate?
• How much can we invest into security precautions?

Especially the aspect of applied cryptography receives a more detailed treatment along this thesis. Cryptography is a discipline covering more than just encryption algorithms and the associated cryptographic keys.

Most commonly, these algorithms are implemented in software libraries (e.g. OpenSSL, NSS, CyaSSL and many others), which can indeed increase overall system security. OpenSSL in particular has evolved into a widely used and integrated cryptographic service provider (SSL, 2011).

A closer look into the architecture, though, reveals the focus of the next generation of cyber-criminals and hackers: the potential for compromising cryptographic key material. If an adversary gets access to the clear values of cryptographic keys, he has access to the whole information realm protected by these keys. Hence, the protection of cryptographic keys is an essential requirement for meeting the basic security requirements mentioned above.

To illustrate the risk: whenever cryptography is processed in software using a cryptographic service provider such as OpenSSL, a system dump, provoked by an adversary or caused by erroneous programming, can lead to a key compromise. That is because the keys in operation need to be available in clear form within application memory. This may sound like a very theoretical probability, and even professional risk managers today may still ignore the possible impacts, but such attacks are already becoming reality. In order to reduce the risk of this kind of key compromise, special crypto hardware can be applied to backend servers in order to encapsulate cryptographic functions and keys in tamper-resistant security modules (TRSM, or more generally: Hardware Security Modules, HSM). Well-defined protection profiles, aligned with and certified against international and open standards, enable the highest level of risk reduction covering the technological aspects of applied cryptography.
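To make the key-in-memory risk concrete, here is an added example (my code, not from the thesis and not from OpenSSL or any other library named above) that scans a memory dump for AES-128 key schedules. A software AES implementation must keep the expanded round keys in clear in process memory while the key is in use, and those 176 bytes have a fixed mathematical relation to their first 16 bytes; a scan for windows that satisfy that relation is how cold-boot and core-dump key recovery tools find keys without knowing anything else about the process. The dump is constructed inline (deterministic random filler with one schedule embedded at a known offset, stored as contiguous big-endian words, which is an assumed layout); the function names, the offset and the use of the FIPS-197 test key are mine.

```python
"""Locate AES-128 key schedules in a memory dump (added example, stdlib only)."""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    inverse = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inverse[a] = b
                break
    sbox = []
    for a in range(256):
        x = inverse[a]
        s = x
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF   # rotate left by one bit
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    assert len(key) == 16
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]              # RotWord
            temp = [SBOX[b] for b in temp]          # SubWord
            temp[0] ^= RCON[i // 4 - 1]             # Rcon
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(dump: bytes) -> list:
    """Return (offset, key) for every 176-byte window that is a valid key schedule.

    Cheap pre-check first: only the first derived word (w[4]) is computed and
    compared, so almost every offset is rejected before a full expansion.
    """
    hits = []
    for off in range(0, len(dump) - 176 + 1):
        cand = dump[off:off + 16]
        temp = list(cand[13:16]) + [cand[12]]       # RotWord(w[3])
        temp = [SBOX[b] for b in temp]
        temp[0] ^= RCON[0]
        w4 = bytes(a ^ b for a, b in zip(cand[0:4], temp))
        if w4 != dump[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == dump[off:off + 176]:
            hits.append((off, cand))
    return hits


# Constructed sample: 4 KiB of random filler with one expanded schedule at a
# fixed offset, the way a software AES context holds its round keys in clear.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
SAMPLE_OFFSET = 1337                                              # assumed location


def build_sample_dump(seed: int = 7) -> bytes:
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(4096))
    dump[SAMPLE_OFFSET:SAMPLE_OFFSET + 176] = expand_key_128(SAMPLE_KEY)
    return bytes(dump)


if __name__ == "__main__":
    for offset, key in find_aes128_keys(build_sample_dump()):
        print(f"AES-128 key schedule at offset {offset}: key = {key.hex()}")
```

Against a real core dump or a /proc/PID/mem snapshot the same scan applies unchanged; what an HSM changes is that the schedule never exists in host memory at all, so there is nothing for the scan to find.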
Another scenario covers the usage of untrustworthy keys, in case an associated notary function has been compromised. Notary functions that assign higher trust levels to cryptographic key material using digital signatures are typically implemented as a Certification Authority (CA) for digital certificates. As a matter of fact, digital certificates can be seen as today's pillars of the stage on which the play of applied cryptography is performed, especially in the act "Trusting the internet and its web services".

As an example, a man-in-the-middle attack using rogue digital certificates can be named. Further information regarding the recent attacks on CAs like Comodo and DigiNotar can be found here:

Unauthorized issuing of Google certificates. Source: Sophos. (2011). Naked Security. Retrieved September 4, 2011, from http://nakedsecurity.sophos.com/2011/08/29/falsely-issued-google-ssl-certificate-in-the-wild-for-more-than-5-weeks/

Hack on DigiNotar. Source: Ars Technica. (2011). Retrieved August 3, 2011, from http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars

A brief summary of the above-mentioned cases reveals that security cannot be achieved solely by integrating technological measures without a strong focus on organizational measures.

This thesis will focus on possible misconceptions, unveiling the missing link in the overall security equation and how possible mitigations can be implemented, especially on the basis of holistic and risk-managed business process management and its dedicated workflows.

If cryptographic key material is not managed properly, e.g. not renewed on time, then system availability cannot be assured. Certain keys must be securely generated, distributed and imported at the corresponding crypto node on a cyclic basis, for instance yearly. In certain cases, when a key is not provided in time, a business service may be disrupted for longer than tolerable, thus harming business processes by causing severe revenue losses.

Various international solution manufacturers have started responding to the growing need for holistic enterprise key management systems and infrastructures over the last 10-20 years. As of today, the outcome can be reduced to a simple conclusion: even though many key management tools exist, they are mostly island solutions, lacking standardization or standards harmonization, thus introducing a multitude of key import formats and processes, leading to expensive integration investments or increasing the possibility of single points of failure.
Even though standardization efforts show significant improvements, such as KMIP (Key Management Interoperability Protocol) driven by the OASIS group, the outcomes are solutions mainly on the technological level, with little attention to the organizational level. Due to departmental boundaries within organizations and different perspectives and priorities along the management lines, gaps in the organizational aspects of information security are most common.

Uncertainty of employees, the impact of change management, the effects of mergers and acquisitions, time pressure on projects due to rapid market developments and oversized shareholder expectations all lead to a very dynamic business environment, which easily disturbs business continuity and degrades the awareness needed for establishing and maintaining a holistically oriented information security management system on a cross-company level.

While discussing an overall concept of IT-based orchestration of business process management on the one hand, I will also guide a down-the-rabbit-hole journey through the roundabouts of the administration and management of critical cryptographic key material for cryptographic service providers. These are typically seen as black-box systems and operations on the IT system administration level, providing the required cryptographic services to various levels of information processing components, like business applications, middleware, operating systems, network devices and long-term information storage.

In today's business world there is a significant and growing demand for information security based on applied cryptographic services, and therefore also on cryptographic keys. The evolution has taken place in a rather subtle manner, multiplied by the achievements of the internet era, and is increasingly under severe compliance pressure due to the multitude of successful attacks by cyber-criminals, or even just system failures as a consequence of underestimated quality assurance and inexplicable processes and workflows.

Therefore, an enterprise can face pervasive dependencies inherited in the IT landscape, caused by missing knowledge about the lifecycle and whereabouts of cryptographic key material. As an example: not knowing the whereabouts of cryptographic keys can lead to severe conflicts with national laws, in case law enforcement agencies are entitled to access company information within an investigation. Access to information can require decryption of an information database, which is hindered if the corresponding encryption key is not accessible or cannot be recovered.

Summing up, the establishment and operation of cryptographic infrastructures requires more than conventional system integration of IT systems. Each
implementation of a cryptographic service provider and its use by applications requires profound system planning and process integration.

A very crucial aspect in this context is the risk introduced when initially setting up cryptographic infrastructures. Professional, trustworthy and certified crypto equipment (smartcards, smartcard readers, password tokens, Hardware Security Modules (short: HSM, also called tamper-resistant security modules: TRSM)) requires a primary protection layer, which needs to be managed using well-defined and approved workflows under dual control and/or co-signing.

Source: Brandtstaetter, T. (2011). Cyber Crime. Nürtingen: personal communication.

The whole concept of protecting cryptographic keys starts with generating a key, also known as a master key, which encrypts or decrypts the other keys lying below it in the key hierarchy. This is the most essential requirement for maintaining security. But as I have already mentioned, the concept of applying cryptography depends on many other factors, especially regarding the realm for which we want to achieve the security goals. Due to the vast number of standards that have to be met by the industries and the international compliance guidelines that may have to be followed, the location of the area in which one wants to apply cryptography should be carefully checked against the national laws. In such situations you may not be allowed to use certain cryptographic algorithms, or you may have to limit the key length. In these cases the operational controls for cryptographic infrastructures exceed the white-paper presentation usually found on applied cryptography.

To put together a more practice-oriented approach, this master thesis basically considers the area of the payment card industry in terms of information security, which is of course very crucial in today's global world. Almost everybody uses ATMs these days to withdraw money from their bank accounts, but most people don't know how they work. Because people increasingly rely on standards like VISA, PCI PIN Security Requirements and PCI-DSS, they may think that it must be secure enough if they are following these standards. But still every day we can see a lot of forgeries and a lot of hacks everywhere around the world, and most of the time they arise because of human negligence. This thesis will provide a strategic and practicable approach to closing those loopholes, which are more of an organizational than a purely technological nature. Technologically we are advanced enough to make the system secure, but in order to achieve and maintain that level we depend on more than only highly diverse technologies.
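The master key passage above says the top of the key hierarchy has to be created under dual control, and the key ceremony chapter later in the thesis describes doing that with a key that always consists of at least two components held by different custodians. The following added example (my code, not from the thesis and not the HSM vendor's ceremony software) models that split-knowledge ceremony: every custodian's component is random on its own, the master key is the XOR of all components, and each component as well as the final key gets a key check value (KCV) so that a custodian can confirm a correct entry without disclosing the component. The check value here is a truncated SHA-256, labelled in the code as a stand-in for the usual encrypt-a-zero-block KCV, because the Python standard library has no block cipher; the component count, key length and function names are my assumptions.

```python
"""Master key assembly from custodian components under split knowledge (added example)."""
import hashlib
import secrets
from typing import List, Tuple

KEY_LEN = 16   # master key length in bytes (assumption: AES-128 sized)


def check_value(key: bytes) -> str:
    """Key check value (KCV): first 3 bytes of SHA-256(key), as hex.

    Stand-in for the industry KCV (first 3 bytes of the zero block encrypted
    under the key). A KCV lets a custodian confirm the component was typed in
    correctly while revealing nothing useful about the component itself.
    """
    return hashlib.sha256(key).hexdigest()[:6]


def verify_component(component: bytes, kcv: str) -> bool:
    """True if the entered component has the right length and matches its KCV."""
    return len(component) == KEY_LEN and check_value(component) == kcv


def generate_components(n: int) -> List[Tuple[bytes, str]]:
    """Produce n independent random components, each paired with its KCV.

    The master key is the XOR of all n; any n-1 of them are jointly still
    uniformly random, so no subset short of the full set learns the key.
    """
    if n < 2:
        raise ValueError("dual control needs at least two custodians")
    return [(c, check_value(c)) for c in (secrets.token_bytes(KEY_LEN) for _ in range(n))]


def combine_components(entered: List[Tuple[bytes, str]]) -> bytes:
    """Rebuild the master key, checking every component's KCV before XORing it in."""
    if len(entered) < 2:
        raise ValueError("dual control needs at least two components")
    master = bytes(KEY_LEN)
    for idx, (component, kcv) in enumerate(entered):
        if not verify_component(component, kcv):
            raise ValueError(f"component {idx}: KCV mismatch, custodian must re-enter")
        master = bytes(a ^ b for a, b in zip(master, component))
    return master


def run_ceremony(n_custodians: int) -> dict:
    """Full ceremony: generate components, re-enter them, record the master KCV.

    Only the components (one per custodian envelope) and the master KCV would
    be written down; the master key itself goes straight into the HSM. It is
    returned here so the caller can check the result.
    """
    components = generate_components(n_custodians)
    master = combine_components(components)
    return {"components": components, "master_kcv": check_value(master), "master": master}


if __name__ == "__main__":
    result = run_ceremony(3)
    for i, (_, kcv) in enumerate(result["components"], 1):
        print(f"custodian {i}: component KCV {kcv}")
    print("master key KCV:", result["master_kcv"])
```

The master KCV is what gets recorded in the ceremony log and compared against the value the HSM reports after import; a mismatch there means a component was entered wrongly or a custodian is missing, and the XOR construction guarantees that any incomplete set of components produces an unrelated key rather than a partially correct one.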
So here I am trying to give a strategic approach to follow a plethora of standards and to achieve the maximum information security possible, reducing mistakes, covering a multitude of loopholes and balancing efforts:

1.1 Various Techniques

The complexity of the various technologies is increasing every day, and the desire to make them simpler is increasing as well. Lots of ideas have come and gone in the past to make the world simpler, but only a few persist. If we talk about simplicity, then we envision an interactive system with which we can interact and which can give the answers to our issues, which can maximize profits, maximize outputs, minimize risks, maximize the possibilities of change management etc. Below I introduce some strategies that we have used so far and on which we still rely at different levels, depending on the scope of requirements.

1.2 UML

The techniques of the Unified Modeling Language (UML) are used to model artifacts, that is to specify, modify, visualize and construct during the system or software development process. It came onto the market after hard work by Rational Software Corporation. UML provides us with a very good way of understanding different aspects and perspectives of a software or system with the help of standardized diagrams for modeling. We can easily design prototypes and blueprints for testing purposes.

Advantages:
We can use it to re-engineer existing systems, for instance if these were not properly documented. Using UML improves collaboration and co-operation within larger development teams, enables cost reduction in external auditing and supports interactive work during the software engineering process.
Figure 1-1
Source: Ambler, S. (2010). fox.wikis. Retrieved August 2, 2011, from http://fox.wikis.com/wc.dll?Wiki~BusinessRulesAndUML

UML started the first revolution in handling complex business processes. It has provided many useful elements to keep track of a process and to visualize it for simplicity:
- Activities
- Actors
- Business processes
- Database schemas
- Logical components
- Programming language components
- Software components
1.3 SOA

Service Oriented Architecture is a combination of different services which are loosely coupled but from which, in the end, we can benefit by combining them together. It is a kind of framework that covers various disciplines to conceptualize, analyze, design and architect service-oriented assets. It was a great achievement for us to come to this point, as SOA has given us the power to integrate various things together and to give the optimal output. But still it was basically meant for the IT industry, which is not enough if we deal with the complexity of today's world.

Figure 1-2
Source: Corbasson, L. (2007, December 24). SOA. Retrieved August 1, 2011, from http://en.wikipedia.org/wiki/File:SOA_Metamodel.svg
Disadvantages:
Both models mentioned above concentrate on issues regarding the IT industry and don't cover the holistic aspects of business processes in any kind of industry. They both focus on the development of software and systems in the field of IT, but they are not aligned to the process-oriented business demands that incorporate IT beyond today's system integration of island solutions.

1.4 BPMN 2.0

Business Process Modeling Notation 2.0 comes with a lot of hopes and a lot of expectations for the many industries which have been trying to automate their processes for a long time; handling processes has been a big problem for a long time, in industries and in general. People in different industries have been surrounded for years by the question of how to generate culminating results out of any process. Many management techniques were introduced to handle the various issues within the industry (like policy management, risk management, disaster recovery management etc.), but we were never able to conglomerate all issues together to provide the unrivaled solution. We have tried to work with different technologies so that we could manage different processes, as I have already mentioned for a few of them above. But BPMN has provided all those functionalities and given us a platform which is not only suitable for the IT industry but can fulfill a wider scope of requirements depending on the demands of various industries.

1.5 Advantages over others:

As I have shown above, the two basic approaches to fulfill our intrinsic requirements have their limitations in comparison to BPMN. Apart from fulfilling our needs not only in IT, it gives us a wide variety of tools to play with as well. This eventually makes it more concrete to measure the complexity, and more scenic. It also provides a much better chance for users to understand it easily. It has a wide range of notations that give us a lot of freedom in designing in order to reduce the complexity.
Some of its features are as follows:
- We can design and implement various complex processes (like in designing a car)
- Choreography
- Orchestration
- Ease of use
- Easy to visualize
- Human tasks
- Gateways
- Message flows
- Group tasks
- Collaborations

There are many tools available to apply BPMN to the design and implementation of any workflow or the modeling of any process. But it is always a challenging task to decide which one to choose.

During the progress of my work, many options were available. Since I intend to attract the open public to the topic of my thesis, I have focused on open source tools only, in order to promote rapid applicability. The bewildering variety of open source technologies and solutions is obviously steadily increasing, so I also wanted to contribute to this development. I have chosen to analyze the following candidates:

Activiti
Source: Activiti. (2011). Components. Retrieved May 20, 2011, from http://www.activiti.org/components.html

JBPM5
Source: Community, J. (2011). JBPM. Retrieved May 20, 2011, from Documentation: http://www.jboss.org/

Bonita Soft
Source: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, from Resources: http://www.bonitasoft.com/

Which tool to choose depends on the requirements, because every tool has some advantage over the others. So it depends on exactly what we actually need to do, the complexity of the process or the whole infrastructure we have to cope with. For my work I prefer Bonita Soft for further evaluation and prototyping.
According to Forbes magazine, companies relish the prospect of reducing complexity while cutting and maintaining IT infrastructure, and that is the main motive behind the introduction of BPMN to the market. So with the help of BPMN we can not only reduce complexity but also reduce cost, reduce stress etc.; so far these are the achievements of BPMN.
2 Company Profile
2.1 History

1992 – 2009 SYNARGOS GmbH
- International projects with leading banks, manufacturers and providers (data processing centers, outsourcing)
- Design and implementation of applied cryptography (key management and protocols) using hardware security modules (HSM) for banking networks, based on solutions from leading manufacturers for achieving the highest security ratings possible (NIST FIPS 140-2 Level 4)

2010 – 2011 BÜROTEX Synargos GmbH
- Continuation of the line of business
- Business extension to infrastructures for business processes based on mobile computing: RFID, NFC (near field communication), secure user authentication using smart phones
- Establishing & securing critical business processes
- Project development
- Software and systems engineering
2.2 Core Business

1. Establishing & Securing Business Processes
- Securing electronic payment systems for financial transaction solutions via dedicated and internet-based networks (home banking)
- Card-based payment systems in networks running ATM and POS

2. Project & Solution Development
- Requirements management
- Feasibility studies
- Consulting, training & education
- Tendering support
- Project management
- Sub-contracted and full-scale project realization
- Security and risk management (ISO 27001)
- Audit support (PCI-DSS, VISA PCI PIN Security Requirements)

3. Software and Systems Engineering
- Standard processes and methodologies
- Architecture, design and quality assurance using the methodologies of cybernetics
2.3 Cryptography – Typical Applications

Today, applied cryptographic methods reach almost all areas of information processing. Typical applications are:
- The encryption of personal data, e.g. credit card information
- Securing information during transmission within card-based payment systems
- The calculation of personal data for the pre-personalization of chips for smart cards
- The production and use of digital signatures for certificates signed by Certification Authorities

2.4 Hardware Security Module in Crypto Server Implementation

The MX42 crypto server is delivered as an appliance with one or more HSMs. The appliance is produced at BÜROTEX Synargos under highly secured conditions, with maximum measures regarding quality-assured components and quality-assurance processes:
- Hardware platform: IBM x3650 server, IBM 4764-001 HSM (certified to FIPS 140-2 Level 4)
- Software platform: SUSE Linux Enterprise Server (certified by Common Criteria EAL4+), IBM CCA Services (basic crypto API), BÜROTEX Synargos MX42 FINPIN software (software engineering using the Rational Unified Process, with extensions using the V-Model when required by customers)

The integrity of the appliance is detectable.
2.5 HSM IBM 4764-001 Internal Architecture

Figure 2-1
Source: IBM. (2005, October). Security. Retrieved August 2, 2011, from Crypto Cards: www-03.ibm.com/security.cryptocards/pcixcc/library.shtml
2.6 FINPIN

Background of the Cryptographic Abstraction Layer
- Name origin: Financial PIN Services
- Description: FINPIN is an Application Programming Interface
- Architecture: Client/Server
- Licensing: As a feature enhancement to the crypto server MX42
- Usage: Applications can use the cryptographic services of the MX42 crypto server via the FINPIN API. FINPIN provides the basic features, but you can also add other features.

Characteristics:
- The FINPIN interface is extensible
- The parameterization of key names is flexible and provides generic referencing for the application
- Inside the crypto server a FINPIN call can be divided into several crypto functions
- No clear key and no intermediate results of cryptographic protocols exist outside the HSM
- The application is decoupled from the key management
- Key administration for the initial keys, e.g. the master key of the HSM and delivery of the transport key
2.7 Functions

Possible general functions are:
- GMPX – German MAC/PAC Extension
- GTPV – German Triple DES PIN Verification
- EMVX – Euro Card Master Card Visa Card Extension, scripting for secure crypto OS cards

Note: Other information about customer-specific functions on demand.

Source: BÜROTEX Synargos. (2011). FIPS. Nürtingen: Communication within the company.
3 Conceptualization

I have already mentioned the concept, starting from encrypting data, which itself is the result of enciphering with the help of a key. But it always depends on the technologies that you want to use and the company's policies, so these two things are the most important to consider first. Applied cryptography for securing critical business processes based on hardware security modules is today's choice when bringing cryptographic strength into the IT security realms of critical businesses. You will get to know more about Hardware Security Modules soon, which really ensure a high level of security. So technologically we have enough means to ensure the optimum level of security. Still we see a lot of nullifying results every day; that is because we are not able to manage certain things properly, which leads to many security loopholes. These organizational loopholes are very easy to understand, but most of the time they are not accepted, due to conflicts of interest. Very often they are taken for granted, and at the end of the day we see devastating results as the outcome of initially small mistakes. This thesis is a work on these kinds of situations, and I am trying to figure out how we could overcome those gaps.

My main focus is on the payment card industry, and when you talk about this industry you can easily imagine that it needs high-end security, since it is mostly very complex and not easy to manage. Almost everyone is related to this industry in today's world, but generally people don't want to go into details.

So before diving into the most complex part, I will provide here a brief description of some of the standards that we have to follow while handling issues related especially to this industry.

3.1 NIST

The National Institute of Standards and Technology is responsible for U.S. security standards that have spread internationally and been adopted by the security industry and its applications.
Its major task is to promote innovation and the technological advancement of security standards and certified solutions, so that they are widely accepted by governments and industries for the global benefit of society.

3.2 FIPS

Federal Information Processing Standards are US government computer security standards that specify requirements for cryptographic modules. There are different modules available depending on what kind and what level of security you need in your organization, and some standards have already been defined for particular organizations. These standards have been defined by NIST to ensure optimum security levels for processing
information. Amongst these standards, some cover the security demands for the implementation and accreditation of cryptographic modules: FIPS 140, here especially FIPS 140-2. It is basically categorized into four levels:

3.2.1 FIPS 140-2 Level 1:
This is the lowest level of security; it provides only a limited level of security, and a remarkably good level of security is actually absent at this level. An example of security level 1 is a personal computer encryption board, or the FIPS validation of OpenSSL, which is validated to FIPS 140-2 Level 1.

3.2.2 FIPS 140-2 Level 2:
It adds the concept of physical tamper-evidence, which makes interference with the device from the outside world visible. It is actually a kind of seal placed over the cryptographic device, so that an attacker has to go through this layer of coating; if he or she breaks this coating, the authorized person will be informed. It also facilitates the availability of role-based authentication.

3.2.3 FIPS 140-2 Level 3:
In addition to tamper-evidence, level 3 also ensures that an intruder cannot gain access to the Critical Security Parameters held within the cryptographic module. This layer especially focuses on physical intrusion into the module and how to handle it. It also ensures security through the concept of split knowledge, because of which you can trust the system, trust yourself and trust others; that is why the knowledge is always divided between two people.

3.2.4 FIPS 140-2 Level 4:
This level enforces the maximum level of security for cryptographic modules, providing tamper-detection and tamper-prevention against attacks, requiring an internal overall mesh coating for achieving maximum resistance against tampering.
Also enforced is protection against X-ray tampering, atmospheric tampering (temperature, surrounding air pressure) and voltage tampering; the module must exactly test and detect all possible tampering in its operating environment and, in case of a tamper, zeroize all security elements within the module, thus taking the device out of operation and preventing successful attacks.

Source: BÜROTEX Synargos. (2011). FIPS. Nürtingen: Communication within the company.
Another most important standard is ISO 27001, which is by far the basis for defining a management process to assure information security. Being in this kind of industry and focusing on optimum security measures, one should adhere to the ISO 27001 standards family. Initially the British Standards Institution developed a standard called BS 7799, which was used to develop and implement an Information Security Management System, commonly known as ISMS. Its main focus was on the availability, integrity and confidentiality of organizational information. But it was initially a single standard; later on they added some more information to it and it became ISO 17799. Then ISO 27001 mandated the use of BS 7799, so it is actually today the second part of ISO 27001. It is also beneficial for companies who already hold the ISO 9001 standard, which basically ensures a quality process.

ISO 27001 basically consists of four steps which cover most of the organizational security measures:

PLAN (Establish the ISMS):
Establish the ISMS policy, objectives, processes and procedures that are relevant for managing risks and improving information security, to deliver results in accordance with an organization's overall policies and objectives.

DO (Implement and operate the ISMS):
Implement and operate the ISMS policy, controls, processes and procedures.

CHECK (Monitor and review the ISMS):
Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.

ACT (Maintain and improve the ISMS):
Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

Source: ISO-27001. (2011). itgovernance. Retrieved July 10, 2011, from Compliance: http://www.itgovernance.co.uk/iso27001.aspx
Figure 3-1 (created by author)

3.3 VISA PIN Security Requirements Audit:

Visa explains in its standard the management of the master key, which starts with its generation. As I said above, the enciphering of data can be done with the help of a key, and at the topmost level in the hierarchy of keys it is called the Master Key. We need to take some precautions while managing master keys, and VISA helps us to do that.

We need to set up an environment to manage the whole process. The first and foremost thing is to have a minimum of dual control for every process, so that there will always be two people who are responsible for the management of the master key. The reason for this is to secure the master key from the person himself. By dual control the knowledge about the secret (master key) is always segregated between two people, so that without each other they cannot obtain knowledge of the complete final key.

It depends on the security policies into how many pieces we divide that key; we can even divide it into three parts, depending on the policy we are using. So the master key
always consists of a minimum of two parts, and to do so we need at least two people (key custodians and their deputies) who are responsible for this purpose. So the first thing is to decide who these two people are going to be; it depends on the management where we are implementing it. In our case we will call them Custodian 1 and Custodian 2. According to the Visa requirements there are basically 7 stages to ensure the security of the key:
- Secure equipment and methodologies
- Secure key creation
- Secure key conveyance/transmission
- Secure key loading
- Prevent unauthorized usage
- Secure key administration
- Equipment management

Source: VISA. (2004). PIN Security Requirements. Retrieved May 20, 2011, from https://partnernetwork.visa.com/vpn/
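As an added illustration of the split knowledge mentioned for FIPS 140-2 Level 3 and of the dual control and key components described in the VISA section above (example code written for this edit, not part of the thesis and not code from any vendor's product or HSM), the following shows how a master key can be held as components by Custodian 1 and Custodian 2 (or more custodians) so that no single person ever learns the complete key. It assumes, as a common practice the thesis itself does not state, that the components are full-length random values combined by bitwise XOR, and that the master key is a 24-byte Triple-DES key, so odd parity is applied to each byte after combination; the custodian names and the ceremony functions are hypothetical.

```python
"""Split knowledge for a master key using XOR key components.

Added example; not code from the thesis or from BUEROTEX Synargos.
Assumptions (not stated on the page): components are combined by XOR,
and the master key is a 24-byte Triple-DES key with odd parity bytes.
"""
import secrets
from typing import List, Sequence, Tuple

KEY_LEN = 24  # assumption: three-key Triple-DES master key


def xor_bytes(*parts: bytes) -> bytes:
    """Bitwise XOR of equal-length byte strings."""
    length = len(parts[0])
    if any(len(p) != length for p in parts):
        raise ValueError("all key components must have the same length")
    out = bytearray(length)
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def set_odd_parity(key: bytes) -> bytes:
    """Force DES odd parity: the upper seven bits carry key material and the
    least significant bit is chosen so every byte has an odd number of 1 bits."""
    adjusted = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        adjusted.append(high7 | (0 if ones % 2 else 1))
    return bytes(adjusted)


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of the key has odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def generate_components(custodians: int, key_len: int = KEY_LEN) -> List[bytes]:
    """Key creation step: each custodian receives one independently random,
    full-length component and never sees the others."""
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    return [secrets.token_bytes(key_len) for _ in range(custodians)]


def combine_components(components: Sequence[bytes]) -> bytes:
    """Performed inside the HSM: XOR all components and apply odd parity.
    This is the only place where the complete master key exists."""
    if len(components) < 2:
        raise ValueError("dual control requires at least two components")
    return set_odd_parity(xor_bytes(*components))


def component_completing(partial: Sequence[bytes], candidate_key: bytes) -> bytes:
    """For an incomplete set of components, return the missing component that
    would make the combined key equal candidate_key. Because such a component
    exists for every candidate, an incomplete set is consistent with every
    possible key: the holders of the partial set learn nothing about it."""
    return xor_bytes(*partial, candidate_key)


def load_master_key(entries: Sequence[Tuple[str, bytes]]) -> bytes:
    """Key loading step under dual control: every component must be entered by
    a different custodian; a single person entering two components is rejected."""
    names = [name for name, _ in entries]
    if len(set(names)) != len(names):
        raise PermissionError("dual control violated: a custodian entered more than one component")
    return combine_components([component for _, component in entries])


if __name__ == "__main__":
    # Constructed ceremony: three custodians, each holding one component.
    comps = generate_components(3)
    master = load_master_key([("Custodian 1", comps[0]),
                              ("Custodian 2", comps[1]),
                              ("Custodian 3", comps[2])])
    print("master key has odd parity:", has_odd_parity(master))
```

The check in `load_master_key` is the organizational part of the control: the cryptography alone does not prevent one person from collecting all components, so the ceremony has to enforce that distinct custodians enter them, and `component_completing` shows why an incomplete set of components gives its holders no information about the final key.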
3.4 PCI DSS:

The Payment Card Industry Data Security Standard is an information security standard covering data security requirements regarding the security of the personal data of a bank's customers, who hold credit cards, debit cards, prepaid cards, e-purse, ATM and POS cards etc. This standard was basically meant to reduce the risk of fraud in the payment card industry. It applies to all entities which are involved in payment card processing, like merchants, processors, acquirers, issuers and service providers, as well as all other entities which process and store the card holder's details.

There are 12 requirements for meeting PCI DSS, which are divided into 6 groups:

Build and Maintain a Secure Network
Requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirements:
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirements:
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirements:
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirements:
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
Requirements:
- Maintain a policy that addresses information security
Source: PCI-DSS. (2011). PCI Data Security Standards. Retrieved May 20, 2011, from https://www.pcisecuritystandards.org/security_standards/

3.5 Devices used

There are also some kinds of devices that we use to reach the maximum level of security; some of them are as follows:

3.6 HSM:

It stands for Hardware Security Module and is defined as a hardware component and associated software that is usually installed inside a computer and provides a tamper-resistant environment for itself. An HSM is basically used for the secure generation of key material, encryption, decryption, hashing etc.

There are many HSM manufacturers available in the market today, but IBM is one of the global players and also the most renowned in the HSM market, being the first company in the market to have achieved FIPS 140-2 Level 4 validation by NIST for their HSMs.

IBM's tradition of participating in the HSM market with cryptographic co-processors that can be additionally installed by customers in backend servers reaches back to 1989, when the first HSMs in the form of cryptographic co-processors, the tamper-resistant IBM 4755 (adapter card) and IBM 4753 (Network Security Processor for IBM mainframes), were introduced. Along with this product availability IBM introduced IBM CCA.

Today IBM has basically two products available in the market: IBM 4764 and IBM 4765, whose cryptographic services are made available to applications via the IBM Common Cryptographic Architecture (CCA).

Even before the CCA era, IBM provided tamper-resistant cryptographic modules as system-immanent components, for instance on the IBM 4700 controller series, which reaches back to the seventies.

Being designed for long durations of operation, the IBM HSMs are used by top 500 companies, especially the ones using IBM mainframes (zSeries). With proper maintenance, meaning regular exchange of batteries, the HSMs can be operated for a duration of up to 10 years.
Figure 3-2
Source: IBM. (2011). Security. Retrieved August 2, 2011, from Cryptocards: http://www-03.ibm.com/security/cryptocards/pcixcc/4764SerialNumbers.shtml

It does not only provide security by its tamper-proof architecture, but also accelerates the processing time for functions like key generation, encryption, decryption and digital signing. There are many kinds of algorithms available today for encryption and decryption; some are really complex and consume too much CPU power when using software crypto libraries on a server. When we talk about the payment card industry, then of course we are thinking about a very high volume of transactions requiring crypto operations every day. So of course we need to handle the operations very quickly, and in some cases an HSM can successfully off-load a server's CPU when performing crypto
operations. And the most important thing is that these versions of HSMs from IBM qualify for the maximum level of security standards, called FIPS 140-2 Level 4.

Source: BÜROTEX Synargos. (2011). FIPS. Nürtingen: Communication within the company.

3.7 Crypto processor

A crypto processor is nothing more than a chip embedded in an HSM for carrying out cryptographic operations. It also provides a certain degree of tamper resistance.

3.7.1 Functionality:

In general, the way we ensure security is to bind the software to a piece of hardware so that only the legitimate user can have access to the software. But in order not only to prevent the execution of the software on other machines but to protect the entire software from any access, we require a security perimeter that keeps unauthorized reverse engineering from observing the memory and the execution of instructions. The manual solution is to keep the computer in a locked room so that only the desired people can have access to the hardware and the software, but the problem lies there: only few people can have access to the room. But there is another approach, which is called IBM's µABYSS project. Here the security perimeter protects a single printed circuit board inside a workstation. The operating system and cryptographic keys are stored in battery-buffered static RAM chips that are located on the same board as the CPU, the system bus, the hard disk controller, a real-time clock and a battery. The board is surrounded on all sides by an alarm mechanism that consists of a multilayered winding pattern of a pair of fine wires, which is embedded into hard opaque epoxy resin. Any attempt to tamper with the security module will trigger the alarm and wipe out the software and the keys from the battery-buffered RAM.

Source: Kuhn, M. (1997, April 30). Cambridge.
Retrieved May 20, 2011, from http://www.cl.cam.ac.uk/~mgk25/trustno1.pdf

3.8 Payment Card Industry PIN Security Requirements:

It basically consists of 7 objectives which tell us all the required parameters to ensure PIN security.
3.8.1 Objectives

- PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
- Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than others.
- Keys are conveyed or transmitted in a secure manner.
- Key loading to hosts and PIN entry devices is handled in a secure manner.
- Keys are used in a manner that prevents or detects their unauthorized usage.
- Keys are administered in a secure manner.
- Equipment used to process PINs and keys is managed in a secure manner.

Source: PCI-DSS. (2011). PCI Data Security Standards. Retrieved May 20, 2011, from https://www.pcisecuritystandards.org/security_standards/

So far you have seen that to maintain all the security we need a lot of standards. It is a must-have condition to follow all these standards to be in this industry; otherwise we cannot assure optimum quality. But the standards are so complex that many a time we commit mistakes, and even though these standards tell us all the formalities, they never tell us how to apply them; and if you look into the details of every standard you can even find a lot of loopholes. That is where I am trying to focus in this master thesis.

3.9 Establishing Security Measures

As you can understand the importance of a Master Key by now, which was generated during the initial phase, the rest of the security assurance will always depend on the handling and protection of the Master Key. If the master key itself is compromised, then there is no use in securing anything underneath the Master Key, as it is the root cause of the vulnerabilities. Using various technologies and different standards we safely generate the master key, which itself is not easy to crack.
The next step is the real challenge: to place it into the HSM and its real operational environment. Here lies the actual problem: how can we manage the master key to ensure security at its optimum? The standard defines the measures one should take to ensure security, but it doesn't define how we can establish them in a real-world enterprise.
We need to start at the uppermost level of the hierarchy of any organization, that is at the management level, when establishing an Information Security Management System (ISMS) that identifies and manages the risks to vital assets such as a Master Key. When business processes are tied to a profound ISMS, the awareness is in place to manage the risks and assure the measures needed to prevent the impact of possible loopholes that could lead to compromises of Master Keys.

Information Security:
In my scenario of a holistic coverage of security awareness, starting from the Information Security Management level all the way down to the operational level, where Master Keys are processed on the system level, I want to identify basically three layers, which consist of:
1. Management – risk assessment (which basically consists of ISO 27001)
2. Business Process – following all the standards (PCI DSS mainly)
3. System – management of the master key
Figure 3-3 (created by author)

In order to achieve such an implementation in any organization, you will of course need to segment the security context across different departments, which is another managerial task to accomplish. So for my purpose I will divide the whole process into three different layers within an organization:
- Top Management
- Line of Business Management
- Infrastructure and System Management

If you look at the whole scheme, then you will say it is the top management's job to decide what they want to go for, depending on the objectives and the strategies of the company. Top management basically consists of the highest-ranking executives like the managing directors, president, vice presidents etc., and their main responsibility is to define the goals, objectives, strategies and for sure the future of the company. As their job stands at the top of a company's organizational hierarchy, they will have to decide whether they want to go for a profound Information Risk and Security Management system or not.

If you look at today's business world, it becomes a necessity to follow all required standards and compliance issues. Otherwise a company's leadership may last for a short period of time only, which also applies to manufacturers of security solutions, which require the same awareness in
security management as the companies operating their solutions to provide high security levels to their customers.

So the first step in order to ensure security starts with risk assessment. Top management will have to identify and manage the risks for the company's future related to a particular business, and if they want to persist in the business then they have to commit to the required processes.

Now, if you have decided to go for all these standards, then comes the second phase, which is line management, who will plan to get the desired output; or we could say the people who are responsible for meeting the corporate goals, maintaining the policies and all the standards. A line manager could be anybody, depending on the industry in which you are participating. As in any company, we need a person who will handle the probabilities of the risks regarding the particular working field. In our case he must be a person who will handle the desired goals in real time to get the desired output that the top management has planned. He will manage the resources under him to get the predefined result, and it is his job to plan how to reach those targets.

The third and last layer I will consider is called Infrastructure Management: the people who are responsible for the daily operations as defined by the top management and planned by the line of business management.
They will also have to adhere to standards depending on the industry area you work in, but in the case of IT infrastructure operations, the ITIL standards framework is a good approach to follow.

3.10 Risk assessment:

Top management is responsible for managing the overall risks for the company and needs to govern all the necessary measures that need to be fulfilled, so they will generate a set of objectives, and the second line of management will handle all those objectives.

In my scenario top management is responsible for defining the objectives of the ISMS. The Chief Security Officer (CSO) will decide and plan to which extent an ISMS is needed and how efficient its implementation will need to be. Current developments and trends show that companies accept the international standard ISO 27001 as a guideline for implementing an ISMS, which is the reason why I will further focus on it.
The CSO will identify applicable risks as outlined by ISO 27001, setting a major directive on how to manage information security. But depending on the business area and its diversifications beyond ISO 27001, other standards could also apply, resulting from the nature of the business risks.

The second line of management will take care of risk assessment to meet those targets according to the desired standards. Various technologies, implementation strategies, standards and studies are available in the market that allow individual approaches for establishing an ISMS.

In my work, I have used the RM Studio application from Stiki (Iceland). This tool is basically used to analyze the security risks while focusing on ISO 27001 and other security measures. The advantage of RM Studio compared to an implementation of an ISMS based on Excel is the round-trip management that is possible with yearly audits and re-certifications, as well as the intelligent reporting system that produces assessment and audit reports on the fly, thus saving considerable valuable time.

It has already predefined all the necessary requirements that can apply to a company. Very practical is the fact that standards like ISO 27001 or PCI-DSS are already copied verbatim into the database of RM Studio, which saves valuable time in editing. In addition, the standards are available in different languages, making it quite convenient to get ISMS certification on an international basis, which is essential for global enterprises.

We can also create our own standards or add threats and measures depending on our demands and assess the risks using the same ISMS tool infrastructure.

The diagram below is the first view of RM Studio, and here you can see that it looks very user friendly and has all the parameters needed to calculate the risks.
Figure 3-4 (created by author)

Calculate Risks

To calculate the risks on information security as defined by the ISO 27001 standard, we need to define the infrastructure of our information processing landscape, including all the assets, job roles, availability and the other resources, and of course their dependencies on each other. As you can see in the picture above, first we have to define the business entities for which we are trying to calculate the risks. As we are talking about security, we must consider ISO 27001 all the time, so whatever we are going to analyze, the tool will calculate the risk on the basis of ISO 27001. This is the first task to achieve in any company that wants to do its business securely. ISO 27001 basically tells us to design an ISMS (Information Security Management System), which eventually ensures a system that tells us about the overall security situation in an enterprise.

Since we have the desired standards integrated in RM Studio, we can easily define our assets, assign the applicable risks and perform the risk assessment on the fly.
ISO 27001 covers the whole organization, but for this thesis my main focus will be on Objective A.12.3.1, which says:

Cryptographic Control
Objective: Protect the confidentiality, authenticity and integrity of information by cryptography. In further detail that means:
Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Key management: Key management shall be in place to support the organization's use of cryptographic techniques.

Most people neglect these two most basic problems, and even the ISO standard doesn't define how to achieve these tasks. So the first thing in any organization is to check whether they are following these standards or not, and if they are, then how much risk remains; RM Studio provides us the facility to calculate this on the basis of the above-mentioned standards.

The next most important thing is PCI DSS: if we are working in information security, and especially in the banking domain, then we will have to follow PCI DSS, which stands for Payment Card Industry Data Security Standard.

I will give a brief introduction on how to calculate the risk regarding these two standards, but I have to mention that it varies from organization to organization.

In Figure 3-5 we can see various standards, but for us, security-wise, only ISO 27001 and PCI-DSS are important, so first we will analyze with the ISO 27001 standard and then we will try to carry out the risk analysis with PCI DSS.

In Figure 3-6 we can see that the next step is to define the business entity for which we are trying to calculate the risk. In the business entity we have to provide the basic details of the company like name, address etc.
Figure 3-5 (created by author)

Figure 3-6 (created by author)
Figure 3-7 (created by author)

The next thing is to define the business assets, including all the details of the company. Figure 3-7 explains how to define the assets of the company. To get an accurate result we have to define all the assets of the company, covering all the possibilities that exist in any organization: the people and their expertise, hardware, service level agreements with the clients etc. As you can see in Figure 3-7, the assets are defined including all the people involved, their dependency on each other, and the complete infrastructural assets as well.
Figure 3-8 (created by author)

Figure 3-8 explains how important the individual components in the organization are for us, and what their credibility, their security risks and their impact in the organization are, which is very important. E.g. if the lead developer is not available in the company during an issue, his availability has to be high during those periods, whereas on the other hand a person who is doing only clerical work is also very important for the company, but his availability is not that important during critical issues. So with all these questions in mind, we have to provide the different parameters in the risk scenarios for the different assets.
Figure 3-9 (created by author)

The above figure shows the risk analysis on the basis of ISO 27001 and the different assets that we have defined earlier. On the basis of the values of the assets and their availability, it shows us that the risk is 2%, which is very low and good for the organization. Now we can also check the risk for different parameters like confidentiality and integrity.

Figure 3-10 below shows that the result is now 1% when all the factors in an organization are included. So it is even better, and by all these results we can establish that we have gone through the risk parameters of the ISO 27001 standard; if in any case the risk is too high, then we can define the assets again and then do the gap analysis.
Figure 3-10

Figure 3-11 (created by author)

Figure 3-11 shows the PCI-DSS standard; we have to do the same things again, and then again we have to check the possibility of the risks and the threats against PCI-DSS. If the result is low, like 1% or 2%, then we can be sure of one thing: we can go further, which means we have successfully followed the PCI-DSS standard as well.

And now the real work starts for information security. Initially we had the problem that there are many standards which are very complicated, and the question of how to follow them all. Then we
have seen the utility of RM Studio, which has made our work easy in assessing our organization against these standards. But the problem is still there: even though we have all the standards, we can still see various attacks every day in the news. So there must be a problem somewhere, which is the problem of good management and basically the problem of following all the complex processes. And to solve all these problems we will take the help of BPMN2.0.
4 Chapter 4 – Solution

4.1 Prototyping

Now comes the role of Infrastructure Management, the lowest level of management. It is not only responsible for the IT infrastructure meeting the business needs for high availability, reliability and scalability, but it is also responsible for managing the services of business process management. It provides us a way to calculate availability, reliability, risk management etc. In the past this kind of structure was mainly meant for big organizations, but today even small organizations can profit from this kind of approach.

In this chapter I am trying to find some loopholes on the basis of the infrastructure manager with the help of Business Process Modeling. It will be used as a prototype to define the problems using BPMN2.0. As I have already introduced BPMN2.0 and have already explained that there are many tools available in the market today, for my convenience I will use a tool called Bonita Studio. It consists of many facilities which use different technologies to serve our purpose. Figure 4-1 shows the basic view of Bonita Studio, which explains by itself how we can design the workflows. On the left-hand side of the picture we can see the toolkit to design the workflows, which consists of the BPMN2.0 elements.

Source: Bonita Open Solution. (2011). Bonita Soft. Retrieved May 20, 2011, from Resources: http://www.bonitasoft.com/
Figure 4-1 (created by author)

As I have already explained in the previous chapter, first we have to follow the general standards which are important to be compliant to, so that we can ensure the maximum security possible. First we have to go through all those steps to achieve the certifications and to calculate risks in an enterprise accordingly.

- Top Management: get the ISMS certified according to ISO 27001
- Business line: get certified according to PCI-DSS (while interacting with the ISMS)
- Infrastructure: make sure that processes meet the required quality goals and provide auditable trails, adhering to the policies directed by layers 1 and 2 respectively.

Then we come to the details of Master Key management.

Master Key management is a very complicated issue, and the operational issues lie at the bottom of the whole organizational hierarchy. In reality, experience shows that dual control can be practised with compromises, as a result of project pressure (e.g. change requests
in exceptional situations) or degrading awareness and knowledge due to employee fluctuation. So, if a decision is made to have a single key custodian process both parts of a Master Key, then the key is by definition compromised. The associated crypto system may still operate fully functionally, but when it comes to an audit in the future, especially connected to the implications of a successful and published hack by cyber-criminals, the business itself may be faced with severe losses.

Bottom line: if a Master Key is not properly secured, because the persons responsible for the key ceremonies do not follow a pre-defined process, then nothing beneath it will be secure. It doesn't matter which standards we are trying to comply with. Even after following all the security measures and all standards, we are not able to ensure provable protection of the Master Key.

So in this chapter I will try to outline a solution which can be used to overcome the issues of process disruption during Master Key management. The idea itself is not new, and it is a conglomerate of all the standards that we have talked about earlier.

According to VISA, the whole process has to be divided among two people so that possession and knowledge are segmented between two persons, which is also called secret splitting. One custodian therefore has no knowledge about the second part of the Master Key.
Without the second part the final Master Key cannot be reconstructed. This is an essential step to ensure the highest level of trust in processing this kind of vital asset.

If only one person were responsible for the whole process, then lots of problems come up:

- Insider attack: if the person turns out to be corrupt, the organization can be heavily damaged (all business processes go out of operation, reputation damage, customers resigning due to loss of trust)
- Social engineering made easy: it is easy for attackers to leak out information from just a single person, as compared to retrieving it from segregated knowledge.

At any place the process starts from establishing an environment which has to be properly defined and configured to produce the optimum output. So we will need at least two people to handle the whole process at any cost (keeping in mind that substitutes, also called deputies, need to be assigned as well). We will call them custodians for our own convenience, with specific rights to manage the master key, and they must not know each other for the sake of security.
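The following Python is an added example, not part of the thesis and not IBM CCA code, illustrating the secret splitting just described: a master key is split into custodian parts such that no custodian (or any group short of all of them) learns anything about the key, and a short check value lets the recombined key be verified without revealing it. The XOR combination of parts and the truncated-SHA-256 check value are my assumptions for the demonstration, standing in for an HSM vendor's own part-loading and key check value scheme.

```python
"""Added example (not from the thesis and not IBM CCA code): secret splitting of
a master key into custodian parts by XOR, with a check value to verify a
reconstructed key without revealing it.

Assumptions (mine, not the thesis'): parts are combined by XOR, as HSM
master-key parts commonly are; the check value is a truncated SHA-256 of the
key, standing in for a vendor-specific key check value."""
import hashlib
import secrets
from typing import Dict, List


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key parts must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(master_key: bytes, n_parts: int = 2) -> List[bytes]:
    """Split master_key into n_parts XOR shares.

    The first n_parts-1 shares are drawn uniformly at random; the last share
    is set so that the XOR of all shares equals the key. Any n_parts-1 shares
    are therefore statistically independent of the key: one custodian (or any
    group short of the full set) learns nothing about it."""
    if n_parts < 2:
        raise ValueError("dual control needs at least two parts")
    if not master_key:
        raise ValueError("empty key")
    parts = [secrets.token_bytes(len(master_key)) for _ in range(n_parts - 1)]
    last = master_key
    for p in parts:
        last = _xor(last, p)
    parts.append(last)
    return parts


def combine_parts(parts: List[bytes]) -> bytes:
    """Reconstruct the key from ALL parts; the order of entry does not matter."""
    if not parts:
        raise ValueError("no parts given")
    acc = bytes(len(parts[0]))
    for p in parts:
        acc = _xor(acc, p)
    return acc


def check_value(key: bytes) -> str:
    """Short fingerprint of a key (assumed stand-in for an HSM key check
    value). It lets a custodian confirm that a typed-in part, or the combined
    key, matches what is printed on the key letter without exposing the key."""
    return hashlib.sha256(key).hexdigest()[:6]


def assign_parts(parts: List[bytes], custodians: List[str]) -> Dict[str, bytes]:
    """Dual control: one part per distinct custodian, nobody holds two."""
    if len(custodians) != len(parts) or len(set(custodians)) != len(parts):
        raise ValueError("each part needs its own distinct custodian")
    return dict(zip(custodians, parts))


def demo() -> bool:
    """Constructed walk-through: split, hand out, recombine, verify."""
    master_key = secrets.token_bytes(32)          # constructed 256-bit key
    kcv = check_value(master_key)                 # printed on the key letters
    parts = split_key(master_key, 2)
    held = assign_parts(parts, ["custodian_A", "custodian_B"])
    # Custodian A alone cannot recover the key ...
    alone = combine_parts([held["custodian_A"]])
    # ... but both parts entered into the HSM reproduce it, and the check
    # value confirms that without anyone ever seeing the whole key.
    loaded = combine_parts([held["custodian_B"], held["custodian_A"]])
    return alone != master_key and check_value(loaded) == kcv


if __name__ == "__main__":
    print("dual control demo ok:", demo())
```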
The next thing coming up is the environment we need. There are different possibilities, depending on the organization. As it is the most crucial part, I would suggest preferring maximum security, in other words going for the highest quality regarding hardware, software and service level agreements (see SLA, ITIL for further details on the implications). As it is not easy to maintain operations without clear structures and contracting schemes, this aspect alone requires intensive management, covering a complexity of security measures of its own.

Now coming to my solution, the infrastructure to be managed will consist of different things:

Figure (created by author): infrastructure overview. Components shown: N workflow application front-end servers; application server using workflow; HSM server; crypto hardware; web WF-Mgr.; customer secure server; business logic workflow for MK management (CNM); HSM key manager; N HSMs.
I would prefer to use three different servers to achieve more security; they all stay at the client side (which is to say, any bank). On the first server we have to use an API through which we can communicate with the IBM CCA (Common Cryptographic Architecture), which actually lies on the other server. Through this API users can enter the machine to do the desired operation. On the other server the whole processing works under the HSM, but users can access it through another login (for security purposes). In between lies another server, running IBM MQ Series, which is basically used for queuing, so that queuing takes place properly and never runs into deadlock situations. On the second server lies the crypto API and IBM CNM, through which we can generate the keys. These servers are connected with each other over a LAN and must be placed under high supervision. This is another loophole when we manage a Master Key in a real-time environment: most standards don't provide much information regarding the management of the Master Key when handling it in network-attached HSMs. This is the technical aspect of the infrastructure, which really ensures very high-end security, but the real problem to be solved is performing the required operations without loopholes.

The organizational infrastructure has many loopholes whenever key components are produced by an HSM, and here comes the most critical part. Often enough, we face the problem that users don't know how to handle the complete environment, so they make mistakes while doing so.

So here I am trying to give the best view of the complete process.
It has to be divided properly into different departments so that all participating roles are enforced to do their work properly, which is the most important part regarding organizational management.

The whole process, which is called the key ceremony, is as follows:

Note: Each key ceremony is understood as a change to a productive system. This implies that all the tasks performed during the following process for the key ceremony can be pre-planned and governed by a workflow management system, designed and implemented to guide the process in a manner that guarantees a continuous audit trail and provides logs that give detailed information about the life cycle of any key processed.

4.1.1 Key Ceremony

The centralized authority will instruct the two custodians that they will have to generate their key parts for a certain target key; this notification could be sent via e-mail, physical mail or whatever the policy prescribes. The custodians have to confirm their availability, and in case they are not available, they must take care of assigning the corresponding deputy for that custodian in advance.
Special requirements and prerequisites regarding the execution of the key ceremony: the complete ceremony must be executed in a secure room (trusted environment, level: HIGH), which requires:

- Isolation from the outside environment, protecting against acoustic and electromagnetic information leakage
- Dual access control: no single person should be able to be alone in the secure room; access to the room is granted after dual login to the room
- In case of exceptional situations (fire, earthquake, etc.) the ceremony must be cancelled, and any key material produced during this session marked as incomplete and not trustworthy; it should be destroyed
- Cellular/smart phones are not allowed during the stay in this room
- Camera surveillance: this requirement can be conflicting, as gaining knowledge about who enters the room on the one side brings the disadvantage that surveillance officers could possibly reconstruct key values that are entered by custodians after reading the values from key letters

Security guards will check the facility access of the custodians and other participating persons (in case of a live audit by Visa) and inspect any carried item not required during the key ceremony, which may need to be deposited with the security guards during the ceremony. Custodians will have a dedicated time to achieve their task, as defined. The custodians will be escorted by at least one other person (internal auditor) until the last entrance of the room. As required before, no person is allowed to be alone in the secure room.

There has to be a secured login to access the system operated by the custodians while performing the operation to generate the master key parts. Access control can be realized in various ways: smart card login, access tokens with one-time passwords etc. There are different technologies today; it depends on the company's security demands and policies and on external compliance regulations.
Regarding the generation of the desired key: it has to be a dedicated system used only for this purpose, and it should be non-bootable from any media. Another important issue: the system hardware should be connected to a functionality-tested and working uninterruptible power supply.

As soon as the key generation is done and the result is stored to the intermediate transportation media for further key part loading into the target HSMs, the key material has to be backed up for the purpose of key recovery, depending on the company's backup policies. Regarding cryptographic key material, long-term experience and best practices show that most organizations still believe key parts printed on paper key letters to be the best practical choice and the most enduring backup media still around. Once key values are securely printed out onto key letters, the printouts are enveloped and are required to be stored separately in different physical safes, providing continuity in key separation under dual control.

There are different scenarios in different organizations: some prefer to have the key generation environment inside the organization itself, and others prefer to have it at other places, and the complexity differs from case to case. If it is at a different place, then it has to be transported through a physical medium, and there comes another security loophole. There are different ways, but most organizations do the following: they contact a courier company and transport it within a tamper-resistant module, so that if anybody tries to tamper with it, it will automatically destroy the content.
Both parts have to be transported through different routes and by different courier companies, so as to achieve the concept of dual control all the time.

As you can see, this whole key ceremony process is a perfect candidate for implementing a workflow using BPMN2.0:

- It can be automated and run by a centralized governing authority moderating the process
- It can keep track of all process activities all the time
- It could also reduce the human errors which people generally make in organizations, like forgetting vital process steps that disrupt the quality chain.

So to overcome all those problems we need an automated process control (our centralized authority), so that the people who are involved in this
process can handle the whole system easily, which will in consequence secure our whole environment as well.

At this point I want to introduce the role and application of BPMN2.0, with the help of which we can not only automate the process but also keep track of all activities applied.

4.2 ISO 27001 Based Risk Analysis

Figure 4-2 (created by author)

Figure 4-2 shows that we are going through the first phase of the whole process, where we will check the criteria for ISO 27001. This workflow will initiate the STIKI RM Studio in order to perform the minimum yearly risk analysis. The outcome is the yearly report required for ISO 27001 certification. If we are able to follow the ISO 27001 standard, then we will go to the next phase.

So now it's just time to automate the whole process and make it work. This part of the workflow is the first swimlane, and I have given it the name Risk Assessment for
ISO-27001. As you can see in Figure 4-2, it consists of three tasks: a start task, a script task and an end task. In the middle you can see the script task, which is actually a shell script that is going to initialize the STIKI RM Studio. It provides us a wide variety of options. I have preferred to choose the script task as it seems simple to me.

Figure 4-3 shows how you can define the script task. This figure is basically showing connectors. In Bonita Studio, we have to define a connector for this task, which is of the shell script type, and then you just have to define the script that you want to run. It is actually a simple GUI which is easy to understand and can guide you through everything that you want to do. I have simply used one line of script to initiate RM Studio. There are various other ways to do this task; you can create Java code as well, but then the whole process will be too heavy, and if you want to make some changes then you will have to make the changes everywhere. That's why I have chosen the script task, which is easy to use and easy to perform: just one line of code and you can achieve your work. Further, this means I have provided a layer between workflow design and implementation, so that if you want to replace the implementation details you don't have to touch the workflow design.

You also need to define the person who is going to initialize the process; in my case this is the initiator who will handle the workflow and who is going to initialize this particular process. There are several other facilities that you can use with this to make it more secure, like allowing only a dedicated user to do a particular task. For this reason I have created a particular user in RM Studio to perform this task, as in an organization there has to be a person who will take care of this responsibility, who has complete knowledge of the company's environment and also has a good idea about ISO-27001.
Figure 4-3 (created by author)
4.3 PCI-DSS Based Risk Analysis

Now comes the second part of the whole workflow, which is to analyze the risks on the basis of PCI-DSS. After finishing the first job, that is, analyzing the risk on the basis of ISO 27001, the workflow will jump to the second level, which is to analyze the risk on the basis of PCI-DSS. You can see in Figure 4-4 that the next swimlane comes into existence, which is called PCI-DSS Analysis. It has different criteria as compared to ISO 27001, but it is also very important to fulfill this task so as to ensure maximum security and the optimum result. You have to do the same thing again as in the previous process. So again I have defined a script task to initialize RM Studio, but this time the user is different. From the organizational point of view it will be a person who takes care of the PCI-DSS certification and who has sound knowledge about PCI-DSS, so that the organization can be sure about getting the certification properly. If the organization already has the certification, then they could skip to the next step, which is the management of the Master Key. And don't forget to change the standard in RM Studio, as by default, after finishing the previous step, it will still be set to ISO 27001. These two swimlanes are loosely coupled; they are not dependent on each other, but they are part of the whole process, so we cannot skip either of them.

Figure 4-4 (created by author)
4.4 Master Key Management

Figure 4-5 (created by author)

Figure 4-5 shows the next layer of the workflow, which consists of the more complex and much more interesting part. Here I am trying to show the management of the Master Key. I have used Crypto Node Management (CNM), which is proprietary to IBM and delivered with the IBM HSM 4764 and IBM 4765, so I will not give much detail here, but you can see the login for CNM in Figure 4-6. And it doesn't matter for us how it works, because we are only focused on the organizational issues rather than the technical details. It is also called the Common Cryptographic Architecture Node Management Utility. As you can see in Figure 4-6, the custodians can log in with different methods; it depends on the company's policy how you do this. You can also notice different tabs showing different utilities like key storage, Crypto Node etc. For our purpose there are of course a few things to know about. The Crypto Node and Master Key tabs are the most important for us to know. With Crypto Node we can easily find information about the installed HSMs, like the state of the HSM, its battery state, error logs etc. So whenever we notice any unwanted behaviour like an unauthorized logon (outside the valid time range), we can easily inspect Crypto Node, look into the details and possibly find the cause of the issue.
The second important tab for us to know is Master Key, which is of course used for generating Master Keys via several Master Key parts. It provides us a guided way of generating them. The other important thing that comes next is key storage, which gives us the ability to manage the keys and their storage. As there are different algorithms available for encryption, it provides us different ways depending on the key type.

Figure 4-6
Source: IBM. (2011). Infocenter. Retrieved from ZOS: http://publib.boulder.ibm.com/infocenter/zos/

In Figure 4-5, you can see in the workflow that this part of the whole workflow starts by sending invitations to the custodians. We are sending mails to the different custodians, inviting them for the key ceremony on a particular date, and if any of the custodians is not available then they will have to communicate to the responsible person that they are not available, thus activating their deputy.

There is another scenario here: we have to invite different custodians on different dates so that they never come to know about each other; it makes the whole key ceremony
more secure, and it might also be possible that instead of dual control there are three custodians, so we have to invite all of them at different times. And if they accept the invitation then the workflow will move to the next step, and it will guide all involved people to move further.

But before the workflow can do this we have to consider a few more things regarding the workflow. First we have to set up some technical requirements: configure a mail server so that we can receive or send mails. For the purpose of receiving the mails we could use, for example, Mozilla Thunderbird, or we can use the default environment depending on the individual infrastructure.

In the next step CNM comes into play and the workflow will start CNM in order to initiate the generation of the required key material. It has a mechanism to handle the complexity of generating the master key, and you can also choose different strategies for management or for distribution. As you can see in the diagram, there are two timers at two different tasks. So there is always a dedicated time which has been allocated to complete the task, and if that time is reached and the job is not done, then you cannot go to the next phase of the process. This normally causes management alerts and triggers appropriate measures to continue the process.

The next thing that comes to mind is to store the key parts after generation, so for that purpose we need to take a backup of the key parts, and it depends on the organization's policy how they do this. Many organizations take the backup on a USB stick or, if allowed by budgets, even smart cards (see footnote 16), but sticking to the stereotype that paper is the best form of storing information for long-lasting persistence, we will write down the key on a piece of paper and store it in a safe, as you can see in Figure 4-7.

Details not mentioned: each custodian must deposit their key part in a separate safe.
Any access to the safes and the whereabouts of the key letters during absence must be logged in a key life cycle protocol. After unpacking a key letter from an envelope, a new envelope (tamper-proof security bag) with a registered serial number must be used before depositing the key material back into the safe.

16 Smart cards are not secure by nature; as with HSMs, they need to be initialized and personalized before they can be used by their associated custodians to carry key material and other security parameters. Also smart cards need to be backed up; otherwise, in case of one smart card being damaged, recovery of a certain key is not possible anymore.
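To show how the key ceremony of section 4.1.1 and the workflow rules just described (invitation with a confirmation timer and deputies, cancellation on exceptional situations, one safe per custodian, fresh registered envelopes, and a continuous audit trail) can be enforced by a process engine, here is an added Python example; it is not part of the thesis and not Bonita Studio code. Custodian names, safe ids, envelope serial numbers and timestamps are constructed for the demonstration.

```python
"""Added example (not from the thesis and not Bonita Studio code): a small
key-ceremony workflow that enforces the organisational rules described above
(invitation with confirmation timer and deputies, secure-room cancellation,
one safe per custodian, registered tamper-proof envelopes) and records every
step in an audit trail. Custodian names, safe ids, envelope serial numbers
and timestamps are all constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


class CeremonyError(Exception):
    """A step that would break dual control or the defined process."""


@dataclass
class KeyCeremony:
    custodians: List[str]               # invited custodians, one key part each
    invited_at: datetime
    confirm_window: timedelta           # timer on the confirmation task
    audit: List[str] = field(default_factory=list)
    attending: Dict[str, str] = field(default_factory=dict)   # custodian -> self or deputy
    deposits: Dict[str, str] = field(default_factory=dict)    # person -> safe id
    envelopes: Set[str] = field(default_factory=set)          # serials already used
    cancelled: bool = False

    def _log(self, at: datetime, event: str) -> None:
        self.audit.append(f"{at.isoformat()} {event}")

    def confirm(self, custodian: str, at: datetime, deputy: Optional[str] = None) -> None:
        """Custodian confirms attendance (or names a deputy) before the timer expires."""
        if self.cancelled:
            raise CeremonyError("ceremony is cancelled")
        if custodian not in self.custodians:
            raise CeremonyError(f"{custodian} was not invited")
        if at > self.invited_at + self.confirm_window:
            self._log(at, f"TIMER EXPIRED waiting for {custodian}: management alert raised")
            raise CeremonyError("confirmation deadline passed")
        person = deputy or custodian
        if person in self.attending.values():
            raise CeremonyError(f"{person} would be responsible for two key parts")
        self.attending[custodian] = person
        self._log(at, f"{custodian} confirmed; attending as {person}")

    def ready(self) -> bool:
        """Every key part has its own distinct person to process it."""
        return not self.cancelled and len(self.attending) == len(self.custodians)

    def cancel(self, at: datetime, reason: str) -> None:
        """Exceptional situation (fire, earthquake, ...): abort the session."""
        self.cancelled = True
        self._log(at, f"CANCELLED ({reason}); session key material not trustworthy, destroy it")

    def deposit(self, person: str, safe_id: str, envelope_serial: str, at: datetime) -> None:
        """Key letter goes into a safe, in a fresh registered tamper-proof envelope."""
        if not self.ready():
            raise CeremonyError("not all custodians confirmed; no key parts may exist yet")
        if person not in self.attending.values():
            raise CeremonyError(f"{person} is not a participant of this ceremony")
        if person in self.deposits:
            raise CeremonyError(f"{person} already deposited a key part")
        if safe_id in self.deposits.values():
            raise CeremonyError(f"safe {safe_id} already holds another key part")
        if envelope_serial in self.envelopes:
            raise CeremonyError(f"envelope {envelope_serial} was used before")
        self.envelopes.add(envelope_serial)
        self.deposits[person] = safe_id
        self._log(at, f"{person} deposited key letter in {safe_id}, envelope {envelope_serial}")

    def complete(self) -> bool:
        """Every key part rests in its own safe and nothing was cancelled."""
        return self.ready() and set(self.deposits) == set(self.attending.values())


def run_demo() -> KeyCeremony:
    """Constructed scenario: two custodians, one sends a deputy, both deposit."""
    t0 = datetime(2011, 8, 1, 9, 0)
    c = KeyCeremony(["custodian_A", "custodian_B"], t0, timedelta(days=2))
    c.confirm("custodian_A", t0 + timedelta(hours=3))
    c.confirm("custodian_B", t0 + timedelta(days=1), deputy="deputy_B")
    c.deposit("custodian_A", "SAFE-1", "ENV-000123", t0 + timedelta(days=3))
    c.deposit("deputy_B", "SAFE-2", "ENV-000124", t0 + timedelta(days=3, hours=2))
    return c


if __name__ == "__main__":
    for line in run_demo().audit:
        print(line)
```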
Figure 4-7 (created by author)

Figure 4-8 (created by author)
At last you can see the final Figure 4-9, which is the complete workflow that reveals the whole concept to us.
Figure 4-9 (created by author)
