Your SlideShare is downloading. ×
04. SAKTTI Introduction
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

04. SAKTTI Introduction

607

Published on

This presentation presentated by Gildas Deograt Lumy "Simulasi Scirital Information Infrastructure Protection (CIIP)" , Bandung, Indonesia 10th September 2013 on #IISF2013

This presentation presentated by Gildas Deograt Lumy "Simulasi Scirital Information Infrastructure Protection (CIIP)" , Bandung, Indonesia 10th September 2013 on #IISF2013

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
607
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
76
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Standar Arsitektur KeamananStandar Arsitektur Keamanan Tingkat Tinggi Informasi (SAKTTI)Tingkat Tinggi Informasi (SAKTTI) Introduction toIntroduction to Standard High Grade Information Security ArchitectureStandard High Grade Information Security Architecture
  • 2. SAKTTI ObjectiveSAKTTI Objective
  • 3. SAKTTISAKTTI is an architecture to buildis an architecture to build an integrated “digital fortress” systeman integrated “digital fortress” system which consist of people,administrative,which consist of people,administrative, technology and physical controlstechnology and physical controls that enforce the consistency ofthat enforce the consistency of information security strategy.information security strategy.
  • 4. SAKTTI’s Biggest Challenge: To Change The Mindset “I feel convenience if... I use the good safety belt and helmet properly and the car has the effective breaking system to go fast !”
  • 5. The Digital Fortress, an illustration...The Digital Fortress, an illustration...
  • 6. ● White List Approach ● Defense in Depth ● Integrity Assurance ● Least Privilege ● Separation of Duties ● End-to-End Security ● Full Encryption ● System Partitioning ● System Redundancy ● Backup and Restore SAKTTI Control PrinciplesSAKTTI Control Principles Balanced between preventive, detective and corrective controls in all information life cycle:
  • 7. SAKTTI ComponentsSAKTTI Components
  • 8. Information Security ConceptInformation Security Concept SAKTTI - Information Security Concepts.odp
  • 9. SAKTTI Technology ControlsSAKTTI Technology Controls People SecurityPeople Security ● Integrity Assurance ● People integrity must be ensured though background checking, monitoring and audit. ● Competencies ● People must be aware, prudent and have profound information security knowledge to secure the information. ● Protection ● People must be protected, especially under dourest.
  • 10. SAKTTI Technology ControlsSAKTTI Technology Controls Administrative SecurityAdministrative Security ● Fully comply with laws and regulations ● Fully conform with international standards, such as: ● ISO/IEC 22000 Business Continuity Management (BCM) ● Payment Card Industry Data Security Standard (PCI DSS) ● Baseline Requirements for the Issuance & Management of Publicly-Trusted Certificates ● TIA-942 Data Center Standards ● Risk Assessment Methodology includes threat agent. ● Appropriate Information Security Classification ● 4 categories of business impact: Financial, Reputation, Legal and Safety. ● Khusus untuk penyelenggara negara: IPOLEKSOSBUDHANKAM ● 4 levels of classification: Level 1, Level 2, Level 3, Level 4 ● Aspects: Integrity, Availability, Confidentiality ● Secure Change Management
  • 11. SAKTTI Technology ControlsSAKTTI Technology Controls Technology Security: Zoning and ConnectionsTechnology Security: Zoning and Connections 5 Jenis Koneksi Fisik Terenkripsi ● Koneksi Pengguna Mobile ke DC via Internet ● Koneksi Lokasi Remote ke DC via Internet ● Koneksi DC to DC via Internet ● Koneksi via WAN (FO, MPLS, VSAT) ● Koneksi via LAN Zona Dalam Zona Tengah Zona Luar Zona Aman Lingkup Pengamanan
  • 12. SAKTTI Technology ControlsSAKTTI Technology Controls Technology Security: Data EncryptionTechnology Security: Data Encryption ● Media penyimpan harus dienkripsi. ● Media penyimpan didalam perangkat server harus dilindungi menggunakan enkripsi hardware. ● Seluruh paket jaringan pada koneksi fisik diluar dan antar Zona harus selalu dalam bentuk terenkripsi. ● Seluruh paket jaringan harus dianalisa dan difilter dalam kondisi clear text oleh firewall aplikasi dan/atau IDS saat melalui Application Cross Area di Zona Tengah. ● Seluruh paket jaringan didalam Zona Dalam (Area 0, Area Aplikasi, Area Database dan Area Server Farm Connectivity (SFC) harus dalam bentuk clear text agar dapat dianalisa oleh IDS.
  • 13. SAKTTI Technology ControlsSAKTTI Technology Controls Technology Security: NetworkTechnology Security: Network ● Physical Separation and Network Segmentation ● Jaringan fisik dibagi secara vertikal kedalam Zona Luar, Zona Tengah dan Zona Dalam. ● Setiap sub zona harus menggunakan firewall terpisah. ● Setiap jenis koneksi Internet, WAN dan LAN harus menggunakan Sub Zona terpisah. ● Segmentasi jaringan harus dapat membentuk lalu lintas jaringan yang terpola berdasarkan sensitifitas dan tingkat risiko. ● Pemisahan infrastruktur aplikasi (berbeda Zona Dalam) berdasarkan klasifikasi keamanan informasi dan berdasarkan pengelompoka risiko (jenis aplikasi, kelompok pengguna, dll). ● Network switch digunakan jika terdapat beberapa Zona Dalam.
  • 14. SAKTTI Technology ControlsSAKTTI Technology Controls Technology Security: NetworkTechnology Security: Network ● Multi Layers Network Detection and Prevention ● Setiap segmen jaringan harus dipisahkan oleh firewall. ● Filtering dari Zona Luar hingga ke Area 0 (Core) didalam Zona Aplikasi harus menggunakan 2 firewall (sistem operasi dan aplikasi) yang berbeda. ● Setiap segmen jaringan diluar dan didalam Zona harus diawasi oleh IDS. ● Eksploitasi kelemahan kritis dan backdoor pada salah salah zona atau segmen jaringan harus dapat dideteksi dan dicegah. ● IP Address Allocation ● Pengelompokan terstruktur yang mudah dimengerti, diingat dan diidentifikasi secara visual terutama untuk keperluan pengawasan dan analisa serangan.
  • 15. SAKTTI Technology ControlsSAKTTI Technology Controls Technology Security: Secure ConnectionTechnology Security: Secure Connection Internet / WAN Secure Sensor INFRASTRUKTUR LOKASI 6 Secure Sensor INFRASTRUKTUR LOKASI 5 Secure Sensor INFRASTRUKTUR LOKASI 4 Secure Sensor INFRASTRUKTUR LOKASI 3 Secure Sensor INFRASTRUKTUR LOKASI 2 INFRASTRUKTUR LOKASI 1 CYBER OPERATION CENTER (COC) DATA CENTER
  • 16. SAKTTI Technology ControlsSAKTTI Technology Controls Technology Security: Network Diagram Level-0Technology Security: Network Diagram Level-0 Zona Luar Zona Tengah Pengawasan Zona Tengah Gerbang Luar Gerbang VPN 5 Ports Pengawasan Zona Luar 5 Ports 5 Ports Zona Dalam Aplikasi 2 Aplikasi NAplikasi 1 WAN LANInternet ● Gerbang VPN dari Internet, WAN atau LAN. ● Dekripsi paket HTTPS. ● Analisa intrusi dan filtering ditingkat aplikasi. ● IDS didalam Gerbang mendeteksi serangan pada paket jaringan yang telah didekripsi. ● VPN ke Zona Dalam. ● Mencegah serangan di Zona Luar. ● Hanya mengijinkan paket VPN ke Gerbang VPN sesuai dengan jenis koneksinya. ● IDS diluar gerbang untuk memastikan efektifitas Firewall. ● IDS didalam Gerbang mendeteksi intrusi didalam Firewall. ● Gerbang VPN dari Zona Tengah. ● Seluruh paket jaringan harus clear text. ● Pemisahan segmen Access, middleware, Database & SFC dgn firewall terpisah. ● Internal IDS mendeteksi serangan pada setiap segmen. Zona Aman

×