Integrating Physical And Logical Security

Integration of Physical and IT Logical Security at Identity Summit Dubai UAE. Presented by Jorge Sebastiao from eSgulf.

Comments
  • Very nice and complete presentation. Could I have a copy of it? I'm teaching at some universities in Argentina, and would like to use your material. My email is rlangdon@caece.edu.ar . Thanks in advance. Roberto
  • hello, hope you could share with us a copy of this presentation. Please email me at sylvain@cyberfenua.com . thanks
  • This is a pretty old doc. Having actually helped write the PHYSBITS doc, I can see that you have done a good job of extrapolating out the implications. However, it is still a bit esoteric. The idea that you can integrate these two disciplines is still beyond the scope of what most physical security groups can hope for; instead, the holy grail is to gain enough recognition for each side's authority and technology requirements to ensure proper collaboration. The day of a physical security practitioner taking over an IT security practitioner's role, or vice versa, is over. They are dramatically different disciplines. Instead, proper scoping and collaboration will help the two teams optimise their efforts based on where one ends and the other begins.
  • hey can you give me a copy of this at jyoti.dhauni@gmail.com
  • may I have a ppt copy?? gcarrozza@gmail.com thanks for the great job!

Presentation Transcript

  • Integrating Physical & Logical Security. Jorge Sebastião, CISSP, ISP, BSLA, Founder and CEO. “Security is: … a continuous skilled process which safeguards your business value …” Jorge S., 1999
  • Security
    • Protection systems
      • Safeguard assets
      • Safeguard of personnel
      • Integrate People, Process, Technology
      • Two major types:
        • Physical Security
        • Information Security (infosec)
  • Physical Security-Focus
    • Protection of physical assets
    • Personnel
    • Buildings
    • Computing Facilities
    • Physical Access Control
    • Power
  • Information Security-Focus
    • Protection of information assets
    • Computer Systems
    • Data Networks
    • Databases, Applications
    • Logical Access Control
    • Disaster Recovery
  • Signal also applies to cars of other colors
  • Scenario
    • CFO Traveling abroad for 2 weeks
      • Normally in Riyadh HQ Office
      • Now in Dubai visiting
    • Non-Integrated, non-compatible physical access control
    • Trusted employee uses CFO password to access confidential data in Riyadh
      • Normal working hours
      • Sensitive files shared with competitors
    • No Alarm raised by system???
    • No violation in either physical sec or infosec systems
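The scenario above is the classic case where neither the physical access control system nor the logical access system sees a violation on its own: the CFO's badge places them in Dubai, the login happens at the Riyadh HQ during normal working hours, and only a join across both logs reveals the mismatch. The following Python is an added example (not part of the presentation) of that correlation: it derives each user's physical location from badge records and flags console logins at a site where the badge system does not place the user. The users, sites, timestamps and the BadgeEvent/LoginEvent schema are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


# Physical access control (badge reader) record: who passed which site's door, in which direction.
@dataclass
class BadgeEvent:
    user: str
    site: str
    direction: str  # "in" or "out"
    ts: datetime


# Logical authentication record. `channel` is "console" for a login at a workstation
# physically located at `site`, or "vpn" for remote access (site is then None).
@dataclass
class LoginEvent:
    user: str
    site: Optional[str]
    channel: str
    ts: datetime


# Constructed sample data mirroring the slide's scenario (not real logs).
BADGE_LOG = [
    BadgeEvent("cfo", "Riyadh", "out", datetime(2003, 6, 1, 18, 5)),    # leaves HQ for the trip
    BadgeEvent("cfo", "Dubai", "in", datetime(2003, 6, 2, 8, 10)),      # badges into the Dubai office
    BadgeEvent("analyst", "Riyadh", "in", datetime(2003, 6, 3, 7, 55)),
]
LOGIN_LOG = [
    LoginEvent("cfo", "Dubai", "console", datetime(2003, 6, 2, 9, 0)),     # consistent with badge data
    LoginEvent("analyst", "Riyadh", "console", datetime(2003, 6, 3, 8, 2)),
    LoginEvent("cfo", "Riyadh", "console", datetime(2003, 6, 3, 10, 30)),  # the scenario: CFO password used at HQ
    LoginEvent("cfo", None, "vpn", datetime(2003, 6, 3, 11, 0)),           # remote session, out of scope for this rule
]


def physical_location(badge_log, user, ts) -> Optional[str]:
    """Site where `user` is physically present at `ts` according to badge records.
    Returns None when the latest badge event is an exit or no record exists."""
    last = None
    for ev in sorted(badge_log, key=lambda e: e.ts):
        if ev.user == user and ev.ts <= ts:
            last = ev
    if last is None or last.direction == "out":
        return None
    return last.site


def correlate(badge_log, login_log):
    """Flag console logins whose site disagrees with the user's badge-derived location.
    Each system is internally consistent; only the join between them exposes the misuse."""
    alerts = []
    for login in login_log:
        if login.channel != "console":
            continue  # remote sessions need a different rule (source address, geo), not badge presence
        where = physical_location(badge_log, login.user, login.ts)
        if where != login.site:
            alerts.append({
                "user": login.user,
                "login_site": login.site,
                "badge_site": where,
                "ts": login.ts.isoformat(),
                "reason": "console login at a site where the badge system does not place the user",
            })
    return alerts


def build_alerts():
    """Run the correlation over the constructed sample data."""
    return correlate(BADGE_LOG, LOGIN_LOG)


if __name__ == "__main__":
    for alert in build_alerts():
        print(alert)
```

Only the 10:30 Riyadh console login is raised: the analyst's login matches their badge-in, the CFO's Dubai login matches the Dubai badge-in, and the VPN session is deliberately left to a separate rule. In a real deployment the two feeds would arrive from different systems with different clocks and identifier formats, so the join key (here the plain `user` string) and a tolerance on timestamps are the first things to agree on between the physical and IT teams.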
  • Data Center
  • Threats and risks
    • Human faults
    • Operational disruptions
    • Software faults
    • Incompatibility
    • Fraud, Forgery
    • Access control
    • Espionage
    • Illegal copying
    • Virus
    • Natural phenomena
    • Fire, Smoke, Explosion
    • Destruction, Sabotage
    • Power failure
    • Water damage, Leakage
    • Theft, Vandalism
    • Delivery problem
    • Service disruption
    • Loss of key personnel (notice to quit, sickness)
  • Security as TPP: Technology, Process, People
  • Attack on NCR and IBM ATMs (Technology)
    • UAE Bank Attack, May-June 2003
    • Exploits ATM vulnerabilities
    • Special device captures cards
    • Physical security
    • 1.5-?.? Million Dhs
  • Microsoft (Process)
    • SQL Slammer worm, 25/01/2003
    • Exploits SQL Server 2000 vulnerabilities
    • Documented since July 2002
    • Traveled the globe in 15 min
  • Verisign (People)
    • Verisign, 22/03/2001: Someone tricked digital security specialist VeriSign (VRSN), which authenticates parties in e-commerce transactions, into issuing two digital certificates with Microsoft's name on them. The certificates could be used by a malicious poseur to spread viruses or other harmful programs by camouflaging them as Microsoft software.
  • PDR: Protection, Detection, Response, Forensics
    • Defence in Depth (layered security)
    • No single point of vulnerability
    • Centralized security management
    • Heterogeneous
    • Effective
    • Process
    • Implement Protection, Detection, Response
  • Security = Time: P > D + R, i.e. the time Protection holds an attacker off must exceed the time to Detect plus the time to Respond
    • Controls on the slide: Anti-virus, VPN, Access Control, Firewall, Intrusion Prevention, Managed Services, CIRT, Patch Mgmt, Vulnerability Testing, Intrusion Detection, CCTV, Log Correlation
  • Securing the System: effective security requires a balanced application of all methods (Personnel, System Security, Computer Security, Physical Security, Process, Encryption)
  • Security is a continuous process: Assess, Architect, Apply, Administer, driven by Business Risk, Controls and Maturity
  • Integrated Security Management: Business Security Management, Physical Security Management, ICT Security Management
  • Security Management Processes
  • Convergence (APPLY)
  • Identity and Access Management, Strategic Context: Physical Security; Network / System; Application / Data; Suppliers, Partners, Customers; Employees
  • New Boundaries
    • Platforms
      • Data Center
      • Laptops
      • PDA
      • Mobiles
    • Distributed Access
      • Dialup, ADSL, VPN
      • VSAT
      • Wifi, WiMax
      • GPRS/3G
    • Communication Centric Applications
      • Web
      • Email
      • IPM
      • VoIP
    • Multiple Networks
      • Intranet
      • Extranet
      • Internet
    • Users
      • Employees
      • Partners
      • Suppliers
      • Customers
      • Consumers/Prospects
    • Location
      • Office
      • Internet Café/Restaurants
      • Airport
      • Hotels
      • Home
  • Identity and Access Management, Interoperability vs. Control: a tightly-coupled, persistent interior (Intranet: Employees) and a loosely-coupled, dynamic exterior (Extranets: Partners/Suppliers, Customers; Internet: Consumers)
  • Identity and Access Management, Flexibility vs. Control: Intranet (Employees), Extranets (Partners/Suppliers, Customers), Internet (Consumers); Integration, Cooperation, Federation
  • Physical Security
    • Sprinkler, Halon
    • Alarm System
    • UPS
    • CCTV System
    • Intrusion Detection
    • Intercom
    • Evacuation
    • Physical Access Control
    • Elevator
    • Fire
    • HVAC
    • Lighting
    • Power Mgmt
  • Physical Security Architecture
  • Biometrics Example
  • Storage, SMART CCTV + biometrics, Corporate LAN / WAN / VLAN, Internet
  • Records Physical Protection
  • Physical Security
  • Info warfare: C4
    • Command, Control, Communications, Computers
  • Logical Security alongside Physical Security (Network / System and Application/Data layers): Data Encryption, Host Intrusion Detection, Antivirus, Perimeter Security, Network Intrusion Detection, Remote Client VPN, Access Control, Remote Clientless HTTPS, Disaster Recovery, Content Filtering, Anti-spam, Intrusion Prevention, Wireless Security
  • Architecture Layers: Extended Perimeter, Perimeter Layer, Control Layer, Resource Layer; plus Identity & Access Mgmt, Physical Security, Integrated Directory, Security Management, Policy Management; users: Remote Employees, Consumers, Partners, Customers, Suppliers
  • Identity and Access Management Context: Business policy (legal, liability, assurance for transactions); Relationships to organization; Applications/Services (access control and authorization); Identity and information; Presentation/Personalization (Identification, Relationships); Authentication (Identity of the Person)
  • Architecture and Infrastructure: Directory, Access Mgmt, Portal/Device, Identity Mgmt, Policy Propagation, Administration, Control, Access Resources, Authentication, Authorization, User, Device?, Applications, Platforms, Databases, Physical Services
  • SSO vs. Security
    • SSO and security
      • Reducing sign-on is a goal
      • Single sign-on is a security compromise risk
      • A standard authentication infrastructure is good
      • SSO is not always realistic
      • Different applications
        • Different security
        • Different application states
      • Policy drives
      • No single credential should give access to everything
  • Where to spend? Risk (Low to High) against Security Investment (Low to High): too little investment means Excessive Exposure, too much means Excessive Cost; the target is Appropriate Security
  • Return On Investment (ROI)? ROI curve against Security Investment: ROI at design = 21%, ROI at implementation = 21%, ROI at testing = 12%
  • Security Architecture (layers across Technology, Process, People, with Time / Risk Management)
    • Contextual: Strategy, Scope, Executive InfoSec Policy, Steering Committee
    • Conceptual: P > D + R, BIA Mapping, Perimeter Architecture, InfoSec Policy, Security Organization
    • Logical: Controls Selection, Policy Configurations, Baselines, Standards, Awareness, Education, Training
    • Physical / Dynamic: Incident Response, Operational Monitoring, Administration, Change Procedures, Guidelines, Roles and Responsibilities, Incident Reporting
  • Beyond Technology
  • Knowledge Base and Incident Response (ADMINISTER): applying the knowledge to incident response; multiple sources of information: Partners, Vendors, CERT, …; internal security research; Internet, mailing lists and other sources
  • Integrated P+D+R Enterprise Security Management
    • Sources: Routers, Switches, Firewall, N-IDS, H-IDS, IPS, Hosts, Antivirus, Access Ctrl, Biometrics, Smart Cards, Power, UPS, Fire, CCTV, P-IDS, Alarms, Others…
    • 1. Logs
    • 2. Encrypted Logs
    • 3. Analysis
    • 4. Alerting
    • 5. Response
    • 6. (Ongoing) Patching, Incident Response Knowledge
  • Incident Response: Analyse, Contain, Eliminate, Restore, Lessons, Refine Policy; Policy, Continuous Monitoring and Communicate run throughout, on a timeline T-1, T0, T1, … TN
  • Integrated Infosec Framework
    • Vulnerability & Risk Assessment: Assess, Audits, VA, Pen-Testing, Risk; inputs: Vulnerabilities, Threats
    • Technology Strategy & Usage: Technology, Tools
    • Policy: Infosec Policy, Standards
    • Security Architecture and Technical Standards: Technical Architecture, Technical Standards, Baselines
    • Security Model: Information Classification and Controls
    • Administrative and End-User Guidelines and Procedures: Implementation and Configurations, Administration Guidelines and Procedures
    • Recovery Processes, Incident Response Processes, Enforcement Processes, Compliance Mgmt Processes, Monitoring Processes
    • Scope and stakeholders: CEO, Senior Management; ISMS, Information Assets, IT Infrastructure; Awareness, Training, Education
    • Security Strategy driven by Business Initiatives & Processes
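The P+D+R Enterprise Security Management slide above describes a pipeline: collect logs from heterogeneous physical and ICT sources, protect them, analyse, alert and respond. The Python below is an added example (not the presentation's or any vendor's code) of that pipeline in miniature: it normalizes constructed firewall, badge-reader and antivirus lines into one schema, stores them in a tamper-evident hash chain (HMAC-SHA256 chaining is this example's stand-in for the slide's "encrypted logs"; it protects integrity, not confidentiality) and runs two correlation rules that raise alerts. All log lines, hostnames, addresses, door and user names and the key are constructed.

```python
import hashlib
import hmac
import json
import re
from collections import defaultdict

# Constructed sample lines from three heterogeneous sources (not real logs).
RAW_FEED = [
    ("firewall", "2003-06-03T10:29:58 fw01 DROP SRC=10.0.0.7 DST=10.0.1.5 DPT=445"),
    ("firewall", "2003-06-03T10:29:59 fw01 DROP SRC=10.0.0.7 DST=10.0.1.6 DPT=445"),
    ("badge", "2003-06-03T10:30:02,DOOR-R-04,cfo,GRANTED"),
    ("firewall", "2003-06-03T10:30:00 fw01 DROP SRC=10.0.0.7 DST=10.0.1.7 DPT=445"),
    ("antivirus", "2003-06-03T10:31:10 host=fin-ws-12 user=cfo event=MALWARE_DETECTED name=EICAR-Test-File"),
]

FW_RE = re.compile(r"^(\S+) (\S+) (\w+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")
AV_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=(\S+) name=(\S+)$")


def normalize(source, line):
    """Step 1 (Logs): map each source's native format onto one common record schema."""
    if source == "firewall":
        ts, dev, action, src, dst, dport = FW_RE.match(line).groups()
        return {"ts": ts, "source": source, "device": dev, "action": action,
                "src": src, "dst": dst, "dport": int(dport)}
    if source == "badge":
        ts, door, user, result = line.split(",")
        return {"ts": ts, "source": source, "door": door, "user": user, "result": result}
    if source == "antivirus":
        ts, host, user, event, name = AV_RE.match(line).groups()
        return {"ts": ts, "source": source, "host": host, "user": user, "event": event, "name": name}
    raise ValueError(f"unknown source {source!r}")


class ChainedLog:
    """Step 2 (protected logs): tamper-evident store. Each record's tag covers the previous tag,
    so editing, deleting or reordering any record breaks verification from that point on.
    HMAC-SHA256 chaining is this example's choice; the key must live outside the logged systems."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []  # list of (payload_bytes, tag_bytes)

    def _tag(self, prev: bytes, payload: bytes) -> bytes:
        return hmac.new(self.key, prev + payload, hashlib.sha256).digest()

    def append(self, record: dict):
        payload = json.dumps(record, sort_keys=True).encode()
        prev = self.entries[-1][1] if self.entries else b"\x00" * 32
        self.entries.append((payload, self._tag(prev, payload)))

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for payload, tag in self.entries:
            if not hmac.compare_digest(tag, self._tag(prev, payload)):
                return False
            prev = tag
        return True

    def records(self):
        return [json.loads(payload) for payload, _ in self.entries]


def analyze(records, sweep_threshold=3):
    """Steps 3-4 (Analysis, Alerting): correlation rules over normalized records."""
    alerts = []
    dropped_targets = defaultdict(set)
    for r in records:
        if r["source"] == "antivirus" and r["event"] == "MALWARE_DETECTED":
            alerts.append({"rule": "malware", "host": r["host"], "user": r["user"], "ts": r["ts"]})
        if r["source"] == "firewall" and r["action"] == "DROP":
            dropped_targets[(r["src"], r["dport"])].add(r["dst"])
    # One source address probing the same port on many hosts is worth a human look.
    for (src, dport), targets in dropped_targets.items():
        if len(targets) >= sweep_threshold:
            alerts.append({"rule": "port-sweep", "src": src, "dport": dport, "targets": len(targets)})
    return alerts


def run_pipeline(key: bytes = b"constructed-demo-key"):
    """Ingest the constructed feed into a chained log and return (log, alerts)."""
    log = ChainedLog(key)
    for source, line in RAW_FEED:
        log.append(normalize(source, line))
    return log, analyze(log.records())


def tamper_detected() -> bool:
    """Edit one stored record in place (DROP -> ACCEPT) and confirm verification fails."""
    log, _ = run_pipeline()
    payload, tag = log.entries[1]
    log.entries[1] = (payload.replace(b"DROP", b"ACCEPT"), tag)
    return not log.verify()


if __name__ == "__main__":
    log, alerts = run_pipeline()
    print("chain intact:", log.verify())
    for alert in alerts:
        print(alert)
    print("tampering detected:", tamper_detected())
```

The badge record flows through the same store as the ICT records without triggering anything here; its value is that the analysis stage can now join it against host and network events (as in the CFO scenario earlier in the deck) instead of leaving it in a separate physical security silo. Step 5 (Response) and step 6 (ongoing patching) are organizational processes the code only hands alerts to.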
  • Benefits of integration
    • Better Security
    • Fewer vulnerabilities
    • Better Auditing
    • Cost Savings
    • Mitigate legal liability (negligence)
  • Challenges
    • Lack of standards
    • Focus on technology rather than management
    • Reluctance of physical security to embrace ICT / IT
    • No roadmap for organization readiness
  • Initiatives example
    • www.opensecurityexchange.com
    • Cross-industry collaboration
    • Initial participants
      • CA
      • Gemplus
      • HID
      • Software House
    • PHYSBITS-Physical Security bridge to IT
  • ?