Information Protection


Published on

Effectively Building a Security Architecture

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Information Protection

  1. 1. Information Protection Effectively Building a Security Architecture Orlando Moreno, PMP VP of OPERATIONS [email_address] 408.656.2498
  2. 2. Security Threats Are Growing Security Incidents Reported to CERT 0 10,000 20,000 30,000 40,000 50,000 60,000 # of incidents 2001: 52,000+ incidents (Code Red, Nimda) Computer Emergency Response Team (CERT) is a federally funded research and development center specializing in Internet security operated by Carnegie Mellon University. ‘ 88 ‘ 89 ‘ 90 ‘ 91 ‘ 92 ‘ 93 ‘ 94 ‘ 95 ‘ 96 ‘ 97 ‘ 98 ‘ 99 ‘ 00 ‘ 01 1988: 6 incidents (Morris Worm)
  3. 3. The Past Year — Shaping InfoSec Code Red, Nimda, Slammer September 11th WorldCom, Enron Legal, Regulatory We’re Vulnerable Significant Threats Increased Oversight
  4. 4. The Past Year <ul><li>Lessons Learned … </li></ul><ul><ul><li>We’re vulnerable </li></ul></ul><ul><ul><li>Security is everyone’s responsibility </li></ul></ul><ul><ul><li>Security threats & risks are evolving </li></ul></ul><ul><ul><li>Security is a process not a product </li></ul></ul><ul><li>Where We Are Going … </li></ul><ul><ul><li>Accountability: Organizational, Vendor, Individual </li></ul></ul><ul><ul><li>Integrated/Distributed Security: OpSys, Apps & Network </li></ul></ul><ul><ul><li>Process Oriented: Managed with Metrics </li></ul></ul><ul><ul><li>Standards & Regulations: Compliance </li></ul></ul>
  5. 5. Security — Business Perspective Wall Street Business Partners Cyber War Competitors Privacy Consumers Regulations Information Protection Insurance Legal Legal Insurance Insurance Legal Regulations Regulations Insurance Consumers Consumers Regulations Privacy Privacy Consumers Competitors Competitors Privacy Cyber War Cyber War Competitors Business Partners Business Partners Cyber War Wall Street Wall Street Business Partners
  6. 6. Similar & Different Perspectives Privacy Data Protection Liability Regulation Due Diligence Standards Technology
  7. 7. Security — Technical Perspective Home Network Applications Desktops DBs Remote Offices Business Partners Competitor Consumers Supply Chains Development Chains Demand Chains
  8. 8. Business View of Security <ul><li>Risks vary in potential and impact on business processes </li></ul>Business Risk Technical Risk Business Risk Technical Risk
  9. 9. How Am I Doing? Manufacturing A B C D F Information Sharing Information Security Civilian Government Defense/ Intelligence Financial Services Health Care Energy Utilities Communications
  10. 10. Process View of Security <ul><li>People: Everyone has a role in information security. </li></ul><ul><li>Architecture: Aligns security with business, sets management expectations. </li></ul><ul><li>Awareness: For expectations to be adhered to they have to be communicated. </li></ul><ul><li>Technologies: Security is enforced through selection of products that support the architecture requirements. </li></ul>Awareness Technologies Architecture People
  11. 11. Security Considerations <ul><li>Authentication </li></ul><ul><ul><li>Is the requester who they claim to be? </li></ul></ul><ul><li>Authorization </li></ul><ul><ul><li>Are they allowed to do what they are asking to do? </li></ul></ul><ul><li>Audit/Accountability </li></ul><ul><ul><li>How do we hold them responsible for their actions? </li></ul></ul><ul><li>Confidentiality </li></ul><ul><ul><li>How do we keep requests and responses secret? </li></ul></ul><ul><li>Integrity </li></ul><ul><ul><li>How do we know messages are not changed in transit? </li></ul></ul><ul><li>Administration </li></ul><ul><ul><li>How do we manage the data for all this? </li></ul></ul>
  12. 12. Building a Security Architecture WAN Connections Enterprise Business Unit Business Unit A A A A Perimeter Perimeter Perimeter Remote External Users/Sites
  13. 13. Developing the Security Architecture Security Architecture Requirements Business Needs Regulations Legal Issues Business Partners
  14. 14. The Purpose of a Security Architecture <ul><li>Understand business requirements </li></ul><ul><ul><li>Legal, regulatory, business partner </li></ul></ul><ul><li>Discussion of where you are and where you are going </li></ul><ul><ul><li>5 year plan — What will security look like tomorrow? </li></ul></ul><ul><li>Define standards and principles </li></ul><ul><ul><li>Architecture standards = Regulations, international standards </li></ul></ul><ul><ul><li>Technology standards = communication, desktop, server </li></ul></ul><ul><ul><li>Operational standards = Range of options </li></ul></ul><ul><li>Establish Policy </li></ul><ul><ul><li>Defines appropriate behavior </li></ul></ul><ul><li>Provides metrics for measurement </li></ul><ul><ul><li>What is to measured and how </li></ul></ul><ul><li>Gives technical instruction </li></ul><ul><ul><li>Topology, technical descriptions, techniques </li></ul></ul>
  15. 15. Risk Management Pervasive Principles Broad Functional Principles Detailed Principles Regulations & Legislation Business Risk Business Requirements Security Architecture
  16. 16. Risk Management A B C D E F Due Diligence Increased Controls
  17. 17. Where Does Security Fit? Requirements/Definition Design Develop Test & Debug Deploy and Maintain 1 4 3 2 5 Focus of the Past Focus of the Future
  18. 18. TEI TM of Integrating Security Performance & Flexibility Cost Security
  19. 19. C&A + Continuous Assessment <ul><li>System Accreditation </li></ul><ul><li>“ A management decision . . . to authorize operation of an IT system based on the results of a certification process and other relevant considerations…” </li></ul><ul><li> NIST 800-37 </li></ul><ul><li>Security Certification </li></ul><ul><li>“ A comprehensive analysis of the technical and non-technical aspects of an IT system in its operational environment to determine compliance to stated security requirements and controls…” NIST 800-37 </li></ul><ul><li>Continuous Assessment </li></ul><ul><ul><li>Event/Incident Monitoring </li></ul></ul><ul><ul><li>Vulnerability Management </li></ul></ul><ul><ul><li>Configuration Management </li></ul></ul><ul><ul><li>Risk/Threat Management </li></ul></ul><ul><ul><li>Compliance Management </li></ul></ul>
  20. 20. Auditing Compliance External 2 — Assessment 3 — Respond to Gaps Third-Party Validation Internal 1 — Documentation
  21. 21. Why Security? <ul><li>Risk: there is a business risk, and it is growing. </li></ul><ul><li>Governance: we are seeing increased pressure on boards and executive management in regards to information protection. </li></ul><ul><li>Architecture: defining a security architecture gives you something to manage and measure against as well as a road map to your destination. </li></ul><ul><li>Integration: building security in is more cost-effective than bandaging security on. </li></ul><ul><li>Process: security is not just a technical problem, put a people and policies problem as well. </li></ul>