Working Remotely Vpn Paradigm


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Working Remotely Vpn Paradigm

  1. 1. unclassified - 2007 VPN Security Constructs: Simplifying but improving remote access controls for VPN accounts Peter Param Manager IT Security
  2. 2. Business Requirement for forging a templated environment <ul><li>Known ACLs – creating access controls based on the work and access of existing roles but managing remote connectivity issues </li></ul><ul><li>Expediancy – by having quick turnarounds without relying on availability of key personnel </li></ul><ul><li>Known entry points – All access entry/exit areas will be known and therefore incident escalation procedures will have known variables to work with (as opposed to campus wide potentials) </li></ul><ul><li>Predictable scope of access – Scope of access is known so social engineering activities will stand out. </li></ul>unclassified - 2007
  3. 3. eRecords Security: Compliancy & Governance <ul><li>HIPAA – not required today, Australian best practises recommended, its about privacy and security of protected health information. </li></ul><ul><li>Sarbanes-Oxley , named for the two Congressmen who sponsored it, on the surface doesn't have much to do with IT security. The law was passed to restore the public's confidence in corporate governance by making chief executives of publicly traded companies personally validate financial statements and other information. Companies' having proper &quot; internal controls “ is essential It's hard to sign off on the validity of data if the systems maintaining it aren't secure. Compliancy is NOT required unless dealing directly with US firms. </li></ul><ul><li>Privacy Act - The Information Privacy Principles are the base line privacy standards which the Commonwealth and ACT government agencies need to comply with in relation to personal information kept in their records. Covers collection , dissemination , solicitation , storage , use and disclosure of private information. </li></ul><ul><li>Australia Legislation – There is a whole lot of regulatory requirements for records (e.g. retirement schedules, etc,etc) that may impact eRecords security. Cybercrime act 2001… </li></ul>unclassified - 2007
  4. 4. eRecords Security: Cybercrime Act 2001 <ul><li>Cybercrime Act 2001… </li></ul><ul><ul><li>A person is guilty of an offence if: </li></ul></ul><ul><ul><li>(a) the person causes: </li></ul></ul><ul><ul><li>(i) any unauthorised access to data held in a computer; or </li></ul></ul><ul><ul><li>(ii) any unauthorised modification of data held in a computer; or </li></ul></ul><ul><ul><li>(iii) any unauthorised impairment of electronic communication to or from a computer; and </li></ul></ul><ul><ul><li>(b) the person knows the access, modification or impairment is unauthorised; and </li></ul></ul><ul><ul><li>(c) the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth (whether by that person or another person) by the access, modification or impairment. </li></ul></ul>unclassified - 2007
  5. 5. eRecords Security: Trust <ul><li>Privacy </li></ul><ul><ul><li>Non-disclosure </li></ul></ul><ul><ul><li>Deletion </li></ul></ul><ul><ul><li>Encryption </li></ul></ul><ul><li>Confidentiality </li></ul><ul><ul><li>Document classification (as taken from DSD ACSI33 documentation, e.g. unclassified, in-confidence, restricted) </li></ul></ul>unclassified - 2007
  6. 6. eRecords Security: Identity Management <ul><li>Authentication & Access control, Audit trail, Non-repudiation </li></ul><ul><li>Authentication – Verifying the person </li></ul><ul><li>Access Control – What access that person has </li></ul><ul><li>Audit Trail – What activity in trusted areas </li></ul><ul><li>has the person done </li></ul><ul><li>Non-repudiation – Has the system confirmed the </li></ul><ul><li>person’s receipt of a </li></ul><ul><li>document. </li></ul>unclassified - 2007
  7. 7. eRecords Security: IT group initiatives <ul><li>‘ Context’ – Document Management </li></ul><ul><li>PKI – Public Key Infrastructure </li></ul><ul><li>Risk/Threat Assessment – 1 st steps in IT security compliancy </li></ul><ul><li>Security Policies – Policies regarding IT Security . </li></ul>unclassified - 2007
  8. 8. eRecords Security: Security Policies <ul><li>Existing Policies: </li></ul><ul><ul><li>Non-disclosure </li></ul></ul><ul><ul><li>Acceptable usage </li></ul></ul><ul><li>Proposed Policies: </li></ul><ul><ul><li>Acceptable Encryption Policy </li></ul></ul><ul><ul><li>Analog Line Policy </li></ul></ul><ul><ul><li>Automatically Forwarded Email Policy </li></ul></ul><ul><ul><li>DB Credentials Policy </li></ul></ul><ul><ul><li>Dial-in Access Policy </li></ul></ul><ul><ul><li>Information Sensitivity Policy </li></ul></ul><ul><ul><li>Internet DMZ Equipment Policy </li></ul></ul><ul><ul><li>Wireless Communication Policy </li></ul></ul>unclassified - 2007
  9. 9. eRecords Security: Threat Assessment Example unclassified - 2007 Very Low Low Minor Low Illegal access to call records data. Very Low High Serious Low Weak authentication and/or poor password management. Very Low High Grave Low Compromise by subversive programming of the PABX via dialup access. Nil Critical Grave Medium Physical access violation to PABX room High Integrity of Public PABX. Low High Serious Medium Poor password management. Very Low High Serious Low Weak authentication Very Low High Serious Low Root violation of Internal Mail server. Low Extreme Serious Very High Inadvertent distribution of sensitive email to outside addressee or distribution groups. Protection of sensitive emails on the internal network. Countermeasure(s) Priority Rating Required Risk Resultant Risk Harm, if threat is realised Threat Likelihood Threat to Asset Asset