Post on 08-May-2015
Orlando Moreno, PMP, VP of Operations
omoreno@hotmail.com 408.656.2498
Information Protection: Effectively Building a Security Architecture
omoreno@hotmail.com 2
Security Threats Are Growing
Security Incidents Reported to CERT (chart: number of incidents per year, 1988 to 2001, scale 0 to 60,000)
– 1988: 6 incidents (Morris Worm)
– 2001: 52,000+ incidents (Code Red, Nimda)
Computer Emergency Response Team (CERT) is a federally funded research and development center specializing in Internet security, operated by Carnegie Mellon University.
The Past Year — Shaping InfoSec
(diagram)
– Code Red, Nimda, Slammer
– September 11th
– WorldCom, Enron: Legal, Regulatory
Outcomes:
– We’re Vulnerable
– Significant Threats
– Increased Oversight
The Past Year
Lessons Learned …
– We’re vulnerable
– Security is everyone’s responsibility
– Security threats & risks are evolving
– Security is a process, not a product
Where We Are Going …
– Accountability: Organizational, Vendor, Individual
– Integrated/Distributed Security: OpSys, Apps & Network
– Process Oriented: Managed with Metrics
– Standards & Regulations: Compliance
Security — Business Perspective
(diagram: Information Protection at the center, surrounded by Wall Street, Business Partners, Cyber War, Competitors, Privacy, Consumers, Regulations, Insurance and Legal)
Similar & Different Perspectives
Privacy
Data Protection
Liability
Regulation
Due Diligence
Standards
Technology
Security — Technical Perspective
(diagram: Home Network, Applications, Desktops, DBs, Remote Offices, Business Partners, Competitor, Consumers, Supply Chains, Development Chains, Demand Chains)
Business View of Security
Risks vary in potential and impact on business processes
How Am I Doing?
(report-card figure: grades A, B, C, D, F for Information Sharing and Information Security by sector: Manufacturing, Civilian Government, Defense/Intelligence, Financial Services, Health Care, Energy, Utilities, Communications)
Process View of Security
1. People: Everyone has a role in information security.
2. Architecture: Aligns security with business, sets management expectations.
3. Awareness: For expectations to be adhered to they have to be communicated.
4. Technologies: Security is enforced through selection of products that support the architecture requirements.
(diagram: cycle of Architecture, People, Awareness and Technologies)
Security Considerations
Authentication – Is the requester who they claim to be?
Authorization – Are they allowed to do what they are asking to do?
Audit/Accountability – How do we hold them responsible for their actions?
Confidentiality – How do we keep requests and responses secret?
Integrity – How do we know messages are not changed in transit?
Administration – How do we manage the data for all this?
Building a Security Architecture
(diagram: WAN Connections, Business Units, zones labelled A, Perimeters, Remote/External Users and Sites)
Developing the Security Architecture
(diagram: Security Architecture Requirements drawn from Business Needs, Regulations, Legal Issues and Business Partners)
The Purpose of a Security Architecture
Understand business requirements
– Legal, regulatory, business partner
Discussion of where you are and where you are going
– 5 year plan — What will security look like tomorrow?
Define standards and principles
– Architecture standards = Regulations, international standards
– Technology standards = communication, desktop, server
– Operational standards = Range of options
Establish Policy
– Defines appropriate behavior
Provides metrics for measurement
– What is to be measured and how
Gives technical instruction
– Topology, technical descriptions, techniques
Risk Management
(diagram: Pervasive Principles, Broad Functional Principles and Detailed Principles, derived from Regulations & Legislation, Business Risk and Business Requirements, feeding the Security Architecture)
Risk Management
(diagram: controls graded A, B, C, D, E, F along a scale from Due Diligence to Increased Controls)
Where Does Security Fit?
(diagram: lifecycle phases 1 Requirements/Definition, 2 Design, 3 Develop, 4 Test & Debug, 5 Deploy and Maintain)
– Focus of the Past
– Focus of the Future
TEI™ of Integrating Security
(diagram: trade-off between Performance & Flexibility, Cost and Security)
C&A + Continuous Assessment
System Accreditation – “A management decision . . . to authorize operation of an IT system based on the results of a certification process and other relevant considerations…” NIST 800-37
Security Certification – “A comprehensive analysis of the technical and non-technical aspects of an IT system in its operational environment to determine compliance to stated security requirements and controls…” NIST 800-37
Continuous Assessment
– Event/Incident Monitoring
– Vulnerability Management
– Configuration Management
– Risk/Threat Management
– Compliance Management
Auditing Compliance
(diagram: Internal and External tracks)
– 1 — Documentation
– 2 — Assessment
– 3 — Respond to Gaps
– Third-Party Validation
Why Security?
Risk: there is a business risk, and it is growing.
Governance: we are seeing increased pressure on boards and executive management in regards to information protection.
Architecture: defining a security architecture gives you something to manage and measure against as well as a road map to your destination.
Integration: building security in is more cost-effective than bandaging security on.
Process: security is not just a technical problem, but a people and policies problem as well.