Date post: 14-Dec-2015
1 Information Security Considerations for the Organization Ed Green The Pennsylvania State University The Abington College Room 205 Rydal 215-881-7332 [email protected] www.personal.psu.edu/exg13
Page 1: 1 Information Security Considerations for the Organization Ed Green The Pennsylvania State University The Abington College Room 205 Rydal 215-881-7332.

1

Information Security Considerations for the Organization

Ed Green
The Pennsylvania State University
The Abington College
Room 205 Rydal
[email protected]
www.personal.psu.edu/exg13

Page 2: Data and Information

• What is data?
  – The collection of facts that represent an organization or a component thereof
• What is information?
  – Stored facts processed and presented to allow business analysis and decision making
• Why is data important?
  – Data represents the collected knowledge of the organization
• What does information mean to an organization?
  – Information is used to make decisions that affect the success of an organization
• Why must data be protected?
  – Data must be protected in order to preserve its quality and integrity
• Why must information be protected?
  – Information must be protected to preserve the organization
  – Information must be protected to satisfy various legal requirements

Page 3: Critical Legal Requirements

• Foreign Corrupt Practices Act
• Export Control Requirements
• HIPAA
• National Security
  – DoD
  – DoJ
  – DoS
  – DoT
  – DoHS

Page 4: Critical Business Requirements

• Business processes
• Business strategies
• Proprietary information
  – Trade secrets
• Competitive elements
• Compliance with legal requirements
• Organizational ethical conduct

Page 5: Critical Security Issues

• Access control
  – Who is allowed to access the system?
  – How are individuals identified?
  – What is a particular individual allowed to do?
• Information protection
  – What information is disclosed?
  – Who is allowed to see what information?
  – What release controls are required?
  – How is information preserved?
• Information receipt
  – What information is received?
  – How is this information verified?
• Legal obligations
  – What are the legal requirements?
  – How is compliance managed?

Page 6: Integration Services

[Diagram: enterprise integration architecture. Message queues and adapters connect a staging area, a legacy system, enterprise COTS applications, distributed component-based business system domains (BSDs), a decision support system, a plant control system, intranet facilities and personal computers. Enterprise infrastructure services shown: messaging services, organization directory, security services, system management, knowledge management, metadata repository, archiving service, portals and B2B messaging.]

Page 7: Networking Model

[Diagram: a private intranet separated from the public Internet by a firewall. Inside: internal users, internal systems, business system domain application(s), message queues, message broker services, directory services, device services, organization structure service and trader services behind a web server. Outside: external users, business partners and remote employees reaching public web applications (public application(s) on an enterprise web server with message queues), B2B web server(s) with B2B message queues, and employee remote access.]

Page 8: Internal versus External Environments

• Internal
  – Information privacy
    • Employees
    • Customers
  – Access accountability
    • Audit trails and logs
  – Physical control
  – Risk avoidance philosophy
    • Keep the bad guys out
• External
  – Information privacy
    • Proprietary
    • Business sensitive
    • Employees
    • Customers
  – Access accountability
    • Audit trails and logs
  – Physical management
    • Cyber vulnerability
  – Risk minimization philosophy
    • Limit the damage bad guys can do

Page 9: Security for the Internal Environment – an Example

[Diagram: an EMPLOYEE DATABASE accessed by three parties: the EMPLOYEE, the MANAGER and HUMAN RESOURCES.]

Page 10: Security for the External Environment – an Example

• Following the flow of a need for materials and supplies within an organization

Page 11: Enterprise IT Framework

[Diagram: clients (web browser) reach independent applications (Finance, Manufacturing, Sales/Marketing, Personnel, Engineering) through an Application Integrator that has a user interface layer and a security layer (authentication, authorization). The integrator is software that provides a “common view” capability.]

Page 12: Trading Partner Challenge

[Diagram: five trading partners, each with its own Application Integrator, user interface layer and security layer.]

Page 13: Problem Summary

• Use the understanding of various AEI (Advanced Enterprise Integration) concepts to describe the occurrence details of an e-Business transaction

Page 14: In the beginning . . .

[Diagram: purchase order flow on the purchaser side.]
• Inventory Management Process, working from the Inventory Database, recognizes the EOQ/JIT level
• Prepare Purchase Order, using the Supplier Catalog; the Purchase Order Message is sent for review/approval (header shows destination as reviewer)
• Review Purchase Order: purchase order reviewed, approved, and submitted to supplier (header shows destination as supplier); recorded in the Purchase Order DB
• Firewall Security Check before the message goes to the supplier
  – Authorized submitter
  – Authorized named personnel
  – Authorized supplier
• Message header fields: Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority

Page 15: Next, . . . From Purchaser

[Diagram: purchase order flow on the supplier side.]
• Purchase order is admitted through the firewall and passed to the Order Entry System (Orders Database)
• Firewall Security Check
  – Authorized submitter
  – Authorized named personnel
  – Authorized trading partner
  – Authorized recipient
• If in inventory, a Fulfillment Message is sent to the Fulfillment System
• If not in inventory, a Manufacturing Message is sent to the Manufacturing System
• Manufacturing System uses data in the Inventory and Manufacturing Databases
• If raw materials are required, a Purchase Order Message is sent (Purchase Order System)
• When the order has been completed, a Fulfillment Message is sent to the Fulfillment System
• Acknowledgement (Order Receipt Message) sent

Page 16: Continuing, . . .

[Diagram: the Order Receipt Message is transmitted back to the purchaser through two firewalls.]
• Security Check at the first firewall
  – Authorized submitter
  – Authorized named personnel
  – Authorized trading partner
  – Authorized recipient
• Security Check at the second firewall
  – Authorized submitter
  – Authorized named personnel
  – Authorized supplier
• Validated message sent to the Purchase Order Management System (Purchase Order DB)
• Stakeholder Status Messages sent to named stakeholders

Page 17: Meanwhile, . . .

[Diagram: fulfillment on the supplier side.]
• Fulfillment System sends Fulfillment Messages to the Shipping and Billing Systems and to the Inventory System (Inventory Database)
• Billing System prepares and sends the bill (Billing Message, Billing Database)
• Shipping System sends the Shipping Notice Message
• Messages to the purchaser pass the firewall Security Check
  – Authorized submitter
  – Authorized named personnel
  – Authorized trading partner
  – Authorized recipient

Page 18: And, . . .

[Diagram: receipt and payment on the purchaser side.]
• Billing Message and Shipping Notice Message from the supplier pass the firewall Security Check
  – Authorized submitter
  – Authorized named personnel
  – Authorized supplier
• Billing message is sent to Accounts Payable
• Shipping Notice message is sent to Accounts Payable
• Receipt Message from the Receiving System (Purchase Order DB) is sent to Accounts Payable
• Electronic Payment is sent to the supplier through the firewall (General Ledger DB, Purchase Order DB), subject to the same Security Check
  – Authorized submitter
  – Authorized named personnel
  – Authorized supplier

Page 19: Finally

[Diagram: payment received on the supplier side.]
• Electronic Payment from the purchaser passes the firewall Security Check
  – Authorized submitter
  – Authorized named personnel
  – Authorized supplier
• Payment is processed (Payments / Payment Processing, General Ledger, Orders Database, Billing Database)

Page 20: The Modern Security Conundrum

• The enterprise does not engage in any form of electronic commerce
• The enterprise faithfully conforms to all legal requirements for data and information protection
• The enterprise utilizes electronic mail
• The enterprise engages in research that necessitates collaboration with colleagues employed by other enterprises

Page 21: Security Mechanisms

• Userid/password
• Secure keys
  – Public/private encryption
• VPN
• E-mail
• Internet/intranet
• Data level
• Audit mechanisms
• Bio-security

Page 22: Userid/Password

• Traditional method
  – Identify oneself
  – Confirm identity
• Marginally adequate in a closed environment; inadequate otherwise
  – Predictable passwords infrequently changed
  – Too numerous to mention
  – Improperly protected
• Simple implementation easily “hacked”
  – Relational database table
    • Userid (primary key)
    • Password
    • Employee_id
    • <other descriptive data>

Page 23: Access Control

• Who is allowed to access the system?
  – Recognized users
• How are individuals identified?
  – Userid and password combination
• What is a particular individual allowed to do?
  – Determined by role/responsibility set
• How is access managed?
  – Risk management
  – Risk mitigation

Page 24: Access Control - Authentication

• Process of determining who is requesting access to the information technology environment
• Userid/password combination
  – Unique – only one such combination exists
  – Not absolute

Page 25: Access Control - Authentication

[Diagram: USERID/PASSWORD DIRECTORY with two tables: USERS (USERID, USER DEMOGRAPHICS) and PASSWORD (@USERID, @PASSWORD, PASSWORD_DATE), joined on USERID.]

Authentication is the process of first confirming the USERID and then matching it to the PASSWORD. The PASSWORD_DATE is included to manage password change.
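Pages 22 and 25 describe the userid/password table that a simple implementation stores and the PASSWORD_DATE column used to manage password change. The following is an added example, not code from the slides or their author, that puts the flat table the deck calls easily “hacked” beside a hardened directory: salted PBKDF2 hashes instead of stored passwords, constant-time comparison, one uniform answer for an unknown userid and a wrong password, and a password-age check driven by PASSWORD_DATE. The sample users, passwords, dates, iteration count and 90-day policy are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# The slide's simple implementation, as a constructed sample: one row per user,
# the password stored exactly as typed. Whoever can read the table (a leaked
# backup, an injection flaw, a careless export) holds every credential at once.
WEAK_TABLE = {
    "egreen": {"password": "Summer2015", "employee_id": 1001},
}

def weak_authenticate(userid, password):
    """Confirm identity by comparing the stored cleartext password."""
    row = WEAK_TABLE.get(userid)
    return row is not None and row["password"] == password


# Hardened PASSWORD directory keyed by USERID, as on the slide, but the column
# holds a salted, iterated hash instead of the password, and PASSWORD_DATE lets
# the installation enforce its password-change policy.
PBKDF2_ITERATIONS = 200_000            # assumption: tune to the server's budget
MAX_PASSWORD_AGE = timedelta(days=90)  # assumption: the installation's policy

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh salt per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest

def enroll(directory, userid, password, password_date):
    """Create the user's PASSWORD row: salt, hash and PASSWORD_DATE."""
    salt, digest = hash_password(password)
    directory[userid] = {"salt": salt, "hash": digest,
                         "password_date": password_date}

def authenticate(directory, userid, password, today):
    """First confirm the USERID, then match the PASSWORD, then check its age.

    Returns "ok", "bad-credentials" or "password-expired". An unknown userid
    and a wrong password get the same answer, so the login path cannot be
    used to learn which userids exist.
    """
    row = directory.get(userid)
    if row is None:
        hash_password(password, b"\x00" * 16)  # same cost as a real comparison
        return "bad-credentials"
    _, digest = hash_password(password, row["salt"])
    if not hmac.compare_digest(digest, row["hash"]):
        return "bad-credentials"
    if today - row["password_date"] > MAX_PASSWORD_AGE:
        return "password-expired"
    return "ok"

def run_demo(today=date(2015, 12, 14)):
    """Exercise both stores on constructed sample users; returns the outcomes."""
    directory = {}
    enroll(directory, "egreen", "Summer2015", date(2015, 11, 1))  # fresh password
    enroll(directory, "stale", "Winter2014", date(2015, 1, 1))    # overdue for change
    return {
        "weak_ok": weak_authenticate("egreen", "Summer2015"),
        "weak_wrong": weak_authenticate("egreen", "summer2015"),
        "fresh_ok": authenticate(directory, "egreen", "Summer2015", today),
        "fresh_wrong": authenticate(directory, "egreen", "summer2015", today),
        "stale": authenticate(directory, "stale", "Winter2014", today),
        "unknown": authenticate(directory, "nobody", "anything", today),
    }

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Both stores answer the same question the slide poses (is this USERID/PASSWORD pair valid?), but only the hardened one survives a copy of the table leaking: an attacker who reads it gets salts and slow hashes, not passwords. The PASSWORD_DATE check is where the deck's “predictable passwords infrequently changed” complaint is turned into an enforced rule rather than a hope.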

Page 26: Access Control - Authentication

• Strengths
  1.  2.  3.  4.  5.  6.  7.  8.
• Weaknesses
  1.  2.  3.  4.  5.  6.  7.  8.

Identify the major strengths and weaknesses of the userid and password authentication.

Page 27: Access Control - Authentication

• Is authentication equally critical when considering the Intranet versus considering the Internet?

It is because:
  1.  2.  3.  4.  5.
It is not because:
  1.  2.  3.  4.  5.

Discuss

Page 28: Access Control - Authentication

• Userid/password open to security breaching
  – Represents a significant risk
    • Must be mitigated
• Mitigation options
  – Bio-techniques
    • Retina scans
    • Facial matching
    • Fingerprinting
  – Electronic techniques
    • Certification

Bio-techniques are coming but electronic techniques are now.

Page 29: Digital Certificates

• Algorithmically generated
  – Usually includes userid and password
  – Other identifying information appended
• Produces an electronic signature
  – Unique to individual

Page 30: Digital Certificates

• What information would you recommend to create a digital signature for intranet-based users?
• What information would you recommend to create a digital signature for internet-based users?

Page 31: Digital Certificates

• Private key
  – The certificate provided by the originator of a message
    • Originator’s signature
  – Ensures the authenticity of the message
  – Validated using the public key
• Public key
  – The template used to validate the authenticity of a message’s source

Page 32: Message Structure

• Message Header
  – Includes destination
  – Identifies source
  – Identifies message (type)
• Message Trailer
  – Indicates end of message
• Message Contents
  – Must be defined in such a way that it is understood by BOTH sender AND receiver

Page 33: Messaging Infrastructure – Message Format Abstraction

[Diagram: message header fields Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority, followed by Message Properties.]

Page 34: Authentication with Digital Certificates

[Diagram: the same header fields (Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority); the Message Properties carry the Private Key (userid/password).]

Page 35: Authentication with Digital Certificates

Diagram the authentication process using digital certificates.

Page 36: Access Control - Authorization

• Process of constraining authenticated users to allowed applications, processes and activities
• Can be
  – Identity-based
  – Role-based

Page 37: Access Control - Authorization

[Diagram: tables USERS (USERID, PASSWORD), PROGRAMS (PROGRAM_IDENTIFICATION) and USER_PROGRAMS (USERID, PROGRAM_IDENTIFICATION); USER_PROGRAMS links each user to the programs that user may run.]
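Page 36 distinguishes identity-based from role-based authorization, and page 37 shows the USERS, PROGRAMS and USER_PROGRAMS tables. The following is an added example, not code from the slides or their author, that builds those three tables in an in-memory SQLite database and adds a role layer (ROLES, USER_ROLES and ROLE_PROGRAMS, which are an extension added here and are not on the slide) so that both models answer the same question: may this USERID run this PROGRAM_IDENTIFICATION? The users, programs and grants are constructed sample data, and the PASSWORD column holds a placeholder because password storage is a separate concern.

```python
import sqlite3

# Tables from the authorization slide (USERS, PROGRAMS, USER_PROGRAMS) plus a
# role-based layer (ROLES, USER_ROLES, ROLE_PROGRAMS) added here for comparison.
SCHEMA = """
CREATE TABLE USERS (
    USERID   TEXT PRIMARY KEY,
    PASSWORD TEXT NOT NULL                       -- placeholder only in this demo
);
CREATE TABLE PROGRAMS (
    PROGRAM_IDENTIFICATION TEXT PRIMARY KEY
);
CREATE TABLE USER_PROGRAMS (                     -- identity-based grants
    USERID                 TEXT NOT NULL REFERENCES USERS(USERID),
    PROGRAM_IDENTIFICATION TEXT NOT NULL REFERENCES PROGRAMS(PROGRAM_IDENTIFICATION),
    PRIMARY KEY (USERID, PROGRAM_IDENTIFICATION)
);
CREATE TABLE ROLES (ROLE_ID TEXT PRIMARY KEY);
CREATE TABLE USER_ROLES (                        -- role-based: who holds which role
    USERID  TEXT NOT NULL REFERENCES USERS(USERID),
    ROLE_ID TEXT NOT NULL REFERENCES ROLES(ROLE_ID),
    PRIMARY KEY (USERID, ROLE_ID)
);
CREATE TABLE ROLE_PROGRAMS (                     -- role-based: what a role may run
    ROLE_ID                TEXT NOT NULL REFERENCES ROLES(ROLE_ID),
    PROGRAM_IDENTIFICATION TEXT NOT NULL REFERENCES PROGRAMS(PROGRAM_IDENTIFICATION),
    PRIMARY KEY (ROLE_ID, PROGRAM_IDENTIFICATION)
);
"""

# One query answers both models: a direct grant OR a grant through a held role.
GRANT_SQL = """
    SELECT 1 FROM USER_PROGRAMS
     WHERE USERID = :u AND PROGRAM_IDENTIFICATION = :p
    UNION
    SELECT 1 FROM USER_ROLES ur
      JOIN ROLE_PROGRAMS rp ON rp.ROLE_ID = ur.ROLE_ID
     WHERE ur.USERID = :u AND rp.PROGRAM_IDENTIFICATION = :p
"""

def build_directory():
    """In-memory directory loaded with constructed users, programs and grants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("egreen", "<hash>"), ("jdoe", "<hash>"), ("hrlead", "<hash>")])
    conn.executemany("INSERT INTO PROGRAMS VALUES (?)",
                     [("PAYROLL",), ("TIMESHEET",), ("ENGDESIGN",)])
    conn.executemany("INSERT INTO ROLES VALUES (?)", [("EMPLOYEE",), ("HR",)])
    conn.execute("INSERT INTO USER_PROGRAMS VALUES ('egreen', 'ENGDESIGN')")
    conn.executemany("INSERT INTO ROLE_PROGRAMS VALUES (?, ?)",
                     [("EMPLOYEE", "TIMESHEET"), ("HR", "TIMESHEET"), ("HR", "PAYROLL")])
    conn.executemany("INSERT INTO USER_ROLES VALUES (?, ?)",
                     [("egreen", "EMPLOYEE"), ("jdoe", "EMPLOYEE"), ("hrlead", "HR")])
    conn.commit()
    return conn

def is_authorized(conn, userid, program):
    """Default deny: True only if an identity grant or a role grant exists."""
    row = conn.execute(GRANT_SQL, {"u": userid, "p": program}).fetchone()
    return row is not None

def programs_for(conn, userid):
    """Everything the user may run through either path, for review and audit."""
    rows = conn.execute("""
        SELECT PROGRAM_IDENTIFICATION FROM USER_PROGRAMS WHERE USERID = :u
        UNION
        SELECT rp.PROGRAM_IDENTIFICATION FROM USER_ROLES ur
          JOIN ROLE_PROGRAMS rp ON rp.ROLE_ID = ur.ROLE_ID
         WHERE ur.USERID = :u
    """, {"u": userid}).fetchall()
    return sorted(r[0] for r in rows)

def revoke_identity_grant(conn, userid, program):
    """Delete a USER_PROGRAMS row. Access still held through a role survives,
    so a revocation should be confirmed by re-running is_authorized."""
    conn.execute("DELETE FROM USER_PROGRAMS WHERE USERID = ? AND PROGRAM_IDENTIFICATION = ?",
                 (userid, program))
    conn.commit()

def run_demo():
    conn = build_directory()
    before = {u: programs_for(conn, u) for u in ("egreen", "jdoe", "hrlead")}
    revoke_identity_grant(conn, "egreen", "ENGDESIGN")
    return {
        "before": before,
        "hr_payroll": is_authorized(conn, "hrlead", "PAYROLL"),
        "employee_payroll": is_authorized(conn, "jdoe", "PAYROLL"),
        "unknown_user": is_authorized(conn, "nobody", "TIMESHEET"),
        "egreen_after_revoke": programs_for(conn, "egreen"),
    }

if __name__ == "__main__":
    print(run_demo())
```

The check is default-deny: a userid unknown to the directory, or known but without a grant, gets False. The revocation at the end shows the trap the two models set when used side by side: deleting an identity grant does not remove access the same user still holds through a role, which is why programs_for exists for review and why a revocation is confirmed by asking the authorization question again.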

Page 38: Validation at the Firewall

• Firewall – security barrier on the information superhighway
  – Prohibit unauthorized senders from releasing information
  – Prohibit unauthorized information from being released
  – Prohibit acceptance of information from unauthorized sources
  – Prohibit acceptance of unauthorized information

Page 39: Validation at the Firewall

• Firewall can be
  – Hardware-based
  – Software-based
• Firewall management is an installation responsibility
  – “Rules of the Road” for the business of managing an installation’s web accessibility
  – Setting the rules – management responsibility
    • With technical recommendations from key technical personnel
  – Enforcing the rules – web administrator’s responsibility

Page 40: Validation at the Firewall (INCOMING MESSAGE)

[Diagram: an incoming message with header fields Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority; Message Properties; MESSAGE BODY. Two outcomes: message has passed all firewall tests, or message has not passed all firewall tests.]

• Message header is inspected
  – Is this a legitimate message sender?
  – Is the sender recognized?
  – Is the sender authorized?
  – Can the sender’s identity be verified?
• Message body is inspected
  – Is this type of data authorized?
  – Is the sender authorized to send this data?
  – Is the data valid?

Page 41: Validation at the Firewall (OUTGOING MESSAGE)

[Diagram: an outgoing message with the same header fields, Message Properties and MESSAGE BODY. Two outcomes: message has passed all firewall tests, or message has not passed all firewall tests.]

• Message header is inspected
  – Is this a legitimate message sender?
  – Is the destination recognized?
  – Is the sender authorized?
  – Is the destination authorized?
  – Can the sender’s identity be verified?
• Message body is inspected
  – Is this type of data authorized?
  – Is the sender authorized to send this data?
  – Is the data valid?

Page 42: Validation at the Firewall

• Questions represent business rules
• What are the business rules?
  – Enterprise-specific
  – Implementation-specific
  – Set for intranet access
  – Set for internet access
• Transaction – an exchange of data/information required to complete a business event
  – Multiple technical transactions
  – Multiple electronic exchanges
  – Security checks will be performed every time
• Trust is verified
  – Never, ever assumed
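Pages 40 to 42 phrase firewall validation as a list of questions about the header and the body, and state that those questions are business rules applied on every exchange. The following is an added example, not code from the slides or their author, that encodes one constructed rule set (recognized and authorized senders and destinations, the data types each sender may send, body schemas per type) and asks every question of a message, returning pass/fail together with the reasons, for incoming and outgoing directions. Identity verification is a pluggable check; here a per-sender HMAC tag in Message Properties stands in for the certificate check of pages 31 to 34. The same shape covers the Firewall Security Check boxes of the purchase-order walkthrough on pages 14 to 19. All names, keys and messages are constructed, and the Source header field is assumed from page 32 (“identifies source”).

```python
import hashlib
import hmac
import json

# One installation's business rules (constructed; names are illustrative). A
# real installation sets these per enterprise and separately for intranet and
# internet access, as the slide says.
RULES = {
    "recognized_senders":      {"purchaser.procurement", "supplier.fulfillment", "intranet.hr"},
    "authorized_senders":      {"purchaser.procurement", "supplier.fulfillment"},
    "recognized_destinations": {"supplier.orders", "purchaser.receipts", "intranet.hr"},
    "authorized_destinations": {"supplier.orders", "purchaser.receipts"},
    "authorized_types":        {"PurchaseOrder", "OrderReceipt", "ShippingNotice"},
    "sender_types": {  # is the sender authorized to send this data?
        "purchaser.procurement": {"PurchaseOrder"},
        "supplier.fulfillment":  {"OrderReceipt", "ShippingNotice"},
    },
}
# Is the data valid? Required body fields and their types, per message type.
BODY_SCHEMAS = {
    "PurchaseOrder":  {"po_number": str, "item": str, "quantity": int},
    "OrderReceipt":   {"po_number": str, "accepted": bool},
    "ShippingNotice": {"po_number": str, "carrier": str, "tracking": str},
}
# Can the sender's identity be verified? Stand-in: a per-sender shared key and
# an HMAC tag in Message Properties. A certificate check plugs in the same way.
SENDER_KEYS = {"purchaser.procurement": b"constructed-key-1",
               "supplier.fulfillment":  b"constructed-key-2"}

def canonical_bytes(message):
    """Header and body serialized identically on both sides; properties excluded."""
    return json.dumps({"header": message["header"], "body": message.get("body")},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")

def stamp(message, key):
    """Sender side: attach the identity tag to Message Properties."""
    tag = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
    return {**message, "properties": {**message.get("properties", {}), "identity_tag": tag}}

def identity_verified(message):
    key = SENDER_KEYS.get(message["header"].get("Source"))
    tag = message.get("properties", {}).get("identity_tag")
    if key is None or tag is None:
        return False
    expected = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def validate_body(mtype, body):
    schema = BODY_SCHEMAS.get(mtype)
    if schema is None or not isinstance(body, dict):
        return ["data invalid: no schema for this type or body is not a record"]
    problems = []
    for name, typ in schema.items():
        if name not in body:
            problems.append(f"data invalid: missing {name}")
        elif type(body[name]) is not typ:   # exact type, so a bool cannot pass as an int
            problems.append(f"data invalid: {name} is not {typ.__name__}")
    if mtype == "PurchaseOrder" and type(body.get("quantity")) is int and body["quantity"] <= 0:
        problems.append("data invalid: quantity must be positive")
    return problems

def inspect_message(message, direction, rules=RULES, verify=identity_verified):
    """Ask every firewall question of one message; returns (passed, reasons).
    Stateless on purpose: trust is verified on each exchange, never carried over."""
    h, reasons = message["header"], []
    sender, dest, mtype = h.get("Source"), h.get("Destination"), h.get("Type")
    # Message header is inspected
    if sender not in rules["recognized_senders"]:
        reasons.append("sender not recognized")
    elif sender not in rules["authorized_senders"]:
        reasons.append("sender not authorized")
    if direction == "outgoing":
        if dest not in rules["recognized_destinations"]:
            reasons.append("destination not recognized")
        elif dest not in rules["authorized_destinations"]:
            reasons.append("destination not authorized")
    if not verify(message):
        reasons.append("sender identity not verified")
    # Message body is inspected
    if mtype not in rules["authorized_types"]:
        reasons.append("data type not authorized")
    elif mtype not in rules["sender_types"].get(sender, set()):
        reasons.append("sender not authorized to send this data type")
    reasons += validate_body(mtype, message.get("body"))
    return not reasons, reasons

def run_demo():
    """One clean constructed purchase order and three variants that must fail."""
    po = {"header": {"Source": "purchaser.procurement", "Destination": "supplier.orders",
                     "Type": "PurchaseOrder", "Message ID": "PO-2015-0001"},
          "body": {"po_number": "PO-2015-0001", "item": "widget", "quantity": 500}}
    good = stamp(po, SENDER_KEYS["purchaser.procurement"])
    tampered = json.loads(json.dumps(good))
    tampered["body"]["quantity"] = 5000                    # altered after stamping
    other = {**po, "header": {**po["header"], "Source": "supplier.fulfillment"}}
    wrong_sender = stamp(other, SENDER_KEYS["supplier.fulfillment"])  # genuine, wrong data for it
    elsewhere = {**po, "header": {**po["header"], "Destination": "unknown.partner"}}
    bad_dest = stamp(elsewhere, SENDER_KEYS["purchaser.procurement"])
    return {
        "good_in":         inspect_message(good, "incoming"),
        "tampered_in":     inspect_message(tampered, "incoming"),
        "wrong_sender_in": inspect_message(wrong_sender, "incoming"),
        "bad_dest_out":    inspect_message(bad_dest, "outgoing"),
    }
```

Every question on the two slides maps to one branch, and the reasons list is what an audit log would record for a rejected message. The wrong_sender case is the one worth studying: the message is genuine (its identity tag verifies) and comes from an authorized trading partner, yet it still fails, because being a recognized and authorized sender does not make one authorized to send this particular kind of data.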

Page 43: Validation at the Firewall

A patient at this hospital has been admitted in very serious condition. A series of tests has been performed; the data collected includes various alphanumeric measurements as well as several medical images. Diary observations (comments) by the attending staff have also been captured. The consensus is that this patient has an unusual illness that the local staff has little or no experience in treating. One of the attending staff remembers meeting a colleague at a conference who has had experience treating this illness. An electronic collaboration session is arranged.

ASSIGNMENT: Describe the firewall security that will transpire to effect this electronic consultation.

Page 44: VPN

• Virtual Private Network
  – Network within a network; allows an enterprise to turn the Internet into a private network
• Tunneling method: an IP packet within an IP packet

Page 45: Securing Electronic Mail

• Interception at the firewall – inbound
  – Known sources
  – Managed attachments
• Interception at the firewall – outbound
  – Authorized senders
  – Known destinations
  – Managed attachments
• Audit and inspection

Page 46: Data Level Security

• Provided via DBMS
  – Data control language (DCL)
  – GRANT instruction allocates specific permissions to DBMS-managed objects
  – REVOKE takes GRANTed permissions away
• Aligned with users known to DBMS
• very restrictive <= DCL <= very general

Page 47: Audit Mechanisms

• Defined processes and procedures
• Inspections
• Independent reviews
• Logs
• Enforcement procedures and policies

Page 48: Bio-security

• Fingerprints
• Eye scans
• Photo match

Page 49: Implementation Considerations

• “Roll your own”
• Active Directory
• PGP
• VPN

Page 50: “Roll Your Own” Security

• Installation designed based on the needs of the enterprise
• Combination of techniques
• Combination of COTS and self-developed

Page 51: Elements of a Security Plan

• Security plan – strategy to protect the assets of an enterprise
• Security plan includes
  – Assets to be protected
    • Business-based
    • Technology-based
  – Processes required
  – Policies to be enforced
  – Technologies to be used
• Security plan provides guidance that helps to define the implementation
  – Not the implementation itself

Page 52: Information Security: Role of the IT Professional

• Ethical execution of duties and responsibilities
  – “Do the right thing the right way”
• Understand the enterprise and how it operates
  – Rules of the road
• Know what is important and why
  – Legal obligations
    • Sensitive
    • Classified
  – Business obligations
    • Proprietary
    • Competition sensitive