Date posted: 14-Dec-2015
1
Information Security Considerations for the Organization
Ed Green, The Pennsylvania State University
The Abington College, Room 205 Rydal
www.personal.psu.edu/exg13
2
Data and Information
• What is data?
– The collection of facts that represent an organization or component thereof
• What is information?
– Stored facts processed and presented to allow business analysis and decision making
• Why is data important?
– Data represents the collected knowledge of the organization
• What does information mean to an organization?
– Information is used to make decisions that affect the success of an organization
• Why must data be protected?
– Data must be protected in order to preserve its quality and integrity
• Why must information be protected?
– Information must be protected to preserve the organization
– Information must be protected to satisfy various legal requirements
3
Critical Legal Requirements
• Foreign Corrupt Practices Act
• Export Control Requirements
• HIPAA
• National Security
– DoD
– DoJ
– DoS
– DoT
– DoHS
4
Critical Business Requirements
• Business processes
• Business strategies
• Proprietary information
– Trade secrets
• Competitive elements
• Compliance with legal requirements
• Organizational ethical conduct
5
Critical Security Issues
• Access control
– Who is allowed to access the system?
– How are individuals identified?
– What is a particular individual allowed to do?
• Information protection
– What information is disclosed?
– Who is allowed to see what information?
– What release controls are required?
– How is information preserved?
• Information receipt
– What information is received?
– How is this information verified?
• Legal obligations
– What are the legal requirements?
– How is compliance managed?
6
Integration Services
[Diagram: Integration Services. An Enterprise Infrastructure layer (Messaging Services, Organization Directory, Security Services, System Management, Knowledge Management, Metadata Repository, Archiving Service, Portals, B2B Messaging) is linked through message queues, adapters and a staging queue to the business system domains (BSDs): a Legacy System, an Enterprise COTS Application, a Distributed Component-based system, a Decision Support System, a Plant Control System, Intranet Facilities and Personal Computers.]
7
Networking Model
[Diagram: Networking Model. Inside the private intranet: internal users, a Business System Domain with its application(s), message queues and web server, Directory Services, Device Services, Message Broker Services, an Organization Structure Service, Trader Services and internal systems. A firewall separates the intranet from the public Internet, where an Enterprise Web Server hosts public application(s), public web applications and message queues for external users, B2B web server(s) and B2B message queues serve business partners, and employee remote access serves remote employees.]
8
Internal versus External Environments
• Internal
– Information privacy
  • Employees
  • Customers
– Access accountability
  • Audit trails and logs
– Physical control
– Risk avoidance philosophy
  • Keep the bad guys out
• External
– Information privacy
  • Proprietary
  • Business sensitive
  • Employees
  • Customers
– Access accountability
  • Audit trails and logs
– Physical management
  • Cyber vulnerability
– Risk minimization philosophy
  • Limit the damage bad guys can do
9
Security for the Internal Environment – an Example
[Diagram: an Employee Database accessed by three kinds of user: Employee, Manager and Human Resources.]
10
Security for the External Environment – an Example
• Following the flow of a need for materials and supplies within an organization
11
Enterprise IT Framework
[Diagram: Enterprise IT Framework. Clients (a web browser) reach the Application Integrator, software that provides a “common view” capability, through a user interface. A security layer handles authentication and authorization. Behind it sit the independent applications: Finance, Manufacturing, Sales/Marketing, Personnel, Engineering.]
12
Trading Partner Challenge
[Diagram: Trading Partner Challenge. Five trading partners, each with its own Application Integrator, user interface and security layer, must interoperate with one another.]
13
Problem Summary
• Use the understanding of various AEI (Advanced Enterprise Integration) Concepts to describe the occurrence details of an e-Business transaction
14
In the beginning . . .
[Diagram: the Inventory Management Process recognizes an EOQ/JIT level in the Inventory Database and prepares a Purchase Order from the Supplier Catalog. The Purchase Order Message (header shows destination as reviewer) is sent for review/approval. Once reviewed, approved and submitted to the supplier (header shows destination as supplier), it passes the Firewall Security Check (authorized submitter, authorized named personnel, authorized supplier), is recorded in the Purchase Order DB and goes to the supplier. Message header properties shown: Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority.]
15
Next, . . . From Purchaser
[Diagram: at the supplier, the Purchase Order Message from the purchaser is admitted through the firewall (Security Check: authorized submitter, authorized named personnel, authorized trading partner, authorized recipient) and passed to the Order Entry System (Orders Database). If the item is in inventory, a Fulfillment Message is sent to the Fulfillment System; if not, a Manufacturing Message is sent to the Manufacturing System, which uses data in the Inventory and Manufacturing Databases. If raw materials are required, the Purchase Order System sends a purchase order message. When the order has been completed, a message is sent to the Fulfillment System, and an Order Receipt (acknowledgement) Message is sent back.]
16
Continuing, . . .
[Diagram: the Order Receipt Message is transmitted through the supplier's firewall (Security Check: authorized submitter, authorized named personnel, authorized trading partner, authorized recipient) and through the purchaser's firewall (Security Check: authorized submitter, authorized named personnel, authorized supplier). The validated message is sent to the Purchase Order Management System (Purchase Order DB), which sends Stakeholder Status Messages to the named stakeholders.]
17
Meanwhile, . . .
[Diagram: the Fulfillment System sends Fulfillment Messages to the Shipping System, the Billing System and the Inventory System (Inventory Database). The Billing System prepares and sends a Billing Message and the Shipping System a Shipping Notice Message; both pass the firewall (Security Check: authorized submitter, authorized named personnel, authorized trading partner, authorized recipient) on the way to the purchaser. The bill is recorded in the Billing Database.]
18
And, . . .
[Diagram: at the purchaser, the Billing Message and the Shipping Notice Message from the supplier pass the firewall (Security Check: authorized submitter, authorized named personnel, authorized supplier) and are sent to Accounts Payable; the Receiving System sends a Receipt Message to Accounts Payable. Accounts Payable (General Ledger DB, Purchase Order DB) sends an Electronic Payment through the firewall to the supplier.]
19
Finally
[Diagram: the Electronic Payment from the purchaser passes the supplier's firewall (Security Check: authorized submitter, authorized named personnel, authorized supplier) and is processed by Payment Processing, which updates the General Ledger, the Orders Database and the Billing Database.]
20
The Modern Security Conundrum
• The enterprise does not engage in any form of electronic commerce
• The enterprise faithfully conforms to all legal requirements for data and information protection
• The enterprise utilizes electronic mail
• The enterprise engages in research that necessitates collaboration with colleagues employed by other enterprises
21
Security Mechanisms
• Userid/password
• Secure keys
– Public/private encryption
• VPN
• E-mail
• Internet/intranet
• Data level
• Audit mechanisms
• Bio-security
22
Userid/Password
• Traditional method
– Identify oneself
– Confirm identity
• Marginally adequate in a closed environment; inadequate otherwise
– Predictable passwords infrequently changed
– Too numerous to mention
– Improperly protected
• Simple implementation easily “hacked”
– Relational database table
  • Userid (primary key)
  • Password
  • Employee_id
  • <other descriptive data>
23
Access Control
• Who is allowed to access the system?
– Recognized users
• How are individuals identified?
– Userid and password combination
• What is a particular individual allowed to do?
– Determined by role/responsibility set
• How is access managed?
– Risk management
– Risk mitigation
24
Access Control - Authentication
• Process of determining who is requesting access to the information technology environment
• Userid/password combination
– Unique – only one such combination exists
– Not absolute
25
Access Control - Authentication
[Diagram: USERID/PASSWORD directory. A USERS table keyed by USERID holds the USER DEMOGRAPHICS; a PASSWORD table keyed by USERID and PASSWORD holds the PASSWORD_DATE.]
Authentication is the process of first confirming the USERID and then matching it to the PASSWORD. The PASSWORD_DATE is included to manage password change.
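The following is an added example, not from the deck, of the USERID/PASSWORD directory and the authentication sequence the slide describes, written in Python with the standard library. Instead of the password column of slide 22's relational table it stores a salted PBKDF2 hash, compares it in constant time, and then applies the PASSWORD_DATE. The 90-day age limit, the iteration count and the two accounts are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Constructed stand-in for the USERID/PASSWORD directory on the slide: one row per
# USERID holding a random salt, a PBKDF2 hash of the PASSWORD (never the password
# itself, which is what makes the plain "relational table" implementation easy to loot)
# and the PASSWORD_DATE used to manage password change.
PBKDF2_ITERATIONS = 200_000            # work factor; raise it in production
PASSWORD_MAX_AGE = timedelta(days=90)  # assumed change policy, not stated in the deck
DEMO_TODAY = date(2015, 12, 14)        # constructed "today" for the demo accounts


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(directory: dict, userid: str, password: str, password_date: date) -> None:
    salt = os.urandom(16)
    directory[userid] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "password_date": password_date,
    }


def authenticate(directory: dict, userid: str, password: str, today: date) -> tuple:
    """Authentication as the slide defines it: first confirm the USERID exists, then
    match it to the PASSWORD, then apply the PASSWORD_DATE change policy."""
    row = directory.get(userid)
    if row is None:
        # Same answer as a wrong password, so the response does not reveal valid userids.
        return False, "invalid credentials"
    candidate = hash_password(password, row["salt"])
    if not hmac.compare_digest(candidate, row["hash"]):   # constant-time comparison
        return False, "invalid credentials"
    if today - row["password_date"] > PASSWORD_MAX_AGE:
        return False, "password expired"
    return True, "ok"


def build_demo_directory() -> dict:
    """Two constructed accounts: one with a fresh password, one whose password is stale."""
    directory = {}
    create_user(directory, "egreen", "correct horse battery", date(2015, 11, 1))
    create_user(directory, "jsmith", "winter2014", date(2015, 6, 1))
    return directory


def stored_plaintext(directory: dict) -> bool:
    """True if any stored value is a raw password string; the hashed directory keeps none."""
    return any(isinstance(v, str) for row in directory.values() for v in row.values())


if __name__ == "__main__":
    d = build_demo_directory()
    print(authenticate(d, "egreen", "correct horse battery", DEMO_TODAY))  # (True, 'ok')
    print(authenticate(d, "egreen", "wrong", DEMO_TODAY))                  # (False, 'invalid credentials')
    print(authenticate(d, "jsmith", "winter2014", DEMO_TODAY))             # (False, 'password expired')
    print(authenticate(d, "nobody", "anything", DEMO_TODAY))               # (False, 'invalid credentials')
```

The unknown-userid and wrong-password paths return the same message on purpose: a directory that answers "no such user" separately tells a guesser which userids are worth attacking.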
26
Access Control - Authentication
• Strengths (1–8)
• Weaknesses (1–8)
Exercise: Identify the major strengths and weaknesses of the userid and password authentication.
27
Access Control - Authentication
• Is authentication equally critical when considering the Intranet versus considering the Internet?
It is because: (1–5)
It is not because: (1–5)
Discuss
28
Access Control - Authentication
• Userid/password open to security breaching
– Represents a significant risk
  • Must be mitigated
• Mitigation options
– Bio-techniques
  • Retina scans
  • Facial matching
  • Fingerprinting
– Electronic techniques
  • Certification
Bio-techniques are coming but electronic techniques are now
29
Digital Certificates
• Algorithmically generated
– Usually includes userid and password
– Other identifying information appended
• Produces an electronic signature
– Unique to individual
30
Digital Certificates
• What information would you recommend to create a digital signature for intranet-based users?
• What information would you recommend to create a digital signature for internet-based users?
31
Digital Certificates
• Private key
– The certificate provided by the originator of a message
  • Originator’s signature
– Ensures the authenticity of the message
– Validated using the public key
• Public key
– The template used to validate the authenticity of a message’s source
32
Message Structure
Message Header – includes destination; identifies source; identifies message (type)
Message Trailer – indicates end of message
Message Contents – must be defined in such a way that it is understood by BOTH sender AND receiver
33
Messaging Infrastructure – Message Format Abstraction
Destination
Delivery Mode
Message ID
Timestamp
Correlation ID
Reply To
Redelivered
Type
Expiration
Priority
Message Properties
34
Authentication with Digital Certificates
Destination
Delivery Mode
Message ID
Timestamp
Correlation ID
Reply To
Redelivered
Type
Expiration
Priority
Message Properties
[Diagram: the message properties above are combined with the Private Key and the userid/password for authentication.]
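An added example, not part of the deck, of the private-key/public-key relationship on slide 31 applied to a message carrying the header properties of slides 32 to 34. The originator signs a SHA-256 digest of the header and body with the private key; the receiver validates with the public key, and any change to the body or to the Destination header invalidates the signature. The RSA key is a fixed teaching-scale value built from two Mersenne primes, and the purchase-order header values are constructed; a real deployment uses a CA-issued certificate with randomly generated keys and a padded signature scheme such as RSA-PSS.

```python
import hashlib
import json

# Teaching-scale textbook RSA so the example runs offline with no key-generation step.
# The primes are fixed, publicly known Mersenne primes: fine for illustrating the
# private-key-signs / public-key-verifies relationship, useless for real security.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)
PUBLIC_KEY = (N, E)    # the "template" a receiver uses to validate the source
PRIVATE_KEY = (N, D)   # held only by the originator


def canonical_bytes(header: dict, body: str) -> bytes:
    """Sender and receiver must hash exactly the same bytes, so the message is
    serialised deterministically (sorted keys, no whitespace) before digesting."""
    return json.dumps({"header": header, "body": body}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def sign(header: dict, body: str, private_key=PRIVATE_KEY) -> int:
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(canonical_bytes(header, body)).digest(), "big")
    return pow(digest, d, n)     # the originator's signature


def verify(header: dict, body: str, signature: int, public_key=PUBLIC_KEY) -> bool:
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(canonical_bytes(header, body)).digest(), "big")
    return pow(signature, e, n) == digest   # digest < n, so equality means an exact match


def build_purchase_order() -> tuple:
    """A constructed purchase-order message using the deck's header properties."""
    header = {
        "Destination": "supplier.order-entry",
        "Delivery Mode": "persistent",
        "Message ID": "PO-2015-000123",          # constructed value
        "Timestamp": "2015-12-14T09:30:00Z",
        "Correlation ID": "REQ-7781",            # constructed value
        "Reply To": "purchaser.po-management",
        "Redelivered": False,
        "Type": "PurchaseOrder",
        "Expiration": "2015-12-21T09:30:00Z",
        "Priority": 4,
    }
    body = "part=AX-200;quantity=50;unit_price=12.40"
    return header, body, sign(header, body)


def check_tampering() -> tuple:
    """Returns (valid as sent, valid after the body is edited, valid after rerouting)."""
    header, body, signature = build_purchase_order()
    as_sent = verify(header, body, signature)
    edited_body = body.replace("quantity=50", "quantity=500")
    rerouted = dict(header, Destination="some-other-destination")
    return as_sent, verify(header, edited_body, signature), verify(rerouted, body, signature)


if __name__ == "__main__":
    print(check_tampering())   # (True, False, False)
```

Because the header is inside the signed bytes, the firewall checks on later slides (authorized submitter, authorized supplier, authorized recipient) can rely on the Destination and source fields not having been altered in transit.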
35
Authentication with Digital Certificates
Diagram the authentication process using digital certificates
36
Access Control - Authorization
• Process of constraining authenticated users to allowed applications, processes and activities
• Can be
– Identity-based
– Role-based
37
Access Control - Authorization
[Diagram: a USERS table (USERID key, PASSWORD), a PROGRAMS table (PROGRAM_IDENTIFICATION key) and a USER_PROGRAMS table (USERID, PROGRAM_IDENTIFICATION) that links each user to the programs the user may run.]
38
Validation at the Firewall
• Firewall – security barrier on the information superhighway
– Prohibit unauthorized senders from releasing information
– Prohibit unauthorized information from being released
– Prohibit acceptance of information from unauthorized sources
– Prohibit acceptance of unauthorized information
39
Validation at the Firewall
• Firewall can be
– Hardware-based
– Software-based
• Firewall management is an installation responsibility
– “Rules of the Road” for the business of managing an installation’s web accessibility
– Setting the rules – management responsibility
  • With technical recommendations from key technical personnel
– Enforcing the rules – web administrator’s responsibility
40
Validation at the Firewall – INCOMING MESSAGE
[Diagram: an incoming message with its message properties (Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority) and its message body.]
Message header is inspected
- Is this a legitimate message sender?
- Is the sender recognized?
- Is the sender authorized?
- Can the sender’s identity be verified?
Message body is inspected
- Is this type of data authorized?
- Is the sender authorized to send this data?
- Is the data valid?
Outcome: the message has passed all firewall tests, or the message has not passed all firewall tests
41
Validation at the Firewall – OUTGOING MESSAGE
[Diagram: an outgoing message with its message properties (Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority) and its message body.]
Message header is inspected
- Is this a legitimate message sender?
- Is the destination recognized?
- Is the sender authorized?
- Is the destination authorized?
- Can the sender’s identity be verified?
Message body is inspected
- Is this type of data authorized?
- Is the sender authorized to send this data?
- Is the data valid?
Outcome: the message has passed all firewall tests, or the message has not passed all firewall tests
42
Validation at the Firewall
• Questions represent business rules
• What are the business rules?
– Enterprise-specific
– Implementation-specific
– Set for intranet access
– Set for internet access
• Transaction – an exchange of data/information required to complete a business event
– Multiple technical transactions
– Multiple electronic exchanges
– Security checks will be performed every time
• Trust is verified
– Never, ever assumed
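An added Python example, not from the deck, that turns the header and body questions of the incoming and outgoing inspections into code and logs every decision, so that trust is verified on each exchange rather than assumed. The principal directory, credentials, authorized senders and destinations, message types and sample messages are all constructed for the example; the credential comparison stands in for whatever identity verification the installation uses, such as a certificate signature check.

```python
import hmac

# Constructed "rules of the road" for one installation (the purchaser's firewall).
# In practice management sets these tables with technical input; the firewall enforces them.
RECOGNIZED = {   # principals the installation knows, with the credential each must present
    "po-system@purchaser.example": "cred-purchaser-17",
    "reviewer@purchaser.example": "cred-reviewer-03",
    "order-entry@supplier.example": "cred-supplier-42",
}
AUTHORIZED_SENDERS = {
    "incoming": {"order-entry@supplier.example"},
    "outgoing": {"po-system@purchaser.example", "reviewer@purchaser.example"},
}
AUTHORIZED_DESTINATIONS = {"order-entry@supplier.example"}
AUTHORIZED_TYPES = {   # which senders may send which type of data
    "PurchaseOrder": {"po-system@purchaser.example"},
    "OrderReceipt": {"order-entry@supplier.example"},
    "BillingMessage": {"order-entry@supplier.example"},
}
BODY_VALIDATORS = {    # "is the data valid?" per message type
    "PurchaseOrder": lambda body: isinstance(body.get("part"), str) and body.get("quantity", 0) > 0,
    "OrderReceipt": lambda body: isinstance(body.get("purchase_order_id"), str),
    "BillingMessage": lambda body: body.get("amount", 0) > 0,
}


def inspect(message: dict, direction: str, audit: list) -> tuple:
    """Apply the slide's questions to one message; returns (passed, reasons)."""
    failures = []
    src, dst, mtype = message["Source"], message["Destination"], message["Type"]

    # Message header is inspected
    expected = RECOGNIZED.get(src)
    if expected is None:
        failures.append("sender not recognized")
    elif not hmac.compare_digest(expected, message.get("Credential", "")):
        failures.append("sender identity not verified")
    if src not in AUTHORIZED_SENDERS[direction]:
        failures.append("sender not authorized")
    if direction == "outgoing":
        if dst not in RECOGNIZED:
            failures.append("destination not recognized")
        if dst not in AUTHORIZED_DESTINATIONS:
            failures.append("destination not authorized")

    # Message body is inspected
    if mtype not in AUTHORIZED_TYPES:
        failures.append("data type not authorized")
    else:
        if src not in AUTHORIZED_TYPES[mtype]:
            failures.append("sender not authorized for this data type")
        if not BODY_VALIDATORS[mtype](message["Body"]):
            failures.append("data not valid")

    passed = not failures
    # Every exchange is checked and logged, pass or fail: the audit trail is the accountability.
    audit.append({"message_id": message["Message ID"], "direction": direction, "source": src,
                  "destination": dst, "passed": passed, "reasons": list(failures)})
    return passed, failures


def sample_messages() -> dict:
    """Constructed messages seen by the purchaser's firewall."""
    good_po = {"Message ID": "PO-2015-000123", "Source": "po-system@purchaser.example",
               "Credential": "cred-purchaser-17", "Destination": "order-entry@supplier.example",
               "Type": "PurchaseOrder", "Body": {"part": "AX-200", "quantity": 50}}
    good_receipt = {"Message ID": "RCPT-5501", "Source": "order-entry@supplier.example",
                    "Credential": "cred-supplier-42", "Destination": "po-management@purchaser.example",
                    "Type": "OrderReceipt", "Body": {"purchase_order_id": "PO-2015-000123"}}
    return {
        "good_po": good_po,
        "good_receipt": good_receipt,
        "forged_receipt": dict(good_receipt, **{"Message ID": "RCPT-5502", "Credential": "guess"}),
        "stranger": {"Message ID": "X-1", "Source": "someone@elsewhere.example", "Credential": "",
                     "Destination": "po-management@purchaser.example", "Type": "OrderReceipt",
                     "Body": {"purchase_order_id": "PO-1"}},
        "bad_po": dict(good_po, **{"Message ID": "PO-2015-000124",
                                   "Body": {"part": "AX-200", "quantity": -5}}),
    }


def run_checks() -> tuple:
    msgs, audit = sample_messages(), []
    results = {
        "good_po": inspect(msgs["good_po"], "outgoing", audit),
        "good_receipt": inspect(msgs["good_receipt"], "incoming", audit),
        "forged_receipt": inspect(msgs["forged_receipt"], "incoming", audit),
        "stranger": inspect(msgs["stranger"], "incoming", audit),
        "bad_po": inspect(msgs["bad_po"], "outgoing", audit),
    }
    return results, audit
```

Note that a message fails as soon as any one question is answered no, and the reasons are collected rather than returned to the sender: the audit record is for the installation's reviewers, not for the party whose message was refused.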
43
Validation at the Firewall
A patient at this hospital has been admitted in very serious condition. A series of tests has been performed; the data collected includes various alphanumeric measurements as well as several medical images. Diary observations (comments) by the attending staff have also been captured. The consensus is that this patient has an unusual illness that the local staff has little or no experience in treating. One of the attending staff remembers meeting a colleague at a conference who has had experience treating this illness. An electronic collaboration session is arranged.
ASSIGNMENT: Describe the firewall security that will transpire to effect this electronic consultation.
44
VPN
• Virtual Private Network
– Network within a network: allows an enterprise to turn the Internet into a private network
• Tunneling – an IP packet is carried within another IP packet
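An added Python example, not from the deck, of the tunneling idea: a packet addressed between two private 10.x.x.x hosts becomes the payload of an outer packet addressed between two public tunnel endpoints (IP-in-IP, IP protocol number 4), and the far end checks the outer header before releasing the inner packet onto the private network. Addresses are taken from documentation ranges and the payload is constructed. Plain IP-in-IP gives no confidentiality or integrity; a VPN adds encryption and authentication to the tunnel (IPsec ESP, for instance), which this example omits.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17
IPV4_HEADER = "!BBHHHBBH4s4s"   # 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and verify one header; raises ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _chk, src, dst = struct.unpack(
        IPV4_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet) or total_len < ihl:
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:     # a correct header sums to zero
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner IP packet becomes the payload of an outer IP packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes, expected_tunnel_src: str) -> dict:
    """Tunnel exit: check the outer header, then hand the inner packet to the private network."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if outer["src"] != expected_tunnel_src:
        raise ValueError("outer packet did not come from the expected tunnel endpoint")
    return parse_ipv4(outer["payload"])


def demo_tunnel() -> tuple:
    """Constructed traffic: a private 10.x packet carried between public endpoints
    (documentation addresses) and recovered at the far end."""
    inner = build_ipv4("10.1.0.5", "10.2.0.7", IPPROTO_UDP, b"constructed application payload")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    recovered = decapsulate(outer, "198.51.100.1")
    return parse_ipv4(outer), recovered


if __name__ == "__main__":
    outer_view, inner_view = demo_tunnel()
    print(outer_view["src"], "->", outer_view["dst"], "proto", outer_view["proto"])
    print(inner_view["src"], "->", inner_view["dst"], "proto", inner_view["proto"])
```

The point of the outer-source check in decapsulate is that the public Internet in the middle sees only the tunnel endpoints; the private addresses inside are never routed there, and a packet that arrives from anyone other than the expected endpoint is dropped before its inner addresses are trusted.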
45
Securing Electronic Mail
• Interception at the firewall – inbound
– Known sources
– Managed attachments
• Interception at the firewall – outbound
– Authorized senders
– Known destinations
– Managed attachments
• Audit and inspection
46
Data Level Security
• Provided via DBMS
– Data control language (DCL)
– GRANT instruction allocates specific permissions to DBMS-managed objects
– REVOKE takes GRANTed permissions away
• Aligned with users known to DBMS
• very restrictive <= DCL <= very general
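An added example, not from the deck, covering the identity-based and role-based authorization of slides 36 and 37 (the USERS, PROGRAMS and USER_PROGRAMS tables) together with the DCL GRANT/REVOKE of this slide, in Python. Everything is default-deny: an authenticated user may run a program only through a USER_PROGRAMS row or a role, and holds a privilege on a DBMS object only through an explicit GRANT to the user or to one of the user's roles. The users, programs, roles, objects and privileges are constructed.

```python
class AccessControl:
    """Constructed in-memory stand-in for the slide's tables plus a role layer and
    DBMS-style GRANT/REVOKE. Nothing is allowed unless a row says so."""

    def __init__(self):
        self.users = set()           # USERS: authenticated principals
        self.programs = set()        # PROGRAMS: applications, processes and activities
        self.user_programs = set()   # USER_PROGRAMS rows (USERID, PROGRAM_IDENTIFICATION)
        self.user_roles = {}         # USERID -> set of roles
        self.role_programs = {}      # role -> set of programs (role-based authorization)
        self.privileges = {}         # (grantee, object) -> set of privileges (DCL)

    def add_user(self, userid: str, *roles: str) -> None:
        self.users.add(userid)
        self.user_roles[userid] = set(roles)

    def add_program(self, program: str) -> None:
        self.programs.add(program)

    def allow_program(self, userid: str, program: str) -> None:
        """Identity-based: one USER_PROGRAMS row for one user."""
        if userid not in self.users or program not in self.programs:
            raise KeyError("unknown user or program")
        self.user_programs.add((userid, program))

    def allow_role_program(self, role: str, program: str) -> None:
        """Role-based: every holder of the role may run the program."""
        if program not in self.programs:
            raise KeyError("unknown program")
        self.role_programs.setdefault(role, set()).add(program)

    def grant(self, privilege: str, obj: str, grantee: str) -> None:
        """GRANT <privilege> ON <obj> TO <user or role>."""
        self.privileges.setdefault((grantee, obj), set()).add(privilege)

    def revoke(self, privilege: str, obj: str, grantee: str) -> None:
        """REVOKE <privilege> ON <obj> FROM <user or role>."""
        self.privileges.get((grantee, obj), set()).discard(privilege)

    def may_run(self, userid: str, program: str) -> bool:
        if userid not in self.users or program not in self.programs:
            return False
        if (userid, program) in self.user_programs:
            return True
        return any(program in self.role_programs.get(role, set())
                   for role in self.user_roles.get(userid, ()))

    def has_privilege(self, userid: str, privilege: str, obj: str) -> bool:
        if userid not in self.users:
            return False
        grantees = {userid, *self.user_roles.get(userid, ())}
        return any(privilege in self.privileges.get((g, obj), set()) for g in grantees)


def build_demo() -> AccessControl:
    """Constructed setup echoing slide 9: employees, a manager and HR around an employee table."""
    ac = AccessControl()
    for program in ("TIMECARD", "PAYROLL"):
        ac.add_program(program)
    ac.add_user("jsmith", "employee")
    ac.add_user("egreen", "manager")
    ac.add_user("hradmin", "hr")
    ac.allow_role_program("employee", "TIMECARD")
    ac.allow_role_program("manager", "TIMECARD")
    ac.allow_program("hradmin", "PAYROLL")          # identity-based exception for one account
    ac.grant("SELECT", "EMPLOYEE_TABLE", "manager")   # restrictive end of the DCL range
    ac.grant("SELECT", "EMPLOYEE_TABLE", "hr")
    ac.grant("UPDATE", "EMPLOYEE_TABLE", "hr")
    return ac
```

Granting to roles rather than to individual userids keeps the privilege table small and makes REVOKE effective for every holder of the role at once; the single identity-based row shows the exception case the USER_PROGRAMS table exists for.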
47
Audit Mechanisms
• Defined processes and procedures
• Inspections
• Independent reviews
• Logs
• Enforcement procedures and policies
48
Bio-security
• Fingerprints
• Eye scans
• Photo match
49
Implementation Considerations
• “Roll your own”
• Active directory
• PGP
• VPN
50
“Roll Your Own” Security
• Installation designed based on the needs of the enterprise
• Combination of techniques
• Combination of COTS and self-developed
51
Elements of a Security Plan
• Security plan – strategy to protect the assets of an enterprise
• Security plan includes
– Assets to be protected
  • Business-based
  • Technology-based
– Processes required
– Policies to be enforced
– Technologies to be used
• Security plan provides guidance that helps to define the implementation
– Not the implementation itself
52
Information Security – Role of the IT Professional
• Ethical execution of duties and responsibilities
– “Do the right thing the right way”
• Understand the enterprise and how it operates
– Rules of the road
• Know what is important and why
– Legal obligations
  • Sensitive
  • Classified
– Business obligations
  • Proprietary
  • Competition sensitive