Posted: 08-May-2015 | Category: Technology | Uploaded by: orlando-moreno
Orlando Moreno, PMP, VP of Operations
[email protected] 408.656.2498
Information Protection: Effectively Building a Security Architecture
Security Threats Are Growing
Security Incidents Reported to CERT, 1988–2001 (chart: number of incidents per year)
– 1988: 6 incidents (Morris Worm)
– 2001: 52,000+ incidents (Code Red, Nimda)
Computer Emergency Response Team (CERT) is a federally funded research and development center specializing in Internet security, operated by Carnegie Mellon University.
The Past Year — Shaping InfoSec
– Code Red, Nimda, Slammer
– September 11th
– WorldCom, Enron
– Legal, Regulatory
– We’re Vulnerable
– Significant Threats
– Increased Oversight
The Past Year
Lessons Learned …
– We’re vulnerable
– Security is everyone’s responsibility
– Security threats & risks are evolving
– Security is a process not a product
Where We Are Going …
– Accountability: Organizational, Vendor, Individual
– Integrated/Distributed Security: OpSys, Apps & Network
– Process Oriented: Managed with Metrics
– Standards & Regulations: Compliance
Security — Business Perspective
Diagram of the business stakeholders and pressures surrounding Information Protection: Wall Street, Business Partners, Cyber War, Competitors, Privacy, Consumers, Regulations, Insurance, Legal.
Similar & Different Perspectives
Privacy
Data Protection
Liability
Regulation
Due Diligence
Standards
Technology
Security — Technical Perspective
Diagram of the technical environment: Home Network, Applications, Desktops, DBs, Remote Offices, Business Partners, Competitor, Consumers.
– Supply Chains
– Development Chains
– Demand Chains
Business View of Security
Risks vary in potential and impact on business processes.
Diagram: “How Am I Doing?” grade scale (A, B, C, D, F) for Information Sharing and Information Security across sectors: Manufacturing, Civilian Government, Defense/Intelligence, Financial Services, Health Care, Energy, Utilities, Communications.
Process View of Security
1. People: Everyone has a role in information security.
2. Architecture: Aligns security with business, sets management expectations.
3. Awareness: For expectations to be adhered to they have to be communicated.
4. Technologies: Security is enforced through selection of products that support the architecture requirements.
Security Considerations
Authentication – Is the requester who they claim to be?
Authorization – Are they allowed to do what they are asking to do?
Audit/Accountability – How do we hold them responsible for their actions?
Confidentiality – How do we keep requests and responses secret?
Integrity – How do we know messages are not changed in transit?
Administration – How do we manage the data for all this?
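The six questions above map onto concrete controls in a request-handling path. The block below is an added example, not code from the deck or its author: a toy server that authenticates a request, checks its integrity, authorizes the action, and records an audit entry for every decision. The users, roles, policy table and shared keys are constructed sample data (an assumed stand-in for an identity store and policy store), HMAC-SHA256 over a canonical JSON body is the assumed authentication and integrity mechanism, and confidentiality is assumed to be supplied by the transport (for example TLS), so it is not implemented here.

```python
"""Added example (not from the deck): a toy request pipeline answering the
Security Considerations questions in code. Confidentiality is assumed to be
handled by the transport (e.g. TLS); the other five are shown below."""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# --- Administration: the data every other control depends on ---------------
# Constructed sample data; a real deployment reads this from an identity store
# and a policy store. USERS holds each user's shared request-signing key.
USERS: Dict[str, bytes] = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}
ROLES: Dict[str, set] = {"alice": {"admin"}, "bob": {"reader"}}
# Authorization policy: (action, resource) -> roles permitted to perform it
POLICY: Dict[Tuple[str, str], set] = {
    ("read", "ledger"): {"reader", "admin"},
    ("write", "ledger"): {"admin"},
}
AUDIT_LOG: List[dict] = []   # Audit/Accountability: append-only decision record
MAX_SKEW_SECONDS = 300       # signed requests older than this are rejected


def canonical(msg: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_request(user: str, action: str, resource: str,
                 ts: Optional[float] = None) -> dict:
    """Client side: build a request and attach an HMAC tag over its contents."""
    body = {"user": user, "action": action, "resource": resource,
            "ts": time.time() if ts is None else ts}
    tag = hmac.new(USERS[user], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def audit(user, request: dict, allowed: bool, reason: str) -> Tuple[bool, str]:
    # Audit/Accountability: record who asked for what, the decision and why,
    # for allowed and denied requests alike, so actions trace back to a requester.
    AUDIT_LOG.append({"user": user, "action": request.get("action"),
                      "resource": request.get("resource"),
                      "allowed": allowed, "reason": reason})
    return allowed, reason


def handle(request: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: authentication -> integrity -> authorization -> audit."""
    now = time.time() if now is None else now
    body = {k: v for k, v in request.items() if k != "tag"}
    user = request.get("user")

    # Authentication: is the requester who they claim to be? Only the named
    # user (and the server) hold the key that produces a valid tag.
    key = USERS.get(user)
    if key is None:
        return audit(user, request, False, "unknown user")

    # Integrity: was the message changed in transit? Recompute the HMAC over
    # the received body and compare in constant time with the attached tag.
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(request.get("tag", ""))):
        return audit(user, request, False, "bad signature")
    # A valid tag on an old request may be a replay; bound the accepted age.
    if abs(now - float(body.get("ts", 0))) > MAX_SKEW_SECONDS:
        return audit(user, request, False, "stale request")

    # Authorization: are they allowed to do what they are asking to do?
    allowed_roles = POLICY.get((body.get("action"), body.get("resource")), set())
    if not ROLES.get(user, set()) & allowed_roles:
        return audit(user, request, False, "not authorized")

    return audit(user, request, True, "ok")


if __name__ == "__main__":
    # Constructed demonstration: one allowed request, one denied, one tampered.
    print(handle(sign_request("alice", "write", "ledger")))
    print(handle(sign_request("bob", "write", "ledger")))
    tampered = sign_request("bob", "read", "ledger")
    tampered["action"] = "write"          # modified after signing
    print(handle(tampered))
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks matters: integrity is verified before the policy lookup so that an attacker cannot learn anything about the policy by sending unsigned requests, and every branch returns through `audit()` so a denied request leaves the same kind of trace as an allowed one.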
Building a Security Architecture
Diagram: WAN connections linking business units, each behind its own perimeter, together with remote/external users and sites.
Developing the Security Architecture
Security architecture requirements are derived from:
– Business Needs
– Regulations
– Legal Issues
– Business Partners
The Purpose of a Security Architecture
Understand business requirements – legal, regulatory, business partner
Discussion of where you are and where you are going – 5 year plan — what will security look like tomorrow?
Define standards and principles
– Architecture standards = regulations, international standards
– Technology standards = communication, desktop, server
– Operational standards = range of options
Establish policy – defines appropriate behavior
Provides metrics for measurement – what is to be measured and how
Gives technical instruction – topology, technical descriptions, techniques
Risk Management
Diagram: Pervasive Principles, Broad Functional Principles and Detailed Principles, alongside Regulations & Legislation, Business Risk and Business Requirements, all shaping the Security Architecture.
Where Does Security Fit?
Lifecycle phases: Requirements/Definition → Design → Develop, Test & Debug → Deploy and Maintain
Diagram contrasts the Focus of the Past with the Focus of the Future across these phases.
C&A + Continuous Assessment
System Accreditation: “A management decision . . . to authorize operation of an IT system based on the results of a certification process and other relevant considerations…” (NIST 800-37)
Security Certification: “A comprehensive analysis of the technical and non-technical aspects of an IT system in its operational environment to determine compliance to stated security requirements and controls…” (NIST 800-37)
Continuous Assessment
– Event/Incident Monitoring
– Vulnerability Management
– Configuration Management
– Risk/Threat Management
– Compliance Management
Auditing Compliance
1 — Documentation
2 — Assessment
3 — Respond to Gaps
Third-Party Validation (internal and external)
Why Security?
Risk: there is a business risk, and it is growing.
Governance: we are seeing increased pressure on boards and executive management in regards to information protection.
Architecture: defining a security architecture gives you something to manage and measure against as well as a road map to your destination.
Integration: building security in is more cost-effective than bandaging security on.
Process: security is not just a technical problem, but a people and policies problem as well.