Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão.

Similar presentations


Presentation on theme: "Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão."— Presentation transcript:

1 Copyright Critical Software S.A All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão

2 © Copyright Critical Software S.A All Rights Reserved. 2 Outline Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion

3 © Copyright Critical Software S.A All Rights Reserved. 3 Background Organizations are well protected to manage outside threats: firewalls, antivirus, etc. Communications services like are business applications Confidential information is more and more in digital format Competitiveness, customer pressure, privacy compliances is each time more demanding (SOX, EU DPD, Basileia II, Identity theft, etc.) Information leakage has increasing business impact

4 © Copyright Critical Software S.A All Rights Reserved. 4 Outline Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion

5 © Copyright Critical Software S.A All Rights Reserved. 5 Statistics & Lessons Learned per cent of leaks are either unintentional or accidental Gartner Report 70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise. Vista Research Leakage of confidential/proprietary information represents 52% of organizations security threats Merrill Lynch survey to North American CISOs, July 2006 loss of customer and proprietary data overtook virus attacks as the source of the greatest financial losses 2007 CSI COMPUTER CRIME AND SECURITY SURVEY

6 © Copyright Critical Software S.A All Rights Reserved. 6 Statistics & Lessons Learned Deutsche Bank Loses Hertz IPO Role Because of s Nov. 8 (Bloomberg) -- Deutsche Bank AG, Germany's largest bank, lost its spot among the underwriters of Hertz Global Holdings Inc.'s initial public offering after an employee sent unauthorized s to about 175 institutional accounts. Ubisoft "accidentally" leaks tons of assets Over two gigs worth of screenshots, videos, and concept art was apparently accidentally posted by Ubisoft on their public ftp server. Whoops.

7 © Copyright Critical Software S.A All Rights Reserved. 7 Outline Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion

8 © Copyright Critical Software S.A All Rights Reserved. 8 Threats Confidential information sent by to external addresses Failures on the identification of confidential information Mishandling of confidential information Confidential information stored in portable devices Misuse of communication and data sharing services

9 © Copyright Critical Software S.A All Rights Reserved. 9 Outline Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion

10 © Copyright Critical Software S.A All Rights Reserved. 10 The Multilevel Security Model Multilevel security Users have a security clearance Objects are assigned with security classification Users access objects based on their security clearance and the object security classification Flow of information is controlled based on the object security classification

11 © Copyright Critical Software S.A All Rights Reserved. 11 The Multilevel Security Model Information Access Control All users have a security clearance All information should have a security mark and level The security mark/level should be impossible to forge and easy to identify The access control depends on the information security mark and on users security clearance All accesses are registered for future auditing

12 © Copyright Critical Software S.A All Rights Reserved. 12 The Multilevel Security Model Information Flow control Verify the outputs produced by different sources Prevent unauthorized users to change the classification mark Identify the security mark/level, and enforce the defined policy All the data flow is logged for auditing

13 © Copyright Critical Software S.A All Rights Reserved. 13 Outline Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion

14 © Copyright Critical Software S.A All Rights Reserved. 14 CSW Multilevel Security Solution Information Security requires intervention on all elements of the infrastructure Workstations Enforce the classification (protection) of office files or messages Control what the user can do (change, print, copy-paste, …) Allow classification (protection) of any type of file Network border Control the information Flow for several communication services FTP IMS, … Corporate Servers Enforce protection policies for information stored on corporate servers Content Management Servers File Servers Collaboration Servers, …

15 © Copyright Critical Software S.A All Rights Reserved. 15 CSW Multilevel Security Solution Multilevel Management Tools Configuration Easy to use, web based tools to manage Marks / Levels Users security clearances Access and Flow Policies Auditing Consoles tailored to meet the organization requirements and compliance Data mining solutions for intelligent alarms and advanced data collection

16 © Copyright Critical Software S.A All Rights Reserved. 16 CSW Multilevel Security Solution 1 – Users A and B execute log-in in the organization domain. Authentication and the authorization is performed. Information access policy is enforced 2 – User A classifies a document or an message with a Security Mark and saves it or sends it. User B accesses the document or the message. He can access the document but doesnt have printing privilege 3 – User B uploads a document to a content manager server; document is marked with the mark defined. Information on the servers is encrypted. 4 – Border Protection Device denies the flow of marked information 5 – Configure the security policy, clearances and marks 6 – Audit for compliance

17 © Copyright Critical Software S.A All Rights Reserved. 17 CSW Multilevel Security Solution – Classification tools Seamless COTS Tools integration

18 © Copyright Critical Software S.A All Rights Reserved. 18 CSW Multilevel Security Solution – Classification tools Seamless COTS Tools integration

19 © Copyright Critical Software S.A All Rights Reserved. 19 CSW Multilevel Security Solution – Classification tools Seamless COTS Tools integration

20 © Copyright Critical Software S.A All Rights Reserved. 20 CSW Multilevel Security Solution – Administration tools Main overview and client update

21 © Copyright Critical Software S.A All Rights Reserved. 21 CSW Multilevel Security Solution – Administration tools Authorization Management (Credentials)

22 © Copyright Critical Software S.A All Rights Reserved. 22 CSW Multilevel Security Solution – Administration tools Classification Marks/Levels Management

23 © Copyright Critical Software S.A All Rights Reserved. 23 CSW Multilevel Security Solution – Administration tools Access and Flow Policies Management

24 © Copyright Critical Software S.A All Rights Reserved. 24 CSW Multilevel Security Solution – Auditing tools Auditing Tools

25 © Copyright Critical Software S.A All Rights Reserved. 25 Outline Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion

26 © Copyright Critical Software S.A All Rights Reserved. 26 Implementation Methodology 1)Perform a Risk Assessment 2)Define Security Policies and Procedures 3)Identify COTS Hardware and Software 4)Define the configuration for the System 5)Develop Integration Tools to enforce policies

27 © Copyright Critical Software S.A All Rights Reserved. 27 Outline Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion

28 © Copyright Critical Software S.A All Rights Reserved. 28 Conclusion A ready to use solution and based on well accepted COTS Smooth learning curve – well known user interfaces Compatibility with existing systems Low TCO Reduced technological risks Flexibility - Easy customization for specific client requirements

29 © Copyright Critical Software S.A All Rights Reserved. 29 Questions? Thank You


Download ppt "Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão."

Similar presentations


Ads by Google