Information Security Microsoft Legal Spotlight Presented by LawNet and Microsoft Alan Hakimi US Lead Architect for Security Microsoft Services Scott D. Gilgallon Legal Vertical Manager, San Francisco Microsoft Corporation
Information Security The defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety Note: It is imperative for organizations to document this defined set
Information Security Compliance The measurement of effectiveness of the defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety based on regulatory statutes and accepted standard practices. Safe from whom? Who and what requires safety? Which regulatory statutes apply? What are accepted standard practices? What is reasonable? How does one measure effectiveness? How do I create the defined set?
Individual control of personal data Products, online services adhere to fair information principles Protects individuals right to be left alone Resilient to attack Protects confidentiality, integrity, availability of data and systems Engineering Excellence Dependable, performs at expected levels Available when needed Open, transparent interaction with customers Address issues with products and services Help customers find appropriate solutions Microsoft Initiative
Basic Security Objectives Confidentiality. The concealment of information or information assets Integrity. Protection of the content of information and the source of data Availability. Ability to use the information asset
The Business Case Organizations are adopting a zero-tolerance policy for security breaches Organizations' reputation and fiscal health are at stake Organizations must meet the legal standard of reasonable care Organizations must protect privileged or personal information
Security Enabled Business Reduce Security Risk Assess the environment Improve isolation and resiliency Develop and implement controls Risk Level Impact to Business Probability of Attack ROI Connected Productive Increase Business Value Connect with customers Integrate with partners Empower employees
Security Risk Management Addresses the safety element of information security What is the threat to your organization? What information assets require protection in your organization? Which assets are vulnerable?
Security Risk Management Protect information assets: Confidentiality, Integrity, Availability Threat Assessment: Human, Non-Human Vulnerability Analysis: Technology, People, Process
Threat: Attackers Attackers want to disrupt the information services from running Attackers wish to view, modify, or steal data from the information service Attackers are motivated by religious beliefs, political views, ethnic backgrounds, nationality, reputation, and wealth
Threat: Other Lawyers Lawyers take legal action against individuals or organizations May be on behalf of employees, customers, or other organizations The risk stems from: Failure to protect data Illegal, irresponsible, fraudulent, ignorant or unethical behavior
Legalese and Threat Mitigation A tort is a civil wrong that violates someone's right or duty. A right is a legal claim not to have others interfere with a protected interest, including property and privacy A duty is a legal obligation not to interfere with a protected interest Negligence (negligent tort) is conduct that creates an unreasonable risk of harm, or that fails to protect against harm
Risk Management & Decision Support Unacceptable Risk / Acceptable Risk Information security defines probability: Probability of threat/exploit Business defines impact: Impact of vulnerability to business Risk management drives risk to an acceptable level
Security Solutions Scope Provides a way to group threats and controls Spans people, process, and technology Defense in depth Network Host Application Data Physical Manage risk where IT assets are similar Define roles & accountability for each environment Create processes to assess, control, and measure each environment Common security environments Unmanaged Devices Managed Clients Managed Servers
Framework for a Security-Enabled Business Security Leadership & Culture: Management commitment to proactive risk management; Security defined in terms of value to the business; Clearly defined vision, mission, and scope; Well-defined roles and accountability Risk Management & Decision Support: Consistent and repeatable process to assess and prioritize risk; Formal decision support process to identify the most effective solution based on a cost/benefit analysis Security Solutions Blueprint: View of security solutions across enterprise IT assets; Common approach and understanding of current investments and future needs; Measurement of results
Security Leadership & Culture Business drivers: Regulatory mandates, Industry standards, Customer confidence Security strategy: Proactive, Reactive Security Principles, Business Drivers, Security Strategy, Roles
Assessing Risk Security Environments: Unmanaged Devices, Managed Clients, Managed Servers Defense in Depth: Physical, Network, Host, Apps, Data Evaluate risk for each intersection Provides holistic view of information security Each intersection contains risk rating and mitigation strategy Ratings: Unacceptable, Control in Progress, Acceptable
Risk Assessment Results Security Environments: Unmanaged Devices, Managed Clients, Managed Servers Defense in Depth: Physical, Network, Host, Apps, Data Ratings: Unacceptable, Control in Progress, Acceptable
Commit to a Course of Action Evaluate available or new IT security control options Use cost/benefit analysis to identify which gaps represent the greatest relative risk Create a formal, repeatable decision support process to prioritize solutions
Measuring Results Security Environments: Unmanaged Devices, Managed Clients, Managed Servers Defense in Depth: Physical, Network, Host, Apps, Data Ratings: Unacceptable, Control in Progress, Acceptable
Taking the Next Steps Formalize your security strategy Refer to standards you've already identified and use our framework where you think it's appropriate Execute risk management process Establish IT security objectives Inventory vulnerabilities and existing security controls Assess risk Commit to a course of action Implement security controls Measure results
Risks While the potential for damage from an attacker is more evident, an attacker does not file lawsuits for: Harassment or discrimination Privacy invasion Disclosure of confidential information Copyright infringement Investment fraud That may be your or your organization's job Therefore you must also mitigate the risk of another attorney filing a lawsuit against your organization.
Security Risk Management Microsoft advocates using a risk-driven approach to help manage security risks within an organization This must involve senior management and stakeholders IT staff must have business awareness to understand where security investments can have the best ROI Security depends on balancing cost and risk through the appropriate use of technology, policy, outsourcing, and insurance.
Security Risk Management Results Helps the organization determine what reasonable mitigation strategies, called countermeasures and safeguards, can counteract threats and minimize vulnerabilities. Some risks cannot reasonably be mitigated, so contingency plans can be created for the risks the organization wishes to own. Other risks can be transferred to third parties, accepted, etc. These mitigation strategies and contingency plans address the reasonable element of information security.
Regulatory Factors Addresses the regulatory element of information security USA PATRIOT Act Department of Homeland Security (DHS) Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley (SOX) Computer Fraud and Abuse Act (CFAA) Digital Millennium Copyright Act (DMCA) Gramm-Leach-Bliley (GLB)
IT Security Solutions Building Systems with Security Assurance In order to meet the goals of information security, all IT solutions must address these five areas to meet the business objectives for security This is an attempt to address the accepted practices for information security Identity Management Access Management Secure Data Management Audit Management Resiliency and Integrity Management
Identity Management The set of tools, policies, and practices that manage digital identities Credentials, Passwords Provisioning / Deprovisioning Attribute Synchronization Coverage Areas: Directory Services, Authentication
Access Management The set of tools, policies, and practices that control access to information assets Entitlements Access Control Lists Roles, Groups Coverage Areas: Authorization
Audit Management The set of tools, policies, and practices that monitor and track access to information assets Events, Tracking, Logging, Reporting, Auditors Coverage Areas: Event Management, Event Aggregation, Event Reporting, Event Analysis - Forensics
Secure Data Management The set of tools, policies, and practices that secure data within information assets Data Storage Secured Transmission and Reception of Data across Communication Networks Coverage Areas: Cryptography, Privacy, Data Classification Schemes
Resiliency and Integrity Management The set of tools, policies, and practices that keep information assets healthy and functional Health Checking Availability Intrusion Detection Coverage Areas Malware Detection and Eradication Systems Management Operations Management
Information Security Compliance Recap Questions and Answers Safe from whom and who requires safety? Security Risk Management – Asset Identification, Threat Analysis, and Vulnerability Assessment Which regulatory statutes apply? Security Risk Management – Business Requirements for Definition of Reasonable Assurance What are standard practices? Defense in Depth for Deploying Countermeasures Use Five Security Areas for Building Secure Solutions What is reasonable? Security Risk Management – Risk Analysis How does one measure effectiveness? Security Risk Management – Risk Tracking and Reporting Use ISO 17799 and Common Criteria to measure trustworthiness effectiveness Use external audit procedures to measure effectiveness of regulatory controls as required by business How does one create the defined set? Security Risk Management – Countermeasure and Safeguard Development for Remediation Strategy Definition of Security Architecture
What does the law profession need? Confidential Communications Client – Attorney Privilege Secure Storage of Documents Legal Documents Privacy of Client Information Client Data Security Evidence of an Action Legal Binding Signatures Crime or Other Inappropriate Activity
Public Key Infrastructure Public Key Infrastructures are quickly becoming a security enabler for most organizations and eventually will be a must-have Why? Encryption Digital Signatures Multi-Factor Authentication
Mechanisms: Digital signature, Encryption, Digital Certificate Authentication (Digital Certificate): Confirmed in-house or by trusted organization Integrity (Digital signature): Guarantee information has not been tampered with Confidentiality (Encryption): Encrypted messages to ensure secure trusted transactions; must be securely stored Proof of transaction (Digital signature): Assures originator cannot disavow transaction; enables use of trusted, binding transaction receipts based on identity and/or role Business drivers: To provide authentication and trust
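The authentication, integrity and proof-of-transaction properties this slide attributes to certificates and digital signatures, worked as an added Go example that is not part of the presentation: a constructed firm root CA issues a certificate for a hypothetical attorney key, that key signs a document, and the verifier accepts only a document whose certificate chains to the trusted root and whose body matches the signature. The firm name, the attorney identifier and the document text are constructed placeholders; confidentiality (encryption) is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue creates a certificate for pub signed by issuerKey; a nil parent means a self-signed root CA.
func issue(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil {
		parent = tmpl // the root is its own issuer
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey))))
}

// Setup builds a constructed (hypothetical) firm root CA and an attorney key whose certificate chains to it.
func Setup() (root *x509.Certificate, key *ecdsa.PrivateKey, cert *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root = issue(1, "Example Firm Root CA", x509.KeyUsageCertSign, nil, &caKey.PublicKey, caKey)
	key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cert = issue(2, "attorney@example.test", x509.KeyUsageDigitalSignature, root, &key.PublicKey, caKey)
	return root, key, cert
}

// Sign hashes the document and signs the digest with the attorney's private key (the originator's act).
func Sign(body []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(body)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}
// Verify accepts only a certificate chaining to the trusted root (authentication) and a signature matching the body (integrity).
func Verify(body, sig []byte, cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(body)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A document that passes Verify is the binding receipt the slide describes: only the holder of the certified private key could have produced the signature, so the originator cannot later disavow it.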
PKI value proposition It's all about the applications PKI is... Not a solution… Not an application… Not a solution to thwart hackers… A technology useful in some applications that provide a security solution
PKI value proposition PKI applications: customer demand Encrypting File System: Protecting data on mobile stations Secure E-mail: Protecting data collaboration between partners Smartcard logon: Requiring stronger logon security SSL: Protecting web server transactions Remote Access: L2TP/IPSEC VPN solutions
PKI value proposition PKI applications Fastest emerging demand Wireless and 802.1x What is slow, but growing Digital signatures, signed transactions PKI enabled application logon Client side SSL logon to web sites Smartcards for consumers Where is the killer application?
What PKI is and isn't PKI is an enabling technology PKI is not a solution, in and of itself Some business uses for PKI Secure communications: Data needs to be safe in transit Secure data: Data needs to be safe in storage Establishing digital identity: For people, systems, processes Secure transactions: Same or better safeguards than the paper world
Recommended Reading American Bar Association Information Security committee has published PKI Assessment Guidelines (PAG) http://www.abanet.org/scitech/ec/isc/home.html
Windows Platform Security Solutions (Scenario / Risks / Solutions)
Mobile Users. Risks: Lost/Stolen Laptop; Dial-up Attacks. Solutions: Encrypted File System (EFS); IPSEC, L2TP.
E-commerce. Risks: False Identity/Impostor; Theft of data/money; Transaction modification. Solutions: Public Key Infrastructure (PKI); Integrated Certificate Authority; SSL/TLS.
Home Office. Risks: On-wire Internet Attacks; Dial-up Attacks; False Identity/Impostor. Solutions: IPSEC, L2TP; Kerberos and PKI; SSL/TLS, S/MIME.
LAN / WAN. Risks: False Identity/Impostor; Password Sharing/Guessing; Adds/Moves/Changes. Solutions: Kerberos and PKI; Smart Cards, Biometrics; Group Policy, Delegated Admin.
Applications. Risks: False Identity/Impostor; Password passing; Path of least resistance coding; Malicious Code (Trojan horse). Solutions: Kerberos, NTLMv2, Smart Cards; Impersonation, Auditing; SSPI, CryptoAPI; Code Signing and Policy.
Extranets. Risks: False Identity/Impostor; Data Theft; On-wire Internet Attacks. Solutions: Public Key Infrastructure (PKI); Integrated CA; IPSEC, L2TP, SSL/TLS, S/MIME.
Management. Risks: Too many places to secure; Unfamiliar with employee roles; Don't know who did what; Configuration and Drift. Solutions: Active Directory Integration; Delegated Administration; Auditing Improvements; Security Templates.
Microsoft Product Portfolio Identity Management Windows Server 2003 – Active Directory Windows Server 2003 – Certificate Services Windows – Active Directory Application Mode Microsoft Identity Integration Server 2003 Access Management Windows Server 2003 Windows – Authorization Manager Windows Rights Management Server Secure Data Management Windows Server 2003 – Certificate Services Internet Acceleration Server 2004 – Firewall and Proxy Services Windows – Encryption File Service Audit Management Microsoft Audit Collection System Microsoft Windows Microsoft Operations Manager Resiliency and Integrity Management Windows XP – SP2 Firewall Windows Server 2003 – Network Load balancing, Clustering Systems Management Server 2003 – Patch and Update Management Microsoft Operations Manager – Systems Health Management
Microsoft Product Portfolio Coming Attractions Active Directory Federation Services Active Protection Technology Network Access Protection
How we can help… Microsoft Services US Center of Excellence for Security Security Risk Management Engagement Security Remediation Engagement Security Architectural Engagement Security Solution Deployment Engagement Security Operations Engagement PKI Architecture and Implementation is one of our most common engagements in the security space
Questions Microsoft Services Alan Hakimi firstname.lastname@example.org Microsoft Legal Vertical Manager Scott D. Gilgallon email@example.com
Resources Microsoft Services http://www.microsoft.com/services/microsoftservices/default.mspx Microsoft Security http://www.microsoft.com/security Security Guidance Center http://www.microsoft.com/security/guidance How Microsoft IT Secures Microsoft http://www.microsoft.com/technet/itsolutions/msit E-Learning Clinics https://www.microsoftelearning.com/security Events and Webcasts http://www.microsoft.com/seminar/events/security.mspx American Bar Association – Information Security Committee http://www.abanet.org/scitech/ec/isc/home.html