ONAP Risk Assessment – Preparation Material - Overview of the Process - Terminology - Assumptions 2018-05-30.


1 ONAP Risk Assessment – Preparation Material - Overview of the Process - Terminology - Assumptions

2 Introduction
The purpose of Risk Assessment (RA): produce a prioritized list of security improvements
- Identify risks
- Rate the identified risks
- Recommend treatment for the risks with an unacceptably high level
The following slides have a brief description of:
- The RA process and terminology
- The scope of the RA workshop, planned for the F2F event in Beijing, June 2018
- The proposed assumptions for the RA WS

3 The Process of Risk Assessment
Preparation phase (these need to be clear before the WS):
- Scope (see separate slide), and ensure relevant participants
- Assumptions (see separate slide)
The core of Risk Assessment: the F2F workshop
- Risk identification is the main focus
- Think from different angles, e.g. main use cases, functionality, deployment, operations. It helps if persons with different backgrounds/roles participate in the RA.
- Make full use of the F2F aspect: creativity, brainstorming
Completion phase
- Put together the WS outcome, e.g. in the form of a mind map
- Risk rating in follow-up meetings
- Recommendations by the security sub-committee, including the risk mitigation plan for the risks with an unacceptably high level
- Proposal: TSC to sign off the RA output material and risk mitigation plan
- TBD: handling and exposure of the RA output material

4 The scope of Risk Assessment
General: security and privacy (privacy regulations) related risks
- Beijing release of the following ONAP components: VID; External API; Controllers; DCAE; SO; UI components: SDC and Use-Case UI, Portal
- The “ONAP architecture level”, e.g. data at rest, data in transit
- Container deployment of ONAP: any specifics for this case
- Send a checklist of the few most important/typical risk items to all projects, to be checked and reported back (to be checked: there was an earlier, roughly similar activity)

5 The Assumptions for Risk Assessment
Assumptions that should be agreed prior to (at the very latest at) the RA WS:
- ONAP deployment environment
  - Level of protection around ONAP: something between a “walled garden” and the Internet
  - Any assumed security mechanisms in the infra? E.g. self-encrypting storage.
- ONAP operational aspects? E.g. the assumption can be that multiple organizations (without mutual trust) are users of one ONAP deployment.
- Division between ONAP and the rest of the service provider’s OSS/BSS
  - Which functionalities shall be covered by ONAP vs. assumed to be covered outside of ONAP
  - For example: data de-identification of Personally Identifiable Information (PII) is needed when troubleshooting data originating from VNFs is sent back to VNF vendors. ONAP or ‘some other entity’ needs to perform this.

6 Concepts, Definitions
- Asset: something that has a value; can be tangible or intangible (like information)
- Attack: an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. An attack violates one or more of the following properties of an asset:
  - Confidentiality: the asset property that information is not made available or disclosed to unauthorized individuals, entities, or processes
  - Integrity: the asset property of safeguarding the accuracy and completeness of assets
  - Availability: the asset property of being accessible and usable upon demand by an authorized entity
- Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm
- Vulnerability: a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
- Impact: the business impact caused by a security incident, when the attacker exploits the vulnerability and realizes the threat
- Probability: the likelihood of the security incident occurring due to an attacker exploiting the vulnerability and realizing the threat
- Risk: an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result
- Risk assessment: systematically identify the assets and the threats to those, quantify loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (optionally) recommend how to allocate resources to countermeasures so as to minimize total exposure

7 Concepts, Definitions Impact values

8 Concepts, Definitions Probability values

9 Concepts, Definitions Risk Levels: Low (L), Medium (M), High (H), Very High (VH)

10 Identification of a Risk – A Fictitious Example
Risk identification (= main focus in the F2F WS)
- Asset: VNF O&M passwords at rest (in storage / other)
- Threat (can be several per asset): unauthorized disclosure
- Vulnerability (can be several per threat): passwords included in plain text in a log file
- Existing controls: only a specific user/group has read access to the log file
Risk rating
- Impact (business impact if the risk materializes): “major”
- Probability (of the risk ever materializing): “likely”
- → HIGH risk level (according to the table on the previous slide)
Risk mitigation plan, done e.g. for all the VERY HIGH and HIGH level risks
- In this case it could be: do not include any secrets in any log files in plain text

