
Information Security Considerations for the Organization




Slide 1: Information Security Considerations for the Organization
Ed Green, The Pennsylvania State University, The Abington College
Room 205 Rydal, 215-881-7332
exg13@psu.edu, www.personal.psu.edu/exg13

Slide 2: Data and Information
What is data?
–The collection of facts that represent an organization or component thereof
What is information?
–Stored facts processed and presented to allow business analysis and decision making
Why is data important?
–Data represents the collected knowledge of the organization
What does information mean to an organization?
–Information is used to make decisions that affect the success of an organization
Why must data be protected?
–Data must be protected in order to preserve its quality and integrity
Why must information be protected?
–Information must be protected to preserve the organization
–Information must be protected to satisfy various legal requirements

Slide 3: Critical Legal Requirements
Foreign Corrupt Practices Act
Export Control Requirements
HIPAA
National Security
–DoD
–DoJ
–DoS
–DoT
–DoHS

Slide 4: Critical Business Requirements
Business processes
Business strategies
Proprietary information
–Trade secrets
Competitive elements
Compliance with legal requirements
Organizational ethical conduct

Slide 5: Critical Security Issues
Access control
–Who is allowed to access the system?
–How are individuals identified?
–What is a particular individual allowed to do?
Information protection
–What information is disclosed?
–Who is allowed to see what information?
–What release controls are required?
–How is information preserved?
Information receipt
–What information is received?
–How is this information verified?
Legal obligations
–What are the legal requirements?
–How is compliance managed?

Slide 6: Integration Services
Architecture diagram. Components shown: Message Queues with Message Queue Adapters, a Staging Message Queue, Legacy System BSD, Enterprise COTS Application BSD, Distributed Component-based BSD, Decision Support System BSD, Plant Control System, Intranet Facilities, Personal Computers, Messaging Services, Organization Directory, Security Services, System Management, Knowledge Management, Metadata Repository, Archiving Service, Enterprise Infrastructure, Portals, B2B Messaging.

Slide 7: Networking Model
Network diagram separating the Private Intranet from the Public Internet with a Firewall. Elements shown: External Users, Internal Users, Remote Employees, Business Partners, Employee Remote Access, Message Queues, Web Server Application(s), Business System Domain, Directory Services, Device Services, Message Broker Services, Organization Structure Service, Trader Services, Enterprise Web Server, Public Application(s), Public Web Applications, B2B Web Server(s), B2B Message Queues, Internal Systems.

Slide 8: Internal versus External Environments
Internal
–Information privacy: Employees, Customers
–Access accountability: Audit trails and logs
–Physical control
–Risk avoidance philosophy: Keep the bad guys out
External
–Information privacy: Proprietary, Business sensitive, Employees, Customers
–Access accountability: Audit trails and logs
–Physical management: Cyber vulnerability
–Risk minimization philosophy: Limit the damage bad guys can do

Slide 9: Security for the Internal Environment – an Example
Diagram: an EMPLOYEE DATABASE accessed by EMPLOYEE, MANAGER and HUMAN RESOURCES.

Slide 10: Security for the External Environment – an Example
Following the flow of a need for materials and supplies within an organization.

Slide 11: Enterprise IT Framework
Diagram: Clients (WEB Browser) reach Independent Applications (Finance, Manufacturing, Sales/Marketing, Personnel, Engineering) through an Application Integrator, User Interface and Security layer (Authentication, Authorization): software that provides “common view” capability.

Slide 12: Trading Partner Challenge
Diagram: five trading partners, each with its own Application Integrator, User Interface and Security layer.

Slide 13: Problem Summary
Use the understanding of various AEI (Advanced Enterprise Integration) concepts to describe the occurrence details of an e-Business transaction.

Slide 14: In the beginning...
Flow diagram: the Inventory Management Process, using the Inventory Database and the Supplier Catalog, recognizes the EOQ/JIT level and prepares a Purchase Order. The Purchase Order Message is sent for review/approval (header shows destination as reviewer). The Purchase Order is reviewed, approved, and submitted to the supplier (header shows destination as supplier), passing through the Firewall and recorded in the Purchase Order DB.
Firewall Security Check: Authorized submitter; Authorized named personnel; Authorized supplier
Message properties shown: Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority

Slide 15: Next,...
Flow diagram (supplier side): the Purchase Order Message from the Purchaser is admitted through the Firewall and passed to the Order Entry System; an Order Receipt Message (acknowledgement) is sent back. If the item is in inventory, a Fulfillment Message is sent to the Fulfillment System; if not, a Manufacturing Message is sent to the Manufacturing System, which uses data in the Inventory and Manufacturing Databases. If raw materials are required, a Purchase Order Message is sent. When the order has been completed, a message is sent to the Fulfillment System. Systems shown: Order Entry System, Purchase Order System, Fulfillment System, Manufacturing System, Inventory Database, Manufacture Database, Orders Database.
Firewall Security Check: Authorized submitter; Authorized named personnel; Authorized trading partner; Authorized recipient

Slide 16: Continuing,...
Flow diagram (purchaser side): the Order Receipt Message is transmitted through the supplier's Firewall (Security Check: Authorized submitter; Authorized named personnel; Authorized trading partner; Authorized recipient) and the purchaser's Firewall (Security Check: Authorized submitter; Authorized named personnel; Authorized supplier). The validated message is sent to the Purchase Order Management System and the Purchase Order DB, and Stakeholder Status Messages are sent to named stakeholders.

Slide 17: Meanwhile,...
Flow diagram (supplier side): the Fulfillment System sends Fulfillment Messages to the Shipping System, the Billing System and the Inventory System (Inventory Database). The Billing System prepares and sends the bill (Billing Message, Billing Database); the Shipping System sends the Shipping Notice Message. Both leave through the Firewall to the Purchaser.
Firewall Security Check: Authorized submitter; Authorized named personnel; Authorized trading partner; Authorized recipient

Slide 18: And,...
Flow diagram (purchaser side): the Billing Message and the Shipping Notice Message from the Supplier pass the Firewall and are sent to Accounts Payable; the Receiving System's Receipt Message is sent to Accounts Payable as well. Accounts Payable is shown with the Purchase Order DB and the General Ledger DB. The Electronic Payment is sent to the supplier through the Firewall.
Firewall Security Check (each firewall): Authorized submitter; Authorized named personnel; Authorized supplier

Slide 19: Finally
Flow diagram (supplier side): the Electronic Payment from the Purchaser passes the Firewall to Payment Processing, and the payment is processed (Payments, General Ledger, Orders Database, Billing Database).
Firewall Security Check: Authorized submitter; Authorized named personnel; Authorized supplier

Slide 20: The Modern Security Conundrum
The enterprise does not engage in any form of electronic commerce
The enterprise faithfully conforms to all legal requirements for data and information protection
The enterprise utilizes electronic mail
The enterprise engages in research that necessitates collaboration with colleagues employed by other enterprises

Slide 21: Security Mechanisms
Userid/password
Secure keys
–Public/private encryption
VPN
E-mail
Internet/intranet
Data level
Audit mechanisms
Bio-security

Slide 22: Userid/Password
Traditional method
–Identify oneself
–Confirm identity
Marginally adequate in a closed environment; inadequate otherwise
–Predictable passwords infrequently changed
–Too numerous to mention
–Improperly protected
Simple implementation easily “hacked”
–Relational database table with columns Userid, Password, Employee_id and a Primary Key

Slide 23: Access Control
Who is allowed to access the system?
–Recognized users
How are individuals identified?
–Userid and password combination
What is a particular individual allowed to do?
–Determined by role/responsibility set
How is access managed?
–Risk management
–Risk mitigation

Slide 24: Access Control - Authentication
Process of determining who is requesting access to the information technology environment
Userid/password combination
–Unique: only one such combination exists
–Not absolute

Slide 25: Access Control - Authentication
Diagram: a USERS table (USERID, PASSWORD, PASSWORD_DATE, USER DEMOGRAPHICS) and a USERID/PASSWORD DIRECTORY keyed by @USERID and @PASSWORD.
Authentication is the process of first confirming the USERID and then matching it to the PASSWORD. The PASSWORD_DATE is included to manage password change.
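Slides 22 and 25 describe the userid/password table and the directory lookup that first confirms the USERID and then matches the PASSWORD, with PASSWORD_DATE driving password change. The Python below is an added example, not code from the presentation: it implements that directory with the PASSWORD column holding a salted PBKDF2 hash rather than the password itself (the "improperly protected" weakness of slide 22), compares in constant time, answers unknown userids and wrong passwords identically, and enforces an assumed 90-day maximum password age from PASSWORD_DATE. The userids, passwords and dates are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy: a PASSWORD_DATE older than this forces a change
DUMMY_SALT = b"\x00" * 16               # so an unknown userid costs the same time as a known one


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class UseridPasswordDirectory:
    """The slide's USERS table (USERID, PASSWORD, EMPLOYEE_ID, PASSWORD_DATE) with PASSWORD stored hashed."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def add_user(self, userid: str, password: str, employee_id: str, password_date: date) -> None:
        salt, digest = hash_password(password)
        self._users[userid] = {"salt": salt, "hash": digest,
                               "employee_id": employee_id, "password_date": password_date}

    def authenticate(self, userid: str, password: str, today: date) -> str:
        """Step 1: confirm the USERID. Step 2: match the PASSWORD. Step 3: apply PASSWORD_DATE policy."""
        record = self._users.get(userid)
        if record is None:
            hash_password(password, DUMMY_SALT)      # burn the same work; never reveal that the userid is unknown
            return "bad_credentials"
        _, candidate = hash_password(password, record["salt"])
        if not hmac.compare_digest(candidate, record["hash"]):
            return "bad_credentials"
        if today - record["password_date"] > MAX_PASSWORD_AGE:
            return "password_expired"
        return "ok"


def demo() -> Dict[str, str]:
    """Constructed sample directory and four login attempts; returns the outcome of each."""
    directory = UseridPasswordDirectory()
    directory.add_user("auser", "Correct-Horse-Battery", "E1001", date(2024, 1, 15))
    directory.add_user("jdoe", "winter2023", "E1002", date(2023, 9, 1))
    today = date(2024, 3, 1)
    return {
        "good": directory.authenticate("auser", "Correct-Horse-Battery", today),
        "wrong_password": directory.authenticate("auser", "guess", today),
        "unknown_user": directory.authenticate("nobody", "guess", today),
        "stale_password": directory.authenticate("jdoe", "winter2023", today),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "password_expired" outcome is the hook for the slide's password-change management: the caller sends the user to a change-password flow instead of granting a session.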

Slide 26: Access Control - Authentication
Identify the major strengths and weaknesses of the userid and password authentication.
Strengths: 1. to 8. (left blank for the exercise)
Weaknesses: 1. to 8. (left blank for the exercise)

Slide 27: Access Control - Authentication
Is authentication equally critical when considering the Intranet versus considering the Internet?
It is because: 1. to 5. (left blank for the exercise)
It is not because: 1. to 5. (left blank for the exercise)
Discuss

Slide 28: Access Control - Authentication
Userid/password is open to security breaching
–Represents a significant risk that must be mitigated
Mitigation options
–Bio-techniques: Retina scans, Facial matching, Fingerprinting
–Electronic techniques: Certification
Bio-techniques are coming but electronic techniques are now

Slide 29: Digital Certificates
Algorithmically generated
–Usually includes userid and password
–Other identifying information appended
Produces an electronic signature
–Unique to individual

Slide 30: Digital Certificates
What information would you recommend to create a digital signature for intranet-based users?
What information would you recommend to create a digital signature for internet-based users?

Slide 31: Digital Certificates
Private key
–The certificate provided by the originator of a message
Originator’s signature
–Ensures the authenticity of the message
–Validated using the public key
Public key
–The template used to validate the authenticity of a message’s source

Slide 32: Message Structure
Message Header
–Includes destination
–Identifies source
–Identifies message (type)
Message Trailer
–Indicates end of message
Message Contents
–Must be defined in such a way that it is understood by BOTH sender AND receiver

Slide 33: Messaging Infrastructure – Message Format Abstraction
Message Properties: Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority

Slide 34: Authentication with Digital Certificates
Diagram: the Message Properties (Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority) carried together with the Private Key and the userid/password.

Slide 35: Authentication with Digital Certificates
Diagram the authentication process using digital certificates.

Slide 36: Access Control - Authorization
Process of constraining authenticated users to allowed applications, processes and activities
Can be
–Identity-based
–Role-based

Slide 37: Access Control - Authorization
Diagram of tables: USERS (USERID, PASSWORD); USER_PROGRAMS (USERID, PROGRAM_IDENTIFICATION), keyed by @USERID and @PROGRAM_IDENTIFICATION; PROGRAMS (PROGRAM_IDENTIFICATION).
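The USERS, USER_PROGRAMS and PROGRAMS tables on this slide are the identity-based form of authorization from slide 36; the role-based form is not drawn. The SQLite-backed Python below is an added example, not the presentation's code, that builds both: USER_PROGRAMS for identity-based grants and, going beyond the slide, ROLES, USER_ROLES and ROLE_PROGRAMS for role-based grants, with one default-deny query answering "may this USERID run this PROGRAM_IDENTIFICATION?". Table contents are constructed sample data, and the PASSWORD column holds a placeholder in place of a real hash.

```python
import sqlite3
from typing import List

# The slide's three tables plus three role tables (the role tables are an addition, not on the slide).
SCHEMA = """
CREATE TABLE USERS (USERID TEXT PRIMARY KEY, PASSWORD TEXT NOT NULL);
CREATE TABLE PROGRAMS (PROGRAM_IDENTIFICATION TEXT PRIMARY KEY, DESCRIPTION TEXT);
-- identity-based: one row per (user, program) grant
CREATE TABLE USER_PROGRAMS (
    USERID TEXT NOT NULL REFERENCES USERS(USERID),
    PROGRAM_IDENTIFICATION TEXT NOT NULL REFERENCES PROGRAMS(PROGRAM_IDENTIFICATION),
    PRIMARY KEY (USERID, PROGRAM_IDENTIFICATION));
-- role-based: users hold roles, roles hold programs
CREATE TABLE ROLES (ROLE_ID TEXT PRIMARY KEY);
CREATE TABLE USER_ROLES (
    USERID TEXT NOT NULL REFERENCES USERS(USERID),
    ROLE_ID TEXT NOT NULL REFERENCES ROLES(ROLE_ID),
    PRIMARY KEY (USERID, ROLE_ID));
CREATE TABLE ROLE_PROGRAMS (
    ROLE_ID TEXT NOT NULL REFERENCES ROLES(ROLE_ID),
    PROGRAM_IDENTIFICATION TEXT NOT NULL REFERENCES PROGRAMS(PROGRAM_IDENTIFICATION),
    PRIMARY KEY (ROLE_ID, PROGRAM_IDENTIFICATION));
"""

# Either a direct grant or a grant through one of the user's roles; UNION removes duplicates.
AUTHZ_QUERY = """
SELECT 1 FROM USER_PROGRAMS WHERE USERID = ? AND PROGRAM_IDENTIFICATION = ?
UNION
SELECT 1 FROM USER_ROLES ur JOIN ROLE_PROGRAMS rp ON rp.ROLE_ID = ur.ROLE_ID
 WHERE ur.USERID = ? AND rp.PROGRAM_IDENTIFICATION = ?
"""

PROGRAMS_QUERY = """
SELECT PROGRAM_IDENTIFICATION FROM USER_PROGRAMS WHERE USERID = ?
UNION
SELECT rp.PROGRAM_IDENTIFICATION FROM USER_ROLES ur JOIN ROLE_PROGRAMS rp ON rp.ROLE_ID = ur.ROLE_ID
 WHERE ur.USERID = ?
"""


def open_sample_directory() -> sqlite3.Connection:
    """In-memory database loaded with constructed sample users, programs, roles and grants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # a grant may only name an existing user and program
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("alice", "<hash>"), ("bob", "<hash>"), ("carol", "<hash>")])
    conn.executemany("INSERT INTO PROGRAMS VALUES (?, ?)",
                     [("PO_ENTRY", "Prepare purchase orders"),
                      ("PO_APPROVE", "Review and approve purchase orders"),
                      ("PAYROLL", "Run payroll")])
    conn.executemany("INSERT INTO ROLES VALUES (?)", [("buyer",), ("manager",)])
    conn.executemany("INSERT INTO ROLE_PROGRAMS VALUES (?, ?)",
                     [("buyer", "PO_ENTRY"), ("manager", "PO_ENTRY"), ("manager", "PO_APPROVE")])
    conn.executemany("INSERT INTO USER_ROLES VALUES (?, ?)", [("alice", "buyer"), ("bob", "manager")])
    conn.executemany("INSERT INTO USER_PROGRAMS VALUES (?, ?)", [("carol", "PAYROLL")])  # identity-based grant
    conn.commit()
    return conn


def is_authorized(conn: sqlite3.Connection, userid: str, program_id: str) -> bool:
    """Default deny: True only when a matching grant row exists (directly or via a role)."""
    return conn.execute(AUTHZ_QUERY, (userid, program_id, userid, program_id)).fetchone() is not None


def programs_for(conn: sqlite3.Connection, userid: str) -> List[str]:
    """Every program the user may run, sorted, for an access review."""
    return sorted(row[0] for row in conn.execute(PROGRAMS_QUERY, (userid, userid)))


if __name__ == "__main__":
    db = open_sample_directory()
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, programs_for(db, user), is_authorized(db, user, "PO_APPROVE"))
```

The authorization decision is a parameterised query against grant rows, so a userid that was never entered in USERS (here "mallory") gets nothing, and revoking access is a single DELETE from USER_PROGRAMS or USER_ROLES rather than a code change.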

Slide 38: Validation at the Firewall
Firewall: security barrier on the information superhighway
–Prohibit unauthorized senders from releasing information
–Prohibit unauthorized information from being released
–Prohibit acceptance of information from unauthorized sources
–Prohibit acceptance of unauthorized information

Slide 39: Validation at the Firewall
Firewall can be
–Hardware-based
–Software-based
Firewall management is an installation responsibility
–“Rules of the Road” for the business of managing an installation’s web accessibility
–Setting the rules: management responsibility, with technical recommendations from key technical personnel
–Enforcing the rules: web administrator’s responsibility

Slide 40: Validation at the Firewall
INCOMING MESSAGE: Message Properties (Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority) and MESSAGE BODY
Message header is inspected
- Is this a legitimate message sender?
- Is the sender recognized?
- Is the sender authorized?
- Can the sender’s identity be verified?
Message body is inspected
- Is this type of data authorized?
- Is the sender authorized to send this data?
- Is the data valid?
Outcome: message has passed all firewall tests, or message has not passed all firewall tests

Slide 41: Validation at the Firewall
OUTGOING MESSAGE: Message Properties (Destination, Delivery Mode, Message ID, Timestamp, Correlation ID, Reply To, Redelivered, Type, Expiration, Priority) and MESSAGE BODY
Message header is inspected
- Is this a legitimate message sender?
- Is the destination recognized?
- Is the sender authorized?
- Is the destination authorized?
- Can the sender’s identity be verified?
Message body is inspected
- Is this type of data authorized?
- Is the sender authorized to send this data?
- Is the data valid?
Outcome: message has passed all firewall tests, or message has not passed all firewall tests

Slide 42: Validation at the Firewall
Questions represent business rules
What are the business rules?
–Enterprise-specific
–Implementation-specific
–Set for intranet access
–Set for internet access
Transaction: an exchange of data/information required to complete a business event
–Multiple technical transactions
–Multiple electronic exchanges
–Security checks will be performed every time
Trust is verified
–Never, ever assumed
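Slides 40 to 42 list the header and body questions a message gateway asks of incoming traffic and insist that trust is verified, never assumed. The Python below is an added example, not part of the presentation, that turns those questions into code over the ten message properties of slide 33: sender recognized, sender authorized for the destination, sender identity verified, expiration checked, message type authorized for the sender, and body fields valid for the type. The deck's digital certificates are not implemented here; an HMAC over the body with a per-sender shared secret stands in for the signature (an assumption, labelled in the code), and the sender, destination and schema tables are constructed sample policy rather than any real installation's rules.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Any, Dict, List

# The ten header properties from the message-format abstraction slide.
HEADER_PROPERTIES = ("Destination", "Delivery Mode", "Message ID", "Timestamp", "Correlation ID",
                     "Reply To", "Redelivered", "Type", "Expiration", "Priority")

# Constructed policy tables standing in for an installation's business rules.
KNOWN_SENDERS = {"purchasing.acme": {"order-entry", "ap.inbox"},   # sender -> destinations it may address
                 "partner.widgetco": {"order-entry"}}
SENDER_MESSAGE_TYPES = {"purchasing.acme": {"PurchaseOrder", "Receipt"},  # sender -> types it may send
                        "partner.widgetco": {"PurchaseOrder"}}
BODY_SCHEMAS = {"PurchaseOrder": {"po_number", "supplier", "lines"},     # type -> required body fields
                "Receipt": {"po_number", "received_qty"}}
# Assumption: a shared-secret MAC stands in for the deck's certificate-based signature.
SENDER_SECRETS = {"purchasing.acme": b"acme-demo-secret", "partner.widgetco": b"widgetco-demo-secret"}


@dataclass
class Message:
    sender: str
    header: Dict[str, Any]
    body: Dict[str, Any]


def sign_body(secret: bytes, body: Dict[str, Any]) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def inspect_header(msg: Message, now: int) -> List[str]:
    """Slide 40's header questions; returns the rules that failed."""
    missing = [p for p in HEADER_PROPERTIES if p not in msg.header]
    if missing:
        return ["header missing properties: " + ", ".join(missing)]
    if msg.sender not in KNOWN_SENDERS:
        return ["sender not recognized"]          # nothing further is worth checking
    failures = []
    expected = sign_body(SENDER_SECRETS[msg.sender], msg.body)
    if not hmac.compare_digest(expected, str(msg.header.get("Signature", ""))):
        failures.append("sender identity could not be verified")
    if msg.header["Destination"] not in KNOWN_SENDERS[msg.sender]:
        failures.append("sender not authorized for destination")
    if msg.header["Expiration"] is not None and msg.header["Expiration"] < now:
        failures.append("message expired")
    if msg.header["Timestamp"] > now:
        failures.append("timestamp in the future")
    return failures


def inspect_body(msg: Message) -> List[str]:
    """Slide 40's body questions: type authorized, sender allowed this type, data valid for the type."""
    mtype = msg.header["Type"]
    if mtype not in BODY_SCHEMAS:
        return [f"message type not authorized: {mtype}"]
    failures = []
    if mtype not in SENDER_MESSAGE_TYPES.get(msg.sender, set()):
        failures.append("sender not authorized to send this type")
    missing = BODY_SCHEMAS[mtype] - set(msg.body)
    if missing:
        failures.append("body missing fields: " + ", ".join(sorted(missing)))
    return failures


def validate(msg: Message, now: int) -> List[str]:
    """Empty list means the message passed all firewall tests; otherwise the failed rules."""
    failures = inspect_header(msg, now)
    if not failures:                         # the body is inspected only once the header has passed
        failures = inspect_body(msg)
    return failures


def make_message(sender: str, dest: str, mtype: str, body: Dict[str, Any], now: int, secret: bytes) -> Message:
    header = {"Destination": dest, "Delivery Mode": "persistent", "Message ID": f"{sender}-{now}",
              "Timestamp": now, "Correlation ID": None, "Reply To": sender, "Redelivered": False,
              "Type": mtype, "Expiration": now + 300, "Priority": 4, "Signature": sign_body(secret, body)}
    return Message(sender, header, body)


def demo() -> Dict[str, List[str]]:
    """Five constructed messages: one clean, four each breaking a different rule."""
    now = 1_700_000_000
    po = {"po_number": "PO-1001", "supplier": "widgetco", "lines": [{"sku": "W-7", "qty": 12}]}
    receipt = {"po_number": "PO-1001", "received_qty": 12}
    good = make_message("purchasing.acme", "order-entry", "PurchaseOrder", po, now, SENDER_SECRETS["purchasing.acme"])
    unknown = make_message("unknown.sender", "order-entry", "PurchaseOrder", po, now, b"whatever")
    wrong_type = make_message("partner.widgetco", "order-entry", "Receipt", receipt, now, SENDER_SECRETS["partner.widgetco"])
    expired = make_message("purchasing.acme", "ap.inbox", "Receipt", receipt, now, SENDER_SECRETS["purchasing.acme"])
    expired.header["Expiration"] = now - 1
    tampered = make_message("purchasing.acme", "order-entry", "PurchaseOrder", dict(po), now, SENDER_SECRETS["purchasing.acme"])
    tampered.body["lines"] = [{"sku": "W-7", "qty": 1200}]   # altered after signing
    return {"good": validate(good, now), "unknown": validate(unknown, now), "wrong_type": validate(wrong_type, now),
            "expired": validate(expired, now), "tampered": validate(tampered, now)}


if __name__ == "__main__":
    for name, failures in demo().items():
        print(name, "passed" if not failures else failures)
```

Each failure string is the business rule that was broken, which is what a gateway should log: the audit trail of slide 8 needs the reason a message was refused, not just that it was. The same function serves the outgoing direction of slide 41 by swapping in a table of recognized and authorized destinations.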

Slide 43: Validation at the Firewall
A patient at this hospital has been admitted in very serious condition. A series of tests has been performed; the data collected includes various alphanumeric measurements as well as several medical images. Diary observations (comments by the attending staff) have also been captured. The consensus is that this patient has an unusual illness that the local staff has little or no experience in treating. One of the attending staff remembers meeting a colleague at a conference who has had experience treating this illness. An electronic collaboration session is arranged.
ASSIGNMENT: Describe the firewall security that will transpire to effect this electronic consultation.

Slide 44: VPN
Virtual Private Network
–Network within a network: allows an enterprise to turn the Internet into a private network
Tunneling: method of carrying an IP packet within an IP packet
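The slide defines tunneling as an IP packet within an IP packet. The Python below is an added example, not from the presentation, that builds an IPv4 header, wraps an inner packet inside an outer one using protocol number 4 (IP-in-IP, RFC 2003), and unwraps it at the far end while checking the outer header checksum, the protocol number and that the outer source is the expected tunnel peer. The addresses are constructed values from the private and documentation ranges.

```python
import ipaddress
import struct
from typing import Dict

IPPROTO_IPIP = 4          # IANA protocol number for IP-in-IP encapsulation (RFC 2003)
IPV4_HEADER_LEN = 20      # header without options
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words; yields 0 when a stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal IPv4 packet: version 4, IHL 5, no fragmentation, checksum filled in."""
    total_len = IPV4_HEADER_LEN + len(payload)
    header = struct.pack(IPV4_FMT, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> Dict:
    """Validate the fixed header and return its fields plus the payload it frames."""
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_FMT, packet[:IPV4_HEADER_LEN])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IPV4_HEADER_LEN or ihl > len(packet):
        raise ValueError("bad header length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner IP packet becomes the payload of an outer IP packet."""
    parse_ipv4(inner_packet)       # refuse to tunnel anything that is not a valid IPv4 packet
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(packet: bytes, expected_peer: str) -> Dict:
    """Tunnel exit: verify the outer header, then hand back the parsed inner packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    if outer["src"] != expected_peer:
        raise ValueError("outer source %s is not the expected tunnel peer" % outer["src"])
    return parse_ipv4(outer["payload"])


if __name__ == "__main__":
    # Constructed sample: a private-address packet carried between two public tunnel endpoints.
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello")
    tunneled = encapsulate(inner, "203.0.113.1", "198.51.100.7")
    print(len(tunneled), decapsulate(tunneled, "203.0.113.1"))
```

Plain IP-in-IP gives the "network within a network" but no confidentiality or integrity: anyone on the path can read or rewrite the inner packet. A VPN adds encryption and authentication of the tunneled packet (IPsec ESP is one such protocol), which is what lets an enterprise treat the Internet as private.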

Slide 45: Securing Electronic Mail
Interception at the firewall – inbound
–Known sources
–Managed attachments
Interception at the firewall – outbound
–Authorized senders
–Known destinations
–Managed attachments
Audit and inspection

Slide 46: Data Level Security
Provided via DBMS
–Data control language (DCL)
–GRANT instruction allocates specific permissions to DBMS-managed objects
–REVOKE takes GRANTed permissions away
Aligned with users known to DBMS
Spectrum: very restrictive <= DCL <= very general

Slide 47: Audit Mechanisms
Defined processes and procedures
Inspections
Independent reviews
Logs
Enforcement procedures and policies

Slide 48: Bio-security
Fingerprints
Eye scans
Photo match

Slide 49: Implementation Considerations
“Roll your own”
Active Directory
PGP
VPN

Slide 50: “Roll Your Own” Security
Installation designed based on the needs of the enterprise
Combination of techniques
Combination of COTS and self-developed

Slide 51: Elements of a Security Plan
Security plan: strategy to protect the assets of an enterprise
Security plan includes
–Assets to be protected: Business-based, Technology-based
–Processes required
–Policies to be enforced
–Technologies to be used
Security plan provides guidance that helps to define the implementation
–Not the implementation itself

Slide 52: Information Security Role of the IT Professional
Ethical execution of duties and responsibilities
–“Do the right thing the right way”
Understand the enterprise and how it operates
–Rules of the road
Know what is important and why
–Legal obligations: Sensitive, Classified
–Business obligations: Proprietary, Competition sensitive

