Published by Ethan Burke. Modified over 8 years ago.
1
Information Security Considerations for the Organization
Ed Green
The Pennsylvania State University, The Abington College
Room 205 Rydal
215-881-7332
exg13@psu.edu
www.personal.psu.edu/exg13
2
Data and Information
What is data?
  – The collection of facts that represent an organization or component thereof
What is information?
  – Stored facts processed and presented to allow business analysis and decision making
Why is data important?
  – Data represents the collected knowledge of the organization
What does information mean to an organization?
  – Information is used to make decisions that affect the success of an organization
Why must data be protected?
  – Data must be protected in order to preserve its quality and integrity
Why must information be protected?
  – Information must be protected to preserve the organization
  – Information must be protected to satisfy various legal requirements
3
Critical Legal Requirements
Foreign Corrupt Practices Act
Export Control Requirements
HIPAA
National Security
  – DoD
  – DoJ
  – DoS
  – DoT
  – DoHS
4
Critical Business Requirements
Business processes
Business strategies
Proprietary information
  – Trade secrets
Competitive elements
Compliance with legal requirements
Organizational ethical conduct
5
Critical Security Issues
Access control
  – Who is allowed to access the system?
  – How are individuals identified?
  – What is a particular individual allowed to do?
Information protection
  – What information is disclosed?
  – Who is allowed to see what information?
  – What release controls are required?
  – How is information preserved?
Information receipt
  – What information is received?
  – How is this information verified?
Legal obligations
  – What are the legal requirements?
  – How is compliance managed?
6
[Diagram. Labels: Integration Services; Message Queue Adapter; Message Queue; Staging; Legacy System BSD; Enterprise COTS Application BSD; Distributed Component-based BSD; Decision Support System BSD; Plant Control System; Intranet Facilities; Personal Computers; Messaging Services; Organization Directory; Security Services; System Management; Knowledge Management; Metadata Repository; Archiving Service; Enterprise Infrastructure; Portals; B2B Messaging]
7
Networking Model
[Diagram. Labels: Private Intranet; Public Internet; External Users; Internal Users; Message Queues; Web Server; Application(s); Business System Domain; Directory Services; Device Services; Message Broker Services; Organization Structure Service; Trader Services; Firewall; Employee Remote Access; Enterprise Web Server; Public Application(s); Public Web Applications; B2B Web Server(s); B2B Message Queues; Business Partners; Remote Employees; Internal Systems]
8
Internal versus External Environments
Internal
  – Information privacy
      – Employees
      – Customers
  – Access accountability
      – Audit trails and logs
  – Physical control
  – Risk avoidance philosophy
      – Keep the bad guys out
External
  – Information privacy
      – Proprietary
      – Business sensitive
      – Employees
      – Customers
  – Access accountability
      – Audit trails and logs
  – Physical management
      – Cyber vulnerability
  – Risk minimization philosophy
      – Limit the damage bad guys can do
9
Security for the Internal Environment – an Example
[Diagram. Labels: EMPLOYEE DATABASE; EMPLOYEE; MANAGER; HUMAN RESOURCES]
10
Security for the External Environment – an Example
Following the flow of a need for materials and supplies within an organization
11
Enterprise IT Framework
[Diagram. Labels: Application Integrator; User Interface; Security; Clients; Independent Applications; Software that provides “common view” capability; Authentication; Authorization; WEB Browser; Finance; Manufacturing; Sales/Marketing; Personnel; Engineering]
12
Trading Partner Challenge
[Diagram. The labels Application Integrator, User Interface and Security repeat five times.]
13
Problem Summary
Use the understanding of various AEI (Advanced Enterprise Integration) concepts to describe the occurrence details of an e-Business transaction
14
In the beginning...
[Diagram. Components: Inventory Management Process; Inventory Database; Supplier Catalog; Prepare Purchase Order; Purchase Order Message; Review Purchase Order Message; Firewall; Purchase Order DB; To Supplier]
Security Check: Authorized submitter; Authorized named personnel; Authorized supplier
Message header fields: Destination; Delivery Mode; Message ID; Timestamp; Correlation ID; Reply To; Redelivered; Type; Expiration; Priority
Annotations:
  – Recognizes EOQ/JIT level
  – Purchase Order Message sent for review/approval
  – Purchase Order reviewed, approved, and submitted to supplier
  – Header shows destination as reviewer
  – Header shows destination as supplier
15
Next,...
[Diagram. Components: From Purchaser; Firewall; Order Entry System; Purchase Order System; Fulfillment System; Manufacturing System; Inventory Database; Manufacture Database; Orders Database. Messages: Purchase Order Message; Fulfillment Message; Manufacturing Message; Order Receipt Message]
Security Check: Authorized submitter; Authorized named personnel; Authorized trading partner; Authorized recipient
Annotations:
  – If in inventory, message sent to fulfillment system
  – If not in inventory, message sent to manufacturing system
  – Manufacturing system uses data in inventory and manufacturing databases
  – If raw materials required, purchase order message is sent
  – When order has been completed, a message is sent to the fulfillment system
  – Acknowledgement message sent
  – Purchase order is admitted through firewall and passed to order entry system
16
Continuing,...
[Diagram. Components: Firewall (twice); Purchase Order Management; Purchase Order DB. Messages: Order Receipt Message; Stakeholder Status Message]
Security Check: Authorized submitter; Authorized named personnel; Authorized trading partner; Authorized recipient
Security Check: Authorized submitter; Authorized named personnel; Authorized supplier
Annotations:
  – Message is transmitted
  – Validated message sent to Purchase Order Management System
  – Messages sent to named stakeholders
17
Meanwhile,...
[Diagram. Components: Fulfillment System; Shipping System; Billing System; Inventory System; Inventory Database; Billing Database; Firewall; To Purchaser. Messages: Fulfillment Message; Billing Message; Shipping Notice Message]
Security Check: Authorized submitter; Authorized named personnel; Authorized trading partner; Authorized recipient
Annotations:
  – Fulfillment System sends messages to Shipping and Billing Systems
  – Billing System prepares and sends bill
18
And,...
[Diagram. Components: Firewall (twice); Accounts Payable; Receiving System; Electronic Payment; General Ledger DB; Purchase Order DB; From Supplier; To Supplier. Messages: Billing Message; Shipping Notice Message; Receipt Message]
Security Check (at each firewall): Authorized submitter; Authorized named personnel; Authorized supplier
Annotations:
  – Billing message is sent to Accounts Payable
  – Shipping Notice message is sent to Accounts Payable
  – Receipt message is sent to Accounts Payable
  – Electronic Payment is sent to supplier
19
Finally
[Diagram. Components: From Purchaser; Firewall; Electronic Payment; Payments; Payment Processing; General Ledger; Orders Database; Billing Database]
Security Check: Authorized submitter; Authorized named personnel; Authorized supplier
Annotation:
  – Payment is processed
20
The Modern Security Conundrum
The enterprise does not engage in any form of electronic commerce
The enterprise faithfully conforms to all legal requirements for data and information protection
The enterprise utilizes electronic mail
The enterprise engages in research that necessitates collaboration with colleagues employed by other enterprises
21
Security Mechanisms
Userid/password
Secure keys
  – Public/private encryption
VPN
E-mail
Internet/intranet
Data level
Audit mechanisms
Bio-security
22
Userid/Password
Traditional method
  – Identify oneself
  – Confirm identity
Marginally adequate in a closed environment; inadequate otherwise
  – Predictable passwords infrequently changed
  – Too numerous to mention
  – Improperly protected
Simple implementation easily “hacked”
  – Relational database table
[Diagram: table with columns Userid (Primary Key), Password, Employee_id]
23
Access Control
Who is allowed to access the system?
  – Recognized users
How are individuals identified?
  – Userid and password combination
What is a particular individual allowed to do?
  – Determined by role/responsibility set
How is access managed?
  – Risk management
  – Risk mitigation
24
Access Control - Authentication
Process of determining who is requesting access to the information technology environment
Userid/password combination
  – Unique – only one such combination exists
  – Not absolute
25
Access Control - Authentication
[Diagram: USERID/PASSWORD DIRECTORY. Labels: USERS; PASSWORD; @USERID; USER DEMOGRAPHICS; @PASSWORD; PASSWORD_DATE; USERID]
Authentication is the process of first confirming the USERID and then matching it to the PASSWORD. The PASSWORD_DATE is included to manage password change.
26
Access Control - Authentication
Identify the major strengths and weaknesses of the userid and password authentication
Strengths: 1. 2. 3. 4. 5. 6. 7. 8.
Weaknesses: 1. 2. 3. 4. 5. 6. 7. 8.
27
Access Control - Authentication
Is authentication equally critical when considering the Intranet versus considering the Internet?
It is because: 1. 2. 3. 4. 5.
It is not because: 1. 2. 3. 4. 5.
Discuss
28
Access Control - Authentication
Userid/password open to security breaching
  – Represents a significant risk
      – Must be mitigated
Mitigation options
  – Bio-techniques
      – Retina scans
      – Facial matching
      – Fingerprinting
  – Electronic techniques
      – Certification
Bio-techniques are coming but electronic techniques are now
29
Digital Certificates
Algorithmically generated
  – Usually includes userid and password
  – Other identifying information appended
Produces an electronic signature
  – Unique to individual
30
Digital Certificates
What information would you recommend to create a digital signature for intranet-based users?
What information would you recommend to create a digital signature for internet-based users?
31
Digital Certificates
Private key
  – The certificate provided by the originator of a message
Originator’s signature
  – Ensure the authenticity of the message
  – Validated using public key
Public key
  – The template used to validate the authenticity of a message’s source
32
Message Structure
Message Header
  – Includes destination
  – Identifies source
  – Identifies message (type)
Message Contents
  – Must be defined in such a way that it is understood by BOTH sender AND receiver
Message Trailer
  – Indicates end of message
33
Messaging Infrastructure – Message Format Abstraction
Message Properties: Destination; Delivery Mode; Message ID; Timestamp; Correlation ID; Reply To; Redelivered; Type; Expiration; Priority
34
Authentication with Digital Certificates
[Diagram. Message Properties: Destination; Delivery Mode; Message ID; Timestamp; Correlation ID; Reply To; Redelivered; Type; Expiration; Priority. Other labels: Private Key; userid/password]
35
Authentication with Digital Certificates
Diagram the authentication process using digital certificates
36
Access Control - Authorization
Process of constraining authenticated users to allowed applications, processes and activities
Can be
  – Identity-based
  – Role-based
37
Access Control - Authorization
[Diagram. Tables: USERS; PASSWORD; USER_PROGRAMS; PROGRAMS. Column labels: USERID; @PROGRAM_IDENTIFICATION; PROGRAM_IDENTIFICATION]
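The USERID/PASSWORD directory and the USERS / USER_PROGRAMS / PROGRAMS tables from the authentication and authorization slides, as an added example that is not part of the original presentation. It assumes an in-memory SQLite database, a salted PBKDF2 hash in place of the plain Password column the earlier slide calls easily “hacked”, and a 90-day maximum password age; the column names `salt` and `pw_hash` and the function names are hypothetical.

```python
import hashlib, hmac, os, sqlite3
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed policy; the slides give no interval

def open_directory():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (userid TEXT PRIMARY KEY, demographics TEXT);
        CREATE TABLE password (userid TEXT PRIMARY KEY REFERENCES users,
                               salt BLOB, pw_hash BLOB, password_date TEXT);
        CREATE TABLE programs (program_identification TEXT PRIMARY KEY);
        CREATE TABLE user_programs (
            userid TEXT REFERENCES users,
            program_identification TEXT REFERENCES programs,
            PRIMARY KEY (userid, program_identification));
    """)
    return db

def _hash(password, salt):
    # Salted, slow hash so a copied table does not reveal the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(db, userid, password, programs, changed):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?)", (userid, ""))
    db.execute("INSERT INTO password VALUES (?, ?, ?, ?)",
               (userid, salt, _hash(password, salt), changed.isoformat()))
    for program in programs:
        db.execute("INSERT OR IGNORE INTO programs VALUES (?)", (program,))
        db.execute("INSERT INTO user_programs VALUES (?, ?)", (userid, program))

def authenticate(db, userid, password, today):
    """Confirm the USERID, match the PASSWORD, then check PASSWORD_DATE."""
    row = db.execute("SELECT salt, pw_hash, password_date FROM password "
                     "WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        return "denied"
    salt, pw_hash, changed = row
    if not hmac.compare_digest(_hash(password, salt), pw_hash):
        return "denied"
    if today - date.fromisoformat(changed) > MAX_PASSWORD_AGE:
        return "password_expired"
    return "ok"

def authorized(db, userid, program):
    """Identity-based authorization: is this USERID linked to this program?"""
    return db.execute("SELECT 1 FROM user_programs WHERE userid = ? AND "
                      "program_identification = ?", (userid, program)).fetchone() is not None
```

An unknown userid and a wrong password return the same "denied" result, so the response does not confirm which userids exist.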
38
Validation at the Firewall
Firewall – security barrier on the information superhighway
  – Prohibit unauthorized senders from releasing information
  – Prohibit unauthorized information from being released
  – Prohibit acceptance of information from unauthorized sources
  – Prohibit acceptance of unauthorized information
39
Validation at the Firewall
Firewall can be
  – Hardware-based
  – Software-based
Firewall management is an installation responsibility
  – “Rules of the Road” for the business of managing an installation’s web accessibility
  – Setting the rules – management responsibility
      – With technical recommendations from key technical personnel
  – Enforcing the rules – web administrator’s responsibility
40
Validation at the Firewall
INCOMING MESSAGE: MESSAGE BODY plus Message Properties (Destination; Delivery Mode; Message ID; Timestamp; Correlation ID; Reply To; Redelivered; Type; Expiration; Priority)
Message header is inspected
  – Is this a legitimate message sender?
  – Is the sender recognized?
  – Is the sender authorized?
  – Can the sender’s identity be verified?
Message body is inspected
  – Is this type of data authorized?
  – Is the sender authorized to send this data?
  – Is the data valid?
Outcomes
  – Message has passed all firewall tests
  – Message has not passed all firewall tests
41
Validation at the Firewall
OUTGOING MESSAGE: MESSAGE BODY plus Message Properties (Destination; Delivery Mode; Message ID; Timestamp; Correlation ID; Reply To; Redelivered; Type; Expiration; Priority)
Message header is inspected
  – Is this a legitimate message sender?
  – Is the destination recognized?
  – Is the sender authorized?
  – Is the destination authorized?
  – Can the sender’s identity be verified?
Message body is inspected
  – Is this type of data authorized?
  – Is the sender authorized to send this data?
  – Is the data valid?
Outcomes
  – Message has not passed all firewall tests
  – Message has passed all firewall tests
42
Validation at the Firewall
Questions represent business rules
What are the business rules?
  – Enterprise-specific
  – Implementation specific
  – Set for intranet access
  – Set for internet access
Transaction – an exchange of data/information required to complete a business event
  – Multiple technical transactions
  – Multiple electronic exchanges
  – Security checks will be performed every time
Trust is verified
  – Never, ever assumed
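The incoming-message questions from the firewall slides expressed as business rules, as an added example that is not part of the original presentation. Assumptions: the Reply To property identifies the sender, an HMAC over header and body stands in for the digital-certificate signature, and the rule tables and sample message are constructed; the expiry and duplicate-ID checks go beyond the questions listed on the slides and use the Expiration and Message ID properties.

```python
import hashlib, hmac

# Constructed business rules (assumptions): per-sender key and permitted message types.
SENDERS = {
    "supplier-a": {"key": b"demo-key-a", "types": {"OrderReceipt", "Billing"}},
    "purchaser-b": {"key": b"demo-key-b", "types": {"PurchaseOrder"}},
}
AUTHORIZED_TYPES = {"PurchaseOrder", "OrderReceipt", "Billing"}
REQUIRED = ("Destination", "MessageID", "Timestamp", "ReplyTo", "Type", "Expiration")

# Constructed sample message (not from the slides).
SAMPLE_HEADER = {"Destination": "order-entry", "MessageID": "m-1001", "Timestamp": 1000,
                 "ReplyTo": "purchaser-b", "Type": "PurchaseOrder", "Expiration": 2000}
SAMPLE_BODY = "item=widget;qty=40"

def sign(key, header, body):
    # Bind the body to every header field so neither can be altered separately.
    data = "|".join(f"{k}={header[k]}" for k in sorted(header)) + "|" + body
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def inspect_inbound(header, body, signature, now, seen_ids):
    """Return (passed, reason); any failed question rejects the message."""
    missing = [f for f in REQUIRED if f not in header]
    if missing:
        return False, "header incomplete: " + ",".join(missing)
    sender = SENDERS.get(header["ReplyTo"])          # Is the sender recognized?
    if sender is None:
        return False, "sender not recognized"
    # Can the sender's identity be verified?
    if not hmac.compare_digest(sign(sender["key"], header, body), signature):
        return False, "sender identity not verified"
    if header["Expiration"] <= now:
        return False, "message expired"
    if header["MessageID"] in seen_ids:
        return False, "duplicate message id"
    if header["Type"] not in AUTHORIZED_TYPES:       # Is this type of data authorized?
        return False, "data type not authorized"
    if header["Type"] not in sender["types"]:        # Is the sender authorized to send it?
        return False, "sender not authorized for this data"
    if not body.strip():                             # Is the data valid? (minimal check)
        return False, "data not valid"
    seen_ids.add(header["MessageID"])
    return True, "passed all firewall tests"
```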
43
Validation at the Firewall
A patient at this hospital has been admitted in very serious condition. A series of tests has been performed; the data collected includes various alphanumeric measurements as well as several medical images. Diary observations (comments by the attending staff) have also been captured. The consensus is that this patient has an unusual illness that the local staff has little or no experience in treating. One of the attending staff remembers meeting a colleague at a conference who has had experience treating this illness. An electronic collaboration session is arranged.
ASSIGNMENT: Describe the firewall security that will transpire to effect this electronic consultation.
44
VPN
Virtual Private Network
  – Network within a network; allows an enterprise to turn the Internet into a private network
Tunneling: method of an IP packet within an IP packet
45
Securing Electronic Mail
Interception at the firewall – inbound
  – Known sources
  – Managed attachments
Interception at the firewall – outbound
  – Authorized senders
  – Known destinations
  – Managed attachments
Audit and inspection
46
Data Level Security
Provided via DBMS
  – Data control language (DCL)
  – GRANT instruction allocates specific permissions to DBMS-managed objects
  – REVOKE takes GRANTed permissions away
Aligned with users known to DBMS
very restrictive <= DCL <= very general
47
Audit Mechanisms
Defined processes and procedures
Inspections
Independent reviews
Logs
Enforcement procedures and policies
48
Bio-security
Fingerprints
Eye scans
Photo match
49
Implementation Considerations
“Roll your own”
Active Directory
PGP
VPN
50
“Roll Your Own” Security
Installation designed based on the needs of the enterprise
Combination of techniques
Combination of COTS and self-developed
51
Elements of a Security Plan
Security plan – strategy to protect the assets of an enterprise
Security plan includes
  – Assets to be protected
      – Business-based
      – Technology-based
  – Processes required
  – Policies to be enforced
  – Technologies to be used
Security plan provides guidance that helps to define the implementation
  – Not the implementation itself
52
Information Security Role of the IT Professional
Ethical execution of duties and responsibilities
  – “Do the right thing the right way”
Understand the enterprise and how it operates
  – Rules of the road
Know what is important and why
  – Legal obligations
      – Sensitive
      – Classified
  – Business obligations
      – Proprietary
      – Competition sensitive