Security, Identity Management, Network Security - You will find all the exciting topics on Information Security - End to End
Saturday, October 28, 2006
"Network is computer" - Sun Microsystems' network vision is more than a reality. With the use of networks for sharing information come additional risks that contribute to network security concerns.
1) Distributed File Storing - Concerns
File servers can control users' access to various parts of the file system. This is usually done by allowing a user to attach a certain file system (or directory) to the user's workstation, to be used as a local disk. This presents two potential problems. First, the server may only provide access protection at the directory level, so that a user granted access to a directory has access to all files contained in that directory. To minimize risk in this situation, proper structuring and management of the network file system is important. The second problem is caused by inadequate protection mechanisms on the local workstation. For example, a personal computer (PC) may provide minimal or no protection of the information stored on it. A user who copies a file from the server to the local drive on the PC loses the protection the file had when it was stored on the server. For some types of information, this may be acceptable. However, other types of information may require more stringent protection. This requirement focuses on the need for controls in the PC environment.
2) Remote Computing - Concerns
Remote computing must be controlled so that only authorized users may access remote components and remote applications. Servers must be able to authenticate remote users who request services or applications. These requests may also call for the local and remote servers to authenticate to each other. The inability to authenticate can lead to unauthorized users being granted access to remote servers and applications. There must be some level of assurance regarding the integrity of applications utilized by many users over a network.
3) Topologies and Protocols - Concerns
The topologies and protocols used today demand that messages be made available to many nodes on the way to the desired destination. This is much cheaper and easier to maintain than providing a direct physical path from every machine to every other machine. (In large networks, direct paths are not feasible.) The threats inherent in this include both active and passive wiretapping. Passive wiretapping includes not only information release but also traffic analysis (using addresses, other header data, message length and message frequency). Active wiretapping includes message stream modifications (including modification, delay, duplication, deletion or counterfeiting).
4) Messaging Services - Concerns
Messaging services add risk to information that is stored on a server or in transit. Inadequately protected email can easily be captured and perhaps altered and retransmitted, affecting both the confidentiality and the integrity of the message.
5) Other Network Security Concerns
Other network security problems include:
· Inadequate network management and security policies
· Lack of training for proper network usage and security
· Inadequate protection mechanisms in the workstation environment
· Inadequate protection during transmission.
A weak security policy also contributes to the risk associated with a network. A formal security policy governing the use of networks should be in place to demonstrate management's position on the importance of protecting valued assets. A security policy is a concise statement of top management's position on information values, protection responsibilities and organizational commitment (Security strategy and implementation are discussed later). A strong network security policy should be in place to provide direction and support from the highest levels of management. The policy should identify the role that each employee has in assuring that the network and the information it carries are adequately protected.
The network security policy should stress the importance of, and provide support for, network management. Network management should be given the necessary funding, time and resources. Poor network management may result in security lapses. The resulting problems could include security settings becoming too lax, security procedures not being performed correctly, or even the necessary security mechanisms not being implemented.
The use of PCs in the network environment can also contribute to the risk to the network. In general, PCs have a relative lack of controls for authenticating users, controlling access to files, auditing, etc. In most cases, the protection applied to information that is stored and processed on a server does not follow the information when it is sent to a local PC.
Lack of user awareness regarding the security of the network can also add risk. Users who are not familiar with the security mechanisms, procedures etc. may use them improperly and perhaps less securely. Responsibilities for implementing security mechanisms and procedures and following the policies regarding the use of the PC in a network environment, usually fall on the user of the PC. Users must be given the proper guidance and training necessary to maintain an acceptable level of protection in the network environment.
Section 404 SOX Compliance
A complete federated identity access management and collaboration platform to comply with Sarbanes-Oxley.
Business problem
The Sarbanes-Oxley Act (SOX) was passed to reform the accounting practices, financial disclosures and corporate governance of public companies.
Section 404 of SOX requires management to perform an annual assessment of internal controls over financial disclosures and to obtain attestation from external auditors.
Compliance requires major changes in corporate governance, accounting, auditing and financial reporting practices. It requires companies to strengthen and document their internal controls and corporate IT systems to support the affected business processes. It requires adherence to structured, documented identity access management security practices that protect information.
Compliance creates new demands on IT. Systems once thought to be secure and capable of maintaining user confidentiality must be readdressed. Unauthorized access to systems and the data they contain may unwittingly permit individuals to alter information or commit acts of fraud that may damage the company and cause it to violate regulatory standards.
SOX is just one of many pieces of legislation that require this level of compliance: the Gramm-Leach-Bliley Act (GLB), 21 CFR Part 11, HIPAA and the California Database Security Breach Notification Act are examples of the many items enacted within the last several years.
Solution
Ensure that only authorized users are allowed access to systems.
Employ access granularity that specifically defines what people can view or actions they can take once they have gained access to the systems. For example, a financial analyst may be granted access to view financial data for report construction but not be allowed to initiate a transaction or modify the information.
Maintain centralized control over who is authorized to access particular systems and what information within the system they are authorized to access, and, when a user leaves the company, ensure that their access rights are completely revoked from all systems.
Sunday, July 09, 2006
(Author - Ullas O Tharakan)
2020 AD: the world is a better place. Get ready for the ultimate shopping experience: designer babies. Imagine the fertility hospital near your lane offering to manipulate the gene sequence to get you the perfect baby, with the intelligence of Einstein, blue eyes, Tom Cruise killer looks and the so-called perfect shape. The day is not far away when designer babies become a reality and Hitler's infamous ambition of defining a superhuman unintentionally finds a place in society.
Genome research has given a new dimension to "coding" human beings. Humans are no longer just by chance; they are manipulated to fit best, defying Darwin's law of evolution and making it an instant process rather than a gradual one spread across thousands of years. The entire human genome has already been decoded in the ambitious Human Genome Project. In the projected future, which is closer than we think, governments and organizations will have to concentrate on protecting people from the negative side of this; there is a need to demarcate the good and the bad of this unprecedented innovation. There has already been a ban on human cloning worldwide, a well-respected step taken by governments.
With the intense research and the indecorous intention to make business, there could be a lot of loopholes which will affect humans worldwide. For example, when a baby is born, he or she will walk out of the maternity ward with a Human Code CD, a more futuristic form of birth certificate. The CD will contain the entire genome code of the baby. This specifies a predictive disease list with an accurate prediction of the likelihood of disease occurrence. Early prediction of disease will always be an advantage, as it could help to improve the quality of life as well as increase the natural lifespan by taking preventive medications.
But what happens if somebody else gets access to this information? It would be the ultimate disaster waiting to happen. Governments need to redefine the existing laws in order to prevent this. The social, ethical and legal issues will have a daunting effect on the individual. Fairness of usage of information will be a big issue. For example, insurance companies can target you for high premiums and can also deny your eligibility for insurance. Pharmaceutical companies can create customized drugs, with this eventually being used as a one-to-one marketing campaign at a premium cost. Corporates can disqualify you from a job because of your predicted future based on your genes.
This could lead to psychological impact, stigmatization and discrimination due to an individual's man-made genetic differences, both the existing ones and the expected ones.
There will be conceptual and philosophical implications regarding human responsibility, free will versus genetic determinism, and concepts of health and disease. This will lead to the commercialization of human design as a product; property rights (patents, copyrights and trade secrets) and accessibility to data and materials will need to be mandated.
In order to make this genetic experience fruitful and more poised towards humanity, governments worldwide should initiate due diligence. Governments would need to establish a Global Genetic Privacy Protection (GGPP) model to provide a framework for protecting against future human rights violations. Health ministry departments worldwide need to work towards a GGPP model over a period of time. This model needs to start with these basic aspects:
- Embryonic stage manipulation: Protection of the Genetic Trait Modification
- Gene Selective Manipulation Law
- Human Code access protection law (practices can be extended from the existing HIPAA global laws)
Better that governments worldwide start enacting such laws now and stop the world moving towards a digital apartheid era, preventing the human community from the next privacy disaster in waiting.
Tuesday, July 04, 2006
(Authored by Ullas Tharakan)
In India, the IT Bill 2000 was adopted in October 2000 and is called the Information Technology Act 2000. The Act consists of 12 parts and runs to 44 pages.
• Part I of the Act: Outlines the general purpose of the Act, provides definitions for terminologies used within the Act and defines the scope of the application of the Act
• Part II of the Act: This part deals with electronic records and electronic signatures. With limited exceptions, electronic records and signatures must be accorded the same treatment as paper records and signatures for purposes of complying with statutory writing, signature, evidentiary and record-keeping requirements. This does not, however, compel government organizations to accept or issue electronic documents if they do not wish to do so. This part addresses the acceptance and use of electronic records and electronic signatures by governmental entities.
• Part III of the Act: This addresses the integrity and authentication of secure electronic records and secure electronic signatures. The concept of a secure electronic record or a secure electronic signature will foster the growth of electronic commerce by providing businesses with assurances that records and signatures which meet the statutory definitions of "secure" records or signatures will be accorded the heightened evidentiary presumptions necessary to make business transactions effectively nonrepudiable.
• Part IV of the Act: This addresses issues of electronic contracting. This Part deals with the form in which an offer and an acceptance may be expressed and legal recognition of contracts formed in an electronic medium. This Part aims to provide increased legal certainty as to the conclusion of contracts by electronic means.
• Part V of the Act: This provides for the appointment and functioning of a Controller for Certifying Authorities who will regulate the issuance of digital certificates by licensed Certifying Authorities.
• Parts VI and VII of the Act: These parts address the legal issues related to the use of digital signatures. Digital signature technology, which utilizes asymmetric cryptography, has been developed to facilitate secure transactions over the Internet and other computer networks. Although the electronic contracting sections of the Act have been drafted to be technologically neutral, these parts have been included to establish rules for the use of the most prominent current technology.
• Part VIII of the Act: Provides for penalties and for their adjudication by an adjudicating officer appointed by the Central Government.
• Part IX of the Act: Provides for the formation, composition, functioning and powers of a Cyber Regulations Appellate Tribunal to which appeal shall lie from the orders of the adjudicating officer. The Civil Court shall not have jurisdiction with reference to the offences set out under this Act. An appeal shall lie to the High Court from the orders of the Cyber Regulations Appellate Tribunal.
• Part X of the Act: Provides criminal penalties for intentional damages or destruction of information systems or data, intentional "trespass" into a system and intentional theft of computer services, tampering with data, interrupting network services and intentionally introducing viruses into computers or computer networks.
• Part XI of the Act: Deals with issues relating to the liability of network service providers.
• Part XII of the Act: Sets out miscellaneous provisions with respect to power to search premises, removal of difficulties, etc.
(Authored by Ullas Tharakan)
A policy design should follow a well-thought-out process. The following steps are considered in arriving at the policy.
· Choose the policy development team.
· Designate a person or “body” to serve as the official policy interpreter.
· Decide on the scope and goals of the policy.
(Scope should be a statement about what is covered by the policy.)
· Decide on how specific the policy should be.
All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official.
· Unrealistic for large organizations.
· Often difficult to get the information out and ensure people read it.
· Incorporate policy awareness as a part of employee orientation.
· Provide refresher overview course on policies once or twice a year.
While creating the policies and processes, one must keep in mind that policies should:
· Be implementable and enforceable.
· Be concise and easy to understand.
· Be a balance of protection with productivity.
· Be updated regularly to reflect the evolution of the organization.
Policies should:
· State reasons why policy is needed.
· Describe what is covered by the policies - whom, what, and where.
· Define contacts and responsibilities to outside agencies.
· Discuss how violations will be handled.
Determining Level of Control
· Security needs and culture play major roles.
· Security policies MUST balance level of control with level of productivity.
· If policies are too restrictive, people will find ways to circumvent controls.
· Technical controls are not always possible.
· Must have management commitment on level of control.
Tuesday, June 13, 2006
(by Ullas Tharakan)
A sneak peek at the upcoming encryption market, which will dominate information security in the coming years. A number of new pieces of legislation geared towards protecting customer privacy will drive organizations to implement new and better controls. A snapshot of the upcoming legislation in the US market is below -
H.R. 82, Social Security On-line Privacy Protection Act—Introduced 1/4/2005 by Rep. Rodney Frelinghuysen (NJ); prohibits an interactive computer service from disclosing to a third party an individual's Social Security number or related personally identifiable information without the individual's prior informed written consent. The bill also requires such service to permit an individual to revoke any consent at any time.
S. 29, Social Security Number Misuse Prevention Act—Introduced 1/24/2005 by Sen. Dianne Feinstein (CA); amends the Federal criminal code to prohibit the display, sale, or purchase of Social Security numbers without the affirmatively expressed consent of the individual, except in specified circumstances.
S. 116, Privacy Act of 2005—Introduced 1/24/2005 by Sen. Dianne Feinstein (CA); to require the consent of an individual prior to the sale and marketing of such individual's personally identifiable information, and for other purposes.
S. 751, Notification of Risk to Personal Data Act—Introduced 4/11/2005 by Sen. Dianne Feinstein (CA); requires a business or government entity to notify an individual in writing or email when it is believed that personal information has been compromised, with the exception of situations relating to criminal investigation or national security purposes.
S. 768, Comprehensive Identity Theft Prevention Act—Introduced 4/12/3005 by Sen. Charles Schumer (NY); creates a new Federal Trade Commission (FTC) office of identity theft to help victims restore their identities.
S. 1216, Financial Privacy Breach Notification Act of 2005—Introduced 6/9/2005 by Sen. Jon Corzine (NJ); amends GLBA to require a financial institution to promptly notify the following entities whenever a breach of personal information has occurred at such institution: each customer affected by such breach; certain consumer reporting agencies; and appropriate law enforcement agencies. Furthermore, it requires any person that maintains personal information for or on behalf of a financial institution to promptly notify the institution of any case in which such customer information has been breached.
S. 1326, Notification of Risk to Personal Data Act—Introduced 6/28/2005 by Sen. Jeff Sessions (AL); requires any entity that owns or licenses sensitive personal information to implement and maintain "reasonable" security and notification procedures and practices appropriate to the nature of the information; preempts any state laws which relate "in any way to electronic information security standards or notification."
S. 1332, Personal Data Privacy and Security Act of 2005—Introduced 6/29/2005 by Sen. Arlen Specter (PA) and Sen. Patrick Leahy (VT); deals with different issues relating to identity theft and security breaches, specifically providing security measures that require "business entities" that have information on more than 10,000 United States persons to adopt measures commensurate with the sensitivity of the data and the size and complexity of the entity's activities.
S. 1336, Consumer Identity Protection and Security Act—Introduced 6/29/2005 by Sen. Mark Pryor (AR); establishes procedures for the protection of consumers from misuse of, and unauthorized access to, sensitive personal information contained in private information files maintained by commercial entities engaged in, or affecting, interstate commerce.
S. 1408, Identity Theft Protection Act—Introduced 7/14/2005 by Sen. Gordon Smith (OR) and Sen. Bill Nelson (FL); strengthens data protection and safeguards, requires data breach notification, and further prevents identity theft.
Sunday, June 11, 2006
Gearing you towards the art of Compliance – Part 1
(Authored by Ullas O Tharakan)
With the increase in networks and computers, sharing and storing information has become easier than ever. The sharing and storage medium could range from pocket PCs to Cray supercomputers. This has also led to malpractice based on data. Hence governments and corporate bodies worldwide have tightened the framework with mandated data protection laws. The core of data protection law is to present a framework to protect personal information, which has the potential to be used for malpractice.
This article explores the privacy concern and what is going on in the world to protect private information.
News and Happenings
Each country has evolved its own cyber law and has mandated data privacy grounds. The law governs the domestic movement of data, i.e. within states, as distinct from movement across international boundaries.
Laws in different countries do have similarities, and differ only to a minor extent. Compliance becomes tricky for organizations that do business at an international level. For example, a company doing business in Europe and the US needs to follow both the US and the applicable European Union guidelines when using personal data. E.g. a telephone number generally does not come under privacy law in the US, but in Europe one has to take the written consent of the employee before using it.
The OECD (Organisation for Economic Co-operation and Development) was the first organization to issue guidelines for cross-border data flows. With time, legislation is becoming stricter, with increased penalties for non-compliance.
The major challenges that span the organization in terms of compliance related to personal identifier information are:
1) Definition of personal information across the organization
2) Origin of personal information
3) Storage of personal information
4) Validation with respect to all the applicable laws
5) Who can access it
6) Where one can access it
7) Tracking personal information flows
8) Keeping up with laws and regulations
Defining personal identifier information – The identification can be governed by corporate policy, information policy, laws and regulations. Below we try to identify a standard set of personal identifier information:
· First name or initial
· Last name
· Video programming activity
· "Black box" data
· Social Security number
· Email address
· Personnel files
· GPS data
· Payment history
· Income
· Military history
· Criminal charges, convictions and court records
· Merchandise and product order history
· Financial transaction information
· License and certificate numbers
· Account numbers
· Internet URLs
· Device identifiers (for example, serial numbers)
· Hospital dates of birth, admission, discharge and death
· Geographic subdivisions smaller than a state (street address)
· Health plan beneficiary numbers
· Medical record numbers
· Fraud alerts
· Service subscription history
· Fax number
· Telephone number
· Employment history
· Body identifiers (for example, tattoos, scars)
· Education records
· Descriptive consumer listings
· Customer relationships
· Credit reports and credit scores
· Credit card purchases
· Loan or deposit balances
· Credit card numbers
· Vehicle identifiers (for example, license plate numbers)
· Conversations (recorded or overheard)
· Voting history
· California ID numbers
· Debit card numbers
· Biometric identifiers (such as DNA, finger, iris and voice prints)
· Information concerning children
· Biometric identifiers (for example, finger and voice prints)
· Internet Protocol (IP) addresses
· Any identifier the FTC determines permits the contacting of a specific individual
· Medical care information (for example, organ donations, medications, disability info)
· Unique identifiers that can be attributed to a specific individual
· Full-face (and comparable) photographic images
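As an added illustration (not part of the original article), the Python below scans constructed support-ticket records for four of the identifier types listed above (email address, Social Security number, IPv4 address and payment card number), validates each candidate before reporting it, and produces a redacted copy. The patterns, the Luhn and format checks, and the sample records are all assumptions of this example, not anything from the article.

```python
import re

# Detectors for four of the identifier types listed above.  Patterns, checks
# and the sample tickets below are constructed for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The SSA never issues area 000, 666 or 9xx, group 00 or serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def valid_ipv4(text):
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def card_ok(text):
    return luhn_ok(re.sub(r"[ -]", "", text))


DETECTORS = [
    ("email", EMAIL_RE, None),
    ("ssn", SSN_RE, None),
    ("ipv4", IPV4_RE, valid_ipv4),
    ("card", CARD_RE, card_ok),
]


def scan(text):
    """Return (kind, value, start, end) for every validated hit, by position.
    Candidates that fail their check (bad octet, bad Luhn) are dropped."""
    found = []
    for kind, rx, check in DETECTORS:
        for m in rx.finditer(text):
            if check is None or check(m.group()):
                found.append((kind, m.group(), m.start(), m.end()))
    return sorted(found, key=lambda f: f[2])


def redact(text):
    """Replace each hit with its kind so the record can be logged or shared."""
    out = text
    for kind, _, start, end in reversed(scan(text)):
        out = out[:start] + f"[{kind.upper()}]" + out[end:]
    return out


def inventory(records):
    """Which identifier kinds each record holds: the starting point for the
    'origin', 'storage' and 'tracking flows' questions in the list above."""
    return {i: sorted({f[0] for f in scan(r)}) for i, r in enumerate(records)}


# Constructed support-ticket records; none of the values are real.
SAMPLE_RECORDS = [
    "ticket 101: customer Jane Roe, jane.roe@example.com, "
    "card 4111 1111 1111 1111, from 203.0.113.7",
    "ticket 102: SSN 123-45-6789 on file; alt contact ann@example.org",
    "ticket 103: bogus SSN 000-12-3456, bad card 4111 1111 1111 1112, "
    "host 10.0.0.300",
]
```

Ticket 103 deliberately holds three look-alikes that fail validation, so it comes back empty; a detector without the checks would flag all three.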
I will continue this article in the next part... till then, happy reading.
Sunday, May 28, 2006
(Authored by Ullas Tharakan - He is an SME in Information Security)
To present you with the easiest way to understand the pillars of security, here is a simple example..... enjoy..
In ancient Rome, when a general in Caesar's army wanted to send information to Caesar, before sending the message he made it a point that the information was secure. He used a secret code to encrypt the message, for which the key was known only to Caesar. This kept the message confidential.
Then the general folded the paper and placed a wax seal at the edge, so that Caesar may know if the message was intercepted or not. This ensured integrity.
Then the General stamped the wax with his own seal, so that Caesar may know that this message has come from the general. This ensured authenticity.
Then he passed the envelope to a courier, asking him to carry the message safely to Caesar. This is authorization.
Finally, he requested an acknowledgement from Caesar that he got his message. This is non-repudiation.
Possibly, the concept of auditability was not available in Caesar's time. It is left to you as an exercise to work out how the general could also have taken care of auditability.
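To carry the Caesar story into code, here is an added example (not from the original post) that maps each step to a standard-library Python mechanism: a keyed stream cipher for confidentiality, an HMAC stamp for integrity and authenticity, an HMAC acknowledgement for non-repudiation between the two parties, and a hash-chained append-only log for the auditability exercise. All keys, the courier name "courier-1" and the message are constructed here; an acknowledgement that a third party could verify would need a digital signature rather than an HMAC.

```python
import hashlib
import hmac
import json
import secrets


def keystream(key, nonce, length):
    """Pad bytes from SHA-256 in counter mode over key||nonce||counter: a
    minimal stream cipher used here only to stay within the standard library."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Confidentiality: only a holder of the shared code recovers the text."""
    nonce = secrets.token_bytes(16)
    pad = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, pad))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def stamp(seal_key, data):
    """Integrity and authenticity: an HMAC under the stamping party's seal key.
    Altered data, or a stamp made without the key, fails check_stamp."""
    return hmac.new(seal_key, data, hashlib.sha256).hexdigest()


def check_stamp(seal_key, data, tag):
    return hmac.compare_digest(stamp(seal_key, data), tag)


class AuditLog:
    """Auditability: append-only records, each carrying the previous record's
    hash, so editing or dropping an entry breaks the chain on verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, detail):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"prev": prev, "actor": actor, "action": action, "detail": detail}
        self.records.append({**body, "hash": self._digest(body)})

    def verify_chain(self):
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def dispatch(message, tamper_in_transit=False):
    """Run the general's steps end to end; return (check results, audit log)."""
    shared_code = secrets.token_bytes(32)    # the code only the two of them know
    general_seal = secrets.token_bytes(32)   # the general's personal seal
    caesar_seal = secrets.token_bytes(32)    # Caesar's personal seal
    log = AuditLog()

    sealed = encrypt(shared_code, message)                  # confidentiality
    log.append("general", "encrypt", hashlib.sha256(sealed).hexdigest())
    tag = stamp(general_seal, sealed)                       # integrity + authenticity
    log.append("general", "stamp", tag)
    log.append("general", "hand over", "courier-1 authorized to carry to caesar")  # authorization

    if tamper_in_transit:                                   # one byte altered on the road
        sealed = sealed[:-1] + bytes([sealed[-1] ^ 0x01])

    authentic = check_stamp(general_seal, sealed, tag)
    log.append("caesar", "verify stamp", "ok" if authentic else "FAILED")
    recovered = decrypt(shared_code, sealed) if authentic else None
    ack = stamp(caesar_seal, tag.encode())                  # non-repudiation between the two parties
    log.append("caesar", "acknowledge", ack)
    ack_ok = check_stamp(caesar_seal, tag.encode(), ack)
    return {"authentic": authentic, "message_ok": recovered == message,
            "ack_ok": ack_ok, "audit_ok": log.verify_chain()}, log
```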
Friday, May 26, 2006
(Authored by Ullas Tharakan and Bernard Diwakar)
With the global directory consolidation initiative, directory services are becoming the foundation of identity management programs. A robust and solid design based on patterns and best practices will ensure that, once implemented, it will go a long way.
1) Decouple the LDAP layer and the application layer – DIT design changes should have minimal to zero dependency on the application layer. An application change should have the least possible impact on the directory, and vice versa.
2) Expose an API for LDAP access – Applications should not be given direct LDAP access. All LDAP connection details should always be encapsulated, and the application should remain oblivious to the port and other internal details of the LDAP server.
4) Reduce information overload – Define and use the standard object classes defined by the LDAP RFCs. Refrain from storing application-specific information in LDAP. The number of profile attributes should not exceed 20.
When adding employees to their respective departments, it would be possible to create distinguished names (DNs) like cn=Ullas Tharakan, ou=ESS, l=hyd, dc=esswipro.com. If Ullas Tharakan should at a later time move to another department, his DN will have to change. This results in changing all entries regarding access rights and more. If Ullas Tharakan's DN had instead been set to cn=Ullas Tharakan, ou=employees, l=hyd, dc=esswipro.com, this would not be a problem: an attribute describing which department he belongs to (ou=marketing) could be added to his entry to carry this information.
7) Physical or cultural split criteria: Other criteria that may or should be considered when branching the directory tree include physical or cultural splits in the organization and the nature of the client (human or application). If an organization has separate units that are either physically separated or have their own management authorities, there may be a natural requirement to split and separate parts of the DIT.
10) Schema design: The default LDAPv3 schema, in terms of object classes and attributes, caters to most implementations 9 times out of 10; however, there may be a need to define some custom object classes and attributes. In such a situation the rule of thumb is to define auxiliary classes, which keeps the schema flexible enough to be used across the enterprise directory.
11) High availability: This is one of the key considerations in any enterprise directory implementation, considering that directory services form the heart of any identity management solution. The leading directory service vendors do provide robust replication mechanisms that enable high availability and failover; however, it is essential to consider the following factors before the replication topology is finalized:
a) Clients accessing the directory services should be replication-aware and should process referrals, which tell the client which server to contact for a particular request.
b) Most identity management products have limitations on how the directory topology can be designed, and these should be understood before designing any fault-tolerant solution.
c) The peak loads in terms of the number of reads and writes also need to be considered.
d) The different data centers where the directory servers will be deployed.
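As an added example (not the post's own code), this Python model of the DN design point above builds the same employee under both layouts, with three ACL entries naming his DN, and counts what a department move costs in each. The in-memory directory, the ACL table and the resource names are constructed for the example, and the domain is written as dc=esswipro,dc=com in the usual RFC 2247 form.

```python
from dataclasses import dataclass, field

# Resources whose ACLs name the employee's DN (constructed for the example).
RESOURCES = ["app:payroll", "app:hr-portal", "share:finance"]

def normalize_dn(dn):
    """Canonical form for DN comparison: attribute types lower-cased and
    whitespace around separators dropped (a simplified RFC 4514 match that
    does not handle escaped commas inside values)."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip()}")
    return ",".join(parts)

@dataclass
class Directory:
    """Toy directory: normalized DN -> attributes, plus ACL rows that name
    their subjects by DN, as most directory-backed applications do."""
    entries: dict = field(default_factory=dict)
    acls: list = field(default_factory=list)   # [resource, subject_dn]

    def add(self, dn, **attrs):
        self.entries[normalize_dn(dn)] = dict(attrs)

    def grant(self, resource, subject_dn):
        subject_dn = normalize_dn(subject_dn)
        if subject_dn not in self.entries:
            raise KeyError(subject_dn)
        self.acls.append([resource, subject_dn])

    def dangling_acls(self):
        """ACL rows whose subject DN no longer exists: silently lost access."""
        return [row for row in self.acls if row[1] not in self.entries]

def rename_entry(d, old_dn, new_dn):
    """Move an entry to a new DN without touching ACLs, which is all a bare
    moddn/modrdn operation does."""
    old, new = normalize_dn(old_dn), normalize_dn(new_dn)
    d.entries[new] = d.entries.pop(old)
    return new

def move_dept_in_dn(d, dn, new_ou):
    """Layout 1: the department is an RDN component, so a department change
    is a rename and every ACL naming the old DN must be rewritten as well.
    Returns (new_dn, number of writes)."""
    old = normalize_dn(dn)
    rdns = [f"ou={new_ou}" if r.startswith("ou=") else r for r in old.split(",")]
    new = rename_entry(d, old, ",".join(rdns))
    writes = 1
    for row in d.acls:
        if row[1] == old:
            row[1] = new
            writes += 1
    return new, writes

def move_dept_in_attr(d, dn, new_ou):
    """Layout 2: flat ou=employees branch with the department held in the
    'ou' attribute.  The DN is stable, so one attribute write is the change."""
    key = normalize_dn(dn)
    d.entries[key]["ou"] = new_ou
    return key, 1

def build(branch_ou, dept_attr=None):
    """One employee under the given branch, granted the same three ACLs."""
    d = Directory()
    dn = f"cn=Ullas Tharakan, ou={branch_ou}, l=hyd, dc=esswipro,dc=com"
    attrs = {"cn": "Ullas Tharakan", "objectClass": "inetOrgPerson"}
    if dept_attr:
        attrs["ou"] = dept_attr
    d.add(dn, **attrs)
    for res in RESOURCES:
        d.grant(res, dn)
    return d, dn

def compare_layouts():
    """Move the employee from ESS to marketing under both layouts and report
    the write count and the number of ACL rows left pointing at nothing."""
    d_naive, dn1 = build("ESS")                     # layout 1, rename only
    rename_entry(d_naive, dn1, dn1.replace("ou=ESS", "ou=marketing"))
    d1, dn1 = build("ESS")                          # layout 1, done properly
    _, writes_dn = move_dept_in_dn(d1, dn1, "marketing")
    d2, dn2 = build("employees", dept_attr="ESS")   # layout 2
    _, writes_attr = move_dept_in_attr(d2, dn2, "marketing")
    return {
        "naive_rename_dangling_acls": len(d_naive.dangling_acls()),
        "dn_layout_writes": writes_dn,
        "dn_layout_dangling_acls": len(d1.dangling_acls()),
        "attr_layout_writes": writes_attr,
        "attr_layout_dangling_acls": len(d2.dangling_acls()),
    }
```

The naive rename is the failure mode the post warns about: the entry moves, the three ACL rows keep naming the old DN, and the user silently loses access until someone notices.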
Sunday, May 21, 2006
1. Identify executive leadership. An executive sponsor needs to champion the new Identity Management Program
2. Identify Goals, Objectives and ROI of Identity Management Program
a. Evaluate Points of Support – Compliance Audit, Security Compromises etc
b. Better Helpdesk
c. Improved Security
d. Better User Management control
e. Etc
3. Select a point person. The CISO or another information security leader should manage day-to-day activities and should be held responsible for championing the program. This person will have the authority to drive the program
4. Define an application profiling program. Try to tie business objectives to security objectives. Evaluate the authentication, authorization and user management processes of existing applications
5. Risk profiling of applications – Review traces of historical problems on each application. Evaluate on these parameters:
a. Revenue Impact
b. Level of Security
c. Resulting Help Desk Calls
d. Information Managed by Application
6. Establish a priority matrix of applications based on application risk, and create buckets of 5 applications for each phase
7. Evaluate and consolidate the global directory initiative – A central store will be key for the identity management program. A good user attribute design will ensure a balance between business logic and identity management logic
8. Kick off a role engineering program – Crystal-clear roles in the organization will lay the foundation for a solid identity management program. Many identity management programs cripple because the application stakeholders fail to understand this issue
9. Define a phase-wise program – Identity implementation is best and smoothest when done in phases. Avoid the BIG BANG approach, and follow these guidelines:
a. Start with the foundation build with three low-priority applications
b. Add 5 applications (3 normal, 1 medium, 1 complex)
c. Repeat point "b" till you find a logical end
10. Assess and tighten the current state of security. Look at policies, processes, guidelines, standards, existing technology (both hardware and software), training and education. A special eye on the following policies is required:
a. User Identity Format Policy
b. Password Policy
c. Account Management Policies
d. Role Management Policies
e. Revise existing policies and develop new ones as needed. This might include an acceptable-use policy and minimal security configuration for any device on a network.
11. Get endorsed – Have the executive security review board endorse the plans; use point number 2 to make the justification:
a. This group should consider budget, timing and prioritization.
b. Review the technical feasibility
c. Assign, schedule, execute and discuss deliverables. Give individuals or teams clear responsibilities and time lines.
12. Change Agent – Set up a change management program with this initiative and identify a change agent.
13. Migration Initiative – Last but not least, remember that an Identity Management initiative is also an identity mess cleanup. Identifying the sources of authoritative data and migrating them needs a thorough analysis. Start this with a data analysis of the identity data held by the different applications: which store is authoritative for each attribute, and which application accounts have no owner there.
14. Identity Technology Selection and Implementation –
a. Build versus Buy (Best practice – your core competence is your own business, e.g. health care or manufacturing – go with a product strategy)
b. In-house implementation versus outsourced implementation (Best practice – your core competence is your own business, e.g. health care or manufacturing – go with an outsourced implementation)
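Step 13 in practice, as an added example that is not part of the original post: a small identity data analysis that reconciles each application's own user store against an authoritative source before anything is migrated into the central directory. The HR feed, the two application stores (a billing system and a CRM) and every name, id and role in them are constructed for the example; the matching rules (e-mail first, display name as a fallback) are an assumption about what the stores have in common.

```python
"""Identity data analysis for the migration step of an IdM programme.
Added example, not code from the original post.  It reconciles each
application's local user store against an assumed authoritative HR feed
and reports what must be cleaned up before the accounts are migrated into
a central directory.  All records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:            # one row of the assumed authoritative HR feed
    employee_id: str
    name: str
    email: str
    status: str            # "active" or "terminated"


@dataclass(frozen=True)
class AppAccount:          # one row of an application's own user store
    user_id: str
    name: str
    email: str
    roles: tuple


# Constructed HR feed (the source we treat as authoritative).
HR_FEED = [
    HrRecord("E1001", "Asha Rao", "asha.rao@example.com", "active"),
    HrRecord("E1002", "Bob Lee", "bob.lee@example.com", "active"),
    HrRecord("E1003", "Carla Diaz", "carla.diaz@example.com", "terminated"),
]

# Constructed user stores; note each application uses its own user-id format.
APP_STORES = {
    "billing": [
        AppAccount("arao", "Asha Rao", "asha.rao@example.com", ("ar_read", "ar_post")),
        AppAccount("blee", "Bob Lee", "bob.lee@example.com", ("ar_read",)),
        AppAccount("cdiaz", "Carla Diaz", "carla.diaz@example.com", ("ar_admin",)),
        AppAccount("svc_batch", "", "", ("ar_admin",)),
    ],
    "crm": [
        AppAccount("asha.rao", "Asha Rao", "asha.rao@example.com", ("sales",)),
        AppAccount("bob.lee", "Bob Lee", "bob@old-domain.example", ("sales",)),
        AppAccount("b.lee2", "Bob Lee", "bob.lee@example.com", ("sales_admin",)),
    ],
}


def match_account(acct, by_email, by_name):
    """Match an application account to HR, by e-mail first and by display
    name as a fallback.  Returns (hr_record or None, matched_by_name_only)."""
    hr = by_email.get(acct.email.lower())
    if hr is not None:
        return hr, False
    hr = by_name.get(acct.name.lower()) if acct.name else None
    return hr, hr is not None


def reconcile(hr_feed, app_stores):
    """Return (findings, mapping).  findings[app][kind] lists the accounts
    that need attention; mapping[employee_id][app] is the per-application
    user id that the central directory must link to that active employee."""
    by_email = {h.email.lower(): h for h in hr_feed}
    by_name = {h.name.lower(): h for h in hr_feed}
    findings, mapping = {}, {}
    for app, accounts in app_stores.items():
        kinds = {"orphan": [], "terminated": [], "stale_email": [], "duplicate": []}
        seen = {}                                   # employee_id -> first user_id
        for acct in accounts:
            hr, by_name_only = match_account(acct, by_email, by_name)
            if hr is None:
                kinds["orphan"].append(acct.user_id)      # nobody in HR owns it
                continue
            if by_name_only:                              # e-mail attribute is stale
                kinds["stale_email"].append((acct.user_id, acct.email, hr.email))
            if hr.status == "terminated":                 # leaver still has access
                kinds["terminated"].append(acct.user_id)
                continue
            if hr.employee_id in seen:                    # same person, two accounts
                kinds["duplicate"].append((seen[hr.employee_id], acct.user_id))
            else:
                seen[hr.employee_id] = acct.user_id
                mapping.setdefault(hr.employee_id, {})[app] = acct.user_id
        findings[app] = kinds
    return findings, mapping


def privileged_leavers(findings, app_stores, admin_marker="admin"):
    """Highest-priority cleanup: terminated or orphan accounts that still hold
    an administrative role (any role name containing admin_marker)."""
    out = []
    for app, kinds in findings.items():
        flagged = set(kinds["terminated"]) | set(kinds["orphan"])
        for acct in app_stores[app]:
            if acct.user_id in flagged and any(admin_marker in r for r in acct.roles):
                out.append((app, acct.user_id))
    return out


if __name__ == "__main__":
    findings, mapping = reconcile(HR_FEED, APP_STORES)
    for app, kinds in findings.items():
        print(app, kinds)
    print("central directory links:", mapping)
    print("fix first:", privileged_leavers(findings, APP_STORES))
```

Run as a script it prints the findings per application, the employee-to-account links the central directory will need, and the accounts to fix first. The deliberately mismatched data shows the four things such a cleanup usually turns up: a leaver who still holds an admin role in billing, a service account with no owner in HR, a CRM account carrying a stale e-mail address, and the same employee with two CRM accounts under different id formats.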
GOOD LUCK and Go ahead –
Wednesday, May 10, 2006
(Authored by Ullas Tharakan - Draft Version)
A decade back, in the early 90’s, suppose I had woken up one morning, gone to the office on a bright sunny day and been told that we needed a security strategy. What would the reaction have been? “Gosh, what are you talking about? Security and strategy? This is not business.” Ideas and thoughts on a security strategy would have been easily shoved into the corner of the corporate wardrobe and buried with the epitaph “The Utter Nonsense”.
But today, as the dependence on IT increases, a new role model is emerging: “The utter nonsense of yesterday is making sensational sense.” Predictably, and with high probability, organizations will keep focusing on business but will lag behind unless and until the focus is driven at CIO or top management level. A buoyant force is required to keep it up and sustain it.
The IT Line
On May 2nd 2005, the Information Architecture Manager called me up and explained that there had been an attack and the main revenue-generating system was down: just 2 hours of downtime and a 20 million USD loss. One would be forced to ask how there could be a loss of 20 million USD in the middle of the night. A voice emerges from the back: we are a global company and the sun never sets for us.
On Nov 3rd 2005, the IT help desk received a mail from the Database Administrator: a person named Ron Shilling had sent an email from the company’s official email id soliciting administrators for user ids and passwords. The Database Administrator was a security-aware guy and hence validated it with the IT help desk. Then a reactive incident response was carried out. The post-mortem revealed that Ron had been fired from the company around 6 months earlier and was disgruntled, and, to everyone’s horror, a couple of CXO secretaries had already given away critical information about top management.
On Dec 31st 2005, the company’s database was hacked and a huge identity theft occurred. SSNs, patient profiles and credit card information were compromised. The company was sued for millions by consumers and was already grappling with losses, though it had done well in volume sales.
On Jan 2nd 2006, the financial auditors did not want to sign off, as the company grappled with a material weakness. Without that sign-off the company is on the verge of being thrown out of business.
The Business Line
The CEO of the company, on a sunny day in April 1994: “Today we are a global company, reckoning to change the world. Today we announce our new vision – either we are number one or number two, or we are out of that business. We believe that whatever we do, we want to define excellence.”
The CEO of the company on Jan 26th 2006, a cold gloomy day: “Ladies and gentlemen, due to an unfortunate series of events we have to file for bankruptcy protection with the Federal Government.”
The above is a very true story, a classic of fame turning to shame for a truly successful global company that got lost in the dust.
How do we avoid such events? With the advent of business-driven technology, more and more IT systems are falling into place to make organizations more competitive and customer-centric. Let us relate Michael Porter’s value chain to the changing landscape.

A successful company X would have this driving its core engine – the horizontals and the verticals. In the new paradigm, security is an evolving correction in the IT landscape.
The traditional value chain model has been driving business with a focus on core competence. With the new developments, the core competence needs to be ramped up and managed with better control and with a focus on information management.
The new projection looks for an efficient grip to sustain the business model through continuous evolution of the IT governance system. The extended value chain needs to be complemented by adopting a framework and an internal organization to drive it. As governance and security are viewed as a non-functional direction, it is imperative that the commitment and force to channel them come from the CIO office.
Expecting the business to carry this forward and sponsor it is a genuinely unwarranted expectation and is bound to fail; left to the business, end-to-end enterprise-wide security is nobody’s business.

In the end, one has to understand that “security is like the insurance business: it’s not the cost of having it, it’s the cost of not having it”. Hence the incidents cited in the monologue above will drag on and multiply as time moves on, if this understanding is not held sacred.
With the evolving business line and the IT infrastructure improving to support it, the IT governance model will never be static; it will follow a continuous evolution model as the business changes. A base security charter with the flexibility to adapt over time is required. Out-of-the-box thinking is required to drive the governance model with passion and wisdom. The extended value chain framework will help to drive and control the model.
A high-level “how to” model to implement the extended value chain –
1. Pick up warning signals: Look for clues and patterns in what has happened over the last few months; the length of the look-back window can be decided at CIO level.
2. Best practices adoption: Implementing best practices gives a focused and disciplined approach to implementing and sustaining the program. Look out for the standard security regulatory requirements with which your industry domain may have to comply. Following a good regulatory compliance methodology will automatically enforce good controls around the framework. Engage good external consultants who can drive this.
3. Audit to reinforce: Whether the adopted practices fit best needs to be judged through timely audits and the remediation that follows from them. Audit results will be more genuine if the audit is executed by an external entity.
4. Create an awareness program: Security is at its best with awareness and vigilance. Ensure your organization has a focus on carrying out the change management program, creating great awareness among the users across the enterprise.
5. Policy enhancement program: With the changing IT landscape, policies need to be monitored, validated and retuned. Policies need to be understood; the awareness program is the key to enforcing them.
6. IT security governance team: An organizational structure under the CIO office is the key to driving such implementations.
7. Enterprise data classification – Develop a centralized data dictionary for use across the enterprise and define standards that must be mandated when using the data, based on its sensitivity.
8. Define security metrics: Security metrics need to be defined for the organization to give quantitative and qualitative inference.
- This paper was published and accepted by ISCIT and the ACM Digital portal
In today’s business environment the rate of market change has far outpaced the ability to react effectively. As connectivity and collaboration pick up pace, the need for a strategic approach to security becomes ever more important, if not critical. Security models have ceased to be components that can simply be “plugged in” at the points in a business process that require them; they have evolved into technologies of their own, tightly coupled with the entire business itself. Several niche products have diversified from providing a solution in one particular area of security to complete, end-to-end solutions that constantly try to meet and exceed today’s high customer expectations of security.
This paper attempts to provide a roadmap with clear implementation breakpoints to building a common, enterprisewide security model.
Unified Security Framework
Authors:
GILSON WILSON
Information Security Consultant
Profile: Holds a B.E in Computer Science and Engineering.
More than 4 years of experience in Information technology working in areas of eCommerce, Web and Security Systems.
Has been associated as a web initiative consultant to GE and Telekom Malaysia among others.
Email: giwilson@deloitte.com
ULLAS O. THARAKAN
Information Security Consultant
Profile: Holds a B.E in Electronics and Telecommunication and a M.B.A in IT Strategy.
More than 5 years of experience in information technology and security systems. Has been associated with NAL, SGI, CMC and Polaris. Has also worked as an information security consultant with the World Bank.
Has also taken up pedagogical activities at IIT Delhi and IIITM Gwalior.
Email: ullaso.tharakan@wipro.com
Introduction
Information Security has to position itself as a business enabler. End users today should receive far more complete protection for the intellectual capital in their care, all with minimal involvement or awareness on their part. As the world becomes increasingly connected, risk rises accordingly. In response, businesses need a means to manage risk without disrupting normal operations or having to invest more money in a security solution than is necessary.
By bringing a wide range of security technologies – protocol analysis, pattern matching, active blocking, malicious code control (active content and/or antivirus), PKI, VPN, vulnerability assessment, policy distribution and enforcement, IDS, application protection, and security decision support – into a common framework, then packaging that framework to address specific business needs and operational IT functions, the unified security model has redefined what information security means, and how it can be aligned as a measurable business benefit to customers.
Current Scenario
Security technology has become an essential part of normal business operations. As a result, organizations of all sizes and markets are demanding that security technology reach new levels of effectiveness and value. Information security – the means by which organizations protect valuable digital assets such as accounting records, customer information, and proprietary trade secrets – has struggled to meet this need.
Unified Security Framework
As we move into the future, dependence on “soft data” is increasing exponentially. Companies worldwide use information technology as the backbone of their business processes in order to be more flexible in a competitive marketplace and, more importantly, closer to the customer. This has led to the opening up of information systems, which has made them more vulnerable from a security perspective. Applications have their own customized security models, complete with their own independent user stores and islands of sensitive information.
With the growth of business, the number of applications needed to accomplish business tasks has risen phenomenally.
Management of this number of applications becomes a complex issue, making the life of the end user, as well as that of the Chief Information Officer (CIO), tougher than ever. Managing applications in terms of security increases the overhead cost to the company, and on the other hand end users are forced to remember multiple authentication attributes and credentials, leading to the compromise of security in enterprise-wide systems.

What we propose here is that the security of all applications needs to be exported into one unified security layer which manages all aspects and components of security from a single window. The idea is to keep the business functionality and the security components of applications separate. Today most security functionality, like authentication, authorization and access control, is embedded within the application itself.

Applications maintain their own user base for providing access to multiple functionalities. This kind of scattered security functionality has implications in terms of manageability and leads to these challenges:-
• Applications have their own user ids and passwords under different account policies.
• Applications have their own user management functionality, like create/delete users and activate/revoke/grant permissions for access.
• Users are forced to remember multiple user ids and passwords, one set per application, leading to the selection of weak passwords and/or to passwords being written down, which makes them vulnerable to social engineering. With organizational growth, this factor increases.
• Every time a user joins an enterprise, he/she needs access to multiple applications. Creation of users in these various applications is performed by multiple administrators. This creates a loss of productive time.
• Every deletion also calls for the reverse of the creation process, across the same set of administrators; an account missed in one application is access that outlives the employee.
• Enforcing a consistent information policy across all applications enterprise-wide becomes tedious and a massive exercise in itself.
• Similarly, with all applications having their own audit mechanism, tracking incidents becomes a Herculean task.
The next step is to propose a framework where all applications can use a common security layer for all required security processes. Each application can connect to the common layer and subscribe to security services at a centralized level. This makes security management easier and ensures consistency in the security process, which makes the life of the end user easier when interacting with all applications while enhancing overall security.
The Unified Security Layer provides a single point of entry for end users while keeping the complex security transactions hidden.
The Unified Security Framework is a container that holds all security-related processes, practices and technologies in one layer. Any end user or application gets access to the systems through this channel. The Unified Security Framework consists of three distinct components:-
IT Infrastructure: This contains all the applications and defined processes that require information security. It consists of hardware, network components, data, operating systems and applications.
Core Security Technologies: These consist of all the underlying technologies that provide encryption services, application-level security, data security, signature services, certificate and key management and even user management functionality, whether data is in transit, in computation or at rest. This provides complete technology support for data at all levels.
Security Process: Security processes are the functionalities required for providing authentication, authorization, confidentiality and non-repudiation, and higher-level services like single sign-on, user provisioning and centralized/delegated administration, using the core security technologies.
7C Framework – Unified Security Framework Implementation
In order to develop this layer, an orchestration of the three would be required.

The 7C Framework proposes a methodology to implement the Unified Security Framework at a high level. This unified security strategy looks into the IT strategy of the organization, evaluating the business risk and fine-tuning the information security policy (password management, user accounts, etc.) to fit the enterprise strategy. Realignment will be required after implementation to standardize this policy.
The 7C Framework solves the problem of multiple credentials in the 2nd phase. User store integration (directory consolidation) is done using a centralized user store for as many applications as possible. This improves manageability and maintainability, and logically leads to a common authorization and access control model, which could be based on role, policy, view, content, context or any other type. After the basic setup is in place, it calls for a common security audit mechanism which monitors all transactions centrally and at an enterprise level, making every security incident visible with flexible control and a quick turnaround time. The end-user experience is enhanced by a common single sign-on to access all applications in the next phase. The common provisioning mechanism creates and associates users and resources while maintaining the consistency of these profiles (using mechanisms such as synchronization or a meta-directory) across all applications and resources throughout the enterprise. Finally, delegated and centralized administration provides a single window through which all security features, audits, access controls and even the publishing of security policies for user awareness are managed.
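As an added example (not the paper’s own code), the following is a minimal unified security layer of the kind the 7C Framework describes, written in Python. Two applications, a billing system and a CRM, keep no user table, password or authorization logic of their own; they subscribe to one layer for authentication, role-based authorization, audit, single sign-on tokens and provisioning. Application names, roles, actions and users are constructed for the example, and the session token is a random bearer token with an expiry, which stands in for whatever SSO mechanism a real deployment would use.

```python
"""Minimal unified security layer (added example, not the paper's code).
Applications delegate authentication, authorization, audit, SSO and
provisioning to this one layer and hold no security state of their own.
Users, roles, actions and application names are constructed for the demo."""
import hashlib
import hmac
import os
import secrets
import time


class SecurityLayer:
    def __init__(self):
        self._users = {}     # user_id -> {"salt", "hash", "roles", "active"}
        self._policy = {}    # (app, action) -> set of roles allowed to do it
        self._sessions = {}  # sso token -> (user_id, expiry time)
        self.audit = []      # the common audit trail: one record per decision

    # Provisioning: one call creates or disables the user for every application.
    def provision(self, user_id, password, roles):
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": self._pbkdf(password, salt),
                                "roles": set(roles), "active": True}
        self._log("provision", user_id, None, True)

    def deprovision(self, user_id):
        self._users[user_id]["active"] = False
        # Every session the user holds dies with the account, in every app.
        self._sessions = {t: s for t, s in self._sessions.items() if s[0] != user_id}
        self._log("deprovision", user_id, None, True)

    # Policy publishing: an application registers which roles may do an action.
    def grant(self, app, action, roles):
        self._policy.setdefault((app, action), set()).update(roles)

    # Authentication: verifies the salted PBKDF2 hash and issues one SSO token.
    def login(self, user_id, password, ttl=3600):
        user = self._users.get(user_id)
        ok = (user is not None and user["active"]
              and hmac.compare_digest(user["hash"], self._pbkdf(password, user["salt"])))
        self._log("login", user_id, None, ok)
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, time.time() + ttl)
        return token

    # Authorization: applications ask; the layer decides from roles and policy.
    def authorize(self, token, app, action):
        session = self._sessions.get(token)
        if session is None or session[1] < time.time():
            self._log("authorize", None, (app, action), False)
            return False
        user_id = session[0]
        allowed = self._policy.get((app, action), set())
        ok = bool(self._users[user_id]["roles"] & allowed)
        self._log("authorize", user_id, (app, action), ok)
        return ok

    @staticmethod
    def _pbkdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, event, user_id, resource, ok):
        self.audit.append({"event": event, "user": user_id, "resource": resource, "ok": ok})


class Application:
    """An application that has exported its security to the layer."""
    def __init__(self, name, layer):
        self.name, self.layer = name, layer

    def handle(self, token, action):
        if not self.layer.authorize(token, self.name, action):
            return "denied"
        return f"{self.name}:{action}:done"   # only the business logic lives here


def demo():
    layer = SecurityLayer()
    billing, crm = Application("billing", layer), Application("crm", layer)
    layer.grant("billing", "post_invoice", {"finance"})
    layer.grant("crm", "read_account", {"finance", "sales"})
    layer.provision("asha", "correct horse battery staple", {"finance"})
    layer.provision("bob", "another long passphrase", {"sales"})
    asha_tok = layer.login("asha", "correct horse battery staple")  # one login...
    bob_tok = layer.login("bob", "another long passphrase")
    results = [billing.handle(asha_tok, "post_invoice"),   # ...accepted by both apps
               crm.handle(asha_tok, "read_account"),
               billing.handle(bob_tok, "post_invoice"),    # wrong role: denied
               crm.handle(bob_tok, "read_account")]
    bad_login = layer.login("asha", "wrong password")      # lands in the audit trail
    layer.deprovision("asha")                              # leaver removed once...
    results.append(billing.handle(asha_tok, "post_invoice"))  # ...and out everywhere
    return results, bad_login, layer.audit


if __name__ == "__main__":
    for record in demo()[2]:
        print(record)
```

demo() walks through the phases in the text: one login yields a token accepted by both applications; a sales user is refused in billing by the common access control model; and a single deprovision call kills the user’s session everywhere, which is the reverse of the per-application deletion the paper lists as a challenge. Every decision, allowed or denied, lands in one audit list, so a failed login or a denied action is visible in one place regardless of which application saw it.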
Conclusion
Enterprises today need a unified model to achieve high levels of secure computing, tightly interwoven with business processes, which can still remain simple and transparent to users. This can be achieved by implementing the proposed 7C Framework, which allows a complete and consistent “common-sense” approach in terms of manageability, maintainability and robustness of architecture.