Security, Identity Management, Network security - You will find all exciting topics on Information Security - End to End
Sunday, May 28, 2006
(Authored by Ullas Tharakan - He is a SME in Information Security)
To present you with the easiest way to understand the pillars of security, here is a simple example. Enjoy.
In ancient Rome, when a General in Caesar’s army wanted to send information to Caesar, he made it a point that the information was secure before sending the message. He used a secret code to encrypt the message, for which the key was known only to Caesar. This kept the message confidential.
Then the General folded the paper and placed a wax seal at the edge, so that Caesar would know whether the message had been intercepted or not. This ensured integrity.
Then the General stamped the wax with his own seal, so that Caesar would know that the message had come from the General. This ensured authenticity.
Then he passed the envelope to a courier, asking him to carry the message safely to Caesar. This is authorization.
Finally, he requested an acknowledgement from Caesar that he had received the message. This is non-repudiation.
Possibly, the concept of auditability was not available in Caesar’s time. It is left to you as an exercise to work out how the General could also have taken care of auditability.
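The wax seal and the General’s stamp from the story map onto an integrity-and-authenticity tag in modern terms. The example below is added here and is not code from the original post: it uses an HMAC-SHA256 tag keyed per sender (a per-General key that Caesar, the verifier, also holds), so a changed message or a tag made with another General’s key fails verification. The names of the generals and the keys are constructed for the illustration; confidentiality (the "secret code") is left out, since a real deployment would use an authenticated cipher such as AES-GCM for that rather than a hand-rolled one.

```python
import hashlib
import hmac
import secrets

# Constructed example: one shared key per General, also known to Caesar (the verifier).
# Keys are generated here for the demo; in practice they are provisioned out of band.
GENERAL_KEYS = {
    "Labienus": secrets.token_bytes(32),
    "Antonius": secrets.token_bytes(32),
}


def _tag(key: bytes, sender: str, message: bytes) -> bytes:
    # Bind the sender's name into the tag so the same bytes cannot be re-stamped
    # under another name; the NUL byte separates name and message unambiguously.
    return hmac.new(key, sender.encode() + b"\x00" + message, hashlib.sha256).digest()


def seal(sender: str, message: bytes) -> bytes:
    """The General's stamp: an HMAC-SHA256 tag over sender and message."""
    return _tag(GENERAL_KEYS[sender], sender, message)


def verify(sender: str, message: bytes, tag: bytes) -> bool:
    """Caesar checks the seal. A constant-time compare avoids leaking how many bytes matched."""
    key = GENERAL_KEYS.get(sender)
    if key is None:
        return False
    return hmac.compare_digest(_tag(key, sender, message), tag)


def demo() -> tuple:
    """Returns (genuine message accepted, altered message rejected, forged sender rejected)."""
    msg = b"Cross the Rubicon at dawn"
    tag = seal("Labienus", msg)
    ok = verify("Labienus", msg, tag)
    tampered = verify("Labienus", b"Cross the Rubicon at dusk", tag)   # integrity
    forged = verify("Antonius", msg, tag)                               # authenticity
    return ok, tampered, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

One caveat the story glosses over: because Caesar holds the same key as the General, he could have produced the tag himself, so an HMAC seal does not give non-repudiation. That property needs a digital signature, where only the General holds the signing key.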
Friday, May 26, 2006
(Authored by Ullas Tharakan and Bernard Diwakar)
With the global directory consolidation initiative, directory services are becoming the foundation of Identity Management programs. A robust and solid design based on patterns and best practices will ensure that, once implemented, it has a long way to go.
1) Decouple the LDAP layer and the application layer – DIT design changes should have minimal to zero dependency on the application layer. Application changes should have the least possible impact on the directory, and vice versa.
2) Expose an API for LDAP access – Applications should not be given direct LDAP access. All LDAP connection details should always be encapsulated, and applications should remain oblivious to the port and other internal details of LDAP.
4) Reduce information overload – Define and use the standard object classes defined by the LDAP RFCs. Refrain from storing application-specific information in LDAP. Aim to keep the number of profile attributes at or below 20.
When adding employees to their respective departments, it would be possible to create distinguished names (DNs) like cn=Ullas Tharakan,ou=ESS,l=hyd,dc=esswipro.com. If Ullas Tharakan should at a later time move to another department, his DN will have to change. This results in changing all entries regarding access rights and more. If Ullas Tharakan’s DN had instead been set to cn=Ullas Tharakan,ou=employees,l=hyd,dc=esswipro.com, this would not be a problem. An attribute describing which department he belongs to (ou=marketing) could be added to his entry to carry this information.
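To make the cost of the two DN designs concrete, here is an added example (not code from the post) that models both layouts in memory: in the nested design a department move changes the DN and every ACL rule naming the old DN has to be rewritten, while in the flat design only the ou attribute changes. The DN values follow the post’s own example; the ACL rules and the dictionary-based "directory" are constructed stand-ins for what a real server would hold.

```python
# Constructed example: compare a department move under two DIT designs.
# Design A (nested): the department is a branch, e.g. ou=ESS, so it is part of the DN.
# Design B (flat):   everyone sits under ou=employees and department is an attribute.

BASE = "l=hyd,dc=esswipro.com"   # suffix from the post's example


def build_dn(cn: str, container: str) -> str:
    """Compose the entry DN from its RDN and the container it lives in."""
    return f"cn={cn},{container},{BASE}"


def make_entry(cn: str, department: str, flat: bool) -> dict:
    container = "ou=employees" if flat else f"ou={department}"
    return {"dn": build_dn(cn, container), "cn": cn, "ou": department}


def move_department(entry: dict, new_department: str, acls: list, flat: bool) -> tuple:
    """Move an employee to another department.

    Returns (updated entry, number of ACL rules rewritten because they named the old DN).
    """
    old_dn = entry["dn"]
    updated = dict(entry, ou=new_department)
    if flat:
        # Design B: a plain attribute modify; the DN is stable and no ACL is touched.
        return updated, 0
    # Design A: the parent changes, i.e. a modrdn/move, and every rule that referenced
    # the old DN must be rewritten to keep the person's access rights intact.
    updated["dn"] = build_dn(entry["cn"], f"ou={new_department}")
    rewritten = 0
    for rule in acls:
        if rule["subject"] == old_dn:
            rule["subject"] = updated["dn"]
            rewritten += 1
    return updated, rewritten


def compare_designs() -> dict:
    """Run the same move under both designs and report what each one cost."""
    results = {}
    for flat in (False, True):
        entry = make_entry("Ullas Tharakan", "ESS", flat)
        # Constructed ACL rules granting this person access to two resources by DN.
        acls = [{"subject": entry["dn"], "target": "cn=payroll-app"},
                {"subject": entry["dn"], "target": "cn=hr-portal"}]
        moved, rewritten = move_department(entry, "marketing", acls, flat)
        results["flat" if flat else "nested"] = {
            "dn_changed": moved["dn"] != entry["dn"],
            "acl_rewrites": rewritten,
        }
    return results


if __name__ == "__main__":
    for design, outcome in compare_designs().items():
        print(design, outcome)
```

The count of rewritten rules grows with every group, ACI and application that stores the DN, which is why the post recommends keeping organizational facts in attributes rather than in the tree shape.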
7) Physical or cultural split criteria: Other criteria that may or should be considered when branching the directory tree include physical or cultural splits in the organization and the nature of the client (human or application). If an organization has separate units that are either physically separated or have their own management authorities, you may have a natural requirement to split and separate parts of the DIT.
10) Schema design: The default LDAP v3 schema, in terms of object classes and attributes, caters to most implementations 9 times out of 10; however, there may be a need to define some custom object classes and attributes. In such a situation the rule of thumb is to define auxiliary classes; by doing this the schema remains flexible enough to be used across the enterprise directory.
11) High availability: This is one of the key considerations in any enterprise directory implementation, given that directory services form the heart of any Identity Management solution. The leading directory services vendors do provide robust replication mechanisms that enable high availability and failover; however, it is essential to consider the following factors before the replication topology is finalized --
a) Clients accessing the directory services should be replication aware and should process referrals, which let the client know which server to communicate with for a particular request.
b) Most Identity Management products have limitations on the way the directory topology is designed, and these should be understood before designing any fault-tolerant solution.
c) The peak loads in terms of the number of reads and writes also need to be considered.
d) The different data centers where the directory servers will be deployed.
Sunday, May 21, 2006
1. Identify executive leadership. An executive sponsor needs to champion the new Identity Management program.
2. Identify the goals, objectives and ROI of the Identity Management program
a. Evaluate points of support – compliance audit, security compromises, etc.
b. Better Helpdesk
c. Improved Security
d. Better User Management control
e. Etc
3. Select a point person. The CISO or another information security leader should manage day-to-day activities and should be held responsible for championing the program. This person will have the authority to drive the program.
4. Define an application profiling program. Try to tie business objectives to security objectives. Evaluate the authentication, authorization and user management processes of existing applications.
5. Risk profiling of applications – Review traces of historical problems on each application. Evaluate on these parameters
a. Revenue Impact
b. Level of Security
c. Resulting Help Desk Calls
d. Information Managed by Application
6. Establish a priority matrix of applications based on application risk, and create buckets of 5 applications for each phase.
7. Evaluate and consolidate the global directory initiative – A central store will be key for the Identity Management program. A good user attribute design will ensure a balance between business logic and Identity Management logic.
8. Kick off a role engineering program – Crystal-clear roles in the organization lay the foundation for a solid Identity Management program. Many Identity Management programs are crippled because application stakeholders fail to understand this issue.
9. Define a phase-wise program – Identity implementation is best and smoothest when done in phases. Avoid the BIG BANG approach, and follow these guidelines
a. Start with a foundation build with three low-priority applications
b. Add 5 applications (3 normal, 1 medium, 1 complex)
c. Repeat point “b” till you find a logical end
10. Assess and tighten the current state of security. Look at policies, processes, guidelines, standards, existing technology (both hardware and software), training and education. A special eye on the following policies is required
a. User Identity Format Policy
b. Password Policy
c. Account Management Policies
d. Role Management Policies
e. Revise existing policies and develop new ones as needed. This might include an acceptable-use policy and minimal security configuration for any device on a network.
11. Get endorsed – Have the executive security review board endorse the plans. Use point number 2 to make the justification –
a. This group should consider budget, timing and prioritization.
b. Review the technical feasibility
c. Assign, schedule, execute and discuss deliverables. Give individuals or teams clear responsibilities and time lines.
12. Change agent: Set up a change management program with this initiative and identify a change agent
13. Migration initiative – Last but not least, remember that an Identity Management initiative is also an identity mess cleanup. Identifying the sources of authoritative data and migrating them needs a thorough analysis. Start this with a data analysis (identity data) of the different applications
14. Identity technology selection and implementation –
a. Build versus buy (Best practice – your core competence is your own business – health care, manufacturing, etc. – go with a product strategy)
b. In-house implementation versus outsourced implementation (Best practice – your core competence is your own business – health care, manufacturing, etc. – go with an outsourced implementation)
GOOD LUCK and go ahead –
Wednesday, May 10, 2006
(Authored by Ullas Tharakan - Draft Version)
A decade back, in the early 90’s, if I had woken up one morning, gone to the office on a bright sunny day and somebody had told me that we needed a security strategy, what would the reaction have been? “Gosh – what are you talking about? Security and strategy? This is not business.” Ideas and thoughts on a security strategy would have been easily shoved into the corner of the corporate wardrobe, buried with the epitaph “The Utter Nonsense”.
But today, as the dependence on IT increases, a new role model is emerging: “The utter nonsense of yesterday is making sensational sense”. With predictability, and with high probability, organizations will keep focusing on business but will lag behind unless and until the focus is driven at the CIO or top management level. A buoyant force is required to keep up and sustain.
The IT Line
On May 2nd 2005, the Information Architecture Manager calls me up and explains that there has been an attack and the main revenue-generating system was down: just 2 hours of downtime and a 20 MUSD loss. One would be forced to think: in the middle of the night, how can there be a loss of 20 MUSD? A voice emerges from the back: we are a global company and the sun never sets for us.
On Nov 3rd 2005, the IT helpdesk receives a mail from the Database Administrator that a person named Ron Shilling has sent an email from the company’s official email id soliciting administrators for user ids and passwords. The Database Administrator was a security-aware guy and hence validated it with the IT helpdesk. Then a reactive action was taken to dissect the incident response. The post mortem revealed that this Ron had been fired from the company around 6 months back and was disgruntled, and, to everyone’s horror, a couple of CXO secretaries had already compromised critical information of the top management.
On Dec 31st 2005, the company’s database was hacked and a huge identity theft occurred. SSNs, patient profiles and credit card information were compromised. The company has been sued for millions by consumers and is already grappling with losses, though it did well in volume sales.
On Jan 2nd 2006, the financial auditors don’t want to sign off as the company grapples with a material weakness. The company is on the verge of being thrown out of business without it.
The Business Line
The CEO of the company on a sunny day in April 1994 – “Today we are a global company reckoning to change the world. Today we announce our new vision – either we are number one or number two, or we are out of that business. We believe that whatever we do, we want to define excellence.”
The CEO of the company on Jan 26th 2006, a cold gloomy day – “Ladies and gentlemen, due to an unfortunate series of events we have to file for bankruptcy protection with the Federal Government.”
The above is a very true story, a classic of going from fame to shame for a truly successful global company that got lost in the dust.
How do we avoid such events? With the advent of business-driven technology, more and more IT systems are falling into place to make organizations more competitive and customer-centric. Let us relate Michael Porter’s value chain to the changing landscape.

A successful company X would have this driving its core engine – the horizontals and verticals; in the new paradigm, security is an evolving correction in the IT landscape.
The traditional value chain model has existed and driven business with a focus on core competence. With the new advent, the core competence needs to be ramped up and managed with better control and a focus on information management.
The new projection looks for an efficient grip to sustain the business model through continuous evolution of the IT governance system. The extended value chain needs to be complemented by adopting a framework and an internal organization to drive it. As governance and security are viewed as a non-functional direction, it is imperative that the commitment and force to channel them come from the CIO office.
Expecting the business to carry this forward and sponsor it is a genuinely unwarranted expectation and is bound to fail. End-to-end enterprise-wide security is nobody’s business.

In the end, one has to understand that “security is like an insurance business: it’s not the cost of having it, it’s the cost of not having it”. Hence the losses cited in the monologue above will dramatically drag on and increase as time moves on, if the reverence of understanding is not made sacred.
With the evolving business line and the improving IT infrastructure to support it, the IT governance model will never be static and will follow a continuous evolution model with changes in the business. A base security charter with the flexibility to adapt with time is required. Out-of-the-box thinking is required to drive the governance model with passion and wisdom. The extended value chain framework will help to drive and control the model.
A “how to” high-level model to implement the extended value chain –
1. Pick up warning signals: Look for clues and patterns in what could have happened over the last few months; the length of the data window can be decided at CIO level.
2. Best practices adaptation: Best practices implementation gives a focused and disciplined approach to implementing and sustaining the program. Look out for the standard security regulatory requirements your industry domain may have to comply with. Following a good regulatory compliance methodology will automatically enforce good control around the framework. Engage good external consultants who can drive this force.
3. Audit to reinforce: The best-suited adaptation needs to be judged through timely audit and the remediation that comes from it. Audit results will be more genuine if the audit is executed by an external entity.
4. Create an awareness program: Security is best served by awareness and vigilance. Ensure your organization has a focus on carrying out the change management program, creating great awareness across the users in the enterprise.
5. Policy enhancement program: With the changing IT landscape, policies need to be monitored, validated and retuned. Policies need to be understood; an awareness program is the key to enforcement.
6. IT security governance team: An organizational structure under the CIO office is the key to driving such implementations.
7. Enterprise data classification – Develop a centralized data dictionary for use in the enterprise and define standards that need to be mandated when using the data, based on its sensitivity.
8. Define security metrics: Security metrics need to be defined for the organization to give quantitative and qualitative inferences.
- This paper was published and accepted by ISCIT and the ACM Digital portal
In today’s business environment the rate of market change has far out-paced the ability to react effectively. As connectivity and collaboration pick up the pace, the need for a strategic approach to security becomes ever more important – if not critical. Security models have ceased to simply be components that can be “plugged in” at various points in any business process that requires them and have now evolved into technologies of their own, tightly coupled with the entire business itself. Several niche products have now diversified from providing a solution in one particular area of security to complete, end-to-end solutions that constantly try to meet and exceed the high customer expectations of security today.
This paper attempts to provide a roadmap with clear implementation breakpoints to building a common, enterprise-wide security model.
Unified Security Framework
Authors:
GILSON WILSON
Information Security Consultant
Profile: Holds a B.E in Computer Science and Engineering.
More than 4 years of experience in Information technology working in areas of eCommerce, Web and Security Systems.
Has been associated as a web initiative consultant to GE and Telekom Malaysia among others.
Email: giwilson@deloitte.com
ULLAS O. THARAKAN
Information Security Consultant
Profile: Holds a B.E in Electronics and Telecommunication and a M.B.A in IT Strategy.
More than 5 years of experience in information technology and security systems. Has been associated with NAL, SGI, CMC and Polaris. Has also worked as an information security consultant with the World Bank.
Has also taken up pedagogical activities at IIT Delhi and IIITM Gwalior.
Email: ullaso.tharakan@wipro.com
Introduction
Information Security has to position itself as a business enabler. End users today should receive far more complete protection for the intellectual capital in their care, all with minimal involvement or awareness on their part. As the world becomes increasingly connected, risk rises accordingly. In response, businesses need a means to manage risk without disrupting normal operations or having to invest more money in a security solution than is necessary.
By bringing a wide range of security technologies – protocol analysis, pattern matching, active blocking, malicious code control (active content and/or antivirus), PKI, VPN, vulnerability assessment, policy distribution and enforcement, IDS, application protection, and security decision support – into a common framework, then packaging that framework to address specific business needs and operational IT functions, the unified security model has redefined what information security means, and how it can be aligned as a measurable business benefit to customers.
Current Scenario
Security technology has become an essential part of normal business operations. As a result, organizations of all sizes and markets are demanding that security technology reach new levels of effectiveness and value. Information security – the means by which organizations protect valuable digital assets such as accounting records, customer information, and proprietary trade secrets – has struggled to meet this need.
Unified Security Framework
As we move into the future, dependence on “soft data” has been increasing exponentially. Companies worldwide use information technology as the backbone of business processes in order to be more flexible in a competitive marketplace and, more importantly, closer to the customer. This has led to the opening up of information systems, which has made them more vulnerable from a security perspective. Applications have their own customized security models – complete with their own independent user stores and islands of sensitive information.
With the growth of business, the number of applications needed to accomplish business tasks has risen phenomenally.
Management of this number of applications becomes a complex issue, making the life of the end user, as well as that of the Chief Information Officer (CIO), tougher than ever. Managing applications in terms of security increases the overhead cost to the company; on the other hand, end users are forced to remember multiple authentication attributes and credentials, leading to the compromise of security in enterprise-wide systems.

What we propose here is that the security of all applications needs to be exported into one unified security layer which manages all security aspects and components from a single window. The idea is to keep the business functionality and the security components of applications separate. Most security functionality, like authentication, authorization and access control, is usually embedded within the application itself.

Applications maintain their own user base for providing access to multiple functionalities. This kind of scattered security functionality has implications in terms of manageability and leads to these challenges:-
• Applications have their own user ids and passwords under different account policies.
• Applications have their own user management functionalities like create/delete users, activate/revoke/grant permissions for access, etc.
• Users are forced to remember multiple user ids and passwords for each application, leading to the selection of weak passwords and/or writing down passwords, making them vulnerable to social engineering. With organizational growth, this factor increases.
• Every time a user joins an enterprise, he/she needs access to multiple applications. Creation of users in these various applications is performed by multiple administrators. This creates a loss of productive time.
• Every deletion also calls for the reverse of the creation process.
• Enforcing a consistent information policy across all applications enterprise-wide becomes tedious and a massive exercise in itself.
• Similarly, with all applications having their own audit mechanism, tracking of incidents becomes a Herculean task.
Now the next step is to propose a framework where all applications can use a common security layer for all required security processes. Each application can connect to a common layer and subscribe to security services at a centralized level. This makes security management easier and ensures consistency in the security process, which makes the life of the end user easier when interacting with all applications while enhancing overall security.
The Unified Security Layer provides a single insignia entry to end users while keeping the complex security transactions hidden.
The Unified Security Framework is a container that holds all security-related processes, practices and technologies in one layer. Any end user/application can get access to the systems through this channel. The Unified Security Framework consists of three distinct components:-
IT Infrastructure: This contains all the applications and defined processes that require information security. It consists of hardware, network components, data, operating systems and applications.
Core Security Technologies: These consist of all underlying technologies that provide encryption services, application-level security, data security, signature services, certificate and key management and even user management functionalities, whether data is in transmission, in computation or idle. This provides complete technology support for data at all levels.
Security Process: Security processes are the functionalities required for providing Authentication, Authorization, Confidentiality and Non-Repudiation, and higher-level services like Single Sign-On, User Provisioning and Centralized/Delegated Administration, using the core security technologies.
7C Framework – Unified Security Framework Implementation
In order to develop this layer, an orchestration of the three components would be required.

The 7C Framework proposes a methodology to implement the Unified Security Framework at a higher level. This unified security strategy looks into the IT strategy of the organization, evaluating the business risk and fine-tuning the Information Security Policy (password management, user accounts, etc.) to fit into the enterprise strategy. Realignment will be required after implementation to standardize this policy.
The 7C Framework solves the problem of multiple credentials in the 2nd phase. User Store Integration (directory consolidation) is done using a centralized user store for as many applications as possible. This improves manageability and maintainability. This logically leads to a common Authorization and Access Control model, which could be based on role, policy, view, content, context or any other type. After the basic setup is in place, it calls for a Common Security Audit mechanism which monitors all transactions centrally and at an enterprise level, making them transparent, with flexible control over any security incident and a quick turnaround time. The end-user experience is enhanced by a common Single Sign-On to access all applications in the next phase. The Common Provisioning mechanism creates and associates users and resources while maintaining the consistency of these profiles (using various mechanisms such as synchronization, a meta-directory, etc.) across all applications and resources throughout the enterprise. Finally, Delegated and Centralized Administration provides a single window through which all security features, audits, access controls and even the publishing of security policies for user awareness are managed.
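The following example, added here and not part of the paper, shows the shape of the common layer the 7C phases describe: one user store with a common authentication and single sign-on token, a common role-based authorization policy that applications subscribe to, one audit trail, and provisioning/deprovisioning that takes effect for every application at once (the reverse-of-creation problem listed above). The class and application names are invented for the illustration, and the password hashing uses PBKDF2 from the standard library as a stand-in for whatever the directory would use.

```python
import hashlib
import hmac
import secrets
import time


class UnifiedSecurityLayer:
    """Constructed example of a common security layer applications subscribe to."""

    def __init__(self):
        self._users = {}      # common user store: user id -> (salt, password hash, roles)
        self._sessions = {}   # SSO tokens: token -> user id
        self._policy = {}     # common access control: app -> role -> allowed actions
        self.audit = []       # common audit trail: (timestamp, event, detail)

    # --- common provisioning ---
    def provision(self, user, password, roles):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password), set(roles))
        self._log("provision", user)

    def deprovision(self, user):
        # One deletion revokes the account and every live SSO session for all applications.
        self._users.pop(user, None)
        for tok in [t for t, u in self._sessions.items() if u == user]:
            del self._sessions[tok]
        self._log("deprovision", user)

    # --- common authentication / single sign-on ---
    def authenticate(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            self._log("auth_fail", user)
            return None
        salt, digest, _ = rec
        if not hmac.compare_digest(digest, self._hash(salt, password)):
            self._log("auth_fail", user)
            return None
        token = secrets.token_hex(16)          # the single credential every app accepts
        self._sessions[token] = user
        self._log("auth_ok", user)
        return token

    # --- common authorization ---
    def grant(self, app, role, action):
        self._policy.setdefault(app, {}).setdefault(role, set()).add(action)

    def authorize(self, token, app, action):
        user = self._sessions.get(token)
        if user is None or user not in self._users:
            self._log("authz_deny", f"{app}:{action}")
            return False
        roles = self._users[user][2]
        allowed = any(action in self._policy.get(app, {}).get(r, set()) for r in roles)
        self._log("authz_allow" if allowed else "authz_deny", f"{user}@{app}:{action}")
        return allowed

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, event, detail):
        self.audit.append((time.time(), event, detail))


def demo():
    """Two constructed applications (payroll, hr-portal) using the one layer."""
    usl = UnifiedSecurityLayer()
    usl.grant("payroll", "finance", "view_salary")
    usl.grant("hr-portal", "employee", "view_profile")
    usl.provision("alice", "correct horse battery staple", ["finance", "employee"])

    token = usl.authenticate("alice", "correct horse battery staple")
    before = (usl.authorize(token, "payroll", "view_salary"),      # True
              usl.authorize(token, "hr-portal", "view_profile"),   # True
              usl.authorize(token, "payroll", "edit_salary"))      # False, no such grant
    usl.deprovision("alice")
    after = usl.authorize(token, "payroll", "view_salary")         # False, access gone everywhere
    return before, after, [event for _, event, _ in usl.audit]


if __name__ == "__main__":
    print(demo())
```

Note that the applications never see the password or the user store; they hold only the token and ask the layer for a decision, which is what lets the audit trail and the deprovisioning be complete from a single place.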
Conclusion
Enterprises today need a unified model to achieve high levels of secure computing, tightly interwoven with business processes, which can still remain simple and transparent to users. This can be achieved by implementing the proposed 7C Framework, which allows a complete and consistent “common-sense” approach in terms of manageability, maintainability and robustness of architecture.