2005 NYS CIO Conference
Cyber Security 2005
Securing Enterprise Applications
Andrew G. Nagorski
Thursday 14 July 2005 2:00 p.m.
Topics of Discussion
The rising tide of security breaches
The new frontier of identity access management
Federal regulatory impacts on IT applications
Recommended action plan
The rising tide of security breaches
Backup tapes going missing
Laptops being stolen
Isolated servers being hacked
ASPs (application service providers) having data compromised
International outsourcing sites having breaches
Dramatic new rise in spear phishing
Continued rise in spyware
Do you know this guy?
The resident eccentric boasting 20+ years in the IT office
Arrives whenever he wants, leaves at dawn(ish)
Never really sees much sunlight, permanent grooves in the floor beneath his chair
Listservs, Labs, Printing, Email, Calendar, Library, Parking, Facilities, Luminis…
Active Directory, Kerberos, AIX, Solaris, OpenLDAP, SQL Server, tab-delimited files, XML files, DBFs, LDIFs, etc…
Student Services, Library Services, School of Law & Business, office of IT, Employee Services, Alumni, Vendors
Office of the President – for exceptions of course
One guy – one very long ponytail, and if he were to be hit by a bus tomorrow…
What is Identity Access Management?
Identity Access Management is a topic which addresses an evolving way to manage digital identity in support of authenticating users and providing access to multiple systems.
IAM is a very new, hot topic in IT across all industry sectors.
The open standards that support IAM are still evolving. Product support, beyond the applications funded by Internet2, is not widespread.
Existing providers offer proprietary software solutions which may not survive the coming standards battle.
Today’s IAM climate is one of urgency, but limited action. A “wait and see what the others do” attitude prevails, especially in higher ed.
What is Identity Access Management?
Definition #1: A set of processes and supporting infrastructure for the creation, maintenance, and use of digital identities (unique ids, attributes, credentials, entitlements). (Burton Group)
Definition #2: “Identity management solutions address enterprises' need to administer (create, modify and delete) user accounts, user profiles and corporate policies across the heterogeneous IT environment via a combination of user roles and business rules.”
“Identity and Access Management Defined,” Gartner Group Research Note 4 November 2003
Key Concepts: Terminology
IAM (Identity and Access Management) – the collection of systems which manage identity, authN, authZ, and provisioning for an enterprise; the infrastructure of the entire solution
Identification – Associate an identity with a service request
Authentication (AuthN) – Validate that the entity is who they claim to be
Authorization (AuthZ) – Verify that the entity can perform a certain action
Provisioning – Automated creation of user accounts, groups, group membership, and policies in managed systems
Administrative Domain – Resources (including users) managed by a single administrative authority
Identity Federation – Making identity and entitlements portable across autonomous administrative domains
Assertion – Based upon recognized authorities for attributes, an official statement that a fact is true
Key Concepts: Digital Identity
Subjects/principals (users, apps)
Unique identifier – name, number, or other identifier; unique in some scope; persistent, long-lived; may be a “pseudonym” or “true name”
May have multiple credentials – different strengths, different apps; can change with more frequency
Attributes, entitlements, policies – more transient, fluid information; often specific to apps or sites
Source: Burton Group
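As an added illustration of the terms on the two Key Concepts slides (this is not code from the presentation), a toy Python administrative domain that identifies a principal by a persistent uid, authenticates a salted-hash credential, authorizes against role-based business rules, provisions and deprovisions accounts in managed systems, and issues an HMAC-signed assertion that a federated domain can verify. The role rules, system names, uids and shared key are constructed for the example.

```python
import hashlib, hmac, json, secrets

# Business rules (constructed for this example): a role grants entitlements, and
# each entitlement names the managed system where an account must exist.
ROLE_RULES = {"student": {"library:read", "email:mailbox"},
              "staff": {"library:read", "email:mailbox", "sis:update"}}
ENTITLEMENT_SYSTEM = {"library:read": "OpenLDAP", "email:mailbox": "Exchange", "sis:update": "SQLServer"}

class Domain:
    def __init__(self, name, federation_key):
        self.name, self.key = name, federation_key
        self.identities = {}   # persistent uid -> {"creds": {...}, "attrs": {...}}
        self.systems = {}      # managed system -> set of provisioned uids
    def create_identity(self, uid, role, password):
        # The uid is long-lived; the credential (salted hash) and role may change.
        salt = secrets.token_hex(8)
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        self.identities[uid] = {"creds": {"password": (salt, digest)}, "attrs": {"role": role}}
        self.provision(uid)
    def provision(self, uid):
        """Provisioning: create the accounts the role's entitlements require."""
        for ent in ROLE_RULES[self.identities[uid]["attrs"]["role"]]:
            self.systems.setdefault(ENTITLEMENT_SYSTEM[ent], set()).add(uid)
    def deprovision(self, uid):
        """Remove the identity and every account provisioned for it (no orphans)."""
        self.identities.pop(uid, None)
        for accounts in self.systems.values():
            accounts.discard(uid)
    def authenticate(self, uid, password):
        """AuthN: validate the presented secret against the stored salted hash."""
        ident = self.identities.get(uid)
        if ident is None:
            return False
        salt, digest = ident["creds"]["password"]
        candidate = hashlib.sha256((salt + password).encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)
    def authorize(self, uid, entitlement):
        """AuthZ: may this identity perform the action? Decided by the role rules."""
        ident = self.identities.get(uid)
        return ident is not None and entitlement in ROLE_RULES[ident["attrs"]["role"]]
    def issue_assertion(self, uid):
        """Federation: a signed statement of uid and attributes for another domain."""
        body = json.dumps({"issuer": self.name, "uid": uid, "attrs": self.identities[uid]["attrs"]}, sort_keys=True)
        return body, hmac.new(self.key, body.encode(), "sha256").hexdigest()

def accept_assertion(trusted_key, body, signature):
    """The relying domain checks the signature before trusting the assertion."""
    expected = hmac.new(trusted_key, body.encode(), "sha256").hexdigest()
    return json.loads(body) if hmac.compare_digest(expected, signature) else None
```

A real deployment would sign assertions with per-issuer keys or certificates (SAML-style) rather than a shared secret, but the verify-before-trust step is the same.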
Classifying IAM Solutions: Four Primary Areas
[Figure: the four areas plotted against time and complexity: Enterprise Directory Services, Access Management, Provisioning, Identity Federation]
Federal regulatory impact on IT applications
“Those who like sausage and have respect for the law should not watch either being made.”
Otto von Bismarck
Federal regulatory impact on IT applications
Law vs. Regulation
Federal/state lawmakers delegate legislative power to administrative agencies
Regs/rules from these agencies have same legal effect as laws
Rules are posted to Federal Register
Regulatory Impacts
Direct impact on IT implementations and practices
Management team is accountable
Civil and criminal penalties apply for non-compliance
Like death & taxes, more regulations are a certainty
Regulations: Gramm-Leach-Bliley Act (GLBA)
Each financial institution must develop, implement and maintain a comprehensive information security program
The program must contain administrative, technical and physical safeguards appropriate to:
the size and complexity of the financial institution;
the nature and scope of its activities; and
the sensitivity of its customer information.
Although the standard is flexible, the Rule sets forth certain required elements.
Penalties for GLBA violations:
$1,000 (individuals) to $500,000 (class)
Regulations: Gramm-Leach-Bliley Act (GLBA)
From NACUBO Advisory Report 2003-01
The GLBA broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.”
Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes.
Regulations: Gramm-Leach-Bliley Act (GLBA)
From NACUBO Advisory Report 2003-01 (continued)
NACUBO and other higher education associations worked to have colleges and universities exempted from the jurisdiction of FTC because they did not fit the typical definition of a financial institution.
As a result, colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA).
However, higher education institutions are subject to the provisions of the Act related to administrative, technical, and physical safeguarding of customer information.
Regulations: HIPAA
Health Insurance Portability & Accountability Act
Published in 1996
PHI (protected health information) must be safeguarded via implementation of policies and procedures
Applies to any stored faculty/admin/student health information, any self-administered/funded healthcare plans
Applies to paper and electronic PHI
Point person must be identified
Penalties for HIPAA violations:
$25,000 (general) to $250,000 (wrongful disclosure)
Up to 10 years imprisonment
Regulations: Sarbanes-Oxley Act (SARBOX)
Published in 2002, introduces new responsibilities & restrictions for CEOs/CFOs
Focus on greater disclosure and transparency in financial reporting, internal controls, ethics, audit committee expertise
Management team must establish, maintain, & assess effectiveness of internal controls
SARBOX controls are similar to GLBA and HIPAA: data must be safeguarded against unauthorized and improper use; the focus is on corporate accountability in financial reporting
Improved/enhanced audit requirements and controls
SARBOX penalties range from $1 million to $5 million and 10 to 20 years imprisonment
Regulations: Sarbanes-Oxley Act (SARBOX)
The SEC has extended the date for the Section 404 report on internal control over financial reporting. For larger companies, known as “accelerated filers,” the requirement for the report applies beginning with fiscal years ending after November 15, 2004. For others, the deadline for reports is for fiscal years ending after July 15, 2005.
“Fitch Ratings, which assesses the investment risk of bonds, has begun taking into account whether colleges are voluntarily adopting provisions of the Sarbanes-Oxley Act.” – Chronicle of Higher Education February 13, 2004
Regulations: Patriot Act / SEVIS
Patriot Act enacted October 2001
Enhanced Border Security and Visa Entry Reform Act enacted May 2002
This legislation makes it simpler for federal officials to obtain court orders for student records and amends FERPA to permit “emergency disclosure.”
Calls for full implementation of INS foreign student tracking system (SEVIS)
Notification requirements between Department of State, INS, and institutions to track student entry, enrollment, and changes in status
With court order, Feds investigating terrorism may obtain business and student records
Recommended action plan
1. Educate staff and management on Identity Access Management
2. Develop an IAM strategy, framework and plan
3. Educate your IT and user management on regulatory compliance
4. Create and disseminate IT security policies, guidelines and procedures
5. Review ASP and outsourcing contracts for international servicing provisions
6. Reduce the use of Social Security numbers where possible
7. Create, disseminate and train all staff on download, backup, and mobile computing data risks
8. Schedule regular specialized audits of networking, systems, and database security
9. If you have a DRP test it, if you have an old DRP maintain it, if you don’t have a DRP scope it
10. Perform security audits of computer room operations, NOCs, and server farm environments