security architecture rajagiri talk march 2011

Posted on 12-Jan-2015

Page 1: Security architecture  rajagiri talk march 2011

Security Architecture

Prof. K Subramanian
SM(IEEE, USA), SMACM(USA), FIETE, SMCSI, MAIMA, MAIS(USA), MCFE(USA)

Director & Professor, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU
Honorary IT Adviser to CAG of India
Ex-DDG(NIC), Ministry of Comm. & IT

Emeritus President, eInformation Systems, Security, Audit Association (eISSA)
President, Cyber Society of India (Cysi)

Page 2: Security architecture  rajagiri talk march 2011

24/7/2010 Prof. KS@2010 isaca conference July 2010 Bengaluru 2

Global issues with governance of cyberspace

• Information Technology & Business: current status and future
• Does IT matter? IT-enabled Business
  – Role of Information and Information Systems in business
  – Role of information technology in enabling business
  – IT dependence
• Changing Role of the CIO
• Web 2.0 and 3.0 and governing cyberspace
• eBusiness, eHealth, eBanking, eGovernance
• Current Challenges and Issues

Page 3: Security architecture  rajagiri talk march 2011

Oct 27,2010 Future egovIndia forum Oct 2010 Delhi India 3

Cyberspace is Dynamic, Undefined and Exponential

Countries need dynamic laws, keeping pace with the technological advancements

In a Virtual Space, Netizens Exist, Citizens Don't!

Trust in E-environments:
• Lack of a mature IT society
• Absence of a single governing body
• Legislation
• High skill inventory
• Reduced fear of being caught
• Disgruntled Employees

Page 4: Security architecture  rajagiri talk march 2011

09/27/10 4 4

Page 5: Security architecture  rajagiri talk march 2011

Prof. KS@2010 Software architecture series

Page 6: Security architecture  rajagiri talk march 2011

Five-tier Architecture for Cyber Space

Data Architecture: an overall plan for the data items (and their relationships) necessary to deliver e-government.

Process Architecture: a plan of the key activities that e-government will support and undertake.

Technology Architecture: how computers will be sized and connected for e-government, and an outline of the software to be used.

Data Management Architecture: how data input, processing, storage and output functions will be divided across the information technology architecture.

Management Architecture: the policies, standards, human resource systems, management structures, financial systems, etc. necessary to support e-government.

To create a building, you need a sound underlying architecture for that building, based on an architect's plan. The same is true for Security.

Page 7: Security architecture  rajagiri talk march 2011

Emerging Technologies, Competitive Environments & Integration: Catering through ICE

Technologies

1. IT

2. BT

3. CT

4. ET

5. NT

6. ST

1. Operational Integration

2. Professional Integration (HR)

3. Emotional/Cultural Integration

ICE is the sole integrator & IT/Cyber Governance is Important

Selection of Technologies

• Affordable
• Acceptable
• Sustainable
• Reliable

Page 8: Security architecture  rajagiri talk march 2011

Creating Trust in an Enterprise

• Today's information explosion is creating challenges for business and technology leaders at virtually every organization. The lack of trusted information and pressure to reduce costs is on the minds of CEOs and senior executives around the world.

• What's required to solve these challenges is a paradigm shift: from generating and managing silos (of information, of talent and skills, of technologies and of projects) to an environment where information is a trusted, strategic asset that is shared across the company.

Page 9: Security architecture  rajagiri talk march 2011


Page 10: Security architecture  rajagiri talk march 2011

Transition: Insurance & Assurance

Assurance Layered Framework
• Insurance
• Audit: Pre, Concurrent, Post
• IT Audit: Environmental, Operational, Technology, Network, Financial, Management, Impact
• Electronic Continuous Audit
• Certification
• Assurance
• Management & Operational Assurance (Risk & ROI)
• Technical Assurance (Availability, Serviceability & Maintainability)
• Financial Assurance
  – Revenue Assurance (Leakage & Fraud)
  – Legal Compliance & Assurance (Governance)


Page 12: Security architecture  rajagiri talk march 2011

Why Assurance? Competitive Threats & Way Forward

Internal Competition from Liberalization

World Competition from Globalization

Entrenched Competition Abroad

Asymmetry in Scale, Technology, Brands

Industry Shakeouts and Restructuring

Learn more about own Businesses.

Reach out to all Business & Function Heads.

Sharpen Internal Consultancy Competences.

Proactively Seize the Repertoire of MS & Partners

Foster two way flow of IS & Line Talent.

Page 13: Security architecture  rajagiri talk march 2011

Key Areas of Assurance

• Organizational
  – Systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
• Supplier
  – Confidence that controls of third party suppliers are adequate & meet the organization's benchmarks
• Business Partners
  – Confirmation that security arrangements with partners assess & mitigate business risk
• Services & IT Systems
  – Capability of developers and suppliers of IT services & systems to implement effective systems to manage risks to the organization's business

Page 14: Security architecture  rajagiri talk march 2011

What and Why of Business Assurance

• Manufacturing: Developing & implementing policies & procedures to ensure operations are efficient, consistent, effective & compliant with law
• Services: Process that establishes uninterrupted delivery of services to the customer and protects interest & information
• Project: Confirmation that the business case is viable and actual costs and time lines are in line with planned costs & schedules
• Objective: Delivers significant commercial value to the business while fully compliant with regulatory requirements; to avoid Enron type scandals and comply with Sarbanes Oxley in the US and Clause 49 in India

Page 15: Security architecture  rajagiri talk march 2011

Assurance Stakeholders

Stakeholders for business assurance:
• Board of Directors
• Management
• Staff/Employees
• Organisation
• Customers
• Public
• Suppliers
• Enforcement & regulatory authorities
• Owner
• Creditors
• Shareholders
• Insurers
• Business partners

Page 16: Security architecture  rajagiri talk march 2011

Benefits of Assurance

• Contributes to effectiveness & efficiency of business operations
• Ensures reliability & continuity of information systems
• Assists in compliance with laws & regulations
• Assures that organizational risk exposure is mitigated
• Confirms that internal information is accurate & reliable
• Increases investor and lender confidence

Page 17: Security architecture  rajagiri talk march 2011

Design Parameters (figure: matrix of actors against ICT design parameters, linked by a strategic compact / partnerships)

Actors (columns): Government – regulatory; Government – developmental; Business – technical; Business – financial; Civil society – informational; Civil society – technical

Contributions shown in the matrix cells: ICT operations and maintenance; ICT planning and design; Investment in R & D; Marketing and distribution; Project management and construction; Training; Borrowing capacity; Capital investment, eg network expansion; ICT technical solutions; Revenue collection; ICT Risk/venture capital; Sales and promotions; Subsidies; Access to development finance; ICT Regulatory powers (price, quality, interconnections, competition); ICT Transaction/concession design; Investment promotion; Legal framework for freedom of information; ICT Infrastructure strategy; ICT skills development; Innovation (high risk), eg community telecentres; Local customer knowledge; Capacity to network; A voice for the socially excluded; Expertise in design of 'relevant' content; Knowledge of user demand, eg technology and information gaps; Capacity to mobilise civil society

Design parameters (rows):
• Human Capacity: ICT technicians in govt, business and civil society; ICT user-awareness and skills; Support for Entrepreneurs
• Infrastructure: Suitable primary architecture; Suitable secondary technology; Acceptable cost/risks of deployment; Universal access (rural/urban); Adequate subscriber density
• Enterprise: Access to finance and credit; Supportive property rights and commercial law; Development of ICT suppliers and service SMEs; Stimulation of demand, eg govt 'leads by example' through procurement
• Policy and Regulations: Investment promotion and ownership rules; Fair tax regimes for business and society; Transparent policy making; Effective regulatory frameworks (price, quality, interconnection, competition); Adequate institutional capacity
• Content and Applications: Relevant to development goals and user needs, eg voice, e-mail, nat/global connectivity; Content compatible with education, cultural sensitivities and language; Affordable access (equipment, connection and content)

Page 18: Security architecture  rajagiri talk march 2011

• Operational Integration
• Professional Integration (HR)
• Emotional/Cultural Integration
• ICT & Government Business & Services Integration
• Multi Technology coexistence and seamless integration
• Information Assurance: Quality, Currency, Customization/Personalization

ICE is the sole integrator; IT Governance is important

Page 19: Security architecture  rajagiri talk march 2011

Managing Interdependencies: Critical Issues

• Infrastructure characteristics (Organizational, operational, temporal, spatial)

• Environment (economic, legal /regulatory, technical, social/political)

• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)

• Type of failure (common cause, cascading, escalating)

• Types of interdependencies (Physical, cyber, logical, geographic)

• State of operations (normal, stressed/disrupted, repair/restoration)

Page 20: Security architecture  rajagiri talk march 2011


Towards Information Assurance

• Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity.

• That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms."

--Jane Scott-Norris, CISO at the U.S. State Department

Page 21: Security architecture  rajagiri talk march 2011


Up The Value Chain

Page 22: Security architecture  rajagiri talk march 2011

Enabling to rapidly move up the Governance Evolution Staircase (figure: five stages plotted against Cost/Complexity and Value over Time; each stage is described under Strategy/Policy, People, Process and Technology; column assignment of the items below follows the slide's order)

1. Presence: Publish; Existing; Streamline processes; Web site; Markup (Trigger)

2. Interaction: Searchable database; Public response/email; Content mgmt.; Increased support staff; Governance; Knowledge mgmt.; E-mail best prac.; Content mgmt.; Metadata; Data synch.; Search engine; E-mail

3. Transaction: Competition; Confidentiality/privacy; Fee for transaction; E-authentication; Self-services; Skill set changes; Portfolio mgmt.; Sourcing; Inc. business staff; BPR; Relationship mgmt.; Online interfaces; Channel mgmt.; Legacy sys. links; Security; Information access; 24x7 infrastructure; Sourcing

4. Transformation: Funding stream allocations; Agency identity; "Big Browser"; Job structures; Relocation/telecommuting; Organization; Performance accountability; Multiple-programs skills; Privacy reduces; Integrated services; Change value chain; New processes/services; Change relationships (G2G, G2B, G2C, G2E); New applications; New data structures

5. Outsourcing (Constituent): Define policy and outsource execution; Retain monitoring and control; Outsource service delivery staff; Outsource process execution staff; Outsource customer facing processes; Outsource backend processes; Applications; Infrastructure; Evolve PPP model

Page 23: Security architecture  rajagiri talk march 2011

Why information security Governance is important

• With security incidents and data breaches having a huge impact on corporations, security governance, or oversight by the board and executive management, has assumed importance.

• Security governance refers to the strategic direction given by the board and executive management for managing information security risks to achieve corporate objectives by reducing losses and liabilities arising from security incidents.

Page 24: Security architecture  rajagiri talk march 2011

Threat & Vulnerability Management

• Authenticating user identities with a range of mechanisms, such as tokens, biometrics and Public Key Infrastructure

• Developing user access policies and procedures, rules and responsibilities and a standardized role structure that helps organizations meet and enforce security standards

• Centralizing user data stores in a single enterprise directory that enables increased efficiencies in user administration, access control and authentication

• Reducing IT operating costs and increasing efficiency by implementing effective user management to support self-service and automate workflow, and by provisioning and instituting flexible user administration

• You need an integrated threat and vulnerability management solution to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements.

• You need to protect both your own information assets and those you are custodian of, such as sensitive customer data.

• You want a real-time, integrated snapshot of your security posture.

• You want to correlate events from data emerging from multiple security touch points.

• You need support from a comprehensive inventory of known threat exposures.

• You need to reduce the cost of ownership of your threat and vulnerability management system


Page 25: Security architecture  rajagiri talk march 2011

Risk Identification

• Assess current security capabilities, including threat management, vulnerability management, compliance management, reporting and intelligence analysis.
• Define c
• Identify technology requirements for bridging security gaps
• Integrated Security Information Management
• Develop processes to evaluate and prioritize security intelligence information received from external sources, allowing organizations to minimize risks before an attack
• Implement processes that support the ongoing maintenance, evolution and administration of security standards and policies
• Determine asset attributes, such as direct and indirect associations, sensitivity and asset criticality, to help organizations allocate resources strategically
• Assist in aggregating security data from multiple sources in a central repository or "dashboard" for user-friendly presentation to managers and auditors
• Help design and implement a comprehensive security reporting system that provides a periodic, holistic view of all IT risk and compliance systems and outputs
• Assist in developing governance programs to enforce policies and accountability

Page 26: Security architecture  rajagiri talk march 2011

9 Rules of Risk Management

• There is no return without risk
  – Rewards go to those who take risks.
• Be Transparent
  – Risk is measured and managed by people, not mathematical models.
• Know what you don't know
  – Question the assumptions you make
• Communicate
  – Risk should be discussed openly
• Diversify
  – Multiple risks will produce more consistent rewards
• Show Discipline
  – A consistent and rigorous approach will beat a constantly changing strategy
• Use common sense
  – It is better to be approximately right than to be precisely wrong.
• Return is only half the question
  – Decisions are to be made only by considering the risk and return of the possibilities.

RiskMetrics Group

Page 27: Security architecture  rajagiri talk march 2011


The Insider – Who are They?

• Who is an insider?
  – Those who work for the target organization or those having relationships with the firm with some level of access
  – Employees, contractors, business partners, customers etc.

• CSI/FBI Survey key findings (2007)
  – Average annual losses $350,424 in the past year, up sharply from the $168,000 reported the previous year
  – Insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise
  – 63 percent of respondents said that losses due to insider-related events accounted for 20 percent of their losses
  – (Prevalence of insider criminals may be overblown by vendors of insider threat tools!)

Page 28: Security architecture  rajagiri talk march 2011


Solutions Based on Study Recommendations

• Prevention by
  – Pre-hire screening of employees
  – Training and education
• Early detection and treat the symptoms
  – Attack precursors exist, some non-cyber events
• Establish good audit procedures
• Disable access at appropriate times
• Develop best practices for prevention and detection
  – Separation of duties and least privilege
  – Strict password and account management policies

Page 29: Security architecture  rajagiri talk march 2011

General Solution Steps

• Collect data – notion of insider threat
• Formulate a model
  – Threat modeling technique – graph, empirical
• Determine which phase
  – Prevention/Detection/Mitigation
• Determine application domain
  – Commercial/Military
• Pick solution methodology
  – Signature/Rule based, anomaly based
  – Pick the right machine learning algorithms
• Data acquisition for evaluation and benchmark
• Take a small bite – good threat modeling is already a significant advance!

Page 30: Security architecture  rajagiri talk march 2011

Insider Threat Modeling

• Privilege escalation by impersonation
• Privilege escalation by exploiting vulnerabilities
• Own privilege abuse
• Social engineering attacks
• Colluding attacks

Page 31: Security architecture  rajagiri talk march 2011

Information-Centric Modeling

• University at Buffalo – CEISARE
  – Developed the concept of a Capability Acquisition Graph for insider threat assessment
  – Part of a DARPA initiative
  – Built a tool called ICMAP (Information-Centric Modeler and Auditor Program)
  – Publications in ACSAC 2004, IEEE DSN 2005, JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital Forensics Conference 2007
  – CURRICULUM: Computing, mathematical, legal, managerial and informatics
  – Various CAEs (certified by NSA, DHS), USMA, Syracuse, Buffalo, Stony Brook, Polytechnic, Pace, RIT

Page 32: Security architecture  rajagiri talk march 2011

Practical Considerations

• How is a model instance generated?
  – Define the scope of the threat
  – A step-by-step bottom-up approach starting with potential targets
• Who constructs the model instance?
  – A knowledgeable security analyst
• How are costs defined?
  – Cryptographic access control mechanisms have well-defined costs
  – Use attack templates, vulnerability reports, the attacker's privilege and the resources that need to be protected
  – Low, Medium and High – relative cost assignment
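The capability acquisition graph and the Low/Medium/High cost assignment described on the last two slides can be worked through in a few dozen lines. The example below is added here and is not ICMAP or any CEISARE code; the graph, the capability names and the ordinal weights for Low/Medium/High are all constructed assumptions. It computes the cheapest acquisition path from the capabilities an insider already holds to a protected resource, then shows the analyst which single control (raising one step to High cost) lifts that cheapest path the most, which is the defender's prioritisation question.

```python
import heapq
from typing import Dict, List, Optional, Set, Tuple

# Ordinal weights for the slide's Low / Medium / High relative costs.
# Assumption: the real ICMAP scale is not given on the page; these are ours.
COST = {"Low": 1, "Medium": 3, "High": 9}

# graph[capability] -> list of (capability acquired next, cost label)
Graph = Dict[str, List[Tuple[str, str]]]

# Constructed toy model (not from the talk): what an insider holding a
# contractor login could acquire on the way to the protected payroll database.
SAMPLE_CAG: Graph = {
    "contractor_login": [("shared_drive", "Low"), ("helpdesk_ticket", "Low")],
    "shared_drive": [("payroll_export", "Medium")],
    "helpdesk_ticket": [("admin_reset", "High")],
    "admin_reset": [("payroll_db", "Low")],
    "payroll_export": [("payroll_db", "Low")],
    "payroll_db": [],
}


def least_cost_path(graph: Graph, starts: Set[str], target: str
                    ) -> Tuple[Optional[int], List[str]]:
    """Dijkstra from every capability the insider already holds.

    Returns (total cost, path) or (None, []) if the target is unreachable.
    """
    dist = {s: 0 for s in starts}
    prev: Dict[str, str] = {}
    heap = [(0, s) for s in sorted(starts)]
    heapq.heapify(heap)
    done: Set[str] = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node == target:
            path = [node]
            while path[-1] in prev:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for nxt, label in graph.get(node, []):
            nd = d + COST[label]
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    return None, []


def rank_controls(graph: Graph, starts: Set[str], target: str
                  ) -> List[Tuple[str, str, Optional[int], Optional[int]]]:
    """Try raising each non-High edge to High (a control on that acquisition
    step) and report the resulting cheapest path.

    Each row is (src, dst, cost before, cost after); rows are sorted so the
    control that raises the cheapest path the most comes first.
    """
    base, _ = least_cost_path(graph, starts, target)
    rows = []
    for src, edges in graph.items():
        for i, (dst, label) in enumerate(edges):
            if label == "High":
                continue
            trial = {k: list(v) for k, v in graph.items()}
            trial[src][i] = (dst, "High")
            after, _ = least_cost_path(trial, starts, target)
            rows.append((src, dst, base, after))
    # Unreachable (None) is the best possible outcome for the defender.
    rows.sort(key=lambda r: (-(r[3] if r[3] is not None else 10**9), r[0], r[1]))
    return rows


if __name__ == "__main__":
    cost, path = least_cost_path(SAMPLE_CAG, {"contractor_login"}, "payroll_db")
    print("cheapest path:", cost, " -> ".join(path))
    for src, dst, before, after in rank_controls(SAMPLE_CAG, {"contractor_login"}, "payroll_db"):
        print(f"control on {src} -> {dst}: {before} becomes {after}")
```

On the sample graph the cheapest path costs 5 via the shared drive export; no single control lifts it above 11 because the help-desk route is only slightly dearer, which is exactly the kind of alternative path a bottom-up model built from the target is meant to expose.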

Page 33: Security architecture  rajagiri talk march 2011

3/7/2009 IMT Ghaziabad Lecture Prof. KS@2009 March 2009

Calder- Moir IT Governance Framework

Page 34: Security architecture  rajagiri talk march 2011

Measurement of IT Projects Value and Effectiveness

IT Assessment
1. Validity or Relevance
2. Protectibility
3. Quantifiability
4. Informativeness
5. Generality
6. Transferability
7. Reliability to other parts of the organization

• Effectiveness
  – Utility
  – Efficiency
  – Economy
  – Control
  – Security

Assessment of IT Functions
  – Strategy
  – Delivery
  – Technology
  – People
  – Systems

Page 35: Security architecture  rajagiri talk march 2011

5th December 2007 Cyber assurance for Financial services

IT Services Objectives and Certification Framework (figure: attributes mapped across frameworks)

Frameworks: IT Act, COBIT, Control Theory

Attributes: Reliability of information; Compliance; Availability; Integrity; Confidentiality; Efficiency; Effectiveness

Indian IT Act references: 2(1)(zd)(a), 2(1)(zd)(b), 2(1)(zd)(c), 2(1)(zd)(d)

Page 36: Security architecture  rajagiri talk march 2011

Standards, Standards, Standards

• Security
• Audit
• Interoperability
• Interface (systems/devices/comm.)
• Architecture/Building Blocks/Reusable
• HCI (Human Computer Interface)
• Process
• Environmental (Physical, Safety)
• Data Interchange & mail messaging
• Layout/Imprint

Page 37: Security architecture  rajagiri talk march 2011

Importance of Group Standards – no one standard meets all requirements
ISO 27001/BS7799 vs COBIT vs CMM & PCMM vs ITIL

Mission
Business Objectives
Business Risks
Applicable Risks
Internal Controls
Review

Page 38: Security architecture  rajagiri talk march 2011

Governance & Assurance Maturity Model

Page 39: Security architecture  rajagiri talk march 2011

Security/Risk Assurance – Expectations

"To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust"

"To derive a powerful logic for implementing or not implementing a security measure"

Page 40: Security architecture  rajagiri talk march 2011

IT Security predictions 2010-2011

1. Pirated software*

Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, and thus are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware pre-installed. As a result, users of pirated software will become the new "Typhoid Marys" of the global computing community.

*IBM's X-Force research team

Page 41: Security architecture  rajagiri talk march 2011

IT Security predictions 2010-11

2. Social engineering meets social networks and ups the ante

Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.

Page 42: Security architecture  rajagiri talk march 2011

IT Security predictions 2010-2011

3. Criminals take to the cloud

Criminals take to the cloud. We have already seen the emergence of “exploits as a service.” In 2010 we will see criminals take to cloud computing to increase their efficiency and effectiveness.

Page 43: Security architecture  rajagiri talk march 2011


IT Security predictions 2010

• A rise in attacks on health care organizations will occur for similar reasons
• Continued attacks on retailers big and small, and on tax authorities
• Educational/school systems: anywhere where lots of records are kept by organizations that haven't traditionally had best practice security in place

Page 44: Security architecture  rajagiri talk march 2011


Assurance in the PPP Environment

Page 45: Security architecture  rajagiri talk march 2011

THANK YOU

For Interaction:

Prof. K. [email protected]

[email protected]@ignou.ac.in

Tele:011-29533068;23219857

Let us Assure Good Cyber Governance & Business Assurance in Cyber Era