it security risks
DESCRIPTION
IT Security Risks. Introduction. IT security threats are a growing reality Everyone is at risk - governments, corporations, individuals. Governments. Corporations. Foreign Policy National Security. Financial HR/Employee. Domestic Programs. - PowerPoint PPT PresentationTRANSCRIPT
eaglehawk
IT Security Risks
2
Introduction
IT security threats are a growing reality Everyone is at risk - governments, corporations, individuals
GovernmentsForeign Policy National Security
Domestic Programs
CorporationsFinancial HR/Employee
Intellectual Property
Individuals
Financial Medical
Personal
3
Recent Breaches
A sampling of some recent high-profile activity makes the point:
27 Apr – Sony PlayStation Network Hacked, 77m Accounts At Risk
16 Apr – Internet Mistake Reveals UK Nuclear Submarine Secrets
15 Apr – Texas Controller Exposes Personal Data On Millions
04 Apr – Targeted Attacks Expected After Massive Epsilon Email Breach
30 Mar – Australian PM Computers Hacked, Chinese Attack Suspected
24 Mar – European Commission Hit By Cyberattack
18 Mar – Hackers Breach EMC Security Division, RSA SecurID Tokens
07 Mar – Hackers Attack French Govt Computers Seeking G20 Secrets
17 Feb – Chinese-Based Cyberattack On Key Canadian Departments
4
Control Over Digital Assets Control over how these assets are used Control over who has access to these assets (my focus today)
The Costs Of Losing Control Are Not Theoretical Non-financial costs are significant (reputation/credibility)
e.g., Wikileaks, Google users in China, Identity Theft Financial costs are staggering (lost revenues/customers)
In US (2010) an average corporate breach cost $7.2 million ($214/record) In UK (2010) an average corporate breach cost £1.9 million (£71/record)
What’s At Stake
5
The Nature of the Threats Errors: Unintentional or unrecognised breakdowns in security
System Design Errors, e.g., insecure hardware/software, faulty configurations Procedural Errors, e.g., insufficient security policies, ineffectual implementation Human Errors, e.g., the lost laptop problem
Attacks: Unauthorised access to systems and assets
Vandalism, e.g., denial of service Cybercrime, e.g., criminal intrusion, employee retaliation
SUCCESSFUL ATTACKS REQUIRE ERRORS
6
Three Ways To Confront IT Security Risks
Rule #1: PROTECT THE DATA ITSELF Assume that the system will be compromised Notwithstanding all other protections, assume environmental or
procedural failure Encrypt all high-value data assets
CONTAIN EXPOSURE BY MAKING THE DATA UNUSABLE
7
Three Ways To Confront IT Security Risks Rule #1: PROTECT THE DATA ITSELF
Rule #2: EMPLOY FINE-GRAINED ACCESS CONTROL Assume that the system will be compromised Control access over all steps in the path to digital assets
Discrete access control over the system, apps, functions, keys, data Need-To-Share requires Need-To-Know criteria to control access
CONTAIN EXPOSURE BY MANAGING ACCESS
8
Three Ways To Confront IT Security Risks Rule #1: PROTECT THE DATA ITSELF Rule #2: EMPLOY FINE-GRAINED ACCESS CONTROL
Rule #3: IMPLEMENT COMPREHENSIVE AUDIT PROCESSES Assume that the system will be compromised Maintain audit over all paths to the digital assets & activity with the
assets themselves Look over everyone’s shoulder all the time
Adopt centralised audit to enable standardized, real-time oversight
CONTAIN EXPOSURE WITH FORENSIC-LIKE TRACKING
9
Applying The Rules – Two Everyday Examples Rule #1: PROTECT THE DATA ITSELF Rule #2: EMPLOY FINE-GRAINED ACCESS CONTROL Rule #3: IMPLEMENT COMPREHENSIVE AUDIT PROCESSES
Example 1 (Rules 1, 2, and 3):
Protecting Files Outside The Trusted Environment
Example 2 (Rules 2 and 3):
Securing Access To Network & Cloud Services
10
Protecting Files Outside The Trusted Environment The Requirement: Sensitive files must be accessed away from the office, e.g.,
Off-site work at a remote customer location Employees working at home
Remote access back into the trusted environment is prohibited
An Unfortunately Common Occurrence The sensitive file is copied onto a mobile device, e.g., a laptop or USB drive The mobile device is physically transported outside the trusted environment This commonly employed formula-for-disaster can easily lead to:
COMPLETE LOSS OF CONTROL OVER THE DIGIT ASSETS
11
Protecting Files Outside The Trusted Environment
A Solution Employing The Rules
Within The Trusted Environment Prepare the digital file: Encrypt the file Manage access to the encryption key Audit everything
From Any Remote Location Retrieve the digital file: Authorise access for the Remote User Retrieve encrypted file, retrieve decryption key Audit everything
CONTROL OVER THE DIGITAL ASSET IS MAINTAINED
12
Securing Network & Cloud Services The Requirement: Replace legacy applications with a broad array of Network & Cloud services
The IT Security Challenge: Access control over numerous disparate services provided by a multitude of
unaffiliated vendors Little or no uniformity in access control processes/capabilities across
services/vendors Extreme complexity and costs in managing access at the individual service level
An Unfortunately Common Occurrence Proceed with Network & Cloud initiatives, skip over the access control
problem for now Don’t design access control into the solution, slap it on later (if we get hacked)
13
Securing Network & Cloud Services
A Solution Employing The Rules
Externalise Access Control From Individual Network & Cloud Services Centralise access control functions
Relieve individual services of access control administration Avoid the complexity/costs of managing access control at the individual service level
Implement Comprehensive, Fine-Grained Access Control Control access to all Network & Cloud services & components
Adopt a centralised “War Room” approach controlling who-gets-at-what
Implement Comprehensive Audit Of All Activity Standardised, real-time oversight of access
ACCESS CONTROL TO NETWORK & CLOUD SERVICES IS MAINTAINED