Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão.

Presentation transcript:

2 Outline
Organizations Security Background
Statistics & Lessons Learnt
Threats
The Multilevel Security Model
CSW Multilevel Security Solution
Implementation Methodology
Conclusion

3 Background
Organizations are well protected against outside threats: firewalls, antivirus, etc.
Communication services like e-mail are business applications
Confidential information is more and more in digital format
Competitiveness, customer pressure and privacy compliance are ever more demanding (SOX, EU DPD, Basel II, identity theft, etc.)
Information leakage has increasing business impact

5 Statistics & Lessons Learned
per cent of leaks are either unintentional or accidental (Gartner Report)
70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise (Vista Research)
Leakage of confidential/proprietary information represents 52% of organizations' security threats (Merrill Lynch survey of North American CISOs, July 2006)
Loss of customer and proprietary data overtook virus attacks as the source of the greatest financial losses (2007 CSI Computer Crime and Security Survey)

6 Statistics & Lessons Learned
Deutsche Bank Loses Hertz IPO Role Because of E-mails
Nov. 8 (Bloomberg) -- Deutsche Bank AG, Germany's largest bank, lost its spot among the underwriters of Hertz Global Holdings Inc.'s initial public offering after an employee sent unauthorized e-mails to about 175 institutional accounts.
Ubisoft "accidentally" leaks tons of assets
Over two gigs' worth of screenshots, videos, and concept art was apparently accidentally posted by Ubisoft on their public FTP server. Whoops.

8 Threats
Confidential information sent by e-mail to external addresses
Failures in the identification of confidential information
Mishandling of confidential information
Confidential information stored on portable devices
Misuse of communication and data sharing services

10 The Multilevel Security Model
Multilevel security:
Users have a security clearance
Objects are assigned a security classification
Users access objects based on their security clearance and the object's security classification
Flow of information is controlled based on the object's security classification

11 The Multilevel Security Model – Information Access Control
All users have a security clearance
All information should carry a security mark and level
The security mark/level should be impossible to forge and easy to identify
Access control depends on the information's security mark and on the user's security clearance
All accesses are logged for future auditing

12 The Multilevel Security Model – Information Flow Control
Verify the outputs produced by different sources
Prevent unauthorized users from changing the classification mark
Identify the security mark/level and enforce the defined policy
All data flow is logged for auditing
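Slides 11 and 12 require a security mark that is easy to identify but impossible for an ordinary user to forge or downgrade. The deck does not say how CSW implements this; the following added example (not code from the presentation or from Critical Software) shows one standard way to get that property: the mark carries the document id, its level and a digest of the content, all authenticated with an HMAC under a key that only the labelling service holds. The level names, the key and the document are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key. In a deployment the labelling key lives with the
# labelling/verification service (or an HSM), never on a user's workstation;
# that is what makes the mark unforgeable by the people it constrains.
LABEL_KEY = b"constructed-demo-label-key"

# Hypothetical classification ladder (the deck does not name its levels).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


def make_mark(doc_id: str, level: str, content: bytes) -> str:
    """Issue a security mark bound to the document id, its level and its content."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    body = {
        "doc": doc_id,
        "level": level,
        "digest": hashlib.sha256(content).hexdigest(),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(LABEL_KEY, payload, hashlib.sha256).digest()
    # "payload.tag", both base64: trivial to spot in a file header or mail field
    return f"{base64.b64encode(payload).decode()}.{base64.b64encode(tag).decode()}"


def verify_mark(mark: str, content: bytes):
    """Return (ok, level). ok is False if the mark or the marked content was altered."""
    try:
        payload_b64, tag_b64 = mark.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except (ValueError, binascii.Error):
        return False, None  # malformed mark
    expected = hmac.new(LABEL_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, None  # mark was edited or made up without the key
    body = json.loads(payload)  # authenticated, so safe to parse
    if body.get("digest") != hashlib.sha256(content).hexdigest():
        return False, None  # content changed after it was marked
    return True, body["level"]


def edited_level_mark(mark: str, new_level: str) -> str:
    """Rewrite the level text inside an existing mark while keeping its old tag.

    Models a user editing the visible label by hand; verify_mark() rejects the
    result because the tag no longer matches the payload.
    """
    payload_b64, tag_b64 = mark.split(".", 1)
    body = json.loads(base64.b64decode(payload_b64))
    body["level"] = new_level
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return f"{base64.b64encode(payload).decode()}.{tag_b64}"


if __name__ == "__main__":
    content = b"Q3 acquisition plan (constructed sample document)"
    mark = make_mark("doc-0042", "CONFIDENTIAL", content)
    print(verify_mark(mark, content))                                 # (True, 'CONFIDENTIAL')
    print(verify_mark(edited_level_mark(mark, "PUBLIC"), content))    # (False, None)
    print(verify_mark(mark, content + b" edited"))                    # (False, None)
```

Binding the content digest into the mark is what lets the flow-control layer "verify the outputs produced by different sources": a document whose body was swapped under an old label fails verification just like a label whose level was edited. Policy enforcement should treat any unverifiable mark as the highest level rather than as unmarked.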

14 CSW Multilevel Security Solution
Information security requires intervention on all elements of the infrastructure:
Workstations
  Enforce the classification (protection) of office files or e-mail messages
  Control what the user can do (change, print, copy-paste, …)
  Allow classification (protection) of any type of file
Network border
  Control the information flow for several communication services: e-mail, FTP, IMS, …
Corporate servers
  Enforce protection policies for information stored on corporate servers: content management servers, file servers, collaboration servers, …

15 CSW Multilevel Security Solution – Multilevel Management Tools
Configuration: easy to use, web based tools to manage marks/levels, users' security clearances, and access and flow policies
Auditing: consoles tailored to the organization's requirements and compliance needs; data mining solutions for intelligent alarms and advanced data collection

16 CSW Multilevel Security Solution
1 – Users A and B log in to the organization domain. Authentication and authorization are performed; the information access policy is enforced.
2 – User A classifies a document or an e-mail message with a Security Mark and saves it or sends it. User B accesses the document or the message: he can read it but does not have printing privilege.
3 – User B uploads a document to a content management server; the document is marked with the defined mark. Information on the servers is encrypted.
4 – The Border Protection Device denies the flow of marked information.
5 – Configure the security policy, clearances and marks.
6 – Audit for compliance.
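The model of slides 10 to 12 and the walk-through on slide 16 can be put together in a few dozen lines. This added example is not CSW's code and does not show how their product decides; it is a reference policy engine in the spirit of the slides: a clearance dominates a mark when it is at least as high, read-style access needs only dominance, actions such as printing or changing the mark additionally need a named privilege, the border device lets marked information flow only to destinations whose assigned level dominates the mark, and every decision is written to an audit log. Level names, users, privileges and destinations are constructed for the demo; the mark on the document is assumed to have been verified already.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Hypothetical classification ladder; higher number = more sensitive.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Constructed destinations as seen by the border protection device, each with the
# highest mark allowed to flow to it. Unknown destinations are treated as PUBLIC.
DESTINATIONS = {
    "content-server": "SECRET",      # corporate server, encrypted at rest
    "partner-extranet": "INTERNAL",
    "internet": "PUBLIC",
}

# Actions that need an explicit privilege on top of sufficient clearance.
PRIVILEGED_ACTIONS = {"print", "copy", "change", "reclassify"}


@dataclass
class User:
    name: str
    clearance: str
    privileges: FrozenSet[str] = frozenset()


@dataclass
class Document:
    doc_id: str
    mark: str  # classification mark, assumed already verified as genuine


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)

    def record(self, who: str, action: str, target: str, allowed: bool, reason: str) -> bool:
        verdict = "ALLOW" if allowed else "DENY"
        self.entries.append(f"{who} {action} {target}: {verdict} ({reason})")
        return allowed


def dominates(level_a: str, level_b: str) -> bool:
    """True if level_a is at least as high as level_b in the ladder."""
    return LEVELS[level_a] >= LEVELS[level_b]


def check_access(user: User, doc: Document, action: str, log: AuditLog) -> bool:
    """Workstation/server side: clearance must dominate the mark; some actions need a privilege."""
    if not dominates(user.clearance, doc.mark):
        return log.record(user.name, action, doc.doc_id, False,
                          f"clearance {user.clearance} below mark {doc.mark}")
    if action in PRIVILEGED_ACTIONS and action not in user.privileges:
        return log.record(user.name, action, doc.doc_id, False, f"no {action} privilege")
    return log.record(user.name, action, doc.doc_id, True,
                      f"clearance {user.clearance} >= mark {doc.mark}")


def check_flow(user: User, doc: Document, destination: str, log: AuditLog) -> bool:
    """Border side: marked information may only flow where the destination's level dominates the mark."""
    dest_level = DESTINATIONS.get(destination, "PUBLIC")
    allowed = dominates(dest_level, doc.mark)
    return log.record(user.name, f"send->{destination}", doc.doc_id, allowed,
                      f"destination level {dest_level} vs mark {doc.mark}")


def run_scenario() -> Tuple[List[bool], AuditLog]:
    """Steps 2-4 of slide 16: A marks, B reads but cannot print, B uploads, border blocks the leak."""
    log = AuditLog()
    alice = User("A", "SECRET", frozenset({"print", "copy", "change", "reclassify"}))
    bob = User("B", "CONFIDENTIAL")               # cleared, but no extra privileges
    carol = User("C", "INTERNAL")                 # cleared below the document's mark
    doc = Document("plan.docx", "CONFIDENTIAL")   # constructed: mark applied by A in step 2
    decisions = [
        check_access(alice, doc, "change", log),       # True
        check_access(bob, doc, "read", log),           # True: read needs only clearance
        check_access(bob, doc, "print", log),          # False: no print privilege
        check_access(bob, doc, "reclassify", log),     # False: B may not change the mark
        check_access(carol, doc, "read", log),         # False: INTERNAL < CONFIDENTIAL
        check_flow(bob, doc, "content-server", log),   # True: step 3 upload stays inside
        check_flow(bob, doc, "internet", log),         # False: step 4, border denies
    ]
    return decisions, log


if __name__ == "__main__":
    for line in run_scenario()[1].entries:
        print(line)
```

Two design points carry over to a real deployment. The border check uses a level assigned to the destination rather than a list of blocked addresses, so a new external address is denied by default instead of slipping through. And the log entry is produced by the same function that returns the decision, so there is no code path that enforces without auditing, which is what slide 11's "all accesses are logged" and slide 16's step 6 depend on.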

17 CSW Multilevel Security Solution – Classification tools: seamless COTS tools integration

18 CSW Multilevel Security Solution – Classification tools: seamless COTS tools integration

19 CSW Multilevel Security Solution – Classification tools: seamless COTS tools integration

20 CSW Multilevel Security Solution – Administration tools: main overview and client update

21 CSW Multilevel Security Solution – Administration tools: authorization management (credentials)

22 CSW Multilevel Security Solution – Administration tools: classification marks/levels management

23 CSW Multilevel Security Solution – Administration tools: access and flow policies management

24 CSW Multilevel Security Solution – Auditing tools

26 Implementation Methodology
1) Perform a risk assessment
2) Define security policies and procedures
3) Identify COTS hardware and software
4) Define the configuration for the system
5) Develop integration tools to enforce policies

28 Conclusion
A ready to use solution based on well accepted COTS
Smooth learning curve – well known user interfaces
Compatibility with existing systems
Low TCO
Reduced technological risks
Flexibility – easy customization for specific client requirements

29 Questions? Thank you