May 30th – 31st, 2007, Chateau Laurier, Ottawa. Putting Secure Information Sharing and Access Management Into Practice. John Hewie, Microsoft Canada; Tim.

Presentation transcript:

May 30th – 31st, 2007, Chateau Laurier, Ottawa

Putting Secure Information Sharing and Access Management Into Practice
John Hewie, Microsoft Canada
Tim Upton, Titus Labs Inc.

The Challenge
How do we share information in a secure and cost-effective manner that allows for timely and effective access by the right individuals?
How do we move from "need to isolate" to "need to share securely"?
Many policies exist that encumber information sharing across departments and agencies.

The Current Solution
(Diagram of separate networks and devices, one per classification or caveat:)
SIPRNET
GWAN
NSANET (IWS)
JIWCS (IWS)
Site TS/SI/TK/B Ops Net
STU-III
Red Phone
JWICS VTC
OSINT
READOUT Multi-Net (IWS)
Secure Polycom

Today's Solution - Multiple Everything
Physical separation is the norm: each network has its own storage, network, servers and desktops. This results in:
High total cost of ownership (for example, USCENTCOM operates several distinct networks at the same classification level but with different caveats)
Multiple accounts per user
Difficult collaboration
Duplication of information
Complex security management
Information sharing via sneaker net or by retyping information

What is SISA?
SISA - "Secure Information Sharing Architecture"
Partnership between Microsoft, Cisco, EMC, Decru and Titus
An approach for collapsing many physical networks into virtual "compartments" on one physical network
Original goals were military sharing requirements, but the solution components are applicable to anyone who needs to share information securely
SISA is a secure collaboration framework built upon a single physical network

Demo: Secure Information Sharing Architecture

Approach
Use a single source for authentication: Active Directory
Enforce user-specific rights and network privileges based on group membership
Ensure best security protection against known and unknown threats
Validate the security posture of each host system
Automatically enforce system update remediation
Consolidated monitoring of computer and network security
Secure data at rest and in transit
Make it affordable: leverage existing hardware, software and training investments
Protect compartmented data within a single IT system
Leverage guidance defined in DCID 6-3: Protection Level 3 (PL3) addresses compartmentalization at the same "security classification" level

Architectural Service Components
(Diagram of the service layers and their functions:)
Access Protection Services
End-Device Lockdown and Health
Network Protection / Policy Enforcement
Content Protection Services
Data Protection Services
WatchDog Services
Network Path Isolation
Application AuthN and AuthZ
Document and File Encryption
Application Lockdown
Data at Rest Isolation and Encryption
Intelligent Auditing

Component Descriptions
Access Protection Services for End-Devices: establish healthy end-devices and protect against malicious code attacks (Group Policy, Cisco Security Agent (CSA))
Access Protection Services for Networks: port authentication, path isolation and policy enforcement on network devices (802.1X, NAC, domain isolation (IPsec), VLANs)
Content Protection Services: collaboration services with protection against inadvertent disclosure of files, documents and e-mails (AD, Office, RMS, Titus Labs)
Data Protection Services: protection of data at rest (Decru, VSANs (Cryptainers))
Watchdog Services: intelligent auditing, intrusion attempt detection, anomalous behaviour reporting (CS-MARS)

Demo: Content Protection Services

Customer: US Department of Veterans Affairs

US Veterans Affairs
250,000 users
Experienced the largest information security breach to date (26.5 million records)
Issued a Request for Proposal covering the low-hanging fruit of the SISA architecture:
"Classification of messages"
"Easy to use, non-intrusive"
"Interact with Windows RMS"
"Deploy in 90 days"

Veterans Affairs Service Components
(Same service-component diagram, showing the layers adopted for Veterans Affairs:)
Access Protection Services
End-Device Lockdown and Health
Network Protection / Policy Enforcement
Content Protection Services
Data Protection Services
WatchDog Services
Network Path Isolation
Application AuthN and AuthZ
Document and File Encryption
Application Lockdown
Data at Rest Isolation and Encryption
Intelligent Auditing

SISA Key Benefits
Tiered approach that delivers multiple layers of security controls
Commercial off-the-shelf infrastructure that takes advantage of current investments and skill sets
Familiar user interfaces to speed training
Authentication at the user, machine and port levels
Network admission control that applies policy-based admission criteria to each endpoint before allowing connection
Encryption for stored and in-transit data
Cryptographic segmentation of stored data for significant consolidation cost savings
Access to stored data based on permissions set in Microsoft Active Directory
Digital rights management of e-mail and attachments
Security monitoring and reporting tools that provide pertinent, actionable information for managers

Where are We?
CENTCOM functional prototype completed June 2006
NSA review completed January 2007
Working with SOCEUR for an upcoming exercise
Working on a refresh of the architecture

Want to Know More?