Reliable Security Current State, Challenges, Desired State S. Rao Vasireddy Bell Laboratories, Alcatel-Lucent Tel: 732-582-7179

Presentation transcript:


All Rights Reserved © Alcatel-Lucent 2006

Slide 2: Quality of Service
Quality of Service: Availability 99.95%; Packet Loss
"You cannot improve what you cannot measure" – Lord Kelvin
Quality of Security?

Slide 3: What is Quality of Security?
Quality of security requires establishment of a set of metrics that can be:
- Consistently measured and tracked
- Engineered to achieve comprehensive network security
Example metric: encryption protocol strength, measured by Time to Break Encryption (TBE) = 10^N years.
Security metrics should be enablers to measure and engineer security, similar to the role played by performance and reliability metrics.
Table (column layout lost in extraction; cells shown in the order they appear on the page):
Key Length | Number of Key Combinations
40-bit DES | 4 Hrs | Seconds | ~
bit DES | 140 days | ~ Hrs | ~
bit 3DES | NA | ~10^21 years | ~10^24

Slide 4: Characteristics of Metrics
- Specific, Measurable, Attainable, Repeatable, Time-dependent (SMART)
- Measurable attributes that can be objective or subjective
- Provide evidence of effectiveness for security engineering (e.g. 99% of traffic has communications security)
Network security is implemented by several measures. Example techniques:
- Encrypt traffic with integrity checks
- Authenticate transactions and processes
- Log and analyze security events
- Ensure that traffic from Source A reaches intended Destination X
- Harden ports, interfaces and operating systems
- Prevent/filter unwarranted traffic
- Adhere to security policy and operations/management procedures
Security metrics should represent the technology, process and operational measures required to achieve comprehensive security.

Slide 5: Current State of Quality of Security
Technology, standards and measurement techniques are still evolving:
- Lack of comprehensive measurement and tracking for the emerging engineering discipline
Qualitative measures:
- An estimate of the state of security
- Example: 95%+ success rate for zero-day virus prevention. Not an accurate measure of availability.
Gap: need additional measures such as:
- P% of transactions authenticated
- Q% of the events logged and analyzed
- R% guarantee that traffic from Source A reaches Destination X
- 100% of the procedures that are relevant to network operations and security policy are followed
Current focus: mainly driven by security compliance audits, penetration tests, etc.
- Compliance with policy, regulatory and legal requirements
- Reactive as opposed to proactive measures
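The two kinds of metric the slides propose, the TBE = 10^N years strength figure from slide 3 and the P%/Q%/R% operational measures from slide 5, computed over constructed records. This is an added illustration, not code from the presentation; the guess rate, the half-key-space brute-force model and the sample records are assumptions.

```python
from math import log10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def time_to_break_years(key_bits, guesses_per_second):
    """Brute-force TBE in years. Assumption: exhaustive search is the only
    attack and the expected work is half the key space, so this is an upper
    bound on the protocol's strength, not a measure of its real weaknesses."""
    return (2 ** key_bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def tbe_exponent(key_bits, guesses_per_second):
    """The N in the slide's 'TBE = 10^N years', rounded to an integer."""
    return round(log10(time_to_break_years(key_bits, guesses_per_second)))


def percent(hits, total):
    """Share of records meeting a criterion, as a percentage (one decimal)."""
    return round(100.0 * hits / total, 1) if total else 0.0


def scorecard(transactions, events, flows):
    """P, Q and R measures from slide 5 over tagged records.
    R only counts flows that were sent from Source A to Destination X."""
    a_to_x = [f for f in flows if f["src"] == "A" and f["dst"] == "X"]
    return {
        "P_authenticated": percent(sum(t["authenticated"] for t in transactions), len(transactions)),
        "Q_logged_and_analyzed": percent(sum(e["logged"] and e["analyzed"] for e in events), len(events)),
        "R_delivered_A_to_X": percent(sum(f["delivered"] for f in a_to_x), len(a_to_x)),
    }


# Constructed sample records (not taken from the presentation).
TRANSACTIONS = [{"authenticated": b} for b in (True, True, True, False)]
EVENTS = [{"logged": True, "analyzed": True}, {"logged": True, "analyzed": False},
          {"logged": False, "analyzed": False}, {"logged": True, "analyzed": True}]
FLOWS = [{"src": "A", "dst": "X", "delivered": True}] * 9 + [
    {"src": "A", "dst": "X", "delivered": False},
    {"src": "B", "dst": "X", "delivered": True},
]

if __name__ == "__main__":
    for bits in (40, 56, 168):  # key sizes named in the slide's table
        print(f"{bits}-bit key at 1e9 guesses/s: TBE ~ 10^{tbe_exponent(bits, 1e9)} years")
    print(scorecard(TRANSACTIONS, EVENTS, FLOWS))
```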

Slide 6: Challenges
A security metric is not independent by itself:
- Dependencies exist on other metrics and operational procedures
- A fix that results in improved quality for one metric may positively or negatively impact others
Quality of security requires process-based as well as technology-based metrics. Technology-based metrics need to be embedded in the process metrics as a stopgap measure to compensate for the lack of measuring tools.

Slide 7: A Foundation for Quality of Security
Security frameworks, process/certification guidelines:
- Define metrics, architecture
- Help build the security "genome" for networks
- Example: ITU-T X.805, ISO/IEC 27001, NIST
Network technology specific standards:
- Define/specify new technologies, protocols and operations/management techniques
- IETF, IEEE, ISO/IEC, ITU, 3GPP, 3GPP2, ANSI, ETSI
ITU-T X.805 together with other security standards provides a framework to establish metrics for security.

Slide 8: A Standards-Based Approach for Evaluating Quality of Security
Inputs: security frameworks (ITU-T X.805, NIST, NRIC etc.), verification tools, standards and best practices.
Metrics, expressed as % compliance per X.805 security dimension:
- Access Control
- Authentication
- Non-Repudiation
- Data Confidentiality
- Communication Security
- Data Integrity
- Availability
- Privacy
- Process, policy compliance
Status summary:
- A systematic measure, akin to the broadly accepted ways of measuring performance and reliability, is needed for quality of security
- A combination of technical, process and operational methods is needed to implement quality of security across all phases of the security life-cycle
- Industry standards and best practices provide a foundation for evaluating quality of security