General High-Assurance Security Topology

1 General High-Assurance Security Topology
CHECO Fall Conference 2017
Steven R. Lovaas, Colorado State University

2 Overview
What's a Topology, and why would we want a general one?
How is that similar to architectures and frameworks?
Core design principles
Key enabling technologies
How does it work? Scoping
Next steps
What's the payoff?

3 What Do I Mean by "Topology"?
Topology = security devices and functions, their arrangement on a network, security zones, and access methods.
Security elements = people, process, and technology.
Technology choices encode and imply policies, so I'd say that a Security Topology covers technology and at least part of process.
Diagram: User -> Strong auth -> Firewall -> Services (Web, DNS, NTP) -> Data. Authorized access only, and only from designated user stations.

4 Why Would We Want One?
Each new requirement or compliance scheme requires a lot of work to figure out whether it applies, whether we can meet the rules, how it works with our existing controls, how much it'll cost, where to put it... Sound familiar?
What if we had a general set of technologies and processes flexible enough to accommodate additional compliance schemes, new versions, new users, and even requests for new locations?
Enter the General High-Assurance Security Topology (GHAST) (with apologies to Gary Gygax)

5 Architecture vs. Framework... and Topology?
Security architecture is something you build (with People, Process, and Technology).
There are numerous security frameworks offering guidance for your architecture:
  PCI-DSS
  ISO 27001/2
  NIST CSF
Some are required with a certain kind of data. Others are a good description of your use of best practices, to share with auditors and customers.

6 Security Architecture
Technology: hardware, software, network, technical controls
Process: policy, procedure, standards
People: staffing, clearance, background checks, division of responsibilities
Forced by type of data: PCI-DSS, HIPAA Security Rule, NIST, NISPOM
Security Frameworks (best practices, for sharing with auditors and customers, guiding design of systems): ISO 27001/2, NIST CSF, SOC 2/3
Our goal: a general topology of technology and process controls, flexible enough to accommodate multiple frameworks with varying scope and multiple sites.

7 Core Principles
Principle of Least Privilege
  Implies separation of duties, default-deny, blacklist/whitelist
Zero Trust Model
  Strong authentication for all devices and users
  Unprivileged networks
  Trust no packet
Sustainability
  Expand capacity with growth; funding model viable for the long term; easy to add more sites

8 Key Enabling Technologies
VPN/gateway, per-user ACLs
Multi-factor authentication
Encrypted storage
Virtual machines
Physical/virtual firewalls
Continuous vulnerability mgmt.
Data Loss Prevention
Event/log/change correlation and alerting (SIEM)
Compliance mgmt., reporting
Risk evaluation, reporting
Incident response support, automation
Physical access control
Video monitoring

9 Key Enabling Technologies (CSU* NIST 800-171)
Existing:
  VPN/gateway, per-user ACLs - Pulse
  Multi-factor authentication - Duo
  Virtual machines - VMware/vCenter
  Physical/virtual firewalls - Juniper SRX
  Physical access control
  Video monitoring
New:
  Encrypted storage - Dell/EMC array
  Event/log/change correlation and alerting (SIEM) - tenable.io
  Compliance mgmt., reporting - tenable.io
  Incident response workflow - tenable.io
  Continuous vulnerability mgmt. - tenable.io
  Data Loss Prevention - tenable.io
  Risk evaluation, reporting - BitSight
  Virtual firewalls - VMware NSX
* Proposed solution at CSU

10 So How Does It Work? What's in Scope?
Three Tiers of Systems
Tier 1 - Store, process, transmit covered data (full set of controls)
Tier 2 - Services/management interacting with Tier 1 (risk-based set of controls)
  2a: Security services for Tier 1 (firewalls, authentication) - full set of controls
  2b: Direct access to Tier 1 (processing, management)
  2c: Services consumed by Tier 1 as well as by Tier 2 and Tier 3
  2d: Indirect access to Tier 1 (through a gateway) - basic/public-health controls
Tier 3 - No access to Tier 1 (out of scope)
Salute to the Open PCI Scoping Toolkit (2012)

11 Scoping and Controls in the GHAST
Tier 1a - Storage & processing
Tier 1b - Direct interaction
Tier 2a - Security services
Tier 2b - Connections to Tier 1
Tier 2c - Service requests from Tier 1
Tier 2d - Indirect mgmt. & access
Tier 3 - No access
Diagram annotations: Tiers 1 and 2 are in scope for regulations; Tiers 1a, 1b and 2a get the full set of controls; Tiers 2b through 2d get a risk-based selection of controls.

12 Example: NIST 800-171 at CSU (proposed)
Tier 1a - Dell/EMC storage array (encrypted drives); virtual or physical processing nodes
Tier 1b - Switches and local vulnerability scanner?
Tier 2a - Juniper SRX 5400, VMware NSX, Active Directory, Duo proxy
Tier 2b - vCenter, VMs for jump boxes, tenable.io, BitSight
Tier 2c - DNS, NTP (others?)
Tier 2d - Researcher desktops
Tier 3 - Campus LAN and internet
In scope for regulations: full set of controls for Tiers 1a through 2a, risk-based selection of controls for Tiers 2b through 2d. (Only devices interacting with Tier 1 are in scope.)
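As an added example, not code from the talk or from CSU's tooling, the tier rules of slides 10 through 12 applied mechanically to a constructed asset inventory: assets carry the attributes covered_data or security_service, and every other tier is derived from who connects to whom (direct connection to Tier 1 gives 2b, being used by Tier 1 gives 2c, reaching Tier 1 only through a 2b gateway gives 2d, no path at all gives Tier 3). Asset names, attribute keys and connections are this example's own assumptions.

```python
# Added example, not from the talk: apply the GHAST tier rules to a constructed inventory (names and keys are assumptions).
ASSETS = {
    "storage-array": {"covered_data": True},      # stores covered data -> Tier 1a
    "proc-node":     {"covered_data": True},      # processes covered data -> Tier 1a
    "srx-firewall":  {"security_service": True},  # security service for Tier 1 -> 2a
    "jump-box":      {},                          # direct access to Tier 1 -> 2b
    "dns":           {},                          # consumed by Tier 1 -> 2c
    "researcher-pc": {},                          # reaches Tier 1 via jump box -> 2d
    "campus-lan":    {},                          # no path to Tier 1 -> 3
}
# Constructed directed connections (initiator -> target).
CONNECTIONS = [
    ("jump-box", "proc-node"),
    ("proc-node", "dns"),
    ("researcher-pc", "jump-box"),
    ("campus-lan", "dns"),
]
CONTROL_SET = {"1a": "full", "2a": "full", "2b": "risk-based",
               "2c": "risk-based", "2d": "basic", "3": "out of scope"}

def reaches(start, targets, out_edges):
    # Depth-first search along initiator->target edges, any number of hops.
    seen, stack = set(), list(out_edges.get(start, ()))
    while stack:
        node = stack.pop()
        if node in targets:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(out_edges.get(node, ()))
    return False

def assign_tiers(assets, connections):
    """Return {asset: tier}, applying the slide-10 rules in order of precedence."""
    out_edges, in_edges = {}, {}
    for src, dst in connections:
        out_edges.setdefault(src, set()).add(dst)
        in_edges.setdefault(dst, set()).add(src)
    tier1 = {n for n, a in assets.items() if a.get("covered_data")}
    def tier_of(name, attrs):
        if name in tier1:                        return "1a"
        if attrs.get("security_service"):        return "2a"
        if out_edges.get(name, set()) & tier1:   return "2b"  # direct access to T1
        if in_edges.get(name, set()) & tier1:    return "2c"  # service used by T1
        if reaches(name, tier1, out_edges):      return "2d"  # only via a 2b gateway
        return "3"                                            # no access: out of scope
    return {n: tier_of(n, a) for n, a in assets.items()}

def controls_for(assets=ASSETS, connections=CONNECTIONS):
    # Map every asset to the control set its tier requires.
    return {n: CONTROL_SET[t] for n, t in assign_tiers(assets, connections).items()}
```

Adding a connection from the campus LAN straight to a processing node would move it from Tier 3 to Tier 2b, which is exactly the kind of scope creep the tiering is meant to make visible.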

13 Once We Build It, What Then?
Watch for growth; may have to add licenses or hard drives
Respond to requests to host compliant infrastructure elsewhere
Train users and admins
Monitor compliance
Anticipate adoption of new frameworks

14 And What Will We Have Gained?
Motivation to move high-assurance systems into our datacenter
  Improving security, performance, power utilization
Improvement of security controls and monitoring for ALL central systems
  Raising all boats
Ability to compete for contracts/grants that require higher security
  Could pay for itself very quickly
Introducing advanced security technologies to operational groups
  Staff development, capability growth

15 Questions?
Steven R. Lovaas, Information Security Officer, Colorado State University
Image: © Monster Manual, by Gary Gygax (1977), TSR Games
