1 COTS based approach for the Multilevel Security Problem
Bernardo Patrão
Copyright Critical Software S.A. 1998-2008 All Rights Reserved.

2 Outline
- Organizations Security Background
- Statistics & Lessons Learnt
- Threats
- The Multilevel Security Model
- CSW Multilevel Security Solution
- Implementation Methodology
- Conclusion

3 Background
- Organizations are well protected against outside threats: firewalls, antivirus, etc.
- Communications services like email are business applications
- Confidential information is increasingly held in digital format
- Competitiveness, customer pressure and privacy compliance are increasingly demanding (SOX, EU DPD, Basel II, identity theft, etc.)
- Information leakage has increasing business impact

5 Statistics & Lessons Learned
- "80 - 90 per cent of leaks are either unintentional or accidental" (Gartner Report)
- "70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise." (Vista Research)
- "Leakage of confidential/proprietary information represents 52% of organizations security threats" (Merrill Lynch survey to North American CISOs, July 2006)
- "loss of customer and proprietary data overtook virus attacks as the source of the greatest financial losses" (2007 CSI Computer Crime and Security Survey)

6 Statistics & Lessons Learned
- Deutsche Bank Loses Hertz IPO Role Because of E-Mails: "Nov. 8 (Bloomberg) -- Deutsche Bank AG, Germany's largest bank, lost its spot among the underwriters of Hertz Global Holdings Inc.'s initial public offering after an employee sent unauthorized e-mails to about 175 institutional accounts."
- Ubisoft "accidentally" leaks tons of assets: "Over two gigs worth of screenshots, videos, and concept art was apparently accidentally posted by Ubisoft on their public ftp server. Whoops."

8 Threats
- Confidential information sent by email to external addresses
- Failures in the identification of confidential information
- Mishandling of confidential information
- Confidential information stored on portable devices
- Misuse of communication and data sharing services

10 The Multilevel Security Model
Multilevel security
- Users have a security clearance
- Objects are assigned a security classification
- Users access objects based on their security clearance and the object's security classification
- Flow of information is controlled based on the object's security classification

11 The Multilevel Security Model
Information Access Control
- All users have a security clearance
- All information should have a security mark and level
- The security mark/level should be impossible to forge and easy to identify
- Access control depends on the information's security mark and on the user's security clearance
- All accesses are registered for future auditing

12 The Multilevel Security Model
Information Flow Control
- Verify the outputs produced by different sources
- Prevent unauthorized users from changing the classification mark
- Identify the security mark/level, and enforce the defined policy
- All data flow is logged for auditing
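
The access control and flow control rules on the three slides above can be sketched as a small reference monitor. This is an added example, not code from the presentation or from the CSW product. Assumptions: the level names, the HMAC-based mark (one way to make a mark hard to forge without the key), the "clearance at or above the object's level" read rule, and the per-channel ceiling at the border are all illustrative choices.

```python
import hashlib
import hmac

# Constructed level names, lowest to highest; the slides do not name levels.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET"]
AUDIT_LOG = []  # every access and flow decision is appended here


def make_mark(key: bytes, content: bytes, level: str) -> dict:
    """Bind a level to the content with an HMAC so neither can be altered."""
    digest = hashlib.sha256(content).hexdigest()
    tag = hmac.new(key, f"{level}|{digest}".encode(), hashlib.sha256).hexdigest()
    return {"level": level, "tag": tag}


def mark_is_valid(key: bytes, content: bytes, mark: dict) -> bool:
    """Recompute the tag; a changed level or changed content will not match."""
    if mark.get("level") not in LEVELS:
        return False
    expected = make_mark(key, content, mark["level"])["tag"]
    supplied = str(mark.get("tag", ""))
    return hmac.compare_digest(expected.encode(), supplied.encode())


def audit(event: str, subject: str, level, allowed: bool) -> bool:
    AUDIT_LOG.append({"event": event, "subject": subject,
                      "level": level, "allowed": allowed})
    return allowed


def can_read(key, user, clearance, content, mark) -> bool:
    """Access control: valid mark and clearance at or above the object's level."""
    ok = (mark_is_valid(key, content, mark) and clearance in LEVELS
          and LEVELS.index(clearance) >= LEVELS.index(mark["level"]))
    return audit("read", user, mark.get("level"), ok)


def border_allows(key, channel, ceiling, content, mark) -> bool:
    """Flow control: unmarked or tampered data fails closed; marked data
    leaves only if its level is at or below the channel's ceiling."""
    ok = (mark is not None and mark_is_valid(key, content, mark)
          and LEVELS.index(mark["level"]) <= LEVELS.index(ceiling))
    return audit("flow", channel, mark.get("level") if mark else None, ok)
```

Denied decisions are logged as well as allowed ones, which is what makes the audit trail useful for spotting mislabelled or relabelled documents.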

14 CSW Multilevel Security Solution
Information Security requires intervention on all elements of the infrastructure
- Workstations
  - Enforce the classification (protection) of office files or email messages
  - Control what the user can do (change, print, copy-paste, …)
  - Allow classification (protection) of any type of file
- Network border
  - Control the information flow for several communication services
    - E-mail
    - FTP
    - IMS, …
- Corporate Servers
  - Enforce protection policies for information stored on corporate servers
    - Content Management Servers
    - File Servers
    - Collaboration Servers, …

15 CSW Multilevel Security Solution
Multilevel Management Tools
- Configuration
  - Easy to use, web based tools to manage
    - Marks / Levels
    - Users' security clearances
    - Access and Flow Policies
- Auditing
  - Consoles tailored to meet the organization's requirements and compliance
  - Data mining solutions for intelligent alarms and advanced data collection

16 CSW Multilevel Security Solution
1 – Users A and B log in to the organization domain. Authentication and authorization are performed. The information access policy is enforced.
2 – User A classifies a document or an e-mail message with a Security Mark and saves it or sends it. User B accesses the document or the e-mail message. He can access the document but doesn't have printing privilege.
3 – User B uploads a document to a content manager server; the document is marked with the mark defined. Information on the servers is encrypted.
4 – Border Protection Device denies the flow of marked information.
5 – Configure the security policy, clearances and marks.
6 – Audit for compliance.

17 CSW Multilevel Security Solution – Classification tools
Seamless COTS Tools integration

18 CSW Multilevel Security Solution – Classification tools
Seamless COTS Tools integration

19 CSW Multilevel Security Solution – Classification tools
Seamless COTS Tools integration

20 CSW Multilevel Security Solution – Administration tools
Main overview and client update

21 CSW Multilevel Security Solution – Administration tools
Authorization Management (Credentials)

22 CSW Multilevel Security Solution – Administration tools
Classification Marks/Levels Management

23 CSW Multilevel Security Solution – Administration tools
Access and Flow Policies Management

24 CSW Multilevel Security Solution – Auditing tools
Auditing Tools

26 Implementation Methodology
1) Perform a Risk Assessment
2) Define Security Policies and Procedures
3) Identify COTS Hardware and Software
4) Define the configuration for the System
5) Develop Integration Tools to enforce policies

28 Conclusion
- A ready-to-use solution based on well accepted COTS
- Smooth learning curve – well known user interfaces
- Compatibility with existing systems
- Low TCO
- Reduced technological risks
- Flexibility – easy customization for specific client requirements

29 Questions?
Thank You

