Download presentation
Presentation is loading. Please wait.
Published byJessie Pitts Modified over 9 years ago
1
Creating a Security Architecture Kim Milford, J.D., CISSP Information Security Manager University of Wisconsin Kim.milford@doit.wisc.edu Copyright Kim Milford, 2003
2
Overview Background: Defining a Security Architecture Why we need A Security Architecture Models A Comprehensive Approach to Information Security
3
Background RFC 2401 (IPSec) Security Architecture: –Goal is to provide various security services for traffic at the IP level ISC 2 : –The totality of security design for a system or application IAA/PKI Standards –Federal Bridge PKI –Shibboleth
4
Background CERT: –Maintain a long-term view and invest in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data. In doing so, it is essential to seek fundamental technological solutions and to seek proactive, preventive approaches, not just reactive, curative approaches.
5
Why We Need A Security Architecture Mandates –FERPA –HIPAA –Gramm Leach Bliley Act – TEACH –National Strategy to Secure Cyberspace –DHHS proposed legislation to protect laboratories handling select agent (42 CFR Part 73): 73.11(a) “The security plan must be based on a systematic approach in which threats are defined, vulnerabilities are examined, and risks associated with those vulnerabilities are mitigated with a security systems approach.” 73.11(b)”The plan must: (1) describe …cyber security
6
Why We Need A Security Architecture To Protect: Confidentiality Integrity Availability of IT Resources From: Environmental threats Technical threats Human threats
7
Why We Need A Security Architecture Threats
8
Why We Need A Security Architecture Threats – Continued
9
Why We Need A Security Architecture Threats - Continued
10
Why We Need A Security Architecture Threats – Continued (2002 CSI/FBI Survey): 90% of respondents detected computer security incidents in the past 12 months 80% acknowledged financial losses due to computer security incidents
11
Why We Need A Security Architecture Threats – Continued (2002 CSI/FBI Survey):
12
Security Architecture: Models Historical:
13
Security Architecture: Models
15
The building blocks of security… POLICIES VIRUS PROTECTION PHYSICAL SECURITY PROTECT YOUR SERVERS PROTECT YOUR PCs DISASTER RECOVERY EDUCATION INCIDENT HANDLING FIREWALLS
16
Security Architecture: Models Interlocking Communities Served by Interlocking Information Infrastructures FII DII Electronic Commerce Electronic Mail Electronic Data Interchange Electronic Funds Transfer File Transfer Information Search/Retrieval NII GII Requiring PROTECTDETECTRESPONDRECONSTITUTE Private Citizen Business Sector State, Local Govt Critical Public Safety Federal Govt Natl Security Intel/DOD Internatl Basic Information Security Services * Data Integrity* Data Confidentiality* Transaction Non-Repudiation * User Identification and Authentication* System Availability Through trained system users, maintainers and developers
17
Security Architecture: Models
18
A Comprehensive Approach to Information Security From theory to practice: 1.Perform risk assessment 2.Develop a comprehensive plan to information security –Phased migration 3.Develop an architectural model –Get management's attention –Get system developer’s attention
19
References www.doit.wisc.edu/security www.cert.org Security Project Cookbook, The Burton Group Nigel Willson, Dan Blum, 2002 www.gocsi.comwww.gocsi.com (CSI/FBI survey) Kim.milford@doit.wisc.edu
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.