
Online Security Myths & Challenges HIGHER COLLEGES OF TECHNOLOGY Abeer Nijmeh Account Manager April 14, 2002.



2 Agenda
- The Internet
- Traditional Security Practices & Perceptions
- The New Enterprise
- Security Plan
- Online Business Risks
- Protections of Assets / PKI
- Managed Security Services
- Q&A

3 The Internet…
- An efficient means of distributing information, products & services.
- Offers excellent productivity gains to organizations.
- Results in improvement of bottom line.
- Ideal platform for global commerce.
…Is no longer incidental but integral to businesses.

4 BUT!!!
The Internet’s fundamental strength is also its most profound inherent weakness:
- Designed to facilitate information-sharing
- Designed as a messaging infrastructure
- Not secure from exploitation of traditional vulnerabilities
The most critical challenge posed is “SECURITY”.

5 Traditional Security Practices & Perceptions (1)
- Driven by “one-size-fits-all” strategies
- Follows piecemeal enterprise security solutions
  – Firewalls
  – VPNs
  – Card Keys
- Limit outside access to internal resources and systems
- Browser based encryption (SSL) and username / password based authentication schemes

6 Traditional Security Practices & Perceptions (2)
- Security is all about deploying firewalls
- It is not for our business yet
- Good security implementation is expensive
- Security implementation has no Return on Investment (ROI)
- Someone in the technical department will take care of security implementation

7 The New Enterprise (diagram: Headquarters, Business Partners, Remote Offices, Home Office and Mobile Worker connected through a POP over Internet/IP, ATM and Frame Relay)

8 Security Demands are Changing for Good !!!
Yesterday:
- Internal Focus: Access is granted to employees only
- Centralized Assets: Applications and data are centralized in fortified IT bunkers
- Prevent Losses: The goal of security is to protect against confidentiality breaches
- IT Control: Security manager decides who gets access
Today:
- External Focus: Suppliers, customers, and prospects all need some form of access
- Distributed Assets: Applications and data are distributed across servers, locations, and business units
- Generate Revenue: The goal of security is to enable E-commerce
- Business Control: Business units want the authority to grant access
Source: Forrester Research, Inc.

9 Common Security Issues
- Eavesdropping (Confidentiality): Information remains intact, but privacy is compromised.
- Tampering (Integrity): Information in transit is changed or replaced.
- Impersonation (Authenticity / Non-repudiation):
  – Spoofing: A person pretending to be someone else.
  – Misrepresentation: A person or organization misrepresenting itself.
- Availability: System operations are disrupted and service is denied.

10 Security Plan
Establish a security plan / policy that considers:
- Business strategy and objectives
- Identification of threats / vulnerabilities and management of risks
- Protection of critical assets & systems
- Elevating security awareness company-wide
- Continuous monitoring & evaluation of security controls

11 Online Business Risks
- Determinants of risk: Online assets, vulnerabilities & threats
- Assets at risk: Equipment, data, business reputation
- Risk profiling: Assessing risk sensitivity level of assets

12 Security Zones (diagram: Public Zone, Low Security Zone, Medium Security Zone and High Security Zone, with an Interconnection between them). Courtesy: Information Security - Raising Awareness, Government of Canada PKI Secretariat

13 Protection of Assets
Some of the technologies used to address security issues / challenges:
- Public Key Infrastructure (PKI)
- Virtual Private Networks (VPN)
- Firewalls
- Intrusion Detection Systems (IDS)
- Virus detection software

14 Public Key Infrastructure (PKI)
- Supports trusted interactions.
- Provides authentication, confidentiality, non-repudiation, integrity and access control assurances
- Enables encryption & decryption of online transactions
- Digital certificates & digital signatures for users & businesses
- Trusted certification authority role

15 Key Pairs (diagram: a user’s private key alongside the user’s public key(s))

16 Confidentiality (diagram: the digitally signed message is encrypted with the recipient’s public key, crosses the Internet as an encrypted message, and is decrypted with the recipient’s private key)

17 Data Integrity & Authenticity (1) (diagram: the message goes through a hash process to produce a message digest; the digest is signed with the sender’s private key to produce the digital signature; message plus digital signature form the digitally signed message)

18 Data Integrity & Authenticity (2) (diagram: the recipient hashes the received message to obtain a message digest, recovers the digest from the digital signature with the sender’s public key, and compares the two)

19 PKI – Process Workflow (flowchart)
1. Client applies for a certificate.
2. Registration Authority verifies the applicant’s identity.
3. Is the applicant’s identity valid? NO: send notice declining the application. YES: request a certificate for the user.
4. Certificate Authority issues the certificate.
5. Certificate Authority publishes the certificate to the repository (LDAP).
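The workflow has a decision point (step 3) that issuance must never bypass, and a relying party at the far end that must check the issued certificate against a CA it trusts. The Go program below is an added example, not from the presentation or from comtrust, that models steps 1 to 4 with the standard library’s X.509 support. The RA decision is a plain flag on the applicant (constructed), the CA is a self-signed root with a hypothetical name, ECDSA P-256 keys and the validity periods are assumptions, and publication to the LDAP repository (step 5) is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Applicant is the client's request from step 1; Verified carries the
// Registration Authority's decision from steps 2-3 (a constructed flag here).
type Applicant struct {
	Name     string
	Verified bool
}

// CA is the Certificate Authority: its signing key and its own certificate.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewUserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA builds a self-signed root (the trusted CA of slide 14; name hypothetical).
func NewCA() (*CA, error) {
	key, err := NewUserKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Enroll is steps 3-4: a declined applicant gets a refusal; otherwise the CA
// issues a certificate binding the applicant's name to their public key.
func (ca *CA) Enroll(app Applicant, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	if !app.Verified {
		return nil, errors.New("application declined: identity not verified by the RA")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: app.Name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted is the relying party's check: the certificate must chain to the root
// this party trusts, be within its validity period, and permit client auth.
func Trusted(root, cert *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, _ := NewCA()
	userKey, _ := NewUserKey()
	app := Applicant{Name: "A. Student"} // constructed applicant
	_, err := ca.Enroll(app, &userKey.PublicKey, 2)
	fmt.Println("before RA verification:", err)
	app.Verified = true
	cert, _ := ca.Enroll(app, &userKey.PublicKey, 2)
	otherCA, _ := NewCA()
	fmt.Println("trusted by issuer:", Trusted(ca.Cert, cert), "| by an unrelated CA:", Trusted(otherCA.Cert, cert))
}
```

The last line of main is the point of the workflow: a certificate is only as trustworthy as the root a relying party chooses to install, so the same user certificate is accepted under the issuing CA and rejected under an unrelated one, and an expired certificate fails the same Verify call once its NotAfter has passed.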

20 Typical User Certificate (image; repository: http://comtrust.co.ae/Repository.htm)

21 PKI Enabled VPN (diagram: Headquarters, Business Partners, Remote Offices, Home Office and Mobile Worker connected through a POP over Internet/IP, ATM and Frame Relay, as on slide 7)

22 E-market places (diagram: small buyers, small suppliers, large buyers and large suppliers trade through the e-Market Place, or directly 1-to-1)

23 Other Applications
- E-retailing & online Payments: Online stores can enable SSL, authenticate members (CSSL), watch buying patterns, observe casual visitors, reduce or eliminate online fraud
- Secured E-Mail: Messages can be encrypted and digitally signed, and message integrity can be verified.
- Bill Presentment & Payments: Presentment and payment of taxes, traffic fines, utility bills, school fees, and presentment of various statements

24 Other Applications
- Subscription based Services: On-line magazines can use basic registration information available on certs. to understand usage patterns and replace password based authentication
- E-Govt.: Payment of taxes, secure electronic filing, e-forms, payment of other dues, government bidding process, submission of various documents
- Access control: Digital Certificates can enable access control with respect to various business applications.

25 Elements of Secure Enterprise
- Authorization
  – Directories
- Authentication
  – PKI
  – Biometrics
  – Smart Cards
- Confidentiality
  – Encryption
- Policy
  – Enterprise Commitments
- Non-Repudiation
  – Digital Certificates
  – Digital Signatures
- Integrity
  – Digital Signatures
- Audit
  – Internal and / or Third Party
- 24 x 7
  – Full Redundancy

26 Managed Security Services (MSS)
- Experienced security management staff hard to find and expensive to hire
- Security management rarely within the core competency of online enterprises
- MSS - Outsourced Security (turns potential security crisis into achievable security policy)
  – Customized security management
  – Single point of contact
  – Economies of scale
  – Key advantages for both startups and established players

27 For more information...
www.comtrust.ae
abeern@emirates.net.ae

