Enterprise Security Architecture FAQs
Transcription
Enterprise Security Architecture FAQs
Enterprise Security Architecture Alvin Tan Security Architect Creative Quest Solutions Sdn Bhd [email protected] PwC CONFIDENTIAL 1 Agenda • Enterprise Security Architecture FAQs • Incorporating Security in Enterprise Architecture • Guidelines • Keeping Current PwC CONFIDENTIAL 2 Enterprise Security Architecture FAQs PwC CONFIDENTIAL 3 Enterprise Security Architecture FAQs • Is the current architecture supporting and adding value to the security of the organization? • How might a security architecture be modified so that it adds more value to the organization? • Based on what we know about what the organization wants to accomplish in the future, will the current security architecture support or hinder that? PwC CONFIDENTIAL 4 Incorporating Security in Enterprise Architecture • Assessment – Basic information (servers, workstation etc) – Infrastructure Security Creating – Application Security Business – Operation Security Risk – People Security Profile – Environment PwC CONFIDENTIAL 5 Incorporating Security in Enterprise Architecture • Infrastructure security (int & ext) – Perimeter (Firewalls, IDS, AntiVirus) – Authentication (Password policies) – Management & Monitoring (staff/vendor) • Application security – Application (Line of Business, High Availability, patches) – Application Design (Password policy, Access controls) – Data Storage & Communication (DES, 3DES. RC2, RC3, RC4, etc) PwC CONFIDENTIAL 6 Incorporating Security in Enterprise Architecture • Operations (Op practices & guidelines) – Environment (self/outsource, SLA, ACs, FWs ) – Security Policy (IT/Business, documentation, guildlines) – Patch & Update Management (Change, Update policy) – Backup & Recovery (logs, Firewall logs, • People – Requirement & Assessment (IT expertise) – Policy & Procedures (hiring process) – Training & Awareness (program exist, frequency) PwC CONFIDENTIAL 7 Enterprise Security Architecture FAQs • Having documented the organization's strategy and structure, the architecture process then flows down into the discrete information technology components such as: • Organization charts, activities, and process flows of how the IT Organization operates • Organization cycles, periods and timing • Suppliers of technology hardware, software, and services • Applications and software inventories and diagrams • Interfaces between applications - that is: events, messages and data flows • Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization • Data classifications, Databases and supporting data models • Hardware, platforms, hosting: servers, network components and security devices and where they are kept • Local and wide area networks, Internet connectivity diagrams PwC CONFIDENTIAL 8 Enterprise Security Architecture FAQs answered • The organization must design and implement a process that ensures continual movement from the current state to the future state. The future state will generally be a combination of one or more: • Closing gaps that are present between the current organization strategy and the ability of the IT security dimensions to support it • Closing gaps that are present between the desired future organization strategy and the ability of the security dimensions to support it • Necessary upgrades and replacements that must be made to the IT security architecture based on supplier viability, age and performance of hardware and software, capacity issues, known or anticipated regulatory requirements, and other issues not driven explicitly by the organization's functional management. • On a regular basis, the current state and future state are redefined to account for evolution of the architecture, changes in organizational strategy, and purely external factors such as changes in technology and customer/vendor/government requirements. PwC CONFIDENTIAL 9 Guidelines PwC CONFIDENTIAL 10 Guidelines • • • • • Guidelines for Auditing Guidelines for Securing Operating Systems Guidelines for Monitoring Network Traffic Guidelines for using IDS Guidelines for Securing Wireless Transmissions • Methods for Enforcing Security Policies PwC CONFIDENTIAL 11 Guidelines for Auditing PwC CONFIDENTIAL 12 Guidelines for Auditing the Use of Permissions and User Rights • Use the appropriate group to ensure adequate auditing information • Do not audit everything • Monitor the Audit policy to prevent a rogue administrator from turning off auditing to perform a forbidden action • Configure the size of the security log to accommodate additional auditing information • Audit for successes and failures depending on what is being audited PwC CONFIDENTIAL 13 Guidelines for Securing Operating Systems PwC CONFIDENTIAL 14 Guidelines for Securing Operating Systems File System User Accounts Services • Use NTFS on Web sites running Microsoft Windows • Review directory permissions • Set access control for the anonymous user account • Store executable files in a separate directory • Choose strong passwords for all accounts including the Administrator account • Change passwords frequently • Review user accounts frequently • Maintain strict account policies • Limit membership of the Administrators group • Run necessary services only • Unbind unnecessary services from your Internet adapter cards • Enable auditing • Use encryption when administering your computer remotely • Back up the registry and vital files often • Run virus checks regularly PwC CONFIDENTIAL 15 Guidelines for Monitoring Network Traffic PwC CONFIDENTIAL 16 Guidelines for Monitoring Network Traffic • Document types of allowed network traffic • Observe regular network traffic and look for anomalies • Review logs and network statistics regularly • Set triggers for common intrusions • Use multiple IDS products PwC CONFIDENTIAL 17 Guidelines for using IDS PwC CONFIDENTIAL 18 Guidelines for using IDS • Consider using both network-based IDS and host-based IDS • Frequently update IDS signatures • Understand the nature of intrusions that an IDS can detect • Distinguish between real intrusions and false positives • Deploy an IDS on each network segment • Use a centralized management console to manage an IDS PwC CONFIDENTIAL 19 Methods for Enforcing Security Policies PwC CONFIDENTIAL 20 Smart Cards Firewalls and proxy servers Group Policy Accountable Employees Authorized Hardware and Software Physical Security File Permissions and ACLs PwC Auditing Asset Monitoring CONFIDENTIAL 21 Keeping Current PwC CONFIDENTIAL 22 Keeping Current • • • • • • http://attrition.org/news/ http://www.cert.org/ http://www.ciac.org/ciac/index.html www.securityfocus.com www.securityfocus.com/tools http://sectools.org/ PwC CONFIDENTIAL 23 You can make a difference! Thank You This presentation is for informational purposes only. IASA MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. PwC IT Architect Symposium 2007 Regional CONFIDENTIAL 24