Enterprise Security Architecture FAQs

Transcription

Enterprise Security Architecture FAQs
Enterprise Security
Architecture
Alvin Tan
Security Architect
Creative Quest Solutions Sdn Bhd
[email protected]
PwC
CONFIDENTIAL
1
Agenda
• Enterprise Security Architecture FAQs
• Incorporating Security in Enterprise
Architecture
• Guidelines
• Keeping Current
PwC
CONFIDENTIAL
2
Enterprise Security Architecture FAQs
PwC
CONFIDENTIAL
3
Enterprise Security Architecture FAQs
• Is the current architecture supporting and adding value to
the security of the organization?
• How might a security architecture be modified so that it
adds more value to the organization?
• Based on what we know about what the organization
wants to accomplish in the future, will the current security
architecture support or hinder that?
PwC
CONFIDENTIAL
4
Incorporating Security in Enterprise Architecture
• Assessment
– Basic information (servers, workstation etc)
– Infrastructure Security
Creating
– Application Security
Business
– Operation Security
Risk
– People Security
Profile
– Environment
PwC
CONFIDENTIAL
5
Incorporating Security in Enterprise Architecture
• Infrastructure security (int & ext)
– Perimeter (Firewalls, IDS, AntiVirus)
– Authentication (Password policies)
– Management & Monitoring (staff/vendor)
• Application security
– Application (Line of Business, High Availability,
patches)
– Application Design (Password policy, Access controls)
– Data Storage & Communication (DES, 3DES. RC2,
RC3, RC4, etc)
PwC
CONFIDENTIAL
6
Incorporating Security in Enterprise Architecture
• Operations (Op practices & guidelines)
– Environment (self/outsource, SLA, ACs, FWs )
– Security Policy (IT/Business, documentation,
guildlines)
– Patch & Update Management (Change, Update policy)
– Backup & Recovery (logs, Firewall logs,
• People
– Requirement & Assessment (IT expertise)
– Policy & Procedures (hiring process)
– Training & Awareness (program exist, frequency)
PwC
CONFIDENTIAL
7
Enterprise Security Architecture FAQs
•
Having documented the organization's strategy and structure, the architecture process then
flows down into the discrete information technology components such as:
•
Organization charts, activities, and process flows of how the IT Organization operates
•
Organization cycles, periods and timing
•
Suppliers of technology hardware, software, and services
•
Applications and software inventories and diagrams
•
Interfaces between applications - that is: events, messages and data flows
•
Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization
•
Data classifications, Databases and supporting data models
•
Hardware, platforms, hosting: servers, network components and security devices and where they
are kept
•
Local and wide area networks, Internet connectivity diagrams
PwC
CONFIDENTIAL
8
Enterprise Security Architecture FAQs
answered
•
The organization must design and implement a process that ensures continual
movement from the current state to the future state. The future state will
generally be a combination of one or more:
•
Closing gaps that are present between the current organization strategy and the ability
of the IT security dimensions to support it
•
Closing gaps that are present between the desired future organization strategy and the
ability of the security dimensions to support it
•
Necessary upgrades and replacements that must be made to the IT security
architecture based on supplier viability, age and performance of hardware and
software, capacity issues, known or anticipated regulatory requirements, and other
issues not driven explicitly by the organization's functional management.
•
On a regular basis, the current state and future state are redefined to account for
evolution of the architecture, changes in organizational strategy, and purely external
factors such as changes in technology and customer/vendor/government requirements.
PwC
CONFIDENTIAL
9
Guidelines
PwC
CONFIDENTIAL
10
Guidelines
•
•
•
•
•
Guidelines for Auditing
Guidelines for Securing Operating Systems
Guidelines for Monitoring Network Traffic
Guidelines for using IDS
Guidelines for Securing Wireless
Transmissions
• Methods for Enforcing Security Policies
PwC
CONFIDENTIAL
11
Guidelines for Auditing
PwC
CONFIDENTIAL
12
Guidelines for Auditing the Use of
Permissions and User Rights
• Use the appropriate group to ensure adequate
auditing information
• Do not audit everything
• Monitor the Audit policy to prevent a rogue
administrator from turning off auditing to perform
a forbidden action
• Configure the size of the security log to
accommodate additional auditing information
• Audit for successes and failures depending on
what is being audited
PwC
CONFIDENTIAL
13
Guidelines for Securing Operating Systems
PwC
CONFIDENTIAL
14
Guidelines for Securing Operating Systems
File System
User Accounts
Services
• Use NTFS on Web
sites running
Microsoft Windows
• Review directory
permissions
• Set access control for
the anonymous user
account
• Store executable files
in a separate directory
• Choose strong
passwords for all
accounts including the
Administrator account
• Change passwords
frequently
• Review user accounts
frequently
• Maintain strict account
policies
• Limit membership of
the Administrators
group
• Run necessary
services only
• Unbind unnecessary
services from your
Internet adapter cards
• Enable auditing
• Use encryption when
administering your
computer remotely
• Back up the registry
and vital files often
• Run virus checks
regularly
PwC
CONFIDENTIAL
15
Guidelines for Monitoring Network Traffic
PwC
CONFIDENTIAL
16
Guidelines for Monitoring Network Traffic
• Document types of allowed network traffic
• Observe regular network traffic and look for
anomalies
• Review logs and network statistics regularly
• Set triggers for common intrusions
• Use multiple IDS products
PwC
CONFIDENTIAL
17
Guidelines for using IDS
PwC
CONFIDENTIAL
18
Guidelines for using IDS
• Consider using both network-based IDS and
host-based IDS
• Frequently update IDS signatures
• Understand the nature of intrusions that an IDS
can detect
• Distinguish between real intrusions and false
positives
• Deploy an IDS on each network segment
• Use a centralized management console to
manage an IDS
PwC
CONFIDENTIAL
19
Methods for Enforcing Security Policies
PwC
CONFIDENTIAL
20
Smart Cards
Firewalls and
proxy servers
Group Policy
Accountable
Employees
Authorized
Hardware and
Software
Physical
Security
File Permissions
and ACLs
PwC
Auditing
Asset
Monitoring
CONFIDENTIAL
21
Keeping Current
PwC
CONFIDENTIAL
22
Keeping Current
•
•
•
•
•
•
http://attrition.org/news/
http://www.cert.org/
http://www.ciac.org/ciac/index.html
www.securityfocus.com
www.securityfocus.com/tools
http://sectools.org/
PwC
CONFIDENTIAL
23
You can make a difference!
Thank You
This presentation is for informational purposes only. IASA MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
PwC IT Architect Symposium 2007
Regional
CONFIDENTIAL
24