Upload
camila-runnels
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
Copyright Critical Software S.A. 1998-2008 All Rights Reserved.
COTS based approach for the Multilevel Security Problem
Bernardo Patrão
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 2
Outline
Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 3
Background
Organizations are well protected to manage outside threats: firewalls, antivirus, etc.
Communications services like email are business applications
Confidential information is more and more in digital format
Competitiveness, customer pressure, privacy compliances is each time more demanding (SOX, EU DPD, Basileia II, Identity theft, etc.)
Information leakage has increasing business impact
Data
Hackers
Virus Trojans
SPAM
Confidential Information
Customer Information
IntelectualProperty
Financial
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 4
Outline
Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 5
Statistics & Lessons Learned
“80 - 90 per cent of leaks are either unintentional or accidental” Gartner Report
““70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise.””
Vista Research
“Leakage of confidential/proprietary information represents 52% of organizations security threats”
Merrill Lynch survey to North American CISOs, July 2006
“loss of customer and proprietary data overtook virus attacks as thesource of the greatest financial losses”
2007 CSI COMPUTER CRIME AND SECURITY SURVEY
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 6
Statistics & Lessons Learned
Deutsche Bank Loses Hertz IPO Role Because of E-Mails
“Nov. 8 (Bloomberg) -- Deutsche Bank AG, Germany's largest bank, lost its spot among the underwriters of Hertz Global Holdings Inc.'s initial public offering after an employee sent unauthorized e-mails to about 175 institutional accounts.”
Ubisoft "accidentally" leaks tons of assets
“Over two gigs worth of screenshots, videos, and concept art was apparently accidentally posted by Ubisoft on their public ftp server. Whoops.”
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 7
Outline
Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 8
Threats
Confidential information sent by email to external addresses
Failures on the identification of confidential information
Mishandling of confidential information Confidential information stored in
portable devices Misuse of communication and data
sharing services
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 9
Outline
Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 10
The Multilevel Security Model
Multilevel security Users have a security
clearance
Objects are assigned with security classification
Users access objects based on their security clearance and the object security classification
Flow of information is controlled based on the object security classification
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 11
The Multilevel Security Model
Information Access Control All users have a security clearance
All information should have a security mark and level
The security mark/level should be impossible to forge and easy to identify
The access control depends on the information security mark and on user’s security clearance
All accesses are registered for future auditing
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 12
The Multilevel Security Model
Information Flow control Verify the outputs produced by different
sources
Prevent unauthorized users to change the classification mark
Identify the security mark/level, and enforce the defined policy
All the data flow is logged for auditing
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 13
Outline
Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 14
CSW Multilevel Security Solution
Information Security requires intervention on all elements of the infrastructure
Workstations Enforce the classification (protection) of office files or email
messages Control what the user can do (change, print, copy-paste, …) Allow classification (protection) of any type of file
Network border Control the information Flow for several communication services
E-mail FTP IMS, …
Corporate Servers Enforce protection policies for information stored on corporate
servers Content Management Servers File Servers Collaboration Servers, …
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 15
CSW Multilevel Security Solution
Multilevel Management Tools Configuration
Easy to use, web based tools to manage Marks / Levels Users security clearances Access and Flow Policies
Auditing Consoles tailored to meet the organization
requirements and compliance Data mining solutions for intelligent alarms
and advanced data collection
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 16
CSW Multilevel Security Solution1 – Users A and B execute log-in in the organization domain. Authentication and the authorization is performed.Information access policy is enforced
2 – User A classifies a document or an e-mail message with a SecurityMark and saves it or sends it.User B accesses the document or the e-mail message.He can access the document but doesn’t have printing privilege
3 – User B uploads a document to a content manager server; document is marked with the mark defined.Information on the servers is encrypted.
4 – Border Protection Device denies the flow of marked information
5 – Configure the security policy, clearances and marks
6 – Audit for compliance
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 17
CSW Multilevel Security Solution – Classification tools
Seamless COTS Tools integration
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 18
CSW Multilevel Security Solution – Classification tools
Seamless COTS Tools integration
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 19
CSW Multilevel Security Solution – Classification tools
1
3
2
Seamless COTS Tools integration
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 20
CSW Multilevel Security Solution – Administration tools
AdministratorConsole
5
Main overview and client update
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 21
CSW Multilevel Security Solution – Administration tools
AdministratorConsole
5
Authorization Management (Credentials)
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 22
CSW Multilevel Security Solution – Administration tools
AdministratorConsole
5
Classification Marks/Levels Management
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 23
CSW Multilevel Security Solution – Administration tools
AdministratorConsole
5
Access and Flow Policies Management
BPD
4
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 24
CSW Multilevel Security Solution – Auditing tools
Auditing Tools
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 25
Outline
Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 26
Implementation Methodology
1) Perform a Risk Assessment2) Define Security Policies and
Procedures3) Identify COTS Hardware and Software4) Define the configuration for the
System5) Develop Integration Tools to enforce
policies
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 27
Outline
Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 28
Conclusion
A ready to use solution and based on well accepted COTS
Smooth learning curve – well known user interfaces
Compatibility with existing systems Low TCO Reduced technological risks Flexibility - Easy customization for specific
client requirements
© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 29
Questions?
Thank You