WP CS Applying the Four Standards of Security-Based CIA

Expert Reference Series of White Papers

1-800-COURSES wwwglobalknowledgecom

Applying the Four Standards of Security-

Based CIA

Copyright copy2013 Global Knowledge Training LLC All rights reserved 2

Applying the Four Standards of Security-Based CIA Kerry Doyle MA MSr CPL

IntroductionConstant change in the technology landscape has been mirrored by the steady evolution of information security The current information system environment is increasingly complex comprising storage servers LANsWANs workstations Unified Communications Intranet and Internet connections

Recent innovations such as social media have had a profound effect on security deployment within companies introducing new threats and vulnerabilities Moreover the explosion of related trends such as bring your own device (BYOD) further compromises security because users are accessing corporate content (data applications e-mails etc) from remote locations beyond perimeter security for example

Increased threat sophistication requires equally effective defense responses In addition to measuring compli-ance incorporating logsaudits and using outsourced security services and point products defining corporate-wide security policies is a critical first step Based on the C-I-A information security triad (confidentiality integ-rity availability) key areas to address should include questions such as ldquoWho sees the datardquo ldquoHas the data been corruptedrdquo and ldquoCan I access the server and data as neededrdquo

The range of security-based concerns and solutions is extensive and covers operational procedural environmen-tal and system-related areas In this white paper wersquoll explore the principles of information security and the four standards of security-based CIA that can effectively protect your environment

Standard 1 Operational Security and Identity Access Management (IAM)In order to protect against threats to the confidentiality integrity and availability of information assets orga-nizations need to put in place coherent security measures and policies The goal should be to define the opera-tional procedures guidelines and practices for configuring and managing security within an environment

The importance of having a corporate security policy in place cannot be understated Not only does it minimize risk it helps to show due diligence and compliance in terms of regulations that affect nearly every industry from finance to healthcare (PCI Sarbanes-Oxley HIPAA etc)


Because organizations face an array of both internal and external threats they require a thorough systematized approach to security Performing risk analysis is an important first step Security vulnerability assessments com-bined with protocols to follow and well-defined counter-actions are all part of creating a methodical approach to protection

Performing regular assessments of current security policies is also important It ensures that corporate policies are up to date and that an organization is able to respond adequately to new and developing threats

Establishing identityaccess management (IAM) controls guarantees that effective operational measures are in place in terms of security IAM tools and processes offer a critical framework for managing electronic identities Moreover well-defined business policies for IAM and for assigning access rights should be centrally controlled and enforced consistently across an organization

A centralized framework supports the critical processes that are the basis for successful identity access and risk management They include

bull Establishing compliance initiatives and meeting regulation requirements

bull Controlling user accessinstituting lifecycle management

bull Ensuring accountability

bull Automating processes to manage access risk

Increasingly organizations are choosing automated IAM approaches that include centralized dashboards of-fering data analysis via graphs charts and reports as well as advanced analytics that can be applied to pre-defined or customized security reports

In terms of operational security IAM controls can establish a clear operational ldquosnapshotrdquo of user access that enables corrective actions to be undertaken as needed Such an approach also ensures that all governance ac-tions are ldquostickyrdquo that is unable to be reversed unless approved by a recognized authority

In addition IAM has direct links to areas like security information and event management (SIEM) Often ad-ministrators are overwhelmed by the sheer amount of security data they must process Analysts and administra-tors have only enough time to manage the most critical SIEM notifications These include an excess of solution challenges (more issues than time to address) and false-positive overload Itrsquos no surprise that streamlined IAM controls can offer administrators critical support

Standard 2 Ensuring Procedural SecurityProcedural security looks at information security from the point of view of managementworkforce policies and controls Some examples include personnel screening policies guidelines for classifying and accessing informa-tion and procedures for assigning IDs and user access status to name a few


In terms of management policies well-defined and logical procedures ensure a measure of accountability and assurance They provide for the tracing of actions and events back in time to the users systems or processes to establish responsibility

The first step to procedural security involves identification Once a stakeholder is identified then authentication and authorization can take place Authentication is based on the axiom What You Know (passwords PINs codes etc) What You Have (keys tokens etc) and What You Are (biometric authentication fingerprint iris etc)

Logs and audit trails represent the next step in procedural security These relay detailed information about system-related actions and events as long as the integrity of the data can be established lsquoFunctionalityrsquo versus lsquoassurancersquo is one aspect of procedural security that is the most challenging Essentially the question centers on whether certain security actions performed were indeed successfully implemented

Confidentiality the ability to circumvent security controls has led to more stringent measures such as cryptog-raphy Encryption converts plain text into ciphered text ensuring a measure of confidentiality If intercepted illegally ciphered data canrsquot be easily read The Advanced Encryption Standard (AES) is a fast efficient algorithm for data at rest trusted platform modules (TPMs) can encrypt whole drives and SMIME encrypts e-mail

When it comes to ensuring integrity for example a hashing algorithm can create a hash or number for reli-able data security Detection systems can calculate hash consistency for all types of files including e-mails and protect against tampering Any modifications for example if a file is infected with a virus indicate that a file has lost integrity

Procedural controls for protecting against loss of availability extend to systems that provide redundancies back-ups and fault-tolerance Such failure systems ensure that if a security measure or control has failed the system is not rendered to an insecure state Backups make sure that data stays current Redundancies extend to servers that provide failover protection For example in the case of one server being compromised another secure server can instantly take its place

Standard 3 Taking Control of Physical Environment SecurityData center or physical environment security is centered on the notion of availability Attacks such as distributed denial of service (DDoS) cross-site scripting and advanced persistent threats (APTs) represent actions whose goal is to deny availability

Such initiatives strike at the heart of most data centers which are based on near 247 access For example a primary aim of DDoS attacks is to deny users resources and to inflict collateral damage Downed servers which are the primary consequence of these attacks can be costly to both users and companies


Natural and man-made disasters also affect availability although theyrsquore less frequent and not as severe as planned attacks To ensure physical security frequent off-site backups are critical As mentioned earlier redun-dancy also offers a key environment security feature

Operational measures for protection overlap with initiatives that ensure physical environment security A multi-layer approach is meant to cover any shortfalls or inadequacies It includes

bull Separate Security Agents Individual discrete agents manage network endpoint and virtual security However this defense in-depth approach consists of multiple agents that can be challenging to coordinate and control

bull Multi-vendor Approach Combining the protection of multiple vendors reduces the overall risk posture Thatrsquos because if a threat eludes one vendor agent therersquos a greater possibility it will be denied by the second agent

bull Security Intelligence Layer Encompassing an entire landscape with an integrated view of security means that different point products can now be unified such an intelligence layer combined with a pre-existing security landscape offers comprehensive protection and better value

In addition to the multi-layer approach having good business continuity (BC) and disaster recovery (DR) capa-bilities in place are critical These represent key components of effective physical environment security

To achieve this protection level increasing numbers of companies are also turning to suite-based products Instead of creating manual ldquohome-brewrdquo security solutions with ad hoc technologies they choose third-party suite-based access governance solutions that offer automated user-friendly security tools Most of these solu-tions centralize identity data capture business policy model roles and proactively manage user and resource risk factors

Standard 4 NetworkApplication Security Certain security controls are more relevant to an organizationrsquos physical infrastructure while others have more to do with management and administration When it comes to system-related security such as network safe-guards or application controls a number of diverse technologies offer protection

Generally the most effective and secure network environments are based on the principles of least privilege minimization and compartmentalization These are also considered universal security principles and can be applied to a number of areas

In terms of applications and network architecture these standards should be considered fundamental

bull Least Privilege This prevention measure reduces the number of privileges that can be assigned to either users or administrators and IT staff Minimizing the number of capabilities reduces the potential for possible abuse and limits the extent of damage

All information system environments can benefit from the least privilege measure However such security controls are especially important for networks because any abuse can have far-reaching implications


bull Minimization The principle of minimization prohibits the use of any system beyond its designated function For example a server designated for email could not have unrelated software installed or be used for purposes other than email Such limitations increase security minimize misuse and enhance system performance

bull Compartmentalization The use of compartments works to limit damage caused by unforeseen disasters or attacks Having applications and processes separated from one another increases security because the effects or malfunctions of compromised systems can be isolated Such a powerful security mechanism ensures that the effects of disasters or attacks can be contained until solutions are found

Itrsquos necessary to create precise processes that define and control network access and configuration capabili-ties A well-functioning change management process means that any system-based alterations are logged and executed in a controlled way Logs can then be checked for any deviations or violations of a network security policy

The concept of authorization is important here because network- and system-related access restrictions can limit changes and minimize potential damage from deliberate misconfigurations Moreover the concept of dual control reinforces security across a network

Such a procedure assigns different responsibilities between the security group and administrative group in charge of network processes A combination of checks and balances ensures that network configuration logs are controlled not by administrators but by the security group which could identify compromises in a network

ConclusionAs organizations evaluate the available approaches to information security they need to address a number of considerations in terms of operational procedural environmental and system-related areas

Itrsquos no longer about just protecting data Businesses need to formulate coherent systematic approaches to security by incorporating regulatory compliance periodic assessments and the application of relevant tools to eliminate security issues

Effective authentication and authorization are basic principles that should be applied along with log-keeping and audit trails Moreover any physical environment should incorporate a multi-layer approach to compensate for inadequacies Finally effective protection of applications and networks is essential

It requires a framework based on the concepts of least privilege minimization and compartmentalization to guarantee a comprehensive approach to company-wide security Such high levels of optimization help to ensure that an organizationrsquos information security approach is both well-rounded and flexible enough to meet current and future threats


Learn MoreLearn more about how you can improve productivity enhance efficiency and sharpen your competitive edge through training

Cybersecurity Foundations

Security+ Prep Course (SYO-301)

Visit wwwglobalknowledgecom or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor

About the AuthorKerry Doyle (MA MSr CPL) writes for a diverse group of companies based in technology business and higher education As an educator former editor at PC Computing reporter for PC Week Magazine and editor at ZDNetCNetcom he specializes in computing trends vital to IT professionals from virtualization and open source to disaster recovery and network storage


Applying the Four Standards of Security-Based CIA Kerry Doyle MA MSr CPL

IntroductionConstant change in the technology landscape has been mirrored by the steady evolution of information security The current information system environment is increasingly complex comprising storage servers LANsWANs workstations Unified Communications Intranet and Internet connections

Recent innovations such as social media have had a profound effect on security deployment within companies introducing new threats and vulnerabilities Moreover the explosion of related trends such as bring your own device (BYOD) further compromises security because users are accessing corporate content (data applications e-mails etc) from remote locations beyond perimeter security for example

Increased threat sophistication requires equally effective defense responses In addition to measuring compli-ance incorporating logsaudits and using outsourced security services and point products defining corporate-wide security policies is a critical first step Based on the C-I-A information security triad (confidentiality integ-rity availability) key areas to address should include questions such as ldquoWho sees the datardquo ldquoHas the data been corruptedrdquo and ldquoCan I access the server and data as neededrdquo

The range of security-based concerns and solutions is extensive and covers operational procedural environmen-tal and system-related areas In this white paper wersquoll explore the principles of information security and the four standards of security-based CIA that can effectively protect your environment

Standard 1 Operational Security and Identity Access Management (IAM)In order to protect against threats to the confidentiality integrity and availability of information assets orga-nizations need to put in place coherent security measures and policies The goal should be to define the opera-tional procedures guidelines and practices for configuring and managing security within an environment

The importance of having a corporate security policy in place cannot be understated Not only does it minimize risk it helps to show due diligence and compliance in terms of regulations that affect nearly every industry from finance to healthcare (PCI Sarbanes-Oxley HIPAA etc)
































































































































































































Documents

WP CS Applying the Four Standards of Security-Based CIA