Acuent Security

Proprietary and Confidential

Security Presentation Presented by: Stephen Bates

Jeffrey Gehl Larry Hymson Jeremy Gulban

May 23, 2001

www.acuent.com


q Introduction

q Network Security

q PeopleSoft Security

Agenda

www.acuent.com


About Acuent ♦  18 Year History - founded in 1983 ♦  9 Year Partnership with PeopleSoft

♦  One of PeopleSoft’s Original Partners ♦  Largest Privately Held PeopleSoft House in the US

♦  Over 350+ PeopleSoft implementations ♦  400+ employees ♦  Core Skills

–  PeopleSoft –  Business Process Improvement / Change Management –  Integration and Application Middleware –  J2EE/DNA Platforms (Certified MCSD, Certified Java

Specialists) –  Security

Strength & Experience


Irvine, CA

Parsippany, NJ

Atlanta, GA

Chicago, IL Vienna, VA

Seattle, WA

Headquarters

Existing Offices

Planned for 2001

www.acuent.com

Nationwide Offices


External Content

e-Enabling the Enterprise Acuent offers a full roster of services that help enable enterprise-wide Internet, Intranet and, Extranet initiatives

Employees Customers Suppliers

Marketplaces Organization

ERP Content Repository

B2BX

B2B B2C B2E

www.acuent.com


e*Markets

Commercial e*Business

Enterprise Application Solutions

e*Engineering

www.acuent.com

Acuent Lines of Business

Management Consulting

Technology Assessment

Services

Change Management

Strategy Development

Services

Performance Management

www.acuent.com

e*Engineering



Services

Transformation Management

Business Integration

Management

e*Security

Infrastructure & Database

Development Services

Custom & Packaged

Application Development

Portal Solutions

e*Commerce Solutions

e*Strategy Services

Front-end Design Services

www.acuent.com

Commercial e*Business



Services

Transformation Services

Business Improvement

Services

Post Production Support

Training

Upgrades

Software Implementations

Infrastructure & Database

Development Services

www.acuent.com

Enterprise Application Solutions


ERP PeopleSoft

Oracle Lawson

CRM Vantive

Business Intelligence

Brio Sagent

e-Commerce Vignette

BroadVision

Portals Plumtree Sequoia iPlanet

PeopleSoft

Procurement CommerceOne

Middleware Neon Vitria

WebSphere

iPlanet

ColdFusion

WebMethods

ATG Dynamo

SilverStream

Sun

Oracle Se

rver

Pac

kage

s & To

ols

e-Bu

sines

s Pac

kage

d App

licat

ions

www.acuent.com

Acuent Alliances


Business Services

Financial Services Utilities Health

Care Public Sector

GE Capital

Manufacturing

The MacManus

Group

www.acuent.com

Commitment to Client Satisfaction


Our People

Adaptability

Integrity

Innovation

Our Customers

Strategies

Our Culture Acuent

Partnerships

Solutions Versatility

www.acuent.com


q  Why security? è Market Trends è Demand è Solving the business problems

q  Security Objectives q  Vulnerability Assessments q  Developing a security policy q  Resources

Security Outline: what we’re going to talk about today


q  Firewalls q  Intrusion Detection Systems q  Anti-Virus efforts q  Browser Vulnerabilities q  Demilitarized Zones q  Virtual Private Networks q  Public Key Infrastructures & Vendor implementations

è  Certificate Authorities è  Certificate Revocation Lists è  Secure Messaging via S/MIME and/or PGP

q  Security Routers & Access Control Lists q  Unix or Microsoft System Vulnerabilities q  IPSec q  Extensive Auditing Procedures q  Security of Storage, Backup & Recovery

What we’re NOT going to talk about today


Security is a process, not a product. Traditional computer security has relied

heavily on firewalls, intrusion detection systems, and other prevention products.

All can be valuable components to a

security process, but they are also very fragile. They can be exploited, disabled, or simply circumvented.

BLUF: Bottom Line Up Front on Security


q  Small and medium business finding Internet connectivity critical

q  Enterprises need to upgrade existing router-based infrastructure in enterprises to enhance security

q  ISPs providing secure managed solutions, and protecting their own network

q  All businesses recognizing need to build intranets and extranets

Market Trends


q  Permit corporate connectivity with the Internet q  Leverage the Internet and protect corporate resources q  Create internal network perimeters q  Enable secure communications with business partners q  Provide high-speed policy enforcement

Trusted Network

Untrusted Network (Partner)

Untrusted Network II (Internet)

Driving Demand for Security


Internet Business Need

Security Complexity

Internet Access

VPN and Extranets

Internet Presence

Networked Commerce

OK, so what’s the business problem?


q  Applications è World Wide Web and e-mail access

q  Security issues è Protection of internal resources from outsiders è Limiting external privileges of internal users è Visibility of internal network addresses è Auditing usage and possible attacks

Internet

Enable Internet Access


q  Additional applications è E-mail server managed locally è Web server provides presence

q  Additional security issues è Protection of public resources è Separation of public and internal networks

E-Mail

WWW Internet

Enable Internet Presence


q  Additional applications è Electronic commerce with controlled access

to business systems for ordering, etc.

q  Additional security issues è Secure gateway-internal communication è Client-commerce gateway data privacy è Strong application authentication of client

Commerce Gateways

Internal Business Systems

Internet

Enable Networked Commerce


Mobile/Home Users

q  Additional applications è Private connections over public network è Virtual Private Network (VPN)

q  Additional security issues è Encryption between remote users/sites and HQ è Strong network authentication of client

HQ Remote

Site

Extranet Partner

Internet

Enable VPN and Extranets


q Assets è What information assets do you have? è Rank assets based on criticality

q Vulnerabilities è Weakness or flaw that enables a threat to attack an information system

q Threats è An entity capable of causing harm to an information systems (Hackers,

Insiders, Natural Disasters, etc.) q Risk

è The likelihood that a threat can exploit a vulnerability to attack a system q Countermeasures

è Mechanisms to minimize the risk to information assets è Can be technical or non-technical in nature

“Security” Concerns


Impact: Costs of a Root Compromise

q  Tangibles è Admin time - rebuild, restore, reconfigure è End users - Downtime/service unavailable, lost

time due to new passwords, etc. è Management - Decision making/approval process,

legal, etc. q  Intangibles

è Customer Faith / Trust è The “Blame Game”


Transparent Access Security

Authentication Authorization

Auditing

Nonrepudiation

Confidentiality Data Integrity

Policy Management

Connectivity

Performance

Ease of Use

Manageability

Availability

Security Objective: Balance Business Needs with Risks


Vulnerability Assessment Benefits

q  Identify all applicable vulnerabilities q Proper configuration of system

components q Educate users, IT staff, and management

on threats è internal è external

q Current technical solutions to threat access routes

q Network security trends analysis q Assist in security risk management

planning q Assist in developing a workable, viable

security policy

UNIVERSAL PASSPORT

Kjkjkjdgdk kjdkjfdkI kdfjkdj IkejkejKkdkd fdKKjkdjd KjkdjfkdKjkd

Kjdkfjkdj Kjdk

USA

************************

************************

Kdkfldkaloee kjfkjajjakjkjkjkajkjfiejijgkd kdjfkdkdkdkddfkdjfkdjkdkd

kfjdkkdjkfd kfjdkfjdkjkdjkdjkaj

kjfdkjfkdjkfjkjajjajdjfla kjdfkjeiieie fkeieooei

UNIVERSAL PASSPORT


What Is a “Security Policy”?

“A security policy is a formal statement of the rules by which

people who are given access to an organization's technology and information assets must abide.”

Source: RFC 2196, Site Security Handbook draft


UNIVERSAL PASSPORT

Kjkjkjdgdk kjdkjfdkI kdfjkdj IkejkejKkdkd fdKKjkdjd KjkdjfkdKjkd Kjdkfjkdj Kjdk

USA

************************

************************

Kdkfldkaloee kjfkjajjakjkjkjkajkjfiejijgkd kdjfkdkdkdkddfkdjfkdjkdkd

kfjdkkdjkfd kfjdkfjdkjkdjkdjkaj

kjfdkjfkdjkfjkjajjajdjfla kjdfkjeiieie

fkeieooei

First Steps in Designing a Security Policy

q Who are our users?

q What information needs to be protected?

q What are their privileges?

q Where is our information?


Policy Management

Restrictive

Closed Open

Designing and implementing appropriate Security Policy

q Open security policy è Permit everything that is not expressly denied

q Restrictive security policy è Combination of specific permissions/specific restrictions

q Closed security policy è That which is not expressly permitted is denied


q  Process and Progress, not perfection overnight! q  Form a core group of advocates with shared views q  Target management and leaders most likely to be influential

in creating a positive security culture q  Use case studies and actual events to make your points q  Develop a written policy and publish it q  Get management buy-in for your policies beforehand q  Use a positive approach: focus on opportunities for

improvement, not reduction of failure q  Recognize & reward positive behavior

Improving Security Education

See Network World Security Newsletter at: http://www.nwfusion.com/newsletters/sec/0424sec2.html


q  RFCs: http://www.ietf.org/rfc.html è 1173: Responsibilities of Host and Net Managers è 2350 - Expectations for Computer Security Incident Response è 2196 - Site Security Handbook è 2504 - Users' Security Handbook

q  Vendors è Configuration and patches/hotfixes è Anti-Virus Updates

q  Crypto-Gram: http://www.counterpane.com/crypto-gram.html q  System Administrator and Network Security Institute (SANS): http://www.sans.org

è Worst Mistakes committed by Executives, End Users, and IT Personnel è Top Ten System and Software Vulnerabilities

q  Computer Incident Advisory Capability (CIAC): http://ciac.llnl.gov q  CERT Coordination Center (CERT/CC): http://www.cert.org q  Forum of Incident Response and Security Teams (FIRST): http://www.first.org

Security Resources & Best Practices