Proprietary and Confidential
Security Presentation
Presented by: Stephen Bates, Jeffrey Gehl, Larry Hymson, Jeremy Gulban
May 23, 2001
www.acuent.com
Agenda
♦ Introduction
♦ Network Security
♦ PeopleSoft Security
About Acuent: Strength & Experience
♦ 18 Year History - founded in 1983
♦ 9 Year Partnership with PeopleSoft
♦ One of PeopleSoft’s Original Partners
♦ Largest Privately Held PeopleSoft House in the US
♦ 350+ PeopleSoft implementations
♦ 400+ employees
♦ Core Skills
  – PeopleSoft
  – Business Process Improvement / Change Management
  – Integration and Application Middleware
  – J2EE/DNA Platforms (Certified MCSD, Certified Java Specialists)
  – Security
Nationwide Offices
Map of office locations (legend: Headquarters, Existing Offices, Planned for 2001): Irvine, CA; Parsippany, NJ; Atlanta, GA; Chicago, IL; Vienna, VA; Seattle, WA
e-Enabling the Enterprise
Acuent offers a full roster of services that help enable enterprise-wide Internet, Intranet and Extranet initiatives.
Diagram labels: Organization (ERP, Content Repository); External Content; Employees, Customers, Suppliers, Marketplaces; B2E, B2C, B2B, B2BX
Acuent Lines of Business
♦ e*Markets
♦ Commercial e*Business
♦ Enterprise Application Solutions
♦ e*Engineering
e*Engineering
♦ Management Consulting
♦ Technology Assessment Services
♦ Change Management
♦ Strategy Development Services
♦ Performance Management
Commercial e*Business
♦ Technology Assessment Services
♦ Transformation Management
♦ Business Integration Management
♦ e*Security
♦ Infrastructure & Database Development Services
♦ Custom & Packaged Application Development
♦ Portal Solutions
♦ e*Commerce Solutions
♦ e*Strategy Services
♦ Front-end Design Services
Enterprise Application Solutions
♦ Technology Assessment Services
♦ Transformation Services
♦ Business Improvement Services
♦ Post Production Support
♦ Training
♦ Upgrades
♦ Software Implementations
♦ Infrastructure & Database Development Services
Acuent Alliances
(Table with two column headings: e-Business Packaged Applications; Server Packages & Tools)
♦ ERP: PeopleSoft, Oracle, Lawson
♦ CRM: Vantive
♦ Business Intelligence: Brio, Sagent
♦ e-Commerce: Vignette, BroadVision
♦ Portals: Plumtree, Sequoia, iPlanet, PeopleSoft
♦ Procurement: CommerceOne
♦ Middleware: Neon, Vitria
♦ WebSphere, iPlanet, ColdFusion, WebMethods, ATG Dynamo, SilverStream
♦ Sun, Oracle
Commitment to Client Satisfaction
Industries: Business Services, Financial Services, Utilities, Health Care, Public Sector, Manufacturing
Clients named: GE Capital, The MacManus Group
Our Culture
Diagram labels around Acuent: Our People (Adaptability, Integrity, Innovation); Our Customers (Strategies, Partnerships, Solutions, Versatility)
Security Outline: what we’re going to talk about today
♦ Why security?
  – Market Trends
  – Demand
  – Solving the business problems
♦ Security Objectives
♦ Vulnerability Assessments
♦ Developing a security policy
♦ Resources
What we’re NOT going to talk about today
♦ Firewalls
♦ Intrusion Detection Systems
♦ Anti-Virus efforts
♦ Browser Vulnerabilities
♦ Demilitarized Zones
♦ Virtual Private Networks
♦ Public Key Infrastructures & Vendor implementations
  – Certificate Authorities
  – Certificate Revocation Lists
  – Secure Messaging via S/MIME and/or PGP
♦ Security Routers & Access Control Lists
♦ Unix or Microsoft System Vulnerabilities
♦ IPSec
♦ Extensive Auditing Procedures
♦ Security of Storage, Backup & Recovery
BLUF: Bottom Line Up Front on Security
Security is a process, not a product. Traditional computer security has relied heavily on firewalls, intrusion detection systems, and other prevention products. All can be valuable components of a security process, but they are also very fragile. They can be exploited, disabled, or simply circumvented.
Market Trends
♦ Small and medium businesses find Internet connectivity critical
♦ Enterprises need to upgrade existing router-based infrastructure to enhance security
♦ ISPs are providing secure managed solutions and protecting their own networks
♦ All businesses recognize the need to build intranets and extranets
Driving Demand for Security
♦ Permit corporate connectivity with the Internet
♦ Leverage the Internet and protect corporate resources
♦ Create internal network perimeters
♦ Enable secure communications with business partners
♦ Provide high-speed policy enforcement
Diagram labels: Trusted Network; Untrusted Network (Partner); Untrusted Network II (Internet)
OK, so what’s the business problem?
Chart: Security Complexity plotted against Internet Business Need, with the stages Internet Access, VPN and Extranets, Internet Presence, Networked Commerce
Enable Internet Access
♦ Applications
  – World Wide Web and e-mail access
♦ Security issues
  – Protection of internal resources from outsiders
  – Limiting external privileges of internal users
  – Visibility of internal network addresses
  – Auditing usage and possible attacks
Diagram: internal network connected to the Internet
Enable Internet Presence
♦ Additional applications
  – E-mail server managed locally
  – Web server provides presence
♦ Additional security issues
  – Protection of public resources
  – Separation of public and internal networks
Diagram: WWW server and the Internet
Enable Networked Commerce
♦ Additional applications
  – Electronic commerce with controlled access to business systems for ordering, etc.
♦ Additional security issues
  – Secure gateway-internal communication
  – Client-commerce gateway data privacy
  – Strong application authentication of client
Diagram labels: Commerce Gateways; Internal Business Systems; Internet
Enable VPN and Extranets
♦ Additional applications
  – Private connections over public network
  – Virtual Private Network (VPN)
♦ Additional security issues
  – Encryption between remote users/sites and HQ
  – Strong network authentication of client
Diagram labels: Mobile/Home Users; HQ; Remote Site; Extranet Partner; Internet
“Security” Concerns
♦ Assets
  – What information assets do you have?
  – Rank assets based on criticality
♦ Vulnerabilities
  – Weakness or flaw that enables a threat to attack an information system
♦ Threats
  – An entity capable of causing harm to an information system (Hackers, Insiders, Natural Disasters, etc.)
♦ Risk
  – The likelihood that a threat can exploit a vulnerability to attack a system
♦ Countermeasures
  – Mechanisms to minimize the risk to information assets
  – Can be technical or non-technical in nature
Impact: Costs of a Root Compromise
♦ Tangibles
  – Admin time - rebuild, restore, reconfigure
  – End users - Downtime/service unavailable, lost time due to new passwords, etc.
  – Management - Decision making/approval process, legal, etc.
♦ Intangibles
  – Customer Faith / Trust
  – The “Blame Game”
Security Objective: Balance Business Needs with Risks
Security: Authentication, Authorization, Auditing, Nonrepudiation, Confidentiality, Data Integrity, Policy Management
Transparent Access: Connectivity, Performance, Ease of Use, Manageability, Availability
Vulnerability Assessment Benefits
♦ Identify all applicable vulnerabilities
♦ Proper configuration of system components
♦ Educate users, IT staff, and management on threats
  – internal
  – external
♦ Current technical solutions to threat access routes
♦ Network security trends analysis
♦ Assist in security risk management planning
♦ Assist in developing a workable, viable security policy
What Is a “Security Policy”?
“A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.”
Source: RFC 2196, Site Security Handbook draft
First Steps in Designing a Security Policy
♦ Who are our users?
♦ What information needs to be protected?
♦ What are their privileges?
♦ Where is our information?
Designing and implementing appropriate Security Policy
Policy Management spectrum: Closed – Restrictive – Open
♦ Open security policy
  – Permit everything that is not expressly denied
♦ Restrictive security policy
  – Combination of specific permissions/specific restrictions
♦ Closed security policy
  – That which is not expressly permitted is denied
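The three stances differ only in how the same rule set is read. The toy evaluator below is an added example, not part of the presentation; it models open as default-permit with deny rules carving exceptions out, closed as default-deny with permit rules carving exceptions in, and restrictive as first-match over both rule types with a default of deny. The networks, ports and rules are constructed for illustration.

```python
"""Toy policy evaluator for the open, restrictive and closed stances
(added example, not from the presentation).  Networks, ports and rules
below are constructed for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port


INTERNAL = "10.0.0.0/8"    # constructed: the trusted corporate network

# One rule set shared by all stances; only the way it is read differs.
RULES = [
    Rule("deny", "0.0.0.0/0", 23),   # telnet is expressly denied for everyone
    Rule("permit", INTERNAL, None),  # internal users are expressly permitted
]


def matches(rule: Rule, src: str, dport: int) -> bool:
    return ip_address(src) in ip_network(rule.src) and rule.dport in (None, dport)


def evaluate(stance: str, src: str, dport: int, rules=RULES) -> str:
    """Return "permit" or "deny" for a connection from src to dport."""
    hits = [r for r in rules if matches(r, src, dport)]
    if stance == "open":         # permit everything not expressly denied
        return "deny" if any(r.action == "deny" for r in hits) else "permit"
    if stance == "closed":       # deny everything not expressly permitted
        return "permit" if any(r.action == "permit" for r in hits) else "deny"
    if stance == "restrictive":  # first matching rule wins, otherwise deny
        return hits[0].action if hits else "deny"
    raise ValueError(f"unknown stance: {stance!r}")


def compare(src: str, dport: int) -> dict:
    """Decision under each stance for the same connection."""
    return {s: evaluate(s, src, dport) for s in ("open", "restrictive", "closed")}


if __name__ == "__main__":
    # Internal host on telnet: the explicit deny holds under open and
    # restrictive, but a permit-only reading of the closed policy lets the
    # broad internal permit win.  External host on port 80: only the open
    # stance allows it, because nothing expressly permits it.
    for src, dport in (("10.1.2.3", 23), ("10.1.2.3", 443), ("203.0.113.5", 80)):
        print(f"{src}:{dport} -> {compare(src, dport)}")
```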
Improving Security Education
♦ Process and Progress, not perfection overnight!
♦ Form a core group of advocates with shared views
♦ Target management and leaders most likely to be influential in creating a positive security culture
♦ Use case studies and actual events to make your points
♦ Develop a written policy and publish it
♦ Get management buy-in for your policies beforehand
♦ Use a positive approach: focus on opportunities for improvement, not reduction of failure
♦ Recognize & reward positive behavior
See Network World Security Newsletter at: http://www.nwfusion.com/newsletters/sec/0424sec2.html
Security Resources & Best Practices
♦ RFCs: http://www.ietf.org/rfc.html
  – 1173: Responsibilities of Host and Net Managers
  – 2350: Expectations for Computer Security Incident Response
  – 2196: Site Security Handbook
  – 2504: Users' Security Handbook
♦ Vendors
  – Configuration and patches/hotfixes
  – Anti-Virus Updates
♦ Crypto-Gram: http://www.counterpane.com/crypto-gram.html
♦ System Administrator and Network Security Institute (SANS): http://www.sans.org
  – Worst Mistakes committed by Executives, End Users, and IT Personnel
  – Top Ten System and Software Vulnerabilities
♦ Computer Incident Advisory Capability (CIAC): http://ciac.llnl.gov
♦ CERT Coordination Center (CERT/CC): http://www.cert.org
♦ Forum of Incident Response and Security Teams (FIRST): http://www.first.org