Supply Chain World 2000 - Securing the New E-conomy. April 11, 2000. Anne Gugel, CISSP, Baltimore Technologies, (703)749-1406, agugel@baltimore.com. BCP - v1.0 - 04/99

e-Security - The Challenge
• Impact of the Internet
• Need for e-Security
• Current Legislation
• Resources Available
• Technical Security Solutions
• Critical Success Factors
Internet is Driving e-Business
• By 2002 the global e-Commerce software market will be worth $2.8 billion (Datamonitor)
• There will be 200 million Internet users by 2002 (Intelliquest)
• The Internet e-Commerce market will grow to $1.2 billion by 2002 (IDC)

Benefits of e-Business [bar chart, 0% to 30% scale: single biggest benefit named by the organizations surveyed]
• New markets / customers
• Speed of response
• Cost savings
• Flexibility / adaptability
• Simplification of tasks
Source: KPMG

Typical e-Business Users
• Finance and Banking: inter-bank transactions, corporate banking and trading services ...
• Government: filing tax returns, submitting tenders, filing customs dockets ...
• e-Commerce Networks: supply-chain management, trading, buying and selling ...
• Healthcare: access to patient records, non-repudiable communications ...
• Manufacturing: supply-chain management ...

e-Business Users by Sector [chart] 36% of 500 companies surveyed are involved in e-Business. Source: KPMG

The Growth of Internet / intranet Security 1997 - 2001 [chart; source: Datamonitor]

Internet Security Issues
• "On average, every site newly installed on the Web will be accessed within 28 seconds and attacked within 5 hours"
• "60% of hackers said the opportunity for accessing systems is increasing, aided by the growth of the Internet"
• "75% of organisations surveyed reported financial losses due to security breaches ranging from financial fraud to theft of information to laptop computer theft"
• "60% of networks are penetrated over 30 times a year"
Sources: Computacenter Survey, 1997; Computer Crime and Security Survey, WarRoom Research, Internet Week, March 1998

E-Crime - The Perpetrators [chart taken from a CSI / FBI Survey of detected computer crime]
The Role of e-Security
Protective:
• Protection of key assets - information, reputation
• Corporate governance - legal obligations
Business enabling:
• Creating new business opportunities - Internet
• Enabling new working practices - intranet
e-Security underpins customer confidence in the organisation and the services it provides

E-Business Security Requirement
Protection of information - from end-to-end:
• Consistently
• From point of entry
• To point of use
• Independent of network and network topology
• Including authentication of sender ... and receiver

Enterprise and e-Commerce Security
Enterprise security drivers:
• Internally focused
• Business process re-engineering
• Protection of corporate assets
• Intranet and extranet
e-Commerce security drivers:
• Externally focused
• New routes to customers and markets
• Creating customer confidence
• Internet
Keys to Enterprise Security • Risk Assessment • Policy and Procedures • Security Education, Training and Awareness • Technical Security Solutions • Certification and Accreditation • Intrusion Detection and Incident Response • Disaster Recovery and Business Continuity Planning
Legislation
• Computer Security Act, 1987 (PL 100-235)
• Government Information Security Act, 1999 (S.1993)
• OMB Circulars A-130, A-123, A-127
• PDD 62, 63 (Presidential Decision Directives)
• Critical Infrastructure Protection Program
• Privacy Act of 1974

Legislation Cont'd
• For status of recently enacted and proposed legislation: http://www.thomas.loc.gov
• Security and Freedom through Encryption (SAFE) Act (H.R. 850)
• Cellular telephone privacy: (106) H.R. 514, Wireless Privacy Enhancement Act of 1999; P.L. 105-172, Wireless Telephone Protection Act
• Computer Security Act of 1987
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Concept of "Due Diligence"

Electronic Signature Legislation
• H.R. 1572, Digital Signature Act
• H.R. 1685, Internet Growth and Development Act
• H.R. 1714, Electronic Signatures in Global and National Commerce Act
• Government Paperwork Elimination Act (GPEA), 1998: requires federal agencies to accept electronic submissions and electronic signatures, where practicable, by October 2003
• 50 states have enacted digital signature legislation: http://www.mbc.com/ecommerce/legis/table01.html
• Medical Information Privacy and Security Act (H.R. 1057)

Government Resources
• CERT(sm) Coordination Center: publishes list of product vulnerabilities, www.cert.org
• Federal Computer Incident Response Capability (FedCIRC): www.fedcirc.gov
• Forum of Incident Response and Security Teams (FIRST): www.first.org
• Federal Bureau of Investigation (FBI) National Infrastructure Protection Center (NIPC): www.fbi.gov/nipc
• Computer Incident Advisory Capability (CIAC): ciac@llnl.gov

Product Evaluation Programs
• Common Criteria: evaluations are mutually recognized by the following countries: US, Canada, UK, Australia, France, Germany, Netherlands
• Common Criteria home page: http://csrc.nist.gov/cc/
• List of evaluated products: http://niap.nist.gov/cc-scheme/ValidatedProducts.html
• FIPS 140-1; FIPS 140-2
• Details and other FIPS cryptographic standards (DES, DSS, SHS): http://csrc.nist.gov/cryptval/
• List of validated products: http://csrc.nist.gov/cryptval/140-1/1401vend.htm
Technical Considerations • Policy Implementation • Scalability • Flexibility • Interoperability • Standards Based Development • Training and Support
Operational Considerations • Policy Implementation • Ease of Use • Graphic user interface vs command line interface • Training and experience required to implement and operate in accordance with policies • Ease of Management • Education, Training and Awareness • User Acceptance
e-Security Creates Confidence
Confidence ...
• ... in the identity of an individual or application: AUTHENTICATION
• ... that information can be kept private: CONFIDENTIALITY
• ... that information cannot be manipulated: INTEGRITY
• ... that information cannot be disowned: NON-REPUDIATION

Common E-Security Technologies
• Virtual Private Networks (VPN): IPsec
• Email Security Solutions: S/MIME v2, v3
• Access Control: smart cards, biometrics; single sign-on solutions
• Firewalls
• Intrusion Detection Systems
• Anti-virus tools
• Active Content Scanners
• Public Key Infrastructure

e-Security Technology Features [matrix of which of Authentication, Integrity, Non-repudiation and Confidentiality each technology provides]
• Public Key Infrastructure: Authentication, Integrity, Non-repudiation, Confidentiality (all four)
• Encryption: Confidentiality
• Anti-virus, Firewalls, Access Control: each covers only some of the four properties (anti-virus one, firewalls two, access control two)

PKI - Public Key Infrastructure
PKI uses public key cryptography to deliver:
• Data confidentiality: encryption
• Data integrity: digital signatures
• Authentication: digital signatures and certificates
• Non-repudiation: digital signatures and certificates

An Analyst's View
"Given the growing importance of public key cryptography to many applications from e-mail to electronic commerce, a PKI is probably the most critical information security investment a company will make in the next three years." Source: Ira Machefsky, Giga Group

A PKI Comprises ...
• Certificate Authority
• Directory
• PKI-enabled Applications
• Security Policy

PKI, End Entities and Certification Process [diagram: CA, RA, Directory Services and End Entity, with the certificate lifecycle: Verification of Applicant, Certificate Generation, Certificate Publication, Certificate Revocation, Certificate Expiration, Certificate Archiving]
CA - Certification Authority
• Controls policy
• Generates certificates
• Manages revocation lists
• Updates directory
• Protects issuer (CA) keys
RA - Registration Authority
• Identifies end entity
• Allocates to roles
• Interface to end entities
DS - Directory Services
• Publishes end entity information
End Entities (users, applications, etc.)

Benefits of PKI - ( I )
• Users unknown to one another can communicate securely provided that they have a 'chain of trust' via CA(s)
• Reduces problems of securely distributing secret keys
• No need for pre-agreed key material
• Supports 'many to many' relationships

Benefits of PKI - ( II )
• Highly scalable
• Enables use of the same technology for a wide range of applications
• Standards based - so products can inter-operate
Enables cryptographic services to secure applications over insecure networks and hence enables electronic business
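The four confidence properties, the CA/RA/end-entity roles and the 'chain of trust' of the PKI slides above, as an added Go example; this is not code from the original deck or from Baltimore Technologies. It uses only Go's standard library, signs with ECDSA on P-256 rather than the RSA named in the case study, and every name, serial number and message in it is constructed for the example. A receiver who trusts only the root CA first chains the sender's certificate to that root (authentication of the sender), then checks the signature against the key in that certificate (integrity, and non-repudiation since only the holder of the private key could have produced it). A tampered message and a certificate that merely claims the sender's name but was never issued by the trusted CA are both rejected. Confidentiality (encryption) is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party is an end entity or CA holding its certificate and private key (constructed example data).
type Party struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCert generates a P-256 key pair and a certificate for it: self-signed (a root CA) when parent
// is nil, otherwise issued by parent, the CA's certificate-generation step after the RA has identified the applicant.
func newCert(cn string, serial int64, isCA bool, parent *Party) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Party{Cert: cert, Key: key}, err
}

// Sign signs the SHA-256 digest of msg with the sender's private key: integrity and non-repudiation.
func Sign(sender *Party, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, sender.Key, digest[:])
}

// Verify is the receiver's side. It trusts only the root CA, so it first builds a chain of trust from
// the sender's certificate to that root (authentication), then checks the signature against the certificate's key.
func Verify(root, senderCert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := senderCert.Verify(opts); err != nil {
		return fmt.Errorf("sender certificate does not chain to a trusted CA: %w", err)
	}
	// CheckSignature hashes msg with SHA-256 and verifies the ASN.1 ECDSA signature with the certificate's public key.
	if err := senderCert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature does not match message: %w", err)
	}
	return nil
}

// must panics on error so the demonstration below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo runs three exchanges and reports whether each behaved as a PKI should: a genuine message verifies,
// a tampered message is rejected, and a self-issued certificate that only claims the sender's name is rejected.
func Demo() (genuineOK, tamperDetected, rogueDetected bool) {
	ca := must(newCert("Example Root CA", 1, true, nil))
	alice := must(newCert("alice@example.test", 2, false, ca))
	mallory := must(newCert("alice@example.test", 3, false, nil)) // same name, not issued by the trusted CA
	msg := []byte("PAY 1000.00 EUR to account 123456")              // constructed sample message
	sig := must(Sign(alice, msg))
	genuineOK = Verify(ca.Cert, alice.Cert, msg, sig) == nil
	tampered := []byte("PAY 9000.00 EUR to account 123456")
	tamperDetected = Verify(ca.Cert, alice.Cert, tampered, sig) != nil
	rogueDetected = Verify(ca.Cert, mallory.Cert, msg, must(Sign(mallory, msg))) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The receiver never needs a pre-shared secret with the sender; it needs only the root CA's certificate, which is the 'many to many' property the benefits slide claims. Note that Verify passes ExtKeyUsageAny because the leaf carries no extended key usage; a production verifier would require the usage appropriate to the application, and would also consult the CA's revocation list, which this example omits.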
Case Study : European Bank - Enterprise-wide cryptographic infrastructure
Current Situation
• Different solutions for the same problems
• Security integrated in the applications
• Re-use of solutions is a problem
• Variety of different tools
• Integration of partial solutions is difficult
• Parts of the infrastructure not covered
• Policy (end-to-end) is not facilitated

Case Study : European Bank - Enterprise-wide cryptographic infrastructure
Business Requirements
• Infrastructure based
• Multi-platform support
• Performance scalability
• Session based or store-and-forward
• Hardware independence
• Availability

Case Study : European Bank - Enterprise-wide cryptographic infrastructure
Security Requirements
• End-to-end message security
• Node authentication
• Software integrity
• Automated key management
• Standards based: DES and RSA
• Use of existing technology and existing suppliers

Case Study : European Bank - Enterprise-wide cryptographic infrastructure [architecture diagram: Certificate Authorities, Registration Authority, Directory Services and key management at the centre; corporate and network crypto servers; host security on the MVS back-end data processing, Tandem front-end transaction processing and AS400 systems; workstation security for user workstations and servers]

A European Bank
"We selected Baltimore because of their understanding of the security needs of the banking sector. We expect their PKI and their systems integration capability will give us exactly the solution we require." VP, IT Solutions Division
Industry Trends
• Globally distributed infrastructures
• Variety in platforms: NT, Unix, Linux, HP, etc.
• Use of public networks
• External connections
• Moving from perimeter to end-to-end security
• Expanding use of digital signatures and certificates

Industry Trends Cont'd
• Emerging technologies: wireless (Personal Digital Assistants, Internet-ready cell phones), XML
• Emergence of open, standards-based systems
• Requirement to support new and legacy applications
• Demand for higher levels of assurance: strong identification and authentication, non-repudiation, confidentiality, trusted third parties

Critical Success Factors
• Technology is NOT the primary issue
• Business needs must drive the security agenda
• Security should not impact on users
• Security should enable business, not hinder it
• The solution should provide end-to-end security