Information Security: Addressing Surety for Various Communities
Georgia Tech Information Security Center Fall 2004 Distinguished Lecture Series
November 4, 2004
Roger Callahan, Bank of America

Today*
• Discuss the need for information security “surety”.
• What does that mean?
• Emerging indications.
• “Surety” framework.
*Note: These views represent solely those of the author and not necessarily those of Bank of America.
Today’s amazing information technology environment
(Figure: a set of charts, including one titled “Number of transistors on a microprocessor”; only the panel title and the sources below survive extraction.)
*Source: Bureau of Economic Analysis data published March 25, 2004
**Source: http://www.intel.com/research/silicon/mooreslaw.htm
***Source: Internet Software Consortium (www.isc.org)
****Source: “Exploiting Software: How to Break Code”, Gary McGraw and Greg Hoglund, Addison-Wesley 2004
A Perspective
• Communications Security (COMSEC): BC
• Computer Security (COMPUSEC): 1970
• Information Security (INFOSEC): 1980
• Information Assurance (IA): mid-1990s
• Defensive Information Warfare
• Critical Infrastructure Protection: late 1990s
• Critical Infrastructure Assurance
• Homeland Security: 2001-2003

For Discussion
• This complex information technology environment, and the continuing rapid change in technology, challenges everyone.
• All businesses, but especially small businesses and personal users, have significant computing and communication power at their disposal and are using it.
• Knowledge and diligence are essential to achieving secure use of information systems.
• Significant variance exists in how adequately information security practices are applied.
• Can a new “surety” approach improve the situation?
Value in Centralized Management Approaches: Perimeter Security Experience
(Figure: each operational organizational unit manages its own firewalls.)

Value in Centralized Management Approaches: Perimeter Security Experience
(Figure: an information security organization manages a firewall utility.)

Comprehensive Protection Framework: Defense in Depth
(Figure: a grid with rows People, Technology, Process and columns Prevent, Detect, Respond/Recover.)

An Interesting Measure
(Figure: survival time chart.) Source: Internet Storm Center, SANS (http://isc.sans.org/survivabilityhistory.php)

Proactive Protection Measures
• Firewall
• Anti-viral software
• Configurations and practices that reduce risks
• Monitoring
• Keep knowledge current
• Apply software updates (patches)
Surety
Definition: 3) A pledge or formal promise made to secure against loss, damage, or default: a guarantee or security.¹
Familiar legal arrangement: Surety Bonds are three-party agreements in which the issuer of the bond (the surety) joins with a second party (the principal) in guaranteeing to a third party (the obligee) the fulfillment of an obligation on the part of the principal.
• An obligee is the party (person, corporation or government agency) to whom a bond is given.
• The obligee is also the party protected by the bond against loss.²
¹ The American Heritage Dictionary
²

Other Applications of the Word ‘Surety’
Sandia National Laboratories:
• Weapons surety: engineering design concepts that originated in nuclear weapons engineering.
• Surety of an information system: defined as ensuring the “correct” operation of an information system through the incorporation of appropriate levels of safety, functionality, confidentiality, availability and integrity¹, using an integrated risk assessment modeling methodology to identify proper design decisions.
¹ “Toward a Risk-Based Approach to the Assessment of the Surety of Information Systems”, U.S. DOE Contract DE-AC04-94AL8500
An Information Security Surety Framework
• A ‘managed service’ that provides a guarantee (“surety”) of a particular level of security, including recovery if the guarantee is not met.
• Requires:
  • Business case:
    • Applicability
    • Defined levels of security
    • Use of risk management (e.g. insurance industry collaboration)
  • Appropriate public policy and legal construct:
    • A ‘safe harbor’ for qualified service providers
    • Rapid mediation/dispute resolution mechanism
  • Required technological implementation mechanisms:
    • Proactive defense-in-depth approach, remote configuration and management, configuration control, monitoring capability, and the ability to log and quantify the causes of a failure

Emerging Indications
• Automated virus updates
• ISP spam and content filtering
• Protection from DDoS
• QoS options
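The configuration-control and failure-logging requirements of the framework above, together with the centrally managed firewall utility on the earlier “Perimeter Security Experience” slides, can be illustrated with a baseline compliance check: a central security organization publishes the rules a unit firewall may permit, each unit's rule set is compared against that baseline, and every unauthorized allow rule is recorded as a named cause of failure. The Python below is an added example written for this page, not code from the lecture or from Bank of America; the rule-file format, the network ranges and the two unit configurations are constructed for illustration.

```python
"""Baseline compliance check for centrally managed firewall rules.

Added example (not from the lecture). A central baseline of allow rules is
the guaranteed level of protection; a unit rule set is compliant only if each
of its allow rules is covered by some baseline allow rule. Deviations are
returned as loggable cause strings so failures can be counted and attributed.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Hypothetical rule format, one rule per line:  action proto src dst port
#   action: allow|deny   proto: tcp|udp|any   src/dst: IPv4 CIDR   port: number|any


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means any port


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule format; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        action, proto, src, dst, port = parts
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {lineno}: bad action or protocol")
        rules.append(Rule(action, proto,
                          ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst),
                          None if port == "any" else int(port)))
    return rules


def covered_by(rule: Rule, baseline: List[Rule]) -> bool:
    """True if some baseline allow rule is at least as broad as `rule`
    in protocol, source network, destination network and port."""
    for b in baseline:
        if b.action != "allow":
            continue
        if b.proto != "any" and b.proto != rule.proto:
            continue
        if not rule.src.subnet_of(b.src) or not rule.dst.subnet_of(b.dst):
            continue
        if b.port is not None and b.port != rule.port:
            continue
        return True
    return False


def deviations(unit: List[Rule], baseline: List[Rule]) -> List[Rule]:
    """Allow rules on the unit firewall that the baseline does not authorize.
    Deny rules are never deviations: a unit may be stricter than the baseline."""
    return [r for r in unit if r.action == "allow" and not covered_by(r, baseline)]


def compliance_report(unit_name: str, unit_text: str, baseline_text: str) -> dict:
    """Return a loggable record: compliant flag plus one cause string per deviation."""
    bad = deviations(parse_rules(unit_text), parse_rules(baseline_text))
    causes = [f"{unit_name}: unauthorized allow {r.proto} {r.src} -> {r.dst} "
              f"port {'any' if r.port is None else r.port}" for r in bad]
    return {"unit": unit_name, "compliant": not bad, "causes": causes}


# Constructed sample data (not real networks or policies).
BASELINE = """
# Central baseline: HTTPS from anywhere, SSH only from internal address space
allow tcp 0.0.0.0/0  10.1.0.0/24 443
allow tcp 10.0.0.0/8 10.1.0.0/24 22
deny  any 0.0.0.0/0  0.0.0.0/0   any
"""

UNIT_A = """
allow tcp 0.0.0.0/0   10.1.0.0/24 443
allow tcp 10.2.0.0/16 10.1.0.0/24 22    # narrower than baseline: acceptable
deny  any 0.0.0.0/0   0.0.0.0/0   any
"""

UNIT_B = """
allow tcp 0.0.0.0/0 10.1.0.0/24 443
allow tcp 0.0.0.0/0 10.1.0.0/24 22      # SSH from anywhere: wider than baseline
allow tcp 0.0.0.0/0 10.1.0.5/32 23      # telnet: not in baseline at all
deny  any 0.0.0.0/0 0.0.0.0/0   any
"""

if __name__ == "__main__":
    for name, text in (("unit-A", UNIT_A), ("unit-B", UNIT_B)):
        report = compliance_report(name, text, BASELINE)
        print(report["unit"], "compliant" if report["compliant"] else "NOT compliant")
        for cause in report["causes"]:
            print("  ", cause)
```

Coverage is checked rule by rule rather than by exact string match, so a unit that is stricter than the baseline (unit-A) passes while one that widens a source range or opens a port the baseline never mentions (unit-B) fails with a distinct cause for each offending rule. Those cause strings are what a managed-service provider would need to log in order to quantify why a guaranteed configuration was not met.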
A Parallel
(Figure: the same surety parallel drawn for the enterprise, small business and consumer.)

Surety for Various Communities
(Figure: the surety opportunity spanning consumers, small businesses and large enterprises.)

How could the concept be further developed?
An integrated effort:
• Business case
• Risk management options
• Public policy benefit
• Legal solution
• Technological construct
• Dispute resolution mechanism
• Pilot implementation
Surety may be in your future… Roger Callahan Phone: 704-388-8455 Email: roger_callahan@bellsouth.net