Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the...

Copyright Critical Software S.A. 1998-2008 All Rights Reserved.

COTS based approach for the Multilevel Security Problem

Bernardo Patrão

© Copyright Critical Software S.A. 1998-2008 All Rights Reserved. 2

Outline

Organizations Security Background Statistics & Lessons Learnt Threats The Multilevel Security Mode CSW Multilevel Security Solution Implementation Methodology Conclusion


Background

Organizations are well protected to manage outside threats: firewalls, antivirus, etc.

Communications services like email are business applications

Confidential information is more and more in digital format

Competitiveness, customer pressure, privacy compliances is each time more demanding (SOX, EU DPD, Basileia II, Identity theft, etc.)

Information leakage has increasing business impact

Data

Hackers

Virus Trojans

SPAM

Confidential Information

Customer Information

IntelectualProperty

Financial


Outline



Statistics & Lessons Learned

“80 - 90 per cent of leaks are either unintentional or accidental” Gartner Report

““70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise.””

Vista Research

“Leakage of confidential/proprietary information represents 52% of organizations security threats”

Merrill Lynch survey to North American CISOs, July 2006

“loss of customer and proprietary data overtook virus attacks as thesource of the greatest financial losses”

2007 CSI COMPUTER CRIME AND SECURITY SURVEY


Statistics & Lessons Learned

Deutsche Bank Loses Hertz IPO Role Because of E-Mails

“Nov. 8 (Bloomberg) -- Deutsche Bank AG, Germany's largest bank, lost its spot among the underwriters of Hertz Global Holdings Inc.'s initial public offering after an employee sent unauthorized e-mails to about 175 institutional accounts.”

Ubisoft "accidentally" leaks tons of assets

“Over two gigs worth of screenshots, videos, and concept art was apparently accidentally posted by Ubisoft on their public ftp server. Whoops.”


Outline



Threats

Confidential information sent by email to external addresses

Failures on the identification of confidential information

Mishandling of confidential information Confidential information stored in

portable devices Misuse of communication and data

sharing services


Outline



The Multilevel Security Model

Multilevel security Users have a security

clearance

Objects are assigned with security classification

Users access objects based on their security clearance and the object security classification

Flow of information is controlled based on the object security classification



Information Access Control All users have a security clearance

All information should have a security mark and level

The security mark/level should be impossible to forge and easy to identify

The access control depends on the information security mark and on user’s security clearance

All accesses are registered for future auditing



Information Flow control Verify the outputs produced by different

sources

Prevent unauthorized users to change the classification mark

Identify the security mark/level, and enforce the defined policy

All the data flow is logged for auditing


Outline



CSW Multilevel Security Solution

Information Security requires intervention on all elements of the infrastructure

Workstations Enforce the classification (protection) of office files or email

messages Control what the user can do (change, print, copy-paste, …) Allow classification (protection) of any type of file

Network border Control the information Flow for several communication services

E-mail FTP IMS, …

Corporate Servers Enforce protection policies for information stored on corporate

servers Content Management Servers File Servers Collaboration Servers, …


CSW Multilevel Security Solution

Multilevel Management Tools Configuration

Easy to use, web based tools to manage Marks / Levels Users security clearances Access and Flow Policies

Auditing Consoles tailored to meet the organization

requirements and compliance Data mining solutions for intelligent alarms

and advanced data collection


CSW Multilevel Security Solution1 – Users A and B execute log-in in the organization domain. Authentication and the authorization is performed.Information access policy is enforced

2 – User A classifies a document or an e-mail message with a SecurityMark and saves it or sends it.User B accesses the document or the e-mail message.He can access the document but doesn’t have printing privilege

3 – User B uploads a document to a content manager server; document is marked with the mark defined.Information on the servers is encrypted.

4 – Border Protection Device denies the flow of marked information

5 – Configure the security policy, clearances and marks

6 – Audit for compliance


CSW Multilevel Security Solution – Classification tools

Seamless COTS Tools integration



1

3

2



CSW Multilevel Security Solution – Administration tools

AdministratorConsole

5

Main overview and client update




5

Authorization Management (Credentials)




5

Classification Marks/Levels Management




5

Access and Flow Policies Management

BPD

4


CSW Multilevel Security Solution – Auditing tools

Auditing Tools


Outline



Implementation Methodology

1) Perform a Risk Assessment2) Define Security Policies and

Procedures3) Identify COTS Hardware and Software4) Define the configuration for the

System5) Develop Integration Tools to enforce

policies


Outline



Conclusion

A ready to use solution and based on well accepted COTS

Smooth learning curve – well known user interfaces

Compatibility with existing systems Low TCO Reduced technological risks Flexibility - Easy customization for specific

client requirements


Questions?

Thank You

Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the...

Documents

Transcript of Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the...