
ESTABLISHING TRUSTWORTHY COMPUTING (TC) IN AN ENTERPRISE

Ramesh Shanmuganathan
Executive Vice President / Group CIO
John Keells Group

18th May 2009


AGENDA

 What is Trustworthy Computing (TC)?
 The business need for Trustworthy Computing
 Principles, Framework and Architecture of Trustworthy Computing
 How do I realize Trustworthy Computing?
 Q&A
What is Trustworthy Computing (TC)?

TRUSTWORTHY COMPUTING (TC)

 Security – A system that is resilient to attack, and in which the confidentiality, integrity, and availability of both the system and its data are protected.
 Reliability – A system that is dependable, is available when needed, and performs as expected and at appropriate levels.
 Privacy – A system that people can use to control and protect their personal information, including when organizations choose to use that information.
 Business integrity – The ability to maintain the highest standards in business conduct, to ensure integrity and transparency in all business practices, and to address society's ethical, legal, and commercial expectations.
TRUSTWORTHY COMPUTING ADDRESSES

Confidentiality
◄ Prevents intentional or unintentional unauthorized disclosure
Integrity
◄ Ensures consistency by preventing unauthorized modifications
Availability
◄ Provides reliable and timely access to data and/or computing resources
Identification
◄ The means by which users claim their identities to the system
Authentication
◄ Establishes the user’s identity and ensures that users are who they claim to be
Authorization
◄ Establishes the user’s authorization levels once the user’s identity is established
Accountability
◄ The ability to determine the actions and behaviours of a user within a system
Trustworthy Computing is not a destination but a never ending journey.
What is the business need for TC?

BUSINESS IS CHANGING

Yesterday: Internal Focus – Access is granted to employees only
Today: External Focus – Suppliers, customers, and prospects all need some form of access

Yesterday: Centralized Assets – Applications and data are centralized in fortified IT bunkers
Today: Distributed Assets – Applications and data are distributed across servers, locations, and business units

Yesterday: Prevent Losses – The goal of security is to protect against confidentiality breaches
Today: Generate Revenue – The goal of security is to enable eCommerce

Yesterday: IT Control – The security manager decides who gets access
Today: Business Control – Business units want the authority to grant access

Source: Forrester Research, Inc.


TODAY’S COMPUTING CONTEXT…

 How do I secure my IT domain?
 How do I ensure that the people who are accessing the domain are the people who have been authorized to do so?
 How do I ensure that the authentication is non-repudiable?
 How do I ensure availability and assurance of information access?
 How do I ensure confidentiality and integrity of information stored, accessed and distributed?
 How do I audit and review my security policy in light of an evolving and dynamic business environment?
 How do I manage misuse and abuse of privileges?
 How do I manage external threats from hackers, spam and viruses?

The weakest link can become a vulnerability.
NEED TO DEFEND AGAINST CRIMINAL EXPLOITATION

[Timeline figure, 1977 to 2005, in four eras: Standalone Systems – Disk/Diskette Sharing; Client-server/PC-LAN Networks; Internet; Collaboration (Email, Web, IRC, IM, P2P, File Sharing). The phases are labelled Discovery, Information Warfare and Criminal Exploitation.]

Standalone Systems – Disk/Diskette Sharing
• Apple II Computer, Commodore, Atari, TI-99, TRS-80
• First worm developed in Xerox Palo Alto
• Ken Thompson demonstrates the first Trojan Horse
• Fred Cohen’s experimentation
• FBI arrest of the “414s” hacker group

Client-server/PC-LAN Networks
• First self-destruct program (Richard Skrenta)
• First self-replicating program (Skrenta’s Elk Cloner)
• ©Brain virus developed by two Pakistanis
• Yale, Cascade, Jerusalem, Lehigh, etc.
• VAX viruses
• Morris’ Worm; Robert T. Morris fined $10K, 3 years probation
• “Cuckoo’s Egg” in LBL
• Stealth virus (Whale)
• Variable encryption (1260)

Internet
• First “Concept” Macro Virus; Excel Macro Virus (cross platform)
• Kevin Mitnick arrested, five years imprisonment
• “Solar Sunrise” – two California teens attack 500 Military, Govt, & Private computer systems
• Phishing begins in AOL
• Philippines’ “I LOVE YOU” virus
• Melissa; Melissa’s author sentenced to 20 months jail
• Code Red, Nimda

Collaboration (Email, Web, IRC, IM, P2P, File Sharing)
• Slammer, Blaster, Welchia, MyDoom, Sasser
• DDoS on 13 “root” servers
• Phishing attacks, SPAM mails, Spyware, Bots
• Pharming attacks (DNS poisoning)
• Cyber Crimes

Underlying weaknesses: Protocol weaknesses / buffer overflow proliferated; Insecure defaults / weak security techniques / feature misuse / social engineering; Computer Crimes growing into Cyber Crimes
Standards: UK Green Book to BS 7799 to ISO 17799; Trusted Operating Systems (Orange Book), Trusted Network (Red Book) – ITSEC, Common Criteria (ISO 15408)
ABILITY TO MANAGE THE THREATS MATRIX

Human Threats – Malicious – Outsiders: Hackers | Criminals | Competitors | Governments | Cyber-terror
Human Threats – Malicious – Insiders: Disgruntled or Former Employees
Human Threats – Non-Malicious – Stuff Happens: Forgotten Passwords | Lost Encryption Keys | Accidental Deletion | No/Bad Back-Ups
Natural Disasters: Flood | Fire | Earthquake | Hurricane
ANTICIPATE AND DEFEND AGAINST THE POSSIBLE ATTACK SURFACE

Unknowns | No Auditing | Open Ports | Open File Shares | Weak Passwords | Port Scanners | Password Cracking | Worms | Systems too complex | Viruses | Trojan Horses | Unused Services Left On | Un-patched Web Server | Network Spoofing | Denial of Service | Excessive privileges | No Policies | Poisons (Packets, DNS, etc.) | Packet Sniffing
ADDRESS THE EXTERNAL THREATS THAT ARE OBVIOUS!

Organizational Attacks | Attackers | Automated Attacks | Restricted Data | DoS | Accidental Breaches in Security | Connection Fails | Denial of Service (DoS) | Viruses, Trojan Horses, and Worms

ADDRESS THE INTERNAL THREAT THAT’S OBLIVIOUS!
MANAGE THE VIRTUAL DYNAMICS

Attackers vs. Defenders
 An attacker needs to understand only one vulnerability; the defender needs to secure all entry points
 Attackers have unlimited time; the defender works with time and cost constraints

Security vs. Usability
 Secure systems are more difficult to use
 Complex and strong passwords are difficult to remember; users prefer simple passwords

Security As an Afterthought
 Users and management think that security does not add any business value (“Do I need security?”)
 Address vulnerabilities before they become a disaster

BALANCE THE ACT
Principles, Framework & Architecture of TC

ENDORSE IT/IS GOVERNANCE AS BASELINE

 It’s not security through obscurity
 It’s an alignment of business objectives/needs with IT investments and services
 It is as vital and important as corporate / business governance
 It needs commitment/endorsement from the C-level to be successful!

Governance of Information Technology / Information Security

[Figure: layered governance model spanning BUSINESS to TECHNOLOGY – Business / Technology perspective & Policy Management; Business & IT Integration; User perspective & Process management; User Management, Security Management and Systems Management; Applications and Infrastructure; ICT Infrastructure]
USE REGULATION AND STANDARDS AS A GUIDELINE IN CONTEXT

SEC Reporting Requirement? | Federal Version of SB 1386? | PIPEDA | CA SB1386 | EU Data Protection Act | SEC Regs | Sarbanes-Oxley | FISMA | HIPAA | GLBA | BASEL II
ADDRESS THE PERTINENT ISSUES

 Authentication, Directory, Federation
 Development tools for secure code
 Policy, Code (Identity, Updates)
 Isolation (Firewall, Quarantine)
ENABLE BUSINESS IN A SECURE CONTEXT

 Business Agility
 Embracing IT enabled delivery channels
 360 view of customers – knowledge is power!
 Effective roll-out of corporate/business strategies
 Better time to market

 Return on Investment
 Insurance analogy – security is a necessary evil?
 Risk Management = f(Fear, Uncertainty, Doubt)?
 Confidentiality-Integrity-Availability (CIA) vs Disclosure-Alteration-Destruction (DAD)
SIMPLIFY, STANDARDIZE & OPTIMIZE

Business need as the driver: Growth | Customer service | Regulatory compliance | Varying skill sets | Mobility
Efficiency & Effectiveness: PC maintenance | Server sprawl | Legacy platforms | Deployment and management | Device maintenance | Software updates
Malicious attacks, viruses, spam, etc. | Evolving threats | Patch management, VPN, etc. | Identity management | Secure access (employees, partners and customers)

GOALS: Scalability | Accessibility | Availability
RESULTS: Privacy | Integrity | Authenticity
PROCESSES: Authentication | Authorization | Audit
TOOLS: Firewall | Intrusion Detection | Cryptography | VPN | Virus protection
COMPREHEND THE BUSINESS/ IT STRATEGY

Basic – Uncoordinated, manual infrastructure
 Objective: React | Ability to change: Slow, weeks to months | Resource utilization: Unknown | Processes & automation: Ad hoc | Business alignment: No SLAs | Role of IT: Cost Center

Organized – Centrally managed IT infrastructure with some automation
 Objective: Manage | Ability to change: Weeks | Resource utilization: Known, poor | Processes & automation: Defined | Business alignment: Arbitrary SLAs | Role of IT: Efficient Cost Center

Optimized – Managed and consolidated IT infrastructure
 Objective: Reduce complexity | Ability to change: Days | Resource utilization: Optimized | Processes & automation: Mature | Business alignment: Class of Service SLAs | Role of IT: Business Enabler

Dynamic – Fully automated IT management, dynamic resource usage and business linked SLAs
 Objective: Agility | Ability to change: Minutes | Resource utilization: High, as needed | Processes & automation: Policy-based | Business alignment: Business SLAs | Role of IT: Strategic Asset
USE PDCA AS A BASELINE
Build on an IT Governance model

Information Criteria: Effectiveness | Efficiency | Confidentiality | Integrity | Availability | Compliance | Reliability
IT Resources: Data | Applications | Technology | Facilities | People
Business Processes

CoBIT domains

Plan & Organize
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality

Acquire & Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes

Deliver & Support
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations

Monitor & Evaluate
ME1 Monitor the Process
ME2 Assess Internal Control Adequacy
ME3 Obtain Independent Assurance
ME4 Provide for Independent Audit
Framework/Architecture for TC (Hybrid of ISO 27001 & CoBIT)

 Business drivers
 Information Security Policy
 Information Security Organization
 Asset evaluation, classification and control
 Blueprinting, control measures and management
 Systems acquisition, implementation, delivery & support
 Security deployment, enforcement & risk mitigation
 Access control & incident management
 Business Continuity & Compliance
How do I realize TC?

MAPPING THE BUSINESS NEEDS TO TC

[Figure] Source: © Ernst & Young LLP

PROACTIVE SECURITY PROGRAM = BUSINESS ENABLER

 Identify – ID critical assets and assess risk
 Plan – Develop a proactive security program
 Act – Implement a tailored InfoSec roadmap including policies, training, and technology
 Check – Ongoing monitoring, auditing, updating, & adjusting

Comprehensive Security Policy
• Blue print for a good security program
• Standards based – ISO 27001, CoBIT
• Management buy in
• High level to technical
• Business driven, not vendor driven
• Non-static
RIGID ENFORCEMENT OF THE SECURITY POLICY

 Minimize Exposure to Vulnerabilities
 Prepare for Attacks on Our Systems
 Manage Internal Staff Behavior
 Manage External Access and Activity
 Maintain Appropriate Security Configurations & Response Strategies
 Exploit Built-in Security Features
 Measure and Record Patterns and Trends for Future Security Planning

THE 3 “D”S AND 5 STEP APPROACH

3 “D”s
 Defense
 Deterrence
 Detection

5 steps
 Assets – What is to be protected?
 Risks – What are the threats and vulnerabilities?
 Protections – How will the assets be protected?
 Tools – What will be done to protect them?
 Priorities – In what order will the protective steps be implemented (multi-layered methodology)?

A Layered, Defense in Depth Approach

Security Policy
Physical Security
User / Data Security
Application / Host Security
Network / Perimeter Security
TRUSTWORTHY COMPUTING - BUILDING BLOCKS (TECHNOLOGIES AND OPTIONS)

User: Authentication (Biometrics, Tokens, Digital signatures/certificates, Kerberos), Encryption, AV, anti-malware, Personal FW, Patch Mgmt, etc
Data: Encryption (DES, 3DES, AES), Hashing, Digital signatures/certificates, backups, etc
Application: Application hardening, Identity & Access Mgmt (SSO/LDAP), Authentication/Authorization, etc
Host: OS hardening/Patch mgmt, Host IDS/IPS, Encryption (IPSec, SSL, TLS, RPC), Authentication/Authorization, etc
Network: Partitioning (VLANs, Domains, ACL, EACL), Network IDS/IPS
Perimeter: Firewalls (Stateful, packet, Proxies), VPN, AAA
Physical Security: Guards, locks, tracking devices, HSM
Policies, Procedures, & Awareness: User education against social engineering
TRUSTWORTHY COMPUTING - A REAL-LIFE EXAMPLE..

Components: Restricted Network (Remediation Servers) | Corporate Network (System Health Servers, Network Policy Server) | Network Access Device (DHCP, VPN) | Client

The exchange:
 System Health Servers → Network Policy Server: ongoing policy updates.
 Client → Network Access Device: “May I have access? Here’s my current health status.”
 Network Access Device → Network Policy Server: “Should this client be restricted based on its health?”
 Network Policy Server: “According to policy, the client is not up to date. Quarantine client, request it to update.”
 Network Access Device → Client: “You are given restricted access until fix-up.”
 Client → Remediation Servers: “Can I have updates?” Remediation Servers: “Here you go.” Client is granted update.
 Client → Network Access Device: “Requesting access. Here’s my new health status.”
 Network Policy Server: “According to policy, the client is up to date. Grant access.” Client is granted access to full intranet.
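The quarantine-and-remediate loop above, modelled as an added example (not code from the presentation): a policy server evaluates a client's statement of health against a constructed policy, the remediation server fixes what was flagged, and the client is re-evaluated. The policy values, field names and the `available_patch_level` limit are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Health policy the Network Policy Server enforces (values are constructed).
POLICY = {
    "min_patch_level": 12,        # required cumulative patch level
    "max_signature_age_days": 3,  # AV signatures may be at most this old
    "firewall_required": True,
}

@dataclass
class StatementOfHealth:  # what the client sends with its access request
    client_id: str
    patch_level: int
    av_signature_age_days: int
    firewall_on: bool

@dataclass
class Decision:
    restricted: bool
    failures: list = field(default_factory=list)

def evaluate(soh, policy=POLICY):
    """Network Policy Server: should this client be quarantined?"""
    failures = []
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patch_level")
    if soh.av_signature_age_days > policy["max_signature_age_days"]:
        failures.append("av_signatures")
    if policy["firewall_required"] and not soh.firewall_on:
        failures.append("firewall")
    return Decision(restricted=bool(failures), failures=failures)

def remediate(soh, failures, available_patch_level=12):
    """Remediation server: fix the flagged items it can. Patches are capped at
    what the server has staged, so the client may remain non-compliant."""
    patch = max(soh.patch_level, available_patch_level) if "patch_level" in failures else soh.patch_level
    return StatementOfHealth(
        soh.client_id, patch,
        0 if "av_signatures" in failures else soh.av_signature_age_days,
        True if "firewall" in failures else soh.firewall_on)

def access_cycle(soh, available_patch_level=12):
    """One pass through the exchange on the slide; returns the decisions made."""
    first = evaluate(soh)
    if not first.restricted:
        return ["full access"]
    log = ["restricted: " + ",".join(first.failures)]
    second = evaluate(remediate(soh, first.failures, available_patch_level))
    log.append("full access" if not second.restricted
               else "still restricted: " + ",".join(second.failures))
    return log
```

The second return value of `access_cycle` is the point a real deployment must handle: if remediation cannot bring the client up to policy, it stays in the restricted network rather than being waved through.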
TRUSTWORTHY COMPUTING SCENARIO #1: BLOCKING NETWORK ATTACKS

 Filtering Router (NAT)
 Firewall and AntiVirus / Spyware Gateways
 Secure E-Mail / Anti-Spam
 Secure Web Filtering
 Discovery and Mitigation
 IDS / IPS
 Managed Security Services
 DDoS Defense Tools

TRUSTWORTHY COMPUTING SCENARIO #2: BLOCKING HOST ATTACKS

 Host IPS
 Spyware Removal
 Personal Firewalls and Scan and Block Systems
 Personal AntiVirus
 RootKit Detection and Removal

TRUSTWORTHY COMPUTING SCENARIO #3: ELIMINATING SECURITY VULNERABILITIES

 Vulnerability Management and Penetration Testing
 Patch and Configuration Management and Compliance
 Application Security Testing

TRUSTWORTHY COMPUTING SCENARIO #4: SAFELY SUPPORTING AUTHORIZED USERS

 ID and Access Management
 File Encryption
 Secure Communication
 PKI
 VPN
 Secure Remote Access
 Strong Authentication

TRUSTWORTHY COMPUTING SCENARIO #5: MINIMIZING BUSINESS LOSSES AND MAXIMIZING EFFECTIVENESS

 Secure Information Management
 Fraud in Business Transactions
 Security Skills Development
 Forensics Tools
 Regulatory Compliance Tools
 Log Management
 Business Recovery
 Back-Up

TRUSTWORTHY COMPUTING SCENARIO #6: CONTINUOUS MONITORING & REVIEW

[Figure: Customer Need]
Q&A

A parting thought…

“When the rate of change inside an organization is slower than the rate of change outside an organization, the end is in sight.”
– Jack Welch (1997)

Thank you!

Contact: ramesh@keells.com
