Protecting Corporate Data
Enterprise Storage: A Strategy to Consider
Information Security: Security Policy and Standards
Data Security and Compliance
Why Is Data a Priority?
Survey question: What do you consider to pose the biggest current threat to your organization's overall security? (multiple responses)
- Leakage of confidential/proprietary information: 52%
- Unpatched vulnerabilities: 24%
- Insider attacks: 18%
- Spyware: 14%
- Phishing attacks: 10%
- Malicious code: 4%
- Spam: 4%
- Denial of Service attacks: 4%
- Fraud: 2%
- Keystroke loggers: 2%
Source: Merrill Lynch survey of 50 North American CISOs, July 2006
Cost of Data Breaches: $140/record in total
- Indirect costs: $1.5M ($15/record)
- Direct costs: $5.0M ($50/record)
- Opportunity costs: $7.5M ($75/record)
Source: Ponemon Institute, SVB Alliant
Common Questions
- Where is my confidential data?
- Where is my data going?
- Who is using the data?
- How can I protect it?
- What is the impact of losing crucial data?
- How do I get started?
- How much does it cost?
Multiple Layers of Security in Place to Protect
- Physical Security
- Personal Security
- Operational Security
- Communications Security
- Network Security
- Information Security
Critical Characteristics of Information
Availability:
Enables users who need to access information to do so without interference or obstruction, and to receive it in the required format.
Accuracy:
Free from mistakes or errors.
Authenticity:
The quality or state of being genuine or original, rather than a reproduction or fabrication.
Confidentiality:
The state of preventing exposure to unauthorized individuals.
Integrity:
The state of being whole, complete and uncorrupted.
Utility:
The state of having value for some purpose.
How Things Have Changed: Hardware
Component | 1970s | Now
User Interface | Mainframe terminals | Desktops, laptops, PDAs, cell phones
Connection | Direct connection | Direct connection, LANs, WAN, wireless, ISDN etc.
Monitors | Monochrome character display using vacuum tubes | Full color pixel-based matrix display, PDAs
Unit of storage capacity | Kilobytes and megabytes | Gigabytes and terabytes
Processor Speed | Kilobytes per second | Gigabits per second
Processor | Sequential processing | Multitasking/multiprocessing
Storage interface | 80-column hole-punch cards | Desktops, workstations, terminals, laptops, wireless devices
Storage Media | Magnetic tapes | Floppy disks, hard drives, CDs, CD-Rs, CD-RWs, DVD-Rs, Zip drives
How Things Have Changed: Software and Data
Area of Concern | 1970s | Now
Operating System | Mainframe specific: IBM, Unisys, Honeywell, HP, etc. | Microsoft (2000/XP), UNIX (e.g. Solaris, SGI, AIX), Linux, Mac OS X
Type of Data | Characters/text | Text, graphics, audio, video etc.
Word Processor | N/A - manual typewriter | Word, WordPerfect
Calculations | N/A - paper, calculators | Spreadsheet (e.g. Excel, Lotus 1-2-3)
Scheduling | N/A - paper calendar | Outlook, GroupWise
Presentations | N/A - special-order clear slides | PowerPoint
Music | N/A - radio | MP3 files
Architecture design | N/A - paper blueprints | CAD software
Video | N/A - TV | Stored and real-time AVI files; cameras on desktops, doorways, etc.
Pictures | N/A - camera | Digital files
Programming Language | COBOL | VB, Java, XML etc.
How Things Have Changed: IT Security
Subject/Topic | 1970s | Now
Users | Limited to those with direct-connect terminals | Anyone on the Internet
System architecture | Single mainframe | Many interconnected networks of various configurations
System Access | Only required a terminal with direct wiring | Network access with user ID, password, authentication, single sign-on
Data Connection | Clear text | Clear and encrypted
Data Availability | By request | Available on the Internet
Access Concerns | Internal access via terminal at desk | Internal access, anyone on the LAN, Internet users
Data security | Tape library | Data on disks, CDs, hard drives, laptops, PDAs, and other media
Data storage | Clear text | Compressed, encrypted, large volume
Communications protocols | Vendor specific for terminal access | Many: HTTP, FTP, SSL, Telnet, SSH, IMAP, UDP, TCP, etc.
Environment protection | Building, rooms, lock boxes, fire suppressors | Same plus firewalls (network and personal), IDS, anti-virus software
Security & Integrity
Security concerns:
- Protection of data against unauthorized disclosure, alteration, or destruction.
- Mechanisms for controlling access to data.
Integrity concerns:
- Protection of the database against accidental or intentional loss, or misuse.
Tools of Security Management
- Access controls
- Encryption
- Virus defenses
- Backup files
- Security monitors
- Biometric security
- Disaster recovery
- Firewalls
I - Access Control Devices
Access control encompasses two processes:
- Confirming the identity of the entity accessing a logical or physical area (authentication)
- Determining which actions that entity can perform in that physical or logical area (authorization)
Authentication Mechanisms
Mechanism types:
- Something you know
- Something you have
- Something you are
- Something you do
II - CRYPTOGRAPHY
The word cryptography in Greek means secret writing. The term today refers to the science and art of transforming messages to make them secure and immune to attacks.
Cryptography components
In cryptography, the encryption/decryption algorithms are public; the keys are secret.
III - FIREWALLS
A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.
How a Firewall Works
Diagram: a firewall (software or hardware) sits between the Internet and the corporate network. Allowed: only traffic meeting the specified criteria is let through. Disallowed: traffic that does not meet the specified criteria, such as a hacker's, is stopped.
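A first-match packet filter in the spirit of the diagram above, added here as an illustration (it is not code from the original slides); the rules, the packet shape and the sample traffic are constructed for the example.

```python
# Added example (not from the original slides): a first-match packet filter
# that forwards traffic meeting the configured criteria and stops the rest.
# Rule fields, the packet dict shape and the sample packets are constructed.
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# (action, source network, destination port or None for any). Rules are checked
# top to bottom and the first match decides; anything unmatched is dropped.
Rule = Tuple[str, str, Optional[int]]
RULES: List[Rule] = [
    ("allow", "0.0.0.0/0", 443),     # anyone may reach the corporate HTTPS service
    ("allow", "10.0.0.0/8", None),   # the internal network may reach any port
]

def decide(packet: dict, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for a packet given as {'src': ip, 'dport': port}."""
    src = ip_address(packet["src"])
    for action, net, port in rules:
        if src in ip_network(net) and (port is None or port == packet["dport"]):
            shown = "any" if port is None else port
            return action, f"matched rule {action} {net} port {shown}"
    return "deny", "no rule matched (default deny)"

def filter_traffic(packets: List[dict], rules: List[Rule] = RULES):
    """Forward allowed packets; record a log line for each disallowed one."""
    forwarded, dropped = [], []
    for p in packets:
        action, reason = decide(p, rules)
        if action == "allow":
            forwarded.append(p)
        else:
            dropped.append(f"DROP src={p['src']} dport={p['dport']} ({reason})")
    return forwarded, dropped

# Constructed sample traffic (203.0.113.0/24 is a documentation address range)
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dport": 443},   # Internet user reaching the web server
    {"src": "203.0.113.7", "dport": 22},    # Internet user trying SSH: stopped
    {"src": "10.20.30.40", "dport": 22},    # internal host: allowed
]
```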
Additional Readings
- 2004 CSI/FBI Computer Crime and Security Survey: www.gocsi.com
- Secure Socket Layer: http://www.windowsecurity.com/articles/Secure_Socket_Layer.html
- E-commerce: http://www.sans.org/rr/whitepapers/ecommerce/569.php
- SET To Pull Down the Security Barrier in Front of
Security: Top Business Priority
The pressure to mitigate business & IT risk seems to be increasing
External & business:
- External threats seem more visible and frequent
- New security risks emerge each month
- Requirements grow for compliance & risk management to protect corporate reputation
Customers & service levels:
- Web-based business & demanding customers require a better level of IT service
- More applications & processes are becoming business-critical
- Potential to use high availability as a differentiator
Operational & technical:
- 24 x 7 global operations shrink the window for back-up & downtime
- Mergers & IT consolidation put more pressure on centralized IT systems
- A dynamic business & IT environment impacts continuity and IT processes more often
Executives are asking tougher questions
CEO
- The past: Do we really need a disaster recovery plan?
- Today: Am I sure that my business can keep going in a crisis or emergency?
CIO
- The past: Do we have service level agreements with our users?
- Today: Are we building operational excellence into our IT service?
IT Manager
- The past: If the system fails, how quickly can it recover?
- Today: How can we get the right levels of security & availability in our new system from day one?
Impact of LOSS
Customers need to identify business & IT risks
Chart: risks plotted by frequency (low to high) against impact (low to high). Risks shown: natural disaster (fire, flood, adverse weather); man-made disaster (terrorism, malicious damage); security breach (hacker); denial of service attack; virus attack; internal security/fraud; compliance risk; application failure; power/network failure; software failure; hardware failure; planned downtime.
... they should understand the potential causes of downtime
Causes of unplanned downtime
- Software System Failure: 27%
- Hardware System Failure: 23%
- Human Error: 18%
- Network Transmission Failure: 17%
- Environmental Factors (Natural Disaster): 8%
- Uncertain: 7%
Source: Contingency Planning Research, Inc., a division of Eagle Rock Alliance, Ltd., West Orange, NJ.
Impact of downtime
- Revenue: Direct loss, compensatory payments, lost future revenues, billing losses and investment losses
- Productivity: Number of employees impacted x hours out x burdened hours = ?
- Damaged reputation: Customers, competitors gain advantage, suppliers, financial markets, business partners
- Financial performance: Revenue recognition, cash flow, credit rating, stock price, regulatory fines
Chart: $ impact against downtime (minutes to days). Direct financial/customer impact shows a constant increase; productivity/employees, damaged reputation and financial performance show an exponential increase, from $ millions to $ billions.
The indirect impact of downtime can be far more severe and unpredictable
Information Security Management
Corporate Information Security Management Process Flow
CORPORATE INFORMATION SECURITY MANAGEMENT PROCESS
Development:
- Develop Corporate Information Security Policy
- Develop Controlling Framework
- Develop Support System Framework
Monitoring:
- Monitor & review Information Security Policy awareness
- Monitor & review the information security level of servers & desktops (PCs, notebooks, and others)
Measurement:
- Measurement of compliance to ISO 27001 & COBIT
- Analysis of system vulnerabilities
- Analysis of information security incidents
- Review of existing policies
Improvement:
- Maximize the use of all applications of information security management
- Share good practice in information security management across business units
- Improve existing policies
Information Security Policy, Standards and Practices
Communities of interest must consider policies as the basis for all information security efforts. Policies direct how issues should be addressed and which technologies are used.
Security policies are the least expensive controls to execute but the most difficult to implement.
Security Professionals and the Organization
Management should have:
Chief Information Officer (CIO)
Translates the strategic plans of the organization as a whole into strategic information plans for the information systems.
Chief Information Security Officer (CISO)
Responsible for the assessment, management and implementation of security for the organization's information.
Security Project Team
- Team leader/project manager
- Security policy developers
- Risk assessment specialists
- Security professionals
- Systems administrators
- End users
CASELET 1
American Family Insurance: Evaluating Security
When undertaking a new development project, American Family enables the business unit project managers to set security requirements themselves. A key element is a template developed by the company's IT security advisers that outlines the following key security criteria. Business unit managers must then establish security requirements for the new business system being developed for their unit based on these ten criteria.
Ex.2 Contd.: Ten Criteria
1. Authentication: Who are you?
2. Authorization: What can you do?
3. Confidentiality & reliability: Privacy & dependability
4. Monitoring & tracking: What did you do?
5. Backup & recovery: Rebuilding the system
6. Physical security: Locking the others out
7. Change management: Protecting the business process
8. Legal requirements: What the law expects
9. Training & awareness: What you need to know
10. Contingency planning: What if?
Why Is Recovery Needed?
Database Recovery
1. Purpose of Database Recovery
- To bring the database into the last consistent state that existed prior to the failure.
- To preserve the transaction properties (Atomicity, Consistency, Isolation and Durability).
Example: If the system crashes before a fund transfer transaction completes its execution, then one or both accounts may hold an incorrect value. Thus, the database must be restored to the state before the transaction modified any of the accounts.
Types of Failures
A transaction can be partially executed due to:
- A computer failure (hardware, software, network)
- A transaction error (overflow, division by zero)
- An exception condition (lack of data)
- Concurrency control enforcement (deadlock, timeout)
- Disk failures
- Physical problems and catastrophes
- An abort command in the transaction program
Other Problems
System failures may occur. Types of failures:
- System crash
- Transaction or system error
- Local errors
- Concurrency control enforcement
- Disk failure
- Physical failures
The DBMS has a Recovery Subsystem to protect the database against system failures.
Recovery
1. Mirroring: keep two copies of the database and maintain them simultaneously.
2. Backup: periodically dump the complete state of the database to some form of tertiary storage.
3. System Logging: the log keeps track of all transaction operations affecting the values of database items. The log is kept on disk so that it is not affected by failures, except for disk and catastrophic failures.
Transaction Log
For recovery from any type of failure, the data value prior to modification (BFIM - BeFore Image) and the new value after modification (AFIM - AFter Image) are required. These values and other information are stored in a sequential file called the transaction log. A sample log is given below. Back P and Next P point to the previous and next log records of the same transaction.
T ID | Back P | Next P | Operation | Data item | BFIM | AFIM
T1 | 0 | 1 | Begin | | |
T1 | 1 | 4 | Write | X | X = 100 | X = 200
T2 | 0 | 8 | Begin | | |
T1 | 2 | 5 | W | Y | Y = 50 | Y = 100
T1 | 4 | 7 | R | M | M = 200 | M = 200
T3 | 0 | 9 | R | N | N = 400 | N = 400
T1 | 5 | nil | End | | |
Transaction Roll-back (Undo) and Roll-Forward (Redo)
To maintain atomicity, a transaction's operations are redone or undone.
- Undo: Restore all BFIMs on disk (remove all AFIMs).
- Redo: Restore all AFIMs on disk.
Database recovery is achieved either by performing only Undos, only Redos, or a combination of the two. These operations are recorded in the log as they happen.
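The sample log and the undo/redo rules above, carried through in code as an added illustration (not code from the original slides): the log records and the crashed disk images are constructed to match the table, and recovery redoes the AFIMs of the transaction that reached End (T1) while rolling back any write by a transaction that did not.

```python
# Added example (not from the original slides): a minimal transaction log with
# BFIM/AFIM records and undo/redo recovery over the deck's sample log.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class LogRecord:
    tid: str                      # transaction id, e.g. "T1"
    op: str                       # "Begin", "Write", "Read" or "End"
    item: Optional[str] = None    # database item touched, if any
    bfim: Optional[int] = None    # value before the operation
    afim: Optional[int] = None    # value after the operation (== bfim for reads)

# Constructed copy of the sample log above (Back P / Next P omitted: they only
# chain the records of one transaction, which the tid field already gives us).
SAMPLE_LOG: List[LogRecord] = [
    LogRecord("T1", "Begin"),
    LogRecord("T1", "Write", "X", 100, 200),
    LogRecord("T2", "Begin"),
    LogRecord("T1", "Write", "Y", 50, 100),
    LogRecord("T1", "Read", "M", 200, 200),
    LogRecord("T3", "Read", "N", 400, 400),
    LogRecord("T1", "End"),
]

def committed(log: List[LogRecord]) -> set:
    """Transactions whose End record reached the log before the failure."""
    return {r.tid for r in log if r.op == "End"}

def incomplete(log: List[LogRecord]) -> List[str]:
    """Transactions that appear in the log but never wrote End: these get undone."""
    return sorted({r.tid for r in log} - committed(log))

def recover(log: List[LogRecord], disk: Dict[str, int]) -> Dict[str, int]:
    """Rebuild the last consistent state from the crashed disk image and the log.
    Redo (roll-forward) replays AFIMs of committed transactions in log order;
    undo (roll-back) then restores BFIMs of incomplete transactions in reverse
    log order, so the earliest before-image of each item wins."""
    done = committed(log)
    state = dict(disk)
    for r in log:                                  # redo pass, forwards
        if r.op == "Write" and r.tid in done:
            state[r.item] = r.afim
    for r in reversed(log):                        # undo pass, backwards
        if r.op == "Write" and r.tid not in done:
            state[r.item] = r.bfim
    return state
```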