Online Security Myths & Challenges
Higher Colleges of Technology
Abeer Nijmeh, Account Manager
April 14, 2002
Agenda
• The Internet
• Traditional Security Practices & Perceptions
• The New Enterprise
• Security Plan
• Online Business Risks
• Protection of Assets / PKI
• Managed Security Services
• Q&A
The Internet…
• An efficient means of distributing information, products & services.
• Offers excellent productivity gains to organizations.
• Results in improvement of the bottom line.
• Ideal platform for global commerce.
• …Is no longer incidental but integral to businesses.
BUT!!!
• The Internet’s fundamental strength is also its most profound inherent weakness
• Designed to facilitate information-sharing
• Designed as a messaging infrastructure
• Not secure from exploitation of traditional vulnerabilities
• The most critical challenge posed is “SECURITY”
Traditional Security Practices & Perceptions (1)
• Driven by “one-size-fits-all” strategies
• Follows piecemeal enterprise security solutions:
  • Firewalls
  • VPNs
  • Card keys
• Limit outside access to internal resources and systems
• Browser-based encryption (SSL) and username / password based authentication schemes
Traditional Security Practices & Perceptions (2)
• Security is all about deploying firewalls
• It is not for our business yet
• Good security implementation is expensive
• Security implementation has no Return on Investment (ROI)
• Someone in the technical department will take care of security implementation
The New Enterprise
(Network diagram: remote offices, a home office, a mobile worker and business partners each connect through a point of presence (POP) over Internet/IP, ATM and Frame Relay links to the headquarters.)
Security Demands are Changing for Good!!!
YESTERDAY vs. TODAY (source: Forrester Research, Inc.)
• Internal Focus: access is granted to employees only → External Focus: suppliers, customers and prospects all need some form of access
• Centralized Assets: applications and data are centralized in fortified IT bunkers → Distributed Assets: applications and data are distributed across servers, locations and business units
• Prevent Losses: the goal of security is to protect against confidentiality breaches → Generate Revenue: the goal of security is to enable e-commerce
• IT Control: the security manager decides who gets access → Business Control: business units want the authority to grant access
Common Security Issues
• Eavesdropping (Confidentiality): information remains intact, but privacy is compromised.
• Tampering (Integrity): information in transit is changed or replaced.
• Impersonation (Authenticity / Non-repudiation):
  • Spoofing: a person pretending to be someone else.
  • Misrepresentation: a person or organization misrepresenting itself.
• Availability: system operations are disrupted and service is denied.
Security Plan
Establish a security plan / policy that considers:
• Business strategy and objectives
• Identification of threats / vulnerabilities and management of risks
• Protection of critical assets & systems
• Elevating security awareness company-wide
• Continuous monitoring & evaluation of security controls
Online Business Risks
• Determinants of risk: online assets, vulnerabilities & threats
• Assets at risk: equipment, data, business reputation
• Risk profiling: assessing the risk sensitivity level of assets
Security Zones
(Diagram: Public Zone, Low Security Zone, Medium Security Zone and High Security Zone, with the interconnections between them.)
Courtesy: Information Security - Raising Awareness, Government of Canada PKI Secretariat
Protection of Assets
Some of the technologies used to address security issues / challenges:
• Public Key Infrastructure (PKI)
• Virtual Private Networks (VPN)
• Firewalls
• Intrusion Detection Systems (IDS)
• Virus detection software
Public Key Infrastructure (PKI)
• Supports trusted interactions.
• Provides authentication, confidentiality, non-repudiation, integrity and access control assurances
• Enables encryption & decryption of online transactions
• Digital certificates & digital signatures for users & businesses
• Trusted certification authority role
Key Pairs
(Diagram: a user’s private key, kept by the user, and the user’s public key(s), which may be distributed.)
Internet Confidentiality
(Diagram: the digitally signed message is encrypted with the recipient’s public key, crosses the Internet as an encrypted message, and is decrypted with the recipient’s private key back into the digitally signed message.)
Data Integrity & Authenticity (1)
(Diagram: the message passes through a hash process to produce a message digest; the digest is transformed with the sender’s private key into a digital signature; the message together with the digital signature forms the digitally signed message.)
Data Integrity & Authenticity (2)
(Diagram: the digitally signed message is separated into the message and the digital signature; the message is hashed into a message digest, the digital signature is transformed with the sender’s public key to recover the original message digest, and the two digests are compared.)
PKI – Process Workflow
(Flowchart of the client, Registration Authority and Certificate Authority.)
1. The client applies for a certificate.
2. The Registration Authority verifies the applicant’s identity.
3. Is the applicant’s identity valid? NO: send a notice declining the application. YES: request a certificate for the user.
4. The Certificate Authority issues the certificate.
5. The certificate is published to the repository (LDAP).
Typical User Certificate
(Sample certificate; see http://comtrust.co.ae/Repository.htm)
PKI Enabled VPN
(Network diagram, as on “The New Enterprise”: remote offices, a home office, a mobile worker and business partners connect through points of presence (POPs) over Internet/IP, ATM and Frame Relay links to the headquarters, with the VPN tunnels authenticated by PKI.)
E-market places
(Diagram: large buyers, large suppliers, small buyers and small suppliers trade either direct 1-to-1 or through an e-market marketplace.)
Other Applications
• E-retailing & online payments: online stores can enable SSL, authenticate members (CSSL), watch buying patterns, observe casual visitors, and reduce or eliminate online fraud.
• Secured e-mail: messages can be encrypted and digitally signed, and message integrity can be verified.
• Bill presentment & payments: presentment and payment of taxes, traffic fines, utility bills and school fees, and presentment of various statements.
Other Applications (continued)
• Subscription-based services: online magazines can use the basic registration information available on certificates to understand usage patterns and replace password-based authentication.
• E-Government: payment of taxes, secure electronic filing, e-forms, payment of other dues, government bidding processes, submission of various documents.
• Access control: digital certificates can enable access control with respect to various business applications.
Elements of a Secure Enterprise
• Authorization
  • Directories
• Authentication
  • PKI
  • Biometrics
  • Smart Cards
• Confidentiality
  • Encryption
• Policy
  • Enterprise Commitments
• Non-Repudiation
  • Digital Certificates
  • Digital Signatures
• Integrity
  • Digital Signatures
• Audit
  • Internal and / or Third Party
  • 24 x 7
  • Full Redundancy
Managed Security Services (MSS)
• Experienced security management staff are hard to find and expensive to hire
• Security management is rarely within the core competency of online enterprises
• MSS: outsourced security (turns a potential security crisis into an achievable security policy)
• Customized security management
• Single point of contact
• Economies of scale
• Key advantages for both startups and established players
For more information...
www.comtrust.ae
abeern@emirates.net.ae