1 / 27

Online Security Myths & Challenges

Online Security Myths & Challenges. HIGHER COLLEGES OF TECHNOLOGY. Abeer Nijmeh Account Manager April 14, 2002. Agenda. The Internet. Traditional Security Practices & Perceptions. The New Enterprise. Security Plan. Online Business Risks. Protections of Assets/ PKI.

tabib
Télécharger la présentation

Online Security Myths & Challenges

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Online SecurityMyths & Challenges HIGHER COLLEGES OF TECHNOLOGY Abeer Nijmeh Account Manager April 14, 2002

  2. Agenda • The Internet • Traditional Security Practices & Perceptions • The New Enterprise • Security Plan • Online Business Risks • Protections of Assets/ PKI • Managed Security Services • Q&A

  3. The Internet… • An efficient means of distributing information, products & services. • Offers excellent productivity gains to organizations. • Results in improvement of bottom line. • Ideal platform for global commerce. • …Is no longer incidental but integral to businesses.

  4. BUT!!! • The Internet’s fundamental strength is also its most profound inherent weakness • Designed to facilitate information-sharing • Designed as a messaging infrastructure • Not secure from exploitation of traditional vulnerabilities • The most critical challenge posed is “SECURITY”

  5. Traditional Security Practices & Perceptions (1) • Driven by “one-size-fits-all” strategies • Follows piece-mealing enterprise security solutions • Firewalls • VPNs • Card Keys • Limit outside access to internal resources and systems • Browser based encryption (SSL) and username / password based authentication schemes

  6. Traditional Security Practices & Perceptions (2) • Security is all about deploying firewalls • It is not for our business yet • Good security implementation is expensive • Security implementation has no Return on Investment (ROI) • Someone in the technical department will take care of security implementation

  7. The New Enterprise Remote Offices Home Office POP Internet/IP ATM, FrameRelay POP Business Partners Headquarter POP Mobile Worker

  8. Security Demands are Changing for Good !!! YESTERDAY TODAY Internal Focus Access is granted to employees only External Focus Suppliers, Customers, and prospects all need some form of access Centralized Assets Applications and data are centralized in fortified IT bunkers Distributed Assets Applications and data are distributed across servers, locations, and business units Prevent Losses The goal of security is to protect against confidentiality breeches Generate Revenue The goal of security is to enable E-commerce IT Control Security manager decides who gets access Business Control Business units want the authority to grant access Forrester Research, Inc.

  9. Common Security Issues • Eavesdropping (Confidentiality) Information remains intact, but privacy is compromised. • Tampering (Integrity) Information in transit is changed or replaced. • Impersonation (Authenticity/ Non-repudiation) Spoofing: A person pretending to be someone else. Misrepresentation: A person or organization misrepresenting itself. • Availability System operations are disrupted and service is denied.

  10. Security Plan Establish a security plan/ policy that considers: • Business strategy and objectives • Identification of threats/vulnerabilities and management of risks • Protection of critical assets & systems • Elevating security awareness company-wide • Continuous monitoring & evaluation of security controls

  11. Online Business Risks • Determinants of risk: Online assets, vulnerabilities & threats • Assets at risk: Equipment, data, business reputation • Risk profiling: Assessing risk sensitivity level of assets

  12. Security Zones Public Zone Low Security Zone Medium Security Zone High Security Zone Interconnection Courtesy: Information Security- Raising Awareness, Government of Canada PKI Secretariat

  13. Protection of Assets Some of the technologies used to address security issues/challenges : • Public Key Infrastructure (PKI) • Virtual Private Networks (VPN) • Firewalls • Intrusion Detection Systems (IDS) • Virus detections software

  14. Public Key Infrastructure (PKI) • Supports trusted interactions. • Provides authentication, confidentiality, non-repudiation, integrity and access control assurances • Enables encryption & decryption of online transactions • Digital certificates & digital signatures for users & businesses • Trusted certification authority role

  15. Key Pairs A User’s Private Key A User’s Public Key(s)

  16. Internet Confidentiality Recipient’s Public Key Recipient’s Private Key Encrypted Message Encrypted Message Digitally Signed Message Digitally Signed Message

  17. Message Hash Process Digitally Message Signed Digital Digest Signature Message Sender’s Private Key Data Integrity & Authenticity (1)

  18. Data Integrity& Authenticity (2) Message Digest Message Digitally Signed Message Digital Signature Message Digest Sender’s Public Key

  19. PKI – Process Workflow 1 Applies For Certificate 2 Verifies Applicant Identity Registration Authority Client 3 NO Send notice Declining application Issue Certificate Is the applicants Identity valid? 5 3 YES Request Certificate For user 4 Certificate Authority LDAP Publish Certificate to The Repository

  20. Typical User Certificate http://comtrust.co.ae/Repository.htm

  21. PKI Enabled VPN Remote Offices Home Office POP Internet/IP ATM, FrameRelay POP Business Partners Headquarter POP Mobile Worker

  22. E-market places Large Buyers Large suppliers Small buyers Small suppliers Direct 1-to-1 MarketPlace e-Market

  23. Other Applications Online stores can enable SSL, authenticate members (CSSL), watch buying patterns, observe casual visitors, reduce or eliminate online frauds E-retailing & online Payments Messages can be encrypted and digitally signed and message integrity can be verified. SecuredE-Mail Presentment and payment of taxes, traffic fines, utility bills, school fees, and presentment of various statements Bill Presentment & Payments

  24. Other Applications On-line magazines can use basic registration information available on certs. to understand usage patterns and replace password based authentication Subscriptionbased Services Payment of taxes, secure electronic filling, e-forms, payment of other dues, government bidding process, submission of various documents E-Govt. Digital Certificates can enable access control with respect to various business applications. Accesscontrol

  25. Elements of Secure Enterprise • Authorization • Directories • Authentication • PKI • Biometrics • Smart Cards • Confidentiality • Encryption • Policy • Enterprise Commitments • Non-Repudiation • Digital Certificates • Digital Signatures • Integrity • Digital Signatures • Audit • Internal and / or Third Party • 24 x 7 • Full Redundancy

  26. Managed Security Services (MSS) • Experienced security management staff hard to find and expensive to hire • Security management rarely within the core competency of online enterprises • MSS- Outsourced Security (turns potential security crisis into achievable security policy) • Customized security management • Single point of contact • Economies of scale • Key advantages for both startups and established players

  27. www.comtrust.ae For more information... abeern@emirates.net.ae

More Related