Trusted Systems in an Outsourced Environment

1
Trusted Systems in an Outsourced Environment
Professor William J (Bill) Caelli, AO
Assistant Dean Strategy Innovation
Faculty of Information Technology
Queensland University of Technology
Brisbane, Qld. 4000 Australia
2
Trusted Systems in an Outsourced Environment
Research for this presentation has been supported
by a grant (DP0449644) from the Australian
Research Council (ARC)
3
Trusted Systems in an Outsourced Environment
  • Emerging Requirements for Security
  • Differing nature of requirements
  • Trusted systems background
  • B means Business: Mapping the need
  • Deploying trusted systems
  • Future trends.

4
Trusted Systems in an Outsourced Environment
  • Emerging Requirements for Security
  • Differing nature of requirements
  • Trusted systems background
  • B means Business: Mapping the need
  • Deploying trusted systems
  • Future trends.

5
Survey, 5 weeks ending 12 Sept 2004/USA
6
Survey, 5 weeks ending 12 Sept 2004/USA
Nature of Data Security Breaches
69
7
Trusted Systems in an Outsourced Environment
  • Emerging Requirements for Security
  • Differing nature of requirements
  • Trusted systems background
  • B means Business: Mapping the need
  • Deploying trusted systems
  • Future trends.

8
Trusted Systems in an Outsourced Environment
DEPARTMENT OF DEFENSE STANDARD
DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA, DECEMBER 1985
DoD 5200.28-STD, December 26, 1985
"In general, secure systems will control, through use of specific security features, access to information such that only properly authorized individuals, or processes operating on their behalf, will have access to read, write, create, or delete information."
9
  • POLICY
  • 1. Security policy
  • 2. Marking
  • ACCOUNTABILITY
  • 3. Identification
  • 4. Accountability
  • ASSURANCE
  • 5. Assurance
  • 6. Continuous protection

TCSEC 1983 / 1985
10
ASSURANCE
  • 5. Assurance: hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that system enforces security requirements
  • 6. Continuous protection: continuously protected against tampering and/or unauthorized changes
11
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING REQUIREMENT
TCSEC DIVISION C: DISCRETIONARY PROTECTION
Classes in this division provide for discretionary (need-to-know) protection and, through the inclusion of audit capabilities, for accountability of subjects and the actions they initiate.
The class (C1) environment is expected to be one of cooperating users processing data at the same level(s) of sensitivity.
12
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING REQUIREMENT
TCSEC DIVISION B: MANDATORY PROTECTION
The notion of a TCB that preserves the integrity of sensitivity labels and uses them to enforce a set of mandatory access control rules is a major requirement in this division. Systems in this division must carry the sensitivity labels with major data structures in the system.
CLASS (B1): LABELED SECURITY PROTECTION
Class (B1) systems require all the features required for class (C2). An informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present.
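
Added example (not part of the original slides): a minimal sketch of the Division C versus Division B difference, where an owner-maintained ACL (discretionary) is checked together with label dominance (mandatory). The "no read up / no write down" rules are the standard TCSEC mandatory access control rules, which the slides do not spell out; the levels, categories, users and file names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed label hierarchy for an outsourcing setting (assumption).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high and covers every category."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

@dataclass
class Obj:
    name: str
    label: Label
    acl: dict = field(default_factory=dict)  # user -> {"read", "write"}

@dataclass(frozen=True)
class Subject:
    user: str
    label: Label

def dac_allows(subj, obj, mode):
    """Division C style: the owner-maintained ACL alone decides."""
    return mode in obj.acl.get(subj.user, set())

def mac_allows(subj, obj, mode):
    """Division B style: labels decide and the owner cannot override them."""
    if mode == "read":   # no read up
        return subj.label.dominates(obj.label)
    if mode == "write":  # no write down
        return obj.label.dominates(subj.label)
    return False

def access(subj, obj, mode):
    """B1 keeps the C2 features, so both checks must pass."""
    return mac_allows(subj, obj, mode) and dac_allows(subj, obj, mode)

def demo():
    client_a = frozenset({"CLIENT_A"})
    payroll = Obj("payroll.db", Label("CONFIDENTIAL", client_a),
                  acl={"vendor_op": {"read"}, "client_dba": {"read", "write"}})
    notes = Obj("notes.txt", Label("PUBLIC"),
                acl={"client_dba": {"read", "write"}})
    vendor = Subject("vendor_op", Label("INTERNAL"))
    dba = Subject("client_dba", Label("CONFIDENTIAL", client_a))
    return {"vendor_read_dac_only": dac_allows(vendor, payroll, "read"),
            "vendor_read": access(vendor, payroll, "read"),
            "dba_read": access(dba, payroll, "read"),
            "dba_write_down": access(dba, notes, "write")}
```

The over-permissive ACL entry for the outsourced operator passes the discretionary check, but the label check still denies the read, and the cleared administrator cannot copy labelled data into a lower-labelled file.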
13
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING
REQUIREMENT
  • CLASS (B2) STRUCTURED PROTECTION
  • TCB (Trusted Computing Base)
  • clearly defined and documented formal security
    policy model
  • discretionary and mandatory access control
    enforcement (B1) extended to all subjects and
    objects in the ADP system.
  • defined policy model, labelling
  • protection-critical / non-protection-critical
    elements
  • interface well-defined
  • more thorough testing and review.

14
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING
REQUIREMENT
  • CLASS (B2) STRUCTURED PROTECTION
  • General
  • authentication mechanisms strengthened,
  • trusted facility management provided
  • support for system administrator and operator
    functions
  • stringent configuration management controls
  • covert channels are addressed
  • relatively resistant to penetration.

15
COMMON CRITERIA
Protection Profiles
  • Labeled Security (LSPP)
  • Role Based Access Control (RBACPP)
  • Controlled Access (CAPP)
Assurance Level EAL4
THE EMERGING MINIMUM FOR OUTSOURCING ICT SYSTEMS AND SERVICES
16
  • Windows 2000: "... once in kernel mode, operating system and device driver code has complete access to system space memory and can bypass Windows 2000 security ..."
  • "... the bulk of the Windows 2000 operating system code runs in kernel mode"

D. Solomon & M. Russinovich, Inside Microsoft Windows 2000 (Third Edition)
17
15 March 2004

18
Trusted Systems in an Outsourced Environment
  • Emerging Requirements for Security
  • Differing nature of requirements
  • Trusted systems background
  • B means Business: Mapping the need
  • Deploying trusted systems
  • Future trends.

19
COMPLIANCE WITH LEGAL REQUIREMENTS
  • USA
  • Sarbanes-Oxley Act 2002 (Sect 404),
  • Gramm-Leach-Bliley Act
  • HIPAA
  • FISMA
  • AUSTRALIA / EUROPE
  • IS 17799 (outsourcing contracts)
  • Privacy Act 1988 (Aust)
  • AS 18152005 (Aust) ICT Governance
  • ASX Principle 7 (Aust)

COBIT Methodology
20
USA: NIST FISMA Implementation Project
Protecting the Nation's Critical Information Infrastructure
Computer Security Division, Information Technology Laboratory
21
Risk Management Framework
22
Trusted Systems in an Outsourced Environment
  • Emerging Requirements for Security
  • Differing nature of requirements
  • Trusted systems background
  • B means Business: Mapping the need
  • Deploying trusted systems
  • Future trends.

23
DEPLOYING TRUSTED SYSTEMS
MARKETPLACE
  • SUN Microsystems: Trusted Solaris 8
  • LINUX / NSA Project Onwards: SELinux (Basic Kernel), RedHat Fedora 3/ES 4, Novell SUSE 9, etc.
  • Microsoft: Beyond Longhorn
24
Trusted Systems in an Outsourced Environment
  • Emerging Requirements for Security
  • Differing nature of requirements
  • Trusted systems background
  • B means Business: Mapping the need
  • Deploying trusted systems
  • Future trends.

25
FUTURE
  • Mapping real business/commercial government
    needs to mandatory security systems
  • Manager friendly MAC/DAC mapping systems
  • Education & training for management and
    ICT professionals
  • Market development NIIP needs
  • R&D next generation OS / middleware structures

26
THANK YOU