Information Security in the Public Environment

1
Information Security in the Public Environment
Joseph Santilli Information Security
Contingency Administrator City of Las Vegas
2
Information Security

• Due to the public nature of much of the
  information generated and stored by government
  agencies and municipalities data integrity
  sometimes becomes more crucial that security

3
Information Integrity

• Information integrity consists of two parts
• 1. Source quality The current model for
  information is to provide solely the information.
  The information user rarely knows who created the
  information nor the authenticity of that data.
• 2. Communications integrity The delivery of
  information from its source to the user can
  result in many transformations and risks. The
  information can be compromised on the networks
  that it traverses or on computers where it is
  stored. The information could also be merged with
  earlier or out-of-date version of information
  creating a less accurate hybrid.

4
Threat/Issues

• Viruses
• Hacking
• Loss/Theft of equipment or media
• Inappropriate access
• Insider
• Social Engineering

5
Regulations

• HIPAA
• PCI
• SOX
• GLB
• Homeland Security

6
Additional Challenges

• Increased Mobile Society
• Need to share across agencies
• Requirement to know who is accessing what
• Development of secure software
• Finding secure COTS applications
• Public access needs
• Lack of Security Training
• Accountability

7
Solutions

• Virus Software at the desktop and Server
• Security at all access points
• Identity management systems that control access
  and rights to data and applications
• Automatic provisioning and deprovisioning
• Increased and mandatory training

8
Solutions

• Control of the type of data that can be
  downloaded onto mobile devices
• Encryption of data on mobile devices
• Increased security for mobile devices
• Restricted use of thumb drives/media

9
Joes Ideal State

• Every individual is identified via a two or three
  factor identification process (biometric, smart
  card, passport) and are provisioned based on that
  identity and their need
• Every system/application validates the user via a
  common interface
• Every individual is setup automatically based on
  their need and a predetermined profile
• All state and municipal entities have a trust
  relationship based on a shared/common security
  model
• Individuals receive access to only information
  needed to complete their mission
• Sensitive records are well defined and encrypted
  or securely stored

10
Identity Management

• Each User has a data repository
• User account and data is managed
• Roles and privileges are defined and managed
• Account creation, termination, and modification
  is automated
• Role provisioning and deprovisioning is automatic
  
• Passwords are synchronized
• Password self-service is available
• Auditing and reporting is activated
• Security policy is enforced

11
Joes Ideal System

• On startup the user would get a browser interface
  or logon for their authentication. They would
  never authenticate again for anything during
  their session. Each program, file share or other
  access would validate their credentials and
  accept or reject them based on the confirmed
  identity

12
Contact Information

• Joseph Santilli
• jsantilli_at_lasvegasnevada.gov
• 702-229-2410