Security Management under Control

Organisations are evolving to become more accessible to customers, partners, vendors, suppliers and employees.

  • Monday, January 03 - 2005 at 10:40
This is being achieved by the deployment of IT technology to the extent that most organisations are now critically dependent upon their IT infrastructure to function.

Ensuring the security of this infrastructure poses a severe challenge, and yet many organisations have taken a piecemeal approach to security management. This has resulted in higher costs than necessary while, at the same time, controls have been poorly implemented.

The increasing amount of data held has led governments and regulatory bodies to respond with directives relating to privacy and confidentiality. The result? Organisations find themselves squeezed between cost control and regulatory compliance.

This paper discusses the business and technology challenges faced by organisations and proposes a new philosophical approach, where business and technology intersect, to address this challenge. This new security management model supports the business imperatives of financial discipline, assuring business continuity, managing operational risk and regulatory compliance.

The model focuses on managing the existing security technologies more effectively rather than adding to or replacing them.

Business Challenges
The key business drivers that make security management important are financial discipline, operational risk and compliance with legal and regulatory requirements.

Financial Discipline
The competitive business environment makes financial discipline a priority for organisations.

Financial discipline is not just about saving costs but also about doing things smarter. Organisations that succeed in achieving financial discipline will be those that survive and grow by providing their products and services more efficiently and more effectively than their competitors.

Financial discipline means managing operations more effectively, making employees more efficient and reducing administrative overheads. For example, in a typical organisation, password and account lockout problems can represent a large proportion (often over 50%) of the help desk load. The need to sign on individually to multiple applications wastes time. The costs and delays involved in providing access for new employees can be a significant problem in industries with high staff turnover (call centres and retail are good examples).

Operational Risk
Organisations survive in the face of many risks, including market risk and operational risk. Market risk includes, for example, investing in products that do not meet the needs of customers, or where competitors provide better or cheaper products. Operational risk covers aspects such as processes being vulnerable to theft, fraud, disruption or mismanagement.

One particular concern is maintaining continuity of critical business services. This is shown in Figure 1 which illustrates the results of a survey of 1209 respondents by Quocirca Ltd on attitudes to IT security [1]. Organisations depend upon their IT infrastructure to operate and this infrastructure is vulnerable in many ways.

These range from simple hardware failure, through mis-operation and mis-configuration, to malicious attacks by hackers, computer viruses and the like. In spite of the fact that these risks are well known, many organisations do not manage technical vulnerabilities and threats as well as they could, leaving the process under the control of technical staff without a clear understanding of the business priorities. Organisations need to have a well regulated risk management process that focuses on business priorities and includes the IT infrastructure.


Figure 1 - Business Drivers for IT Security

Although hacker and virus attacks are well publicised, the insider remains an important threat to an organisation in terms of potential to cause financial loss [1] - see figure 2 below. One of the main reasons for this is that the insider understands the organisation's systems and is hence able to spot and exploit any weaknesses. Another is that they have physical access to systems and this is often poorly managed.


Figure 2 - Perceived Major Causes of Risk

Regulatory Compliance
A further aspect concerns compliance with regulation and the law. In some sectors there is now regulation relating to the security of information and information systems. This includes, for example, the banking industry (Basel II), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) in the USA.

In the case of Basel II, the regulation provides a relationship between the risk (including operational risk) assessed for a bank and the amount of working capital that needs to be set aside to cover that risk. Hence reducing the assessed risk releases capital, and so Basel II provides an incentive for banks to assess and reduce risk.

In the case of HIPAA, health information providers are required by law to ensure that patient information is kept confidential. Since much of the patient information is held electronically, there is a clear need to authenticate and control who is able to access the data. Over 45 countries have comprehensive national data protection laws. (Notable exceptions are China and the USA.)

In Europe the EU Directive 95/46/EC provides some of the world's toughest rules governing how companies and governments may deal with personal data. EU Directive 2002/58/EC, the Directive on Privacy and Electronic Communications, governs how the providers of publicly available electronic communications services must safeguard the security and confidentiality of communications on their services.

Managing who is able to access what information is critical to complying with these regulations as well as reducing risk. Improving the identity management process, including the provisioning, authentication and access control processes, can reduce costs and improve efficiency. Opening up the organisation to allow partners and customers to access information and to securely purchase products can provide competitive advantages and worthwhile improvements in efficiency.

Technology Issues

Web Services
Web Services is one of the industry's hottest technologies. The promise of Web Services is to deliver a standards-based vehicle to address one of the most vexing problems facing the IT industry today - how to make heterogeneous systems talk to each other.

At the business level, Web Services seeks to enable the integration of customers, employees and partners via the Internet. Much of the media coverage on Web Services has focused on using Web Services in consumer-focused solutions. However, most IT organizations intend to leverage the power of Web Services to integrate internal systems and processes, then extend these solutions to trusted business partners.

Web Services have special security requirements not found in enterprise computing. Both service consumers and service providers may possess distributed identities. There could be several identities from different security domains (e.g. public: Microsoft Passport, Liberty Alliance, etc.; corporate: LDAP, Windows Domain account, NIS account, Portal user account, etc.). A consumer uses an identity to gain access to the service it needs.

A provider and consumer may use their identities to encrypt and sign the messages that they exchange. Provider and consumer may also exchange identity credentials in an initial sequence of messages (a handshake), which then allows further trusted interactions.

A service provider's identity is optional, and it is perfectly possible to implement a business service without an identity if it always acts on behalf of a client. Not having a client's identity, on the other hand, translates into anonymous access, which is rarely allowed for business services.

Every major platform vendor has endorsed the formal standards involved in Web Services, reflecting a unique convergence of interests in the industry. There are several key standards related to this area:

• XML - eXtensible Markup Language, the universal format for structured documents and data on the Web.

• SOAP - Simple Object Access Protocol, a lightweight protocol for exchange of information in a distributed environment.

• WSDL - Web Services Definition Language, the XML format describing network services.

• UDDI - Universal Description, Discovery and Integration, an industry initiative to enable businesses to quickly, easily, and dynamically find and interact with web services [2].

• SAML - Security Assertion Markup Language [3] is used to assert statements and conditions against a security authority and policies that it manages. SAML can be used in interactions between security authorities as well.

• SPML - Service Provisioning Markup Language [4] can be used to interface with a security agent or a platform itself to allow control and configuration of security.

IT security technology should support the deployment of these standards.

Utility or On-Demand Computing
In today's economic climate, businesses are carefully examining all IT expenditures. Many firms are finding that their IT infrastructure is too inefficient and unresponsive to meet the needs of a dynamic business, and is not aligned with business needs.

The concept of on-demand computing is to provide IT with the tools to apply computing resources more like a utility (electricity, telephone, water, etc). In this service-driven model, computing resources are dynamically allocated to meet demand, and systems are increasingly self-managed to maximize flexibility and ease of administration.

Security is a critical component of any business infrastructure. In the on-demand computing environment, where servers are dynamically reconfigured and deployed, it is even more important to ensure that security policies are properly deployed and maintained. In this environment it is critical to assure that user identities are properly provisioned and users have convenient, secure access to their applications.

Convergence of Physical and IT Security
Physical access control is fundamental to security and increasingly implemented using microcomputer technology. As a consequence the problems of provisioning, authentication, monitoring, reporting and de-provisioning now include physical access as well as IT systems access.

Employees and contractors need access to a wide range of corporate assets, from office buildings and secured test labs to computer systems, files, directories, databases and PCs. In addition, they may be assigned laptops, mobile phones, calling cards and corporate credit cards.

It is also useful if a single credential can be utilized for authentication for both physical resources and cyber access. Specifications, such as ISO 7816, are trying to deliver on the promise of platform-independent smart card applications. Organizations need to manage the digital identity across entire organizations, authenticating to all corporate assets with a single credential, provisioning all IT systems, Web services, devices and entrance badges and securing access to files, directories and databases while monitoring all these activities. The Open Security Exchange (OSE) [5] is an organisation promoting open standards for converging physical and IT management.

Information Security Management
A common approach is needed to enable organisations to manage operational risk and help to achieve compliance with security related regulations. Managing IT security needs to fit within a complete information security management strategy. Organisations are increasingly using BS 7799 [6] or ISO 17799 [7] as the standard upon which to base information security management. IT security solutions need to support this approach.

BS 7799-1 was first produced in 1995 to provide a comprehensive set of controls comprising best practices in information security. This was subsequently revised in 1999, and in December 2000 Part 1 was adopted by ISO/IEC as the International Standard ISO/IEC 17799:2000. In 1998 Part 2 complemented BS 7799 Part 1, and while Part 1 gives guidance on controls Part 2 describes an Information Security Management System to manage those controls. In 2002, BS 7799 Part 2 was drastically revised and now contains guidance on implementation and complies with the OECD guidelines on information security.


Figure 3 - Information Security Management

An Information Security Management System is a documented, working process that covers all activities in planning, implementation and review. This process, which is illustrated in Figure 3, is based around a security policy. The process involves performing a risk assessment to identify the valuable assets and the vulnerabilities and threats related to these.

Then, depending upon the organisation's approach to risk, and the degree of assurance required, the processes and tools required to manage these risks are defined. Finally the way in which the application of these processes will be monitored and reviewed is specified.

Measuring compliance is important; the British Standards Organisation has published a series of books [8], including one on auditing the BS7799 controls, but these do not describe an audit framework. The European Accreditation Organisation [9], however, does provide guidance on how to perform such audits. The Cobit [10] audit guidelines for DS5.2 (Identification, Authentication and Access) are also helpful when performing an audit of BS7799 compliance.

Security Management in Context
IT security management needs to be appropriate for the business and so needs to be organised to support business objectives within a business context.

However, in many organisations the IT and security departments choose the security solutions without fully being aware of the factors driving the business towards its goals. As a consequence more technology gets added. This leads to an increase in complexity and a worsening of the ability to manage the environment, control risk and add measured value back to the business or organisation.

One of the significant problems in the information security field involves fragmented and inconsistent efforts. Too often one department will be supportive of information security efforts, while another department within the same organization will be resistant.

To the extent that these departments share resources there is a strong need for co-operation. Although it is neither feasible nor desirable to make everyone in an organization familiar with the complexities of information security, it is important that there is a common agreement on a baseline policy.

Figure 4 shows how security strategy can be related to business objectives, taking into account risk assessment and risk appetite as well as technology.


Figure 4 - Security Management in Context

The Key Components of Managed Security
Organisations depend upon their IT infrastructure to operate, and so IT security is important to ensure business continuity as well as to enable e-business. IT security is necessary to ensure:

• Protection of critical assets from malicious code, such as viruses and worms.

• Proactive risk mitigation by reducing vulnerabilities.

• Enforcement of security policies.

• Automated provisioning and maintenance of digital identities.

• Convenient, secure access to applications by all users based on their role.

• Centralized control of the extended security infrastructure from all vendors.

• Regulatory compliance.

The new model for on-demand security management solutions delivers the flexibility required to align every aspect of the organization's security issues with its business needs by automating, simplifying and streamlining processes. In addition, it should provide real-time visibility into the multitude of security events that occur daily in your business environment - enabling the right response at the right time.

Integrating the key components of security management [1] - identity and access management, threat management and security information management - into a proactive solution helps you achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risk and ensure continuous business operations.


Figure 5 - How should IT Security be Managed

Identity and Access Management
Organizations are evolving to become more accessible to customers, partners, vendors, suppliers and employees. However, controls where what you can do is based on who you are remain fundamental to managing risk.

The title of 'Identity Management' has developed over time to describe the processes and technologies involved in implementing these controls. In fact 'Identity and Access Management' is a more appropriate title since it is essential to control access based on the management of identity.

The ideal identity and access management solution is complete, integrated and open. It combines provisioning, policy enforcement and end-to-end auditing to help ensure that all aspects of the identity life cycle are securely and efficiently managed - including the impact of identity activity on access to business-critical assets. Tying together a collection of point products is expensive, includes overlapping functionality and could potentially result in security loopholes.

An integrated solution reduces costs, eases deployment and administration, accommodates and correlates multiple identity directories, and helps ensure cohesive auditing of all identity and access-related activities. Openness is needed to ensure that the solution can be built upon existing infrastructure and components.

The key features needed in an identity and access management solution are: role- and rule-based provisioning of employees, partners and customers; role-based access control from the mainframe to the Web; and auditing of administration, account activity and access privileges. The integrated solution should include open interfaces for integration with the existing infrastructure. No changes to existing applications or systems should be needed.


Figure 6 - Identity and Access Management Architecture

Threat Management
The infrastructure that supports the information systems is itself vulnerable to attack. This threat can take many forms, such as computer viruses and other forms of malicious code. These threats often exploit known vulnerabilities (weaknesses in system software such as operating systems). The result of a successful attack is to render this vital infrastructure unavailable or unusable, thereby depriving the organisation of the tools it needs to function.

Threat management helps to keep the information systems infrastructure available. It prevents viruses, worms, spam and malicious content from infiltrating and infecting the network, email and business applications. It provides the means for security personnel to identify a threat to, or weakness in, the infrastructure, and help take immediate actions - preventing incidents before they have a negative impact on assets. Threat management solutions also confront content security challenges by keeping corporate content confidential and holding malicious content at bay.

Threat management poses a number of problems over and above the technology used:
• The first of these is maintaining an accurate inventory of the assets that need to be protected. Many organisations are exposed simply because they do not have an up to date inventory, and become exposed when new devices are introduced to the network without the knowledge of IT security. These uncontrolled devices are often not properly patched, protected or updated.

• Then there is the issue of keeping up to date with newly discovered vulnerabilities and threats. This is a highly skilled task and one which many organisations cannot afford to staff on the needed 24x7 basis.

• When a new threat (such as a virus) is discovered, it is essential to get protection against it deployed as quickly as possible. Many vendors rush to publish signature updates before they have been properly tested. What really matters is how quickly the correct signature can be deployed.

Figure 7 - Complete Vulnerability Management

• When new vulnerabilities are discovered it is important to be able to quickly and accurately identify which systems within the organisation have these exposures. Then it is necessary to weigh the relative risks of patching (which may destabilise operational systems) against leaving the exposure open. If the decision is to patch, a swift and reliable mechanism is needed to automate the process of deploying the patch.

• Finally, managing content opens up privacy and compliance issues. In some countries there are strict rules governing the right of employers to access emails sent to or by their employees. Threat management solutions should be flexible enough to cater for these rules.

Security Information Management
Organisations depend critically upon their IT infrastructure. Because of its importance this infrastructure now includes multiple layers of security technology and controls to protect against malice and misuse. This 'defence in depth' approach has led to security information overload and reduced information security readiness. A new philosophical approach, where business and technology intersect, is needed to address this challenge.

A typical organisation will have firewalls, network intrusion detection systems, anti virus, secure content management as well as servers and applications.

Each of these systems monitors security and logs events. Adding layer upon layer of security monitoring has created a massive tide of security related data. So much so that, for many organisations, it is not practical to analyse the data locally; transmitting the data for central analysis would risk saturating the network; and storing it as possible evidence presents a real difficulty.


Figure 8 - Security Information Management Architecture

The challenge is one of management - to refine this raw data using intelligence to detect real threats, where they exist, and produce security information that is relevant to the business operation. Then, where appropriate, to advise on or automatically take the necessary action.

The security information management architecture consists of a Presentation Layer, a Process Layer and a Technology Layer. The Process Layer establishes the linking control of objects, activities, schedules and events to corporate security policy and procedures. Intelligent compliance monitoring and rules help ensure that vulnerability risks are mitigated and corrective actions are initiated.

The Technology Layer integrates the networks, security, hardware, software and other IT processes. The Presentation Layer provides a security dashboard that gives role based access to the information required by the various security actors.

Let us consider an example: suppose that we have received a security alert that a worm virus is in circulation. This worm is known to attack SQL Server installations that have not been patched to correct a known vulnerability. When we receive this information we need to apply a number of tests to decide whether and how we need to act.

Firstly, do we have any SQL Server installations? If we don't, then we need take no action. If we do, then we need to know whether these SQL Server installations have been correctly patched. If not, then we may need to take action; if the servers support important business applications, then we should immediately isolate the servers from possible sources of the virus and then apply the necessary patches. This is clearly a much more considered and intelligent approach than monitoring all network traffic or simply closing the network perimeter.

So how do we achieve this intelligence? One approach would be to employ skilled people to monitor the situation and react appropriately. This is likely to be expensive, since people with this kind of skill are hard to find, and would therefore only be justified for large organisations. To improve cost effectiveness, it would be possible for suitably qualified service providers to offer this as a service. Even so, the sheer volume of raw data is too large for this to be practical without technology to assist.


Figure 9 - Security Event Processing

So what is needed is technology that can be configured to take into account data flows from multiple sources and conditionally apply multiple independent tests to this data in a sequential manner to refine, aggregate, correlate and hence produce useful information.

This technology also needs to be able to take account of external factors, such as physical security information (for example, building access by personnel), as well as contextual factors such as security 'status'. Finally, this technology should be capable of suggesting and automatically taking intelligent courses of action.
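The SQL Server worm triage described above (do we run the product, is it patched, does it support a critical application) and the sequential refine, aggregate and correlate pipeline, as an added example that is not part of the original paper: a small Python decision pipeline that applies the tests in order over a constructed asset inventory and correlates the result with constructed network IDS log lines, then aggregates the decisions for a dashboard. Hostnames, patch identifiers and IDS signature names are placeholders assumed for illustration, not real ones.

```python
"""Sequential security-event triage: inventory -> patch state -> IDS correlation -> action."""
from dataclasses import dataclass
from collections import Counter
import re


@dataclass(frozen=True)
class Asset:
    host: str
    product: str          # e.g. "SQL Server"
    patches: frozenset    # identifiers of patches already applied
    business_critical: bool


@dataclass(frozen=True)
class Advisory:
    name: str             # also used as the IDS signature prefix for this threat
    target_product: str
    required_patch: str


@dataclass(frozen=True)
class Decision:
    host: str
    action: str           # "none", "patch" or "isolate-and-patch"
    reason: str


# Constructed inventory (placeholder hosts and patch ids, assumed for illustration).
INVENTORY = [
    Asset("db-finance-01", "SQL Server", frozenset(), True),
    Asset("db-reporting-02", "SQL Server", frozenset({"PATCH-001"}), False),
    Asset("db-test-03", "SQL Server", frozenset(), False),
    Asset("web-portal-01", "Web Server", frozenset(), True),
]

# Constructed advisory: a worm attacking SQL Server installations missing PATCH-001.
ADVISORY = Advisory("example-worm", "SQL Server", "PATCH-001")

# Constructed network IDS lines: a second data source to correlate with the inventory.
IDS_LOG = """\
2004-09-01T10:00:01 ids alert src=10.0.0.5 dst=db-test-03 sig=example-worm-probe
2004-09-01T10:00:02 ids alert src=10.0.0.5 dst=web-portal-01 sig=http-scan
2004-09-01T10:00:03 ids alert src=10.0.0.9 dst=db-test-03 sig=example-worm-probe
"""

IDS_RE = re.compile(r"dst=(?P<dst>\S+) sig=(?P<sig>\S+)")


def probed_hosts(ids_log, advisory):
    """Hosts the IDS has seen probed with a signature tied to this advisory."""
    hosts = set()
    for line in ids_log.splitlines():
        m = IDS_RE.search(line)
        if m and m.group("sig").startswith(advisory.name):
            hosts.add(m.group("dst"))
    return hosts


def installations(inventory, advisory):
    """Test 1: do we run the affected product at all?"""
    return [a for a in inventory if a.product == advisory.target_product]


def unpatched(assets, advisory):
    """Test 2: which of those installations lack the required patch?"""
    return [a for a in assets if advisory.required_patch not in a.patches]


def triage(inventory, advisory, ids_log=""):
    """Apply the tests in sequence, stopping early when nothing is affected."""
    affected = installations(inventory, advisory)
    if not affected:
        return []                      # no installations: no action needed
    exposed = unpatched(affected, advisory)
    probed = probed_hosts(ids_log, advisory)
    decisions = []
    for a in affected:
        if a not in exposed:
            decisions.append(Decision(a.host, "none", "already patched"))
        elif a.business_critical:
            decisions.append(Decision(a.host, "isolate-and-patch",
                                      "unpatched; supports a critical business application"))
        elif a.host in probed:
            decisions.append(Decision(a.host, "isolate-and-patch",
                                      "unpatched; IDS shows worm probes against this host"))
        else:
            decisions.append(Decision(a.host, "patch",
                                      "unpatched; schedule patch after change review"))
    return decisions


def summarise(decisions):
    """Aggregate decisions into counts per action for the security dashboard."""
    return dict(Counter(d.action for d in decisions))


if __name__ == "__main__":
    results = triage(INVENTORY, ADVISORY, IDS_LOG)
    for d in results:
        print(f"{d.host:16} {d.action:18} {d.reason}")
    print(summarise(results))
```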

Using this technology will allow organisations to manage and to take control of the multiple layers of security technology in place today. It will empower the management to focus on protecting the critical business processes rather than the technology employed. What is needed is better management not more security technology.

Conclusions
The new security management model supports the business imperatives of financial discipline, assuring business continuity, managing operational risk and regulatory compliance. This model focuses on managing the existing security technologies more effectively rather than adding to or replacing them.

It covers the disciplines of identity and access management, threat management and the newly emerging security information management. It supports information security management processes like BS7799/ISO17799 and provides a complete, integrated and open solution.

Identity and Access management covers the management of who can access what. It ensures that identities are quickly and accurately provisioned and de-provisioned across all the information systems. It enforces role based access control, when what you can do is based on your function within the organisation. It ensures that all administrative and user activity is audited.

Threat management ensures business continuity by protecting the information systems infrastructure from cyber threats. It helps to identify and manage the remediation of system software vulnerabilities. It provides protection from computer viruses and other forms of malicious code. It helps to manage content received and transmitted across the organisation's network perimeter in a flexible way taking into account privacy legislation.

Security information management provides a solution to manage the plethora of security event data that now emanates from the many IT security technologies that are deployed. It provides the means to screen, filter and correlate this data to produce useful information. It delivers this information in a personalised way and provides a common interface into the many IT security management processes.

For more than 28 years, Computer Associates International, Inc. (CA) has delivered a broad range of world-class management solutions. CA's eTrust™ Security Management solutions meet the requirements of the new security management model by providing a complete, integrated and open security management package.

References

[1] IT Security Strategy - Review of Attitudes, Activities and Plans, (June 2004) Jon Collins, Quocirca Ltd

[2] Leveraging Directory Technologies for Enterprise UDDI, Tim Bentley, Don LeClair, CA, January 2002 (http://www.oasis-open.org/)

[3] Organisation for Structured Information Standards, SPML 1.1 Specification Set. See http://www.oasis-open.org/

[4] Open Security Exchange, http://www.oasis-open.org/

[5] Open Security Exchange, http://bsi-global.com

[6] ISO17799 see http://www.iso.ch

[7] ISO17799 see http://www.iso.ch

[8] British Standards Organization, see http://www.c-cure.org

[9] CobiT, see http://www.isaca.org

[10] CobiT, see http://www.isaca.org

Mike Small
Director eTrust™ Strategy
Computer Associates International Inc.

September 2004

Biography
Mike Small is Director of eTrust™ strategy at Computer Associates International, Inc. (CA). In this role he is responsible for defining and communicating the technical strategy for CA's eTrust™ product line within Europe. Mike developed CA's identity and access management strategy and, prior to his current position, he was responsible for its implementation.

Mike joined CA in 1994 from ICL where he was the leader and architect for a number of software development projects ranging from system software to artificial intelligence. Mike is a Chartered Engineer, a Fellow of the British Computer Society and a Member of the Institution of Electronic Engineers.
This Article was updated on Friday, June 15 - 2007