




















The security management document outlines the security assessment, access controls, security mechanisms, policies, procedures, and regulatory compliance measures implemented by Integrated Software Solutions to address the security concerns raised by a network expansion and a move to a private cloud. It covers security assessment, access controls, security mechanisms, network and OS security, and regulatory compliance. Key goals include evaluating risks, mapping security to legal requirements, identifying the changes required by the cloud migration, adapting access controls, evaluating network modifications, designing and testing an ISMS, implementing an updated security model, and maintaining a proactive defense strategy.
Running head: SECURITY MANAGEMENT DOCUMENT

Computer Systems Security Foundations (CS651-1603A-02)
Security Management Document
Valencia T. Johnson
Colorado Technical University
July 28, 2016
Abstract

Network expansion calls for an evaluation of all IT security matters at the organizational level, including compliance with existing laws and regulations, a review of access controls and security controls, and an update of technical procedures. Moving part of the offered services into a cloud environment also requires a redesign of the risk assessment process so that security risks stay below the tolerated level. At the same time, a clear picture is needed of the security challenges Integrated Software Solutions faces with respect to customers' data and the protection of their privacy. LAN security remains a priority, and some strengthening of the existing security mechanisms is necessary. The spread of Wi-Fi and the adoption of BYOD have given employees more flexibility, but also additional risks regarding monitoring and data manipulation over less secure communication channels. Since Integrated Software Solutions takes regulatory compliance seriously, a presentation of the security standards most directly applicable to this scenario is mandatory. The technical solution at the end presents a network infrastructure able to satisfy the security requirements of modern environments; it is built on the recommendations made in each of the previous sections, from both technical and business viewpoints.
Security Management Document

Any organization has information assets which must be protected in order to satisfy its established security objectives. After these assets are identified, policies and procedures compliant with existing security laws must be documented, developed, implemented, and maintained. Organizations group these actions under the umbrella of Security Management and Regulatory Compliance. The current project is structured on two pillars: a review of the current security posture, and a safe expansion of the IT infrastructure using proactive defense strategies and mitigation of security risks (or hazards).

Project Outline and Requirements

Organization Description

Integrated Software Solutions is a private company located in Houston, Texas, which provides its customers with customized applications serving various IT needs and business requirements (e.g., management, financial, databases, security). One of the main objectives of the organization is to integrate the applications it builds into the IT infrastructures already residing at the clients' end. In general, the clients are small or medium-sized organizations for which outsourcing IT services is more convenient. The number of employees at Integrated Software Solutions has reached 250, and top management has decided to extend the capacity and capabilities of the IT infrastructure in order to meet the regulatory compliance and security challenges posed by the cloud environment. This change of organizational approach was also driven by the need to simplify the growing requirement for computing and network resources.
Many of the consultants at Integrated Software Solutions spend a significant part of their working time at customers' sites and communicate with their colleagues across public, insecure networks like the Internet. In addition, the information exchanged through traditional communication channels is continuously exposed to attacks and to weaknesses of the networks met along the path. The desired expansion of the IT infrastructure targets both technical and business features: flexibility, privacy of communication, scalability, security objectives, and manageability.

Project Requirements

To address the major concern of jeopardizing the security of customers' data and the privacy of communication between consultants, the Risk Management Team has designed a security management plan which covers several IT security domains: security (vulnerability) assessment, access controls, security mechanisms, network and OS security, and regulatory compliance. Beyond splitting the security requirements among these fields, Integrated Software Solutions has set several mandatory key goals: (a) evaluate the current risks using quantitative and qualitative methods; (b) map the current state of IT security to the legal requirements of recognized acts and standards such as the Sarbanes-Oxley Act, the ISO/IEC 27000 series, COBIT, and the Privacy Act; (c) identify the changes required by moving IT services into the cloud environment; (d) adapt the existing access control methods to the newly identified security challenges; (e) evaluate the network modifications; (f) design and test an ISMS (Information Security Management System); (g) implement an updated security model based on the ISMS; and (h) maintain a proactive defense strategy for preserving data security, both at rest and in transit, in accordance with security and business goals. The identification of the most common causes of data breaches also contributes to reaching the established goals from
of data breaches were identified as: hacking-driven activities, insider threat, physical theft/loss, insecure security policy, and fraud (Symantec, 2010). These root causes are clearly applicable to Integrated Software Solutions; hence the countermeasures and risk mitigation strategies must be developed in line with these findings.

Security Challenges of Allowing Consultants to Work On-Site

It is crucial to review the current security policies and business objectives which are affected by the planned modification of the IT infrastructure. SSO (Single Sign-On) can simplify how system authentication is handled, but its implementation poses additional security challenges: a single set of credentials now unlocks every integrated application, so a compromised credential or session has a correspondingly larger blast radius. Consultants working on-site may use the SSO benefits as long as overall security is not reduced. Legacy applications and management software which cannot integrate their authentication into the broader mechanism must be either removed or replaced. Another challenge is the use of appropriate communication channels; the chosen transport methods have to ensure that privacy of communication and data confidentiality are preserved. A PKI (Public-Key Infrastructure) can satisfy these security requirements within current cryptographic constraints. Besides technical and physical security controls, the existing administrative controls at Integrated Software Solutions (e.g., training and awareness, separation of duties, accounting policies, disaster preparedness and recovery plans, business continuity strategies) must also be reviewed.

IPO Implications on the Organizational IT Infrastructure

Compliance with the Sarbanes-Oxley Act of 2002 is compulsory for Integrated Software Solutions. This act is crucial because it ensures successful audit and management from a financial perspective.
Information Security Governance and Risk Management are two areas directly impacted by this act because the organization needs careful budget planning and infrastructure extension. Sections 404 and 409 concern enhanced financial disclosure to the public and target the "information on material changes in their financial condition or operations" (Addison-Hewitt Associates & B2B Consultancy, 2003). In addition, Section 802 of the act is closely related to law enforcement since it sets out the "criminal penalties for altering documents" (Addison-Hewitt Associates & B2B Consultancy, 2003). From a security posture, this section can be seen as a direct application of integrity constraints: financial records and the logs that support an audit must be protected from unauthorized modification, and any change must be attributable. Certification to ISO/IEC 27001:2013 is crucial for reassuring customers and top management that security provisions were correctly followed and implemented. Its implications for the IT infrastructure are large because the ISMS that must be built covers every layer of IT security. In the context of moving some of the consultancy services into the cloud, its recommendations (although not mandatory) carry more weight for Integrated Software Solutions because part of the security control is transferred to the CSP (Cloud Service Provider). Beyond compliance with the chain of trust (which must be satisfied between the organization, the CSP, and law enforcement), the implementation of the ISMS remains the central point since it involves "people, processes and IT systems by applying a risk management process" (ISO, ISO/IEC 27001 - Information security management, 2016).
environment determines another high security risk. On the other hand, the lack of network segregation by information asset makes it impossible to control group security efficiently. Since the current network is not divided into subnets according to a prioritized scheme, the entire configuration is equally exposed to both inside and outside security threats. In this context all network resources have the same degree of exposure, regardless of whether they are servers or hosts. The current configuration is based on a two-legged (dual-homed) firewall, so the DMZ sits on the external side and is fully exposed to the Internet, and no IPS devices or roles are enabled. On top of this, social engineering techniques are a real threat because of weak user awareness and training.

Newly Introduced Risks

Most of the newly introduced risks are the same as the traditional security risks found in a cloud environment. Even though the organization has decided to move only some of the network services and IT operations into a private cloud, these risks must not be overlooked. The new security challenges derive from the following:

Hypervisor vulnerabilities, since virtualization becomes the prevalent technology in this scenario; this finding strengthens the importance of patch policy and update management even in a private cloud infrastructure. The IT Department needs to consider the trade-off with computing resources like memory, storage, and network bandwidth.

Adjustment of network access controls, because some of the services will be offered from outside the local network environment, and this change requires a redesign.

Communication between virtual machines, since network traffic changes compared to the local environment, where protection against Internet attacks is handled differently; at this point it becomes mandatory to enforce network-level authentication and segmentation between virtual machines to reduce this risk.

Isolation of the host OS from all virtual machines it contains (Shinder & Tiwari, 2013), because otherwise hidden communication channels become available and jeopardize the overall security of the cloud.

The great majority of traditional security risks from non-cloud environments also apply to private cloud configurations.

Risk Management Plan

For the provided scenario it is recommended to design the risk management plan around the following key columns: identified risks and their consequences, impact, probability, priority, and mitigation strategies (Dacosta & McDonough, 2015). A single risk can accept multiple mitigation actions, while the same mitigation strategy may apply to more than one security risk. At this point the data inventory and project preparation have been completed; the risk analysis must be based on a threat model built from the evaluation of the previously identified security risks. The Risk Management Plan will be based on both current and newly identified risks. Each entry in the table receives a unique ID and is assigned a priority based on the security threat determined. The impact and probability values are taken from statistics provided by security vendors and from the provisions of security standards. Before elaborating the corresponding mitigation strategies it is also necessary to include the system vulnerabilities identified during the Risk Analysis phase.

Risk Mitigation

The mitigation strategies aim to bring each risk below the established tolerated value. For Integrated Software Solutions this objective partially depends on the capabilities of the CSP (stands
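The register described in the Risk Management Plan and Risk Mitigation sections above, worked through in code. This is an added example, not part of the original paper: the risks, mitigations, asset values, exposure factors, annual rates of occurrence and the tolerated value are constructed for illustration, and the scoring (impact x probability on 1..5 scales; ALE = asset value x exposure factor x ARO) is the standard quantitative/qualitative method the plan refers to rather than figures from any vendor statistic.

```python
"""Risk register for the Risk Management Plan: inherent and residual scores,
annual loss expectancy, many-to-many risk/mitigation mapping, tolerance check.

Added example; all figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    description: str
    consequence: str
    impact: int             # qualitative, 1 (negligible) .. 5 (severe)
    probability: int        # qualitative, 1 (rare) .. 5 (almost certain)
    asset_value: float      # USD value of the affected asset (constructed)
    exposure_factor: float  # fraction of the asset value lost per occurrence
    aro: float              # annualised rate of occurrence


@dataclass
class Mitigation:
    mitigation_id: str
    description: str
    covers: list            # risk IDs the control applies to (many-to-many)
    reduction: float        # fraction of the score the control removes, 0..1


def qualitative_score(risk):
    """Inherent score before any mitigation: impact x probability."""
    return risk.impact * risk.probability


def priority(score):
    """Priority column of the register, derived from the inherent score."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def annual_loss_expectancy(risk):
    """Quantitative view: SLE = AV x EF, ALE = SLE x ARO (rounded to cents)."""
    sle = risk.asset_value * risk.exposure_factor
    return round(sle * risk.aro, 2)


def residual_score(risk, mitigations):
    """Apply every control covering the risk; reductions compound, so two
    50% controls leave 25% of the inherent score."""
    remaining = 1.0
    for m in mitigations:
        if risk.risk_id in m.covers:
            remaining *= 1.0 - m.reduction
    return round(qualitative_score(risk) * remaining, 2)


def unmitigated(risks, mitigations):
    """Risk IDs no control covers: gaps the mitigation phase must close."""
    covered = {rid for m in mitigations for rid in m.covers}
    return [r.risk_id for r in risks if r.risk_id not in covered]


def build_register(risks, mitigations, tolerance):
    """One row per risk, highest inherent score first, flagged when the
    residual score is still above the tolerated value."""
    rows = []
    for r in sorted(risks, key=qualitative_score, reverse=True):
        score = qualitative_score(r)
        residual = residual_score(r, mitigations)
        rows.append({
            "id": r.risk_id,
            "risk": r.description,
            "consequence": r.consequence,
            "score": score,
            "priority": priority(score),
            "ale_usd": annual_loss_expectancy(r),
            "mitigations": [m.mitigation_id for m in mitigations if r.risk_id in m.covers],
            "residual": residual,
            "above_tolerance": residual > tolerance,
        })
    return rows


# Constructed entries following the breach root causes and private-cloud
# risks identified earlier in the document.
RISKS = [
    Risk("R1", "External attack on the fully exposed DMZ", "Customer data breach", 5, 4, 500_000, 0.3, 0.5),
    Risk("R2", "Insider misuse of broad access", "Data manipulation", 4, 3, 200_000, 0.5, 0.2),
    Risk("R3", "Hypervisor vulnerability", "VM escape in the private cloud", 5, 2, 800_000, 0.4, 0.1),
    Risk("R4", "Social engineering of consultants", "Credential theft", 3, 5, 100_000, 0.2, 1.0),
    Risk("R5", "Physical theft/loss of a laptop", "Loss of unencrypted data", 3, 2, 50_000, 1.0, 0.3),
]
MITIGATIONS = [
    Mitigation("M1", "Three-legged firewall with IPS in front of the DMZ", ["R1"], 0.6),
    Mitigation("M2", "Patch and update management, hosts and hypervisor", ["R1", "R3"], 0.5),
    Mitigation("M3", "Security awareness training", ["R2", "R4"], 0.4),
    Mitigation("M4", "RBAC with separation of duties", ["R2"], 0.5),
]
TOLERANCE = 8   # constructed: residual scores above this need further controls

if __name__ == "__main__":
    for row in build_register(RISKS, MITIGATIONS, TOLERANCE):
        print(row)
    print("unmitigated:", unmitigated(RISKS, MITIGATIONS))
```

Each row carries the risk's own ID, its inherent score and priority, the IDs of every mitigation that covers it (one risk may have several controls and one control may serve several risks), the residual score after those controls, and a flag when that residual is still above the tolerated value. `unmitigated` lists the risks the plan does not address at all; with the constructed data, R4 remains above tolerance after training alone and R5 has no control, which are exactly the gaps the mitigation phase must close before the plan is signed off.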
Access Controls and Security Mechanisms

Top management at Integrated Software Solutions has understood the importance of an access control model "in terms of protecting system resources against inappropriate or undesired user access" (Ferraiolo, Hu, & Kuhn, 2006, p. 3). Since application security must be integrated into this model, the authentication and authorization mechanisms used to protect the software have to be analyzed in order to identify further improvements. Establishing the access control mechanisms is the foundation of the technical controls enabled later during the implementation phase; at the same time, using access control mechanisms requires (1) policy support and (2) policy updates, where applicable. Compliance with the security recommendations of the applicable standards is another objective of this section. This goal is served by the proposed technical solutions, which address two matters: (1) secure remote login and (2) proper access to the required resources.

Access Control Mechanisms for Existing Applications

Each application requires review before deciding on its integration with the global authentication and authorization mechanism. However, since the software used at Integrated Software Solutions can be divided into several groups by purpose, it is simpler to present the access control mechanisms per category. The broad groups are desktop (local) applications, client software, public applications, and the CSP's software. In summary, the proposal for access control mechanisms is as follows:

Local applications are integrated into Active Directory policies for asset/resource identification and authentication; the suitable authorization scheme is RBAC (Role-Based Access Control).

Client software is integrated with Enterprise SSO technology for authentication and also uses RBAC for authorization.

Public applications use the authentication schemes proposed by their vendors; hence they enable neither AD nor SSO. The prevalent authorization mechanisms are DAC (Discretionary Access Control) and MAC (Mandatory Access Control).

The CSP's software will be tightly integrated into both the AD and SSO authentication schemes; no authorization mechanism has been decided yet, but it is likely to be of the RBAC type once the network is expanded, by analogy with the other groups.

Access Control Mechanisms for the Expanded Network Infrastructure

In the context of moving part of the offered services and assets into the cloud environment, security management at Integrated Software Solutions must be adapted to the access control methodologies and mechanisms introduced by this major change. In addition, extending the current Wi-Fi capabilities under a BYOD (Bring Your Own Device) policy requires compliance with the recommended access control settings. The LAN must be logically organized by segregation into different segments; this achieves isolation and more control over each functional network unit. The main recommendation for authentication mechanisms is to deploy either a Citrix server or a Kerberos server. Both solutions can be integrated with the Microsoft Active Directory database for compatibility and access to related technologies (e.g., LDAP). The recommended authorization model is RBAC, since it allows access to resources to be configured from already defined (or updated) roles and responsibilities (Harris, 2013, p. 277).
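The RBAC authorization proposed above for local applications, client software and (probably) the CSP's software, as an added example that is not part of the paper or of any product: the roles, permissions, users and the separation-of-duties pair are constructed. Users are assigned roles, roles are granted (operation, object) permissions, a senior role inherits the permissions of its junior roles, and every check is default deny. The static separation-of-duties constraint implements the administrative control listed earlier in the document: one person cannot hold two mutually exclusive roles.

```python
"""Role-based access control with role hierarchy and static separation of duties.

Added example; the policy in build_policy() is constructed for illustration.
"""
from collections import deque


class RBAC:
    def __init__(self):
        self._perms = {}     # role -> set of (operation, object)
        self._parents = {}   # role -> set of junior roles it inherits from
        self._users = {}     # user -> set of directly assigned roles
        self._ssd = set()    # mutually exclusive role pairs (static SoD)

    def add_role(self, role, inherits=()):
        self._perms.setdefault(role, set())
        self._parents.setdefault(role, set()).update(inherits)
        for junior in inherits:
            self._perms.setdefault(junior, set())
            self._parents.setdefault(junior, set())

    def grant(self, role, operation, obj):
        self._perms[role].add((operation, obj))

    def add_ssd(self, role_a, role_b):
        """Declare two roles that no single user may hold together."""
        self._ssd.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Assign a role, refusing it if the user's effective roles would then
        contain both halves of a separation-of-duties pair."""
        if role not in self._perms:
            raise KeyError(f"unknown role {role!r}")
        held = self.effective_roles(user) | self.effective_roles_of({role})
        for pair in self._ssd:
            if pair <= held:
                raise ValueError(f"separation of duties: {user} cannot hold {sorted(pair)}")
        self._users.setdefault(user, set()).add(role)

    def effective_roles_of(self, roles):
        """Close a role set under inheritance (a senior role gains junior permissions)."""
        seen, todo = set(roles), deque(roles)
        while todo:
            for junior in self._parents.get(todo.popleft(), ()):
                if junior not in seen:
                    seen.add(junior)
                    todo.append(junior)
        return seen

    def effective_roles(self, user):
        return self.effective_roles_of(self._users.get(user, set()))

    def permissions(self, user):
        out = set()
        for role in self.effective_roles(user):
            out |= self._perms[role]
        return out

    def check(self, user, operation, obj):
        """Default deny: allowed only if some effective role grants the pair."""
        return (operation, obj) in self.permissions(user)


def build_policy():
    """Constructed policy for the desktop and client application groups."""
    rbac = RBAC()
    rbac.add_role("employee")
    rbac.add_role("consultant", inherits=["employee"])
    rbac.add_role("developer", inherits=["employee"])
    rbac.add_role("release_manager", inherits=["developer"])
    rbac.add_role("auditor", inherits=["employee"])
    rbac.grant("employee", "read", "intranet")
    rbac.grant("consultant", "read", "customer_db")
    rbac.grant("developer", "write", "source_repo")
    rbac.grant("release_manager", "deploy", "prod_app")
    rbac.grant("auditor", "read", "audit_log")
    # Whoever deploys to production must not also review the audit trail.
    rbac.add_ssd("release_manager", "auditor")
    rbac.assign("alice", "consultant")
    rbac.assign("bob", "release_manager")
    rbac.assign("carol", "auditor")
    return rbac


if __name__ == "__main__":
    p = build_policy()
    print("alice read customer_db ->", p.check("alice", "read", "customer_db"))
    print("alice deploy prod_app  ->", p.check("alice", "deploy", "prod_app"))
    print("bob write source_repo  ->", p.check("bob", "write", "source_repo"))
```

The check never consults the user directly, only the roles the user holds, which is what makes RBAC manageable when consultants rotate between customer engagements: access changes by reassigning a role, not by editing per-user ACLs (the DAC model the public applications keep). Assigning `auditor` to `bob`, who already holds `release_manager`, raises instead of silently widening his access.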
One of the crucial matters to be addressed in this context is secure remote access to resources and the management of applications within this distributed environment. Because the private cloud hosts the most frequently accessed software applications, remote authentication can be implemented either with SSO or by configuring an SSL VPN. The first option is manageable with a product like Citrix server, while the second requires additional setup on the provider's devices. SSO technology is currently found on the market in three forms: Windows integrated, extranet, and intranet (enterprise). The first allows connection to multiple applications within the network using a common authentication mechanism. The second is useful when the prevalent operation is accessing resources residing over the Internet, again with a single set of user credentials. Finally, Enterprise SSO requires a credential database, a master secret server, and one or more Single Sign-On servers (Microsoft, 2015). An SSL VPN allows system users to securely access internal applications by encrypting the exchanged traffic. An IPsec VPN can be implemented instead when specific hosts must be securely connected to the network; for instance, some LAN stations may need to connect to servers residing in the cloud for synchronization. This shows the importance of IPsec for internal connections, and also for external connections exposed to malicious users on public networks. Either VPN type protects traffic in transit against eavesdropping and tampering, but neither protects a compromised endpoint, so device security and user authentication remain necessary. If a Citrix authentication server is preferred, its Password Manager tool handles the users' account management for implementing SSO. A great advantage of Citrix is its integration with Active Directory; since AD will be in use on the expanded Integrated Software Solutions network, Citrix must be seriously considered for SSO covering users on both sides of the enterprise firewall. Another suitable option for implementing SSO with Microsoft Windows clients is a Kerberos server. Kerberos provides authentication only, so it is paired with LDAP (Lightweight Directory Access Protocol), which supplies the directory data used for authorization and users' synchronization (Jive Software, 2015). Not least, Integrated Software Solutions can combine SSO and VPN to obtain secure authentication over the network. Devices like the Cisco ASA series support both technologies and are a serious option for the physical design of the expanded network. These technical solutions aim to overcome the security challenges resulting from each user having a single set of credentials: because that credential unlocks every integrated application, it must be strongly protected, its use monitored, and any compromise contained quickly.
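The Kerberos authentication flow behind the SSO option above, as an added example (not the paper's or any vendor's implementation). Principal names, passwords, the realm and the small authenticated cipher are constructed; the message flow follows the Kerberos V5 pattern: the client proves knowledge of its password-derived key once to the KDC (with encrypted-timestamp pre-authentication), receives a ticket-granting ticket, and then obtains a service ticket for each application, so the password never travels to the KDC or to the services and one credential serves every integrated application. The cipher here is a toy (SHA-256 keystream plus HMAC) standing in for the AES-based Kerberos encryption types and must not be reused elsewhere.

```python
"""Simplified Kerberos V5 flow (AS, TGS and AP exchanges) for the SSO option.

Added example: names, passwords, realm and the toy cipher are constructed.
"""
import hashlib, hmac, json, os, time

LIFETIME, SKEW = 3600, 300      # ticket lifetime and allowed clock skew, seconds

def string_to_key(password, realm):
    """Long-term key derived from the password (Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)

def _keystream_xor(key, nonce, data):
    """Toy stream cipher: SHA-256(key || nonce || counter) blocks XORed with data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Return the object, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return json.loads(_keystream_xor(key, nonce, ct).decode())

def _valid(ticket, authenticator):
    """Ticket unexpired, and authenticator sealed under the ticket's session
    key, fresh, and naming the same principal as the ticket."""
    if ticket is None or ticket["exp"] < time.time():
        return False
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    return (auth is not None and auth["cname"] == ticket["cname"]
            and abs(time.time() - auth["ts"]) <= SKEW)

class KDC:
    """Authentication Server and Ticket-Granting Server sharing one key store."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm) for p, pw in passwords.items()}

    def as_exchange(self, cname, preauth):
        """AS-REQ with encrypted-timestamp pre-authentication -> (enc part, TGT)."""
        ckey = self.keys.get(cname)
        ts = unseal(ckey, preauth) if ckey else None
        if ts is None or abs(time.time() - ts["ts"]) > SKEW:
            return None                        # wrong password or stale request
        sk1, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk1, "exp": exp})
        return seal(ckey, {"key": sk1, "exp": exp, "sname": "krbtgt"}), tgt

    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REQ: TGT plus authenticator under the TGT session key -> (enc part, ticket)."""
        t = unseal(self.keys["krbtgt"], tgt)
        if not _valid(t, authenticator) or sname not in self.keys:
            return None
        sk2, exp = os.urandom(32).hex(), time.time() + LIFETIME
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": sk2, "exp": exp})
        return seal(bytes.fromhex(t["key"]), {"key": sk2, "exp": exp, "sname": sname}), ticket

def ap_exchange(service_key, ticket, authenticator):
    """Service side of AP-REQ: the client named in a valid ticket is accepted."""
    t = unseal(service_key, ticket)
    return t["cname"] if _valid(t, authenticator) else None

def client_login(kdc, cname, password, sname):
    """One user's SSO flow: AS -> TGS -> AP. Returns the accepted name or None."""
    ckey = string_to_key(password, kdc.realm)
    rep = kdc.as_exchange(cname, seal(ckey, {"ts": time.time()}))
    if rep is None:
        return None
    sk1 = bytes.fromhex(unseal(ckey, rep[0])["key"])
    rep = kdc.tgs_exchange(rep[1], seal(sk1, {"cname": cname, "ts": time.time()}), sname)
    if rep is None:
        return None
    sk2 = bytes.fromhex(unseal(sk1, rep[0])["key"])
    # The service holds its own copy of kdc.keys[sname]; looked up here for brevity.
    return ap_exchange(kdc.keys[sname], rep[1], seal(sk2, {"cname": cname, "ts": time.time()}))

REALM = "ISS.LOCAL"                              # constructed realm and principals
PRINCIPALS = {"alice": "correct horse", "krbtgt": os.urandom(16).hex(),
              "fileserver": os.urandom(16).hex()}

def demo():
    kdc = KDC(REALM, PRINCIPALS)
    return {"good": client_login(kdc, "alice", "correct horse", "fileserver"),
            "bad_password": client_login(kdc, "alice", "wrong", "fileserver"),
            "unknown_service": client_login(kdc, "alice", "correct horse", "mailserver")}

if __name__ == "__main__":
    print(demo())
```

Three outcomes in `demo`: a correct password yields a service ticket accepted by the file server, a wrong password fails at the AS exchange (the KDC cannot open the pre-authentication timestamp, and without pre-authentication an attacker could instead request the AS reply and crack the password offline), and a service the KDC does not know fails at the TGS exchange. Two things real Kerberos adds that are left out here: a replay cache for authenticators at each service, and the directory (LDAP or Active Directory) lookup that turns the authenticated name into group memberships for authorization, which is the pairing the paragraph above describes.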
p. 5). This section can be applied in the context of the COBIT guidelines for a broader range of controls and aspects of the IT environment. The ISO/IEC 27000 series currently represents powerful guidance for any organization which intends to design, develop, implement, maintain, and certify its ISMS; managing information security requires a deep understanding of the IT security-related processes and existing controls. The documentation of this standard covers all organizational areas and turns the legal requirements into the foundation for the security policies to be implemented. The organization needs to adopt continuous improvement based on the PDCA (Plan-Do-Check-Act) cycle (Pelnekar, 2011). Other frameworks and acts like COBIT and the Privacy Act can be used as complementary documents for completing the IPO requirements. Each of them regards information security from a different perspective; for instance, Section 404 of the Sarbanes-Oxley Act becomes implementable if COBIT is adopted, since this framework helps automate IT processes in respect of compliance with Section 404 of the act. In addition, the Privacy Act offers the appropriate level of awareness of how data protection can be achieved (e.g., confidentiality of customers' data stored on company servers, regardless of whether they are kept within the LAN or on CSP servers).

Security Policies

The role of security policies is to link (a) the provisions of the security standards and (b) the implemented security measures or controls. All policies must be designed for compliance with the regulatory aspects of IT processes. System users at Integrated Software Solutions need to be aware of these policies in order to obtain stronger security for the information system as a whole.

Acceptable Use Policy describes what resources can be used and under which conditions. This policy is usually accompanied by a Non-acceptable Use Policy which shows what cannot be used and the forbidden conditions of usage. All users of the organization must adhere to the principles contained in this policy.

Remote Access Policy covers the legitimate and secure conditions to be followed by users who perform their daily activities outside the network perimeter of the organization. It contains the requirements for the necessary remote software and tools and their configuration settings. Not least, the policy describes the protection mechanisms required for securing the communication (e.g., encryption, authentication) when connecting to company assets.

Disaster Recovery Plan Policy introduces the processes to be followed by the assigned parties (internal or external) for recovering the affected systems and data when outages occur. It is focused on business continuity strategies and depends on other policies like the Incident Response Management Plan and the Backup Plan. The policy prioritizes services and systems based on the criticality of their business components.

Communication Policy covers the acceptable conditions for using well-established services and tools like email, the Internet, and messaging software. It also highlights, for each service or tool, what constitutes unacceptable use of the communication method. It is developed in accordance with data protection standards.

Software Security Policy enumerates the applications within the network perimeter to be protected according to the existing security standards. In the current context it covers database security, LAN software, customers' applications, and the CSP's proprietary software. In summary, the policy contains a series of good practices to be followed for securely using the software during regular operations.