Trusted Systems in an Outsourced Environment - PowerPoint PPT Presentation

1 / 26

About This Presentation

Title:

Trusted Systems in an Outsourced Environment

Description:

support for system administrator and operator functions ... Role Based Access Control (RBACPP); Controlled Access (CAPP) Assurance Level EAL4 ... – PowerPoint PPT presentation

Number of Views:41

Avg rating:3.0/5.0

Slides: 27

Provided by: informat1893

Category:

more less

Transcript and Presenter's Notes

Title: Trusted Systems in an Outsourced Environment

1
Trusted Systems in an Outsourced
Environment Professor William J (Bill) Caelli,
AO Assistant Dean Strategy
Innovation Faculty of Information
Technology Queensland University of
Technology Brisbane, Qld. 4000 Australia
2
Trusted Systems in an Outsourced Environment
Research for this presentation has been supported
by a grant (DP0449644) from the Australian
Research Council (ARC)
3
Trusted Systems in an Outsourced Environment

Emerging Requirements for Security
Differing nature of requirements
Trusted systems background
B means Business Mapping the need
Deploying trusted systems
Future trends.

4
Trusted Systems in an Outsourced Environment

Emerging Requirements for Security
Differing nature of requirements
Trusted systems background
B means Business Mapping the need
Deploying trusted systems
Future trends.

5
Survey, 5 weeks ending 12 Sept 2004/USA
6
Survey, 5 weeks ending 12 Sept 2004/USA
Nature of Data Security Breaches
69
7
Trusted Systems in an Outsourced Environment

Emerging Requirements for Security
Differing nature of requirements
Trusted systems background
B means Business Mapping the need
Deploying trusted systems
Future trends.

8
Trusted Systems in an Outsourced Environment
DEPARTMENT OF DEFENSE STANDARD DEPARTMENT OF
DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION
CRITERIA, DECEMBER 1985
DoD 5200.28-STD December 26, 1985
In general, secure systems will control, through
use of specific security features, access to
information such that only properly authorized
individuals, or processes operating on their
behalf, will have access to read, write, create,
or delete information.
9

POLICY
Security policy
Marking
ACCOUNTABILITY
3. Identification
4. Accountability
ASSURANCE
5. Assurance
6. Continuous protection

TCSEC 1983 / 1985
10
ASSURANCE 5. Assurance 6. Continuous protection
hardware/software mechanisms that can be
independently evaluated to provide sufficient
assurance that system enforces security
requirements continuously protected against
tampering and/or unauthorized changes
11
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING
REQUIREMENT
TCSEC DIVISION C DISCRETIONARY
PROTECTION Classes in this division provide for
discretionary (need-to-know) protection and,
through the inclusion of audit capabilities, for
accountability of subjects and the actions they
initiate. The class (C1) environment is
expected to be one of cooperating users
processing data at the same level(s) of
sensitivity.
12
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING
REQUIREMENT
TCSEC DIVISION B MANDATORY PROTECTION The notion
of a TCB that preserves the integrity of
sensitivity labels and uses them to enforce a set
of mandatory access control rules is a major
requirement in this division. Systems in this
division must carry the sensitivity labels with
major data structures in the system. CLASS
(B1) LABELED SECURITY PROTECTION Class (B1)
systems require all the features required for
class (C2). an informal statement of the
security policy model, data labeling, and
mandatory access control over named subjects and
objects must be present.
13
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING
REQUIREMENT

CLASS (B2) STRUCTURED PROTECTION
TCB ( Trusted Computing Base)
clearly defined and documented formal security
policy model
discretionary and mandatory access control
enforcement (B1) extended to all subjects and
objects in the ADP system.
defined policy model, labelling
protection-critical / non-protection-critical
elements
interface well-defined
more thorough testing and review.

14
TRUSTED SYSTEMS - AN EMERGING OUTSOURCING
REQUIREMENT

CLASS (B2) STRUCTURED PROTECTION
General
authentication mechanisms strengthened,
trusted facility management provided
support for system administrator and operator
functions
stringent configuration management controls
covert channels are addressed
relatively resistant to penetration.

15
COMMON CRITERIA
Protection Profiles Labeled Security (LSPP)
Role Based Access Control (RBACPP) Controlled
Access (CAPP) Assurance Level EAL4
THE EMERGING MINIMUM FOR OUTSOURCING
ICT SYSTEMS AND SERVICES
16

Windows 2000 .. once in kernel mode,
operating system and
device driver code
has complete access to system space memory and
can bypass Windows 2000 security..
the bulk of the Windows 2000 operating system
code runs in kernel mode

D Solomon M Russinovich Inside Microsoft
Windows 2000 (Third Edition)
17
15 March 2004

18
Trusted Systems in an Outsourced Environment

Emerging Requirements for Security
Differing nature of requirements
Trusted systems background
B means Business Mapping the need
Deploying trusted systems
Future trends.

19
COMPLIANCE WITH LEGAL REQUIREMENTS

USA
Sarbanes-Oxley Act 2002 (Sect 404),
Gramm-Leach-Bliley Act
HIPAA
FISMA
AUSTRALIA / EUROPE
IS 17799 (outsourcing contracts)
Privacy Act 1988 (Aust)
AS 18152005 (Aust) ICT Governance
ASX Principle 7 (Aust)

COBIT Methodology
20
USA NISTFISMA Implementation Project
Protecting the Nations Critical Information
Infrastructure
Computer Security Division Information Technology
Laboratory
21
Risk Management Framework
22
Trusted Systems in an Outsourced Environment

Emerging Requirements for Security
Differing nature of requirements
Trusted systems background
B means Business Mapping the need
Deploying trusted systems
Future trends.

23
DEPLOYING TRUSTED SYSTEMS
MARKETPLACE
SUN Microsystems Trusted Solaris 8 LINUX / NSA
Project Onwards SELinux (Basic Kernel) RedHat
Fedora 3/ES 4 Novell SUSE 9
etc. Microsoft Beyond Longhorn
24
Trusted Systems in an Outsourced Environment