TRANSCRIPT
Copyright © 2002-2005, CiRBA, Inc. All Rights Reserved.
http://www.cirba.com  CAT 02/05
Security and Compliance: Looking Beyond the File
Presented By:
Andrew Hillier, CTO, CiRBA Inc.
Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Slide 2
Abstract
Many organizations employ strategies that focus on file-level tracking to address specific system security and regulatory compliance issues.
At the same time, many organizations are undertaking initiatives to enhance IT service management through detailed tracking of system and application configurations.
Because security and compliance are affected by many of these same areas of configuration, a convergence in the IT infrastructure to address these areas is beneficial, and perhaps even inevitable…
Slide 3
Information Convergence
The Problem: A gap exists between data center management disciplines and the ability to provide the information needed to fulfill these mandates.
[Diagram: IT Data Center Operations across Mainframe, Proprietary, UNIX, Linux and Windows platforms (front end: horizontal scaling; back end: vertical scaling), with the management disciplines Asset & Inventory Management, Configuration Management, Change Management, Release Management, Capacity Management, Problem Management, Business Continuity, Compliance Management and Security.]
Slide 4
Information Convergence
The Reason: In the past, these disciplines were considered in isolation, and solutions were implemented that addressed individual areas.
[Diagram: the same platform and discipline layout as the previous slide.]
Slide 5
Information Convergence
The Result: A fragmented solution space and a proliferation of technologies that is not sustainable across all platforms and process areas.
[Diagram: the platform and discipline layout of the previous slides, overlaid with the point solutions used in each area: Asset Discovery, File Scanning, Resource Tracking, Software Discovery, Manual Inspection and Homegrown Scripts.]
Slide 6
Information Convergence
The Solution: One common approach for the entire enterprise
Tracking what systems and applications you have, how they are configured, how they are being used, and how they are being changed
[Diagram: a single tracking layer spanning Mainframe, Proprietary, UNIX, Linux and Windows and serving all of the management disciplines shown on slide 3.]
Slide 7
Information Requirements by Discipline
[Matrix of information areas (rows) against disciplines (columns); the cell markings are not shown.]
Disciplines: Configuration Mgmt, Asset Mgmt, Security Mgmt, Compliance Mgmt
Information areas: Hardware Config, VM Partitioning, OS Configuration, Patch Levels, File Attributes, SW Inventory, Application Config, Middleware Config, Database Config, Environment Config
Slide 8
Implications for Security Management
File and network-level security solutions are relatively common but only focus on specific aspects of security
With a consolidated approach that encompasses all areas of configuration this can be taken much further:
• Database account and access control changes
• Status of security patches
• Changes in network shares
• Hardware removal
• USB Drive use
• Etc.
The result is a “bear hug” on all vital security aspects of IT infrastructure
Slide 9
Implications for Regulatory Compliance
For Sarbanes-Oxley, a consolidated approach provides a comprehensive mechanism for assuring and demonstrating a commitment to integrity at all levels:
• Tracking of physical assets and shared resources
• Credential changes that may compromise systems
• Activity affecting information integrity or privacy
Slide 10
Configuration-Centric View of System Changes
A configuration-centric view of change activity is typically geared toward change reconciliation and fault isolation.
Slide 11
Security-Centric View of System Changes
A security-based view of configuration change activity can leverage the same underlying information to identify potential vulnerabilities and assure compliance.
Slide 12
Security-Centric View of System Changes
By isolating the subset of configuration information that is truly security-related, one infrastructure can effectively service multiple IT management disciplines.
Slide 13
Information Security - Database Configuration
Detailed tracking of the configurations of databases reveals changes that have a direct impact on security. Many SOX strategies focus mainly on file-level security and ignore this critical aspect of compliance.
Slide 14
Information Security - Schema Changes
Tracking and comparing schemas not only assures compliance between internal environments (such as UAT and Prod) but also uncovers changes that may affect application security.
Slide 15
System Security - Credential Changes
Tracking permissions granted to users is the first step in assuring compliance and information security, as proper maintenance of credentials is the primary defense against unauthorized access and tampering.
Slide 16
User Security - Directory Service Changes
Detailed scrutiny of directory services uncovers suspicious activity and provides an audit trail of noteworthy events. In this example an account is being locked out due to too many bad password attempts.
Slide 17
Physical Security - Hardware Changes
Even at the hardware asset level, specific changes have a direct security impact. In this example a USB drive has been removed from a server, potentially taking sensitive data with it.
Slide 18
Information Security - Tracking Key Assets
Protecting the integrity of data is somewhat futile if you don't even know all the places where data is stored. Effective software asset tracking is critical to information security.
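The security-centric view of slide 12, built from the same change data as the configuration-centric view and covering the change types illustrated on slides 13 to 18, as an added Python example (not CiRBA's code or product): the snapshots are constructed sample data and SECURITY_RULES is a hypothetical rule set naming which configuration subtrees are security-relevant.

```python
# Constructed before/after configuration snapshots of one server (sample data, not from the deck).
BEFORE = {
    "os": {"patch_level": "SP1", "shares": ["public", "finance"]},
    "hardware": {"usb": ["backup-disk"]},
    "database": {"grants": {"app_user": ["SELECT"], "report": ["SELECT"]},
                 "schema": {"orders": ["id", "total"]}},
    "directory": {"accounts": {"jdoe": "enabled"}},
    "capacity": {"cpu_pct": 40},
}
AFTER = {
    "os": {"patch_level": "SP2", "shares": ["public", "finance", "payroll"]},
    "hardware": {"usb": []},
    "database": {"grants": {"app_user": ["SELECT", "DELETE"], "report": ["SELECT"]},
                 "schema": {"orders": ["id", "total", "card_number"]}},
    "directory": {"accounts": {"jdoe": "locked_out"}},
    "capacity": {"cpu_pct": 65},
}

# Hypothetical rule set: the subset of the configuration tree that is security-related.
SECURITY_RULES = {
    "database/grants": "database access control",
    "database/schema": "schema change",
    "os/patch_level": "security patch status",
    "os/shares": "network share change",
    "hardware/usb": "hardware removal / USB use",
    "directory/accounts": "directory service event",
}

def diff(old, new, path=""):
    """Configuration-centric view: every (path, old, new) leaf that changed."""
    if isinstance(old, dict) and isinstance(new, dict):
        changes = []
        for key in sorted(set(old) | set(new)):
            child = f"{path}/{key}" if path else key
            changes += diff(old.get(key), new.get(key), child)
        return changes
    return [] if old == new else [(path, old, new)]

def security_view(changes):
    """Security-centric view: the same changes, kept and tagged only where a rule matches."""
    view = []
    for path, old, new in changes:  # unmatched paths (e.g. capacity/cpu_pct) are dropped
        for prefix, category in SECURITY_RULES.items():
            if path == prefix or path.startswith(prefix + "/"):
                view.append((category, path, old, new))
                break
    return view

if __name__ == "__main__":
    for category, path, old, new in security_view(diff(BEFORE, AFTER)):
        print(f"{category:28s} {path}: {old!r} -> {new!r}")
```

The capacity change is still visible in the configuration-centric diff for operations staff; only the security view filters it out.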
Slide 19
Looking Beyond the File: The Business Value of Convergence
Compelling business-level considerations
• Convergence = Cost Savings
• Benefits of a business case that leverages multiple disciplines
• A consolidated approach addresses SOX while at the same time benefiting Operations, ITIL projects and other initiatives
Allows a service-oriented view of security
• By leveraging service models being developed in configuration management initiatives (e.g. CMDBs), security information can also be aligned with business services
Provides a common language
• Common technology provides a common language for communication between Security, Compliance, Change Management, Problem Management and other key groups
Slide 20
“You can observe a lot just by watching.”
Yogi Berra
322 King Street West, Suite 200, Toronto, ON, Canada M5V 1J2
t. +1 416.260.8462  w. www.cirba.com  f. +1 416.260.5921  e. [email protected]
Presented By: Andrew Hillier, CTO, CiRBA Inc., [email protected]