Copyright © 2002-2005, CiRBA, Inc. All Rights Reserved. http://www.cirba.com CAT 02/05 Security and Compliance: Looking Beyond the File Presented By: Andrew Hillier CTO, CiRBA Inc.


Slide 1

Security and Compliance: Looking Beyond the File

Presented By: Andrew Hillier, CTO, CiRBA Inc.

Slide 2

Abstract

Many organizations employ strategies that focus on file-level tracking to address specific system security and regulatory compliance issues.

At the same time, many organizations are undertaking initiatives to enhance IT service management through detailed tracking of system and application configurations.

Because security and compliance are affected by many of these same areas of configuration, a convergence in the IT infrastructure to address these areas is beneficial, and perhaps even inevitable…

Slide 3

Information Convergence

[Diagram: IT Data Center Operations across Mainframe, Proprietary, UNIX, Linux and Windows platforms, from the front end (horizontal scaling) to the back end (vertical scaling), mapped against the management disciplines Asset & Inventory Management, Configuration Management, Change Management, Release Management, Capacity Management, Problem Management, Business Continuity, Compliance Management and Security.]

The Problem: A gap exists between datacenter management disciplines and the ability to provide the information to fulfill on these mandates.

Slide 4

Information Convergence

[Diagram: the same view of IT Data Center Operations (Mainframe, Proprietary, UNIX, Linux, Windows; front end to back end) against the disciplines Asset & Inventory Management, Configuration Management, Change Management, Release Management, Capacity Management, Problem Management, Business Continuity, Compliance Management and Security.]

The Reason: In the past, these disciplines were considered in isolation, and solutions were implemented that addressed individual areas.

Slide 5

Information Convergence

[Diagram: the same view of IT Data Center Operations against the management disciplines, now overlaid with the point tools each discipline has accumulated: Asset Discovery, File Scanning, Resource Tracking, Software Discovery, Manual Inspection and Homegrown Scripts.]

The Result: A fragmented solution space and a proliferation of technologies that is not sustainable across all platforms and process areas.

Slide 6

Information Convergence

[Diagram: the same view of IT Data Center Operations (Mainframe, Proprietary, UNIX, Linux, Windows; front end to back end) against the disciplines Asset & Inventory Management, Configuration Management, Change Management, Release Management, Capacity Management, Problem Management, Business Continuity, Compliance Management and Security, served by one common layer.]

The Solution: One common approach for the entire enterprise.

Tracking what systems and applications you have, how they are configured, how they are being used, and how they are being changed.

Slide 7

Information Requirements by Discipline

[Matrix: which configuration areas each discipline needs; the individual cell marks did not survive extraction.]

Disciplines (columns): Configuration Mgmt, Asset Mgmt, Security Mgmt, Compliance Mgmt

Configuration areas (rows): Hardware Config, VM Partitioning, OS Configuration, Patch Levels, File Attributes, SW Inventory, Application Config, Middleware Config, Database Config, Environment Config

Slide 8

Implications for Security Management

File- and network-level security solutions are relatively common, but they only focus on specific aspects of security.

With a consolidated approach that encompasses all areas of configuration, this can be taken much further:

• Database account and access control changes

• Status of security patches

• Changes in network shares

• Hardware removal

• USB Drive use

• Etc.

The result is a “bear hug” on all vital security aspects of IT infrastructure

Slide 9

Implications for Regulatory Compliance

For Sarbanes-Oxley, a consolidated approach provides a comprehensive mechanism for assuring and demonstrating a commitment to integrity at all levels:

• Tracking of physical assets and shared resources

• Credential changes that may compromise systems

• Activity affecting information integrity or privacy

Slide 10

Configuration-Centric View of System Changes

A configuration-centric view of change activity is typically geared toward change reconciliation and fault isolation.

Slide 11

Security-Centric View of System Changes

A security-based view of configuration change activity can leverage the same underlying information to identify potential vulnerabilities and assure compliance.

Slide 12

Security-Centric View of System Changes

By isolating the subset of configuration information that is truly security-related, one infrastructure can effectively service multiple IT management disciplines.

Slide 13

Information Security - Database Configuration

Detailed tracking of the configurations of databases reveals changes that have a direct impact on security. Many SOX strategies focus mainly on file-level security and ignore this critical aspect of compliance.

Slide 14

Information Security - Schema Changes

Tracking and comparing schemas not only assures compliance between internal environments (such as UAT and Prod) but also uncovers changes that may affect application security.

Slide 15

System Security - Credential Changes

Tracking permissions granted to users is the first step in assuring compliance and information security, as proper maintenance of credentials is the primary defense against unauthorized access and tampering.

Slide 16

User Security - Directory Service Changes

Detailed scrutiny of directory services uncovers suspicious activity and provides an audit trail of noteworthy events. In this example an account is being locked out due to too many bad password attempts.

Slide 17

Physical Security - Hardware Changes

Even at the hardware asset level, specific changes have a direct security impact. In this example a USB drive has been removed from a server, potentially taking sensitive data with it.
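The security-centric filtering described on slides 12 to 17 (database grants, schema drift between UAT and Prod, credential changes, a directory lockout, a removed USB drive), worked as an added Python example that is not CiRBA's code: two constructed configuration snapshots are flattened and diffed, and the security view keeps only the areas listed in an assumed SECURITY_AREAS set.

```python
# Diff two configuration snapshots and isolate the security-relevant subset.
# Constructed example, not CiRBA's code: a snapshot is a nested dict keyed by
# configuration area, as a configuration-tracking tool might collect it.
from typing import Dict, List, Tuple

# Areas kept by the security-centric view (assumed for this example); schema
# changes stay in the full configuration-centric view only.
SECURITY_AREAS = {"grants", "shares", "hardware", "patches", "directory"}

def flatten(cfg: dict, prefix: str = "") -> Dict[str, object]:
    """Turn nested dicts into {"area.key.subkey": leaf} so leaves can be compared."""
    out: Dict[str, object] = {}
    for key, value in cfg.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def diff(before: dict, after: dict) -> List[Tuple[str, str, object, object]]:
    """Configuration-centric view: every added, removed or changed leaf as (kind, path, old, new)."""
    old, new = flatten(before), flatten(after)
    changes: List[Tuple[str, str, object, object]] = []
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            changes.append(("removed", path, old[path], None))
        elif path not in old:
            changes.append(("added", path, None, new[path]))
        elif old[path] != new[path]:
            changes.append(("changed", path, old[path], new[path]))
    return changes

def security_view(changes: List[Tuple[str, str, object, object]]) -> List[Tuple[str, str, object, object]]:
    """Security-centric view: the same changes, filtered to security-relevant areas."""
    return [c for c in changes if c[1].split(".", 1)[0] in SECURITY_AREAS]

# Constructed snapshots of one database server: UAT baseline vs. Prod.
UAT = {"schema": {"orders": {"columns": "id,total,created"}},
       "grants": {"app_user": "SELECT,INSERT", "report": "SELECT"},
       "shares": {"/export/logs": "ro"}, "hardware": {"usb0": "removable disk"},
       "patches": {"patch-2005-001": "installed"},  # placeholder patch id
       "directory": {"jsmith": {"locked": False, "bad_pw_count": 0}}}
PROD = {"schema": {"orders": {"columns": "id,total,created,card_number"}},
        "grants": {"app_user": "ALL", "report": "SELECT", "tmp_admin": "DBA"},
        "shares": {"/export/logs": "rw"}, "hardware": {},  # USB drive removed
        "patches": {"patch-2005-001": "missing"},
        "directory": {"jsmith": {"locked": True, "bad_pw_count": 5}}}
```

Calling security_view(diff(UAT, PROD)) drops the schema change (an operational concern) and leaves the grant escalation, new DBA account, share made writable, missing patch, account lockout and removed USB drive for the security reviewer.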

Slide 18

Information Security - Tracking Key Assets

Protecting the integrity of data is somewhat futile if you don't even know all the places where data is stored. Effective software asset tracking is critical to information security.

Slide 19

Looking Beyond the File: The Business Value of Convergence

Compelling business-level considerations

• Convergence = Cost Savings

• Benefits of a business case that leverages multiple disciplines

• Consolidated approach addresses SOX while at the same time benefiting Operations, ITIL projects and other initiatives

Allows a service-oriented view of security

• By leveraging service models being developed in configuration management initiatives (e.g. CMDBs), security information can also be aligned with business services

Provides a common language

• Common technology provides a common language for communication between Security, Compliance, Change Management, Problem Management and other key groups

Slide 20

"You can observe a lot just by watching."

Yogi Berra

322 King Street West, Suite 200, Toronto, ON, Canada M5V 1J2

t. +1 416.260.8462 w. www.cirba.com f. +1 416.260.5921 e. [email protected]

Presented By: Andrew Hillier, CTO, CiRBA Inc. [email protected]