1. Field of the Invention
The present invention relates to systematic techniques for assessing security and privacy concerns for an enterprise, and deals more particularly with techniques for determining one or more information technology products and/or services that may be leveraged to mitigate security and privacy risks for the enterprise.
2. Description of the Related Art
Any enterprise, whether it is a commercial business, a government or military entity, an educational or charitable institution, or another type of enterprise, faces risks as part of conducting its operations. As used herein, the term “risk” or “business risk” denotes the possibility that something negative or undesirable will happen, and more particularly, denotes the possibility that something negative or undesirable will happen to the enterprise, its customers, or some asset or entity on which the enterprise depends. Typically, business risks are quantified in economic terms, such as a possibility of lost revenue, lost wages, or damage to the enterprise's reputation. An enterprise's reputation is also referred to herein as the enterprise's “brand” or “brand image”.
An enterprise may deal with business risks in a variety of ways.
As shown in
For example, before a financial institution allows its automated teller machines (“ATMs”) to dispense cash to a person presenting an ATM card, the institution typically requires the person to type in a password that is intended to be known only by the legitimate cardholder. The entered password is then compared to a password that is stored, in association with this ATM card's number, in a data repository. If the entered password does not match the stored password, then no cash will be dispensed. A number of other security techniques may be employed to further mitigate risks in this environment, such as encrypting transmission of the entered password as it travels from the keypad to the location where the comparison is performed.
In some enterprises, privacy of certain information must be protected, and therefore privacy techniques are typically implemented. The term “personally-identifiable information” or “PII” is often used in this context, referring to information held by an enterprise about people such as customers or employees. One way of protecting PII is to modify data values, thereby ensuring that an individual's PII becomes anonymous, before the data values are made available outside the enterprise or outside selected organizational units of the enterprise (such as the payroll department or human resources organization). Another way of protecting PII is to completely suppress the PII in transmissions outside the enterprise or selected organizational units.
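The two PII-protection approaches just described (modifying data values so they become anonymous, and suppressing them entirely) can be illustrated with the following added example, which is not part of the specification. It uses a keyed hash (HMAC-SHA256) as the value-modification technique; the choice of fields treated as PII, the sample records and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records of the kind a payroll or HR unit might hold.
# All names and numbers are invented for this example.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"employee_id": "E-1001", "name": "A. Example", "ssn": "123-45-6789",
     "department": "payroll", "salary_band": "B3"},
    {"employee_id": "E-1002", "name": "B. Sample", "ssn": "987-65-4321",
     "department": "engineering", "salary_band": "B4"},
    {"employee_id": "E-1001", "name": "A. Example", "ssn": "123-45-6789",
     "department": "payroll", "salary_band": "B3"},  # same person, second row
]

# Fields this example treats as PII. Which fields count is a policy decision
# of the enterprise, so this tuple is an assumption for the example.
PII_FIELDS = ("employee_id", "name", "ssn")

# Constructed key. A real deployment keeps this inside the releasing
# organizational unit (for instance in a key management system), never
# beside the released data.
EXAMPLE_KEY = b"constructed-example-key-not-for-production"


def pseudonymize(value: str, key: bytes) -> str:
    """Modify a PII value into a keyed token (HMAC-SHA256, truncated).

    The same input under the same key yields the same token, so rows about
    one individual stay linkable in the released data, while the key is
    required to recompute the mapping from real values to tokens.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def release_record(record: Dict[str, str], key: bytes, mode: str) -> Dict[str, str]:
    """Prepare one record for release outside the organizational unit.

    mode="pseudonymize": PII values are replaced by tokens (the "modify the
    data values" approach). mode="suppress": PII fields are removed entirely.
    """
    if mode not in ("pseudonymize", "suppress"):
        raise ValueError(f"unknown release mode: {mode!r}")
    released: Dict[str, str] = {}
    for field, value in record.items():
        if field in PII_FIELDS:
            if mode == "pseudonymize":
                released[field] = pseudonymize(value, key)
            # mode == "suppress": the field is dropped from the output
        else:
            released[field] = value
    return released


def release_dataset(records: List[Dict[str, str]], key: bytes, mode: str) -> List[Dict[str, str]]:
    """Apply release_record to every record."""
    return [release_record(r, key, mode) for r in records]


def contains_raw_pii(original: List[Dict[str, str]], released: List[Dict[str, str]]) -> bool:
    """Check before release: does any raw PII value from the original records
    still appear anywhere in the released rows? Returns True if a leak is found."""
    raw_values = {r[f] for r in original for f in PII_FIELDS if f in r}
    return any(value in raw_values for row in released for value in row.values())


if __name__ == "__main__":
    for mode in ("pseudonymize", "suppress"):
        out = release_dataset(SAMPLE_RECORDS, EXAMPLE_KEY, mode)
        print(mode, out, "leak:", contains_raw_pii(SAMPLE_RECORDS, out))
```

A keyed hash is used rather than a plain hash because identifiers such as national ID numbers have little entropy: an unkeyed hash of them can be reversed by exhaustive guessing, whereas the HMAC key never leaves the releasing unit. The final check is the kind of gate a data-release process would run before records cross the unit boundary.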
Security and privacy solutions may be provided as products comprising hardware, software, firmware, or some combination thereof. Security and privacy products are typically not a “one size fits all” solution. Instead, these products are often directed toward solving specific problems in specific environments. Designing an appropriate security solution is often a daunting task, and in the current art, products in an enterprise's security solution are typically selected using an ad hoc “point technology” approach (i.e., where a product is selected to address a particular risk, without regard to how that product affects other risk factors or interacts with other security products or systems of the enterprise). As a result, many enterprises end up with an assortment of products that are costly, ineffective, and/or inefficient for mitigating risks.
Accordingly, what is needed are techniques for assessing security and privacy risks for an enterprise, and deriving a security solution that addresses those risks, in a systematic manner.
An object of the present invention is to provide techniques for assessing security risks for an enterprise.
Another object of the present invention is to provide techniques for deriving a security solution for the enterprise, in view of its particular security risks.
A further object of the present invention is to provide techniques for systematically evaluating an enterprise, using predetermined criteria and attributes, with a view toward mitigating security risks of the enterprise.
Yet another object of the present invention is to provide techniques for systematically evaluating privacy concerns of an enterprise and addressing these privacy concerns in a solution adapted for that enterprise.
Still another object of the present invention is to systematically address security and/or privacy concerns that arise due to activities conducted by an enterprise over electronic media.
Other objects and advantages of the present invention will be set forth in part in the description and in the drawings which follow and, in part, will be obvious from the description or may be learned by practice of the invention.
To achieve the foregoing objects, and in accordance with the purpose of the invention as broadly described herein, the present invention defines techniques for systematically assessing security concerns of an enterprise. In preferred embodiments, an enterprise's security risks are assessed in view of a set of security patterns (and optionally, a set of sub-patterns). Each pattern that is applicable to the enterprise's operation is considered against the backdrop of a set of common attributes that are used, in turn, to further distinguish each pattern from a risk and security solution perspective. Using the disclosed techniques, specific security risks can be identified and appropriate security products can be selected to address those risks in a systematic manner, thereby assisting information technology decision makers across a wide variety of enterprises in deriving security solutions.
The present invention may also be used advantageously in methods of doing business, as will be described in more detail with reference to preferred embodiments.
The present invention will now be described with reference to the following drawings, in which like reference numbers denote the same element throughout.
The present invention provides techniques for assessing security and privacy concerns for an enterprise in a systematic manner. Techniques are disclosed for identifying information technology (“IT”) products that may be leveraged to provide a solution that mitigates security and privacy risks for the enterprise. By selecting products systematically as described herein, a more effective and efficient security solution can be realized, typically at lower cost, than using prior art ad hoc techniques.
Privacy concerns of an enterprise are often mitigated using techniques similar to those that mitigate security risks, as will be described in more detail below. Therefore, for ease of reference, the term “security” as used hereinafter should be interpreted as including both security and privacy considerations unless the context of the reference indicates otherwise.
Efficient and effective security is an integral part of an enterprise delivering value. Enterprises require security for their own operations as well as for their interactions with customers and partners. Identifying and understanding the relationships between the risks inherent in a particular enterprise process and the security products or services that best address those risks is key to deriving an appropriate security solution.
Of particular importance to the present invention are those risks which are involved when an enterprise conducts activities over electronic media. For example, an enterprise might make data publicly available over a network such as the Internet by establishing a Web presence (e.g., by setting up a Web site where information can be viewed by the public). Another example of conducting activities over electronic media is the so-called “B2B” and “B2C” (i.e., business-to-business and business-to-consumer) forms of electronic commerce that have become prevalent in recent years, whereby an enterprise may conduct transactions with business partners and consumers over a communications network such as the Internet.
The risks involved with conducting activities over electronic media depend on various factors associated with the enterprise. Therefore, according to preferred embodiments of the present invention, an enterprise is first classified as to one or more “enterprise security patterns” that best represent the enterprise's activities which involve electronic media. Five predominant enterprise security patterns, referred to equivalently herein as “security patterns” or simply “patterns”, have been defined for use in preferred embodiments. (Alternatively, an implementation of the present invention may use fewer or more than five patterns, and those patterns may be defined with characteristics that differ from those disclosed herein, without deviating from the scope of the present invention.)
The five security patterns used in preferred embodiments are referred to herein as “Web Presence”, “Business to Consumer” or “B2C”, “Business to Business” or “B2B”, “Operational Security”, and “High Assurance”.
To evaluate the risks associated with a particular security pattern, preferred embodiments use eight attributes as decision points. (Alternatively, an implementation of the present invention may use fewer or more attributes, and those attributes may be defined with characteristics that differ from those disclosed herein, without deviating from the scope of the present invention.) When evaluating a security pattern, use of these attributes enables one to better understand risk characteristics of that pattern. The eight attributes discussed herein pertain to risk-management considerations involving key business needs, system elements, and assets that require security. The specific attributes of a particular security pattern enable identifying the countermeasures that an enterprise may take to reduce risk to an acceptable level (as will be described in more detail below). Sub-patterns are disclosed herein for several of the security patterns, as will be described in more detail below, and these eight attributes may also be used with the sub-patterns. The eight attributes used in preferred embodiments are directed toward answering the following questions:
These eight attributes, and their characteristics, are presented in
1) Who—the degree of confidence the enterprise has in the identity of the other transacting party.
2) Access Point—the degree of confidence the enterprise has in the integrity of the entry point into the transaction.
3) Access Method—the degree of confidence the enterprise has in the confidentiality, integrity, and authenticity of the communication path between the transacting parties.
4) Access Portal—the degree of protection the transition point provides between the enterprise and the untrusted external environment.
5) Collateral Access—the degree to which access to a particular resource can enable other unauthorized resource actions.
6) Data Value—the degree of granularity required for access control to the data, or the value of the data itself.
7) Privacy—the business risks associated with maintaining and using PII and/or maintaining the confidentiality of other proprietary information (for example, confidential information of the enterprise or its business partners).
8) Enterprise Assurance Level—the degree to which the brand value of the enterprise can be affected by modification, disclosure, or destruction of assets or the unauthorized unavailability thereof. Also included is the level of assurance required by the enterprise that exposures will not occur.
Each enterprise security pattern is used to describe an aspect of one or more enterprise activities that have a level of associated risk, and in preferred embodiments, the enterprise activities of interest are those involving electronic media, as noted above. An enterprise's risk parameters are described in terms of the risk attributes, for each security pattern that is applicable to the enterprise. This information can then be mapped into organized structures that provide a template for effectively implementing a security solution. In this manner, use of enterprise security patterns and risk attributes, as disclosed herein, provides a powerful methodology for identifying and understanding relationships between the risks an enterprise encounters when conducting activities over electronic media and the components of a security solution for that enterprise, thereby enabling the enterprise to maximize the value of its security investment.
The manner in which the security patterns, risk attributes, and grid are used in preferred embodiments will now be described in more detail.
Referring now to
An enterprise generally has little control over who accesses the enterprise's Web presence, or the access points they use. Usually, the access points are Web browsers running on traditional personal computing devices or on pervasive devices such as personal digital assistants (“PDAs”) and Internet-capable cell phones, as shown in the lower left portion of
To ensure that an enterprise's Web presence presents limited opportunity for attackers, the portal used for dissemination of Web presence data should be protected from write operations of those accessing the site (as noted in the “Access Portal” cell in
Preferred embodiments further divide the Web Presence pattern into two sub-patterns, which are referred to herein as “Isolated from Core Business” and “Integrated with Core Business”. The “Collateral Access” cell in
If an enterprise's Web presence is appropriately isolated from the enterprise's core business (e.g., there is no connectivity from the Web presence to the enterprise's intranet), then access to other collateral data (e.g., data used by the enterprise's other systems) does not exist. The primary concern is then the integrity and availability of the data being presented, as discussed above. On the other hand, if the Web presence enables connectivity to the enterprise's intranet or other systems (and is therefore considered as “integrated” with the enterprise's core business), then security vulnerabilities may lead to unintended network and/or systems access, which is termed “collateral access” herein. This collateral access potential leads to additional exposures, and therefore the “Collateral Access” cell of
Because the information provided through an enterprise's Web presence is public information, there are generally no privacy issues involved, and thus the “Privacy” cell in
Finally, the “Enterprise Assurance Level” cell in
By reviewing the entries in the eight cells in
Preferred embodiments use a grid or chart, illustrated in
Selecting which generic security components are appropriate for addressing the enterprise's risks then facilitates selection of one or more “specific security products” (row 610). Security products leveraged by the present invention may be embodied in hardware, software, firmware, or some combination thereof. (Furthermore, references herein to security products should be interpreted as also including security services where appropriate, such as out-sourced monitoring operations. For example, an enterprise might contract with a third party to analyze audit data captured as users access enterprise systems. In addition, in some cases, non-technical countermeasures may provide appropriate risk mitigation, and these non-technical approaches may be included as potential components of a security solution. As one example, use of contracts containing specific terms and conditions may be appropriate risk-mitigation techniques in a B2B environment. References herein to selecting security products are also intended to encompass these non-technical countermeasures.)
In an actual implementation of the present invention, a set of specific security products is preferably identified for the cells in row 610, where the entry in each cell specifies a pre-determined product or products that provide(s) at least some portion of the function represented by the generic security components for the corresponding column. A sample product, “Acme User Authenticator, Version 1”, is identified in column 630 of row 610 as a specific product for performing user authentication. When the remaining cells in row 610 are filled in with specific security products as well, the IT decision makers can easily and systematically select products to provide a security solution for the enterprise.
It may happen that a particular security product addresses risks in multiple security patterns and/or risks among multiple attributes. For example, “user authentication” is a generic security component appearing in column 630 and column 650, and “provisioning” is a generic security component appearing in column 630 and column 660. Therefore, a particular authentication product might be listed in columns 630 and 650, and a provisioning product might be listed in both columns 630 and 660. An enterprise may be able to reduce the cost (as well as the complexity) of its security solution by selecting such “cross-listed” products.
In some cases, the “Enterprise Assurance Level” attribute does not map directly to components and products. Instead, this attribute may be used as a type of overriding factor or wildcard, whereby the IT decision makers of an enterprise apply discretion in selecting generic security components and/or specific security products in view of the Enterprise Assurance Level attribute.
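The grid-driven selection described above (generic security components per pattern and attribute, specific products per component, cross-listed products reducing cost, and the Enterprise Assurance Level acting as an overriding factor) can be worked through in code. The following is an added example and not part of the specification: the grid cells, the product catalog (apart from the named sample product “Acme User Authenticator, Version 1”), the costs, and the association of pattern names with the description's column numbers are all constructed assumptions, and encoding the assurance-level wildcard as a rule that adds an audit requirement is one possible interpretation of the decision makers' discretion.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# The eight risk attributes used as decision points in the description.
ATTRIBUTES = ("Who", "Access Point", "Access Method", "Access Portal",
              "Collateral Access", "Data Value", "Privacy",
              "Enterprise Assurance Level")

# Constructed "generic security components" row, keyed by (pattern, attribute).
# The description ties user authentication and provisioning to column
# numbers, not to named patterns; the pattern names used here are assumptions.
GENERIC_COMPONENTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("B2C", "Who"): frozenset({"user authentication", "provisioning"}),
    ("B2C", "Privacy"): frozenset({"PII anonymization"}),
    ("B2B", "Who"): frozenset({"user authentication"}),
    ("B2B", "Access Method"): frozenset({"VPN"}),
    ("Operational Security", "Who"): frozenset({"provisioning", "group access control"}),
    ("Operational Security", "Data Value"): frozenset({"data segregation"}),
}


@dataclass(frozen=True)
class Product:
    name: str
    components: FrozenSet[str]  # generic components this product provides
    cost: int                   # constructed relative cost units


# Constructed "specific security products" row. Only the Acme entry is named
# in the description; the others are invented. Services count as products.
PRODUCT_CATALOG: List[Product] = [
    Product("Acme User Authenticator, Version 1", frozenset({"user authentication"}), 3),
    Product("Example Identity Suite", frozenset({"user authentication", "provisioning"}), 5),
    Product("Example Provisioner", frozenset({"provisioning"}), 3),
    Product("Example VPN Gateway", frozenset({"VPN"}), 4),
    Product("Example Segregation Tool", frozenset({"data segregation", "group access control"}), 4),
    Product("Example PII Masker", frozenset({"PII anonymization"}), 2),
    Product("Example Audit Service", frozenset({"independent third-party audit"}), 6),
]


def required_components(patterns: Iterable[str], assurance_level: str = "moderate") -> Set[str]:
    """Collect the generic components for every applicable pattern.

    The Enterprise Assurance Level is treated as an overriding factor: at
    "high" or "very high" an independent audit is added regardless of cells.
    """
    applicable = set(patterns)
    needed: Set[str] = set()
    for (pattern, _attribute), components in GENERIC_COMPONENTS.items():
        if pattern in applicable:
            needed |= components
    if assurance_level in ("high", "very high"):
        needed.add("independent third-party audit")
    return needed


def point_technology(needed: Set[str], catalog: List[Product]) -> List[Product]:
    """The ad hoc approach: for each component, pick the cheapest product that
    covers it, without regard to what else that product covers."""
    chosen: Dict[str, Product] = {}
    for component in sorted(needed):
        candidates = [p for p in catalog if component in p.components]
        if not candidates:
            raise ValueError(f"no product covers {component!r}")
        best = min(candidates, key=lambda p: p.cost)
        chosen[best.name] = best
    return list(chosen.values())


def select_products(needed: Set[str], catalog: List[Product]) -> List[Product]:
    """The systematic approach: greedy set cover preferring products that
    cover the most still-uncovered components per unit cost, so that
    cross-listed products are chosen where they reduce cost."""
    remaining = set(needed)
    candidates = list(catalog)
    chosen: List[Product] = []
    while remaining:
        scored = [(len(p.components & remaining) / p.cost, len(p.components & remaining), p)
                  for p in candidates if p.components & remaining]
        if not scored:
            raise ValueError(f"no product covers: {sorted(remaining)}")
        _, _, best = max(scored, key=lambda s: (s[0], s[1]))
        chosen.append(best)
        remaining -= best.components
        candidates.remove(best)
    return chosen


def total_cost(products: Iterable[Product]) -> int:
    return sum(p.cost for p in products)


if __name__ == "__main__":
    needed = required_components({"B2C", "B2B"})
    ad_hoc, systematic = point_technology(needed, PRODUCT_CATALOG), select_products(needed, PRODUCT_CATALOG)
    print("needed:", sorted(needed))
    print("point technology:", [p.name for p in ad_hoc], "cost", total_cost(ad_hoc))
    print("systematic:", [p.name for p in systematic], "cost", total_cost(systematic))
```

For an enterprise classified under both B2C and B2B, the point-technology pass buys four single-purpose products, while the systematic pass recognizes that one cross-listed identity product covers both user authentication and provisioning and ends with three products at lower total cost.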
When IT product developers undertake development of a new security product or enhancements to an existing product (or, alternatively, development of a requirements list therefor), the cell-by-cell analysis approach disclosed herein may be used to succinctly identify functional requirements for the new or enhanced product. Preferably, a chart such as that shown in
Whether using the chart in
Returning now to the discussion of evaluating a security solution, a set of “multi-element security components” may optionally be provided in this chart (as illustrated in row 620). Components identified in this set address security risks that are applicable across multiple attributes. For example, row 620 indicates that security-enhanced operating systems, security-enhanced application servers, systems management products, and selected networking hardware and infrastructure components may be leveraged to provide protection against risks. An additional row (not shown) may also be provided in the grid of
When provided, the multi-element security components and specific multi-element security products are also preferably considered by the IT decision makers when developing an enterprise's security solution.
Preferred embodiments use the chart shown in
As one example of how the chart in
As another example of how the chart in
Note that the entries in the chart in
Returning now to discussion of the five security patterns, the next of these patterns is the “B2C” pattern, which is represented by
B2C operations of an enterprise may enable individuals to engage in on-line commerce. Other activities which are considered as being within the realm of the B2C pattern include using networked systems to manage personal data such as accounts, e-mail, collaboration, and employee benefits. Examples of enterprises characterized by the B2C pattern are Web retailers, financial service enterprises, enterprises providing benefits administration, and subscription-based services such as providers of e-mail, telematics (i.e., a combination of telecommunications and computing), personalized information, and so forth. Providers of data with long-term value, such as games and movies, are also considered to be within the B2C pattern.
Preferred embodiments therefore define four sub-patterns that further divide the B2C pattern, which are referred to herein as “Store Front”, “Subscription-Based Services”, “Purpose-Optimized Devices”, and “Employee-to-Business”. These sub-patterns are depicted by the grid in
As noted in
A characteristic of the B2C pattern is that the enterprise's customers are typically identified to the B2C function using a self-registered account setup (as indicated in the “Who” cell in
The “Access Point” cell in
Generally, there is a moderate risk due to collateral access in the B2C activities (as indicated in the “Collateral Access” cell of
Lastly, the “Enterprise Assurance Level” cell of
Turning now to the task of selecting products to mitigate risks in the B2C pattern, the particular characteristics of the pattern (as exemplified in
The assets to be secured in this B2C pattern are generally PII, account access information, information presented to the consumer, and links that enable the access between the consumer and the enterprise. Major threats in the B2C pattern are impersonation of legitimate users by imposters, collateral access to an enterprise's systems, and misuse of personal data. Attacks based on these threats may originate from inside or outside the enterprise. Referring generally to
Turning now to
An enterprise characterized as having a “store front” sub-pattern (see row 810 of
An enterprise characterized as offering “subscription-based services” (see row 820 of
The “Enterprise Assurance Level” cell in row 820 indicates that an enterprise generally requires relatively “high assurance” that it is protected against exposures in this subscription-based B2C sub-pattern.
An enterprise may provide B2C transactions via “purpose-optimized devices” (see row 830 of
When customers use a purpose-optimized device as their access point, their ability to access other enterprise systems is typically limited because the access points are often “fixed-function” devices. Accordingly, the “Collateral Access” cell in row 830 indicates that there is a low to moderate risk involved with collateral access. For example, a bank teller might use a fixed-function computing device for performing transactions on behalf of a bank's customers, preventing the teller from having general access to the bank's computing systems. Or, an employee in a manufacturing environment might use a particular type of device for interacting with plant floor operations, where this device presents only a limited number of functions to its operator. (The physical protection of a purpose-optimized access device is a separate security concern.)
In an enterprise that provides functions in the employee-to-business sub-pattern (see row 840 of
The third enterprise security pattern used in preferred embodiments, which is represented in
The values in the cells of
The “Who” cell in
Accuracy of data exchanged between the parties must be protected, and similarly, any “private” data of the communicating entities (such as trade secrets or other confidential information, including details of the B2B transactions themselves) must be protected as well. As indicated in the “Data Value” and “Privacy” cells of
Preferred embodiments define three sub-patterns that further divide the B2B pattern, and those sub-patterns are referred to herein as “Simple Supplier”, “Trusted Supplier”, and “Partnership”. Each of these sub-patterns will now be described with reference to
An enterprise characterized as having a simple supplier relationship with another communicating entity, as represented by row 1010 of
When an enterprise communicates with others as a trusted supplier (see row 1020), the sensitivity of the data increases. As an example, a hospital communicating sensitive medical data to an insurance company about a patient operates in a trusted supplier mode. A secure to highly-secure access method is therefore typically needed, and privacy concerns regarding the communicated data are generally high (and may be controlled by specific contractual terms). During a trusted-supplier transaction, one enterprise may need to access data on a system belonging to another enterprise, and risks due to collateral access are therefore moderately high. The enterprise may choose to allow access only through an access portal that provides specific functions which are dedicated to the scope of the trusted supplier relationship. As indicated in the “Enterprise Assurance Level” cell of row 1020, risks to an enterprise operating in this sub-pattern are relatively high.
Types of general security components (see
When operating in the partnership sub-pattern (see row 1030), data becomes shared data between the communicating entities. Therefore, a secure to highly-secure access method is typically used, and the access portal may allow transactions with the communicating entities to operate as integrated business processes. As a result, risks due to access of collateral systems are generally high to very high. Privacy concerns in this sub-pattern are generally high, and may be controlled by specific contractual terms. The data sharing and collaboration encountered in this sub-pattern lead to increased security exposures for the enterprise, and its risks are characterized in the “Enterprise Assurance Level” cell of row 1030 as “Very High”.
The B2B sub-patterns generally lead to common security exposures, which are present with varying degrees of risk. Generic security components that can be used as countermeasures to mitigate the risks include intrusion detection systems, firewalls, authorization and access control systems, and separation-of-content tools. The increasing sensitivity of data in the trusted supplier or partnership sub-patterns may escalate the need for security measures such as Virtual Private Networks (“VPNs”), secure e-mail, and independent third-party audits.
Operational security is the fourth security pattern used in preferred embodiments, and is represented generally in
Operational security concerns encompass generally all of the internal information technology components—software, platforms, network infrastructure, etc.—that an enterprise uses to execute its day-to-day operations. A primary goal in the operational security pattern is to ensure that an enterprise's internal systems and infrastructures meet required levels of security. Key drivers for operational security often include geographic, regulatory, and employee needs, along with tiered access to information. Another primary goal of this pattern is protection of the enterprise's brand from internal and external threats in a cost-effective manner.
The users in this pattern are generally known to the enterprise, typically by employee type, as indicated in the “Who” cell of
The generic security components that may be well suited for mitigating operational security risks in a particular enterprise include tools for controlling group access (e.g., ensuring that only users within a specified group or groups are allowed to access certain functions, where appropriate), tools for controlling internal and external access, and data segregation tools.
Referring now to
Users in the personal systems sub-pattern are considered to be inside the enterprise infrastructure, whether their physical location is remote from the enterprise or they are traditional in-house desktop users. As indicated in row 1210, the computing devices used as access points by these users are generally characterized as “personal systems”. Typically, these users have access to sensitive data, are unaware of software updates, are unskilled at security-related administration, and are often members of multiple workgroups with varied privileges that must be managed. An enterprise may deploy its access portal so as to provide access to employees organized by identity. Privacy concerns in this sub-pattern are generally moderately high to very high. Risks to the enterprise from activities in this pattern may generally range from low to high.
Risks associated with users range from loss or theft of platforms/data (such as notebook computers or files) to maliciousness such as sabotage or corporate espionage. Threats and vulnerabilities include improper configuration of personal systems, introduction of viruses and threats from downloadable software (such as Trojan horses), and so forth. In addition, personal systems often contain a mix of personal and corporate data, and may provide the opportunity for non-employee access if the system is removed from the enterprise's premises, thereby further increasing the risk of exposure of sensitive or confidential enterprise information.
As used herein, the decentralized, or “branch office”, infrastructure (see row 1220) refers to a combination of network, server, and desktop systems that are not necessarily directly managed by the enterprise's IT security staff. These systems typically involve data that is specific to a particular enterprise or segment thereof, and tend to contain some aggregation of data without the strict controls of a data center. Access points are often an employee terminal device, which may connect to an access portal using an access method that ranges from moderately secure to ultra secure. Privacy concerns generally range from moderate to high, and there is generally a moderate to high risk to the enterprise from activities in this sub-pattern.
Typically, the risks involved in this branch office sub-pattern include unauthorized access to data, improper physical access to the systems, less timely system upgrades, unsecured wireless access, and poor controls on data separation and access.
Data centers (see row 1230) manage data that is of the highest value to the enterprise. Typically, they are centrally managed and are usually placed behind additional physical and logical barriers. Access points used in the data center sub-pattern are often employee workstations or system administrator consoles. Access methods may range from moderately secure to ultra secure, and direct access to the systems of the data center may be allowed (as noted in the “Access Portal” cell). Privacy concerns are typically moderately high to high, and risk to the enterprise in this sub-pattern is generally characterized as ranging from moderately high to very high.
Systems in the data center sub-pattern typically require tight security, as noted above, and when properly secured, the risk of unauthorized access or modification to data is small. Lack of data separation or sufficient access controls can result in catastrophic risk to the brand value by loss, exposure, and misuse of competitive secrets or private data.
“Network systems”, as the term is used herein, refers to various networking systems and related software that provide communications capability for the enterprise. These elements may be addressed separately from data centers, forming a distinct sub-pattern for each if desired, although they have been combined for purposes of illustration in
The optional manufacturing sub-pattern deals with security concerns in an in-house manufacturing infrastructure (whether that infrastructure is owned by the enterprise or leased) that is dedicated to the production of tangible objects. (Security concerns pertaining to outsourced manufacturing, where manufacturing is done at a location other than the enterprise's location, are considered part of the B2B pattern.) Operations may be 24 hours per day, 7 days per week, and operational control systems pertaining to manufacturing are often connected to the enterprise's infrastructure (e.g., to provide asset management and control, access management, and so forth). Value to the enterprise of its manufacturing operations can be extremely high, since the manufacturing line often contains elements of trade secrets, intellectual property, and/or key operational data. A major risk involved with this type of operational infrastructure is disruption of the manufacturing line and the monetary consequences. Accordingly, products addressing risks inherent in this sub-pattern may be selected for incorporation in the enterprise's overall security solution.
Another security concern that may be dealt with under the operational security pattern is physical security. This term traditionally refers to protecting an enterprise's assets with “guns, guards, and gates”. Logical security may also be dealt with under this security pattern, and refers to techniques such as using access, authorization, and audit controls (often in conjunction with network monitoring systems). The convergence of physical and logical security may be enabled through technologies such as Radio Frequency Identification (“RFID”), biometric identification, and complex surveillance to control and/or monitor system access.
Countermeasures deployed to deal with risks to operational security may include: audit capabilities, software provisioning and version management, maintaining up-to-date anti-virus capabilities, protection of shared computing resources, intrusion detection, isolation of and recovery from security failures, as well as management of user access, authorization, and identities.
The last of the five security patterns used in preferred embodiments is the “High Assurance” pattern, which is represented in
High assurance systems exist where it is necessary to be confident in the security and availability of critical systems. A more formal definition of a high assurance system, from the Carnegie Mellon Software Engineering Institute International Workshop on Requirements for High Assurance Systems 2002, is “a system where compelling evidence is required that the system delivers its services in a manner satisfying certain critical properties.” Government entities are often characterized by the high assurance pattern. Examples of high assurance systems include national security systems, air traffic control systems, stock exchanges, and international and national banking systems.
System users in the high assurance pattern are typically known to the system by their identity, and user access points are generally known by device. Ultra-secure access methods are typically used, and access points into high assurance systems are generally well protected (which may include locking down the access portals). Risks involved with collateral access are generally very high. Data value must generally be protected through per-identity and per-organization secrecy, and privacy concerns require PII to be strictly secure. An enterprise in this pattern generally needs a high assurance level that it is protected against exposures. While availability of high assurance systems may vary somewhat, risks to the enterprise are generally very high in this pattern.
General characteristics of a high assurance system include the following:
1) The system is secure: It prevents unauthorized disclosure, modification, and withholding of sensitive information.
2) The system is real-time: It delivers results within specified time intervals.
3) The system is survivable: It continues to fulfill its mission in the presence of attacks, accidents, or failures.
4) The system is fault-tolerant: It guarantees a certain quality of service despite faults, such as hardware, workload, or environmental anomalies.
5) The system is safe: It prevents unintended events that result in death, injury, illness, or damage to property.
The need for higher levels of assurance of protection against exposures in this pattern may arise from the sensitivity or value of the assets entrusted to an information system. The need may also (or alternatively) arise from the consequences of a system failure. With few exceptions, high assurance systems will be a small subset of an enterprise's total set of information systems. (Note also that security products developed for a high-assurance environment may eventually be deployed in other environments which do not strictly require such high assurance. Typically, this will happen if the product cost is reduced to a level that is affordable in those other environments.)
Multiple methods can be, and usually are, used to assure the integrity and availability of critical systems in this pattern. These include conformance testing, security evaluations, formal development methodologies, careful evaluation of an enterprise's prior experience or history, and contractual methods such as warranties. The specific assurance requirements and methodologies used will generally vary from one enterprise to another. There is typically a much higher cost to achieving the required levels of security, availability, and so forth, which is justified by the value of the assets at risk. That is, the cost of failure in high assurance systems is much greater than the cost of failure in other systems. Whereas risk in the previous security patterns was generally measured in economic terms, risk in the high assurance pattern may be measured in terms of human lives or injury to humans, loss or damage to physical systems, failure to deliver critical services in a timely manner (or to deliver them at all), compromise of national security, and/or significant economic losses.
Three sub-patterns are defined herein for the high assurance systems pattern, and these sub-patterns are referred to as “Enclave Environment”, “Bounded Organization”, and “Unbounded Organization”. Each of these sub-patterns will now be discussed with reference to
In an enclave environment (row 1410), all security services are contained within a single “Trusted Computing Base.” A Trusted Computing Base, or “TCB”, is a tamper-evident or tamper-resistant, non-bypassable collection of hardware and software that enforces a defined security policy. Access points used in this sub-pattern are generally known by device as well as by location. For accountability, communicating pairs of applications preferably perform mutual authentication to guard against risk, and all resources are typically classified for sensitivity/value. All operations on classified resources are preferably recorded in secure logs (for example, in a tamper-resistant or tamper-evident data repository). There is no network connection outside the trust boundary, so integrity and confidentiality of communicated data are not issues in this sub-pattern. However, with “trust nothing” as a root paradigm, data will in many cases be protected in transit and in its permanent repositories. Privacy concerns are therefore indicated in row 1410 as low to moderate.
An enclave system may be a Multi-Level Secure (“MLS”) system, as defined by the Trusted Computing System Evaluation Criteria (“TCSEC”). The system may be evaluated under the “Common Criteria” defined in International Standard ISO/IEC 15408 (1999), “Information technology—Security techniques—Evaluation criteria for IT security”.
A bounded organization environment (see row 1420) comprises multiple trusted systems (e.g., multiple enclaves) linked by an isolated, trusted network. Because a network is connecting multiple trusted systems, a trusted third party may be introduced to provide mutual authentication and “over the wire” data protection (e.g., for integrity and confidentiality) of the network. The access points used in this sub-pattern are generally known by device, and risk to an enterprise is generally moderate to high.
In addition to the assurance methodologies discussed for the enclave environment, countermeasures appropriate for use in this sub-pattern include technology and procedures for verifying the network component, including intrusion detection systems, physical examination of the networks, and so forth.
Unbounded organization environments (row 1430) comprise bounded environments connected to public networks such as the Internet, which are presumed to contain untrusted users and systems in a non-secure environment. Access points used in this sub-pattern are generally known by authentication device, and collateral access concerns often involve compartmentalized data. Privacy concerns in this sub-pattern are often high.
Trusted segments of the unbounded network must defend themselves against attacks originating in untrusted segments. Security measures that may be leveraged for this purpose include use of firewalls, anti-virus utilities, cryptographic tunnels, intrusion detection/response, and other mechanisms.
A particular enterprise may have bounded and enclave environments that remain decoupled from the untrusted network.
Turning now to
Note that for those patterns having sub-patterns, the evaluation preferably comprises first identifying one or more of the sub-patterns that is/are applicable. By way of illustration,
Programmatic tools may be used to assist in evaluating an enterprise's activities, where these programmatic tools preferably prompt a user for input and thereby lead the user through the steps shown in
It should be noted that while discussions herein refer to grids and cells, this is merely one form in which the present invention may be used. Alternatively, information may be represented using simple lists or other forms. In addition, when programmatic tools are used, the user may be presented with information from the GUI without that information appearing in a grid or cell format.
It may happen, in some cases, that a security solution derived using techniques disclosed herein includes products with overlapping functionality. For example, the Access Portal, Data Value, Collateral Access, and Privacy attributes may be embodied in different products that each implement authentication, authorization, and access control, and these different products require integration within the security solution in order to interoperate. (For example, such products may include Web servers, Web application servers, databases, directories, access management solutions, messaging and collaboration software, and other IT components.) In this situation, while the security solution provides effective countermeasures, its efficiency is often not optimized. The IT decision makers for the enterprise preferably include such considerations when selecting among the specific products that will form the enterprise's security solution. (Note also that the areas addressed by the Access Portal, Data Value, Collateral Access, and Privacy attributes are areas where an enterprise may have more control than in areas such as the Access Point attribute. Accordingly, the enterprise may be able to use this higher degree of control for optimizing efficiency.)
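As an added illustration (this code is not part of the patent's own description), the following Python models the three high assurance sub-patterns of rows 1410 through 1430 as grid rows, expands a selected sub-pattern to the narrower ones it builds on, consolidates their countermeasures into one solution, and flags the functional areas where separately selected products would overlap and therefore need integration, as discussed in the paragraph above. The attribute characterizations and countermeasures are transcribed from the sub-pattern descriptions; the functional-area grouping attached to each countermeasure is an assumption made here, since the text does not define one.

```python
"""Added illustration: composing the high assurance sub-patterns into one
countermeasure set and flagging overlapping functionality.

Rows, attribute characterizations and countermeasures follow the description
of rows 1410-1430; the "area" grouping is an assumption used to detect overlap."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Countermeasure:
    area: str     # assumed functional area, used to detect overlapping products
    measure: str  # the countermeasure as named in the description


@dataclass(frozen=True)
class SubPattern:
    row: int                          # grid row number used in the description
    name: str
    attributes: Dict[str, str]        # attribute -> characterization for this row
    countermeasures: Tuple[Countermeasure, ...]
    builds_on: Tuple[str, ...] = ()   # narrower sub-pattern(s) this one extends


ENCLAVE = SubPattern(
    row=1410, name="Enclave Environment",
    attributes={"Access Point": "known by device and location", "Privacy": "low to moderate"},
    countermeasures=(
        Countermeasure("trusted computing base", "single TCB enforcing the security policy"),
        Countermeasure("authentication", "mutual authentication between communicating applications"),
        Countermeasure("classification", "all resources classified for sensitivity/value"),
        Countermeasure("audit", "secure logs of operations on classified resources"),
    ),
)

BOUNDED = SubPattern(
    row=1420, name="Bounded Organization",
    attributes={"Access Point": "known by device", "Risk": "moderate to high"},
    countermeasures=(
        Countermeasure("authentication", "trusted third party for mutual authentication"),
        Countermeasure("data protection in transit", "over-the-wire integrity and confidentiality"),
        Countermeasure("intrusion detection", "intrusion detection systems"),
        Countermeasure("network verification", "physical examination of the networks"),
    ),
    builds_on=("Enclave Environment",),
)

UNBOUNDED = SubPattern(
    row=1430, name="Unbounded Organization",
    attributes={"Access Point": "known by authentication device",
                "Collateral Access": "compartmentalized data", "Privacy": "high"},
    countermeasures=(
        Countermeasure("network perimeter", "firewalls between trusted and untrusted segments"),
        Countermeasure("malware protection", "anti-virus utilities"),
        Countermeasure("data protection in transit", "cryptographic tunnels across the public network"),
        Countermeasure("intrusion detection", "intrusion detection/response"),
    ),
    builds_on=("Bounded Organization",),
)

CATALOG: Dict[str, SubPattern] = {p.name: p for p in (ENCLAVE, BOUNDED, UNBOUNDED)}


def expand(selected: List[str], catalog: Dict[str, SubPattern] = CATALOG) -> List[SubPattern]:
    """Selected sub-patterns plus the narrower ones they build on, narrowest first."""
    ordered: List[SubPattern] = []
    seen = set()

    def visit(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        for dep in catalog[name].builds_on:
            visit(dep)
        ordered.append(catalog[name])

    for name in selected:
        visit(name)
    return ordered


def derive_solution(selected: List[str]) -> Dict[str, List[str]]:
    """Countermeasure -> sub-patterns that call for it (the consolidated solution)."""
    solution: Dict[str, List[str]] = {}
    for p in expand(selected):
        for cm in p.countermeasures:
            solution.setdefault(cm.measure, []).append(p.name)
    return solution


def overlapping_areas(selected: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Functional areas served by more than one countermeasure in the solution.
    Products chosen for these areas must be integrated to interoperate."""
    by_area: Dict[str, List[Tuple[str, str]]] = {}
    for p in expand(selected):
        for cm in p.countermeasures:
            by_area.setdefault(cm.area, []).append((p.name, cm.measure))
    return {area: hits for area, hits in by_area.items() if len(hits) > 1}


def attribute_grid(selected: List[str]) -> Dict[int, Dict[str, str]]:
    """Row number -> attribute characterizations, i.e. the grid rows that apply."""
    return {p.row: dict(p.attributes) for p in expand(selected)}


if __name__ == "__main__":
    chosen = ["Unbounded Organization"]
    for row, attrs in attribute_grid(chosen).items():
        print(row, attrs)
    for measure, sources in derive_solution(chosen).items():
        print(f"{measure:<60} <- {', '.join(sources)}")
    for area, hits in overlapping_areas(chosen).items():
        print(f"overlap in {area}: {hits}")
```

Selecting the unbounded sub-pattern pulls in the bounded and enclave rows, so the consolidated solution carries two authentication mechanisms, two intrusion detection mechanisms and two forms of in-transit data protection; those are exactly the places where the decision makers would have to choose between integrating several products or selecting one product that covers the area uniformly.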
Timely management of identity life-cycle changes (whether in the organizational status of customers, partners, or employees) is key to a more effective security implementation. For example, if certain functions within an activity are to be limited to users having a particular classification, it is imperative that this classification information is kept up-to-date so that only those users presently having the required classification are able to access the function. Efficiency in this area can be improved by choosing (or developing) products where authentication, authorization, and access control are well-structured to manage identities of users, groups, and/or communities in a uniform manner across multiple patterns. An integrated approach across the patterns simplifies the user experience, as well as improving efficiency.
Referring now to
In this scenario, Widgets, Inc. is a leading supplier of widgets to the worldwide market. As shown in
To assume leadership in the widget industry as a key provider of services and products, Widgets uses a combination of security patterns when evaluating whether its security solution properly manages its business risk.
As shown at element 1810, Widgets provides a Web presence for the world to obtain access to data about the company. This Web presence includes information for customers, investors, and prospective employees. The Web presence projects a valuable image for the company, and Widgets wants to ensure that the image presented over the network is protected. The IT decision makers of Widgets, Inc. note during their Web presence evaluation that providing security measures for the availability and integrity of the Web presence data is important to protecting the brand image.
Now suppose that a potential customer starts interacting with Widgets at element 1810, through Widgets' Web presence. After evaluating the product selection and choosing particular items, the customer (virtually) moves to element 1820, where he begins interacting with Widgets using a B2C pattern. Widgets provides this B2C interface for small quantities of product where no formal contract exists. (A B2B interface is provided for large-scale business interactions.) As part of Widgets' growth plans, its planners see an unrealized opportunity for sales at gas stations where they can, via a kiosk model (i.e., using a purpose-optimized device), make ordering of widgets possible while consumers wait for their tanks to fill. Another aspect of B2C, used by Widgets in helping its employees manage their retirement accounts, medical benefits, payroll deductions, and other benefits, is depicted at element 1830. Widgets uses this access point for all employee activities. The IT decision makers for Widgets note, during their B2C evaluation, that all of these B2C transactions require data protection and separation.
Further suppose that Widgets, Inc. is the just-in-time manufacturing supplier for several large business partners. At element 1840, Widgets provides an interface whereby large customers can use a B2B pattern to interact with Widgets. Through this B2B interface, Widgets supplies its product in bulk, thereby allowing closer relationships to grow with its business partners. The B2B interface activities are managed by way of contracts, and provisions are made for dynamic changes in terms such as quantity and shipping schedules, as well as for other on-demand kinds of processes. This allows Widgets to react quickly as customers' needs change. Widgets has also established, as shown at element 1850, trusted-supplier relationships with some of its suppliers, enabling engineers to collaborate on designs and processes. Widgets' IT decision makers note during their B2B evaluation that securing these key business processes protects the companies and allows for close relationships to exist with reduced risks.
As with any company, Widgets needs to manage its internal IT infrastructure. As shown generally at element 1860, Widgets provides operational security for employees' machines, their access capabilities, the network, data center, and so forth. This becomes both a competitive and productivity issue for employees. Element 1870 identifies the manufacturing floor, where Widgets' tightly-constrained capacity requires continuously-operating manufacturing processes. Any failure of these processes leads directly to irreversible revenue losses. These systems fall under much stricter controls than the normal operational systems. Widgets' IT decision makers conclude that today, an implementation of a high assurance pattern would be cost prohibitive. However, they foresee a time when higher levels of security functions will need to be deployed for mission-critical systems. As the security evaluations are iteratively performed over time, countermeasures for these mission-critical systems will be repeatedly reviewed.
Using techniques disclosed herein, the IT decision makers for Widgets, Inc. identify generic security components and specific security products to address the risks for the company's varying business aspects. Using a composite set of security patterns enables the decision makers to isolate risks involved with varying types of activities that form a complex enterprise, and to derive a security solution that meets the total security needs of the company.
As has been demonstrated, preferred embodiments assess an enterprise's security risks in view of a set of security patterns. The five security patterns described herein represent a broad segmentation of enterprise processes, business needs, and system elements. Each pattern that is applicable to the enterprise's operation is considered against the backdrop of a set of common attributes that are used, in turn, to further distinguish each pattern from a risk and security solution perspective. Using the disclosed techniques, specific security risks can be identified and appropriate security products can be selected to address those risks in a systematic manner, thereby assisting IT decision makers across a wide variety of enterprises in deriving security solutions. These security solutions will typically be more effective and efficient from a functional perspective, as well as being more cost-effective, than security solutions created using prior art ad hoc approaches.
The disclosed techniques may also be used advantageously in methods of doing business. In one aspect, these techniques may be leveraged in a third-party security evaluation service. For example, an enterprise's IT decision makers may be consulted by third-party evaluators on matters such as which patterns and sub-patterns best characterize the enterprise's activities, any enterprise-specific deviations from the general characterizations illustrated by
As will be appreciated by one of skill in the art, techniques of the present invention may be embodied as methods, systems, or computer program products, and an implementation of techniques disclosed herein may take the form of a computer program product which is embodied on one or more computer-readable media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims shall be construed to include preferred embodiments as well as all such variations and modifications as fall within the spirit and scope of the invention.