Infrastructure

Safeguarding Assets is an IT Project Management Issue – Part I

Technology-based systems and infrastructure do not occur accidentally. They come into being only after appropriate planning, comprehensive organizing, judicious resource expenditures, and effective managerial support. Top management usually delegates responsibility for analyzing and developing technology-based systems and infrastructure to a designated technology-oriented function. Where top management has not done so; typically, few IT assets have been deployed.

Trans-border Communication Protection - Part IV

The primary distinguishing feature between IPSec and SSL is their respective OSI reference model protocol communication tier levels. IPSec operates at the network layer of the OSI reference model while SSL operates at the transport layer. Protection mechanism utilization should be determined by information sensitivity. IPSec or SSL can be combined with a VPN to limit data interception, manipulation, and redirection. Standards exist for encryption systems, such as SSL and IPSec, which ensure compatibility among various hardware and software platforms. Comparatively, regarding trans-border privacy issues, SSL VPN can be considered a viable alternative to stand-alone IPSec deployment.

“View Part I of the Trans-border Communication Protection series here“

Trans-border Communication Protection - Part III

Generally, a VPN is recognized as a confidential data plexus that employs the public telecommunication infrastructure while maintaining privacy through the utilization of a tunneling protocol and security procedures. A VPN can provide remote offices and telecommuters with secure access to the connected local or wide area networks. When a VPN is introduced to the secure protocol privacy protection equation, IPSec and SSL technologies require mobile users to deploy client software on specific computers for utilization enablement.

Concerning secure access, virtual private networking requires a carrier as well as encapsulating protocol to provide tunneling functionality. Therefore, encryption, authentication, and data packaging usually are incorporated in a SSL VPN. Furthermore, below the OSI transport layer, a VPN can provide additional privacy data protection. This has many manifestations, the most popular being IPSec, typically implemented as a protected ‘tunnel’ between two gateway routers. An IPSec ‘vanilla’ VPN only uses the Encapsulating Security Payload (ESP) header record. However, ESP protects against IT communication eavesdropping, forgery, or replay risks.

“View Part I of the Trans-border Communication Protection series here“

Peer-to-Peer Networking - Part 2

Maybe, experientially, the small branch office with a P2P network has escaped a security incident since deployment. Even so, a functional P2P network unintentionally presents itself as a potential target waiting for someone capable of pulling the threat trigger to introduce a potent security disaster. For instance, at the infrastructure level, attacks can originate from hackers taking advantage of a P2P enabled application to assist spyware or malware in slipping past perimeter defenses and lodging in the background of user devices. In particular, a P2P-agent utilized in communications software can include or hide spyware that collects information about the target system as well as user, then subsequently send compromised information to unauthorized individuals without the legitimate owner’s knowledge. High-Level Data Link Control, Frame Relay, and X.25 protocols have P2P communication modes that can be spyware enabled. Consequently, a P2P network should not be deployed unless effective compensating and mitigating security controls are implemented.

As operational baseline countermeasures to P2P risks, management should document and monitor P2P file-sharing technology to ensure that this capability is not utilized for unauthorized information distribution, display, processing, or reproduction. Furthermore, management should ensure the appropriate encryption is implemented to sustain an adequate telecommunications defense. Lastly, meticulous proactive security risk assessments of P2P networks can prevent inherent IT vulnerabilities from becoming threats requiring incident response resolution.

Peer-to-Peer Networking - Part 1

There are a variety of networking architectures available for deployment. Potential candidates include Peer-to-Peer, Client/Server and Master/Slave. However, Peer-to-Peer (P2P) architectures present unique governance issues to the information security manager when comparable network configurations are considered. Flawed implementations, poor legacy security standards, limited user awareness, as well as lax technical security and administrative practices can form especially lethal combinations that may decimate a positive assertion regarding P2P network access protection.

Focusing solely on access vulnerabilities, as most information security professionals are acutely aware, P2P is normally restricted to share-level security (also known as Password-Protected Share). Archetypical share-level assigned password security provisions two mutually exclusive access attributes (read-only and full) to a file, printer or other network object. Share-level security also normally lacks centralized access control capabilities. Specifically, a user ‘access matrix’ is usually absent from P2P architectures for granular authentication or authorization arbitration. Therefore, increased security risks are inherent with P2P deployment compared to other adoptable network configurations.

Access Control Convergence - Part 2

Integrated policies improving access control are needed to increase safeguarding capabilities. Furthermore, due to technological and operational diversity, it is critical to have standard processes to control access that will permit economies of scale. Potential candidates for access control convergence include Tokens, Biometrics, Smart Cards and Tracking Systems. When physical and logical penetration protection mechanisms are converged under a unified access control policy, the resulting combination can operate as a baseline, customized to redress entity-centric needs for effective threat countermeasures. Beneficially, regarding operational complexity, access control convergence can simplify security administration. To enable organizational coexistence with technological convergences, an entity’s security function should assume responsibility for implementing and sustaining blended physical and logical controls.

Physical information security is a critical aspect to adequate perimeter and interior controls. Yet, physical controls alone cannot ensure that information assets are protected. For this reason, it is important to establish logical security controls that rebuff information confidentiality, integrity, and availability threats. Both control types should have as their primary objective appropriate asset protection, particularly information in electronic form. Consequently, where feasible, entities should deploy cost-effective processes for protecting the network infrastructure through converged physical and logical security controls.

Access Control Convergence - Part 1

Computer technology continues to advance toward a tiered decentralized world of distributed platforms for entering, processing, and retrieving information. Technological implementations are diverse and complex; however, all IT deployments should be protected from unauthorized usage utilizing suitable information asset access controls. Given IT interconnectivity, entities should also protect information assets from unauthorized manipulation to safeguard investments from risks associated with resource misuse. Consequently, information assets access control is typically viewed from two abstraction perspectives: physical and logical security.

Physical security provides tangible assets protection whether an item is at rest or in transit. Sub-categorically, information physical security involves reducing technological vulnerabilities, usually by limiting access to the buildings and rooms where information assets are housed, or by installing mechanical locks on devices. However, physical access controls should address not only the area containing hardware, but also wiring locations utilized to connect system elements, supporting services, backup media, and other items required for IT operational effectiveness.

Distinctively, logical security focuses on safeguarding intangible assets whether data is at rest or in transit. Logical access controls are the manual and electronic policies, procedures, and organizational structures deployed to safeguard symbolic objects. Essential elements for adequate logical access control are identification, authentication, authorization, and accountability.