A Case for Multi-tiered Security
                                   WHITE PAPER




                                   Introduction
                                   Perimeter network defense alone is insufficient to combat the full range of enterprise security
                                   threats. A defense-in-depth approach focused on protecting the confidentiality and integrity
                                   of data, while providing authenticated access to computing resources, is necessary to mitigate
                                   today’s risks. Paradigm shifts, such as cloud computing, software-as-a-service, and remote
                                   data warehousing, add significant challenges, as does the proliferation of sophisticated
                                   botnets and small, inexpensive, high-capacity portable storage devices. This paper outlines a
                                   balanced approach to enterprise security—defending the perimeter while protecting interior
                                   services and critical data.

                                   The Advancing Threat Environment
Business or mission impacts result when threats exploit vulnerabilities through an access vector to affect targets, as shown in Figure 1. The relationship between these attack components is many-to-many, with a large number of combinations yielding a vast set of threads against which the enterprise must be protected.

For the purpose of illustration, we have used very coarse groupings; however, further decomposition of threats, vectors, and targets would reveal even more threads of potential vulnerability. This property, in which an attacker may exploit multiple targets through multiple vectors in an attempt to produce a given impact, reinforces the need for defense-in-depth to protect critical assets.

[Figure 1 diagram (Threat, Vector, Target, Impact). Labels recoverable from the extracted image: threats of Internal Origin and External Origin using Known Technology Exploits, Unknown Technology Exploits, Social/Process Exploits and Hybrid/Polymorphic Exploits; vectors User Applications, Comms Infrastructure and Computing Services; targets Data At Rest and Data In Motion; impacts Data Loss/Compromise, Compliance Violation/Liability, Mission/Business Disruption, Loss of Confidence/Reputation and Increased Operating Costs.]

Figure 1. Attackers use a range of exploits through multiple access vectors to impact targets and damage the enterprise

According to Gartner’s 2008 report on IT Security Threats1, cyber threats continue to evolve and are driven by technology changes, as well as increased user trust and/or complacency. Motivated by financial gain, attacks are becoming more focused and sophisticated as targets have shifted from vulnerable PCs to websites and user data. Highly ranked vulnerabilities on the common vulnerability scoring system continue to soar, more than tripling from 2007 to 2008. Web and social networking sites are compromised with malware payloads, while spear phishing techniques are used to deploy botnets over email. Data from Microsoft Corporation’s Malicious Software Removal Tool indicates that, since late 2006, the fastest-growing category of malware is botnet clients.

A Case for Multi-tiered Security White Paper 1

                                  Serious incidents involving data compromise and loss, both deliberate and accidental, are also
                                  on the rise. Portable storage, especially universal serial bus (USB) devices, enables uncontrolled
                                  movement and modification of large volumes of data, resulting in information theft and loss.
                                  Additionally, these storage devices provide another convenient means to bypass network-based
                                  security and inject malware into the enterprise that can spread quickly to wired and wireless
                                  technologies.

Figure 2 summarizes these challenges in the context of a typical enterprise. Threats exploit all vectors, including witting and unwitting insiders. These vectors include poor physical security, lack of user security awareness, malicious downloads, weak authentication, limited or no security monitoring, unauthorized access to applications, and even the supply chain to infiltrate an enterprise. Once in, threats propagate, multiply, steal, disrupt, and, above all, attempt to avoid detection and remain persistent in the network.

[Figure 2 diagram: the Enterprise (Business & Mission Data Repositories, Computing Systems/Servers, End User Systems, Users, Communications Infrastructure, Portable Assets) with Threats arriving from Public External Network(s), a Virtual “Cloud” Computer and Mobile Systems; each element is labelled with the data states it holds: Data In Motion, Data At Rest, Data In Use.]

Figure 2. The enterprise is threatened from both internal and external sources targeting data, technology, and users.




                                  Countermeasure Analysis
                                  Perimeter defense is a fundamental component of an enterprise defense-in-depth solution.
                                  Designed primarily to mitigate external threats, these approaches include network-based
                                  firewalls, intrusion detection, and intrusion prevention systems. The technology can be
                                  signature-based or attempt to detect traffic anomalies through statistical traffic and/or log
                                  analysis. Implementations range from basic header filtering to stateful deep packet inspection.




As shown in Figure 3, typical deployments of perimeter defenses first aggregate external
                                   connections through common gateways to limit the number of protection points.


[Figure 3 diagram: Threats from Public/External Network(s) pass through the Perimeter Defense System(s) (a Border Gateway performing Real-time Inspection driven by Signatures, Thresholds, Statistics and Policy/Rules) before reaching Enterprise A, Enterprise B and Enterprise C (Systems & Resources, Data, Users).]

Figure 3. Perimeter defense systems focus on keeping external threats from penetrating the enterprise


                                   Protection is then applied at the aggregate, high-speed demarcation point into the public
                                   or transport network. While this is a prudent approach to reducing risk, its effectiveness is
                                   dependent upon a defined and functioning set of security policies governing the entire network
                                   using the external connection. If the external connection is servicing multiple networks with
                                   differing policies (for example, acceptable user applications), establishing the real-time rules
                                   and statistics needed by the perimeter defense technology will be problematic.

Complicating matters, today’s applications (and malware) use tunnels, masquerading, spoofing, and encryption to bypass network-based controls and hide in normal traffic. The larger and more heterogeneous the enterprise becomes, the higher the “noise floor” becomes, making it more difficult to distinguish normal behavior from threat behavior, and to identify covert channels.

Cloud-computing services, such as those offered via Google and Amazon, store and process data on virtual machines located beyond the client’s enterprise. This growing trend, promising increased reliability, availability, and lower cost, has been hailed as the next big step in computing. However, from a security perspective, it reduces the applicability of perimeter defense as it blurs the line defining the “perimeter.” In this paradigm, any assumption of privacy or confidentiality is naive and users are advised to adopt technologies such as encryption, identity management, and controlled access.

                                   The traditional perimeter-centric security philosophy assumes that perimeter defenses “keep
                                   the bad guys out” and ensure that sensitive data is only accessed by trusted users within the
                                   enterprise. While the perimeter provides one layer of protection, as depicted in Figure 4, sensitive
                                   data continues to escape the enterprise at an increasing frequency. As described on the National
                                   Institute of Standards and Technology’s (NIST’s) National Cyber Security Fact Sheet2: “Many
                                   of today’s tools and mechanisms for protecting against cyber attacks were designed with
                                   yesterday’s technology in mind. Information systems have evolved from room-size computer
                                   workstations shut off from the rest of the world to ubiquitous mobile devices interconnected by
                                   a global Internet. In this diverse ecology of communication devices, no cyber security solution
                                   works on all operating systems and can protect every type of computer and network component.”
                                   In fact, today’s enterprise networks include so many teleworkers, branch offices, network
                                   capable smartphones, and removable media platforms that traditional security solutions
                                   designed to protect network systems are no longer adequately protecting the data. In addition, a
                                   perimeter-based approach does not address insider threats or the real-world problem in which a
                                   breach of the perimeter defense provides unauthorized parties free access to the data.




[Figure 4 diagram: concentric rings around Sensitive Data, labelled Network Defense (Firewall, Anti-Virus, Intrusion Detection), Identity and Access Management (Tokens, PKI, SSO) and Physical Security Infrastructure (Structures, Barriers, Locks).]

Figure 4. Sensitive data is escaping despite state-of-the-art perimeter defenses



Additional security layers are needed to protect the enterprise from unauthorized connections
within the network. This includes security technologies such as user authentication, device
authentication, network access control, and comprehensive wireless security. It is imperative to
also protect the data itself using strong encryption and key management technologies to prevent
inadvertent loss, intentional theft, or malicious injection of data.

To highlight the benefits of a multi-tier security approach, consider the following scenario.

An attacker, or unwitting user, introduces self-propagating malware (i.e., worm) from a USB
portable storage device directly into the enterprise network via a host USB port.

The worm contains a bot client designed to search for data of interest and exfiltrate the data
slowly over time using various covert channels. In this scenario, unless this botnet is well-known
and has been analyzed, perimeter defenses are highly unlikely to detect its first communications
with the bot-herder or master. It is likely that the bot will operate for some time before detection,
especially if it is polymorphic – changing its signature regularly – or if the duration between
communication to the bot-herder is spaced in an undetectable pattern. Upon suspicion of a
compromise, perimeter defenses would be focused and fine-tuned in an attempt to detect
and disrupt the covert channel. However, by the time perimeter defenses are successful,
considerable data will likely have been compromised.
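The "focused and fine-tuned" perimeter check described above is, at its simplest, a periodicity test on outbound connections. The following is an added example, not code from the paper: it parses constructed connection records in an assumed format, flags (source, destination) pairs whose check-ins recur on a near-constant period, and also runs a constructed jittered series that the same test misses, which is exactly why the paper argues the perimeter cannot be the only tier.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the paper). Assumed format, one connection per line:
#   <ISO-8601 timestamp> <source host> <destination IP> <bytes sent>
# ws-17 carries a hypothetical bot checking in roughly every 10 minutes with small
# payloads; ws-22 is ordinary, irregular browsing to a web server; ws-17 browses a little too.
SAMPLE_LOG = """\
2009-03-02T08:00:00 ws-17 203.0.113.5 412
2009-03-02T08:01:12 ws-22 198.51.100.7 9031
2009-03-02T08:02:30 ws-22 198.51.100.7 14220
2009-03-02T08:04:41 ws-17 198.51.100.7 7710
2009-03-02T08:10:03 ws-17 203.0.113.5 398
2009-03-02T08:15:45 ws-22 198.51.100.7 2207
2009-03-02T08:16:02 ws-22 198.51.100.7 880
2009-03-02T08:19:58 ws-17 203.0.113.5 421
2009-03-02T08:30:01 ws-17 203.0.113.5 405
2009-03-02T08:40:00 ws-17 203.0.113.5 417
2009-03-02T08:47:10 ws-22 198.51.100.7 5530
2009-03-02T08:49:59 ws-17 203.0.113.5 399
2009-03-02T09:00:02 ws-17 203.0.113.5 410
2009-03-02T09:05:33 ws-22 198.51.100.7 3319
2009-03-02T09:10:00 ws-17 203.0.113.5 408
"""

# Constructed series for the same hypothetical bot with randomized check-in gaps
# (300 s, 1100 s, 450 s, 900 s, 700 s): the paper's "spaced in an undetectable pattern".
JITTERED_LOG = """\
2009-03-02T08:00:00 ws-31 203.0.113.9 402
2009-03-02T08:05:00 ws-31 203.0.113.9 415
2009-03-02T08:23:20 ws-31 203.0.113.9 397
2009-03-02T08:30:50 ws-31 203.0.113.9 409
2009-03-02T08:45:50 ws-31 203.0.113.9 411
2009-03-02T08:57:30 ws-31 203.0.113.9 404
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def interval_cv(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between consecutive
    timestamps. A value near 0 means the connections recur on a fixed period;
    None if there are too few gaps to judge."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(records, min_connections=6, max_cv=0.1):
    """Group connections by (src, dst) and flag pairs whose inter-arrival times
    are nearly constant. Thresholds are illustrative; a real sensor would tune
    them against the enterprise's own traffic baseline (the "noise floor")."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))
    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_connections:
            continue  # too few samples to call a pattern
        stamps = sorted(ts for ts, _ in hits)
        cv = interval_cv(stamps)
        if cv is None or cv > max_cv:
            continue  # irregular gaps: indistinguishable from human-driven traffic
        findings.append({
            "src": src,
            "dst": dst,
            "connections": len(hits),
            "period_s": (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1),
            "cv": cv,
            "bytes_out": sum(n for _, n in hits),
        })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("periodic check-ins:", hit)
    # The jittered bot passes the same test untouched, so the host-side and
    # data-side tiers below still have to hold.
    print("jittered series flagged:", find_beacons(parse_log(JITTERED_LOG)))
```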

Three principal countermeasures should be applied to protect against this scenario.

1. Technical enforcement of policy governing controlled use of all external interfaces on host
   computers. Since this scenario involves deliberate misuse, administrative controls and
   physical security are not sufficient, and interfaces need to be either disconnected or logically
   controlled by software.

2. Data at rest should be encrypted. This would not prevent the exfiltration, but it would prevent
   compromise as the data would not be exposed.

3. Critical data and access to resources should be protected using multi-factor authentication.
   This would limit access to the data and resources that the worm could access, even if it is
   capable of capturing user names and passwords.
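The third countermeasure rests on a property worth seeing in code: a second factor derived from a secret held by the token is valid for one short time step and can be consumed only once, so a user name and password captured by the worm do not reproduce a session. The following verifier is an added example, not code from the white paper or from SAIC/SafeNet; it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and adds a replay guard. The account, password, salt and the token secret (the RFC test-vector key) are constructed test values.

```python
"""Second-factor (TOTP) verification with replay protection.

Added example, not from the white paper. A captured password passes the
first check; the second check needs the current code from the token's
secret, and a code that has already been accepted is refused again.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (what the token displays)."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactorVerifier:
    """Checks TOTP codes for one enrolled token and refuses replays."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # tolerate +/- this many steps of clock drift
        self._last_accepted_step = -1   # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for step_index in range(current - self.window, current + self.window + 1):
            if step_index <= self._last_accepted_step:
                continue                # already used, or older than one already used
            expected = hotp(self.secret, step_index, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_accepted_step = step_index
                return True
        return False


def make_user(password: str, token_secret: bytes) -> dict:
    """Constructed account record: salted PBKDF2 password hash plus an enrolled token."""
    salt = b"constructed-salt"          # constructed; draw a random salt per user in practice
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "verifier": SecondFactorVerifier(token_secret)}


def login(users: dict, username: str, password: str, otp_code: str, now: float) -> bool:
    """Both factors must pass; a stolen password alone stops at the second check."""
    rec = users.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return False
    return rec["verifier"].verify(otp_code, now)


TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector key (constructed enrolment)
USERS = {"alice": make_user("correct horse", TEST_SECRET)}   # constructed account


def demo():
    """Legitimate login succeeds; the same captured code replayed 5 s later is refused."""
    t = 59
    code = totp(TEST_SECRET, t)                                   # token display at t
    first = login(USERS, "alice", "correct horse", code, t)       # True
    replay = login(USERS, "alice", "correct horse", code, t + 5)  # False
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The drift window means a code from the adjacent time step is still accepted, which is why the replay guard tracks the highest consumed step rather than only the current one; without it, a captured code would remain usable for the whole window.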

Figure 5 illustrates these concepts, as well as several other prudent measures. Perimeter
defenses are used to protect the enterprise gateway. Within the enterprise, perimeter defense
technologies are applied to protect high-value resources—forming protective enclaves. Data at
rest and in motion is encrypted, both in the enterprise and “in the cloud.” Mobile systems boot to
encrypted hard drives and use encrypted communications to connect to the enterprise. Tokens
are used to augment user name and password credentials, communication and processing
devices such as routers and servers are hardened, and end-user systems and portable assets
are placed under tight configuration control with current antivirus and endpoint protection
software.




[Figure 5 (diagram; image not recoverable from the extraction): the enterprise sits behind Perimeter Defense System(s) facing the Public/External Network(s). Inside, two Protected Enclaves hold the Business & Mission Data Repositories and the Computing Systems/Servers; End User Systems, Portable Assets and the Communications Infrastructure sit on the enterprise network, with Config Ctrl and Auth Token controls attached to end-user systems and Users. Mobile Systems and a Virtual "Cloud" Computer lie beyond the perimeter. Each element is annotated with Data In Motion, Data At Rest and Data In Use.]

Figure 5. A multi-tiered security approach protects enterprise data and resources within and beyond the perimeter




Conclusion
As organizations focus considerable resources on deployment of advanced perimeter
defenses, care should be taken to avoid relying too heavily on this single approach. Increasingly
sophisticated and focused attacks, the insider threat, and uncontrolled user behavior, as well
as changes in Internet services and computing architectures themselves, pose challenges that
cannot be addressed at the perimeter alone.

Effective enterprise security applies a defense-in-depth approach—implementing security
policies, system monitoring, incident response, and user awareness training alongside
diversified technical solutions combining perimeter defense with data and resource protection.

SAIC - Cyber PMO
+1 (703) 676-8381

SafeNet Federal office
+ (703) 647 8400




Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
All other product names are trademarks of their respective owners. WP (EN)-03.02.11