RES Software and Security

N/A
N/A
Protected

Academic year: 2021

Share "RES Software and Security"

Copied!
8
0
0

Loading.... (view fulltext now)

Full text

(1)

Realizing asset-centric and user-centric approaches to security

IT, the way you need it

www.ressoftware.com

www.ressoftware.com

Contents

• Executive Summary
• Security, why does it matter?
• Availability
• Focus on assets
• The user is no longer bound to any single device
• New challenges: confidentiality
• Confidentiality

Executive Summary

In the rush to meet regulatory or customer mandates, organizations have spent millions of dollars implementing security and compliance measures either issue by issue or regulation by regulation. This has resulted in an asset-centric security approach, where we focus on the IT infrastructure and make sure that it is secure. However, in the current versatile user community, a user is no longer bound to any single device. So, although assets still need to be kept secure, the need arises for a user-centric security approach, where security rules are aligned with the use of those assets.

This white paper presents an overview of both the asset-centric and the user-centric approaches to security. These approaches are mapped to the standard for information security, ISO 17799.


Security, why does it matter?

Information is an important asset in the current market. As a result, businesses want to manage this asset, but at the same time they are evolving towards collaboration with other companies in order to fulfill customer needs more quickly. This approach has increased the pressure on IT departments: on the one hand, they need to make information available for more users; on the other hand, they need to keep this information secure and share it only with the appropriate organizations.

So security matters, and any approach will have to focus on two things:

• Availability: making sure that information is available for use.

• Confidentiality: making sure that only authorized people can access it.

Availability

Currently, an important job for many administrators is to ensure that authorized users have access to information and the associated assets when required. This usually results in two approaches to the issue:

Focus on assets

Currently, the most common approach is to focus on assets. This approach originates from risk management. In a Microsoft Windows environment, this means that the following tasks need to be performed on a regular basis:

• Scanning machines for vulnerabilities, i.e. querying installed operating system patches and installed software, querying NTFS and share rights assignments, querying service properties, and running MBSA queries.

• Taking countermeasures for certain risks, i.e. installing patches, changing service parameters, and changing NTFS and share rights assignments.

These standard, frequently repeated tasks can be easily automated with a solution for IT Run Book Automation for Windows, such as RES Wisdom.

[Figure: the risk management model. Threats and vulnerabilities to assets are combined into risks through risk analysis; risk management selects countermeasures.]

The user is no longer bound to any single device

The question arises whether this asset-centric approach, in which threats are perceived as external forces, is enough. Does this approach ensure availability of the service? In the current user environment, users no longer have their own desktop (asset) on which they use their services. In today’s IT world, a user can have a laptop or desktop for use at the office during the day, and a desktop made available via Server Based Computing for use from home or from any other place outside the office. This results in new challenges for IT departments, because the main focus is on ensuring availability of a user’s services.

Users want their services (applications plus their settings) to be available whatever the method of delivery, and they want changes made in one environment to be reflected in all the others automatically. This results in the next approach to availability: the user-centric approach, which is reflected in User Workspace Management. In this approach, all user settings are disconnected from the underlying application delivery solution, and are applied when a user starts an application. This gives the user a unified workspace independent of the application delivery solution.

New challenges: confidentiality

Focusing on the availability of services to users, both in the office and outside the office, enhances user productivity and business performance.

However, this approach does pose new challenges to the IT department, and these challenges need to be addressed. A user now has access to the company network from outside the office too, but some services and their corresponding resources should not be available from outside the office.

Once we have established the availability of a service to a user, we need to make sure that this service is only available to those who are authorized. This is confidentiality, the focus of the next part of this white paper.


Confidentiality

Ensuring that information is accessible only to those who are authorized to access it is a challenging task in the current environment. If a user is not bound to one single workstation, it is no longer possible to allow or disallow access based on the workstation (asset). The asset-centric approach, though important, is not sufficient. A user-centric approach is needed as well, so that a user can get access to the services, but only after the following checks:

• Who is the user? This question is answered using authentication based on username and password.

• Where is the user? This is important, because where a user starts a service can determine whether that service (the application plus its settings and resources) should be available.

• What time is it? Some services may have scheduled maintenance windows during which they are not available.

• Does the user have the necessary token? In some cases, you may want to base access to a service on additional levels of authentication, because the application contains too much sensitive information.

Besides serving the internal user, businesses are starting to collaborate with other companies. These collaborative initiatives will need to share information, and so they need to be supported by IT. The asset-oriented approach tries to make sure that external threats don’t come in. This is not possible in a collaborative enterprise: people from other companies do need to get inside your network, but you only want to grant them access to those services they need. This requires a different approach, one that starts from the inside and works out, instead of the other way round. This is what you deliver with a user-centric security approach.

You grant a user access to a service, namely the application with its settings. Based on this access, you can then grant the user access to related:

• Files and folders

• Local storage

• Removable storage

• Network resources

[Figure: the user-centric access model. The application (service) sits at the centre; files and folders, local storage, removable storage and network resources are granted through it.]
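The four checks above and the service-based resource grant, written as a small policy evaluator. This is an added example, not RES Software code and not a description of how RES products implement it; the Payroll service, the finance group, the office/remote locations and the \\FILESERVER-EXAMPLE path are constructed sample data.

```python
# Added example (not RES Software code); all users, groups, services and paths are constructed.
from dataclasses import dataclass, field
from datetime import time

@dataclass
class Service:
    allowed_groups: set
    allowed_locations: set                 # e.g. {"office", "remote"}
    maintenance: tuple = None              # daily (start, end) window, or None
    requires_token: bool = False
    resources: dict = field(default_factory=dict)  # resource kind -> paths

@dataclass
class Session:
    user: str
    groups: set
    location: str                          # where the service is started from
    now: time
    token_present: bool = False

def in_window(now, window):
    start, end = window                    # the window may cross midnight
    return start <= now < end if start <= end else (now >= start or now < end)

def check_access(session, service):
    # Every check must pass; the first failing check names the reason.
    if not session.groups & service.allowed_groups:
        return False, "who: user is not in an authorized group"
    if session.location not in service.allowed_locations:
        return False, f"where: service not offered from {session.location}"
    if service.maintenance and in_window(session.now, service.maintenance):
        return False, "when: service is inside its maintenance window"
    if service.requires_token and not session.token_present:
        return False, "token: additional authentication factor required"
    return True, "granted"

def granted_resources(session, service):
    # Files, folders, storage and network resources follow the service grant.
    return dict(service.resources) if check_access(session, service)[0] else {}

PAYROLL = Service({"finance"}, {"office"},                 # constructed: office only,
                  maintenance=(time(23, 0), time(1, 0)),   # nightly window, token needed
                  requires_token=True, resources={"network": [
                      "\\\\FILESERVER-EXAMPLE\\payroll"], "removable storage": []})

def decide(user, groups, location, hour, minute=0, token=False, service=PAYROLL):
    s = Session(user, set(groups), location, time(hour, minute), token)
    ok, reason = check_access(s, service)
    return ok, reason, granted_resources(s, service)
```

A denied service yields an empty resource set, so a remote or out-of-hours session never sees the payroll share even though the same user is entitled to it in the office.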

Conclusion

The ISO 17799 standard is related to information security. This standard defines information as an asset that may exist in many forms, and that has value to an organization. The goal of information security is to protect this asset suitably, so that business continuity is ensured, business damage is minimized, and return on investments is maximized. According to ISO 17799, information security is characterized as the preservation of:

• Integrity: safeguarding the accuracy and completeness of information and of protection methods.

• Availability: ensuring that authorized users have access to information and associated assets when required.

• Confidentiality: ensuring that information is accessible only to those authorized to have access.

As discussed in the previous paragraphs, there are two approaches in information security: asset-centric and user-centric. The asset-centric approach ensures that the infrastructure is available, and helps protect it against external threats.

But in the current versatile user environment, this approach by itself is not enough to make services available to users. Because the user is working from multiple desktops both in and out of the corporate network, a user-centric approach is needed as well. Combining these approaches will result in better availability, but, even more importantly, will greatly improve confidentiality as described by ISO 17799.

The user-centric security approach is delivered through the use of User Workspace Management. This gives the desired availability of the services to end users, without compromising the necessary security policy.

Copyright © 1998-2009 RES Software. V2001-01

We achieve this by involving our customers in the development and enhancement of our products. Currently more than 2,500 organizations worldwide have purchased products from the RES Software portfolio. RES Software products are exclusively delivered through a network of certified partners.
