This is a short post that will have to be expanded later. There are too many questions that a seasoned professional would ask about this model without having its background and scope clearly defined, and there are clear shortcomings in the model as it stands. Even so, it has provided a fantastic simplified background for discussion: it lets us view security from more than one perspective and appreciate the breadth of controls that work together to provide information protection. Thank you Charles Benagh for your excellent help with this. It was during our conversations that this finally came together.
Specific to Solution Security, there is far more than I have time to address in any real detail right now. Here is an overview:
This blog is about understanding, auditing, and addressing risk in cloud environments. Systems and architectures are rapidly converging, hiding complexity with additional layers of abstraction. Simplicity is great for operations - as long as risks are understood and appropriately addressed.
Wednesday, August 31, 2011
Monday, August 22, 2011
Compliance for the Masses - Simplified Models
This functional illustration shows how standards and regulations correlate with specific requirements, policies, controls, and audit points. I created a version of this illustration for a group of RSA SEs learning Archer as a way to quickly bridge the gap between authority documents (standards and regulations) and audits while keeping important details.
Standards and regulations (the Authorities) contain requirements, which, when documented, become policies and procedures. That's simple enough. Controls are implemented to ensure policies are followed. Again, straightforward. Controls are then audited on a periodic basis to ensure they align with policies and required compliance mandates. Make sense?
This is a simple compliance model. There is a different model and view of security of which this becomes a component.
PCI-DSS Example
- Authority: PCI-DSS is the authority document created by the PCI-SSC.
- Requirement: (10.6) Review logs for all system components at least daily.
- Policy: Monitoring Policy – States logs will be reviewed at least daily.
- Control: RSA enVision provides real-time monitoring for all system components.
- Audit: Auditor verifies RSA enVision is appropriately monitoring and alerting to actionable events. Audit results and evidence are stored as part of the audit.
Authorities to Audits
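The PCI-DSS chain above ends at the audit step, where an auditor verifies the monitoring control and keeps the evidence. As an added example (not from the original post, and not an RSA enVision or Archer feature), this script performs that check for requirement 10.6 over a constructed evidence feed: it finds the latest log review per in-scope system component, flags any component whose last review is older than a day or that has no review at all, and returns the per-component evidence an auditor would file. Component names, reviewer names and timestamps are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample evidence feed (hypothetical data): one entry per completed
# log review, in the shape a SIEM or GRC tool might export it.
REVIEW_RECORDS = [
    {"component": "web-01",  "reviewed_at": "2011-08-21T09:00:00Z", "reviewer": "analyst-a"},
    {"component": "web-01",  "reviewed_at": "2011-08-22T08:30:00Z", "reviewer": "analyst-a"},
    {"component": "db-01",   "reviewed_at": "2011-08-20T17:45:00Z", "reviewer": "analyst-b"},
    {"component": "fw-edge", "reviewed_at": "2011-08-22T07:10:00Z", "reviewer": "analyst-b"},
]

# In-scope system components (constructed): each must show a review at least daily.
IN_SCOPE = ["web-01", "db-01", "fw-edge", "pos-terminal-3"]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_daily_review(records, in_scope, now, max_age=timedelta(days=1)):
    """Return audit evidence for the 'review logs at least daily' control.

    The latest review per component is located; a component passes when that
    review falls within max_age of `now`. Components with no review record at
    all are reported as failures rather than silently skipped.
    """
    latest = {}
    for rec in records:
        ts = parse_ts(rec["reviewed_at"])
        if rec["component"] not in latest or ts > latest[rec["component"]][0]:
            latest[rec["component"]] = (ts, rec["reviewer"])
    findings = []
    for comp in in_scope:
        if comp not in latest:
            findings.append({"component": comp, "status": "FAIL",
                             "last_review": None, "reviewer": None})
            continue
        ts, reviewer = latest[comp]
        status = "PASS" if now - ts <= max_age else "FAIL"
        findings.append({"component": comp, "status": status,
                         "last_review": ts.isoformat(), "reviewer": reviewer})
    return findings


def failing_components(findings):
    """Names of components that would be raised as audit exceptions."""
    return [f["component"] for f in findings if f["status"] == "FAIL"]


if __name__ == "__main__":
    for finding in audit_daily_review(REVIEW_RECORDS, IN_SCOPE, parse_ts("2011-08-22T12:00:00Z")):
        print(finding)
```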
Thursday, August 11, 2011
Federal Information Assurance: The DoD IA Policy Chart
DoD IA Policy Chart
To the team of people who put this together: Awesome job. Thank you for the hard work.
Here is the list of resources used in the creation of the chart:
- ASD(NII)/ASD(C3I)/DoD CIO http://cio-nii.defense.gov/
- CNSS/NSTISS http://www.cnss.gov/
- DISA http://www.disa.mil/
- DNI http://www.dni.gov/
- JCS http://www.jcs.mil/
- NIAP http://www.niap-ccevs.org/
- NIST http://www.nist.gov/
- NSA http://www.nsa.gov/
- OSD http://www.defense.gov/osd/
- STRATCOM http://www.stratcom.mil/
- USD(AT&L) http://www.acq.osd.mil/
- USD(C) http://comptroller.defense.gov/
- USD(P) http://policy.defense.gov/
- USD(P&R) http://prhome.defense.gov/
Thursday, August 4, 2011
Security Topics of Interest – Check all that apply
I joined the InterSeC community some time ago because of a banner they have on ISC2's website. The registration process includes questions about your security interests across 62 topical areas. Have you ever wondered why it's so hard to be an expert in everything? :)
Here are the 62 security topics listed on the InterSec website:
Access Control, Analysis & Monitoring, Anti Malware, Application Security, Audit, Authentication, Business Continuity & Disaster Recovery, Cloud Computing, Compliance Management, Computer Forensics, Configuration/Patch Management, Content Filtering, Cybercrime, Data Leakage Protection, Database Security, Denial of Service, DIACAP, Digital Certificates, Digital Forensics/E-Discovery, Digital Rights Management, DOD IA, Education/Training, Encryption/Key Management, Endpoint Security, Enterprise Security, Firewalls, Fraud, GRC (Governance Risk and Compliance), HIPAA, Identity Management, Identity Theft, IDS/IPS (Intrusion Detection/Prevention Systems), Incident Response, Managed Security Services, Messaging Security, Mobile Security, Network Protocol Security, Password Management, PCI, Penetration Testing, Physical Security, PKI, Policy Management Enforcement, Privacy, Professional Certification, Provisioning, Remote Access, Risk Assessment & Management, Secure File Transfer, Secure Virtualization, Security Consulting, Security Metrics, SIEM, Single Sign On, Software Code Vulnerability Analysis, SOX, Storage Security or Secure Storage, VoIP Security, VPN, Vulnerability Assessment, Web Filtering, Wireless Security
Wednesday, August 3, 2011
The Best Kept SMB Secret: Cloud WAF
Allen Mohler's Gym... Kids learn discipline and work ethic.
But can he take care of his website?
He's not focused on protecting his website. He's teaching boys how to be men. He needs a simple and cost effective solution to stop malicious attacks.
Proxied web application firewalls have been around for a few years now, but surprisingly few SMBs know about them, or know how cost-effective they can be at stopping malicious attacks.
Enter the Dragon: cloud services like Incapsula (SMB friendly) and Imperva (commercial and enterprise) drop malicious attacks before they reach your website. Incapsula even has a free service for websites that don't serve SSL traffic. Now, instead of having to worry about an appliance to take care of his web traffic, he can focus on taking care of his favorite students.