ICT Security Architecture - University of...
ICT Security Architecture
Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer
Senior Advisor Information Security
UNINETT, the Norwegian NREN
20. mars 2015 SLIDE 2
About Øivind
About UNINETT
Corporate social responsibility
Transparency
Technology enthusiasm
The Norwegian HE Sector’s Secretary for Information Security
What we do…
• Information Security Management Systems
• Policies, frameworks and methodologies
• Risk and vulnerability assessments
• Business impact assessments
• Continuity and disaster recovery plans
• Audits
• Templates and information material
• Information about the threat landscape
• Information security awareness
• Organize security conferences
• Security portal and blog
• International cooperation
Document goal
The goal of this Campus Best Practice document is to serve as a guide for the implementation of an ICT security architecture that will enable HE organizations to appropriately protect their information.
Content in the document
• Overall requirements
• The security architecture
• Authentication and access control
• The services and systems in the zoned network
• Definitions and references
Overall requirements
• Adequate protection of information assets
• Information security policy
• Regulatory requirements and directives
• The institution’s objectives
• Agreements with third parties
• Appropriate capacity
• Robustness in the event of failure
• Quality
Security architecture principles
• The network must be subdivided into zones and security classes
• Separation between servers and clients
• Servers and clients must be placed in relevant security classes based on risk assessments
• Access to services must be controlled by appropriate security barriers
Subdivision into zones and segments
• Risk assessments
• The system owner is responsible
• Zones are an underlying principle of the security architecture
• A zone defines a minimum level of security
• Security barriers between zones
• Each zone contains one or more network segments
Security barrier elements
The security barrier may consist of one or more of the following elements:
• Firewall/firewall functionality in a router
• Packet filter
• Application gateways, such as proxies and terminal servers
• Authentication and access control
• VPN systems/SSL gateways
• Client requirements
• Server requirements
Zone assignment
It is recommended to organize the zones as follows:
• Secure zone for sensitive data and critical systems
• Internal zone for internal network segments
• Open zone for everything else
Implementation of zones and security barriers
[Diagram: three security barriers between the zones. Labels as shown: security barrier with packet filters, firewall, antispam; security barrier with packet filters, firewall, antispam, authentication, VPN, terminal server; security barrier with packet filters, firewall, authentication, terminal server]
Requirements for dedicated servers
• Open zone: requirements related to good system administration, such as patching and the disabling of unnecessary services, security hardening and central logging
• Internal zone: the same requirements as for the open zone
• Secure zone: the same requirements as for the open zone; consider additional measures such as integrity checks, host-based intrusion detection, data encryption and security hardening
Requirements for clients
Clients should be separated from dedicated servers and located in different network segments.
• Open zone: no requirements, or requirements determined by the institution
• Internal zone: clients must be administered centrally; clients must comply with the institution’s standards for operating systems, antivirus software and other protection measures; no private clients
• Secure zone: no clients in the secure zone; access by clients from the internal zone; special care for remote access
Authentication and access control
The term access control describes a security barrier that a client must pass in order to gain access to resources hosted in a specific zone and security class.
The following general principles apply:
• Access shall be granted on a “need-to-have” basis only
• Adequate mechanisms must be in place to enable logging and traceability
Authentication and access control – Open zone
• Access control for wireless networks should be implemented using eduroam or equivalent implementations
• A separate arrangement must be put in place for guests who are not participants in eduroam
• eduroam or equivalent authentication procedures must also be employed in a wired open zone, such as in auditoria and meeting rooms
Authentication and access control – Internal zone
• All equipment connected to the network must be authenticated
• All users should be authenticated against a central user database
• Systems that do not support central authentication must be given special protection
Authentication and access control – Secure zone
• Users wishing to gain access to the secure zone from the internal zone must be re-authenticated
• Special care must be taken if remote access is permitted to a secure zone
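As an added example that is not part of the slides or the CBP document, the following Python sketch encodes the client placement rules and the per-zone access control rules from the preceding slides as a single policy check with an audit trail. The data model, function names and sample grants are assumptions; only the rules themselves come from the slides.

```python
# Added example, not from the UNINETT/CBP document: toy evaluator for the
# zone rules stated on the slides (open / internal / secure). The data model
# and helper names below are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Client:
    name: str
    zone: str                 # zone of the network segment the client sits in
    centrally_managed: bool   # administered by the institution
    private: bool             # privately owned device
    remote: bool = False      # reaching the network via VPN / remote access


@dataclass
class Decision:
    allowed: bool
    reason: str
    reauth_required: bool = False


def placement_ok(c: Client) -> tuple[bool, str]:
    """Client placement rules from the slide 'Requirements for clients'."""
    if c.zone == "secure":
        return False, "no clients are permitted in the secure zone"
    if c.zone == "internal" and (c.private or not c.centrally_managed):
        return False, "internal-zone clients must be centrally administered; no private clients"
    return True, "placement ok"


def check_access(c: Client, service: str, service_zone: str, authenticated: bool,
                 grants: set[tuple[str, str]], audit: list[str]) -> Decision:
    """Evaluate one request and append a trace line (logging and traceability)."""
    ok, why = placement_ok(c)
    if not ok:
        d = Decision(False, why)
    elif not authenticated:
        d = Decision(False, "user not authenticated against the central user database")
    elif (c.name, service) not in grants:           # need-to-have basis only
        d = Decision(False, "need-to-have: no grant for this service")
    elif service_zone == "secure" and c.zone != "internal":
        d = Decision(False, "secure zone is reachable only from the internal zone")
    elif service_zone == "secure":                  # re-authentication on zone crossing
        note = "re-authentication required"
        if c.remote:
            note += "; remote access: special care required"
        d = Decision(True, note, reauth_required=True)
    else:
        d = Decision(True, "granted")
    audit.append(f"{c.name}@{c.zone} -> {service}@{service_zone}: "
                 f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    return d
```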
The services and systems in the zoned network
The system owner of a given service is responsible for determining the zone in which the service will be located and the type of protection it will be allocated.
Services and systems in zones
• Open zone: open information, guest networks, student services, external websites, DMZ
• Internal zone: internal information, non-sensitive personal data, administrative systems, data storage, system services (AD, DHCP, DNS…), client administration systems, monitoring services
• Secure zone: confidential information, sensitive personal data, mission-critical systems
Access to zones via terminal servers and/or VPN
Multiple zones