Policy Management in a COA

Size: px

Start display at page:

Download "Policy Management in a COA"

Ella Barton
10 years ago
Views:

1 Policy Management in a O John rnold hief Security rchitect, UK apgemini The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 1

2 De-Perimeterised Organisations People Devices Movements between organisations are built-in Policies Organisation Information Risks ontracts & Processes The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 2

Organisation Information Risks ontracts & Processes

3 Security Policy - Terminology Human Readable Security Policy is a security policy that is intended to be interpreted by humans in making security decisions. E.g. a security procedure Machine Readable Security Policy is a security policy that is intended to be interpreted by computer programs in making security decisions. E.g. an L Governance Policy is a policy that describes how a human or machine readable policy is determined or agreed. E.g. Most ISO27001 security policies. In collaboration with lient or Partner logo DOUMENT TITLE opyright apgemini 2008 ll Rights Reserved 3

a security procedure Machine Readable Security Policy is a security policy that is intended to be interpreted by computer programs in making

4 urrent security policy approaches and the problems with them Machine readable policies tend to be lists rather than rules Machine readable policies are designed to be enforced by infrastructure rather than applications Machine readable policies not linked to business requirements pplication security policies are embedded into application code Organisations assume their policies are their own Use of Ls per resource Difficult to change as business needs change. One size fits all approach; cannot relate policies to business benefit Policies do not implement requirements properly and it is not clear how to change them May not meet business requirements. Difficult to change as business needs change Untrue where organisations handle information on behalf of someone else, the original information owner is a stakeholder in the policy Enormous number of Ls to manage In collaboration with lient or Partner logo DOUMENT TITLE opyright apgemini 2008 ll Rights Reserved 4

own Use of Ls per resource Difficult to change as business needs change.

5 Handling policies better a new policy enforcement architecture User gent redentials/ Identity ccess Request/ ccess Response Policy Enforcement Point Decision Request/ Decision Response uthentication Service ttributes ttribute & uthentication uthority ttributes Policy Decision Point Policies Policy dministration Point Policies Policy uthority In collaboration with lient or Partner logo DOUMENT TITLE opyright apgemini 2008 ll Rights Reserved 5 22 nd 5

ttribute & uthentication uthority ttributes Policy Decision Point Policies Policy dministration Point Policies

6 Handling policies better rich policy language Replace Ls by a machine readable policy expressed in a rich policy language rich policy language expresses access decisions in terms of the relevant contract states, e.g. this asset can be accessed by a direct employee of grade 4 and above, or any employee of a joint venture of a particular type There is a standard for expressing security policies: XML benefit of using standard security policies a policy for an asset can be specified once, then actioned by many different organisations as they pass the asset around The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 6

this asset can be accessed by a direct employee of grade 4 and above, or any employee of a joint venture of a particular type There is a standard for

7 Handling policies better more realistic governance patterns Security policy governance is the process whereby security policies are specified, tested and agreed. Some common patterns: reator control Subject ontrol N-man rule ontent based control ccountability orporate record Many information assets have more than one stakeholder and hence more than one policy stakeholder. The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 7

Some common patterns: reator control Subject ontrol N-man rule ontent based control ccountability orporate

8 Handling security policies better - security policy as a service Most organisations arent capable, or motivated, to develop their own security policies It would be better for suitably qualified organisations to specialise in creating standard security policy services to cover areas such as ompliance Hardening Product-specific policies This requires standardisation of the policy decision and query language (e.g. XML) but also of the enforcement hooks to be put into applications. The ig Picture for usiness Technology apgemini 2009 ndy Mulholland 8

cover areas such as ompliance Hardening Product-specific policies This requires standardisation of the policy decision and query language

IM and Presence. Skype for Business 2015 users. Legend. Skype for Business 2015 users. Active Directory Domain Services.

IM and Presence. Skype for Business 2015 users. Legend. Skype for Business 2015 users. Active Directory Domain Services. TP: 443 HTTP: 80 SIP/TLS: 5061 SIP/TLS: 5061 HTTPS: 443 IM and Presence SIP traffic: signaling and IM XMPP traffic HTTPS traffic MSMQ traffic LS traffic HTTPS: 4443 Director proxies Web traffic to destination