Logging en Monitoring - privacy, beveiliging en compliance Enkele praktijkvoorbeelden

Transcription

1 Logging en Monitoring - privacy, beveiliging en compliance Enkele praktijkvoorbeelden Pascal Oetiker Security Management Solutions Novell EMEA poetiker@novell.com

2 Privacy- en compliance-druk PCI-DSS NEN 7510 Basel II Sarbanes-Oxley Privacywetgeving NEN 7513 Solvency II 2

3 Balans tussen flexibiliteit en veiligheid Flexibiliteit ICT houdt snel veranderende behoeften bij Lage kosten en moeite Veiligheid Data beschermd Compliancy behaald Controls en Processen beinvloedt beschikbaarheid, integriteit en vertrouwelijkheid van gegevens 3

4 ICT beveiliging en compliance vraagstukken Garanderen dat de juiste personen autorisaties voor gebruik van gevoelige gegevens hebben Het herleiden van wie gebruik maakt van accounts met administrator-privileges Het herleiden van de activiteiten van personen die toegang hebben tot deze accounts 4

5 Logging belangrijke component Herleiden van Wie doet wat? Toegang verschaffen tot gegevens Gebruik van gegevens Welke gegevens? Persoonsgegevens Bedrijfsgegevens Autorisaties? Mag dit? Hoe effectief werkt het ICT beveiligingsbeleid in de praktijk? Monitoring 5

6 Voorbeeld: NEN zorg Een norm voor het vastleggen van gegevens en kenmerken van de acties die feitelijk hebben plaatsgevonden op een patiëntdossier Betreft alle systemen die gegevens bevatten die deel uitmaken van een patiëntdossier Achteraf onweerlegbaar vast te stellen welke gebeurtenissen hebben plaatsgevonden op een patiëntdossier Doel: Een betrouwbaar overzicht te kunnen leveren van de gebeurtenissen waarbij zorggegevens over een persoon zijn verwerkt. 6

7 Voorbeeld: Italiaanse privacywet Regelgeving m.b.t. bedrijfsmatig gebruik van persoonsgegevens Organisaties dienen een compleet overzicht bij te houden van alle interactie met systemen die persoonsgegevens opslaan of verwerken Monitoren van de business user en de beheerders (systemen, databases, etc..) 7 Concreet: rapportage over logins/logouts/failed logins via interne en externe toegang

8 Sony Italia Sony Corporation is one of the world's leading electronics companies Producing a vast array of advanced Consumer and Professional technologies Across computing, audio-visual devices, semiconductors and electronic components. The corporation operates on a global basis, employing approximately 147,000 people in total. Sony Italia, headquartered in Milan, employs approximately 250 people. Source: Paolo Barna, Manager, Operations & Security Systems at Sony Italia 8

9 Challenge The government passed new legislation aimed at regulating the corporate use of personal data Requirements Keep a complete record of all interactions with computer systems that contain data on employees, customers, suppliers and so on. Monitor not only business users who might access such data as part of their job function but also systems administrators and database managers. Show a record of logins and logouts to all relevant systems, as well as a record of failed logins, both from internal and external sources. Source: Paolo Barna, Manager, Operations & Security Systems at Sony Italia 9

10 10 Solution Requirement: low cost of acquisition, simplicity, ease-of-use, and scalability and flexibility of deployment and management Requirement: solution based on existing hardware all we needed to do was install a virtual Linux appliance. Sony Italia worked with its regular Partner H4T to deploy the new solution, which took just one week from start to finish. "We really wanted to have a smooth implementation process that wouldn't distract us from core business issues. H4T took care of everything, and did an excellent job as usual. Sony Italia is using the solution to monitor multiple heterogeneous servers, running a mixture of UNIX, Sun Solaris, SUSE Linux Enterprise Server and Windows Server It also monitors a variety of Cisco routers and switches, pulling all relevant data into a single database for easy reporting. Source: Paolo Barna, Manager, Operations & Security Systems at Sony Italia

11 Results A single tool for monitoring activities to all the different types of servers and routers on its network. The solution enables the company to comply with the new Italian privacy legislation with minimal effort. Sony Italia can rapidly create new custom reports to meet the requirements of any internal or external audits, and can be confident that it is in complete compliance with the new privacy legislation. "We currently use the solution simply to meet our legal requirements, but if we ever need to log other types of activity, there will be no need to upgrade or change the solution. Also, we can easily add new servers into the monitoring regime as we add them to our network." Source: Paolo Barna, Manager, Operations & Security Systems at Sony Italia 11

12 Voorbeeld: GCSX Code of Connection Regelgeving m.b.t. aansluiten op het Engelse e-government netwerk (GCSX) GCSX stands for Government Connect Secure Extranet. It is a secure, private, Wide Area Network (WAN) which enables secure interactions between connected local authorities and other GSi connected organisations. The GCSX Code of Connection (CoCo) is a list of security controls with which ALL local authorities must be compliant before their GCSX circuit can be activated. This applies to local authorities who are taking a direct connection, or who are connecting via an aggregated gateway. 12

13 London Lambeth Council One of London's most densely populated boroughs, with 275,000 people living in an area of just over ten square miles. Provides a wide range of online services to its citizens, and prides itself on being a leader in public sector IT adoption while also maximising value for money. As a result of its highly successful IT strategy, the Society of Information Technology Management has recognised Lambeth as having the lowest IT costs of any London council. Source: Mary Cotterell, Technology Programme Manager at Lambeth Council 13

14 Challenge Lambeth Council needed to be able to respond to a new policy from the UK Department of Work and Pensions (DWP): from 30th September 2009, the exchange of all restricted or sensitive personal data between the DWP and local government organisations would take place via a new secure IT channel, the Government Connect Secure Extranet (GCSX). To use GCSX, all local authorities would have to achieve compliance with a Code of Connection (CoCo) specifying 127 different security controls - including everything from site security and employee training through to IT monitoring and audit requirements. "GCSX CoCo compliance is only relevant for UK local authorities, so there weren't many solutions on the market that were specifically designed to meet its needs," Source: Mary Cotterell, Technology Programme Manager at Lambeth Council 14

15 15 Solution "We decided on a different approach: choosing a more generic solution that was flexible enough to adapt to our immediate needs. This would also have the advantage of giving us a platform for meeting other requirements in future: for example, the Council offers a number of payment card-related services, so we may need to consider PCI-DSS compliance in the near future. Within 30 days, we had designed the solution, installed the software, and rolled it out across the server estate. As a result, Lambeth achieved GCSX CoCo compliance ahead of the deadline, and is now able to communicate seamlessly and securely with key central government systems. The software is now being rolled out to the rest of the infrastructure, and will soon provide a comprehensive log management solution. Source: Mary Cotterell, Technology Programme Manager at Lambeth Council

16 Results From an operational perspective, the log management solution will transform the way Lambeth Council handles IT security issues such as virus infections and tracking file access. The solution gives us a single point of control where all logs are collected and analysed, providing a much more efficient way to handle security-related incidents, "Currently, the potential time-savings are only to be guessed at - but I would be surprised if our next significant malware/hacking event isn't identified, traced and triaged within hours. Source: Mary Cotterell, Technology Programme Manager at Lambeth Council 16

17 17

18

19 Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.