Securing information is the focus of our security planning services as opposed to securing the information infrastructure. Protecting the information system, which includes all of the network nodes and communication channels used for storing and communicating information, can be seen as an outward facing fortification. This fortification provides a strong defense that protects computing environments, but does not protect the information once the attacker is inside the fortification. Insider attacks account for 70% of all network breeches.
To really keep information secure, our security model holds information at the core. Layer upon layer of defenses are implemented to create significant barriers between the information and unauthorized access. These layers constitute our defense in-depth scheme:
Cryptography
Cryptography is the first and most important layer of defense, because it provides a protective coat for the information. Encryption can keep information secure even when a security breach occurs. The encrypted information remains safe because the unauthorized user does not know the cryptographic key used in the encryption process.
Authentication / Verification
The Authentication / Verification layer determines if the information is real or fake, and verifies the authorized identity of the user. Authentication techniques determine if the information has been altered or corrupted. Verification checks the authentication with a third party and reports on the status of the authorization.
OS Hardening
The OS Hardening layer locks down the operating system by shutting down unnecessary services, restricting access, and closing programming holes. By hardening the system, we minimize the amount of entry points an attacker can penetrate, thus limiting the chance of the information being compromised.
Information System Architecture
The Information System Architecture and Design layer deals with the architecture and configuration of all the components in the information system. The information system is usually operating in an open environment, so patching all vulnerabilities is close to impossible. Through the use of configuration techniques, such as user permissions, event monitoring, traffic screening, and cryptographic methods, the amount of vulnerabilities in the information system can be limited.
Web Services
The Web Services layer secures services such as browsing for information, files transfer, name and address resolution, secure funds transfer, transaction processing, and private use of the web.
8 P’s
The 8 P’s layer helps the user community adhere to the security model by focusing on the people, planning, policy, procedure, process, product (hardware, software, and tools), perseverance, and pervasiveness involved with the security plan.
|
