HP Security Handbook


Page 1: HP Security Handbook

The HP Security Handbook

Vice President, HP Security Office: Tony Redmond

HP Security Handbook Lead: Jan De Clercq

Layout, Illustrations, Graphics and Production Lead: Killian McHugh

Primary Content Editors and Strategists
• Governance and Compliance: Stuart Hotchkiss (Lead)
• Proactive Security Management: Keith Millar (Lead)
• Identity Management: Jan De Clercq (Lead), Mark Crosbie
• Trusted Infrastructure: Boris Balacheff (Lead), Iver Band, Archie Reed, Mark Schiller, Bill Wear
• Innovation in Security: Simon Shiu (Lead), Joe Pato

Additional Content Contributors

Governance and Compliance: Lois Boliek, John Carchide, Frederic Gittler, David Graves, Jim Hoover, Cheryl Jackson, Paul Jeffries, Bill Kowaleski, Tari Schreider, Saida Wulteputte, Mike Yearworth

Proactive Security Management: Hayden Brown, John Carchide, Tracy DeDore, Paul Jeffries, Montserrat Mane, Jim O'Shea, Christopher Peltz, Sarah Porten, Yann Vermast, Brian Volkoff, Doug Young

Identity Management: Sai Allavarpu, Jean-Michel Argenville, Carolyn Bosco, Pete Bramhall, Christian Fischer, Ronald Luman, Marco Casassa Mont, Robert Neal-Joslin, Jason Rouault, Scott Swist, Ibrahim Wael, Manny Novoa

Trusted Infrastructure: Enrico Albertin, Shivaun Albright, Sunil Amanna, Mike Balma, Ron Carelli, Lynne Christofanelli, Paul Congdon, Joanne Eames, Janusz Gebusia, Gary Lefkowitz, Shab Madina, Sunil Marolia, John Rhoton, Steve Scott, Rick Supplee, Tom Welsh, Chris Whitener

Innovation in Security: Adrian Baldwin, Richard Brown, Chris Dalton, Bill Horne, Ed McDonnell, David Pym, Martin Sadler, Steve Simske, Richard Smith

The HP Security Handbook is available online at www.hp.com/go/security/securityhandbook. For feedback, please e-mail [email protected]. For additional printed copies, please see your HP Sales Representative.


About HP

HP is a technology company that operates in more than 170 countries around the world. We explore how technology and services can help people and companies address their problems and challenges, and realize their possibilities, aspirations, and dreams. We apply new thinking and ideas to create more simple, valuable, and trusted experiences with technology, continuously improving the way our customers live and work.

No other company offers as complete a technology product portfolio as HP. We provide infrastructure and business offerings that span from handheld devices to some of the world's most powerful supercomputer installations. We offer consumers a wide range of products and services from digital photography to digital entertainment and from computing to home printing. This comprehensive portfolio helps us match the right products, services, and solutions to our customers' specific needs.

HP focuses on simplifying technology experiences for all of its customers - from individual consumers to the largest businesses. With a portfolio that spans printing, personal computing, software, services and IT infrastructure, HP is among the world's largest IT companies, with revenue totaling $104.3 billion for the four fiscal quarters ended Oct. 31, 2007. More information about HP is available at www.hp.com.


Fast facts

• HP was incorporated in 1939.
• Corporate headquarters are in Palo Alto, California.
• Mark Hurd is president and CEO.
• HP is a US Fortune 14 and a Global Fortune 41 company, with revenue totaling $104.3 billion for the fiscal year ended Oct. 31, 2007.
• HP has 150,000 employees doing business in more than 170 countries around the world.

Technology leadership

HP's three business groups drive industry leadership in core technology areas:

• The Personal Systems Group: Business and consumer PCs, mobile computing devices, and workstations
• The Imaging and Printing Group: Inkjet, LaserJet and commercial printing, printing supplies, digital photography, and entertainment
• The Technology Solutions Group: Business products including storage and servers, managed services, and software

Contribution

HP strives to be an economic, intellectual, and social asset to each country and community in which we do business. Key areas of contribution are electronic waste, raising standards in our global supply chain and increasing access to information technology.

Growth

HP is focused on three technology shifts that have the power to transform our customers' lives and businesses:

• Next-generation data center
• Always on, always connected mobile computing
• Ubiquitous printing and imaging

For more information, visit www.hp.com.

About HP's Security Practice

HP takes a holistic approach to security that includes the people, process and technology to ensure the effectiveness of the security solution. HP Services assists in defining a security strategy specifically tailored to the customer's environment and business processes. As a leader in IT management, and more specifically IT service management, HP Services brings tremendous breadth and depth of management expertise to every consulting engagement. Our expert security staff includes Certified Information Systems Security Professionals (CISSPs) and certified Sysadmin, Audit, Network, Security (SANS) individuals who bring extensive experience in multi-vendor platforms including HP-UX, IBM AIX, Sun Solaris, OpenVMS, Microsoft Windows, and Linux. As a member of the Information Technology Information Sharing and Analysis Center (IT-ISAC), HP's security services team stays abreast of the latest information on cyber security issues and utilizes proven best practices and methodologies such as BS 7799/ISO 17799.


Table of contents

Introduction Note . . . . . i
Introduction . . . . . ii
The Security Landscape . . . . . ii
HP's Security Framework . . . . . iii
Business Context . . . . . iii
Governance and Compliance . . . . . iii
Proactive Security Management . . . . . iv
Identity Management . . . . . iv
Trusted Infrastructure . . . . . iv
Security Handbook Contents . . . . . v
Bringing the HP Security Strategy to Market: HP Secure Advantage . . . . . vi


Chapter One: Governance and Compliance

1. Definition . . . . . 1-1
2. Purpose . . . . . 1-2
3. Why Have Governance? . . . . . 1-3
4. The Importance of Information Assets . . . . . 1-3
5. Information Security Defined . . . . . 1-3
5.1. Board of Directors' Responsibilities . . . . . 1-4
5.2. IT Responsibilities . . . . . 1-4
6. Regulatory Standards . . . . . 1-4
6.1. International Standards . . . . . 1-5
6.2. When to Use the International Standards . . . . . 1-6
6.3. Best-Practice Legislation . . . . . 1-7
6.4. Privacy Aspects and Issues . . . . . 1-7
7. The Governance and Risk Management Lifecycles . . . . . 1-8
7.1. Process Steps . . . . . 1-9
7.2. Gap Analysis . . . . . 1-9
7.3. Risk Analysis . . . . . 1-10
7.4. Security Control Architecture . . . . . 1-12
7.5. Security Implementation Architecture . . . . . 1-14
7.6. Implementation . . . . . 1-15
7.7. Support, Manage, and Operate . . . . . 1-15
7.8. Audit and Test . . . . . 1-15
7.9. Review and Update . . . . . 1-15
8. Managing Governance in Practice - Information Security Service Management (ISSM) . . . . . 1-16
8.1. ISSM Control Model . . . . . 1-17
9. Moving to Continuous Compliance . . . . . 1-20
9.1. Comparison of Standard and Continuous Compliance . . . . . 1-20
9.2. Continuous Compliance Example . . . . . 1-21
9.3. The Efficiency of Continuous Compliance . . . . . 1-21
10. Using Models and Model-based Technologies to Support Security Governance . . . . . 1-22
11. The Economics of Security: An Example . . . . . 1-23
12. Key Performance Indicators and Metrics . . . . . 1-25
13. New Model-based Analysis Approaches to Support Risk Analysis - Trust Economics . . . . . 1-26
14. HP Governance Services . . . . . 1-26
15. Security and HP's Vision . . . . . 1-27
16. Governance Summary . . . . . 1-28

Chapter Two: Proactive Security Management

1. Definition . . . . . 2-2
1.1. Managing Protection Proactively and Reactively . . . . . 2-2
1.2. Responding to Changing Business Models . . . . . 2-2
1.3. Integrating with IT Management . . . . . 2-3
1.4. Maintaining Acceptable Security and Risk Levels . . . . . 2-3


2. Purpose . . . . . 2-3
2.1. Protecting Against Increasing Threats . . . . . 2-3
2.2. Enabling Changing Trust Models . . . . . 2-4
2.3. Managing Increased Process Complexity . . . . . 2-4
2.4. Complying with Changing Regulations . . . . . 2-5
2.5. Purpose of Proactive Security Management Depends on More Than Technology . . . . . 2-5
2.6. IT Management Trends and Security Management . . . . . 2-5
3. HP Proactive Security Management Framework . . . . . 2-6
3.1. Compliance, Security Monitoring and Reporting . . . . . 2-7
3.2. Vulnerability Management . . . . . 2-7
3.3. Content Management . . . . . 2-7
3.4. Identity Management Integration . . . . . 2-8
3.5. Host Management . . . . . 2-8
3.6. Intrusion Detection and Prevention . . . . . 2-9
3.7. Problem Management . . . . . 2-10
3.8. Investigations and IT Forensics . . . . . 2-10
3.9. Security Program Administration . . . . . 2-10
3.10. Incident Management . . . . . 2-11
3.11. Risk Management . . . . . 2-11
3.12. IT Administration Integration . . . . . 2-11
4. HP Proactive Security Management Offerings . . . . . 2-12
4.1. HP Proactive Security Management Services . . . . . 2-12
4.2. HP Proactive Security Management Products . . . . . 2-19
5. Proactive Security Management Summary . . . . . 2-28

Chapter Three: Identity Management

1. Definition . . . . . 3-1
2. Purpose . . . . . 3-1
3. What is a Digital Identity? . . . . . 3-2
4. Identity Management Components . . . . . 3-4
4.1. Data Repository Components . . . . . 3-4
4.2. Security Components . . . . . 3-4
4.3. Lifecycle Components . . . . . 3-5
4.4. Consumable Value Components . . . . . 3-5
4.5. Management Components . . . . . 3-5
4.6. The Effect of Policies on Management Components . . . . . 3-5
5. Key Elements of Identity Management Solutions . . . . . 3-6
5.1. Identity Management Standards . . . . . 3-6
5.2. Deployment Models . . . . . 3-7
5.3. Complexity and Competing Demands . . . . . 3-7
5.4. Safe Digital Identity Management . . . . . 3-8
5.5. Product and Solution Interoperability Challenges . . . . . 3-8
6. Identity Management Trends . . . . . 3-8
6.1. Identity Services . . . . . 3-8
6.2. Business-driven Identity Management . . . . . 3-9
6.3. Identity-Capable Platforms and Device-based Identity Management . . . . . 3-9
7. Summary of Identity Management Concepts . . . . . 3-10


8. HP Identity Management Products and Solutions . . . . . 3-10
8.1. Identity Repositories . . . . . 3-11
8.2. Security Components . . . . . 3-12
8.3. Privacy Management . . . . . 3-18
8.4. Identity Lifecycle Management . . . . . 3-21
8.5. Federated Identity Management . . . . . 3-21
8.6. HP's National Identity System . . . . . 3-23
9. Successfully Approaching Identity Management . . . . . 3-27
9.1. Review and Envision Phase . . . . . 3-27
9.2. Definition Phase . . . . . 3-27
9.3. Design and Implementation Phase . . . . . 3-27
9.4. Identity Management Success Factors . . . . . 3-27
10. HP Identity Management Services . . . . . 3-28
11. Identity Management Summary . . . . . 3-29

Chapter Four: Trusted Infrastructure

1. Definition . . . . . 4-1
2. Purpose . . . . . 4-1
2.1. Perimeter Security: Keep the Bad Guys Out . . . . . 4-2
2.2. Trusted Infrastructure: Let the Right People In and the Right Devices On… . . . . . 4-3
2.3. Ongoing Evolution . . . . . 4-3
3. Infrastructure Technology Directions . . . . . 4-3
3.1. Network Security Developments . . . . . 4-3
3.1.1. From the Fortress Enterprise to the Adaptive Edge . . . . . 4-3
3.1.2. Network-enforced Security Compliance . . . . . 4-4
3.2. Host Security Developments . . . . . 4-4
3.2.1. Operating Systems . . . . . 4-4
3.2.2. Hardware Platforms . . . . . 4-5
3.3. Encryption and Key Management Developments . . . . . 4-5
4. HP's Strategic Focus . . . . . 4-6
4.1. Achieving Security through Open Standards . . . . . 4-6
4.2. Trusted Computing for Trusted Infrastructures . . . . . 4-6
4.3. Network Access Control (NAC) . . . . . 4-10
4.4. Secure Development . . . . . 4-13
5. Host Security . . . . . 4-15
5.1. Environment . . . . . 4-15
5.2. Principles of Design for the Enterprise . . . . . 4-17
5.3. Implementing Secure Platforms . . . . . 4-18
5.4. HP Host Security Products and Solutions . . . . . 4-28
5.5. Host Security Summary . . . . . 4-44
6. Network Security . . . . . 4-45
6.1. Environment . . . . . 4-45
6.2. Network Security Analysis and Planning . . . . . 4-46
6.3. Principles of Design . . . . . 4-49
6.4. Securing Network Perimeters and Managing Network Access . . . . . 4-50
6.5. Securing Wireless Access . . . . . 4-53
6.6. IPv6 Security . . . . . 4-56


6.7. Best Practices for Secure Networks . . . . . 4-59
6.8. HP Network Security Products and Solutions . . . . . 4-65
6.9. HP Partner Secure Network Offerings . . . . . 4-71
6.10. Network Security Summary . . . . . 4-71
7. Storage Security . . . . . 4-71
7.1. Environment . . . . . 4-71
7.2. Principles of Risk Mitigation . . . . . 4-72
7.3. Secure Storage Priorities . . . . . 4-74
7.4. HP Secure Storage Solutions . . . . . 4-74
7.5. Storage Security Summary . . . . . 4-75
8. Imaging and Printing Security . . . . . 4-75
8.1. HP's Imaging and Printing Security Framework . . . . . 4-76
8.2. Secure the Imaging and Printing Device . . . . . 4-76
8.3. Protect Information on the Network . . . . . 4-78
8.4. Effectively Monitor and Manage . . . . . 4-79
8.5. HP Secure Print Advantage . . . . . 4-80
8.6. Imaging and Printing-related Certification and Standardization . . . . . 4-81
8.7. Conclusion . . . . . 4-83
9. HP Trusted Infrastructure Services . . . . . 4-83
10. Trusted Infrastructure Summary . . . . . 4-84

Chapter Five: Innovation in Information Security

Introduction . . . . . 5-1
1. Trust Economics . . . . . 5-3
2. Identity Management . . . . . 5-4
2.1. Content Aware Access Policies . . . . . 5-4
2.2. Role Discovery . . . . . 5-5
3. Trusted Infrastructure . . . . . 5-5
4. Assurance . . . . . 5-7
5. Threat Management . . . . . 5-7
6. Quantum Cryptography . . . . . 5-9
7. Memory Spot Technology . . . . . 5-10
8. Trusted Printing . . . . . 5-11
9. Conclusion . . . . . 5-11

Conclusion . . . . . 6-1

Appendix A: Principles of Design for Network Security . . . . . A-1

Appendix B: Types of Firewalls and Open Systems Interconnection (OSI) Layers of Operation . . . . . B-1

Appendix C: Authentication, Authorization and Auditing (AAA) Servers . . . . . C-1


"The HP Security Framework covers the range of security, governance and risk management subjects required of a truly professional security programme. Security is not just a technology issue, neither is it just a single-point problem. Only by stepping back and seeing the whole risk picture can good security be made to work, and I applaud the authors of the Security Handbook in getting this message across."

- Dr Paul Dorey, CISO, BP plc, and Chairman of the Institute of Information Security Professionals (IISP)

Introduction Note

Apart from being the world's largest IT company, in many other ways, HP is a unique IT company. No other company develops the same breadth and depth of technology across all market segments - from consumer to enterprise, from small and midsize businesses to the public sector - spanning so many types of computing devices, protocols, standards, and applications. Security is and will remain a prime focus for HP across our complete portfolio because customers expect that everything that they buy from HP is secure.

The HP Security Handbook provides a view of all the different threads of security in which HP works. We plan to update the content regularly; the handbook is an evolving document that tracks new developments, adds new information as it becomes available, and presents industry standards and initiatives important to security as they mature. Much of the content focuses on the three pillars of HP's security strategy - identity management, proactive security management, and trusted infrastructures. These are all "big plays", places where HP believes that we can make a real difference in the way that people use technology.

I cannot think of a bigger challenge than building truly trustworthy infrastructures composed of new hardware architectures, new operating systems, and new applications. Federated identity management will help to liberate users from the tyranny and insecurity of multiple user name and password pairs. And proactive security management is HP's way of declaring to the security industry that it's time to stop reacting to threats and begin building intelligence in servers and other network components to better resist unauthorized intrusions. Because HP is such a large company, we have a special responsibility and role within the IT industry to help chart the future, and that's what the HP security strategy sets out to do. Big plays don't happen overnight - but these plays form the core of our strategy because they are worthwhile and will make a difference.

In addition to describing HP's security strategy, this handbook illustrates the broad sweep of security activity across the range of the company's offerings, from services to the fundamental security features incorporated in HP operating systems. It also describes the work of the Trusted Systems Laboratory and how HP researchers look at future security challenges. Commentators often say that the only guarantee regarding technology is change; this is especially true for security technology. HP's investment in research has already provided great benefits, and we expect this trend to continue.

Tony Redmond
Vice President, HP Security Office


Introduction

Information security is a fundamental necessity and enabler for modern business. Because information technology infrastructures provide the ability for enterprises to automate, adapt, and accelerate their business strategies, information security is essential for safeguarding business continuity. Whether enabling secure sharing and collaboration with partners, preventing or detecting insider attacks, or defending against indiscriminate vandalism by unseen and random network attackers - information security is a key element of any IT infrastructure.

Security, however, is not a simple commodity that can be ordered by weight and bolted on to an IT infrastructure. Security considerations should permeate every aspect of IT - from the design of applications and infrastructure to the mechanisms for managing their deployment; from discrete components that protect specific functions to the design of business objectives and the governance of corporate policy; from the management of technology to the management of people.

Measuring security is also difficult - how safe are we at any point? Unlike processor speed or storage capacity, we do not measure security in simple units - except after an incident, when we can objectively demonstrate that the deployed security mechanisms are inadequate. As a result, enterprise security is traditionally mired in a cycle of reactive crises.

The Security Landscape

Enterprises face a rapidly changing environment that demands a proactive stance for information security. Key factors driving this change include:

• Unrelenting presence of security incidents throughout the industry

• Ever-increasing sophistication of attack

• Government regulation

• Changes in IT infrastructure to accommodate changing business

Continuing presence of security incidents

High-profile security breaches have made network security one of the most important concerns for corporate and government networks. In the recent past, the rate of security incidents grew at a tremendous rate. More recently, the rate of attacks has leveled off, but many attacks now target specific victims or resources rather than the indiscriminate attacks prevalent earlier in the decade. As reported in the 2007 edition of the CSI Computer Crime and Security Survey, the average reported annual loss from security incidents doubled from the previous year.

Increasing sophistication of attacks

The emergence of targeted attacks is coupled with an increase in the sophistication of attacks. Not only are specific victims selected for attack, but unrelated organizations or individuals are also attacked so that their systems can serve as staging points for stealthy attacks on the intended victim. An underground economy has emerged for access to compromised systems, whether for direct exploitation or for use in staging subsequent attacks.

Government response through regulation

Governments have not ignored the increasing threat to commerce. Many governmental entities have enacted or are preparing legislation to require business attention to information security issues.


Figure i-1: Sample regulations affecting security


Regulatory mandates such as the Sarbanes-Oxley Act of 2002, the California Database Protection Act of 2001, the Gramm-Leach-Bliley Act (GLB), the Health Insurance Portability and Accountability Act (HIPAA), and the Basel II Accord are an additional catalyst for applying due diligence in the security decision and implementation process. These laws impose strict requirements on enterprises to establish, identify, document, test, and monitor necessary internal control processes. Because information technology supports most, if not all, of these processes, these laws significantly affect companies' security strategies. These new regulations drive security designers and architects to impose and maintain the proper security controls throughout their enterprise.

Changing business objectives and streamlining processes

The need for business agility is driving the development of proactive security capabilities. Ad-hoc security implementations often interlock the various components of a business application, which limits the overall ability to adapt, increases the cost to operate, and often leads to diminishing protection through an application's lifetime. Enabling rapid flexibility requires an overall process for managing and evolving an organization's IT security.

HP's Security Framework

Delivering a safer enterprise IT environment aligned to defined levels of security and risk requires a framework for rapid and effective response to threats and to changes in corporate business objectives. HP's security framework, shown in Figure i-2, enables a holistic way to proactively define and deliver security across the enterprise.

The key areas represented in this model include the three areas in which HP is investing to create innovation and differentiation: identity management, proactive security management, and trusted infrastructure. The fourth area, governance, includes the supporting services and tools that HP delivers to ensure that IT security solutions meet business objectives.

Business Context

The top level of the security framework consists of the key drivers, including business objectives, operational risk, and regulatory and legal compliance. Businesses and organizations have a set of major objectives or missions that drive their existence. In addition, they must manage operational risk and meet regulatory and legal compliance. All of these factors have direct security implications that drive the overall security strategy of a business or organization.

From the security perspective, examples of threats that directly affect the highest levels of a company or an organization include:

• Theft of intellectual property or digital assets

• Disruption of critical services or infrastructure that leads to lost revenues, contractual breaches, or regulatory violations

• Public disclosure of sensitive information, whichnegatively impacts brand identity or competitiveadvantage

Governance and Compliance

Governance refers to the controls and policies thattranslate high-level business objectives, operationalrisks, and regulatory needs into the directives,objectives, and policies that drive security mecha-nisms. Governance is a strategic component of everytechnology optimization initiative. It includes businesslogic, business procedures, managerial processes,and operational processes that are all supported byspecific, lower-level policies for IT operations andsecurity.

Figure i-2 HP's security framework (figure: Business Objectives, Operational Risk and Regulatory Compliance at the top; Identity Management, Proactive Security Management and Trusted Infrastructure beneath; Governance and Compliance as the base)

Proactive Security Management

Proactive security management focuses on managing security functions in support of business and organizational goals and processes. The fundamental goal of this area is to ensure that protection mechanisms operate appropriately during setup, operation, and decommissioning of various IT services. Proactive security management:

• Manages the protection of data, applications, systems, and networks, both proactively and reactively

• Supports changing business and organizational models and responds to a changing threat environment

• Maintains the level of security and operational risk defined by a company or organization

Identity Management

Identity management is the ability to identify every user, application, or device across an organization or business. It provides flexible authentication, access control, and auditing while respecting privacy and regulatory controls.

Delivered via a set of processes and tools for creating, maintaining, and terminating a digital identity, identity management allows administrators to manage large populations of users, applications, and systems quickly and easily. The tools permit selective assignment of roles and privileges, which facilitates compliance with regulatory controls and contributes to privacy-sensitive access controls.

Trusted Infrastructure

Trusted infrastructures are composed of hardware platforms, together with their operating environments and applications, which behave in an expected and predictable way for their intended purpose. Trusted infrastructures must support the IT applications underlying the most critical business processes. When IT infrastructure technologies fail to keep pace with emerging threats, we no longer trust them to sustain the applications we depend on in both business and society.

A trusted infrastructure reliably manages and controls access to information assets while delivering the power required for critical business processes. It helps implement appropriate technologies to secure the end-to-end IT infrastructure of a company or organization, worldwide - including data centers, networks, productivity tools, end-user desktops, and wireless devices.

The need for a trusted IT infrastructure flows from our increasing reliance on IT systems to do everything from running our business to running our society's utilities. Just as our dependence on IT permeates all aspects of society, security capabilities must permeate all aspects of IT infrastructure. Security must be built in, not bolted on, at the platform level, at the network level, and in the very processes used for developing systems.


Security Handbook Contents

HP recognizes the complexity of large, distributed IT environments and takes a proactive approach to enterprise security. We secure the Adaptive Enterprise with planning and preparation, rather than simply reacting to changes in the landscape. This handbook outlines HP's strategy for information security and summarizes the products, solutions, and services that address the security needs of enterprise customers. It focuses on the three pillars of HP's security strategy: proactive security management, identity management, and trusted infrastructures. Along with overarching governance considerations, these three areas bring organizations and companies a safer IT environment that can respond to changing threats and business objectives.

This edition of the handbook introduces a section on innovation in information security pursued at HP Laboratories, HP's central research organization. Uncoupled from product and services organizations, HP Labs' mission is to deliver breakthrough technologies that create opportunity beyond HP's current strategies. Some of the work performed at HP Labs has generated new capabilities which are reported throughout the handbook. This chapter addresses aspects of the longer-term challenge in information security and the work pursued by HP Labs to overcome them.

This handbook is intended for CIOs, security administrators, and other staff who are responsible for their organization's IT security and infrastructure. Each chapter begins with the definition and purpose of the topic before moving on to discuss details such as the threat environment, related trends, underlying technologies, and challenges. Each chapter concludes with information about solutions that address the security needs discussed.


Bringing the HP Security Strategy to Market: HP Secure Advantage

Security today is higher on the CIO/CTO agenda than it ever was before. They believe that security is a fundamental necessity and enabler of business outcomes. They want to be able to use HP products and plug them together easily in a secure manner. HP Secure Advantage is the framework under which this will take place. Imagine data protected from desktop to data center, from laptop to printer, throughout the network with no gaps; no places where the data has to be decrypted and re-encrypted to transition to another product. Imagine being able to demonstrate to internal and external auditors that you have a trusted infrastructure and that your data in any form is protected so that you can easily add the people processes to meet your compliance demands; that is the promise of Secure Advantage.

As this Security Handbook illustrates, HP has a unique breadth of products, from laptops to servers and storage and software to printers, using HP network components. This is why HP created the Secure Advantage framework and a portfolio of products and services to meet our customers' needs for secure data and infrastructure protection. Fortunately, HP has a 35 year history in security and is leveraging this expertise to deliver the HP Secure Advantage portfolio. This is especially important today as customers adopt the 24 by 7 next-generation data center model that enables the shift of high-cost IT silos to low-cost, pooled IT assets in order to optimize infrastructures to reduce cost, increase agility, and improve quality of service. Security is a key enabler of HP's Adaptive Infrastructure (AI) offering that provides the platform for the next-generation data center and a linkage of Security to other AI enablers such as IT Systems and Services, Power and Cooling, Management, Virtualization and Automation.

Since security and compliance are an absolute necessity for businesses today, the HP Secure Advantage portfolio is designed to enable enterprises to fully automate, optimize and accelerate their IT infrastructures securely with proper validation in order to achieve better business outcomes by mitigating risk. In order to accomplish this goal across the Enterprise, HP is establishing leadership for solutions in information security, key management and compliance.

The HP Secure Advantage vision builds on today's security technologies to create a more manageable way for customers to leverage encryption and key management to protect their resources and data, and validate they are compliant with a growing set of government and industry mandates.

The HP Secure Advantage portfolio takes a layered and integrated approach and helps you extend the value of your enterprise by the following steps - as illustrated in Figure i-3 and explained in the following paragraphs:

Figure i-3 HP Secure Advantage overview (figure: three steps. 1 Protect resources: improve availability and protect networks, systems, applications, software and DBMS using trusted platforms; minimize disruptions due to security breaches with a trusted and hardened infrastructure. 2 Protect data in all its forms, at rest, in transit and in use, using encryption and identity management in combination with other proactive security management techniques. 3 Provide validation: establish a secure audit trail across the organization as proof for compliance for internal and external auditors, with real-time alerts; encryption and key management working with integrated compliance solutions across the organization. Columns: technology; people and process. Caption: HP Secure Advantage solutions mitigate risk, your secure end-to-end business advantage)

Protect your resources by improving availability and protecting your networks, systems, applications, software and DBMS using trusted platforms. Minimize IT disruptions due to security breaches with a trusted and hardened infrastructure:

• Multiple OS platforms with the highest level of certification provide maximum proactive protection.
• Configuration and patch management provide continuous protection in a changing environment.

Protect your data in all its forms: data at rest, data in transit, and data in use. Use encryption and Identity Management in combination with other proactive security management techniques such as Security Event and Information Management:

• Encryption of critical data at rest, in use or in motion increases protection.
• HP extends this protection from desktops to servers and printers with focused Key Management.

Provide validation to you by establishing a secure audit trail across the organization as proof for compliance for internal and external auditors with real-time alerts. Utilize encryption and Key Management, working with integrated compliance solutions across organizations.

• Validate at necessary audit points to enable audit trails for compliance to industry regulations.
• Future integration of encryption and Key Management across an organization will provide end-to-end protection.

These elements are more integrated under the Secure Advantage portfolio framework and can be customized to your unique needs by HP Services through our Information Security Service Management (ISSM) Reference Model, which establishes a rational basis for security decision-making, ensuring security controls align, and helping optimize business outcomes.

Table i-1 provides a set of examples of key HP Secure Advantage products and services. The table also shows the corresponding HP Security Handbook chapters, sections and pages that provide more detail on these HP Secure Advantage offerings.

Table i-1 HP Secure Advantage products and services examples and HP Security Handbook links

HP Secure Advantage Product/Service | HP Security Handbook Link

Protect your Resources
HP Configuration Management | Chapter 2 - Proactive Security Management: Section 4.2.3.3.1, page 2-23
HP ProLiant Essentials Vulnerability and Patch Management Pack | Chapter 2 - Proactive Security Management: Section 4.2.3.3.2, page 2-24

Protect your Data
HP Compliance Log Warehouse | Chapter 4 - Trusted Infrastructure: Section 7.4.3, page 4-73
HP Secure Print Advantage (SPA) | Chapter 4 - Trusted Infrastructure: Section 8.5, page 4-78
HP StorageWorks Secure Key Manager | Chapter 4 - Trusted Infrastructure: Section 7.4.2, page 4-72
HP ProtectTools | Chapter 3 - Identity Management: Section 8.2.2.1, page 3-16; Chapter 4 - Trusted Infrastructure: Section 5.4.1, page 4-28
HP-UX 11i security | Chapter 4 - Trusted Infrastructure: Section 5.4.3.1, page 4-31
Linux security enhancements | Chapter 4 - Trusted Infrastructure: Section 5.4.3.3, page 4-36
HP NetTop | Chapter 4 - Trusted Infrastructure: Section 5.4.2, page 4-30
HP Application Security Center | Chapter 2 - Proactive Security Management: Section 4.2, page 2-19; Chapter 4 - Trusted Infrastructure: Section 5.4.6, page 4-42
HP ProCurve Identity Driven Manager | Chapter 4 - Trusted Infrastructure: Section 6.8.2.2, page 4-65
HP Trusted Compliance Solution for Energy (TCS/e) | Chapter 4 - Trusted Infrastructure: Section 5.4.5, page 4-42

Provide Validation
HP Services Information Security Service Management (ISSM) | Chapter 1 - Governance and Compliance: Section 8, page 1-16

Chapter 1 Governance and Compliance

"Directors’ responsibilities to shareholders and corporate governance legislative guidelines cannot be met unless internal control is based upon rigorous risk assessment, security and security management and is established by assessing the business impact of loss." - John McCain, Senior Vice President, HP Services

The role of governance has never been more critical. Corporate leaders are required to move from a best-practices approach to a legislated approach to asset protection, and IT departments are charged first with delivering business value while also reducing operational risk through the establishment of effective business controls, all while providing continuous compliance, state attestation and reporting. HP recognizes this dilemma and has developed a security framework for governance that provides the overall structure for implementing business objectives, complying with regulations, adhering to risk strategies, and protecting information assets. Security governance supplies a critical link between business management and IT.

This chapter begins by defining governance and the responsibilities of company officers in meeting legislative requirements. It details the recommended governance lifecycle and the steps that need to occur to achieve the objectives of compliance with business and regulatory requirements. The chapter ends with a review of how to move from a static to an operational view of governance and continuous compliance.

1. Definition

Governance refers to the controls and policies that translate high-level business objectives, operational risks, and regulatory needs into the directives, objectives, and policies that drive security mechanisms.

Governance is a strategic component of every business technology optimization initiative. It contains business logic, business procedures, and managerial and operational processes, which are supported by more specific, lower-level policies for IT operations and security. Governance is often classified and tiered as corporate governance, IT governance, and security governance.

Corporate governance is the process by which a company's board of directors achieves two objectives for shareholders:

• The efficient use of business assets and resources
• The availability of assets for new business to maximize shareholder return

Corporate governance achieves these objectives by defining the risk profile of the company's businesses and investing in appropriate controls to allow the organization to function effectively with minimal operational disruptions within their regulated requirements. It explicitly defines the risk appetite of the enterprise and the mitigation methods for anticipated and unforeseen risks. These mitigation methods are developed by functional staff (including IT), but the board of directors should review, understand, and agree to them.

Various regulations formalize corporate governance, either specifying adherence to the recognized industry best practices or dictating a very prescriptive process, such as Sarbanes-Oxley. However, complying with regulations does not guarantee good governance. Noncompliance with regulations, on the other hand, is a fairly sure sign of poor governance.

Figure 1-1 Governance and Compliance (figure: the HP security framework of Figure i-2, with Governance and Compliance as the base spanning Corporate, Security and IT governance)

"Due diligence is the objective, governance is the process used to achieve the objective and compliance is the way you measure achievement of the objective." - Stuart Hotchkiss, HPS Consulting and Integration

The intent of most regulatory acts such as Sarbanes-Oxley is to remove subjectivity from governance. In the past, codes of practice and best practices have been common methods for demonstrating suitable governance, and auditing has been used to prove control. This has been acceptable as long as the results were satisfactory and fraud was not proven. However, regulatory compliance is often perceived as the most important issue. This masks the fact that regulatory compliance is designed to be an indicator of good governance - not good governance in and of itself.

Security governance is a component of corporate governance. It is the requirement of company directors to demonstrate due diligence in handling information assets on behalf of stakeholders. Security governance is composed of all the processes and decisions that affect company assets in terms of their validity, confidentiality, integrity, and availability for business. Without security governance, corporate governance objectives cannot be met simply because there can be little faith in the internal control systems.

In this context, security governance encompasses all assets and their threats. Therefore, physical building security and transport security, for example, are part of this process. When assessing risk, the threats to all assets should be reviewed. Some mitigation plans, consequently, will include IT components and some will not. In this sense, security governance is wider in scope than IT governance, as shown in Figure 1-2.

As with corporate governance, mitigation plans for security governance fall within the bounds of the risk appetite as expressed by the board of directors in the company objectives. Likewise, the board should explicitly approve the final choice of mitigation plans and the controls for each.

IT governance ensures that IT supports business requirements and that it does so efficiently and flexibly. This subject exists simply because IT and business often misunderstand each other. In particular, the differing time scales, language, priorities, expectations, and contexts of IT and business can lead to a disconnect. The IT Governance Institute (www.itgi.org) is a good source of information about best practices for IT governance and its alignment with security governance. IT governance is directly affected by security governance; IT cannot produce reliable results if security is inadequate.

IT systems, technologies, and processes are at the core of most businesses. As such, they have two important roles: to facilitate business efficiency and to mitigate business risks by implementing controls. Because they have differing impacts, it is important to understand these IT roles.

2. Purpose

Shareholders and legislators can require directors to prove that they have taken due care in the use of company assets. A company asset is anything that the company owns and uses in business - from office chairs to information. A lack of security (IT or physical) is usually caused by a lack of due care. To make it easier for company directors to prove due care, every country has a number of legislative frameworks for directors to adhere to - some are statements of self-regulated best practices and others are very prescriptive. If due care cannot be demonstrated, directors can be removed from office, fined, imprisoned, and subjected to the loss of personal property. This occurs in every country in the world today, and it came about long before the Enron scandal.

Figure 1-2 Governance overlaps (figure: overlapping circles for Corporate Governance, IT Governance and Security Governance; labels: Governance reporting and other issues not covered by business risk management; Risk not mitigated by IT; Efficiency)

3. Why Have Governance?

Governance regulations and guidelines attempt to provide a prescriptive management framework and an independent method of determining how well businesses are managed. In addition, there is an increasing need for companies to be comparable worldwide. The various stakeholders in a company have differing needs related to governance:

• Shareholders and regulators look for adherence to corporate governance control frameworks and regulations to determine how well the company is managed.
• Auditors and regulators refer to demonstrated adherence to security guidelines and control systems to determine whether the company applies basic due diligence and control.
• Management follows a security management lifecycle to ensure that business controls and IT governance needs are met.

4. The Importance of Information Assets

One of the most sensitive areas of modern business is the exposure faced by information assets. In some cases, these assets make up the majority of a company's capital, and their loss or damage can put a company out of business. A graphic example is a credit card company that exposes all of its credit card details such that massive fraud can occur. Such an event exposes the company to legal liability, lost clients, and damages. It would undoubtedly shut the company down and lead to the sanctioning of the company directors for dereliction of duty.

Security governance is comprised of all the actions that directors need to undertake to avoid such events and to prove to authorities, business partners, staff, shareholders, and clients that they are treating company assets in a secure manner. From another viewpoint, if information assets are insecure, IT cannot produce reliable results. Therefore, company directors cannot report accurately or manage assets correctly. Reporting accurately is a key component of Sarbanes-Oxley, the Basel II Accord, and most corporate control frameworks.

In this context, the scope of security governance is the security of operations relating to end products. It is not the security inherent to the product in and of itself. In a financial services business, for example, a credit instrument has the risk that the client will default. This risk falls under corporate governance. However, losing the credit instrument's details and falsifying transactions are risks within the scope of security governance.

5. Information Security Defined

Information security refers to the security of information assets. The most widely used characteristics of information security are confidentiality, integrity, and availability:

• Confidentiality means that only the user or the user's delegates have access to the information.
• Integrity means that the information is in the expected state and that it has not been changed without knowledge or permission.
• Availability means having the information when it is needed.

In reality, availability has the greatest impact. If information is not available and business must continue, is outdated information used instead?

Other characteristics that are commonly referenced include utility (whether information is in a useful state) and non-repudiation (someone who uses the information cannot deny it later). These characteristics are best viewed as consequences or applications of the three basic characteristics. For example, non-repudiation requires an application to use information that can remain confidential, unchanged, and available in a useful state.

When securing the confidentiality, integrity, and availability of information assets, organizations should examine the entire information environment. This key part of information security is often forgotten. It is common for the IT part of the security equation to be separated financially and organizationally from the wider information security environment, often with dire consequences. For example, information security cannot be guaranteed if:

• Information handling processes are not defined, including backup, restore, and off-site storage procedures for sensitive or critical data.
• Audits are not possible because a reliable current state does not exist.
• Information-processing facilities do not have adequate physical security and protection, such as appropriate fire suppression systems.
• Persons transporting (or with access to) systems or data have not been vetted.
• Information lifecycle policies and procedures - from creation to destruction - do not exist.
• People, processes and technologies do not work in concert.

These are only examples, and a framework for information security covers most areas. The key is to examine threats to the entire environment and assign mitigation methods and sufficient resources to the totality of the risks. This occurs during the risk assessment process, which should be ongoing.


5.1. Board of Directors’ Responsibilities

Within all aspects of governance, a company's board of directors is responsible for explicitly defining aspects of control and security. Legislation such as Sarbanes-Oxley requires explicit sign-off. This requirement, however, has existed in the compliance frameworks of most countries for many years, but it was rarely enforced.

Specifically, the governance responsibilities of the board of directors include:

• Understanding the subject of information security in general
• Setting direction and driving policy and strategy
• Defining and agreeing to risk appetite for defined businesses and reviewing and accepting risk mitigation proposals
• Providing resources
• Ensuring that individual roles, responsibilities, and authority are clearly communicated
• Delegating authority, but not responsibility
• Approving security measures explicitly
• Reviewing risk appetite and security measures periodically
• Implementing an organization that enables security governance, with the security department reporting directly to the board and not another business function

The board can delegate these responsibilities, but it is held accountable. For example, outsourcing IT or asset management does not alter the board's ultimate responsibility for these functions.

5.2. IT Responsibilities

By the same token, IT has a number of responsibilities. Its key function is to implement business controls. For this reason, IT should aim to fully understand business objectives. If management and IT are not in alignment (and IT does not fully understand and support the relevant business drivers and priorities), IT will not have the appropriate context in which to frame and plan security architectures.

Specific IT responsibilities for governance include:

• Participating in business impact analysis exercises with business managers
• Proposing and gaining agreement for risk mitigation strategies
• Developing architectures that implement current and potential control requirements
• Identifying threats and analyzing vulnerabilities in proposed technical components, and staying current with updates, patches, and new threat vectors
• Implementing monitoring and incident response methods
• Conducting periodic reviews with audits
• Ensuring application security during development and when acquiring applications externally
• Ensuring awareness of the need to protect information and recommending relevant user training.

Due to differing time scales or rapidly changing needs, IT projects may not synchronize with business requirements. Within this context, IT has the responsibility to inform the board of the limits and capabilities of IT and to help improve efficiency in line with business objectives.

6. Regulatory Standards

Every country has legislation concerning the requirements of directors with regard to due diligence and governance. Although some legislation and standards are very specific, the majority are non-prescriptive guidelines. As a result, most regulatory standards outline directors' responsibilities without explaining how to accomplish them.

A common theme is an external audit of a control system. The audit is usually of a financial nature to ensure the accuracy of the numbers reported. However, using audit alone as a tool to improve a control system is probably not a good idea. Accounting standards and regulations can be applied worldwide, for example, but they are influenced by local government tax policies. This makes it difficult to compare results.


Another issue with using audit only is the costassociated with control system failures. The costcan be accounted for in many ways, and themanner of accounting can impact an audit. Forexample, in the past, banks commonly accountedfor these failures as operations costs and passedthem on. Now banks have a clear obligation toseparately report any control system failures thatlead to operational losses, in a way that penalizesthe bank.

A final difficulty is that audit methods usually auditagainst a known or required state. If this state isnot defined correctly in the first place, audit is aweak tool for governance. Sarbanes-Oxley is thefirst framework and legislation that providesenough information for companies to establish aclear control system and track its performance. Thisis evidenced by older control frameworks such asSAS No. 70 where organizations audit themselvesagainst their own declared state.

Faced with these difficulties, the best course ofaction is to improve control systems from the bot-tom up. Conforming to international standardsaddresses the majority of control system problems.Organizations can then focus on the few remain-ing concerns.

6.1. International StandardsExamples that organizations use internationally todemonstrate or regulate governance include: theInternational Organization for Standardization(ISO), the Control Objectives for Information andRelated Technology (COBIT), and the Committee ofSponsoring Organizations of the TreadwayCommission (COSO).

6.1.1. The ISO/IEC 27000 Standard FamilyThis is the generic name for a whole series ofintended information security related standards.The ISO 27001 standard was published inOctober 2005, essentially replacing the old BS7799-2 standard. It is the specification for anISMS, an Information Security ManagementSystem. BS 7799 itself was a long standing stan-dard, first published in the nineties as a code ofpractice.

The ISO 27002 standard is the renaming of theexisting ISO 17799 standard, ISO 17799 being acode of practice for information security.

ISO 27003 is a proposed development to providehelp and guidance in implementing an ISMS. Thiswill include focus upon the PDCA method, withrespect to establishing, implementing reviewingand improving the ISMS itself.

As an example, best practices state that a firewallshould protect a network perimeter and that abusiness continuity plan (BCP) should addressinformation availability. However, a code of prac-tice does not address how to manage the firewall,when to update the firewall, or what process touse. Similarly, it does not define how to develop ormanage a BCP. The reason for this is clear - eachcompany has its own view about the assets toprotect and the acceptable risks. ISO 27001 givesa specification of a management system which canbe used. Although, like all standards, it can neverdefine exactly what to do for the risk appetite of aparticular company since this is a managementjudgment.

6.1.2. Control Objectives for Informationand Related Technology (COBIT)COBIT was developed by the Information SystemsAudit and Control Foundation (www.isaca.org)and the IT Governance Institute (www.itgi.org). Itprovides a broad control framework together withcontrol objectives for all of IT. COBIT splits IT into34 process areas within four domains. There is afour-step cycle from planning through monitoring,and the goal is to provide a control framework thatallows management to audit and evaluate howwell IT processes align with business.

Only a portion of COBIT focuses on informationsecurity, however. It also provides an excellentmeans of determining the degree of maturity of thecontrol systems within a company. Like ISO 17799,it defines what to do, but not how to do it. COBITadds the concepts of authenticity and non-repudi-ation as base requirements within informationsecurity, and it uses seven information criteria todefine what business requires from IT:

• Effectiveness
• Efficiency
• Availability
• Integrity
• Confidentiality
• Reliability
• Compliance


6.1.3. Committee of Sponsoring Organizations of the Treadway Commission (COSO)

The COSO report defines internal control as a process, affected by an entity's board of directors, management, and other personnel. It is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

The COSO framework is mentioned in the Sarbanes-Oxley proposals as a framework suitable to satisfy its requirements, although others such as COBIT also qualify.

The original version of COSO (Internal Control - Integrated Framework) has been augmented by the addition of the Enterprise Risk Management - Integrated Framework. It uses the same conceptual foundations but offers a broad, risk-based approach to strategic control. For more details, see www.theiia.org.

6.2. When to Use the International Standards

6.2.1. ISO 2700x Series

ISO 27002 defines best practices in fairly clear terms and covers ten main areas of business. Following this standard ensures that all areas of a business are reviewed. However, it does not ensure that security is good or sufficient. An assessment against this best-practice framework covers the following ten areas:

• Security policy
• Organization of information security
• Asset management
• Human resource security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
• Business continuity management
• Compliance

ISO 27001 defines a management system for security. An external audit can use this framework, but there are important comparability issues. For example, the scope defines which part of a company is reviewed. Unless two companies use an identical scope, there is no comparability. In addition, the Statement of Applicability (SOA) is the management assessment of whether a control is necessary or sufficient. Unless the SOAs are identical, comparability suffers.

6.2.2. COBIT

This framework is ideal for reviewing the needs and responsibilities in IT governance from a wider perspective than a pure security view. It takes the position that there are information requirements that align IT with business. The starting point is defining an IT strategic plan. Next, the plan is detailed and the necessary components are acquired and implemented. Finally, the plan is delivered, supported, and monitored.

Handling risk is an implicit understanding within the COBIT framework. However, it does not specifically examine the risk to an information asset and the subsequent mitigation process used by IT. For example, COBIT does not examine the risk of losing an invoicing system at a cost of $10,000 per day or the resulting manual and IT mitigation process. Instead, COBIT examines the risk inherent in the IT methods, and using COBIT, a business owner can be sure that an adequate, efficient control system is in place for the IT environment. Note that COBIT is weaker in general security and the process side of IT.

It is often helpful to use the control objectives of COBIT, but to report them within the framework structure of ISO 2700x. For more information about COBIT, visit www.isaca.org.


6.2.3. COSO

COSO is a comprehensive and fundamental internal control framework. As such, it is an excellent base for corporate governance. For real applicability, however, more specific frameworks and standards need to be used, such as COBIT, ISO 2700x, or other best practices that consider the impact of a control. As a general point, it is important to define the impact of a control and determine whether to use it based on the risk it helps mitigate.

Sarbanes-Oxley mentions COSO, but it is not a prerequisite for compliance. Any control system that demonstrates reliable results and follows best practices is suitable. The COSO control framework includes:

• Control environment
• Risk assessment
• Control activities
  • General controls (data center and software access)
  • Application controls (development methodologies and application controls like checksums)
• Information and communication
  • All types, but some focus on control information reports
• Monitoring
  • Continuous
  • Point

COSO is not sufficiently prescriptive to handle security in the broadest sense. There is a strong emphasis on the organizational and cultural requirements to embed risk management and control into a company, but the strong and directive links between risk, risk mitigation, and the mechanisms required in both IT and general security controls have less emphasis. Failure of any part of the underlying security mechanisms that ensure data quality can invalidate the entire control system. A concerted effort is needed to ensure the confidentiality, integrity, and availability of all information assets involved in this equation. For more information about COSO, visit www.coso.org.

6.3. Best-Practice Legislation

The most effective way to ensure that stakeholders such as legislators, auditors, clients, business partners, and staff recognize security governance is to comply with best-practice legislation. Many legislative texts affect information security, but best-practice legislation requires a complete security governance program for reliable and permanent reporting to regulators.

There are a number of important legislative frameworks dealing with different domains and applications, with common threads in terms of controls and best practices:

• Sarbanes-Oxley Act of 2002
• Basel II Accord
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLB)

These texts describe best practices and provide guidelines; however, they do not specify how to comply with them. As an example, the Basel II Accord clearly states the need for business continuity, but it does not provide details or propose the use of a standard body of knowledge, such as the Business Continuity Institute or DRI International. Faced with this, it is difficult to know how to satisfy regulators. However, as a basis for compliance with best-practice legislation, aiming to comply with the provisions of ISO 2700x and COBIT provides the foundation for compliance with all regulations and for alignment of IT security with business needs.

6.4. Privacy Aspects and Issues

Privacy management is a core concern for enterprises and people, and it requires integration with governance efforts. From an enterprise perspective, privacy management is a necessary aspect of regulatory compliance because governments and corporate guidelines require it. Regulatory laws such as Sarbanes-Oxley, GLB, HIPAA, and various governmental directives on data protection require enterprises to implement complex processes to comply with related policies.

Specifically, much work has been done in terms of privacy legislation, often driven by local or geographical needs. This includes European Community data-protection privacy laws, various U.S. privacy laws, and more specific national privacy initiatives. Guidelines are also available for protecting privacy and the flow of personal data, including the Organization for Economic Co-operation and Development (OECD) guidelines. The OECD guidelines describe concepts such as collection limitation, data quality, purpose specification principles, and online privacy policies. For more information about the OECD, visit www.oecd.org.

Enterprises store large amounts of personal (confidential) data about their employees, customers, and partners. Failure to comply with privacy policies can result in serious consequences for the reputation and brand of organizations as well as negative legal and financial impacts. Furthermore, a large enterprise with a multi-national presence might need to comply with international privacy laws. Additional countries and regions (such as South America and Japan, where privacy law came into effect in 2005) are developing privacy legislation.


Privacy legislation contains common provisions for securely handling, storing, and disseminating information. The same underlying requirements of due diligence for security governance provide the right framework of proof for this aspect of privacy legislation. Because privacy legislation is more closely monitored than governance regulations (any client, employee, or supplier can file a complaint), these security governance practices become mandatory.

7. The Governance and Risk Management Lifecycles

Ideally, business needs drive the governance lifecycle. There are many key decisions that only the board of directors or its delegates can make. The board needs to define objectives, identify the risk appetite, and explicitly sign off on mitigation plans for business risks. It must also be aware of the operations of security implementations in terms of how the operations affect governance needs.

It is common for the process of security to be technically oriented and not driven from a business perspective. This causes two main problems. First, the security equation focuses on technical assets, rather than all the assets required to conduct business. The second problem is that the analysis often examines the cost of mitigation methods (and usually chooses the least expensive) without balancing the cost with the potential business impact. This lack of synchronization often results from the perception that security is an IT problem or from a communication/organizational gap between business and IT. The need to provide evidence of governance and due diligence via this process is a major requirement.

Another common oversight is to drive the process of security with security policy. This is a partial mistake. Security policy is derived from an analysis of business needs, and policies are only one of the tools necessary to mitigate risks. Policy should be firmly placed within the mitigation area - if a business asset is of no value, then policies do not need to protect it. Business analysis must be performed to determine how much to spend on risk mitigation, because it corresponds to the business value of the resources and assets being protected.

Risk mitigation is driven by and accountable to the governance bodies of an organization. The governance bodies function in a two-tier system. First, the corporate and business governance bodies define the level of risk they are willing to accept. Second, the IT and risk management governance bodies take this input and interpret the objectives. Figure 1-3 illustrates the relationship of governance, risk management, and daily security operations.


Figure 1-3: The governance lifecycle


The information security governance lifecycle corresponds to the processes that operate across the governance areas of corporate, business, IT, risk management, and information security. The purpose of this lifecycle is to allow executive officers to exercise their risk management oversight responsibilities. It interfaces with the risk mitigation lifecycle by setting the objectives for risk mitigation, including the definition of risk appetite. Additionally, it interfaces with the risk mitigation lifecycle by consuming dashboards, Key Performance Indicators (KPIs), and audit reports. Beyond these specific interfaces, the two groups interact regularly on a more or less formal basis.

The risk mitigation lifecycle transforms the risk management objectives set by the governance bodies into controls. It implements these controls and regularly reviews their effectiveness. This lifecycle clearly separates identification of risks (based on business impact, not technology), identification of controls, design of control implementation, and implementation of controls through technology and process. This lifecycle is typically iterated once a year.

Daily security operations function continuously; this is where the IT system delivers its services to the business. This set of processes produces a massive volume of event data. The data is the base material for security audits and reports to the governing bodies.

These lifecycles take place against the background of operations, where mitigation methods are executed. The majority of these methods use IT technologies and processes. IT is responsible for efficiently implementing and managing operations, in line with IT governance principles. IT does not have sole responsibility for any of the other process steps. However, IT is responsible for providing input and feedback with respect to relevant policies and operations (where appropriate). Continuous open communication and dialogue are keys to ensuring IT alignment with process goals.

7.1. Process Steps

In a new company, the ideal first process step is to perform a business risk analysis. Subsequent steps might rely on existing architectures and may cause them to be modified. If a business has new risks, for example, it may require new policies or technologies that modify the existing security architecture. The term security architecture as used here implies all of the technology, people, and processes required to implement the security governance objectives of a business and to align these objectives with the requirements of IT governance, due diligence, and legislative compliance.

Existing organizations may choose to start elsewhere in the cycle or with a gap analysis. However, at some stage they must align with the cycle so that the driver is business impact analysis (BIA). It is simply not possible to determine how much money to spend or which mitigation methods are suitable until the potential loss is assessed. The most common mistake, which leads to overspending or underspending, is to drive the lifecycle via technology.

Note that the lifecycle presented here is a general guide; actions can vary and the content of the steps should be tailored to each organization. Some principles do apply; for example, good governance requires monitoring, a minimum yearly review of risks, and control systems to mitigate those risks.

7.2. Gap Analysis

A business that does not have a security architecture or controls is usually characterized by regular spending on a yearly or project cycle basis. From the outside, this looks like a set of remedial actions, rather than a coherent plan. In this case, it is best to start the lifecycle by performing a gap analysis, which highlights the differences between the current state and the desired future state.


Many events can trigger the need to do a gap analysis. For example:

• An audit reveals that policy was not followed.
• An intrusion reveals that the network was badly configured.
• A business outage reveals that continuity plan training was not followed properly.

It is not necessary for an event to trigger a gap analysis. A desire to move to a standard can begin a gap analysis against that standard. In addition, a gap analysis can occur at any point during the lifecycle - it is not necessarily at the beginning.

Documentation of the current expected state is the critical issue for a gap analysis. Gap analyses often show that the expected state was not documented, or that it was well documented some years ago and has evolved since. A simple example is to define and document the current expected working environment of the average PC.

There are many types of gap analyses, including:

• Standards framework: In this case, the organization's desired state is usually a framework such as ISO 27001, COBIT, or COSO. A standards framework measures the state of conformance to the standard. Defining or documenting a current state in order to measure the conformance is not necessary.
• Policy framework: Within this framework, an organization's policies, standards, and guidelines are defined and documented. The policy framework measures their implementation.
• Audit results: After an audit, the lifecycle process begins by correcting problems or issues identified in the audit results. The audit can be of any kind, including an external audit, a vulnerability test audit, or an intrusion test audit.

7.3. Risk Analysis

Risk analysis is the key process step for the governance lifecycle. As the normal starting point, risk analysis identifies all business processes and documents the applications and people processes for each. Business management performs the risk analysis to ensure that the perspective is from a business view, rather than from a technical or other view.

7.3.1. Identifying Business Processes and the Impact of Loss

The first step in risk analysis is identifying and prioritizing which business applications and processes are needed to run the business. This makes it easier to define the loss if, for example, a businessperson is asked to quantify an invoicing process or a goods receipt process. It is harder for a businessperson to define the loss of a computer. In addition, doing this from a business view clarifies potential losses and the amount of money required to prevent them.

This step is normally performed through a process of facilitation and questionnaires involving line management of each business function and IT. The result is a list of defined business processes, the losses incurred if the processes are not available, and the timing of the losses. The time factor is important because it affects mitigation. When a business process is lost, the monetary impact does not start immediately. For example, the loss of e-mail has a delayed impact because there are other ways to communicate.

It is helpful to look at all sources of loss to either a business asset or a business process using a loss matrix as illustrated in Table 1-1.


For an impact analysis, this matrix can either contain quantitatively measured impacts that project financial values of the loss, or qualitative assessments (e.g., high, medium, or low) that approximate impacts into general categories. The use of such a matrix ensures that all of the potential sources of loss are identified. It is easy to forget, for example, that embarrassment due to data modification can cause a real loss to a business.

7.3.2. Identifying Critical Assets

Business management should define the criticality of each business process or application. How long can the business run without the process and, as a direct consequence, without the asset for the process? This ensures that business management drives the requirements and that IT management provides the input for the assets needed.

During this step, the assets used to run each business process are identified. Typically these are IT assets (e.g., servers and networks), but they can also be people, processes, and tangible business assets such as buildings and data centers. Certain assets may be required for multiple processes. The intermediate result here is identification of business criticality - either on a subjective scale (e.g., high, medium, low, or scored) or an objective scale (e.g., $1,000 USD loss per hour). Objective figures may be available if a business manager can determine the monetary loss when a process is not available.

7.3.3. Identifying Threats to Assets

For each asset in each business process, the next step is to identify the potential threats to the asset and how often (in probability) they may occur. For ease, it is common to rank the priority of each business asset and deal with the most critical first. A major weakness in this area is that if objective probability data is not available, quantitative methods cannot be used. Qualitative methods should be used instead.

Table 1-1: Sample loss matrix

| Asset or Process | Financial Loss | User Disruption | Legal Impact | Confidentiality | Embarrassment |
| Disclosure | | | | | |
| Modification | | | | | |
| Unavailability | | | | | |
| Destruction | | | | | |

Table 1-2: Example risk analysis for invoicing system

| Business Process | Impact of Loss | Impact Starts | Assets | Threats |
| Invoicing system | High. $30,000 per day | After 2 days | Data center | Fire in the computer room |
| | | | Network infrastructure | Network intrusion |
| | | | Windows mail servers, directory servers, application servers | System failure |
| | | | Operations staff | Critical staff missing |


7.3.4. Result

The end result of the risk analysis is a list of business processes, corresponding assets, and the threats to each asset. Table 1-2 gives an example for an invoicing system. The key point here is agreement between business management and IT.

7.4. Security Control Architecture

This step attempts to determine the residual risk, which is the remaining risk after a mitigation plan is applied, for each threat. There are multiple ways of lowering the impact of a threat, ranging from avoidance to a mitigation plan. Mitigation plans can be based on process or technology. Within the process and technology categories, there are multiple mitigation options with differing effects and levels of residual risk. Table 1-3 and Table 1-4 outline two examples of threats and the level of residual risk corresponding to the mitigation options for each.


Table 1-3: Example #1: Threats and residual risk after mitigation

Threat: Intrusion into the network and loss of data confidentiality
Probability: Generally high
Business Impact: Embarrassment, legal action if data is private, governance impact - overall high impact

| Mitigation Options | Residual Risk and Cost |
| Firewall at the perimeter | Low cost but high residual risk; requires regular updating and the use of good processes |
| Encryption of all data | High cost, low residual risk; some application impacts |
| Firewalls on all machines | High cost, medium residual risk |
| No access in or out permitted | Low cost, high business impact |
| Network partitioning | Medium cost, medium residual risk; requires new management tools |

Controls: Security policy on data use, labeling of data sources

Table 1-4: Example #2: Threats and residual risk after mitigation

Threat: Invoicing systems unavailable due to denial of service or failure
Probability: Medium
Business Impact: Very high. Direct losses sustained due to inability to invoice; impacts accounts receivable and direct sales opportunities

| Mitigation Options | Residual Risk and Cost |
| Manual invoicing system | Low residual risk but high cost of implementing and training |
| Hot swap system | Medium cost but medium residual risk since it covers systems only |
| BCP including all related systems | High cost but zero residual risk and alignment with governance requirements |

Controls: BCP plan rehearsals, successful completion of training for all staff


Figure 1-4: Types of control and use example

In these examples, there are multiple choices of mitigation and residual risk. The key point of using this methodology is that business managers base their choices on their definition of acceptable residual risk. This is stressed because, in practice, these choices are often made as technical decisions.

The output from this step is a set of mitigation choices per threat, an approved set of residual risks, and a set of controls that determine if the mitigation plans are working. In the examples given in Tables 1-3 and 1-4 (see highlights), business management chooses:

• Example 1. Encryption of all data: High cost, low residual risk, and some application impacts.
• Example 2. BCP including all related systems: High cost but very low residual risk and alignment with governance requirements.

Ideally, for each threat, the business impact, the risk mitigation costs, and the residual risk position should be stated in monetary terms.
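To make the reasoning of sections 7.3 and 7.4 concrete, the following is an added worked example (not from the handbook) that encodes the invoicing-system case of Tables 1-2 and 1-4: the delayed start of loss, expected loss per threat, and the comparison of mitigation options against the residual risk business management is willing to accept. The $30,000 per day figure and the 2-day delay come from the page; the probabilities, outage lengths, control costs, and all function names are assumptions chosen for illustration.

```python
"""Added example (not from the handbook): the risk-analysis (7.3) and control-selection
(7.4) steps worked for the invoicing system of Tables 1-2 and 1-4. The $30,000/day loss
and the 2-day delay are from the page; every other figure is an assumed value."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BusinessProcess:
    """A business process identified in step 7.3.1, with an objective loss figure."""
    name: str
    loss_per_day: float        # monetary loss per day of unavailability
    impact_starts_after: int   # days of outage before the loss starts accruing
    assets: List[str] = field(default_factory=list)

    def impact_of_outage(self, outage_days: int) -> float:
        """Loss for an outage of the given length, honouring the delayed start:
        the page's point that the monetary impact does not begin immediately."""
        return max(0, outage_days - self.impact_starts_after) * self.loss_per_day


@dataclass
class Mitigation:
    """One mitigation option, as in the rows of Tables 1-3 and 1-4."""
    name: str
    annual_cost: float           # yearly cost of the control (assumed)
    residual_probability: float  # chance the threat still causes an outage
    residual_outage_days: int    # outage length that remains once the control works


@dataclass
class Threat:
    """A threat to an asset (step 7.3.3); probability is None when no objective data exists."""
    description: str
    probability: Optional[float]   # annual probability of occurrence, or None
    outage_days: int               # outage length if unmitigated
    options: List[Mitigation] = field(default_factory=list)


def analysis_method(threat: Threat) -> str:
    """The page's caveat: without objective probability data, quantitative
    methods cannot be used and qualitative methods are needed instead."""
    return "quantitative" if threat.probability is not None else "qualitative"


def expected_annual_loss(process: BusinessProcess, probability: float, outage_days: int) -> float:
    """Expected loss per year = probability of the outage x its business impact."""
    return probability * process.impact_of_outage(outage_days)


def evaluate_options(process: BusinessProcess, threat: Threat) -> dict:
    """Per option: residual expected loss and total yearly cost (control plus residual
    loss), beside the unmitigated baseline, so business management can compare."""
    if analysis_method(threat) != "quantitative":
        raise ValueError(f"{threat.description}: no probability data, use qualitative methods")
    baseline = expected_annual_loss(process, threat.probability, threat.outage_days)
    rows = {}
    for opt in threat.options:
        residual = expected_annual_loss(process, opt.residual_probability, opt.residual_outage_days)
        rows[opt.name] = {"control_cost": opt.annual_cost, "residual_loss": residual,
                          "total_cost": opt.annual_cost + residual, "loss_avoided": baseline - residual}
    return {"unmitigated_loss": baseline, "options": rows}


def choose_option(process: BusinessProcess, threat: Threat, acceptable_residual_loss: float) -> Optional[str]:
    """Cheapest option (control cost plus residual loss) whose residual expected loss is
    within what business management accepts; None if nothing qualifies. The acceptable
    figure is the business decision the page insists on, not a technical choice."""
    rows = evaluate_options(process, threat)["options"]
    eligible = {n: r for n, r in rows.items() if r["residual_loss"] <= acceptable_residual_loss}
    return min(eligible, key=lambda n: eligible[n]["total_cost"]) if eligible else None


# Constructed data mirroring Tables 1-2 and 1-4: $30,000/day after 2 days is from the page;
# the 0.25 annual probability, outage lengths and control costs are assumptions.
INVOICING = BusinessProcess("Invoicing system", loss_per_day=30_000, impact_starts_after=2,
                            assets=["Data center", "Network infrastructure", "Application servers"])
OUTAGE_THREAT = Threat(
    "Invoicing systems unavailable due to denial of service or failure",
    probability=0.25, outage_days=10,
    options=[
        Mitigation("Manual invoicing system", 120_000, residual_probability=0.25, residual_outage_days=3),
        Mitigation("Hot swap system", 60_000, residual_probability=0.25, residual_outage_days=5),
        Mitigation("BCP including all related systems", 150_000, residual_probability=0.25, residual_outage_days=2),
    ],
)
# A threat for which business management has no objective probability figure.
UNQUANTIFIED_THREAT = Threat("Fire in the computer room", probability=None, outage_days=30)

if __name__ == "__main__":
    report = evaluate_options(INVOICING, OUTAGE_THREAT)
    print(f"Unmitigated expected loss: ${report['unmitigated_loss']:,.0f} per year")
    for name, row in report["options"].items():
        print(f"  {name}: control ${row['control_cost']:,.0f}, residual loss ${row['residual_loss']:,.0f}")
    for acceptable in (0, 10_000, 25_000):
        print(f"Acceptable residual ${acceptable:,}: {choose_option(INVOICING, OUTAGE_THREAT, acceptable)}")
    print(f"{UNQUANTIFIED_THREAT.description}: {analysis_method(UNQUANTIFIED_THREAT)} assessment")
```

With these assumed figures the choice flips with the acceptable residual loss alone: zero tolerance selects the BCP (as in Table 1-4), a small tolerance selects manual invoicing, and a larger one selects the hot swap system.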

7.4.1. Controls

When choosing controls, it is common for organizations to have too few and to audit these only. The critical issue is to quantify the impact of a control - either quantitatively (which is difficult due to a lack of data) or qualitatively (which is easier but imprecise). Ideally, each control option has an associated cost and impact. The choice made by business management is based on the cost of the control versus the loss (with no control in place) and the acceptance of the residual risk.

There are many dimensions to controls. Missing just one can mean that the overall control system will not work and security governance will fail. As an example, Figure 1-4 shows a variety of controls and three examples of their use.

In the case of the physical example, consider the controls necessary to stop someone from entering a building. Normally there is a sign, a door, a lock on the door, an alarm if it is opened, guards behind the door, guards within the building, and if anyone is caught, some kind of sanction. The same set of control types can (and should) be applied to all situations. The remaining examples show how to do this for processes and technical issues.


IT is part of the general concept of business control, because IT exists to implement it. As an example, prior to accounting systems, a business transaction was made in cash or in kind. Control was exercised immediately and the sanction was often severe - especially if a promise was made and not kept. Later, accounting systems were introduced to record transactions. Auditing these transactions on behalf of owners or shareholders followed. However, the basic concept of an invoice to help control the transaction and to ensure payment remained throughout. The advent of invoicing faster and more efficiently by IT has not changed the underlying purpose, which is to control loss. (No invoicing probably means a loss.) Therefore, the IT-enabled method of invoicing can and should be cost justified in terms of loss.

The same logic applies to e-mail. E-mail helps make business work and implements control. As an example, if an invoice is in error we can use e-mail to communicate. Although it is hard to justify not having e-mail, a different view is necessary when it comes to determining business risks. A business impact analysis of e-mail generally reveals that it is not critical to business because there are other ways to communicate for business purposes. After some time, the lack of e-mail may radically affect a business, but this rarely occurs in the short term. This emphasizes the concept that analyses should always consider the business impact over time.

7.5. Security Implementation Architecture

The previous step defines the parameters for a security architecture. The outputs can be technical components, topologies, technical choices, training plans, continuity plans, security policies, process definitions, and job descriptions. All of the outputs must be balanced and implemented to ensure security governance works as planned.

Business management should make all of the choices up to this point. However, the implementation step of the lifecycle is a collaboration between operational and IT staff to define the architecture that supports the business choices. The architecture should also produce the controls required for tracking.

At this stage, compromises that require feedback to business management may be necessary, and unforeseen issues may arise that require business decisions. Similarly, some choices will annul others. As an example, a firewall that does not have administration processes defined will soon become useless; the processes and associated costs should be identified. A continuity plan that does not have a process for rehearsing and maintaining it will also become useless. Additional costs identified here can invalidate previous decisions.

This step examines the requirements, defines the overall architecture required, and produces a skeleton or high-level plan. It is important to note that the decisions driving this are business-related, not technical, and that the architecture is not fixed in time. It should be designed with an eye to the future. Within this step, it is very important to avoid designing an architecture that is self-defeating in terms of agility and future requirements. For these reasons, defining and following key performance and goal indicators is critical.


7.6. Implementation

Operational staff and IT staff drive this step, which takes the output from the previous step and implements it. This is usually a team effort and a multidisciplinary team should drive it. Operations people are principally involved in process design and implementation together with training plan implementation. IT staff implement the approved technical architecture.

As always, additional discoveries may require changes to previous decisions. Under no circumstances should changes be made without business management input. For example, it is common to find residual risk changes at this point. If this occurs, the changes should be presented to business management for a determination of the appropriate course of action. This loop is necessary to align business and IT actions - an essential (and often very difficult) part of governance.

7.7. Support, Manage, and Operate

After the overall implementation plan is complete, it is operated as planned. The function here is to execute as agreed. This includes handling events and incidents, managing efficiently, and reporting any issues that could improve efficiency and performance. The objective is not to execute this function as though it were a business with decision-making power of its own. Unfortunately, this improper form of operation frequently occurs.

7.8. Audit and Test

This step is actually developed during the previous steps. The ability to test and audit should be identified as one of the control choices. As an example, intrusion detection capability requires technical choices in terms of network topology, components, and machine agents. It is a separate control step because regular action is required. Everything should be tested for intrusion and vulnerability at least once a year, and audit intervals are often shorter. Common sense dictates a quarterly cycle. Compliance requirements differ based on the industry. In general, KPIs will have been chosen and should be monitored or generally available. In a fully agile company, KPIs should be available in close to real time. Given that compliance drives the requirements in many cases, there should be a continuous effort to produce performance reports that support the needs of the approved compliance framework.

Most compliance frameworks have a high degree of subjectivity and tend to be based on best practices and management judgment. For practical purposes, there are COSO, COBIT, and ISO 2700x. There are also some specific guidelines per industry, but the only one with some degree of prescription is the Basel II Accord, which applies to the finance industry and provides recommendations on operational risk and a clear prescription of the need for continuity plans.

7.9. Review and Update

The security and governance framework should be formally reviewed and the results documented on a regular basis. A formal review should also occur for a major change in business structure or a new business venture. The documentation demonstrates two objectives: management approval and due diligence to regulators. For this reason, the process should be formal and regular.

The process of review usually includes the risk position and the results of KPIs, audits, and tests. The results should be reviewed at this stage - not delayed until the next review cycle. Actions related to the results of audits, KPIs, and tests should occur as quickly as possible, depending on the nature and severity of the results.

Due diligence is the objective, governance is the process, and compliance shows that the process was followed.


8. Managing Governance in Practice - Information Security Service Management

Given the plethora of regulations and the general tendency to provide guidelines or recommendations rather than prescriptive advice, how can a business implement a corporate governance framework which is easy to manage and fits its requirements? There is a tendency to rely upon achievement of some standard (e.g., COBIT, ISO 2700x) or to demonstrate compliance with the requirements of a regulation (such as Sarbanes-Oxley). In the best case, both of these methods provide only a snapshot of a business at a point in time. They do not provide an operational management framework for continual compliance, nor do they naturally align with any standard management tools. This makes governance programs potentially dangerous and expensive in practice, since there is a tendency to ignore the underlying problems once the standard has been achieved.

HP's Information Security Service Management (ISSM)process is a comprehensive approach to designingand deploying an enterprise Information Security(INFOSec) program with a focus on business impact,control systems design, metrics reporting and opera-tional alignment. The ISSM Reference Model is theculmination of years of HP security consulting experi-ence gained through the design and deployment ofhundreds of security engagements. ISSM forms thefoundation of any corporate governance programand as such, directly defines controls in line withbusiness risk and provides a method of tracking howthese controls work in everyday business operations.A yearly review of the business impact and risk toler-ance position combined with control refinements andcontinuous and stringent everyday reporting providethe key elements of governance.

ISSM is a process-focused discipline for businesscontrols that prescribes capability maturity levels,governance, KPIs, enabling technologies, and servicemanagement, and is based on a set of fundamentalrequirements for any security program:

• Security should be standards-based• Security is a shared service• Security is deeply integrated within IT • Security controls should be highly structured• Security should be managed through KPIs• Security reduces operational risk • Security should be a continuously improvingprocess• Security should be linked to operations• Controls should be tracked by KPIs

Aligning controls with accepted risk is a fundamentalof all governance and compliance requirements. Twokey concepts of the ISSM approach are the use of amaturity model to look at the current and desiredfuture states and the basic use of the ISO frameworksas a guide but with one important difference. Whena normal ISO 2700x assessment is done, the controlsare looked at as being true or not true. In reality, acontrol can exist but not be well managed, so broad-ening the assessment criteria is essential to knowingwhether the control will actually work in practice.ISSM adopts the following model for assessment:

• P1: People: Assigned staff to oversee and managecontrols• P2: Policies and Procedures: Governance docu-mentation used to specify and manage controls • P3: Processes: Operational sequence of activities orevents designed to reduce risk• P4: Products: Defense-in-depth technologies/solu-tions used to manage or mitigate risk• P5: Proof: Metrics or validation methods used totrack control effectiveness

Only when looking at these five dimensions can onebe assured that a control is fit for a particular pur-pose and that it actually works. Combining thisapproach with maturity models provides a soundoperational base for the implementation of opera-tional governance of security and operational gover-nance of business controls.


8.1. ISSM Control Model

Figure 1-5 shows the overall process cycle used in ISSM. A business impact analysis shows which areas are of concern and a risk assessment is done for these. Controls are then defined based on best practice from the reference guides and in line with the particular regulatory framework from the reference maps. The current and future view of implementation is defined according to a maturity model and the P5 criteria (above) followed by the development of KPIs for those areas needing tracking. Linking these KPIs to operational data sources completes the cycle.

The following major domains are addressed within ISSM:

Business Impact Analysis (BIA)
Identifies the critical business functions and services and quantifies the impact of their loss to the business. The output from this stage is a BIA which gives a broad picture of how much should be spent to safeguard against risks.

Risk Assessment
Without quantifying and knowing the risk in financial terms, a business fails in four areas - it does not fulfill any regulatory or due diligence requirements, it does not know whether to accept or reject the risk, it does not know the potential impact on its business, and it does not know how much to spend to mitigate the risk to an acceptable level. This step should be formal and for due diligence purposes, done yearly and signed and agreed by management.

The output from this stage is a risk assessment which simply shows the threats, vulnerabilities and risks a business faces and which complements the BIA to provide a complete picture of how much should be spent but not where. A key element here is that the actual risk appetite of a business needs to be taken into account since some risks can be accepted simply because their impact is low (or not material). Not all risks need to be mitigated and not all need to be tracked.

Figure 1-5 ISSM process cycle (stages shown in the figure: Business Impact Analysis, Risk Assessment, Reference Guides, Reference Maps, P5 & Maturity Modeling, KPI Development, Control Implementation and links to ITSM, PSM, Reporting)

Security Control Framework Definition
This ensures that all domains are covered and that we use a standard model for defining security domains in which controls should exist - for example, asset management, physical security, etc. This step is essential to avoid the situation where an information security program only covers some of the domains affecting security or only covers IT, and as such misses the holistic approach to controls that is needed. As a simple example, if an information security program focuses on access control but does not look at human resources, access could be granted to people under notice or staff could be employed who represent a risk. Making sure all domains are covered and work together is the most difficult part of any security program and not taking this into consideration is the cause of most failures.

For each domain, the underlying disciplines and control elements are reviewed, drawing heavily on the structure of the ISO 2700x security standards. Pre-defined reference guides take into account other standards, legislative considerations and best practices.

To understand the required underlying controls, a cross reference which shows which ISO elements apply to which framework is required. ISSM includes a set of guides mapping well-known industry frameworks to ISO elements. The purpose here is to ensure that all areas of the target regulation are covered. These authoritative guides provide detailed deployment knowledge for implementing compensating controls. Reference guides are selected from leading industry and security standards bodies, making them universally accepted by all auditing and regulatory entities. Each guide has been carefully researched for applicability to each compensating control and provides the depth of knowledge to be used in whole or part depending on the desired maturity level of a compensating control.

The output from this stage is a control framework which shows which areas need to have controls to mitigate the known risks.

Control Definition
For each ISO discipline there are many types of controls that could be put in place and these are specific to the business and the risk. To help in implementation HP uses pre-defined control implementation templates that show the typical controls that can be used for each discipline within each domain. It is very common for the controls applied to risks to be specific to IT or to a particular technical domain. It is critical, however, that there always be multiple controls for each risk and that these controls be a combination of technical, managerial, process and accounting controls.

The control guides suggest ranges of controls for each discipline. As a general comment, controls should be chosen from the following families and there should always be more than one per risk:

• Directive: An order such as “private system”
• Preventive: For example, access control
• Detective: Such as an audit log or a checksum
• Corrective: Such as a rollback mechanism
• Recovery: Such as an audit system allowing recovery
• Deterrent: Such as a sanction

The outputs from this stage are a Statement of Applicability and the mitigating controls required for the business risks and regulatory requirements.


Measurement and Reporting
With the foundations laid from the above steps, risks are reviewed, control areas are agreed and comparisons made with best practices in terms of controls and regulatory requirements. Now an assessment and gap analysis can be executed which will show the current state and the desired future state in terms of control effectiveness and maturity. During the assessment phase, KPIs should be developed to track the implementation and performance of controls. This task is largely a question of management judgment. KPIs can be split into two groups - direct and indirect.

A direct KPI could be the number of false login attempts being below a certain threshold. An indirect KPI could be measuring the uptime of a system as a means of inferring that the controls running on that system are working and therefore that the control works. This would be relevant to measure an application control, for example. Some KPIs could be manual and manually tracked and manually entered (such as the number of people checked into a building).

Management should choose KPIs based upon the criticality of the control and the available data to track it. It is important to recognize that KPIs represent tracking of the controls to mitigate business risks and that the number that can be sensibly tracked should be limited to the number of business risks which are material to an enterprise. Having a KPI for every risk and tracking every control in the ISO 2700x standard can be a waste of effort if only because the vast majority are not material.

Important Note: In this context, “material” means that the impact would not have a materially significant impact on the financial position of a company.

The output from this stage is the set of KPIs which need to be tracked.

Link to Operations
In a typical control framework there is often a missing link between sources of operational information and the control system. This happens when the control system is developed independently of the operations side of a business. Typically, rich sources of operational data which are relevant to controls and risk management can be found in areas such as change management, continuity management, availability management etc. ISSM provides the link to these areas using ITSM/ITIL v3 and provides an effective operational implementation of risk control providing many benefits in terms of cost reduction and effectiveness.

As an example, a mitigating control could be an application running on a specific resource. If the resource is not available for a time period higher than that planned, it can be deduced that the control is not working and therefore the business risk is not mitigated.

Other sources of control implementation and tracking come from a security management system (covered in detail in Chapter 2 of this book). A security management system should normally consolidate all of the information from the technology and processes managing security and synchronize actions between all of the functions in a company. In addition, a security management system should proactively act to avoid security problems before they impact a company rather than just managing the damage they cause. The HP Proactive Security Management framework is a good example of this.

Lastly, some controls will need to be tracked manually. For example, for physical access it may be relevant to use entry logs as a KPI.

Linking the control cycle above to operations ensures that information feeds from existing or future business operations will be used to keep the control system up to date. For example, change management should be synchronized with the control system to ensure that changes do not break the controls in place.

It is important to remember that while mitigating controls should be in place for all areas of risk, it is neither feasible nor necessary to link them all to operations. Those linked to operations should be those linked to mitigating the highest business risks and impacts (those which will have the greatest material effect on financial results). Only these require continuous management attention.

The output from this stage is an Operational Security Management framework where the linkages are made to service management systems and security management systems.


9. Moving to Continuous Compliance

Traditionally, auditors review a control system on a regular basis, and a yearly report shows that financial results are correct. Information is also produced to demonstrate regulatory compliance. Relatively recently, however, compliance regulations have required more objective demonstrations of control systems. In addition, Sarbanes-Oxley requires declarations of control system failures, with explicit management approval of the existing control system rather than auditor approval.

Not all organizations and control systems are directly affected by the declarative nature of Sarbanes-Oxley. Most organizations operate in jurisdictions where control system failure is treated in a much more relaxed manner. This will likely change regardless of an organization's legislative framework, however. There is worldwide pressure (provoked by Sarbanes-Oxley) to conform to a more objective standard.

An opportunity now exists, under the guise of regulatory requirements, to redesign control systems to provide good control and compliance at a lower cost and with early warning of failures and deviations. To accomplish this, control systems must move from traditional, standard compliance methods to continuous, real-time assurance.

9.1. Comparison of Standard and Continuous Compliance

Most control systems tend to be static. For example, in a typical system:

• A process is designed to produce reliable results for financial declarations.
• The process and its implementation components are audited to see that they work.
• Checklists and statistical methods help to monitor the control systems.
• Results are gathered (often yearly) to enable a declaration that the control systems are doing their job and that the financial results produced are correct.
• Process failures either occur as events during a financial year or are noticed at audit and corrected then.
• Process failures tend to be due to people failure, and the results are often dramatic (with some exceptions). Process redesign is rare.
• An unspoken rule dictates questioning of the implementation but not the control system itself.

By comparison, the primary objectives of continuous compliance are to align risk with mitigation and to provide early warning of risk and mitigation failure. In addition, instead of continually running through checklists or performing audits, early warning of failure is derived from indicators that are assigned to the control system. Table 1-5 compares characteristics of standard compliance and continuous compliance.

Table 1-5 Comparison of standard and continuous compliance

Standard Compliance                                    Continuous Compliance
• Static, cyclical reviews                             • Ongoing assurance
• Historical-based                                     • Strategic
• Intrusive                                            • Collaborative
• Point-in-time retrospective                          • Real-time transparency
• Unexpected fluctuations in the control environment   • Sustained, adaptive governance
• Coverage-based                                       • Risk-based
• Adherence to rules                                   • Response to risk

9.2. Continuous Compliance Example

Examining a typical business function, such as accounts receivable, can help to illustrate the alignment of risk with early warning and mitigation using control system indicators. Accounts receivable is a set of financial processes. The processes use applications, and the applications run on machines in a business network. Performance indicators can be assigned to each level of the accounts receivable function:

• Financial process. An inappropriate document type such as a cash receipt for a debit serves as a financial process performance indicator.
• Application. Modification of customer credit terms is an application performance indicator.
• Infrastructure. Uninstalled security patches and lack of system availability are infrastructure performance indicators.

Determining whether the financial process uses inappropriate document types is a direct measurement of whether the process is working properly. For example, a cash receipt is not normally issued for a debit, indicating that something is wrong. Monitoring whether customer credit terms are modified with an application is a direct measurement of financial impact. For accounts receivable, credit term modification is usually a sign of client weakness. Frequent extension of credit terms reduces the reliability of the financial declaration of accounts receivable. Note that we do not need to review the entire accounts receivable system to discover certain events that can affect financial results. This is an important distinction. The application or the application process can operate correctly, while the financial system operates incorrectly. This is a critically important concept; it is the point at which we cross from security governance to compliance. In the example, the third level of measurement is infrastructure performance. If we measure system availability, we have an indirect measure or indicator of the health of the underlying infrastructure, which is part of this overall business process. System availability can be measured automatically and often.

9.3. The Efficiency of Continuous Compliance

Generating performance indicators for measurement assumes that general best practices are in place. In addition, it changes the audit and compliance process from a point-in-time audit to a continuous process method that provides early warning of trends, risks, and corrective action. Checklists could be used for compliance, but this presupposes that the checklists are continuously updated and are looking for trends. Use of checklists also presupposes that the underlying control system mitigates the business risk fully and correctly, and that it can provide compliance data.

Compared to checklists or other static methods, monitoring continuously is much more efficient. This requires input from multiple sources:

• Direct input. Direct input from applications usually requires application changes. Most applications have simple checks like range checks or exceptions (such as invalid customer account numbers). This data is presented at application runtime, but it also needs to be presented to a system that correlates all control checks.
• Manual input. This type of input consists of manual process information such as results from audits.
• Indirect input. System availability is a good example of indirect input. If a system in a control infrastructure is running as expected, one can assume that the controls are also running as expected. If the system is monitored and unavailable, it is an indicator of potential control failure. Another example of a system that can be monitored automatically is an intrusion detection system.

In a normal process for continuous compliance, the following items are identified:

• The acceptable level of error
• The financial statements (sub accounts) that could produce the biggest errors
• The applications that produce these sub accounts
• The infrastructure (in the broadest sense) that runs the applications and processes
• The controls currently in place
• Whether the controls are designed and working correctly to catch errors
• How the controls are reported and correlated
• The indicators that lead to trends requiring actions to avoid misstatement

In compliance, we look at a control system to determine the compliance impact. This equates to establishing which controls, if lost, would result in a material misstatement of results. The overall mitigation cost should be less than or equal to the level of material misstatement. In general terms, the materiality level is quite high; in the majority of corporations it is millions of dollars. This means that fairly large errors can occur before the governance and control system experiences a failure which would impact compliance. The investment in mitigation methods (IT controls, general controls etc) should be proportional to the potential loss and also proportional to the potential misstatement of results. For example, it could be that an asset is worth ten thousand dollars and its loss could cause fifty thousand dollars of damage - at first glance it would appear that the mitigation cost could be fairly high if the asset could be easily damaged regularly. If there is a 30% chance of loss every year then a mitigation cost of fifteen thousand dollars is justified. However, if the materiality limit of the company is five hundred thousand dollars and this asset loss would never cause such an impact, it may not be worth protecting the asset at all. The decision here is a management judgment based on risk appetite.
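The accounts receivable indicators of section 9.2 and the direct, manual and indirect inputs of section 9.3, run over a constructed event feed by a small correlator. This is an added example and not code from the handbook; the availability floor, the extension-count threshold and every event are assumptions made for the illustration.

```python
"""Continuous-compliance indicator correlation for an accounts receivable (AR)
function.  Added example, not code from the HP Security Handbook: it models the
three indicator levels of section 9.2 and the direct/manual/indirect inputs of
section 9.3 over a constructed event feed; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

AVAILABILITY_FLOOR_PCT = 99.5   # assumed service-level floor for AR hosts
CREDIT_EXTENSIONS_ALERT = 2     # assumed: flag a customer after this many extensions

# Constructed sample feed.  'kind' is the input class from section 9.3:
# direct = the AR application's own checks, manual = audit results,
# indirect = infrastructure monitoring from which control health is inferred.
SAMPLE_EVENTS = [
    {"level": "process", "kind": "direct", "ref": "AR-1001",
     "doc_type": "cash_receipt", "entry": "debit"},
    {"level": "process", "kind": "direct", "ref": "AR-1002",
     "doc_type": "cash_receipt", "entry": "credit"},
    {"level": "application", "kind": "direct", "event": "credit_terms_changed",
     "customer": "C-17", "old_days": 30, "new_days": 90},
    {"level": "application", "kind": "direct", "event": "credit_terms_changed",
     "customer": "C-17", "old_days": 90, "new_days": 120},
    {"level": "application", "kind": "direct", "event": "credit_terms_changed",
     "customer": "C-42", "old_days": 60, "new_days": 30},
    {"level": "infrastructure", "kind": "indirect", "host": "ar-app-01",
     "availability_pct": 99.95, "missing_patches": 0},
    {"level": "infrastructure", "kind": "indirect", "host": "ar-db-01",
     "availability_pct": 97.2, "missing_patches": 3},
    {"level": "manual", "kind": "manual", "audit": "segregation of duty", "result": "pass"},
]


@dataclass(frozen=True)
class Finding:
    level: str      # process / application / infrastructure / manual
    kind: str       # direct / manual / indirect
    control: str    # the control whose indicator fired
    detail: str


def correlate(events):
    """Turn raw events from all three levels into control findings."""
    findings = []
    extensions = defaultdict(int)
    for e in events:
        if e["level"] == "process":
            # Direct indicator: a cash receipt against a debit is an
            # inappropriate document type, so the process itself is wrong.
            if e["doc_type"] == "cash_receipt" and e["entry"] == "debit":
                findings.append(Finding("process", e["kind"], "document-type check",
                                        f"{e['ref']}: cash receipt posted for a debit"))
        elif e["level"] == "application":
            # Direct indicator: count credit-term extensions per customer;
            # tightening terms (new < old) is not a warning sign.
            if e["event"] == "credit_terms_changed" and e["new_days"] > e["old_days"]:
                extensions[e["customer"]] += 1
        elif e["level"] == "infrastructure":
            # Indirect indicators: if the host is degraded, the controls
            # running on it cannot be assumed to be working.
            if e["availability_pct"] < AVAILABILITY_FLOOR_PCT:
                findings.append(Finding("infrastructure", e["kind"], "system availability",
                                        f"{e['host']}: {e['availability_pct']}% available"))
            if e["missing_patches"] > 0:
                findings.append(Finding("infrastructure", e["kind"], "patch management",
                                        f"{e['host']}: {e['missing_patches']} patches missing"))
        elif e["level"] == "manual":
            if e["result"] != "pass":
                findings.append(Finding("manual", e["kind"], e["audit"],
                                        f"audit result: {e['result']}"))
    for customer, n in extensions.items():
        if n >= CREDIT_EXTENSIONS_ALERT:
            findings.append(Finding("application", "direct", "credit-terms control",
                                    f"{customer}: credit terms extended {n} times"))
    return findings


def dashboard(findings):
    """Per-level roll-up, the summary a correlating system would present."""
    summary = {"process": 0, "application": 0, "infrastructure": 0, "manual": 0}
    for f in findings:
        summary[f.level] += 1
    # A direct finding at the process or application level bears on the
    # financial declaration itself and is escalated for management attention.
    summary["attention_required"] = any(
        f.kind == "direct" and f.level in ("process", "application") for f in findings)
    return summary


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.level}/{f.kind}] {f.control}: {f.detail}")
    print(dashboard(found))
```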


10. Using Models and Model-based Technologies to Support Security Governance

Traditionally, best practice for assurance management employs a risk-associated "control" architecture for the IT environment. An associated lifecycle directs testing and adapting those controls as the environment is operated and changed. Problems are monitored within the contexts of the control architecture and the efficacy and interdependency of the controls. However, this is extremely difficult to achieve in an ever-changing, complex environment.

A more progressive way to deal with assurance management is to model the control framework. This immediately lifts the assurance lifecycle from a series of people-based processes (risk management, control design and implementation, audit and review) to one where model-based technology enhances, connects, and (where appropriate) automates the process. This brings the benefits of efficiency, consistency, improved communication, and ultimately more control and assurance.

One of the major issues in achieving this state is the fact that control systems exist in many forms. Inconsistencies are common, and some parts of the true control system are not considered. For example, physical access control to a building is in theory part of the financial accounting audit, but it is often omitted in practice.

To address the challenge of having many forms of control systems, a model-based assurance framework can provide new information via a high-level view. Modeling provides experts (such as auditors, assessors, and security architects) with an indication of completeness, a more thorough view of the interaction of controls, and more easily managed control indicators. For example, to mitigate the risk of people inappropriately accessing applications, a process control ensures that each addition of a user or role is approved and fits with security policies such as segregation of duty. The model captures the relevance of this control to the overall control framework and the correct operation of the process, resulting in appropriate reporting of exceptions and metrics.

HP Labs has developed a toolset to support a model-based approach. The components of the toolset include:

• A model development tool that allows security specialists, auditors, and/or risk officers to graphically build up a model of the control framework.
• An analysis engine that operates on top of an audit database where all of the specified information is gathered. The engine and model drive analysis that shows which controls (according to the model) are working effectively and which are not.
• A reporting engine that presents the results of the analysis as a navigable dashboard that highlights areas in the control architecture requiring attention.

A modeling approach can provide a continual view of risk or overall compliance. It can also automate much of the auditors' fieldwork. This supports continual compliance much more significantly than merely checking whether technology is configured or working properly. It actually reports against controls that directly relate to risk, automating much of the people-based assurance loop.


11. The Economics of Security: An Example

In theory, any money spent on security should be directly related to the risk. For a given risk and therefore, a potential loss, the cost of its mitigation should not be more than the potential loss over time or the value of the asset at risk. A suitable timeframe for risk determination is three years. Mitigation never eliminates risk entirely and any remaining residual risk should be of a level which is within the risk appetite of the business. However, when calculating the potential for losses, the losses should incorporate the complete impact on the business and not just the damage that is immediately visible.

How Economical is Security?
There are two non-avoidable problems in managing risk. First, a business has the classic problem of not wanting to take too many risks and being unable or unwilling to express their desire to take on risk in terms of a risk appetite. Second, we have the problem of getting accurate and measurable data on the probability that an event will cause a risk to materialize.

Even if a business can define its risk appetite in terms of business priorities, there remains the thorny problem of the residual risk implied by each of the mitigation options. There will always be one or more ways to reduce a risk to an acceptable level and each approach has, or should have, a different residual risk.

The economics of security can be illustrated in the way that companies protect their PCs by securing them to tables with cables. A cost/benefit analysis shows this approach might not be justified.

Let's say the PC costs $1,000 USD. (The figures used in this example are examples but the method applies to all security decision making.) There are 500 PCs in the office and three are stolen or lost per year either from the office or when people travel. This means the annual loss expectancy is $3,000. However, this is not the full story because this figure includes only the cost to replace the hardware. To build a complete cost picture, there are also other costs to look at:

• Inconvenience: The person whose PC is lost or stolen now has no PC and must either borrow one or order one to be able to continue working. In either case, there is lost productivity that can be calculated by assigning a monetary value to each hour of lost time.

• Recovery costs: When the new PC is delivered it needs to be configured with an operating system and applications and the user has to recover their data, assuming that the data is available in a backup. Again, the cost of the time required to configure the PC to a point where the user can become productive can be expressed in terms of a number of hours multiplied by the cost of the user’s time.

• Loss of working time: The person either cannot work or works less efficiently. Each user is different and the cost depends on the tasks that the user performs and their level within the organization. The loss of a laptop used by an executive who is currently negotiating a critical deal is clearly more expensive than having to replace an older desktop that is used by a more junior member of staff.

• Loss of data: This could be fairly expensive either because no backups were made or because the data is worth something. The loss of confidential data may impact a company’s reputation, especially if that data relates to customers.

• Reputation: If loss of a PC and data happens regularly, the company’s reputation will probably suffer.

• Liability: If reasonable actions for protection are not taken, there are potential liability costs. For example, if the data loss concerns personal identifiable information (PII) or if data protection is required by government or industry regulations.

The latter two costs can be very high and are very difficult to quantify.

What mitigation options are there in this scenario? The threat is mainly one of theft or accidental loss resulting in the physical non-availability of the device. In our scenario, there are two options - a cable to attach the PC (not much use in a taxi and of limited use in a hotel or airport) and/or encryption software to protect the data if it is lost or stolen (since data loss represents the highest potential loss either to reputation or due to the data value). There aren't really any other options to mitigate the risks and to reduce the losses due to theft. A backup solution is also needed to recover data in the event of loss.

Cables to secure PCs cost only $20 but their real cost is much higher. If cables are purchased externally and then distributed to users, there is process cost to manage the purchase and distribution. If users order cables personally then there are hidden process costs such as the time required to complete, submit, and authorize the expense claims for the cables. Both these processes are actually expensive in terms of the time required to order, install, and manage the cables and it would not be unreasonable to use a figure of $300 per cable since this represents a typical level of accounting control (or cost per transaction).


Encryption software costs roughly $80 per license per PC in volume. However, the real costs here are higher too. There are costs associated with:

• Software purchasing and renewal
• Software configuration
• Support for users
• Training for users
• Key management

Even if it only takes a user one hour to load and understand how the encryption software works, the average cost to deploy the software is $150 for a professional. Taking everything together, it is not unreasonable to assume a total cost per PC of $400.

For backup, there needs to be some kind of centralized system or a personal backup solution. A reasonable estimate for this could be $200 per user but can be far higher depending on the software and hardware components used in the backup solution. It does not matter if this is the cost and time for the user to deploy their own backup solution or it is the cost to deploy centralized and automated systems plus the necessary storage and administration for all users to access.

For a total of 500 PCs, we have the following costs:

• Cable cost per PC: $300
• Encryption cost per PC: $400
• Backup cost per PC: $200

Let us also suppose the solutions work for four years for a single one-time mitigation cost. The costs are per user and needed for all 500 machines. To estimate recovery costs, we can assume that in practice, recovery takes 6 hours and that the loss of a PC usually leads to a week of inconvenience and lost time. Using an hourly labor rate of $150, we have an inconvenience cost of $6,000 per week per PC lost or $18,000 for the three lost PCs per year.

Let’s also assume $10,000 in losses for data and reputation (each).

This brings the total mitigation cost to $650,000 for a total loss expectancy of $275,000 (here we simply use the lifetime cost of the losses in Table 1-6).

The results of this risk analysis would be:

• We are spending too much to mitigate the potential loss.
• The mitigation cost of losses due to theft and physical loss (cables) far exceeds any reasonable cost for the potential loss.
• The obvious solution is to deploy encryption since it protects against the biggest losses.

This type of analysis should always be done when looking at risk and mitigation costs and sometimes the answers are surprising. The obvious and visible solution to a problem does not always stand up to close analysis when looked at from a risk point of view.

Table 1-6 The economics of security example: summary of costs (U.S. Dollars)

Loss item                        Yearly cost of loss   Lifetime cost   Mitigation method     Mitigation cost total
PC hardware                      $3,000                $12,000         Cable                 $150,000
Data                             $30,000 (3)           $90,000         Encryption            $200,000
Reputation                       $30,000 (3)           $90,000         Communications plan   $200,000
Recovery                         $2,700 (1)            $10,800         Backup                $100,000
Inconvenience and loss of time   $18,000 (2)           $72,000         Cable/backup          Included above
Liability                        ?                     ?               All
Totals                                                 $274,000                              $650,000

Governance and Compliance

Page 44: HP Security Handbook

12. Key Performance Indicators and Metrics

Using metrics to measure the effectiveness of mitigation methods can be fraught with danger. It can happen, for example, that too many metrics are tracked, making it impossible to gain a complete picture of effectiveness, or that as a result of this overload of information, only the top few metrics are tracked.

The danger here is clear. It is not possible to define the top risks in any sensible way. If the top 50 are tracked, how does one know that number 51 will not be the one that causes unmeasurable damage? Given the trend to zero-day technical attacks and attacks which have not previously been either seen or exploited, it is most likely that new technical attacks will be of a previously unknown type.

If we suppose that we are tracking the top 50, what is a good result? At what point should management attention be raised? Is 48 out of 50 a good result, for example?

A metric should more properly be referred to as a Key Performance Indicator or KPI. A KPI represents the performance of a mitigating control or set of mitigating controls which mitigate a risk which is perceived to have a high business impact. Only those KPIs relating to unacceptably high business risks should be tracked for management attention. By definition, there are only a few business risks that need tracking, but the process of deciding which ones places the onus on business management and not on technical management. However, both sets of management need to accept that risk exists and damage occurs, but management attention should be focused on business impact alone. The remaining risks are better handled by simple best practice implementation of mitigating controls.

As an example, the business impact of the loss of an invoicing system is seen to have a significant impact on Days Sales Out (DSO) and on client confidence. For example, the invoicing system runs on three machines, uses four staff, the network, an invoicing application and a room.

We can reduce this by deciding that the staff has coverage from other parts of the company and the room can be anywhere. This reduces the problem in this case (but only in this case since very often the major points of weakness are people and buildings) to one of machines, network and application.

The mitigations for these components could be redundant machines and network, rigorous change control for the application, intrusion detection and anti-virus systems and some audit capability. Whatever the many and varied components used, the general case will be that if any one of these breaks, the invoicing system won't work.

As KPIs for this set, we can choose:

• Unplanned application changes
• Unplanned downtime
• Missed anti-virus scans

Note that these KPIs are not of the type “number of intrusion attempts”. There will always be occurrences like this but they don't necessarily impact anything. The KPIs above, however, are measurable combined events. This is very similar to driving a car. There are always events such as the temperature rising in the radiator. Only at a certain point does this cause an impact. Separating the noise from the impact event is the purpose of choosing a KPI rather than choosing to monitor the noise.

A KPI is entirely dependent on the impact being tracked and should be seen in this light - the key is to map business process to a group of KPIs and to track the group as a group.


13. New Model-based Analysis Approaches to Support Risk Analysis - Trust Economics

Aligning the security architecture which meets the security governance objectives of the business within the overall requirements of IT governance is a challenging task. Another starting point for analysis is based on new research in HP Labs which aims to address the two key challenges facing CxOs and CISOs with responsibility for information and systems security:

• The poor economic understanding of how to formulate, resource, measure, and value security policies.
• The poor organizational understanding of the attitudes of users to both information and systems security and of their responses to imposed security policies.

The solution is to develop economically and mathematically rigorous systems technologies and tools with which these questions can be addressed.

A rigorous understanding of the behavior of the users of a system (network), together with the economic value of the system's security measures, can be captured within an extension of some established, mathematics-based systems modeling techniques. To this end, Trust Economics is the conceptual framework within which HP is pursuing the study of the economics of information security policies, protocols, and investments. HP's perspective is one of “systems thinking” and, critically, our aim is to seek to integrate the following three perspectives:

• Modeling the behavior of the users of systems, both internal (operators, staff) and external (customers, regulators), in the context of security policies and protocols.
• Mathematical modeling of systems, organizations, and networks, including the security policies and protocols which govern access.
• Economic modeling of the costs and value of security policies and values.

One of the key strengths of this process-driven modeling approach is that it generates executable models and thus generates data from simulations that enable hypothetical questions to be asked of the model. Ultimately, the performance and effectiveness of a given security architecture will require exacting approaches to solving the complex trade-off issues arising between relative investment levels in people, processes and technology. For example, modeling patching processes in a business might reveal weaknesses in patch evaluation and deployment.

One solution might be to acquire technology to implement more automated patching; another solution might be to increase or make better use of the people involved in the patching processes. The choice requires careful analysis and the ability to simulate possible solutions prior to committing to a change project.

14. HP Governance Services

Demonstrating security governance is a continuous process. Similar to auditing, most governance frameworks require proof to be presented yearly and in some cases, such as Sarbanes-Oxley, quarterly. HP provides professional services (as well as the necessary hardware and software components when needed) for each step in the governance lifecycle. These services include:

Risk Analysis
• Business impact analysis
• Threat analysis
• Training and facilitation
• Physical security and environmental assessment

Security Control Architecture
• Policy development
• Business continuity planning
• Compliance with control frameworks and legislation
• Mitigation planning

Security Implementation Architecture
• Process design and implementation
• Technical design
• Process design including IT Infrastructure Library (ITIL)
• Training

Implementation
• Systems/networks implementation
• Process development
• Training

Support, Manage, and Operate
• IT Service Management (ITSM)
• Incident management

Audit and Test
• Framework gap analysis
• Vulnerability tests
• Intrusion tests
• Compliance tests
• Audit

For further information about HP Professional Services offerings related to governance, see www.hp.com/go/security.


15. Security and HP's Vision

To take advantage of new business opportunities as they arise, corporate governance requires efficient asset management and availability. One of the most striking features of today's business environment is its dynamic nature. Successful companies capitalize on change, turning what is often unexpected and disruptive into a business advantage. The ability to respond to changes can be summarized into four primary imperatives for business and technology: mitigate risk, maximize financial return, improve performance, and increase agility. As shown in Figure 1-6, these four imperatives are interlocked; they simultaneously apply to all governance decisions.

A company cannot gain market agility and operate effectively without governing security as a key business enabler. Conversely, those companies that fail to make the connection between agility and security cannot operate efficiently or react in a timely manner to new business opportunities. This is not a choice. The road to corporate governance and compliance with regulations requires that security governance is demonstrable and that adaptability is a reality.

The roadmap is maintained through the governance lifecycle, based on the objectives issued by the board as well as the analysis of the current and future states.

One of the key elements in the transformational journey is to break down implementation silos. Ad hoc security implementations should be migrated to security services used horizontally across the enterprise and managed in a consistent, secure, and auditable manner. This applies to infrastructure and application control points, for both the service delivery and the service delivery management environments. In particular, the process through which exceptions are managed should be carefully engineered and strictly followed; failure to do so impacts both the ability to adapt and the overall level of protection provided by the control mechanisms in place. This is not just a question of technology; people and processes play a central role in the implementation of the transformational journey.

Figure 1-6: The CIO's balancing act (diagram not reproduced; recovered label: Maximize Return: improve business results; grow revenue, earnings, and cash flow; reduce operation costs)

16. Governance Summary

Business objectives must drive security governance. Likewise, mitigation plans and the costs of such plans should be based on business impact or loss potential. This ensures alignment of costs and time horizons with business needs. Mitigation plans for business risks will always be a combination of technology, people, and process. And the majority of these plans are managed and implemented by IT. Because most mitigation methods rely upon IT technologies and processes, joint teams from business operations and IT should determine the mitigation plans to respond to business risks.

Achieving compliance with regulations calls for good control systems, in general. Building good control systems requires organizations to lay the foundation correctly. Aligning with best practices such as COBIT and ISO 27002 facilitates this process.

HP's Security Governance Services include a broad set of offerings delivered across the governance lifecycle to build an enterprise-wide policy foundation, a secure and agile architecture, process framework, and an organizational structure. Together these services enable businesses to manage the risks associated with their information assets.


Chapter 2 Proactive Security Management

“Security considerations are required across all functions of IT. Only a proactive approach to security can enable an IT function to meet its commitments to protect the IT assets of an enterprise from the many types of security threats in today’s technology environment.”
- Mike Baker, Vice President, Chief Technology Officer for IT


Proactive Security Management is an important and integral part of an organization's security infrastructure and operations environment, ranging from network-wide controls security to physical security, taking into account both the proactive and reactive aspects of security operations. HP has implemented a Proactive Security Management framework focused on establishing, operating and maintaining security management functions and procedures to support the business objectives while constantly protecting various business services and IT assets throughout their operation. The proactive emphasis for HP's approach to security management also ensures that threats are identified early and the required protection is robust, scalable, and flexible enough to anticipate and adapt to rapidly changing conditions.

In this chapter, we define proactive security management, review the conditions driving its need, and present HP's framework of technologies and services for proactive security management.

Note that while Identity Management is certainly part of the Proactive Security Management topic, HP has chosen to call out Identity Management separately due to its significance and complexity. It is discussed in Chapter 3 of this publication.

1. Definition

The fundamental purpose of security operations management and security products is the protection of business assets. In this security context, protection means providing appropriate confidentiality, integrity, and availability for a set of business assets. Therefore, proactive security management refers to the installation and operation of a set of processes, tools and services to establish and maintain a specified level of confidentiality, integrity, and availability of data, applications, systems, networks, and other IT assets.

To understand the broad scope of proactive security management, there are four parts that make up the whole:

• Managing the protection of data, applications, systems, and networks, both proactively and reactively
• Responding to changes in business and organizational models as well as the changing threat environment
• Integrating with IT infrastructure management and operations
• Maintaining a level of security and operational risk as defined by the organization


1.1. Managing Protection Proactively and Reactively

With the increased complexity of everyday operational security management of IT infrastructure, the growing rate of vulnerability discoveries and the need for regulatory compliance monitoring, it is apparent that reactive security methods, although important, are no longer sufficient. Reactive mechanisms are certainly required in IT environments, but they deal with attacks or other security incidents once they are already in progress - when damage might have already been done and the associated cleanup and lost business costs may already be adding up. Therefore, proactive security management is the natural complement to reactive technologies by providing methods, technologies, and services with the following capabilities:

Reactive Security Management Capabilities:

• Blocking known bad behaviors
• Isolating infected systems
• Enforcing security policies
• Automatically responding to known inappropriate behavior with alarms/alerts for humans and/or predefined, decisive actions
• Performing regular security assessments including manual or automated penetration testing of deployed applications
• Forensic investigations of security events
• Incident management

Proactive Security Management Capabilities:

• Ensuring that everyday IT operations are carried out in accordance with internal security policies and external laws and regulations
• Finding and fixing or mitigating vulnerabilities before they are exploited
• Reviewing web service applications for security defects during their development and deployment
• Automatically responding to suspected inappropriate behavior with cautionary responses to minimize or contain potential damage, then with alarms/alerts for humans
• Modeling solution architectures and networks as well as policies and governance structures to examine proposed changes and their effects on current security and compliance states (and unintended consequences; such modeling is done *before* changes are put in place).

Reactive and proactive technologies cannot provide 100% coverage from vulnerabilities and threats. New vulnerabilities and threats are regularly discovered (and created). Therefore, we strive to optimize the management of the security infrastructure with a combination of reactive and proactive technologies and methods which will build a most appropriate and effective security infrastructure.

1.2. Responding to Changing Business Models

Once a well designed and managed security infrastructure is in place, it must have the ability to adapt to the various threats that emerge and support changes in business models, both internally and externally to the organization. Business model changes can come from organizational changes such as reorganizations or mergers, or from new business opportunities such as new online services. For example, the requirements of proactive security management during a merger might include integrating different security technologies such as intrusion prevention systems and managing employee privilege and authority changes, or a change in operational process may be required. These transitions must happen quickly, taking into account change management, release management, capacity management, as well as security management. Further, it is not hard to imagine that two companies merging would have different policies on authenticating employees, for example, with different authentication products being used.

Proactive security management dictates that the security infrastructure be designed with the potential for such changes in mind, and that security mechanisms are:

• Adaptable to new models to ensure compliance and adherence to security policy is maintained
• Extendable to incorporate new security technologies and respond to new threats or classes of vulnerabilities

1.3. Integrating with IT Management

Proactive security management is not an island unto itself - it is a piece of the whole IT and corporate management picture. Therefore, changes in security operational management - whether dictated from a change in business models, laws, regulations, threats or vulnerabilities - must be made to preserve the tight links between security and overall IT management.

For this reason, with HP, proactive security management is tightly linked with the Information Technology Infrastructure Library (ITIL), which is a framework of best practices that promote quality computing services in the information technology sector. Using this ITIL framework, proactive security management can develop all its operating processes to manage the security infrastructure and be linked in with the overall IT management structure. Security touches all portions of IT infrastructure and must be integrated from both a technology perspective and a management perspective.


Proactive Security Management


Patch management, asset management and configuration management are three examples of IT technologies that have an impact on security. If a critical security patch is not applied before a widespread attack happens the overall security infrastructure fails. But you cannot simply apply any security-related patch without proper patch management techniques to perform testing, and systematic, audited patch application, because that patch might adversely affect performance or integrity or supportability of some other IT component.

Further, if you have a security operations center that is separate from a network operations center, this can lead to security decisions that are made without regard to business impact or IT decisions that violate security policies and leave an organization open to attack. For example, what if an intrusion detection tool sounds the alarm and a security decision is made to shut down a vulnerable server? Sounds like a sensible thing to do. But what if that server happened to be in the middle of a business critical transaction completing a huge order? Wouldn't it be smarter to apply alternate mitigating controls and delay shutting down that vulnerable server until the huge order is processed? You would want to know if the risk is acceptable to the business. This example attempts to illustrate the interdependencies between security and the rest of IT management. Because proactive security management can have a large impact on the business, it relies on an integrated IT management approach and the ability to see and respond with the big picture.

1.4. Maintaining Acceptable Security and Risk Levels

Perfect security is believed to be unattainable, and experts recommend spending only as much money as necessary to obtain the appropriate level of protection. The common question is “How much security is enough?” The answer depends on the result of a risk calculation that factors in the value of the protected assets, the known and reasonably anticipated threats against those assets, and associated vulnerabilities. Security management, in this sense, becomes a tool for managing risk.

Maintaining an acceptable level of risk is the highest-level business goal for proactive security management. The acceptable level of risk, however, varies for industries, organizations, and companies, and a functional proactive security management solution provides the correct levels of confidentiality, integrity, and availability to meet the individual organization's acceptable level of risk.

2. Purpose

The purpose of proactive security management is to protect business assets, enable business processes, and drive security costs down. To serve this purpose in a cost-effective and efficient manner, proactive security management is driven by several requirements:

• Protecting against evolving threats
• Enabling evolving and flexible trust models
• Combating increasing process complexity and related expense and manageability challenges
• Remaining compliant with internal security policies, applicable laws, and changing regulations, including the regulatory complexity involved in international transactions and business relationships

2.1. Protecting Against Increasing Threats

The threat environment is increasingly complex and rapidly evolving. Security incident reports are rising in frequency, viruses and other attacks are spreading at faster rates, the complexity of attacks is ever more sophisticated, and relatively sophisticated tools for unsophisticated attackers (so-called "script kiddies") are widely available. This environment leads to a number of security management challenges.

As the number of incidents increases and the nature of the threats constantly changes, distinct protection technologies to prevent new attacks are deployed - for example, firewalls, anti-virus tools, and Intrusion Detection or Prevention Systems (IDS/IPS). In many ways, this can be viewed as an ongoing "arms race" where the attackers come up with a new attack and the security industry comes up with a new defense.

And this "arms race" against attackers is not limitedto certain classes of attacks such as worms or virus-es. Attackers are studying the entire software stackfrom hardware to human, including physical hard-ware, operating system, applications and thebehavior of human users.

Not only are there more and different kinds of threats and vulnerabilities, but the speed of attack has decreased to milliseconds from what used to take hours and days to spread. Old security management processes that require humans to respond with pagers, discussions and human-speed decisions, now must be enhanced with automatic systems that react in milliseconds to mitigate or slow down the fastest attacks.

Proactive security management is here to deal with this increasing threat environment with the latest set of technologies, methods and processes.


Some Security Management aspects must be kept separate - such as policy enforcement or audit - but the whole IT infrastructure benefits from integration between most security functions and the other IT/network operations.


2.2. Enabling Changing Trust Models

The opening of business and organizational boundaries has changed old security models. With any combination of partnerships, mergers, dynamic supply chains, online customer services, federations, and changing user populations, it is very difficult to draw a line showing where an organization's intranet stops and the Internet begins. The old concepts of inside (people inside the organization: employees or contractors) and outside (everyone else) no longer hold. The reports of incidents involving insiders show that this old, single-wall model of security was grossly ill-conceived and is not adequate.

Proactive security management must now protect a larger set of users that change over time, including a changing set of privileges based on roles and a set of resources that can expand and contract. This protection must match the speed of the changes. For example, when an employee joins or leaves an organization, access to resources must be enabled or disabled in a reasonably short time.

Globalization of organizations also has created a challenging set of changes for proactive security management to control: disparate organizations - whether two companies partnering or coalition military forces - come together and need to share specific, sensitive IT resources based on particular trust relationships, for a limited period of time. You can imagine how gaps in such relationships can prevent joint operations or even worse, compromise sensitive IT resources.

With the evolution of trust models and boundaries, one newer field of security management has been maturing more recently - managing access to the network. This field is a critical tool in protecting the trust boundaries at the network. This is discussed in more detail in the Network Security section of the Trusted Infrastructure chapter (Chapter 4) of this handbook.

2.3. Managing Increased Process Complexity

Each new protection technology or component introduces additional complexity in the organization. As new security technologies are purchased, they must be integrated and managed with the other existing security technologies/processes deployed in the environment as well as integrated within the large IT infrastructure.

For example, a corporate perimeter might use firewalls, routers, and gateways, each with a complex set of rules to create and maintain. Behind that might be some bastion hosts, which are server-class machines that provide Internet services and serve as a buffer or demilitarized zone between the open internet and an organization's private intranets.

Other components of a company's IT infrastructure might include an IDS, an IPS, honeypots and honeynets (servers or network segments acting as traps for attackers), an anti-virus program, and a security patch management system. From this quick example, the complexity of managing security technologies becomes apparent.

Correlating alarms and alerts, consolidating control, centralizing the reporting and management of the entire security operation, and developing in-house expertise for each of these components are significant, costly challenges.

Proactive security management solutions and services can simplify or largely offload the burden of this complexity (if outsourced or out-tasked), by providing functions such as:

• Consolidation of security information from multiple sources for a central view of security state of networks, systems and other IT resources
• Simplification of the consolidated information to facilitate higher level interpretation and decision making
• Decreasing costs of staffing specific tool expertise and freeing IT Security staff from more mundane tasks (like maintaining firewall rule sets)
• Enabling higher-level controls on the specific, lower-level security tools that would allow policy based decisions to be automatically propagated and decomposed into instructions and configuration commands for the lower-level tools. For example, policy decisions about which IT resources can be utilized by which employees would automatically trigger configuration changes for routers, firewalls and anomaly detection systems to allow the correct access - no human work involved, and all done in a systematic, accountable process.

With such proactive security management capabilities, the security infrastructure gains the increased protection of new tools and methods, in an agile and responsive fashion, while maintaining compliance with security policy and a consistent level of risk.


Table 2-1: A shift in IT thinking will change IT security program goals away from pure security or technology goals to those producing business outcomes.

Business Outcomes are Security Goals
• Confidentiality, integrity and availability of IT assets
• Ensure security controls investment appropriately matches asset values
• Optimize utilization of security controls and safeguards
• Reduce cost of achieving regulatory compliance
• Leverage security as a business enabler and market differentiator
• Achieve best-in-class security program to improve organizational reputation

2.4. Complying with Changing Regulations

Problems with privacy violations and lack of security generate press and public attention and cause far-reaching changes in the way we interact with governments, businesses, and organizations. Legislative bodies, standards organizations, and industry-specific groups have created laws, standards, and certifications to guide or mandate how organizations create, store, use, and communicate information.

In the U.S., for example, the Sarbanes-Oxley Act requires public companies to show that they preserve the integrity of corporate financial information and take steps to protect that information from unauthorized access. Another U.S. example is the Health Insurance Portability and Accountability Act (HIPAA), which requires enterprises to take meaningful steps to preserve the confidentiality of customer/patient information. Controls such as these drive the functionality of the security infrastructure and require proof of compliance by methods of auditing and event logs. In the EU and Japan, there is a lot of progressive work on privacy legislation and the security of personal information.

Security management is the control point for the collection, transportation and storage of sensitive IT information and it is the focal point when things go awry or when the auditors come around.

Proactive security management addresses this responsibility with its controls and monitors which watch for variances, test for compliance, and provide audit and logging controls to meet laws and regulatory requirements. Further, security management will become truly proactive with constant compliance capabilities to eliminate the time-consuming preparations for audits and flag new configurations that violate security policies.

2.5. Purpose of Proactive Security Management Depends on More Than Technology

As an aside, it is important to note that security technology is not the only piece needed to achieve the purpose of proactive security management. In order to balance security technology, people and processes must not be overlooked. Continuously reinforced awareness programs and ongoing end-user training are essential. The more end users can learn about the actions they can and must take to mitigate threats, the more secure the enterprise will become. Also, the more that the enterprise can capture and learn from responses to threats and attacks, the more secure the whole enterprise will become. Unknowing actions can undermine the best-managed security infrastructure.

2.6. IT Management Trends and Security Management

With so much technology available, some argue that lots of technology is used for technology's sake and has lost sight of the goal: achieving business results. The shift from "Information Technology" to "Business Technology" changes thinking from information technology as a separate department to a model where technology powers the business. With it, the role of the CIO changes to be measured on overall business outcomes, rather than delivering only on technology service level agreements.

For security and privacy management this Business Technology thinking means that security management must focus on enabling business and organizational goals. For example, instead of a focus on the number of attacks repelled each month or the number of viruses detected, the CISO must now create metrics that demonstrate business outcomes. Table 2-1 has some examples of taking a business technology approach in terms of Risk Management and Compliance (rather than security for security’s sake).


With an established set of minimum functionality, Security Management, like IT Management, must now mature beyond security and deliver business objectives.


Figure 2-1 High-level view of the categories or pieces that make up the proactive security management framework

3. HP Proactive Security Management Framework

There are many pieces to the security management program, including the process and people's roles as well as the security and IT technologies which provide specific security management functions. In Figure 2-1, we present a top-level perspective to give the reader a framework showing how individual pieces fit to form the whole program. In general the diagram depicts two rings, an inner and an outer ring. Categories on the outer ring generally have many more interactions with the world outside an organization; the inner ring's categories generally stay more internally focused on an organization. Color-coded and underlined titles designate which pieces are generally considered reactive security management (yellow) and those that are regarded as proactive (white underlined). Both proactive and reactive components are required for the most complete security management program. This circular framework diagram is chosen specifically to show that there is no hierarchical or chronological relationship between categories; each serves a specific function and covers its part of the problem space. There are definitely overlapping tools and functions that serve in multiple categories of this diagram; there are often tight links, interactions or dependencies between categories as well.

[Figure 2-1 labels, HP Proactive Security Management Framework: Compliance & Security Monitoring & Reporting; SIM; SEM; NIDS; HIDS; Anti-virus; Firewalls; Intrusion Detection; Hardening; TPM; Host Management; Patch & Configuration Management; NAC; Scanning; Analysis; Vulnerability Management; External Intelligence; IP Protection; Rights Management; Spam Filtering; Content Management; Identity Management; Threats Analysis & Response; Investigations & Forensics; Escalation & Crisis Management; Program Governance; Awareness; Education; Security Program Admin.; Incident Response Team; Modeling, Reporting, Business; Risk Management; ITIL v3; ITSM; IT Administration Integration. Legend: Reactive, Proactive, Example.]


3.1. Compliance, Security Monitoring and Reporting

The evolution of the people, processes, tools and technology to protect your infrastructure is analogous to creating a quilt. Over time, independent pieces of security technology and tools have been invented to cover specific aspects of securing an infrastructure or to address a new family of threats or vulnerabilities. Many security infrastructures add the new technology or tool to their existing architectures as soon as practical, integrating it with existing systems where possible, creating an ever larger "quilt" that covers the IT infrastructure against a growing list of threats and vulnerabilities. Figure 2-1 shows the main categories that come together to form the latest set. With this growing set of tools in place, organizations are now receiving security information from each tool, and easily become overwhelmed: What do I do if one tool reports I'm safe and another tool reports an alarm? Do I have to staff a team for each tool? How do I make sense out of what my firewalls are reporting compared with what my intrusion detection system is reporting? Why does my anti-virus tool report all is fine when my networks are clearly under attack?

So emerged the need to coordinate and correlate information from different security tools. First came the correlation tool products that would receive alerts and information from different security tools and correlate the information to present in a single console. The correlation tools then evolved to gather and present tracking and workflow information so you could not only identify an event, but also track the mitigation efforts and get status information as the threat and mitigation work progressed. This current set of tools is labeled Security Information/Incident Management (SIM) or Security Event Management (SEM).

The current trends for SIM/SEM solutions are:

• Expanding the scope of information collected to include integration with existing IT logs that have been collected for configuration and performance management. IT logs contain security-pertinent information about patch levels, system configurations, accounts and audit records.
• Reporting the status of compliance with specific requirements set by policies, laws and regulations. As organizations work to respond to current and future laws and regulations that require security and privacy mechanisms, it is very efficient and effective to have a security management architecture that can constantly check its own compliance and report on that status for audits when required.
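As an added illustration (not HP's or any product's code), the following Python sketch shows the basic correlation step described in this section: events from a firewall, a network IDS and an anti-virus tool, read from constructed log lines, are grouped per host into time-windowed incidents for a single console, and the case where one tool reports clean while another alarms is flagged explicitly. The log line format, tool names and severity rule are assumptions.

```python
"""Minimal SIM/SEM-style correlation of events from several security tools.

Added example, not HP product code. The event line format, tool names and
the severity rule are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <tool> <host> <alarm|ok> <detail>"
SAMPLE_EVENTS = [
    "2007-03-01T10:00:05 firewall host-a alarm inbound tcp/445 from 203.0.113.9 denied",
    "2007-03-01T10:00:09 nids host-a alarm SMB exploit signature matched",
    "2007-03-01T10:00:40 antivirus host-a ok scheduled scan completed, no infection found",
    "2007-03-01T10:02:00 firewall host-b ok outbound tcp/443 permitted",
    "2007-03-01T11:30:00 nids host-a alarm repeated connection attempts to blocked address",
]


@dataclass
class Event:
    ts: datetime
    tool: str
    host: str
    verdict: str  # "alarm" or "ok"
    detail: str


@dataclass
class Incident:
    host: str
    start: datetime
    end: datetime
    alarms: dict = field(default_factory=dict)         # tool -> [details]
    clean_reports: dict = field(default_factory=dict)  # tool -> [details]

    @property
    def severity(self) -> str:
        # Assumed rule: independent alarms from two or more tools rank higher.
        return "critical" if len(self.alarms) >= 2 else "high"

    @property
    def conflicting_tools(self) -> list:
        """Tools that reported 'ok' inside a window where another tool alarmed."""
        return sorted(self.clean_reports)


def parse_event(line: str) -> Event:
    ts, tool, host, verdict, detail = line.split(" ", 4)
    if verdict not in ("alarm", "ok"):
        raise ValueError(f"unknown verdict {verdict!r} in: {line}")
    return Event(datetime.fromisoformat(ts), tool, host, verdict, detail)


def _build_incident(host: str, group: list) -> list:
    """Turn one per-host time window into an incident, or nothing if no tool alarmed."""
    if not any(e.verdict == "alarm" for e in group):
        return []
    inc = Incident(host, group[0].ts, group[-1].ts)
    for e in group:
        target = inc.alarms if e.verdict == "alarm" else inc.clean_reports
        target.setdefault(e.tool, []).append(e.detail)
    return [inc]


def correlate(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Group events per host; a new window opens when an event is more than
    `window` after the first event of the current window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    incidents = []
    for host, evs in by_host.items():
        group = []
        for e in evs:
            if group and e.ts - group[0].ts > window:
                incidents.extend(_build_incident(host, group))
                group = []
            group.append(e)
        incidents.extend(_build_incident(host, group))
    return sorted(incidents, key=lambda i: i.start)


def render_console(incidents: list) -> list:
    """One line per incident, the 'single console' view."""
    lines = []
    for inc in incidents:
        line = (f"{inc.start.isoformat()} {inc.host} {inc.severity}: "
                f"alarms from {', '.join(sorted(inc.alarms))}")
        if inc.conflicting_tools:
            line += f"; CONFLICT: {', '.join(inc.conflicting_tools)} reported ok"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in render_console(correlate([parse_event(l) for l in SAMPLE_EVENTS])):
        print(line)
```

Run against the constructed events, the first host-a window yields a critical incident carrying the anti-virus "ok" as a conflict, which is exactly the "one tool says safe, another alarms" situation an analyst needs surfaced rather than averaged away.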

3.2. Vulnerability Management

A security vulnerability can be defined as a software bug or flaw that can be exploited deliberately for unintended results. The field of Vulnerability Management has emerged in security management to focus on identifying such vulnerabilities or holes in existing IT infrastructures and managing their remediation or mitigation. There are tools that perform a series of tests that try to detect each known vulnerability and create a summary report stating how many known vulnerabilities are likely to exist. These tools are referred to as scanners, penetration testing tools or vulnerability assessment tools. They depend on advance knowledge of what a vulnerability is and how to deduce if that vulnerability exists. They use a database of known vulnerability descriptions and produce reports which state results in quantitative terms such as "System was scanned for 4,000 known vulnerabilities. Results: 106 vulnerabilities discovered with a priority breakdown of 27 critical, 17 high, 42 medium, and 20 low priority".

The current trends for Vulnerability Management solutions include:

• Reducing the number of false positives and false negatives
• Integration with the other IT functions of configuration management and system maintenance by including status reporting and workflow functions
• Improving up-to-the-minute vulnerability information in vendor-provided, known-vulnerability databases, by utilizing other external intelligence sources such as vulnerability research companies or vulnerability sharing groups
• Expanding dynamic attack methodologies and/or fuzzing techniques which are used to discover previously unknown vulnerabilities
• Combining vulnerability status reporting with compliance reporting

3.3. Content Management

As more and more of an organization's critical information and intellectual property is created and stored in an electronic form, the security properties (confidentiality, integrity and availability), as well as the privacy properties, become increasingly important aspects to manage. Also there is a lot of electronic information that flows into organizations that must be managed carefully to again meet security, privacy and business conduct policies, laws and regulations.


Examples come from many different parts of a business, such as controlling who gets access to a company's intellectual property (IP); ensuring that a sensitive document is not exposed in violation of a security or privacy policy; protecting critical financial data from accidental leak or intentional theft; blocking illegal content from entering your IT infrastructure; and controlling unsolicited e-mails (aka "spam" or "junk mail") from entering your e-mail system and adding unwanted costs for storage, bandwidth consumption, and wasted employee productivity.

The need for organizations to manage the electronic content that flows in and out of their company and IT infrastructures has created the newer field within Security Management known as "Content Management".

There are products now available in categories such as:

• Rights Management and IP Protection: these tools maintain/enforce property, copyright or usage rights to the electronic "property", such as IP, specific data, or software. Such tools are being initially deployed to control access to music, movies, corporate data, individual users' data, software programs or industrial secrets.
• Content Filtering: this is a set of tools that sit on networks, data centers and/or users' compute devices and watch what's being sent and received.

Depending on an organization's security, business or privacy policies, as well as laws and regulations, some content is illegal or in violation of some policy and must be carefully controlled, such as pornography, or violent or racist materials. Some network traffic content might contain attacks such as viruses, worms, or other undesirable problems that are being spread over network protocols or at a higher level in web applications, such as web browsers. An emerging set of products called "Content Filtering" solutions will search/filter the traffic by signatures, patterns, keywords, behavior or other means to look for the sensitive content traveling in violation of policy, law or regulation. These solutions allow you to block, delete and/or report such violations. Products in this field are known by other names such as "Spam Filtering" or "Content Protection". Products that filter web content going in and out of web browsers are referred to as "Web Content Inspection" or "Web Surfing Controls".

3.4. Identity Management

Identity Management is the field of security management that encompasses the processes, tools, social contracts and the lifecycles of digital identities. It is such an important aspect of security that it has arisen as a large field of security with many technologies, products, methodologies and applications. For HP's overall security strategy, we have called out Identity Management as a separate pillar; subsequently we have dedicated an entire chapter to it in this document. For more information, please refer to Chapter 3.

3.5. Host Management

In our Proactive Security Management Framework, "Host Management" refers to the field of installing, controlling and maintaining the configurations and controls that have security and privacy implications and are included with operating environments and applications on various computers and devices. Such controls and configurations include file permissions, access settings, security settings, security-related patches, a computer's services availability, network settings, operating system parameters and drivers.

As you might imagine, there are many different aspects to managing the security of a host system, and much progress and innovation has been made in this field. Specific security market segments have emerged with tools and solutions not only from the operating environment vendors but from independent product companies as well.

Categories of Host Management aspects include:

• "Secure out of box" or "Secure by default": These phrases refer to a paradigm shift by manufacturers to ship their products with security-risky features turned off by default instead of making users actively reconfigure a product to be safe.
• Hardening: To make a system "hardened" means to close all the known holes and turn off all unnecessary services and accesses. There are tools that check and set network, device and system settings to known safe settings, like closing open network ports that are unused or removing device drivers that will not be used, thereby reducing the number of avenues for potential attack.
• Chain of trust: Building a chain of trust for a computer system refers to creating a way to start from a known trusted item and to add additional functions (or software) on top, each depending upon the previous trusted item. For example, if you wanted to know that your payroll program has not been tampered with, you would need to know that the operating system running your payroll program has not been tampered with. To trust the operating system, you would need to know that the boot code was not tampered with, and that the hardware has not been tampered with either. This would be a chain of trust between the hardware/boot code and your payroll program. Creating and maintaining such a chain of trust is another part of managing host security. Trends in building chains of trust and creating a trusted starting point are being led by the work of the Trusted Computing Group (TCG), which has developed an industry standard for Trusted Platform Modules (TPMs).


A majority of electronic content has primary intended value and secondary significance beyond its intended purpose: e-mails can become evidence, files can become Intellectual Property, Instant Messages can become a liability, a transaction can become sensitive private data.


• Patch and Configuration Management: If the highest risks of attack come from unpatched software and misconfigured systems (e.g. a system configured with no password on a root account), then you can imagine how important testing, applying and verifying security-related patches and configurations is to the security of a host system. This importance prompted a growth in tools and solutions to do this patch and configuration management in a systematic and auditable fashion. As this aspect of Host Management has evolved, it now links into audit and workflow systems to ensure that changes are made, auditing can be done efficiently and effectively, and compliance to policy can be collected and reported.

• An emerging field in Host Management is the concept of performing system health checks to determine if a host meets a minimum set of security policies before letting that host connect to IT resources, like an intranet. There have been several leading methodologies proposed, including Trusted Network Connect (TNC) from the Trusted Computing Group, Network Endpoint Assessment (NEA) from the Internet Engineering Task Force (IETF), Network Access Protection (NAP) from Microsoft and Network Access Control (NAC) from Cisco.
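As an added example (not TCG's or HP's code), the following Python sketch models the chain of trust from the payroll example above in the way a TPM measures a boot chain: each component is hashed and folded into a single register before the next one runs, so the final value vouches for the whole chain, and a verifier replaying the measurement log can tell which link was altered. The same evidence is what a system health check could consume before admitting the host to the network. The component contents and the all-zero starting register are assumptions of the illustration.

```python
"""Chain-of-trust measurement modeled on a TPM-style 'extend' operation.

Added example, not TCG or HP code. Component contents are constructed, and
the all-zero initial register value is an assumption of this illustration.
"""
import hashlib

REGISTER_SIZE = 32  # SHA-256 digest length in bytes


def measure(data: bytes) -> bytes:
    """Measurement of one component: a digest of its contents."""
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """Fold a measurement into the register: new = H(old || measurement).
    The register can only be moved forward, never set directly."""
    return hashlib.sha256(register + measurement).digest()


def measure_chain(components: list) -> tuple:
    """Measure components in boot order (hardware first, application last).
    Returns the final register and an event log of (name, measurement hex)."""
    register = bytes(REGISTER_SIZE)
    log = []
    for name, contents in components:
        m = measure(contents)
        register = extend(register, m)
        log.append((name, m.hex()))
    return register, log


def replay_log(log: list) -> bytes:
    """What a verifier does: recompute the register from the log alone."""
    register = bytes(REGISTER_SIZE)
    for _, m_hex in log:
        register = extend(register, bytes.fromhex(m_hex))
    return register


def verify_chain(register: bytes, log: list, golden_register: bytes, golden_log: list) -> dict:
    """Check a reported (register, log) against known-good values.
    Returns whether the chain is trusted and, if not, the first altered link."""
    consistent = replay_log(log) == register   # log was not edited after the fact
    matches_golden = register == golden_register
    first_bad = None
    if not matches_golden:
        for (name, m), (_, g) in zip(log, golden_log):
            if m != g:
                first_bad = name
                break
    return {"trusted": consistent and matches_golden,
            "log_consistent": consistent,
            "first_altered_link": first_bad}


# Constructed boot chain for the payroll example in the text.
GOOD_CHAIN = [
    ("hardware/boot firmware", b"constructed firmware image v1"),
    ("boot code", b"constructed boot loader v1"),
    ("operating system", b"constructed os kernel v1"),
    ("payroll program", b"constructed payroll binary v1"),
]


def tampered_chain(chain: list, link: str, new_contents: bytes) -> list:
    """Return a copy of `chain` with one link's contents replaced."""
    return [(n, new_contents if n == link else c) for n, c in chain]


if __name__ == "__main__":
    golden_reg, golden_log = measure_chain(GOOD_CHAIN)
    bad_reg, bad_log = measure_chain(
        tampered_chain(GOOD_CHAIN, "boot code", b"constructed boot loader v1, modified"))
    print("good chain:", verify_chain(golden_reg, golden_log, golden_reg, golden_log))
    # The payroll binary is byte-for-byte unchanged, yet the chain is not trusted.
    print("tampered boot code:", verify_chain(bad_reg, bad_log, golden_reg, golden_log))
```

The point the text makes is visible in the second run: the payroll program's own measurement still matches the golden log entry, but because the boot code beneath it changed, the final register differs and nothing above that link can be trusted.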

The above aspects of Host Management illustrate a management view of securing a host. Host Management is one part of the bigger topic of Trusted Infrastructure, which is covered in Chapter 5 in this handbook. Please refer to that chapter for much more detail and a complete discussion of these Host Management aspects in the context of building trusted infrastructures.

3.6. Intrusion Detection and Prevention

The last element of the outer ring of the Proactive Security Management framework diagram (Figure 2-1) is the field of Intrusion Detection and Prevention. This field is focused on defining what constitutes "good" behavior on a system or network and assuming that any behavior observed which falls outside the definition of "good" must be mitigated. The definitions of good and bad behavior come from the particular type of detection and prevention methodology being examined, as there are several aspects to this field that have been developed into product categories in the security industry.

Here are a few examples:

• Network Intrusion Detection and Prevention Solutions (NIDS or IDP): Products in this category typically run on network elements (e.g. a network switch or router) or dedicated systems connected to managed networks. They examine the network traffic for patterns of known, undesired behavior, or for anomalous behavior. They can react with alarms, alerts, logging and/or predefined reactions, such as dropping known-bad packets.

• Host-based Intrusion Detection and Prevention (HIDS or IDP): These products are similar to the network IDP, but instead of examining network traffic, they focus on the behavior of the host computer where they run locally. They look for known bad behaviors, like accessing protected files or many login attempts, and also look for anomalous activities. These products can react with alarms, alerts, logging and/or predefined reactions, such as locking accounts or blocking access to a resource.

• Anti-virus products: These were the original technologies that looked for bad behavior. They use information (in databases, signature files or rule sets) of what "bad" is to identify attacks such as viruses and worms. They have also evolved with the IDP category of products to look for patterns of suspect behavior as well as to scan whole file systems for infected files or other telltale evidence of attacks. These products will send alarms and alerts, log events and can take predefined reactions, such as blocking traffic from a suspect source, deleting infected files or moving suspected bad files into a special quarantine area to prevent usage.

• Firewalls: These were the first and most popular intrusion prevention products to be deployed because they originally restricted access to access points. Firewalls sit between networks and systems, examining network traffic and isolating traffic that violates security policy. Evolving from that initial simple, but very effective function, firewalls have increased the level of traffic inspection to examine more than just the connection request.

These examples give a perspective on managing intrusions in this chapter's context of Proactive Security Management. However, intrusion detection and prevention solutions are integral to the architecture and construction of an effective security infrastructure and therefore are presented in the Trusted Infrastructure chapter of this handbook. Please refer to Chapter 4 for more detail and discussion.


The following categories of Proactive Security Management (Figure 2-1) make up the inner ring of the diagram. This inner ring represents those fields of Proactive Security Management that are generally more internally focused in an organization or company. There definitely are external links to the people, processes and technologies that are deployed for these inner-ring categories, but the focus is still more internal than external.

3.7. Problem Management

The main purpose of problem management is the rectification of errors in the IT infrastructure; its goal is to proactively minimize the impact of security issues on business and to prevent recurrence. A problem is often identified on analysis of incidents which have some commonality in symptoms. However, problems can also be identified by analysis of a single resolved/closed incident of high impact with a possibility of recurrence. In either case, a business case would then exist to justify the expenses that accompany root-cause analysis associated with problem management. This is reactive problem management.

Problems can be identified by analyzing the IT infrastructure and its reports, by using knowledge databases, by interaction with developers and vendors on known errors when new products are launched, and in meetings with the user community.

Once a problem is identified, efforts are made to arrive at the root cause. Successful analysis of this root cause identifies the "Known Error" condition in the IT infrastructure. From that point forward, some kind of corrective action is defined and executed through a controlled Change Management process.

How are Problem Management and Incident Management different? Problem Management focuses on arriving at permanent solutions to known errors in the infrastructure. The objective of Incident Management is to restore normal service operation, often through implementing workarounds such as a temporary fix or routing the service to the customer through another infrastructure channel.

3.8. Investigations and IT Forensics

When events occur in violation of security and privacy policies, laws or regulations, part of managing a complete response is to discover what happened and why it happened. This is the mission of the Investigations and IT Forensics category, which is made up of combinations of people, policies, processes and tools that are used to log, gather and present data in an investigation of security or privacy policy violations to answer the questions about who did what, when, how and why.

As with most of Security Management, there are reactive and proactive components to the IT forensic tools available for investigations:

• Reactive IT forensic tools are used during or after an event. They are used to collect evidence of the event in question and can include everything from a forensic system used to image hard drives, or a camera to photograph physical evidence, to forensic software products that perform imaging, password cracking, decryption and specific evidence preservation processes.

• Proactive IT forensic tools and methods capture and protect forensic data that exists before and during a security/privacy event. These are called proactive because they are active before events occur and therefore are gathering data before and during the time when an event of interest occurs. When an alarm is triggered, identifying an event to investigate, proactive forensic tools provide additional useful data. Such proactive IT forensic tools and methods include both dedicated security forensic products and general IT system functions such as system event logs.

3.9. Security Program Administration

Administering an organization's security program is a general category referring to the activities that are required to create, run, enforce and maintain the security program's policies and governance models. On the governance side, for example, authorization policies must be created, documented, communicated, enforced and audited. Such authorization policies might stipulate who is allowed to access which IT resources, who is allowed to grant access, and what process must be followed to grant and revoke access rights. Security policies for an organization could define the acceptable use of IT assets or the required security configurations for a system connecting to a managed network.

An adage that is repeated in security is that "security is people, process and technology…in that order!" The key message is that technology alone will not create a complete security architecture without a well-defined process and trained and willing people using it. Security Program Administration includes the required education and awareness components. Even if the best security technology is in place, it can be instantly nullified by a person writing down a password on a piece of paper taped to a monitor. Also, a wonderful security process to protect sensitive company data will never be utilized effectively if less than half of the employees know about it.


3.10. Incident Management

As soon as an unintended security- or privacy-related event is detected, it can be identified as a security incident and Incident Management resources and processes must be activated. The objective of Incident Management is to restore normal service operation, often by implementing workarounds such as a temporary fix or by routing the service to the customer through another infrastructure channel. Often teams are staffed to execute the Incident Management procedures and are referred to as the Security Incident Response Team or Computer IT Security Response Team. These teams have an important responsibility to restore normal operations while at the same time preserving forensic evidence and operating within the boundaries of their organization's policies as well as other laws or regulations. Therefore they must have a predefined set of procedures that take into account business priorities, policies, laws, options for defensive techniques, and organizational escalation processes.

3.11. Risk Management

As was discussed in the introduction to this chapter, security has matured to a point where it is ready to move from an independent IT security operation to an integrated IT component that serves to support desired business outcomes. The examples earlier showed how security objectives will be constructed to deliver business results such as cost effectiveness or maximizing utilization of security infrastructures while maintaining compliance to organizational policies for security and privacy. When security is managed in order to achieve business objectives, security evolves from simply protecting IT assets to become a tool for managing risk.

It is difficult to measure the return on investment for a security infrastructure, as its goal is not to produce a business value but to enable other business activity. The true value of security comes from its ability to minimize or mitigate the risk of interruption to business services. Since it is easy to overspend on any IT infrastructure, and security is no exception, how much security is enough and how much is too much? The answer comes from the recognition that a security infrastructure allows an organization to manage the level of acceptable risk. Installing all the available security tools and purchasing insurance for unforeseen events would be very expensive and fiscally irresponsible. At the other extreme would be to do nothing, which would expose an organization and its officers to risk of damage, loss, litigation or prosecution. Further, there is no single security infrastructure architecture that is correct or best for all organizations.

Therefore, the optimal way to manage a security infrastructure at a higher level is to create a security infrastructure that provides a constant acceptable level of risk. Measuring, tracking, auditing and reporting that risk is part of the Risk Management piece of the Proactive Security Management framework.

Risk Management is a new field for the security industry, and many models have been proposed, but none has achieved broad acceptance or usage as of this writing. Risk Management will be a higher level of Proactive Security Management that will take into consideration such factors as business impacts, security risks, vulnerability states, and an organization's true appetite for risk.

3.12. IT Administration Integration

The trend for future security management is to integrate with the other existing IT management disciplines and give IT infrastructures the desired attributes (functionality, performance, availability, integrity, confidentiality, trustworthiness and reliability), all managed at the same level of corporate management. For example, consider the following three IT events: a critical server running out of disk space, the launch of a new sales portal resulting in a flood of online orders, and a security breach resulting in the theft of confidential data. What if all three of those events were happening on the same server machine at the same time?

If security management is completely separate from other IT functions, you might end up with the following responses to the above scenario:

• Security management immediately isolates the compromised system to contain the breach from spreading further and freezes all forensic evidence to establish a chain of evidence for the investigation…but this would immediately halt the revenue stream from the new sales portal.
• IT Administrators would add disk capacity and reconfigure the server to handle additional capacity…which might destroy forensic evidence and delay the identification and mitigation of the attack, and would also risk continued theft.
• Network management sees the spike in order traffic and immediately opens more network ports to keep the orders coming in…instantly exceeding disk space on the server.


Security Management is one tool to manage an organization's risk; it is typically used in conjunction with other tools, such as insurance or outsourced services, to achieve an acceptable level of risk.


This example shows that a perspective above security management, IT administration and network management is needed to be able to assess the current state of risk and urgency and to make a responsible, prioritized response to such a scenario. This is the case for bringing security management into the same place as the other IT management functions, consoles and operation centers. There is some work to do to literally integrate the plethora of tools and products, and it is happening slowly. The guidance and leadership on how to integrate the lower-level, technical tools will come at the architectural levels.

There are several models that are emerging as pragmatic and widely accepted. One example is Information Technology Service Management (ITSM) with the Information Technology Infrastructure Library (ITIL).

• ITSM: This approach combines proven methods such as process management and known industry best practices to enable an organization to deliver quality IT services that satisfy business needs and achieve performance targets specified with service level agreements.
• ITIL: This integrated set of best-practice recommendations is used to aid the implementation of a framework for ITSM. This framework defines how Service Management is applied within any type of business or organization that has a reliance on IT infrastructure. ITIL covers areas such as Incident Management, Problem Management, Change Management, Release Management and the Service Desk.

By taking such a top-down approach in architecting an entire IT infrastructure including security management, an organization will have higher level visibility across the whole IT infrastructure to make the best decisions to support the desired IT attributes of functionality, performance, availability, integrity, confidentiality, trustworthiness and reliability.

4. HP Proactive Security Management Offerings

Security goals, risk profiles and IT infrastructure maturity levels are unique to each organization. HP's proactive security management products and solutions have been created to enable a modular approach to thoroughly customize proactive security management solution components to meet an organization's specific security needs and budget. The primary elements of HP's proactive security management offerings are the HP Proactive Security Management services delivered by HP Services and proactive security management products provided by HP and HP partners.

4.1. HP Proactive Security Management Services

HP Services has a comprehensive portfolio of Security Services to help commercial companies and organizations establish and deploy a Proactive Security Management program or design a complete Security Operations Center. These are the Proactive Security Management Core Services based on the HP Proactive Security Management framework presented in the previous paragraphs.

A Proactive Security Management program takes into account strategy, people, processes, tools, and technology in a holistic and coordinated manner. The program helps companies proactively manage information security threats, vulnerabilities, and incidents in order to reduce their impact on the organization.

In addition to the HP Proactive Security Core Services, HP Services offers:

• Quick Security Assessment and Health Check Services, which are linked to the Vulnerability Management component of the framework. For a comprehensive Security and Risk Management assessment, please refer to the Governance and Compliance chapter of this publication: Chapter 1.
• Managed Security Services for HP Services IT outsourcing customers from the HP Security Operation Centers, or outsourced security monitoring with the Enterprise Security Partnership service.

4.1.1. Security Assessment Services

4.1.1.1. Custom Security Assessment

The objective is to help customers establish and deploy a proactive security management program to effectively manage threats and vulnerabilities while minimizing the business impact of IT security incidents. Preventing security incidents from occurring requires proactive steps. In addition, for those incidents that do occur, a proactive security management program should:

• Restore normal service quickly and efficiently, with as little impact to the organization as possible
• Ensure that all security incidents are identified and processed in a timely and consistent manner
• Prioritize and provide direct support services where they are needed most
• Provide accurate information about the security incidents that occur to better plan and optimize existing security systems
• Identify, address, and correct or minimize any damage to systems or data
• Evaluate the effectiveness of response(s) and feed a knowledge management system (if available) to learn what worked well and what did not


Figure 2-2 Overview of the HP proactive security management services

Benefits

With a comprehensive proactive security management program in place, organizations can:

• Minimize downtime, exposure, and loss of critical information caused by security attacks, thereby minimizing damage to business, company brand, customer loyalty, intellectual property, and employee productivity.
• Make security incident and crisis management decisions based on real-time assessments of threats and vulnerabilities, with an associated audit trail and action record to validate proper response and derive strategies and tactics for improvement.
• Prevent or minimize the spread of security attacks within the enterprise and stop the propagation of worms, viruses, and other pathogens.
• Control internal information for compliance with regulations (for example, Sarbanes-Oxley and the Basel II Accord) and prevent liabilities under the regulatory mandates.
• Focus on business rather than security incident recovery.
• Control security investments by focusing on the business impact of threats and vulnerabilities, thus informing relevant procurement decisions and ensuring maximum benefit.

Barriers

Minimizing downtime from security threats, vulnerabilities, and incidents requires a comprehensive response plan. Yet few enterprises have such a program in place. HP has found several real and perceived barriers. The most important barriers are:

• An overtasked security staff that is busy dealing with the mundane. The staff may also lack basic security automation tools such as patch management, group policy, configuration control, intrusion detection, and proper training or support resources.

• Missing or poor coordination across business units, enterprise application owners, data centers, and help desks. Fractured budget and investment policies discourage global, enterprise-wide investment in favor of local quick fixes. These practices result in an overlapping patchwork of solutions that cannot be managed effectively and may in fact work at cross purposes.
• The lack of a security governance model for prompt incident response decisions, making an analysis of the return on investment almost impossible to formulate and justify.

4.1.1.2. Core Services Associated with the Proactive Security Management Framework

At HP, we understand that organizations have an existing IT infrastructure and some processes in place to prevent and manage security incidents. Some of these processes are well suited to their purpose in the context of an integrated view of the system, and they can be carried through as part of a strengthened and proactive security management program. Some processes need to evolve or change, others should be eliminated, and new processes are inevitably needed. Deploying an effective proactive security management program is a transformation and an ongoing collaborative effort involving many facets of an organization.

The HP Proactive Security Program involves a deliberate process driven by HP to help organizations identify their needs and implement effective solutions. As Figure 2-2 illustrates, HP uses a best practices workshop approach to identify stakeholder needs, the current state, and the desired future state. An architecture and planning process, in close collaboration between HP and key stakeholders, results in the functional implementation of a proactive security management program.

[Figure 2-2 elements: Best Practices Workshop; Current State Definitions; Future State Definitions; Architectures & Planning; Functional Implementation; Threat, Vulnerability, Incident]


1. The Best Practices Workshop Service helps the customer understand the benefits of adopting a proactive security management solution approach.
2. The Current State Definition Service defines the current state of the customer's security infrastructure, process and organization in order to establish a baseline on which to build a proactive security management solution.
3. The Future State Definition Service defines the customer's desired end state for proactive security management and a detailed roadmap to get there.
4. The Planning and Architecture Service involves the production of a solution architecture for a Proactive Security Management framework to encompass the specific future state defined for the customer together with implementation plans to support its deployment.
5. The Functional Implementation Service involves the design, implementation and integration of the individual proactive security management solution components required by the customer.

4.1.1.3. Methodology

HP has developed a highly structured process to design and deploy complex security solutions consistently and effectively - regardless of variations in organizations and IT architectures. The first phase of HP's methodology is assessment and planning. This is followed by the design and implementation phase.

Assess and Plan

The first phase of the process is to gather information, assess it, and define a plan. The steps include:

• Identify stakeholders and work with them to define the specific business value drivers for the organization.
• Perform a gap analysis between the current state of the IT infrastructure and the desired and appropriate future state.
• Perform a business impact assessment to prioritize the risk that each gap represents.
• Define a gap closure plan that identifies and prioritizes transformation projects.

Design and Implement

The second phase of HP's structured process is to design and implement the proactive security management program and associated tools. The steps HP undertakes include:

• Organize by establishing a project management structure, preparing project work plans, and setting objectives, milestones, and metrics by which to measure progress and success.
• Set expectations and timelines for program metrics reports.
• Design and document the program itself, and develop a handbook outlining roles and responsibilities, processes, and tools for implementation.
• Report vulnerability correlation and incidents and implement program area tools.
• Create and deliver training to build awareness.
• Ensure that systems are in place to effectively capture lessons learned and facilitate a feedback mechanism. This helps organizations learn from experience and makes this information available to staff in a usable form. It also feeds the training program, as appropriate.
• Develop and implement a maintenance plan.


4.1.1.4. Summary

HP's methodology and structured process for proactive security management produces reliable and effective results. By seeking to proactively identify security threats, eradicate vulnerabilities, and rapidly respond to attacks when they do occur, the HP Proactive Security Management Program protects information assets, prevents application downtime, facilitates maximum network/system/application availability, and helps to greatly reduce annual expenses caused by viruses, worms, and other costly security incidents.

The complexity of a best-in-class proactive security management program is directly related to the size and complexity of a company's IT infrastructure, its geographic reach, and its business needs. Many of the functions of an effective proactive security management program are combined and owned by a few individuals within the organization. However, regardless of how many people are involved, the functions and processes need to be well defined and followed.

HP's Proactive Security Management Program has been very successful. As a testimonial, the same team that helped develop and implement HP's internal program also developed our worldwide consulting services offering. It is important to emphasize that the entire cost of developing and implementing the comprehensive HP Proactive Security Management Program can be justified by comparing it to the cost of damage from a single security incident.

4.1.2. Quick Security Assessment

The cost of preventing a security breach is always far lower than the cost of recovering from one. That's why HP provides expert services to evaluate your overall security strategy, identify the strengths and weaknesses of your current security posture, gauge the risks to your mission-critical IT infrastructure and business data, and show you how to address potentially damaging security vulnerabilities.

4.1.2.1. Custom Security Assessment

Receive an in-depth analysis of information security risks within your business-critical technology infrastructure. Tailored to your specific needs and environment, HP's Custom Security Assessment service takes a holistic approach to security management across multiple IT components. Coverage can include the status of your policies and procedures for security management according to the BS 7799 (ISO 17799) standard; the security posture of servers, storage, operating systems, applications, and databases; and the configuration and management of the physical environment.

Security deficiencies are uncovered through interviews with key members of your technical staff, audits of compliance with your security policies, configuration audits, and an onsite review of your physical security safeguards.

HP Services security specialists work with you to match the assessment's scope and level to your technical and business requirements. Deliverables are spelled out in a detailed Statement of Work. A final security report highlights threats and vulnerabilities, and offers recommendations for improvements.

4.1.2.2. Security Quick Assessment

HP's Security Quick Assessment Service gives you a convenient, cost-effective way to gain an awareness of potential vulnerabilities in your IT environment and get expert recommendations for remedying them. During a one-day workshop, HP security consultants direct key members of your staff through a facilitated security self-assessment. The consultants then analyze your responses and report back to you on any weaknesses in your security management systems, as well as suggested avenues for improvement.

Assessment criteria are based on industry best practices such as ISO 17799, plus HP's wide experience in security solutions design and support.

4.1.2.3. Security Vulnerability Assessment for Small to Medium Businesses

Small and medium-sized businesses (SMB) face the same security threats as enterprise companies. Security Vulnerability Assessment for SMB can help by providing accurate, actionable information to start building an effective security plan.

Security isn't just for large enterprises any more. In fact, a recent study by Forrester Research found that "75% of small and medium businesses (SMB) expect to make new security investments in the next twelve months."

There are two primary reasons for the growing interest in, and need for, security among SMBs. The first is the rapidly growing number of viruses, Trojan horses, hacker attacks, and other threats that today target large and small companies and individual and corporate users alike. The second is the fact that businesses of all sizes now rely extensively on their IT environments to meet their business goals.


Unfortunately, designing and implementing a security plan that provides the best possible response to threats, while also ensuring the most effective and focused use of budgets and resources, is often a major challenge for SMBs. That's exactly where the Security Vulnerability Assessment from HP can help.

This service provides access to a trusted partner with industry-certified credentials who can lead SMBs through the complex security field. In the strictest confidence, HP security consultants prepare the accurate, actionable information these companies need to identify specific network security vulnerabilities at the most affordable price in the industry. The service also includes expert assistance to help SMBs identify the remedial solutions that will deliver optimum results in addressing their specific vulnerabilities.

The HP Security Vulnerability Assessment for SMB service allows SMBs to obtain actionable information to start building a security plan at the most affordable price in the industry. The service has the following features and benefits:

• Comprehensive: Provides an impressive level of analysis, including penetration testing of perimeter systems, done by experienced HP Security Consultants.
• Proactive: Identifies your business exposure to today's IT security risks by locating vulnerabilities and weaknesses in your networking infrastructure before they impact your business.
• Informative: Helps you understand your current IT security measures and how they compare to industry benchmark standards.
• Performance-proven: Leverages HP's 25 years of experience and expertise in creating and delivering security solutions to customers worldwide.
• Affordable: Designed and priced specifically for SMB realities and requirements.
• Fast and easy to purchase: All essential elements are included in a single package.
• Flexible: Two service levels available - Basic and Enhanced. You select the one that's the best match for your environment and its requirements. The Basic and Enhanced service levels both provide security architecture and policy reviews, penetration testing of perimeter systems, wireless security reviews, discovery and recommendations reporting, and best practices sharing. The Enhanced service level additionally defines a security patch strategy.

4.1.3. HP Security Enhancement Services

The HP Security Enhancement Services offer small and mid-sized companies a much-needed new approach to addressing the growing number of security threats that are now plaguing companies of all types and sizes. This approach lets customers purchase and use affordable HP Care Pack Services units to access the specific services they need to address their environment's vulnerabilities and their business's security requirements. HP Security Enhancement Services for SMB can be used:

• To quickly follow up on the findings and recommendations of the HP Security Vulnerability Assessment for SMB service. This assessment identifies exactly where a company is vulnerable and what it can do to best address those vulnerabilities.
• At any time to address any security-related concern or issue that requires specialized expertise.

The HP Security Enhancement unit of this service is designed specifically to help small and mid-sized companies access the capabilities and solutions they need to minimize threats, while also building a more secure overall environment. It follows the recent introduction of the HP Smart Desktop Management Service, another unique service that offers a complete approach to security for multi-vendor networked PCs in one integrated, affordable off-the-shelf solution that any SMB can easily leverage.

4.1.4. Security Health Checks

HP Security Health Check Services provide quick yet comprehensive exposure and risk assessments, zeroing in on key components of your business-critical infrastructure.

An HP Services security professional consults with your IT team to identify the configurations, systems, or databases to be checked, then scans and analyzes them to uncover security weaknesses. Next, we prepare a detailed report outlining the results of the analysis and offering recommendations on how to address high-risk security vulnerabilities. Finally, we review the report with you and discuss a follow-up action plan.

You also have the option to deploy the scanning software for additional monitoring functions and more frequent scans by HP or your staff.


Figure 2-3 HP Global Security Centers bring different sources of threat and vulnerability information together to deliver a set of services.

4.1.4.1. Intranet Security Health Check

This service provides a network-based vulnerability assessment of business-critical systems connected to your company's intranet - including key servers, network switches, and routers. It uses comprehensive, automated network security vulnerability detection and analysis to probe target systems and identify security holes. HP Services professionals help you understand your risks and identify the steps required to harden your infrastructure.

4.1.4.2. System Security Health Check

Focusing on the operating system level of your critical servers, this assessment uses a host-based approach to detect platform security weaknesses that are not visible to network scanning. Your system-specific security risks are identified, analyzed, and prioritized, and you receive expert recommendations for implementing appropriate corrective actions.

4.1.4.3. Database Security Health Check

Obtain vital information for improving data integrity, availability, access control, and security management. Databases used by your critical business applications are scanned for security vulnerabilities without affecting your production environment. A summary report outlines recommendations in areas such as authentication, authorization, and system integrity.

4.1.5. HP Managed Security Services

4.1.5.1. HP Services Global Security Centers

HP Services Global Security Centers provide defined and custom solutions in areas ranging from security awareness enhancement and security policy design to risk mitigation, security infrastructure development, security integration, and security training. They are located in cities such as Redmond, Washington; Hong Kong; and Grenoble, France. Figure 2-3 illustrates how the centers take information from many different sources to deliver their set of services.

[Figure 2-3 elements: intelligence sources - internal and external partners; vendors, Bugtraq, CERT/CC, FIRST, Secunia, others; event inputs - hIDS/IPS, nIDS/IPS, AV outbreak, user helpdesk; Security Event Management and Vulnerability Scanning; Threat Monitoring and Alerting; Threat Analysis and Response; Security Incident Response]


Services available from the Global Security Centers include:

• Vulnerability assessments: Numerous aspects of your infrastructure are examined to determine whether security gaps exist and how to correct them.

• eSecurity probe: Using the same tools and techniques commonly exploited by hackers, HP Services specialists can safely challenge the effectiveness of your perimeter security safeguards. You get an accurate picture of your preparedness to defend against a predefined set of common security threats.

• Express services: Fixed time and scope risk-mitigation services target specific aspects of your infrastructure, including firewalls, Web servers, Web applications, wireless networks, and telecom systems.

• eSecurity scan service: Vulnerability scanners combine with a proprietary HP methodology to provide a quick snapshot of your security vulnerability.

• Incident handling service: HP Services experts help you recover compromised systems in the shortest possible timeframe, identify the sources of attacks and take appropriate measures to prevent them from recurring, and track down attackers via forensics investigation.

• Infrastructure security design service: Delivers architecture design recommendations and network topology evaluation.

• Security Training: Customizable courses and complete programs facilitate your establishment and enforcement of ongoing security measures.

• Pre-packaged security solutions: Pre-integrated components, products, and services are leveraged to cut your time-to-results and keep your total costs down. Final integration and implementation are accomplished through custom services for your specific infrastructure.

Examples of solutions that can be provided by the Global Security Centers include:

• PKI solutions: These solutions typically encompass security policy, user registration authority, certificate issuing authority, certificate distribution system, and key archiving and renewal.

• Smart card solutions: Services include providing BIOS security, drive lock, and data encryption on client devices; personalizing smart cards with the HP smart card management system; and managing smart cards throughout their lifecycle.

• Enterprise Access Management Solutions: Make Web sites and collaborative relationships secure by providing centrally managed access control with distributed and delegated administration. Scalable to millions of users, these solutions support heterogeneous IT environments.

• Identity management and provisioning solutions: Provide a centralized means of managing identities, provisioning services, and implementing a consistent access control policy. Capabilities include user provisioning, self-service provisioning, self-service administration, and role-based policy management.

4.1.5.2. The Enterprise Security Partnership Service

HP Services offers the Enterprise Security Partnership service, which provides customers with a combination of world-leading IT services and security intelligence to address the ever-expanding security threat. This service is delivered via the joint expertise of HP and Symantec. It provides consulting, resources, and technology that minimize the disruption security attacks cause to businesses. The service helps organizations manage and defend their infrastructure, reduce vulnerability, and optimize the integrity and availability of the IT infrastructure as a key business asset.

The Enterprise Security Partnership service accomplishes this by providing:

• Real-time security monitoring and incident management
• Ongoing security management support
• Proactive security planning and improvement

The Enterprise Security Partnership service provides tailored services, including delivery of impact analysis reports for new and existing vulnerabilities and provision of proactive patches. Businesses also benefit from continuously improving security policies and procedures, regular reports on security threats and potential business risks, and effective countermeasure recommendations.

Symantec's extensive expertise within the security marketplace supplies industry-leading monitoring, intelligence, and analysis capabilities, protecting the infrastructure against attack. Combined with HP's security services and solutions and IT service management skills, these capabilities let organizations improve security governance and implement and sustain a strong defensive posture to more effectively manage operational risk.


4.2. HP Proactive Security Management Products

To support the Proactive Security Management Program, HP offers a number of security monitoring and reporting products. They include solution components for incident response, security monitoring and event management, security reporting, patch management, and vulnerability remediation. HP (along with key partners) completes the picture with security event filtering, aggregation and correlation, policy compliance and vulnerability assessment, and various network security components.

Host Management: Patch and Configuration. HP Configuration Management solutions automate the deployment and continuous management of software, including operating systems, applications, patches, content and configuration settings, across the widest breadth and largest volume of devices throughout their lifecycle. They support compliance by ensuring that only authorized software is maintained on systems and that policies are continually enforced.

Log Management. HP Operations Center provides a consistent system and fault management process and workflow. Intelligent agents can detect any security failure, and can monitor system and application log files for security problems, with the aid of partner solutions.

IT Administration and Integration. HP ServiceCenter helps IT organizations quickly deploy consistent, integrated work processes based on the ITIL framework. It is designed to help evolve IT service management organizations through a series of logical steps, from establishing basic controls to a higher level of maturation where automating service delivery can help maximize the business value of your IT organization.

Vulnerability Management. The HP Application Security Center, formerly SPI Dynamics, delivers a comprehensive and accurate suite of application security products and services that support the entire Web application lifecycle, from development and quality assurance to deployment, ongoing operations management and auditing. With over 5,000 unique Web application-specific vulnerabilities, threats, and security checks, SPI Dynamics' vulnerability database, SecureBase, is the most comprehensive and accurate knowledge base on the market. SPI Labs' hands-on experience in application penetration testing consulting, combined with extensive research to keep the database current, results in frequent updates.

Escalation and Crisis Management. The HP ServiceCenter Incident Management module automates the entire incident lifecycle, from the time a service disruption is reported through final service restoration. It can capture and log security-related incidents, including routing and escalation workflows based on criteria such as impact, urgency, or customer.

Security Event Management. HP Network Node Manager (NNM) provides the industry's leading SNMP-based management environment, widely used by network-based security solutions to transmit security event information. HP Operations extends this with best-in-class system and application event management, including log file monitoring and analysis. Event Correlation Solutions (ECS) provides a flexible mechanism for rule-based event correlation and for processing real-time event flows. Partners are also essential to the HP security event correlation and management strategy. Numerous integrations exist between individual security solutions and Operations Center for monitoring the security devices or applications and collecting the associated security events. This spans basic SNMP integration up through tested and certified Smart Plug-Ins (SPIs). For heterogeneous and comprehensive multi-vendor security event management, HP has partnerships with ArcSight, eSecurity, and Symantec. ArcSight and eSecurity provide certified SPI integrations for HP Operations. Symantec is in the process of completing a SPI integration. All of these partners provide security correlation capabilities that then forward correlated security events to Operations.

Compliance and Security Monitoring. HP Compliance Manager continuously monitors internal controls of key business processes, as well as their supporting applications and infrastructure, to measure effectiveness and mitigate risk. By aggregating and summarizing key metrics collected by HP Software tools and other control sources, HP Compliance Manager software shows the risk to high-level business processes, highlighting where there are control violations and emerging risk, enabling IT to quickly pinpoint and resolve the issue.


Configuration Management. HP Configuration Management (CM) Patch Manager software eliminates known software vulnerabilities quickly and reliably by automating the patch management process - including acquisition, impact analysis, pilot testing, discovery, assessment, deployment, maintenance and compliance assurance - ensuring that devices are always configured correctly. Using this policy-based software, IT managers can accelerate the correct configuration of their software infrastructure and optimize the security and stability of managed systems. The HP CM Patch Manager provides value for business continuity and security initiatives, server provisioning and repurposing, and OS and application migration. HP also offers a vulnerability and patch management solution for HP ProLiant servers as well as specific security-patching solutions for Microsoft Windows, HP-UX, and Linux.

4.2.1. Security Event Management

Security Event Management (SEM) is the ability to monitor and manage security across the entire IT infrastructure - from systems, applications, network elements, and security devices to all of the communications and transactions occurring within the infrastructure. SEM is a process embodied in the policies, network hardware, and specific SEM applications and services resident in the IT infrastructure. In total, it presents a complete view of the entire range of IT security elements.

4.2.1.1. Objectives

A comprehensive SEM solution actively records, views, analyzes, and manages all of the security events that occur within enterprise IT infrastructures. SEM includes the correlation of security data from multiple devices and systems across the enterprise to help facilitate security assessments and provide appropriate mitigation strategies and solutions.

An effective SEM solution aligns with the IT infrastructure so that security events can be judged in the context of the associated business risk. The capacity to determine the system's level of exploitability, an event's impact on business service(s), and the weight of assets at potential risk all contribute to determining the criticality of a potential security incident.

4.2.1.2. Environment

The major challenge facing the contemporary enterprise goes beyond its own borders and carefully controlled wide-area linkages. Enterprises are operating with multiple platform types and security products and services in an environment that exhibits an ever-widening array of connectivity requirements across partners, customers, and remote offices. Only a centralized view can identify incidents that require remediation and harden enterprise systems against future attacks. A centralized view aggregates all security events - no matter what, when, or where - and intelligently correlates the events with activity patterns.

Evolving government regulations and the regulatory challenges posed by multi-national operations are reinforcing the need for an effective SEM solution within an enterprise. Regulations now mandate organizations to implement security controls, and they hold organizations accountable, both legally and financially, for security incidents that compromise private information. These regulations drive architects and developers of IT security infrastructures to find a solution that constantly monitors networks for vulnerabilities. This has led to a number of toolsets, appliances, devices, and applications of increasing sophistication and scope, resulting in increasing complexity, integration, and management challenges.

4.2.1.3. Benefits

The correct SEM solution (properly architected, implemented, and administered) significantly eases the burden on overworked IT and security departments. By quickly identifying and responding to security threats and changing from a reactive mode to a proactive, systematic methodology, an SEM solution provides a productivity boost and reduces the direct costs of security implementations over time. The net effect is more efficient compliance with government regulations, protection of the corporate assets (and thus the bottom line), and smoother business operations.

By integrating a complete solution for SEM with the overall architecture of an incident management program, an enterprise is able to:

• Insulate the higher-level incident management processes from the dynamic, ever-changing details of the security profile of a typical enterprise network - a network that is not only heterogeneous (containing a range of technologies, applications, and vendor-specific solutions) but also diverse in geography, time zone, use patterns, and languages down to the OS level.
• Conduct event filtering at the correct level while retaining sufficient audit and action records to validate any security oversights of critical components and information, if needed for legal or regulatory reasons.
• Manage the SEM system from a higher-level perspective and easily adapt the system to changes in local infrastructure and network conditions (granular adaptation) as well as to changes in the overall threat level and profile on the worldwide network (global adaptation).
• Demonstrate due diligence if a regulatory agency investigates the enterprise for compliance or if a legal action related to a security incident arises.


4.2.2. HP Software for Proactive Security Event Management

An HP Software-based SEM solution enables enterprises to detect and dynamically respond to changing circumstances. It also helps to securely manage evolving IT environments, minimizing operational impact due to security events or operational burdens arising from security solutions and methods impeding normal system usage. Intelligent partner integration, along with the best point solutions, provides an end-to-end global and local security management solution that proactively mitigates security incidents.

HP Software and security solutions from our partners can be integrated into a broad Security Event Management (SEM) solution. Such an SEM solution is designed to centralize and manage all aspects of a security event.

Detection of a security event can come from multiple sources: for example, IDSs, firewalls, and system log file monitoring and analysis. Preventative notifications of potential security incidents, including unusual usage patterns and unapproved configuration changes, and early warning services can help mitigate incidents before they do damage. HP's unique Partner Integration Strategy achieves the highest level of integration in the industry through the development of Smart Plug-ins (SPIs) that integrate with HP Operations.

SPIs collect and intelligently analyze alerts. They correlate alerts as necessary, and forward them (if appropriate) to a higher level in the management hierarchy. SPIs also monitor the health, performance, and availability of the individual security applications and devices. SPIs are the preferred integration method for linking security devices and applications into HP Business Technology Optimization (BTO) Software.

HP's Event Correlation Solutions (ECS) can correlate individual event streams while also correlating events across security, system, application, and network sources. ECS provides a flexible mechanism for rule-based event correlation and for processing real-time event flows. For network-based security management, HP Network Node Manager provides the industry's leading Simple Network Management Protocol (SNMP)-based system, including log file monitoring and analysis.

HP's partner integration strategy achieves the following:

• Unified fault management covering all subsystems, collected and reported in a centralized fashion
• Unified reports covering specific incidents plus broader usage trends
• Configurable event filtering to shield operators from trivial matters, enabling them to focus on the most critical issues
• Event correlation to deduce cause and effect from seemingly dissimilar events
• Automated actions in response to a security problem, such as shutting down a process, paging an operator, generating an incident trouble ticket, or initiating a change management process (for example, to deploy patches)
• True service-level management, where specific security problems are immediately linked to those services they may affect, so actions can be taken in line with broader business objectives
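The filtering, correlation and automated-action steps in the list above can be shown end to end with a small correlation engine. The following is an added example written for this handbook; it is not HP Operations, SPI or ECS code. The event records, source names, severity scale, window length and thresholds are all constructed for the demonstration.

```python
"""Added example: severity filtering, time-window correlation across sources,
and severity-driven automated actions.  The event records, severities,
window and thresholds below are constructed for the demonstration; the code
is not HP Operations, SPI or ECS code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised events from three sources (a firewall, an IDS
# and a host syslog).  "sev" runs from 0 (informational) to 4 (critical).
EVENTS = [
    {"ts": "2024-03-01T10:00:01", "src": "firewall", "sev": 1, "ip": "203.0.113.5",
     "msg": "deny tcp 203.0.113.5 -> 10.0.0.7:22"},
    {"ts": "2024-03-01T10:00:02", "src": "firewall", "sev": 1, "ip": "203.0.113.5",
     "msg": "deny tcp 203.0.113.5 -> 10.0.0.7:23"},
    {"ts": "2024-03-01T10:00:04", "src": "firewall", "sev": 1, "ip": "203.0.113.5",
     "msg": "deny tcp 203.0.113.5 -> 10.0.0.7:445"},
    {"ts": "2024-03-01T10:00:09", "src": "ids", "sev": 3, "ip": "203.0.113.5",
     "msg": "portscan detected"},
    {"ts": "2024-03-01T10:00:30", "src": "syslog", "sev": 4, "ip": "203.0.113.5",
     "msg": "sshd: Accepted password for root"},
    {"ts": "2024-03-01T10:05:00", "src": "syslog", "sev": 0, "ip": "10.0.0.9",
     "msg": "cron: job finished"},
    {"ts": "2024-03-01T11:00:00", "src": "firewall", "sev": 1, "ip": "198.51.100.2",
     "msg": "deny tcp 198.51.100.2 -> 10.0.0.7:22"},
]

SEV_FLOOR = 1                   # events below this severity are not escalated
WINDOW = timedelta(minutes=2)   # correlation window per source IP
MIN_EVENTS = 3                  # events needed before a cluster becomes an incident


def filter_events(events, floor=SEV_FLOOR):
    """Shield operators from trivial events: keep only those at or above the
    severity floor.  The dropped count is returned so it can still be audited."""
    kept = [e for e in events if e["sev"] >= floor]
    return kept, len(events) - len(kept)


def correlate(events, window=WINDOW, min_events=MIN_EVENTS):
    """Group events by source IP into windows anchored on the first event of
    each group.  A window becomes an incident when it holds enough events
    from at least two different sources; the time ordering of those events
    is what lets build_incident() infer cause and effect."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    incidents = []
    for ip, evs in by_ip.items():
        i = 0
        while i < len(evs):
            t0 = datetime.fromisoformat(evs[i]["ts"])
            cluster = [e for e in evs[i:]
                       if datetime.fromisoformat(e["ts"]) - t0 <= window]
            sources = {e["src"] for e in cluster}
            if len(cluster) >= min_events and len(sources) >= 2:
                incidents.append(build_incident(ip, cluster))
            i += len(cluster)
    return incidents


def build_incident(ip, cluster):
    """Turn a time-ordered cluster into an incident.  An IDS alert followed
    later by a successful login from the same address is rated as
    reconnaissance that succeeded; severity is the highest seen in the cluster."""
    ids_at = next((k for k, e in enumerate(cluster) if e["src"] == "ids"), None)
    login_at = next((k for k, e in enumerate(cluster) if "Accepted" in e["msg"]), None)
    pattern = "reconnaissance"
    if ids_at is not None and login_at is not None and login_at > ids_at:
        pattern = "reconnaissance followed by successful login"
    return {"ip": ip, "pattern": pattern, "count": len(cluster),
            "severity": max(e["sev"] for e in cluster),
            "sources": sorted({e["src"] for e in cluster})}


def decide_action(incident):
    """Map incident severity to the automated responses the text lists."""
    if incident["severity"] >= 4:
        return ["page operator", "open ticket", "block source IP"]
    if incident["severity"] >= 3:
        return ["open ticket"]
    return ["log only"]


def run(events=EVENTS):
    kept, dropped = filter_events(events)
    return dropped, [(inc, decide_action(inc)) for inc in correlate(kept)]


if __name__ == "__main__":
    dropped, results = run()
    print(f"{dropped} trivial event(s) filtered")
    for inc, actions in results:
        print(inc["ip"], inc["pattern"], "sev", inc["severity"], "->", actions)
```

On the constructed input the single low-severity cron line is filtered, the three firewall denies, the IDS scan alert and the root login from 203.0.113.5 fall inside one two-minute window and become one critical incident, and the lone deny from 198.51.100.2 never reaches the threshold. The filtered count is returned rather than discarded so that the audit record the second bullet of 4.2.1.3 asks for is not lost.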

4.2.2.1. What HP Provides: HP and Partner Solutions

HP Software provides a framework on which an enterprise can build a complete security management solution. A best-of-breed global management solution relies upon a collection of point solutions integrated into the HP architecture.

Creating the best of both worlds results in effective security management only if local solutions and global management are integrated to act as one. Such integration goes far beyond simply passing events from one application to another. Excellent integration takes full advantage of the local products' understanding of the managed object, plus the global solution's understanding of the complete infrastructure.

HP's approach relies on both internal expertise and that of our partners, and it provides enterprises with the ability to select the correct and most effective local solution for their situation.


4.2.2.2. HP's Partners and HP Software

Currently, HP Software offers SPI availability for the following leading security solution partners: Symantec, ArcSight, BindView, Check Point, Cisco Systems, e-Security, Netegrity, NFR Security, Nokia, Perfigo, Sun Java System Identity Server, Solsoft, Top Layer Networks, St. Bernard Software, ISS, and Tripwire. For an up-to-date list, see www.hp.com/go/software.

4.2.2.3. Security Event Management Summary

HP has built a complete solution for an enterprise SEM program that is exceptionally robust, sophisticated, flexible, and scalable. As a component in managing the Adaptive Enterprise, the HP solution is based on three critical elements:

• The scalable, secure, and proven HP Software platform
• A set of underlying data collection and analysis applications, running as SPIs to the HP Software platform
• Extensive and sophisticated processes and procedures that tie all components together with a robust and scalable platform and use additional HP Software components such as trouble ticket management to provide overall IT service management capabilities

The primary benefit of the HP Software approach is that an enterprise can take a holistic view of its entire IT infrastructure over the complete lifecycle of the infrastructure's individual components. As the networks, systems, and applications build and adapt to the changing requirements of the enterprise, so can the HP Software solution.

Security event management becomes integrated with the entire organization's approach to IT and network management. Components (such as firewalls, patch management solutions, and IDSs/IPSs) that once were islands of individual solutions and tactical approaches to local problems become part of a comprehensive solution.

4.2.3. Security Configuration and Patch Management

Security configuration and patch management incorporates security patches, correct configurations, and current versions of software. Eliminating vulnerabilities before incidents can occur is the greatest defense against attacks. Patching a particular vulnerability removes that avenue of attack for as long as the patch stays applied. Security patch management fits with the compliance monitoring solution component of proactive security management.

4.2.3.1. Objectives

Security patch management solutions should provide quick and reliable automation of the patch management process. Policy-based solutions help managers ensure that systems are current and that the security and stability of systems are optimized. Updating network nodes with the latest security patch is only part of the battle. Knowing which security patches to deploy, the effects they are expected to have on related systems and processes, and when to deploy them are key parts of any security patch management solution.

4.2.3.2. Environment

Although patches are available, their deployment proves to be a challenge to enterprises. There are multiple reasons for this:

• Frequency of vulnerabilities and patches: The monthly rate of security vulnerability discovery and posting of patches has risen sharply over the past few years.
• Quality versus speed during patch application: Testing and qualifying patches to ensure that they will not adversely impact the overall operation of the system has always been a concern. The speed with which security patches need to be deployed makes this testing and qualification process particularly challenging.
• Ability to audit patch implementation: The ability to audit systems to ensure patch compliance has been an ongoing challenge, especially in diverse, multi-operating-system environments with desktops, servers, and mobile devices.
• Number of mobile and remote users: Additional mobile and remote users bring challenges to an enterprise's patch capability. Mobile and remote users miss critical notifications if they are not connected when an audit or scan takes place. Once notified, they may have limited bandwidth for accessing and installing patches. Finally, they may be exposed more quickly to attacks because they are located outside the protection of the enterprise.


4.2.3.3. HP's Patch Management Programs

HP Services combines the expertise of Certified Information Systems Security Professionals (CISSPs) and Microsoft Certified Systems Engineers (MCSEs) to recommend and deploy the right security patch management solution for an organization. Solutions cover a range of operating environments, including Microsoft Windows, Linux, and HP-UX. These solutions include HP Configuration Management, the ProLiant Essentials Vulnerability and Patch Management Pack, Microsoft Security Patch Management tools, and HP-UX Patch Management tools.

4.2.3.3.1. HP Configuration and Patch Manager

HP Configuration Management solutions enable IT to respond to these demands through automated deployment and continuous management of software, including operating systems, applications, patches, content and configuration settings, on the widest breadth and largest volume of devices throughout the lifecycle for:

• IT efficiency to control management costs
• Agility to deploy services faster and without user disruption
• Security and compliance by continually enforcing policies, patch compliance and software integrity

HP Configuration Management software provides automation and control for every aspect of change execution with a suite of industry-leading tools, as outlined in the following paragraphs:

Discover software and hardware inventory

HP Enterprise Discovery software is a part of the Configuration Management suite of products, for agent and agent-less discovery and inventory collection on hardware and software assets. Inventory, utilization and Windows Vista readiness reports can all be accessed directly through the Enterprise Manager console.

Streamline packaging and analyze configuration impact

HP Configuration Management Extensions for Windows Installer transforms any IT administrator into an expert in the advanced features of Microsoft Windows Installer. It has a unique, wizard-driven process that enforces best practices, streamlines the package building process, speeds troubleshooting and tailors the package to the needs of the environment. Impact analysis capabilities enable administrators to test for possible conflicts, to anticipate problems and to help make new package rollouts run smoothly.

Speed PC provisioning and migration

HP Configuration Management OS Manager automatically provisions and maintains the right operating system for each device as prescribed by policies. It creates images, provisions them according to policies and manages the operating systems throughout the entire lifecycle. In a PC environment, it works together with HP Configuration Management Settings Migration Manager for personalized settings migration on each PC to ensure that productivity during the migration process is maximized.

Deploy applications and content with ease

HP Configuration Management Application Manager provides the control and reliability required to execute timely application deployments based on business or IT needs. Everything can be handled with ease: emergency situations when patches or applications must be deployed immediately, scheduled deployments where the application must go live across the enterprise at the same time, or small targeted deployments for a select group of end users. In a server environment, Application Manager utilizes Application Management Profiles (AMPs), which provide templates to ease the deployment of complex server applications.

Enable self-service software management

HP Configuration Management Self-Service Manager provides a self-service portal in a PC environment that users can access for downloading, repairing, updating and removing software. It presents a personalized software catalog via the electronic Definitive Media Library. This software library is generated dynamically according to the user's identity and role, the machine's configuration and the entitlement policies set by IT.

Monitor software utilization

HP Configuration Management Application Usage Manager monitors the utilization of every application on all of your desktops, notebooks and servers. With direct visibility into the location, frequency, version status and trends of software use, your IT organization can reduce costs and mitigate risks.

Secure software from vulnerabilities

HP Configuration Management Patch Manager provides full lifecycle management of patches, service packs and hot fixes, including discovery, download and collection, testing, conflict analysis and vulnerability assessment, targeting, deployment and continuous enforcement. By automating patch management, deployment time is decreased from months to days, thereby shortening the window during which known vulnerabilities remain exploitable.

Comprehensive reporting

HP Configuration Management software brings the reporting elements from every tool in the solution together for comprehensive and centralized operational reporting.


You can also extend reports to include your own data resources. Hundreds of reports and views are available out of the box with flexible customization. Depending upon business needs, you can drill down for greater levels of detail in problem areas, or get an executive dashboard for high-level IT operations status.

Centralized policy management for compliance

The Enterprise Manager administrative console is a web-based console for centralized policy administration. Administrators can manage multiple directory services from a single console and quickly identify directory objects, including policy assignment for each managed object. Enterprise Manager provides enhanced security with role-based administration and access controls, with access rights defined only within the directory. In addition, all policy changes can be tracked in a complete audit trail to document what policy changes were made, at what time and by whom, for compliance purposes. With centralized and continuous management, entitlement policies are enforced to reduce the risk of unauthorized access to systems. In addition, software is maintained and deployed via an electronic Definitive Media Library according to ITIL best practices to ensure its integrity.

Part of a closed-loop change management solution

HP Configuration Management software is tightly integrated with HP ServiceCenter and HP AssetCenter to form a robust solution for closed-loop change and asset management. The change process, from request through deployment and verification, can be managed through the HP ServiceCenter console and synchronized with HP Configuration Management software. In addition, tight integration with HP AssetCenter provides closed-loop asset management and enables software license compliance. By providing an automated, closed-loop solution, IT can deliver new services faster, more reliably and with greater efficiency.

In summary, the HP Configuration and Patch Manager provides the following features:

• Automated deployment: Efficiently, reliably and quickly deploy software changes across the largest number of devices, from hundreds to hundreds of thousands, to reduce management costs, time to market and risk.

• Security and compliance enforcement: Define and centrally manage the policies governing software configurations across the enterprise, automate patch management, maintain an audit trail for compliance, and enable compliance through policy enforcement and software distribution based upon an electronic Definitive Media Library.

• Continuous lifecycle management: Utilize a common automation tool to manage heterogeneous and distributed servers, desktops and notebooks for their entire lifecycle: discovery, provisioning and deployment, ongoing management and updates, and software removal and retirement.

• Windows Vista support: Reduce the time, cost and risk of Windows Vista migrations, including Windows Vista readiness evaluation and reporting, conflict analysis, and automated migration and deployment.

• Closed-loop change management: Integrates with HP ServiceCenter and HP AssetCenter to automate the change process for IT efficiency and acceleration of service delivery.

4.2.3.3.2. ProLiant Essentials Vulnerability and Patch Management Pack

For more specific security patch management, the ProLiant Essentials Vulnerability and Patch Management Pack integrates comprehensive vulnerability assessment and advanced patch management functions with HP Systems Insight Manager. It identifies and resolves security vulnerabilities quickly, efficiently, and reliably. The pack can be used independently or integrated with a broader patch management solution like HP Configuration Management Patch Manager.

Features of the ProLiant Essentials Vulnerability and Patch Management Pack include:

• Combined vulnerability assessment and patch management: A single tool seamlessly combines the assessment and the remediation of vulnerabilities, reducing the operational complexity that arises from managing separate tools.

• Integration with HP Systems Insight Manager: Integration enables use of existing functionality (such as discovery, identification, scheduling, role-based security, notification, and group-based actions) to eliminate the need for users to recreate tasks in multiple tools for vulnerability assessment and patch management.

• Comprehensive vulnerability assessment: Coverage of vulnerabilities reported in all leading vulnerability databases ensures comprehensive assessment. Powered by Harris STAT Scanner (at the time of writing, the only scanner with Common Criteria certification, an internationally accepted security qualification), the assessment identifies vulnerabilities reported in the Common Vulnerabilities and Exposures (CVE) list, the Federal Computer Incident Response Center (FedCIRC) vulnerability catalog, the SANS Top 20 Internet Security Vulnerabilities list, the CERT/CC advisories list, and the U.S. Department of Energy Computer Incident Advisory Capability (CIAC) bulletins.


• Acquisition, deployment, and enforcement of patches: The pack automatically collects new vulnerability updates and patches directly from vendor sources, such as a vendor's web-based patch repository. Patch manifests, which break down each patch into its component parts, are created automatically.
• Centralized management: Schedulable patch deployment, patented differencing (comparing actual against expected configurations), and checkpoint restarts (resuming processes at checkpoints after interruptions) ensure that patches are deployed with minimal impact on network resources and allow patches to be managed from a central point.
• Unique desired-state management: The system automatically and continuously ensures that patches remain applied in their proper state. If patches are corrupted in any way, they are automatically reinstalled to bring the system back to the desired patch level.
• Server lifetime coverage: The license provides coverage for the lifetime of the server for software upgrades and vulnerability updates.

4.2.3.3.3. Microsoft Security Patch Management Tools

Microsoft Corporation provides several tools to help with security patch management:

• The Microsoft Baseline Security Analyzer (MBSA)
• Automatic Updates (AU)
• Windows Server Update Services (WSUS)
• Systems Management Server 2003 (SMS 2003) and the Systems Management Server 2003 Inventory Tool for Microsoft Updates

The MBSA tool can perform a general security analysis scan on Microsoft Windows NT 4.0 and later versions of Microsoft Windows systems (the latest MBSA version, 2.1, is fully compatible with Windows Vista). MBSA can also scan the following Microsoft applications: Exchange Server, SQL Server, Microsoft Office and ISA Server. Besides a security analysis scan, MBSA also provides patch-scanning functionality. In addition, MBSA can be integrated with WSUS. This means that MBSA can check the enterprise WSUS server for security updates instead of checking the Microsoft Corporation web site.

AU is the client-side patching and update engine that is integrated in the Windows client and server OS platforms. AU can leverage either WSUS or the Microsoft Update web service to obtain the latest security patches.

The Microsoft Update, Windows Update and Microsoft Office Update web services allow Windows users to easily download and install the latest Microsoft OS and application patches.

Windows Server Update Services (WSUS) gives enterprise administrators the ability to provide Microsoft Update-based security patch services to their users and systems in a controlled and secure manner. WSUS can be used to set up an enterprise update server from which internal Microsoft Windows clients and servers can download the latest patches.

Systems Management Server 2003 and the Systems Management Server (SMS) 2003 Inventory Tool for Microsoft Updates (ITMU) are Microsoft Corporation's most advanced security patch management tools. The ITMU can determine security patch status and generate reports on patch status. ITMU integrates with SMS 2003 for distributing and installing patches.

4.2.3.3.4. HP-UX Security Patch Management Tools

Security Patch Check (SPC) automatically downloads the latest security bulletin catalog and analyzes a system or depot. It then generates a report of applicable security bulletins and identifies required actions, including required patches, updates, software removals, and manual actions. To perform regular analyses, administrators can run it as part of an automated process (for example, cron on UNIX and UNIX-like OSs) or set up automatic runs via Bastille, an open-source lockdown tool.

The HP IT Resource Center (ITRC) patch download page can be used in conjunction with SPC. It performs dependency analyses on the requested patches, ensuring that the administrator has all needed patches.
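The work that SPC and the ITRC dependency analysis do, and that the "which patches to deploy" and "ability to audit patch implementation" points of 4.2.3.1 and 4.2.3.2 call for, can be demonstrated with a small analyser. This is an added example for this handbook, not SPC, ITRC or any HP tool's code: the bulletin identifiers, patch names, product versions and the host inventory are constructed for the demonstration and are not real HP-UX bulletins or patches.

```python
"""Added example: analysing an installed-software inventory against a security
bulletin catalog and resolving patch dependencies.  The bulletin IDs, patch
names, products and versions are constructed for illustration; they are not
real HP-UX bulletins or patches, and this is not SPC or ITRC code."""

# Constructed bulletin catalog.  "fixed_in" is the first safe version;
# None means there is no fix and a manual action is required instead.
BULLETINS = {
    "EX-2001": {"product": "sshd", "fixed_in": "2.4", "patch": "PX_1001"},
    "EX-2002": {"product": "bind", "fixed_in": "9.3", "patch": "PX_1002"},
    "EX-2003": {"product": "sendmail", "fixed_in": None, "patch": None,
                "manual": "remove sendmail if it is not required"},
    "EX-2004": {"product": "libc", "fixed_in": "1.7", "patch": "PX_1004"},
}

# Constructed patch metadata: prerequisites and supersession.
PATCHES = {
    "PX_1001": {"requires": ["PX_1004"], "superseded_by": None},
    "PX_1002": {"requires": [], "superseded_by": "PX_1005"},
    "PX_1004": {"requires": ["PX_1006"], "superseded_by": None},
    "PX_1005": {"requires": [], "superseded_by": None},
    "PX_1006": {"requires": [], "superseded_by": None},
}

# Constructed inventory of one host: product versions and patches present.
INSTALLED = {"sshd": "2.3", "bind": "9.1", "sendmail": "8.13",
             "libc": "1.8", "cron": "1.0"}
INSTALLED_PATCHES = {"PX_1006"}


def version_tuple(v):
    """Compare dotted numeric versions; assumes purely numeric components."""
    return tuple(int(x) for x in v.split("."))


def applicable_bulletins(installed, bulletins=BULLETINS):
    """Bulletins whose product is installed below the fixed version, or
    that have no fix at all."""
    hits = []
    for bid, b in sorted(bulletins.items()):
        ver = installed.get(b["product"])
        if ver is None:
            continue
        if b["fixed_in"] is None or version_tuple(ver) < version_tuple(b["fixed_in"]):
            hits.append(bid)
    return hits


def resolve_patches(wanted, patches=PATCHES, installed_patches=frozenset()):
    """Expand a list of patches into install order: follow supersession to the
    current patch, pull in prerequisites first (depth-first), skip anything
    already installed, and refuse dependency cycles."""
    order, seen = [], set()

    def visit(pid, chain=()):
        while patches[pid]["superseded_by"]:
            pid = patches[pid]["superseded_by"]
        if pid in chain:
            raise ValueError("dependency cycle: " + " -> ".join(chain + (pid,)))
        if pid in seen or pid in installed_patches:
            return
        for dep in patches[pid]["requires"]:
            visit(dep, chain + (pid,))
        seen.add(pid)
        order.append(pid)

    for pid in wanted:
        visit(pid)
    return order


def analyse(installed, installed_patches, bulletins=BULLETINS, patches=PATCHES):
    """Produce the kind of report SPC gives: applicable bulletins, the patches
    to install in dependency order, and the manual actions left over."""
    bids = applicable_bulletins(installed, bulletins)
    wanted = [bulletins[b]["patch"] for b in bids if bulletins[b]["patch"]]
    manual = {b: bulletins[b]["manual"] for b in bids if bulletins[b].get("manual")}
    return {"bulletins": bids,
            "install": resolve_patches(wanted, patches, installed_patches),
            "manual": manual}


if __name__ == "__main__":
    report = analyse(INSTALLED, INSTALLED_PATCHES)
    print("applicable bulletins:", report["bulletins"])
    print("install in order:    ", report["install"])
    print("manual actions:      ", report["manual"])
```

For the constructed host the libc bulletin is not applicable (1.8 is already past the fix), the sshd patch pulls in its libc prerequisite ahead of itself while the already-installed PX_1006 is skipped, the bind patch is replaced by the one that supersedes it, and the sendmail bulletin surfaces as a manual action rather than a patch. Running the same analysis after deployment, with the returned list added to the installed set, is the audit step: an empty "install" list and no remaining bulletins is what patch compliance looks like.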

4.2.3.3.5. Linux Security Patch Management Tools

Most, if not all, Linux distributors provide highly granular security patches on nearly a daily basis. Patching is part of a well-balanced change-management process which includes tools that list applicable patches and their dependencies so that they can be reviewed by application owners and system stakeholders before they are applied. Linux systems have a wide variety of these tools at their disposal, including APT, Yum, Yet Another Setup Tool (YaST), up2date, and HP Radia Patch Manager.


4.2.3.3.6. Summary of Patch Management

Security patch management is paramount to maintaining a proactive stance against threats and vulnerabilities. A number of tools available from HP help organizations to manage security independently and effectively across various OSs and platforms. For more effective business continuity and enterprise-level protection, security patch management tools can be tied into the larger IT management function via integration with a general patch management tool. In addition, HP's Proactive Security Management Program identifies and prioritizes critical patches. It conducts system audits to ensure compliance and calculates business risks associated with newly identified vulnerabilities. HP can provide the right level of solution for any business requirement.

4.2.4. Lockdown and Hardening

Traditionally, systems have shipped with all of their features and capabilities turned on. If these capabilities are not in use, the system can be in a more vulnerable state than necessary. Lockdown and hardening consists of turning off unneeded services and features, configuring the remaining features and services to restrict data flow to only those that need it, and finally configuring applications to use secure protocols so that they are more resilient to attack.

It might seem that locking down or hardening a system is a one-time task completed during initial installation; however, configurations can be altered, accidentally or maliciously. For this reason, hardening must be audited and regularly verified as part of the compliance monitoring component of an effective proactive security management program.

Hardening and lockdown methods are platform specific. HP provides capabilities to lock down systems running on HP-UX, Linux, and Microsoft platforms.

4.2.4.1. HP-UX Lockdown and Hardening

HP-UX Bastille is an open source security-hardening tool supported by HP for use on the HP-UX OS. It is the first comprehensive lockdown tool to provide an intuitive, educational, wizard-style interface, making it easy to use for non-experts. HP-UX Bastille allows inexperienced and experienced security administrators alike to quickly make appropriate security decisions and tradeoffs.

Interactive elements in the user interface educate the system administrator about security issues. Bastille saves users time and pain with its supported and tested configuration changes. Furthermore, Bastille's "ratchet" lockdown approach ensures that users do not accidentally "loosen" their system. The tool also provides a revert feature as a safety net to quickly remove the Bastille security configuration if needed.

HP-UX Bastille can operate:

• Interactively with the wizard interface to harden the local host or to create a generic profile for use on multiple hosts
• At installation time via the install-time Security Ignite-UX interface

HP-UX Bastille performs a number of specific lockdown actions. These include:

• Removing risks associated with unused features by configuring system daemons, kernel, OS settings, network, and software
• Lowering patch urgency for disabled products by disabling unneeded services, such as echo and finger
• Providing additional security layers for Internet services such as web and Domain Name Service (DNS) by creating chroot "jails"
• Assisting patch currency by configuring Security Patch Check (SPC) to run automatically
• Dramatically reducing the system's network exposure by configuring a simple, comprehensive, deny-all inbound IPFilter firewall
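Two of the actions above (disabling unneeded inetd services such as echo and finger, and a deny-all inbound IPFilter policy) are also what the audit-and-verify requirement stated at the start of 4.2.4 must re-check over time, since a configuration can drift after the lockdown is applied. The following added example shows such a baseline check; it is written for this handbook and is not Bastille code. The inetd.conf and IPFilter fragments are constructed samples in the style of those files, and the baseline sets are assumed values.

```python
"""Added example: verifying that a lockdown baseline is still in place.  The
inetd.conf and IPFilter fragments are constructed samples in the style of
those files; they are not Bastille output, and the baseline sets are
assumptions for the demonstration."""
import re

# Baseline: services that must stay disabled and the only inbound TCP port
# that may be passed through the deny-all inbound filter.
BASELINE_DISABLED_SERVICES = {"finger", "echo", "chargen", "telnet"}
BASELINE_ALLOWED_INBOUND_PORTS = {22}

INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
echo    stream tcp nowait root internal
"""

IPF_CONF = """\
# constructed sample IPFilter rule set
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 8080 keep state
block in all
"""


def enabled_inetd_services(conf):
    """Service names on non-comment lines; commented-out lines are disabled."""
    names = set()
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def inbound_allowed_ports(rules):
    """(TCP ports passed inbound, whether a 'block in all' default exists).
    This inspects what the rule set declares; it does not simulate rule
    ordering or 'quick' semantics, which a full IPFilter evaluator would."""
    ports, default_deny = set(), False
    for line in rules.splitlines():
        line = line.strip()
        if line.startswith("pass in"):
            m = re.search(r"port\s*=\s*(\d+)", line)
            if m:
                ports.add(int(m.group(1)))
        elif re.fullmatch(r"block\s+in\s+all", line):
            default_deny = True
    return ports, default_deny


def audit(inetd_conf, ipf_conf):
    """Report every deviation from the baseline; an empty list means the
    lockdown is intact."""
    findings = []
    for svc in sorted(enabled_inetd_services(inetd_conf) & BASELINE_DISABLED_SERVICES):
        findings.append(f"inetd service '{svc}' is enabled but the baseline disables it")
    ports, default_deny = inbound_allowed_ports(ipf_conf)
    if not default_deny:
        findings.append("IPFilter has no 'block in all' default-deny rule")
    for port in sorted(ports - BASELINE_ALLOWED_INBOUND_PORTS):
        findings.append(f"inbound TCP port {port} is passed but not in the baseline allow list")
    return findings


def ratchet(current_allowed, requested_allowed):
    """Bastille-style ratchet for the allow list: a re-run may tighten but
    never widen what the current configuration already permits."""
    return set(current_allowed) & set(requested_allowed)


if __name__ == "__main__":
    for finding in audit(INETD_CONF, IPF_CONF) or ["baseline intact"]:
        print(finding)
```

On the constructed input the audit reports two deviations: echo has been re-enabled in inetd.conf, and port 8080 has been opened inbound beyond the baseline, while the commented-out telnet and finger entries and the default-deny rule are accepted. The ratchet() helper shows the "never loosen" rule in its simplest form: a request to pass {22, 8080} against a current allow list of {22} yields {22}, so re-running the lockdown cannot re-open a port the baseline closed.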

For more information about HP-UX Bastille, see www.hp.com/products1/unix/operating/security/index.html.


4.2.4.2. Linux Lockdown and Hardening

Many Linux OS distributions also contain lockdown applications, including Bastille. Bastille examines the system and walks the user through a system-hardening process. It will not make assumptions or modify the system without getting approval for each step. Bastille can be used to iteratively harden a system, while LogCheck, PortSentry, Tripwire, and AIDE can be used independently as guides to determine whether a system is being (or has been) compromised. For more information, see www.bastille-linux.org.

Tiger Analytical Research Assistant (TARA), which has been extended to comply with HP's own IT Security Controlled Host Requirements, can scrub the system for anomalies that might compromise the system's integrity (such as anything that might make the system fail an audit). HP development engineers have extended TARA to encompass the IT Security Linux Controlled Host Requirements for Internet-facing network environments. With these and other tools, and an appropriate security review process, system administrators are able to significantly increase and maintain the security of newly deployed systems.

4.2.4.3. Microsoft Windows Lockdown and Hardening

Microsoft provides extensive guidance for locking down its OS platforms and applications. Good examples are the Windows XP Security Guide, the Windows Vista Security Guide and the Windows Server 2003 Security Guide.

In Windows Server Active Directory (AD) domain environments, Windows platforms can be easily locked down by following the guidance given in the above security guides, and by using the Security Configuration Wizard (SCW, a built-in security lockdown tool for Windows servers) and Group Policy Object (GPO) security and configuration settings.

In addition, HP provides the following Windows OS and Microsoft application hardening services and solutions.

HP Services provides hardening services for Microsoft clients and the following server roles bundled with the Windows Server OS:

• Domain controller
• Directory server (Active Directory (AD) or Active Directory Application Mode (ADAM))
• Dynamic Host Configuration Protocol (DHCP) server
• Domain Name System (DNS) server
• Windows Internet Naming Service (WINS) server
• File server
• Print server
• Internet Information Services (IIS) (Microsoft's web and application server)
• Internet Authentication Service (IAS) server (Microsoft's RADIUS server)
• Certificate server (for Public Key Infrastructure services)
• Network Access Protection (NAP) (Microsoft's Network Admission Control (NAC) solution)

Specific server roles (not bundled with the Windows Server OS and part of dedicated Microsoft software offerings):

• Exchange Server: Messaging server
• Office Communications Server (OCS): Real-time collaboration server
• SharePoint Portal Server: Web portal server
• SQL Server: Database server
• Identity Lifecycle Manager (ILM): Identity management and provisioning server
• System Center: Management server
• BizTalk Server: Business integration and process management server

HP also offers exclusive Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Windows Vista and Microsoft Windows Server 2003 security solutions, called HP ProtectTools for Microsoft Products. These solutions can, for example, replace the password hashing algorithms supplied in Microsoft Windows with customer-specific algorithms that make brute force or dictionary password hacking much more difficult.


Table 2-2 HP proactive security management offering summary

Offering                                    Where to find it
Proactive Security Management Solutions     www.hp.com/go/security/proactive
Proactive Security Management Services      www.hp.com/go/security (click the HP security services link)
Security Assessment Services                www.hp.com/go/security (click the HP security services link)
SMB Security Services                       www.hp.com/sbso/services/security__vulnerability.html
Security Health Check Services              www.hp.com/go/security (click the HP security services link)
Global Security Operations Centers          www.hp.com/go/security (click the HP security services link)
Security and HP-UX 11                       www.hp.com/go/hpux11isecurity

In the context of this discussion on Windows hardening, the following HP ProtectTools for Microsoft Products solutions are relevant:

• HP ProtectTools Authentication Services: This product provides a number of features that enhance the standard Microsoft authentication process. The central feature is enhanced password management, achieved by implementing a CESG-approved password hashing and password generation system. Each organization is provided with special CESG seed values to ensure that each organization's system is unique. Where government algorithms are not applicable, alternative commercial algorithms are used. The product also manages the change of administration passwords, provides last successful and unsuccessful login information, and can be configured for multiple login denial and timed auto-logout. The use of a hashing mechanism unique to the organization's systems prevents access from unauthorized systems even when a valid username and password are used.

• HP ProtectTools Windows Mobile: Most organizations see mobile computing as the next big opportunity for achieving cost reductions while increasing business efficiency. Security has been the major concern preventing the take-up of this technology. HP has the capability to secure remote connections and protect the data held on mobile devices such as laptops and PDAs. HP ProtectTools Windows Mobile ensures that proper authentication is undertaken, that all data is deleted if the system is lost or stolen and the password is incorrectly entered a predetermined number of times, and that PDAs can only link with known and authorized PCs.
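The principle behind the organization-unique password hashing described for HP ProtectTools Authentication Services above (a per-organization secret folded into the hash, so that a credential store is usable only by systems that hold that secret) can be shown in a few lines. The following is an added illustration of that principle written for this handbook; it is not HP's algorithm and makes no claim about the CESG-approved scheme. The organization secrets, sample password and PBKDF2 work factor are constructed assumptions.

```python
"""Added example: per-organisation keyed password hashing.  It illustrates the
principle behind the organisation-specific hashing described for HP
ProtectTools Authentication Services (a credential store usable only by
systems holding the organisation's secret); it is not HP's algorithm, and
the secrets, passwords and work factor are constructed assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor, an assumed value


def hash_password(password, org_secret, salt=None):
    """Derive a per-user verifier with PBKDF2, then bind it to the organisation
    with an HMAC under org_secret.  A stolen database of (salt, tag) pairs
    cannot be attacked by dictionary search without that secret, and a tag
    made under one organisation's secret never verifies under another's."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    tag = hmac.new(org_secret, salt + dk, hashlib.sha256).digest()
    return salt, tag


def verify(password, record, org_secret):
    """Constant-time comparison of a recomputed tag against the stored one."""
    salt, stored = record
    _, tag = hash_password(password, org_secret, salt)
    return hmac.compare_digest(tag, stored)


# Constructed organisation secrets; in practice these would be provisioned
# per organisation and kept out of the credential database itself.
ORG_A_SECRET = b"constructed-secret-for-organisation-A"
ORG_B_SECRET = b"constructed-secret-for-organisation-B"


def demo(password="correct horse battery staple"):
    """Enrol one password under organisation A and try three verifications."""
    record = hash_password(password, ORG_A_SECRET)
    return {
        "same_org_ok": verify(password, record, ORG_A_SECRET),
        "wrong_password": verify("wrong password", record, ORG_A_SECRET),
        "other_org": verify(password, record, ORG_B_SECRET),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The third check is the one the text is about: the correct username and password presented to a system that holds a different organization secret does not verify, because the stored tag is bound to the secret under which it was created. The flip side is operational: the organization secret must be backed up and protected separately from the credential database, since losing it makes every stored record unverifiable, and exposing it removes the extra cost it imposes on dictionary attacks.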

5. Proactive Security Management Summary

It is often joked that the most secure computer is one that is in a guarded, locked room… and is also turned off. The point of the joke is that there is no such thing as 100% security, and the most secure system is one that is not useful. The reality is that there is a set of trade-offs or variables to manage, such as costs, asset values, security technologies, and people. Proactive Security Management is the science of managing those variables with people, processes and technology to support an organization's goals, and doing so while maintaining an acceptable level of risk. The environment for our IT infrastructures includes an ever-changing state of threats, an evolving set of vulnerabilities, and the basic human-nature condition that if something has value, then there is at least one person who might try to take it.

To be certain, security management has matured far beyond simply keeping the bad guys out or presenting a single console that consolidates security point tools. To achieve its stated goals, security management must: (1) manage the protection of data, applications, systems, and networks, both proactively and reactively; (2) respond to changes in business and organizational models as well as in the threat environment; (3) integrate with IT infrastructure management and operations; and (4) all the while, maintain the level of security and operational risk that the organization has pre-defined.

For further information about Proactive Security Management products and solutions from HP, please see the URL locations listed in Table 2-2.

Table 2-2 HP proactive security management offering summary


Chapter 3 Identity Management

"The increasingly distributed nature of corporate networks, the proliferation of web-based applications, increased security awareness, and government regulations such as Sarbanes-Oxley and HIPAA have contributed to making identity management a necessity for virtually every business." - Roberta Witty, Research Director, Gartner, Inc.

Identity management is one of the three key security areas in which HP is innovating. Within the HP security framework, identity management provides a set of processes and tools that allow administrators to manage large populations of users, applications, and systems quickly and easily. In addition, business policies, regulatory compliance, and risk factors shape the policies and practices that direct identity management.

This chapter begins by providing the definition and purpose of identity management. Next, it presents the identity management components and the key elements of identity management solutions. The final section of the chapter discusses the specific identity management capabilities that HP delivers.

1. Definition

Identity management is the set of principles, processes, tools, and social contracts surrounding the creation, maintenance, and use of digital identities for people, systems, devices and services. It enables secure access to a set of systems and applications. Identity management solutions and infrastructures include data repositories, security services, lifecycle management services, consumable value, and management components. Identity management has strong links to security, trust, and privacy management. It also delivers components of risk management.

Traditionally, identity management has been a core component of system security environments. It is used for maintaining account information and controlling access to a system or a limited set of applications. Control is usually the primary focus of identity management: for example, an administrator issues accounts to restrict and monitor access to resources. More recently, however, identity management has also become a key enabler of electronic business.

2. Purpose

Identity management combines processes and technologies to secure and manage access to an organization's resources and assets. In addition, it identifies every user (even anonymous ones), application, service or device throughout and across organizations, and over time. Identity management provides flexible authentication, access control, and auditing while respecting privacy and regulatory controls. Identity management systems are fundamental to establishing accountability in business relationships, customizing the user experience, protecting privacy, and adhering to regulations.

The following list provides examples of the primary goals that drive organizations to implement identity management solutions:

• Reduce total cost of ownership (TCO) for all systems, including the costs of administration, help desk, and technical support
• Reduce management overhead
• Provide competitive advantage by enabling automation and streamlining optimization of business processes
• Improve customer and employee service
• Support the maintenance, control and confidentiality of customer, supplier, and employee data
• Reduce the time for employees, partners, customers, services, devices and others (e.g. contingent and emergency workers) to gain access to required organizational resources
• Reduce the risk of using incorrect information for business processes
• Reduce the risk of employees, partners, customers, services, devices and others retaining access to organizational resources after their relationship with the organization has changed (e.g. promotion of an employee) or ended (e.g. a customer ends a service contract)
• Support legal and compliance initiatives related to employee and customer data, for example the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, the EU Directive on Data Protection, the Basel II Accord, and the Canadian Privacy Act

In short, the purpose of identity management is to provide organizations with the following key benefits:

• Enhanced enterprise agility and productivity
• Improved end-user convenience
• Increased IT management efficiency, including cost reduction
• Effective regulatory compliance

Figure 3-1 Identity management (diagram: within the HP security framework, Identity Management sits alongside Governance and Compliance, Proactive Security Management and Trusted Infrastructure; it is driven by Business Objectives, Regulatory Compliance and Operational Risk, and is made up of Data Repository, Security, Lifecycle, Consumables and Management components governed by Policies)

"Organizations are using identity and access management to reduce administrative costs, increase user productivity, tighten security and make systems compliant with policies and regulations." - Carol Baroudi, Aberdeen Group, "Identity and Access Management" Report, March 2007

3. What is a Digital Identity?

Identity is a complicated concept with many nuances that range from the philosophical to the practical. In the context of identity management, however, the identity of an individual is the set of information known about that person. In the digital world, a person's identity is typically referred to as a digital identity. Different contexts, roles, affiliations, and application environments can require different levels of assurance and different digital identities. Therefore, a person can have multiple digital identities. These multiple identities are often referred to as personalities, profiles, guises, avatars and other similar terms.

Although digital identities are predominantly associated with humans, they are increasingly being associated with non-human entities (services, systems, and devices) that can act on behalf of people. Specific examples include trusted platforms, next-generation mobile phones, identity-capable platforms and Digital Rights Management (DRM)-based devices.

Figure 3-2 illustrates the content of a digital identity. An identity consists of a person's unique profile data, identifier data, and authentication and authorization data. Each piece of content can be linked to different contexts (company, web, and application) and to the person's role in that context. For example, a person's identity can be made up of a set of names, addresses, driver's licenses, passports, field of employment, etc. This information can be used for identification, authentication and authorization purposes, for example:

• A name can be used as an identifier: it allows us to refer to the identity without enumerating all of its items.

• A passport can be used as an authenticator: it is issued by a relevant authority and allows us to determine the legitimacy of someone's claim to the identity.

In different contexts, different unique identifiers can be used. In the above example, the driver's license could be a relevant unique identifier for interacting with the Department of Motor Vehicles, while name, surname and address form the unique identifier for the post office or a delivery service, and so on. It is also important to consider the information and potential identifiers that can be derived or aggregated from such data. For example, in many countries a driver's license, while functioning as a privilege, also contains other information such as a name, an address and a photo, allowing it to serve as an identifier or authenticator. This information can be used to link to other systems, going well beyond the function of proving the privilege to drive.

Data associated with an identity is often used improperly. For example, the use of a birth certificate as an authenticator is a particularly poor choice, since there is generally nothing about a birth certificate that allows an individual to be correlated with the claims on the certificate. A better choice would be a passport holding the individual's photo ID, or a smart card storing the individual's fingerprint, or better still, multiple authenticators at the same time. Ultimately, each of these documents is derived from an initial claim of identity, which is often established by presenting a birth certificate.

Figure 3-2 Identity content

"Digital identity is one of the fundamental building blocks for the next generation of information systems." - Tony Scott, CTO, General Motors

This is especially important during the identity verification phase, in which an organization first establishes a relationship with an employee, partner, customer or other party. This step is critical to ensuring that future actions and processes are maintained at an acceptable level of protection.

A high value is placed on authenticators that have gone through a rigorous vetting process prior to issuance. The converse also holds: an identifier that is shared widely loses its value. For example, despite the intention, and government guidance, not to use the U.S. Social Security Number (SSN) as a unique identifier by anything other than financial institutions, many organizations do so. Because of the ubiquitous and generally accepted use of this identifier, its value as a unique personal identifier has decreased, as identity thieves take advantage of that ubiquity. The value of an identifier is directly related to how it is connected to an individual: the stronger the linkage, the more valuable the identifier.

Metadata (information about data) qualifies all identity data, and an organization's policies for identity, authentication, authorization, and privacy protection define the metadata requirements. Policies are defined by an organization's IT and business decision makers; they are aligned with corporate governance rules, regulatory restrictions, and contractual obligations specific to the organization's operating environment.

Identity information and related policies can change over time. This means that identity management not only deals with static information but also copes with changes to identity data. The same is true for security policy management.

Multiple views can exist of an entity's identity information. Each view defines a digital identity that is valid and appropriate for a given context or purpose. Using multiple views within and across multiple contexts enables interactions and transactions. Examples of different views and contexts are illustrated in Figure 3-3.

Different stakeholders can disclose, access, and use digital identities in one or more contexts, including personal, social, e-commerce, enterprise, and government. This occurs through a variety of means, including personal appliances, enterprise systems, and web services.

From an identity subject's point of view, there are multiple perceptions of their identity information:

• Me Me is the part of identity information that the subject is aware of and directly controls. An example is personal address information stored and maintained in an organization's white pages directory. It can also include personal or private information, such as a credit card number or SSN, that an individual carefully protects and reveals only in particular circumstances.
• Known Me is the part of identity information that the subject is aware of and indirectly controls. An example is an individual's revenue data and associated tax levels that are stored in the tax department's database. Even though the individual provides the revenue data to the tax department, he or she does not have direct control over the content of the database.
• Unknown Me is the part of identity information that the subject is not aware of and cannot control. Other stakeholders, who may be known to the subject, can control this information. Examples include Certification Authorities (CAs), authorized e-commerce sites, Trusted Third Parties (TTPs), and unknown third parties (for example, credit rating agencies and identity thieves).

Figure 3-3 Identity views and contexts (subject's perspective) (diagram: the "Me Me", "Known Me" and "Unknown Me" views of identity information overlapping the Personal, Social, E-Commerce, Work (Enterprise), Government and Other contexts)

Figure 3-4 (diagram contents) shows the components of an identity management solution in five groups:
Data Repository Components: Directories, Meta-directories, Virtual Directories, Databases
Security Components: Authentication, Authorization, Auditing
Lifecycle Components: Provisioning, Longevity
Consumable Value Components: Single Sign-On, Personalization, Self-Service
Management Components: User Management, Access Management, Privacy Management, Federation Management

4. Identity Management Components

Identity management solutions are modular and composed of multiple service and system components. This section outlines the components of a typical identity management solution, as illustrated in Figure 3-4.

Components of identity management solutions exist at different maturity stages. Components like authentication and directories are very mature and are considered consolidated technologies.

Provisioning, authorization, federation and single sign-on (SSO) components are rapidly consolidating. Others, such as the privacy management component, are still in a definition and research stage.

4.1. Data Repository Components

Identity repositories deal with the representation, storage, and management of identity and profiling information. They provide standard Application Programming Interfaces (APIs) and protocols for information access. Data repositories are often implemented as a Lightweight Directory Access Protocol (LDAP)-accessible directory, meta-directory, or virtual directory. Other repositories used in the context of identity management solutions are databases and XML-formatted files. Policy information, which governs access to and use of the information in the repository, is generally managed and stored in these repositories as well.

4.2. Security Components

Authentication providers, sometimes referred to as identity providers, are responsible for performing the primary authentication that links an individual to a given identity. The authentication provider produces an authenticator: a token allowing other components to recognize that primary authentication has been performed.

Primary authentication techniques are generally considered in terms of:

• “Something you know”, such as a password, PIN or the answer to an identifying question (e.g. mother’s maiden name).
• “Something you have”, such as a mobile phone, credit card, an X.509 public-key infrastructure (PKI) certificate, smart card, or other hardware security token.
• “Something you are”, such as a fingerprint, a retinal scan, or other biometrics.
• “Somewhere you are”, such as being within a given geographical location, or within range of a known beacon.

Each identity may be associated with multiple authentication providers. In addition, the mechanisms employed by each provider may be of different strengths. To accept the claim of a given identity, some application contexts may require a minimum level of strength.
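The following Python is an added example, not code from the handbook or from any HP product. It shows an authentication provider that verifies "something you know" (a password) and, where the subject has enrolled a device, "something you have" (a TOTP code), then issues an authenticator recording which factor types were verified and the resulting assurance level; a relying component states the minimum level it will accept. The two-level assurance scale, the user records, the salt and the TOTP secret are all assumptions constructed for the example.

```python
"""Added example (not from the HP Security Handbook or an HP product): an
authentication provider that verifies "something you know" (a password) and,
when the subject has enrolled a device, "something you have" (a TOTP code),
then issues an authenticator recording the factor types verified and the
resulting assurance level. A relying component states the minimum level it
requires. The level scale, user records and secrets are constructed values."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed assurance scale: 1 = one factor type verified, 2 = two distinct types.
LEVEL_ONE_FACTOR = 1
LEVEL_TWO_FACTOR = 2


@dataclass
class Authenticator:
    """Token handed to other components after primary authentication."""
    subject: str
    factors: Tuple[str, ...]   # factor types verified, e.g. ("know", "have")
    level: int
    issued_at: int


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None   # None = no device enrolled


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a constructed value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by common authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthenticationProvider:
    def __init__(self, users: Dict[str, UserRecord]):
        self.users = users

    def authenticate(self, subject: str, password: str,
                     totp_code: Optional[str] = None,
                     now: Optional[int] = None) -> Optional[Authenticator]:
        now = int(time.time()) if now is None else now
        user = self.users.get(subject)
        # Hash even for unknown subjects so response time does not reveal
        # whether the account exists.
        rec = user if user is not None else UserRecord(os.urandom(16), b"\x00" * 32)
        password_ok = hmac.compare_digest(hash_password(password, rec.salt),
                                          rec.password_hash)
        if user is None or not password_ok:
            return None
        factors = ["know"]
        if totp_code is not None and user.totp_secret is not None:
            # Accept the current 30 s step and one step either side (clock drift).
            if not any(hmac.compare_digest(totp(user.totp_secret, now + d * 30), totp_code)
                       for d in (-1, 0, 1)):
                return None   # a wrong second factor fails the whole login
            factors.append("have")
        level = LEVEL_TWO_FACTOR if "have" in factors else LEVEL_ONE_FACTOR
        return Authenticator(subject, tuple(factors), level, now)


def accept(auth: Optional[Authenticator], minimum_level: int) -> bool:
    """Relying component: accept the identity claim only at the required strength."""
    return auth is not None and auth.level >= minimum_level


def demo_users() -> Dict[str, UserRecord]:
    """Constructed sample records (not real credentials)."""
    salt = b"constructed-salt"
    return {
        "alice": UserRecord(salt, hash_password("correct horse", salt),
                            b"12345678901234567890"),   # RFC 6238 test secret
        "bob": UserRecord(salt, hash_password("hunter2", salt)),
    }
```

Two design points matter here. A wrong second factor fails the whole login rather than degrading to level 1, otherwise an attacker who knows the password could simply omit or mistype the code and still obtain a usable authenticator; and the password hash is computed even for unknown subjects so that response time does not disclose which accounts exist.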

Authorization providers enforce access control when an entity accesses an IT resource. They allow applications to make authorization and other policy decisions based on privilege and policy information stored in the data repository. An authorization provider can support simple access control management at the operating system (OS) level. It can also support finer-grained role- and/or rule-based controls at the application and service levels.

Auditing providers supply mechanisms to track how identity information in the data repositories is created, modified, and used. They are an essential enabler of forensic analysis, which helps determine who circumvented policy controls and how the controls were evaded.
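As an added example (not code from the handbook or from an HP product), the Python below puts the authorization and auditing providers described in the two paragraphs above side by side: a policy that mixes role-based rules with rule-based (attribute) conditions, a deny-overrides combining rule, and an audit record written for every decision so that a later forensic review can show which subject was granted or refused which resource and under which rules. The role assignments, the rules, the resource paths and the "hour" attribute are all constructed for the example.

```python
"""Added example (not from the HP Security Handbook or an HP product): an
authorization provider that evaluates a policy mixing role-based rules with
rule-based (attribute) conditions, uses deny-overrides combining, and writes an
audit record for every decision. Role assignments, rules and resources are
constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    attributes: Dict[str, object]   # subject and environment attributes


@dataclass
class Rule:
    name: str
    effect: str                       # "permit" or "deny"
    roles: FrozenSet[str]             # roles the rule applies to; empty = any subject
    action: str                       # "*" = any action
    resource_prefix: str              # resource path the rule covers
    condition: Optional[Callable[[Request], bool]] = None   # rule-based part


@dataclass
class AuditRecord:
    subject: str
    action: str
    resource: str
    decision: str
    matched_rules: List[str]


class AuthorizationProvider:
    def __init__(self, roles: Dict[str, FrozenSet[str]], rules: List[Rule]):
        self.roles = roles                       # role assignments from the repository
        self.rules = rules                       # the authorization policy
        self.audit_log: List[AuditRecord] = []   # consumed by the auditing provider

    def _applies(self, rule: Rule, req: Request, subject_roles: FrozenSet[str]) -> bool:
        if rule.roles and not (rule.roles & subject_roles):
            return False
        if rule.action != "*" and rule.action != req.action:
            return False
        if not req.resource.startswith(rule.resource_prefix):
            return False
        if rule.condition is not None and not rule.condition(req):
            return False
        return True

    def decide(self, req: Request) -> str:
        subject_roles = self.roles.get(req.subject, frozenset())
        matched = [r for r in self.rules if self._applies(r, req, subject_roles)]
        # Deny-overrides: any matching deny wins; no applicable rule means deny.
        if any(r.effect == "deny" for r in matched):
            decision = "deny"
        elif any(r.effect == "permit" for r in matched):
            decision = "permit"
        else:
            decision = "deny"
        self.audit_log.append(AuditRecord(req.subject, req.action, req.resource,
                                          decision, [r.name for r in matched]))
        return decision


def example_provider() -> AuthorizationProvider:
    """Constructed policy: HR analysts read HR data and may export it only during
    office hours; contractors are denied HR data outright; anyone may read
    public data."""
    roles = {"alice": frozenset({"hr-analyst"}),
             "bob": frozenset({"contractor"})}
    rules = [
        Rule("hr-read", "permit", frozenset({"hr-analyst"}), "read", "/hr/"),
        Rule("hr-export-office-hours", "permit", frozenset({"hr-analyst"}), "export", "/hr/",
             condition=lambda r: 8 <= r.attributes.get("hour", -1) < 18),
        Rule("contractor-no-hr", "deny", frozenset({"contractor"}), "*", "/hr/"),
        Rule("public-read", "permit", frozenset(), "read", "/public/"),
    ]
    return AuthorizationProvider(roles, rules)
```

The audit record stores the names of the rules that matched, not just the decision: an empty list on a deny tells the investigator that no rule covered the request (a policy gap), while a named deny rule tells them the policy worked as written. Default-deny and deny-overrides are the conservative choices; an XACML deployment would express the same policy with its own combining algorithms.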

Figure 3-4 Identity management components


4.3. Lifecycle Components

Provisioning is the automation of all the procedures and tools used to manage the lifecycle of an identity. Provisioning procedures include:

• Creating the identity, including an identifier
• Linking to authentication providers
• Setting and changing attributes and privileges
• Decommissioning an identity

In large systems, provisioning tools generally permit some form of self-service for creating and maintaining an identity. They frequently use a workflow or transactional system to verify data with an appropriate authority. The tools may also propagate data to affiliated systems that do not directly consume the repository.

Longevity tools create the historical record of an identity. These tools allow the examination of the evolution of an identity over time. Longevity is linked to the concept of attestation: the ability to determine which actors had access to which resources and in what timeframe (irrespective of whether they exercised that access, which is a matter of auditing).
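The Python below is an added example, not code from the handbook or from an HP product, covering the provisioning steps listed above together with the longevity and attestation record. Every lifecycle step (create the identity, link an authentication provider, grant or revoke an entitlement, decommission) is appended as a timestamped event that is never edited, so the current state is a projection of the log and the attestation question "which identities could access resource R at time T" can be answered for any past T. Decommissioning revokes every outstanding entitlement first, which is the control against an identity retaining access after the relationship ends. Identifiers, resource names, actors and timestamps are constructed for the example.

```python
"""Added example (not from the HP Security Handbook or an HP product): a
minimal provisioning and longevity store built on an append-only event log.
Identifiers, resources and timestamps are constructed values."""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Event:
    time: int          # seconds since epoch
    kind: str          # created | linked | granted | revoked | decommissioned
    identity: str
    detail: str = ""   # provider name (linked) or resource (granted/revoked)
    actor: str = ""    # who performed the step, for auditing


class IdentityLifecycle:
    def __init__(self) -> None:
        self.log: List[Event] = []   # append-only; never edited

    def _append(self, ev: Event) -> None:
        if self.log and ev.time < self.log[-1].time:
            raise ValueError("events must be appended in time order")
        self.log.append(ev)

    def exists(self, identity: str, at: int) -> bool:
        """Created and not yet decommissioned at time `at`."""
        state = False
        for ev in self.log:
            if ev.time > at or ev.identity != identity:
                continue
            if ev.kind == "created":
                state = True
            elif ev.kind == "decommissioned":
                state = False
        return state

    def _require(self, identity: str, time: int) -> None:
        if not self.exists(identity, time):
            raise ValueError(f"{identity} does not exist (or is decommissioned) at {time}")

    def create(self, identity: str, time: int, actor: str) -> None:
        if self.exists(identity, time):
            raise ValueError(f"{identity} already exists")
        self._append(Event(time, "created", identity, actor=actor))

    def link_provider(self, identity: str, provider: str, time: int, actor: str) -> None:
        self._require(identity, time)
        self._append(Event(time, "linked", identity, provider, actor))

    def grant(self, identity: str, resource: str, time: int, actor: str) -> None:
        self._require(identity, time)
        self._append(Event(time, "granted", identity, resource, actor))

    def revoke(self, identity: str, resource: str, time: int, actor: str) -> None:
        self._append(Event(time, "revoked", identity, resource, actor))

    def decommission(self, identity: str, time: int, actor: str) -> None:
        self._require(identity, time)
        # Revoke everything still held, so nothing survives the relationship.
        for resource in sorted(self.entitlements(identity, time)):
            self.revoke(identity, resource, time, actor)
        self._append(Event(time, "decommissioned", identity, actor=actor))

    def entitlements(self, identity: str, at: int) -> Set[str]:
        """Resources the identity held at time `at` (replays grants and revocations)."""
        held: Set[str] = set()
        for ev in self.log:
            if ev.time > at or ev.identity != identity:
                continue
            if ev.kind == "granted":
                held.add(ev.detail)
            elif ev.kind == "revoked":
                held.discard(ev.detail)
        return held

    def who_had_access(self, resource: str, at: int) -> Set[str]:
        """Attestation query: identities entitled to `resource` at time `at`."""
        identities = {ev.identity for ev in self.log if ev.time <= at}
        return {i for i in identities if resource in self.entitlements(i, at)}

    def history(self, identity: str) -> List[Event]:
        """Longevity record: the full evolution of one identity."""
        return [ev for ev in self.log if ev.identity == identity]


def sample_lifecycle() -> IdentityLifecycle:
    """Constructed scenario: alice is provisioned, gains and loses entitlements,
    then leaves; bob keeps his access."""
    lc = IdentityLifecycle()
    lc.create("alice", 100, "hr-feed")
    lc.link_provider("alice", "corp-ad", 100, "hr-feed")
    lc.create("bob", 150, "hr-feed")
    lc.grant("alice", "/finance/ledger", 200, "manager-1")
    lc.grant("bob", "/finance/ledger", 250, "manager-1")
    lc.grant("alice", "/hr/payroll", 300, "manager-2")
    lc.revoke("alice", "/hr/payroll", 400, "manager-2")
    lc.decommission("alice", 500, "hr-feed")
    return lc
```

Because state is only ever derived from the log, `who_had_access` answers the attestation question for a past instant without a separate snapshot store, and `history` is the longevity record. Note what the log does not say: whether alice ever opened the ledger, which is the auditing provider's job, not the lifecycle store's.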

4.4. Consumable Value Components

Identity management solutions can provide the following value-added services for the users or consumers of an identity management system: SSO, personalization and self-service.

SSO allows a user to perform a single primary authentication to gain access to the set of applications and systems in the identity management environment.

Personalization and preference management tools associate an identity with application-specific and generic information. These tools allow applications to tailor the user experience, streamline the user interface, and target information dissemination for a business.

Self-service enables users to self-register for access to business services and manage profile information without administrator intervention. It also allows users to manage their own authentication credentials, for example assigning passwords, resetting passwords, and requesting X.509 PKI certificates. Self-service reduces IT operation costs, improves customer service, and improves information consistency and accuracy.

4.5. Management Components

User management provides IT administrators with a centralized infrastructure for managing user profile and preference information. User management enables organizations to decrease overall IT costs through directory optimization and profile synchronization. User management tools provide user self-service capabilities and enhance the value of an organization's existing IT investments.

Access management provides IT administrators with a centralized infrastructure for managing user authentication and authorization. An access control management service increases security, reduces complexity, and reduces overall IT costs by automating access policies for employees, customers, and partners.

Privacy management ensures that identity management solutions respect privacy and data protection policies, as defined in company, industry, and governmental regulations, while storing, accessing, processing and disclosing personal data.

Federation management establishes trusted relationships between distributed identity providers. This often involves sharing web service endpoints, X.509 PKI certificates, and supported/desired authentication mechanisms.

4.6. The Effect of Policies on Management Components

Policy controls govern and drive management components. Policies may cause events to be audited or an identity subject to be notified when information is accessed. The following policies are typically involved in an identity management solution:

• Identity policies control the format and lifetime of an identity and its attributes.
• Authentication policies control the characteristics and quality requirements of authentication credentials.
• Authorization policies determine how resources can be accessed.
• Privacy policies govern how identity information may be accessed, processed or disclosed.
• Provisioning policies determine what resources are allocated to which identities and how the resources are allocated and de-allocated.

5. Key Elements of Identity Management Solutions

There are many products and solutions available in the identity management market. They generally provide one or more of the identity management components and target different types of users and contexts, including e-commerce sites, service providers, enterprises, and government institutions. Key IT industry players are currently focusing on creating identity management suites that provide all of the components shown in Figure 3-4.


There is a considerable amount of overlap between the different solution categories available on the market. A good example is meta-directories and provisioning solutions: the role of meta-directories has gradually shifted from pure data synchronization (a repository function) to lifecycle component functions such as the creation of user entries (a provisioning function).

Identity management solutions also involve other elements. These include authentication devices (smart cards, biometric devices, and authentication tokens), anonymity services, and the standards outlined in the next section.

The quality of identity management products and solutions depends on how successfully they handle a number of factors. Among other things, these factors include keeping identity information in a consistent and up-to-date state, satisfying related management policies and legal requirements, preserving privacy and trust, and ensuring that security requirements are fulfilled. The key elements to consider in an identity management solution include:

• Adherence to identity management standards
• Types of deployment models
• Means of addressing complexity and competing demands
• Methods of safe digital identity management
• Level of product interoperability

Organizations should also consider the following identity management trends when building an identity management solution:

• Identity services
• Business-driven identity management
• Identity-capable platforms and device-based identity management

We will explain these key elements and trends inmore detail in the following sections.

5.1. Identity Management Standards

Standards provide a common set of protocols, semantics, and processing rules that allow the various components of an identity management solution to interoperate. Table 3-1 provides an overview of the most important current and emerging standards used in identity management architectures and solutions.

Recently there has been an increase in standards that are proposed by one or a few companies that are very active in the identity management sector (as opposed to the traditional consortium-driven identity management standards). Good examples are the OpenID initiative and the Microsoft CardSpace initiative (which leverages WS-*).

Type | Relevant Standards | More Information
Identity Repositories | Lightweight Directory Access Protocol (LDAP) | www.ietf.org
Identity Repositories | ISO/ITU X.500 | www.itu.int
Privacy Standards | Platform for Privacy Preferences (P3P) | www.w3.org/P3P
Privacy Standards | Enterprise Privacy Authorization Language (EPAL) | www.zurich.ibm.com/security/enterprise-privacy/epal
Access Control | eXtensible Access Control Markup Language (XACML) | www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Provisioning | Service Provisioning Markup Language (SPML) | www.oasis-open.org/committees/tc_home.php?wg_abbrev=provision
Federation | Security Assertion Markup Language (SAML) | www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
Federation | Liberty Alliance standards | www.projectliberty.org
User-centric Identity Management | OpenID | www.openid.net
User-centric Identity Management | Microsoft CardSpace | www.microsoft.com/net/cardspace.asp
User-centric Identity Management | Higgins | www.eclipse.org/higgins/
Supporting Standards | WS-Security | www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
Supporting Standards | WS-* (Roadmap) | http://msdn2.microsoft.com/en.us/library/ms977312.aspx

Table 3-1 Relevant standards for identity management architectures

5.2. Deployment Models

Identity management systems are primarily deployed in one of three models: silos, walled gardens, or federations.

• Silos are the predominant model on the Internet today. In this model, the identity management environment is established and operated by a single entity for a fixed user and resource community. A good example is a Microsoft Windows domain, governed by a set of predefined administrators and domain controller (DC) servers.

• Walled gardens represent a closed community of organizations. A single identity management system serves the common user community of a collection of businesses. Most frequently this occurs in business-to-business exchanges, and specific rules govern the entity operating the identity management system. A good example is the Identrus PKI, which brings together individual bank-level PKIs into a closed banking-community PKI.

• Federations and federated identity management environments are emerging deployment models. They include systems like Liberty Alliance Project-based federations, federation systems built on the Web Services Security (WS-Security) and WS-Federation (WS-Fed) standards, and relatively recent user-centric frameworks such as the OpenID and Microsoft CardSpace initiatives.

The central difference between federated identity management systems and walled gardens is that a single entity operates a walled garden. By contrast, federated systems support multiple identity providers and a distributed and partitioned store for identity information. Clear operating rules govern the various participants in a federation, both the operators of components and the operators of the services that rely on the information provided by the identity management system. Most systems exhibit strong end-user controls over the dissemination of identity information to members of the federation.
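As an added example (not code from the handbook, from any HP product, or from the SAML or WS-Federation specifications), the Python below shows what "multiple identity providers" means for the service that relies on them. Each provider signs the assertions it issues; the relying party keeps a registry of trusted issuers and their verification keys, checks the signature with the key of the issuer named in the assertion (so a third party cannot borrow a trusted issuer's name), and then checks audience, validity window and assertion ID to reject replays. HMAC-SHA256 with a per-issuer shared key stands in for the X.509 signature a SAML deployment would use; issuer names, keys, subjects and timestamps are constructed for the example.

```python
"""Added example (not from the HP Security Handbook or an HP product): a
relying party in a federation with several identity providers. HMAC-SHA256
with a per-issuer key stands in for an X.509 signature. Issuer names, keys and
assertions are constructed values."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Set, Tuple


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key

    def issue(self, subject: str, audience: str, attributes: Dict[str, str],
              now: int, lifetime: int = 300, assertion_id: Optional[str] = None) -> dict:
        payload = {
            "id": assertion_id or os.urandom(8).hex(),
            "iss": self.issuer, "sub": subject, "aud": audience,
            "nbf": now, "exp": now + lifetime,
            "attrs": attributes,          # only what the user released
        }
        sig = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingParty:
    def __init__(self, audience: str, trusted_issuers: Dict[str, bytes]):
        self.audience = audience
        self.trusted = trusted_issuers      # issuer name -> verification key
        self.seen_ids: Set[str] = set()     # replay cache (bounded by exp in practice)

    def verify(self, assertion: dict, now: int) -> Tuple[bool, str]:
        payload = assertion.get("payload", {})
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            return False, "untrusted issuer"
        # The key is chosen by the issuer name in the assertion, so an assertion
        # signed with any other key fails here even if it claims a trusted name.
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return False, "bad signature"
        if payload.get("aud") != self.audience:
            return False, "wrong audience"
        if not (payload["nbf"] <= now < payload["exp"]):
            return False, "outside validity window"
        if payload["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(payload["id"])
        return True, "ok"


def federation_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed federation: two trusted providers, one outsider, and the
    checks a relying party must perform."""
    idp_a = IdentityProvider("https://idp-a.example", b"key-a-constructed")
    idp_b = IdentityProvider("https://idp-b.example", b"key-b-constructed")
    outsider = IdentityProvider("https://idp-a.example", b"attacker-key")  # spoofs A's name
    rp = RelyingParty("https://app.example", {idp_a.issuer: b"key-a-constructed",
                                               idp_b.issuer: b"key-b-constructed"})
    t = 1_000_000
    good = idp_a.issue("alice", "https://app.example", {"role": "staff"}, t, assertion_id="a1")
    results = {"good": rp.verify(good, t + 10), "replay": rp.verify(good, t + 20)}
    results["other_idp"] = rp.verify(
        idp_b.issue("bob", "https://app.example", {}, t, assertion_id="b1"), t)
    results["spoofed_issuer"] = rp.verify(
        outsider.issue("mallory", "https://app.example", {}, t), t)
    tampered = idp_a.issue("carol", "https://app.example", {"role": "staff"}, t, assertion_id="a2")
    tampered["payload"]["attrs"]["role"] = "admin"
    results["tampered"] = rp.verify(tampered, t)
    results["wrong_audience"] = rp.verify(
        idp_a.issue("dave", "https://other.example", {}, t, assertion_id="a3"), t)
    results["expired"] = rp.verify(
        idp_a.issue("erin", "https://app.example", {}, t, assertion_id="a4"), t + 301)
    return results
```

The order of the checks is deliberate: the issuer lookup and signature come first so that nothing in an unauthenticated payload is trusted before its origin is established, and the audience check prevents an assertion issued for one service in the federation from being presented to another. In a production deployment the shared keys would be the X.509 certificates exchanged during federation setup (Section 4.5), and the replay cache would be pruned as assertions expire.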

5.3. Complexity and Competing Demands

The current identity management landscape is very complex because of the multiple interests, perspectives, concerns, and technologies involved. Identity management is important in different scenarios, including enterprise, e-commerce, social networking and government. It supports business processes and services, and it enables digital interactions and transactions.

There are competing demands on what identity management should provide, differing concerns about its focus, and conflicting interests. Examples of competing demands include enterprise focus versus consumer focus, mobility versus centralization, legislation versus self-regulation, subjects' control versus organizations' control, and privacy versus free market.

5.3.1. Numerous Stakeholders

Demands are dictated by various stakeholders, which can include enterprises, e-commerce sites, service providers, government agencies, and identity subjects (consumers). Stakeholders have different objectives and priorities when dealing with the management of digital identities:

• Enterprises are driven by their business objectives and needs. They manage large sets of identity data to enable their businesses, rationalize their assets, simplify interactions with partners and customers, ensure regulatory compliance, and meet contractual obligations. Identity data also helps enterprises manage the information lifecycle of their workforce and manage access to enterprise resources.
• E-commerce sites and service providers manage consumers' identity information to achieve a variety of goals, such as increasing sales, understanding customers' needs, customizing services, and selling information to third parties.
• Government agencies are concerned with the control and protection of their citizens' personal information. They also seek strong and undeniable authentication mechanisms and the automation and rationalization of their services via the Internet.
• Consumers have different concerns and needs depending on the role they play. They are in the middle (or, depending on the point of view, at the source) of most of the competing demands previously noted. As employees or consumers, they want to access and use services in the simplest and most efficient way. Private citizens' needs and concerns might include privacy, distrust of institutions, and the accountability of the involved parties.

This variety of interests and concerns, along with emerging technologies, increases the complexity of identity management. All of these aspects influence each other in a spiral of potentially conflicting requirements. For example, new legislation addresses citizens' need for privacy; however, it constrains how enterprises, service providers, and e-commerce sites process personal information.


5.3.2. Multiple Domains

Multiple domains can also increase the complexity of identity management. Business tasks, digital interactions, and digital transactions can span multiple domains. In an e-commerce context, for example, a digital transaction might require the involvement of several e-commerce sites and the exchange of identity information among them. This exchange has strong implications for managing trust, privacy, authentication, authorization, and accountability. Business-to-business interactions and transactions within supply-chain communities face similar challenges as a result of multiple domains.

5.3.3. Fragmented Implementation

Further complexity derives from the challenge of installing, configuring, administering, and integrating current identity management products. This is mainly due to the fragmentation of identity management components and the lack of interoperability and standards. This complexity creates frustration and delays the adoption of identity management solutions in the IT environment.

5.4. Safe Digital Identity Management

Identity management systems bring great value to the digital world. Federated identity environments, in particular, hold promise for widespread deployment. As the distinction between real-world identity and digital identity blurs, however, methods of safe digital identity management need to be considered:

• Authenticity of identity, or identity assurance. How is the accuracy and validity of identity information measured and determined? What trust services or identity proofing processes are necessary to generate confidence in the information in the identity management system?
• Longevity of information. Do identity management systems adequately track changes to identity information over time? Do they maintain the necessary artifacts to support historical investigations? How often does identity proofing or re-proofing need to take place? How is information disposed of, and how often must disposal occur?
• Privacy. Do identity management systems provide adequate controls to preserve individual privacy? Does the system provide adequate support for anonymity and multiple user-controlled personas?
• Identity theft. Do widespread identity management systems make it easier to perpetrate identity theft or identity fraud, and what can we do to minimize the risk to the organization, its employees, partners, customers and others?
• Legal structures. What protections exist for the holder of the identity or the relying party? Do these protections go beyond contractual obligations when digital identity systems are used for interactions that today are limited to the physical world?

5.5. Product and Solution Interoperability Challenges

Most of the current identity management products and solutions rely on self-contained, stand-alone management and control tools. Little integration or interoperability is available with other management tools to deal with the management of security, trust, and privacy in an orchestrated way. To react to changes, identity management products and solutions need to evolve toward higher levels of interoperability, flexibility, and capability.

Particularly challenging are the interoperability issues in the federated identity management space, which are due to competing and overlapping proposals, such as the Liberty Alliance ID-FF, OpenID, Higgins, and CardSpace initiatives. A promising initiative in this context is the Concordia Initiative, which tries to create interoperability options and proposals among the above-mentioned proposals and initiatives. More information can be found at www.projectconcordia.org/index.php/Main_Page.

6. Identity Management Trends

When building an identity management solution, organizations should not only focus on the key elements that were outlined above; they must also consider the following identity management trends:

• Identity services
• Business-driven identity management
• Identity-capable platforms and device-based identity management

6.1. Identity Services

An emerging trend in enterprise identity management and federated identity management is the use of Identity Services, or services that leverage identity management components and solutions to provide reusable identity management capabilities across organizations. Examples of emerging identity services are:

• Authentication and credentialing services
• Single-sign-on services
• Authorization services
• Provisioning services
• Services for long-term archiving of identity information and related records
• Cryptographic services such as digital signing, time-stamping and encryption

Identity services reflect the increasing interest and shift of enterprise IT applications and solutions towards Service Oriented Architecture (SOA)-based and Web 2.0-based approaches. In the medium and long term, identity services will significantly impact applications and services and the way organizations deal with identity management in general.

3-8

Identity Management

Page 88: HP Security Handbook

6.2. Business-driven Identity Management

Enterprises and other organizations are increasingly managing IT from a business perspective, to reduce costs, improve availability, tune capacity, optimize resource utilization, and to deal with risks and regulatory compliance.

In this context, the ITIL (IT Infrastructure Library) framework defines a set of best practices that are focused on aligning IT with business objectives. The ITIL best practices create a service-oriented culture, where there is an understanding that IT exists to support the business, that there is a commitment to deliver an agreed level of service, and that customers' satisfaction always comes first.

The ITIL core disciplines are centered on Service Support and Service Delivery. ITIL provides guidance in terms of Configuration Management, Change Management, Incident Management, Security Management (based on ISO/IEC 17799) and Audit Management.

Considering the increased importance identity management has in enterprises and the trend towards identity services, ITIL will play a key role in the definition of best practices and identity controls for identity management.

6.3. Identity-Capable Platforms and Device-based Identity Management

An important emerging area in identity management is device-based identity management. This is about the management of the identity of devices (smartphones, PDAs, laptops, etc.) in enterprise and federated contexts; using these devices to store identity information in a secure and trusted way; and enabling interactions and SSO between these devices, their users and other parties.

A considerable amount of work in this space has been done by HP Labs, together with HP businesses. Two research projects that are specifically worth noting are 1) the HPL project on Liberty Alliance identity-capable platforms and provisioning services, and 2) the HPL project on device-based identity management in enterprises.

Liberty Alliance Identity-Capable Platforms and Provisioning Services

Liberty Alliance's "Advanced Client Technologies" initiative aims at defining and specifying technologies that encompass a suite of advanced functionality in the areas of identity-capable devices, SSO, identity federation, service hosting, reporting and provisioning.

The key goal of this HPL R&D initiative is to enable users, via identity-capable platforms (ICP, such as laptops, smart phones, PDAs, etc.), to engage in federated, multiparty interactions and transactions (on the Internet or other networks) in a simplified and transparent way. At the same time, these ICP devices store, process and potentially disclose identity tokens in a secure, private and policy-controlled way. Identity tokens are provisioned to ICP devices via provisioning services and by means of protocols specified by the Liberty Alliance.

Intel has been leading the definition of Identity-capable Devices specifications in the context of Liberty Alliance. Other players include Nokia, BT, Vodafone, Gemplus, NTT, Sun, Symlab and HP. A working group in Liberty Alliance (supported, among many, by Intel, BT, HP Software/HP Labs) is standardizing ICP properties and capabilities along with the required back-end operational services. HP and HP Labs have developed and provided the back-end service capabilities that are required to enable ICP.

Device-based Identity Management in Enterprises

The management of device identities is becoming a key requirement in enterprises, where the identities of platforms and devices have become as important as the identities of humans to grant access to enterprise resources. In this context, access control systems need to understand which devices with what properties are being used to access resources, by whom and in which contexts. Trust in managed devices' identities is an important first step to enable this.

The separation between work, public and private aspects of a person's life is becoming more and more blurred. In particular, some devices are not only used for work-related matters but also for personal matters, such as accessing the web to retrieve information and make transactions, exchanging personal e-mails, making personal phone calls, storing and keeping track of personal information, calendars, etc.

From a user (individual) perspective, this trend further simplifies their day-to-day life by avoiding any unnecessary duplication of devices, tools and related efforts. From an enterprise perspective, the fact that devices are used by employees for a variety of purposes introduces additional risks and threats, in particular about the integrity of these devices and their trustworthiness to access enterprise intranets and networked resources. An additional risk is that private devices (e.g. personal laptops) could also be used at work, with potentially lower security and assurance levels (e.g. about installed software, patch control, local access control settings, etc.) than the ones mandated by the enterprise.


Current enterprise services, applications and information are mainly protected by traditional access control systems that usually only take into account human-based identities (via passwords, digital certificates, etc.) or (in more advanced situations) only human-based identities that are strongly bound to a given device. To have better control of accessed resources, it is becoming more and more important for enterprises also to explicitly identify what the identity of a device is, along with its properties; consider the identity of a device as a self-standing entity or the identity of a device as one of a group of known entities. Furthermore, trust and assurance are required about the authenticity and validity of a device's identity.

HP Labs R&D in this space has been focusing on modeling devices' identities, enabling their provisioning in heterogeneous enterprise systems, providing support for making and enforcing related access control decisions, and leveraging trusted computing capabilities of modern devices to deal with aspects of trust management.

7. Summary of Identity Management Concepts

From a technological and IT perspective, identity management is just one aspect of managing business solutions and the overall IT stack of networks, platforms, OSs, applications, middleware, and services. Identity management must be considered in a holistic way by including the management of security, trust, and privacy along with the management of policies, requirements, and changes. All of these aspects are interrelated and affect business solutions and the IT stack at different levels of abstraction.

The components within the identity management landscape are rapidly changing. Classic identity management components are consolidating. On the other hand, new components and standards are emerging, such as identity federations, identity for web services, and privacy management solutions. A good example is the linking of identity and network security solutions in the network access control (NAC) space. Where NAC begins by authenticating and validating the posture (or health) of a device attempting to connect to a network, the identity dimension ensures that the device is known, as well as the user of that device, before access is granted to specific parts of the network. Combining the various layers of device, network, identity and communication access controls into common policy models and known enforcement points allows an organization to deliver a more comprehensive defense-in-depth environment.

Identity management is also gaining importance. Future identity management solutions will play a more central role in the IT industry due to the pervasiveness and the increased presence of identity information in all components of the IT stack. Very important trends are also identity services, business-driven identity management, identity-capable platforms and device-based identity management.

8. HP Identity Management Products and Solutions

For HP, identity management is the ability to:

• Identify every user, application, and device throughout and across organizations over time
• Provide flexible authentication, access control, and auditing technologies, while respecting privacy and regulatory controls
• Bring management capabilities to individuals, small organizations, and large organizations via easy-to-use and understandable tools that cope with dynamic populations and business changes

HP's identity management vision is centered on the pervasiveness of identity management technologies and solutions:

• Identity management is about the management of user, application, service and device identities.
• Identity management is about the management of identities in different contexts: enterprises, small and medium businesses (SMBs), consumers, and the public sector.
• Identity management deals with the management of the entire lifecycle of identities and their attributes.

The following sections will define HP's identity management vision in more detail by exploring the different identity management building blocks. We will address identity repositories, security components, privacy management, identity lifecycle management, and federated identity management. In addition, we will discuss the Hewlett Packard National Identity Solution (HP NIS) as an example of how these building blocks are combined to create an integrated national identity management solution.

8.1. Identity Repositories

Directories are the most commonly used repositories for storing identity-related information. As mentioned previously, identity management solutions can incorporate other repositories, including SQL-rooted databases and XML-formatted files.

8.1.1. Types of Directory-based Identity Repositories

Different technological approaches exist for directory-based identity repositories: centralized enterprise directories, meta-directories, directory synchronization utilities, and virtual directories. Of these, only a centralized enterprise directory is a true identity repository. The other tools integrate and link different identity repositories:


• Enterprise directories can provide a single authoritative source for identity information throughout an enterprise. All users and directory-enabled applications rely on the identities stored in the enterprise directory. This is the ideal scenario. However, most enterprises cannot use this approach due to the presence of legacy service- and application-specific directories.

• Meta-directories provide a consolidated view of the identity data stored in different repositories. They also synchronize the data in the different repositories. A meta-directory resembles an advanced directory synchronization utility. Most meta-directory solutions come with workflow logic, and they overlap with many of today's identity provisioning solutions.

• Directory synchronization utilities are intelligent LDAP-based utilities that can synchronize identity data between different types of identity repositories, such as directories and databases.

• Virtual directories, unlike meta-directories, do not build a central repository, although there is usually some degree of caching capability inherent in the products to mitigate potential network performance and reliability issues. Instead, they rely largely on directory server or client functions to access the data stored in different directory sources. Virtual directories also allow for the creation of different application-specific views of directory data, e.g. a customer application view and an employee application view.

8.1.2. HP and Identity Repositories

HP considers directory identity repositories a mature market and uses a best-of-breed and customer preference approach. Table 3-2 gives a non-exhaustive overview of directory solutions.

HP offers the Red Hat/Netscape Directory Server for HP-UX 11i. The directory server is built into the foundation HP-UX operating environment. It provides the central database repository of user names and objects for system and application access.

Vendor | Directory Product | URL

Enterprise Directory
HP | Red Hat/Netscape Directory Server | www.hp.com/go/redhat, www.hp.com/go/hpux11isecurity
Novell | eDirectory | www.novell.com
Microsoft Corporation | Active Directory; Active Directory Application Mode (ADAM); Active Directory Lightweight Directory Services (AD LDS) | www.microsoft.com
Critical Path, Inc. | Directory Server | www.cp.net
Oracle | Oracle Internet Directory | www.oracle.com
Sun Microsystems, Inc. | Sun Java System Directory Server | www.sun.com

Meta-directory
Microsoft Corporation | Identity Lifecycle Manager 2007 (ILM 2007) | www.microsoft.com
Critical Path, Inc. | Meta-Directory Server | www.cp.net
Siemens | HiPath SIcurity DirX Identity | www.siemens.com

Directory Synchronization
HP | LDAP Directory Synchronizer (Compaq LDSU) | www.hp.com
IBM Corporation | IBM Tivoli Directory Integrator | www.ibm.com

Virtual Directory
Radiant Logic, Inc. | Radiant One Virtual Directory Server | www.radiantlogic.com

Table 3-2 Directory solutions


8.2. Security Components

This section discusses the triple-A components of an identity management solution: authentication, authorization, and auditing services. It provides details about the solutions HP offers in this space.

8.2.1. Authentication Technologies

Authentication is the process of verifying an entity's identity. Authorization credentials, which are uniquely linked to an entity, are typically used for verification. The security quality of authentication technologies largely depends on the following dynamics: the number of authentication factors, the authentication protocol, and the authentication method.

Multifactor authentication methods offer higher security quality than single-factor authentication methods. A good example of a multifactor authentication system is a smart card. It combines possession (of the card) and knowledge (of the card's PIN). Table 3-3 gives an overview of different authentication methods and the number of authentication factors they support.

Many identity management solutions require the authentication infrastructure to support multiple authentication methods and protocols. This may be necessary when the environment supports internal and external users that access a variety of resources. When resources hold different values or contain sensitive information, different methods and protocols may also be necessary. Access to confidential information, for example, may require a stronger authentication method than access to information published on a corporate intranet. In some authentication infrastructures, this feature is known as graded authentication. This simply means that the resources and information a user is allowed to access vary depending on the strength of the authentication protocol and method.
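
Graded authentication in working form, as an added example that is not HP's code: a session records which authentication methods it performed, the verifier maps those to the factor categories of Table 3-3 (knowledge, possession, biometric data, location), and each resource class states how many distinct factors it needs and which it insists on. The smart-card example (card plus PIN) is the handbook's; the factor mapping for the other methods, the resource classes and the "count distinct factors" strength rule are assumptions made for this illustration.

```python
"""Graded authentication: is the authentication a session performed strong
enough for the resource it requests, and if not, what is missing?

Added illustration, not HP's code. Factor categories and the smart-card example
come from the handbook; METHOD_FACTORS for the other methods, POLICIES and the
distinct-factor rule are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something you know: password, PIN
    POSSESSION = "possession"  # something you have: card, token
    BIOMETRIC = "biometric"    # something you are: fingerprint, iris
    LOCATION = "location"      # somewhere you are: dial-back line


# Factors each authentication method proves (assumed mapping, see module doc).
METHOD_FACTORS = {
    "password": {Factor.KNOWLEDGE},
    "smart_card": {Factor.KNOWLEDGE, Factor.POSSESSION},      # card + PIN
    "fingerprint": {Factor.BIOMETRIC},
    "fingerprint_smart_card": {Factor.KNOWLEDGE, Factor.POSSESSION,
                               Factor.BIOMETRIC},
    "dial_back": {Factor.KNOWLEDGE, Factor.LOCATION},         # assumed
}


@dataclass(frozen=True)
class ResourcePolicy:
    """Minimum number of distinct factors, plus factors that must be present."""
    min_factors: int
    required: frozenset = frozenset()


# Assumed resource classes of increasing sensitivity.
POLICIES = {
    "intranet_news": ResourcePolicy(min_factors=1),
    "hr_records": ResourcePolicy(min_factors=2),
    "ca_console": ResourcePolicy(min_factors=2,
                                 required=frozenset({Factor.POSSESSION})),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    proven: frozenset            # factors the session has demonstrated
    missing_required: frozenset  # required factors still absent
    shortfall: int               # further distinct factors still needed


def proven_factors(methods):
    """Union of the factors proven by the methods used in this session.
    Two methods of the same kind (two passwords) still count as one factor."""
    proven = set()
    for method in methods:
        proven |= METHOD_FACTORS[method]
    return frozenset(proven)


def authorize(methods, resource):
    """Compare the session's proven factors with the resource's policy.
    The result says exactly what a step-up prompt would have to collect."""
    policy = POLICIES[resource]
    proven = proven_factors(methods)
    missing = policy.required - proven
    shortfall = max(0, policy.min_factors - len(proven))
    return Decision(allowed=(not missing and shortfall == 0), proven=proven,
                    missing_required=missing, shortfall=shortfall)


if __name__ == "__main__":
    for methods, resource in ((("password",), "hr_records"),
                              (("password", "fingerprint"), "ca_console"),
                              (("smart_card",), "ca_console")):
        d = authorize(methods, resource)
        print(resource, methods, "allowed" if d.allowed else
              f"denied: {d.shortfall} more factor(s), "
              f"missing {sorted(f.value for f in d.missing_required)}")
```

The point the code makes that the paragraph only implies: strength is counted in distinct factor categories, so presenting two knowledge factors (a password and a second password) does not reach the two-factor bar for confidential resources, while a smart card with its PIN does in a single step.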

8.2.1.1. Strong Authentication

Today's problems of identity theft and the misuse of identities and their attributes are accelerated by the ever-increasing amount of interconnected users, applications, and devices. To attain greater levels of authentication, identity management solutions require strong authentication. Over the last decade, strong authentication has been associated with both cryptography and multifactor-rooted authentication.

Cryptography-based authentication means that the authentication protocol includes cryptographic operations in the identity and credential verification process. Table 3-4 provides descriptions of popular strong user and device authentication solutions.

Biometric Authentication

Biometric authentication is a form of strong user authentication receiving substantial attention. A biometric is any measurable aspect of a human's physiology or behavior that can be reliably captured and used as a distinguishing identifier for that person within a defined population. Biometrics are authentication mechanisms that use the "what you are" about an individual to determine his or her identity.

Biometrics are a method of tying a claim of identity to an individual in a way that is not easy to spoof. Historically, passwords or PIN codes authenticated a person's claim of identity. Passwords have many security-related issues, including the ease with which they can be shared and intercepted. Biometric authentication may not require a physical token or memorized knowledge; the user makes a "claim of identity" and proves that claim through a biometric scan. Typically, a claim of identity takes the form of entering a username, presenting a physical badge, or presenting a passport/ID card. If the biometric scan matches a previously stored sample, the user is authenticated.

Biometrics can also distinguish an individual from a pre-defined group, which is known as identification. Identification does not require a claim of identity from the individual in question; the system's goal is to determine if the individual's identity is known to it within a specified degree of accuracy. Identification is typically conducted over a pre-defined population of users who have enrolled a sample of their biometrics.

A biometric system can only compare a current sample with a previously enrolled sample set. Before users can be authenticated using biometrics, they must enroll samples in the authentication system. It is critical to perform quality checking at the time of enrollment, as a poor quality biometric enrollment negatively affects the performance of the overall system.


Authentication factor | Password or PIN | Smart Card or Token | Biometric Device | Biometric Device and Smart Card | Dial Back | Trusted Platform Module (TPM)

Knowledge x x x x

Possession x x x

Biometric Data x x

Location x

Table 3-3 Overview of authentication methods and the authentication factors they support


Understanding Biometric Technology

A biometric is any measurable aspect of a human's physiology that can be reliably captured and used as a distinguishing identifier for that person within a defined population. Examples of biometrics used in practice are fingerprints, iris scans, hand-geometry analysis or facial recognition. A biometric security system typically uses a biometric to replace a password to authenticate an individual. However, biometrics can also be used to identify if an individual is a member of a user group (termed identification).

Like any relatively new technology, the biometrics industry is rife with hype and speculation. Common myths about biometrics include:

Myth 1: Biometrics are foolproof. No security technology is considered foolproof, especially when pitted against a determined attacker. Biometric matching of individuals is a probabilistic system, and there is a probability of a false match, where an intruder is accepted as having a valid identity. The goal is increasing the probability of a valid match and reducing the probability of a false match to as close to zero as possible.

Myth 2: Biometrics are more secure than other forms of authentication. While the biometric matching step could be considered a "secure" verification of a person's identity, a biometric-based security system is only as strong as its weakest link. Similar to attacks against cryptographic systems, attackers may not only subvert the biometric component but also an element in the supporting infrastructure, for example the storage of the biometrics.

Myth 3: A fingerprint is a secret and unique identifier. Although fingerprints are thought to be unique, an individual's fingerprints are not secrets. We leave thousands of impressions of our fingerprints every day as we move through the world.

Myth 4: Biometric systems have perfect accuracy. Biometric matching is a probabilistic algorithm; there can be no absolute certainty that two biometric samples match, merely degrees of confidence in a match. Factors such as environment, device robustness and the demographics of a population each affect the total accuracy of a biometric system.

Myth 5: Biometrics can pick terrorists out from a crowd. The technology for face detection from moving video streams is available today, but the quality of the images captured is not sufficient for accurate matching. Even under ideal lighting and camera conditions, people can easily obscure or change their face with hats, scarves, or glasses. For example, even if a face matching system had a 1% false detection error rate (an extremely optimistic scenario), in a busy metropolitan airport it would identify more than 1,000 innocent people as terrorists.
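
The arithmetic behind Myths 1, 4 and 5, as an added worked example rather than the handbook's own figures: a matcher produces similarity scores, the operator picks a threshold that trades the false-match rate (FMR) against the false-non-match rate (FNMR), and identification against a watch list multiplies the false-match exposure by the gallery size. The score samples, the daily passenger count and the watch-list prevalence are constructed assumptions; only the 1% rate comes from the text above.

```python
"""Biometric error rates: threshold tuning, gallery amplification and the
base-rate effect behind the airport example.

Added worked example; the handbook supplies only the 1% false-match rate.
Score samples, passenger counts and prevalence are constructed assumptions."""


def error_rates(genuine_scores, impostor_scores, threshold):
    """FMR and FNMR at a threshold. A score at or above the threshold is
    declared a match; genuine pairs should match, impostor pairs should not."""
    false_matches = sum(1 for s in impostor_scores if s >= threshold)
    false_non_matches = sum(1 for s in genuine_scores if s < threshold)
    return (false_matches / len(impostor_scores),
            false_non_matches / len(genuine_scores))


def lowest_threshold_for_fmr(genuine_scores, impostor_scores, target_fmr):
    """Smallest observed score usable as a threshold whose FMR does not exceed
    target_fmr; lower thresholds keep FNMR (user frustration) down."""
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        fmr, _ = error_rates(genuine_scores, impostor_scores, t)
        if fmr <= target_fmr:
            return t
    return None


def identification_fmr(fmr, gallery_size):
    """Probability that one probe falsely matches at least one of gallery_size
    enrolled templates, assuming independent comparisons (one-to-many
    identification is much more exposed than one-to-one verification)."""
    return 1 - (1 - fmr) ** gallery_size


def expected_false_alarms(population, fmr):
    """Innocent people expected to be flagged when `population` probes are
    screened with false-match probability `fmr`."""
    return population * fmr


def positive_predictive_value(prevalence, fmr, fnmr):
    """Fraction of alarms that are true matches (Bayes' rule)."""
    true_alarm = prevalence * (1 - fnmr)
    false_alarm = (1 - prevalence) * fmr
    return true_alarm / (true_alarm + false_alarm)


# Constructed similarity scores (0..1) from a hypothetical matcher.
GENUINE = [0.91, 0.88, 0.95, 0.70, 0.83, 0.60, 0.92, 0.78]
IMPOSTOR = [0.10, 0.35, 0.22, 0.65, 0.48, 0.15, 0.30, 0.05]

if __name__ == "__main__":
    for t in (0.5, 0.75):
        fmr, fnmr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: FMR={fmr:.3f} FNMR={fnmr:.3f}")
    # Assumed airport: 100,000 passengers a day, 1% FMR, 1 in 10,000 on the
    # watch list, 10% chance a real match is missed.
    print("false alarms per day:", expected_false_alarms(100_000, 0.01))
    print("share of alarms that are real:",
          round(positive_predictive_value(1e-4, 0.01, 0.10), 4))
```

Under the assumed numbers fewer than one alarm in a hundred is genuine, which is why Myth 5 is a myth even with an "extremely optimistic" 1% rate: the per-comparison rate is multiplied by the size of the crowd and, for watch-list identification, by the size of the list as well.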


Strong Authentication Solution | Description

Strong User Authentication

Hardware Tokens: Hardware tokens are Liquid Crystal Display (LCD) panel devices that display number sequences that change periodically, for example, once per minute. In combination with a PIN, the token's software uses these sequences to create one-time passwords. Some tokens challenge the user with a built-in numeric keypad to calculate the passwords. Examples are the tokens from RSA (SecurID), ActivIdentity and Vasco.

Smart Card-Based Tokens: Smart cards are devices that can take a number of different physical forms. Most smart cards are similar to credit cards, with the addition of small, dime-sized memory chips or microprocessors. USB tokens can operate similarly to smart cards, and some vendors have implemented smart card functionality on cell phones and PDAs. Smart cards and other tokens are tamper-resistant devices that can be used for secure storage of private keys, passwords, and other personal information. Some models perform private key operations (generation, signing, and decryption) in a safe, isolated manner on the card itself. Smart card solutions require smart card readers to be deployed or integrated with the devices.

Software Tokens: Software tokens operate like hardware tokens, except that a software program installed on a user's workstation or other computing device (PDA or Pocket PC) provides a token generator or challenge/response system.

Biometric Authentication: Biometric authentication mechanisms match a physical characteristic of a user against a database record. Common methods include iris, palm, or fingerprint scans, as well as voice authentication. After years of development, these systems are becoming more reliable, yielding fewer false positives and false negatives. Prices are also falling, making biometrics increasingly practical, though still far more expensive than free passwords. Biometric solutions are particularly successful in physical facilities authentication and government applications like border security and law enforcement.

Strong Device Authentication

Radio Frequency Identification (RFID): An RFID system is a tag, which contains a minuscule computer chip and an antenna, that is attached to or embedded in an item. Items can be anything from a computer, to a dishwasher, to a living being. The tag transmits a signal to an electronic reader, which associates the signal with the specific item to which it is attached. The reader transmits this information to servers that collect and organize the data for tracking. RFID systems have the power to dramatically refashion such processes as the supply chain by making them more efficient, and they can bring direct consumer and societal benefits such as personalized shopping, medical reminders, and the identification of toxins before they reach landfills. However, the potential to tag and track every item raises privacy and civil liberty concerns. RFID technology has the potential to invade customer privacy and diminish customer control over personal information.

Trusted Platform Module (TPM): A TPM is an embedded security chip uniquely bound to a single computer platform that can be used for both user and device authentication. TPM core components are an RSA engine, a hash engine, a key generator, and a Random Number Generator (RNG). The TPM architecture has been defined by an industry body called the Trusted Computing Group (TCG).

Table 3-4 Overview of strong user and device authentication solutions

Why Use Biometrics?

Biometrics are appropriate for situations that require strong user authentication, in place of a password or smart card. For example, biometrics can be used as physical access controls for facilities or logical access controls for desktop computer login.

What Types of Biometrics are Available?

There are many different forms of biometrics that can verify an individual's identity. No one biometric can satisfy all operational requirements; some are more suited for office environments, and others apply to a broader range of environments.

• Fingerprint: The most recognized form of biometric is a fingerprint. Fingerprint scanners can take whole-hand images, multiple-finger images, or single-finger images.

• Iris scan: Iris scanning is often confused with retinal scanning. The iris is the visible colored part of the eye that surrounds the pupil. It is believed to be unique for each human.

• Retinal scan: Often confused with iris scanning, the retina is an area at the rear of the eyeball. A retinal scanner is a specialized device that must scan the eye from very close range. Despite its accuracy, retinal scanning is rarely used because of privacy and usability issues.

• Vein pattern: The pattern of veins in the hand is believed to be unique across the population. The hand is placed on a reader and illuminated with infrared light to detect the veins.

• Hand geometry: The geometry of the hand is potentially unique across the population. The hand is placed on a scanner and various measurements are taken of finger spacing, length, and angle.

• Voice analysis: Voice biometrics analyze the inflections of a speaker's voice to authenticate the speaker.

• Face: Facial biometrics analyze a picture (or stream of images) from a human face. Typically, a facial biometric system uses a standard digital camera to take a picture of a face.
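
How the hardware and software tokens of Table 3-4 turn a shared secret and the clock into one-time passwords, and what a verifier has to do before accepting one. This is an added example following the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms; it is not HP's, RSA's or any vendor's implementation, and the seed is the RFC 6238 test-vector value, chosen only so the output can be checked against the RFC. The verifier combines a PIN with the token code as the table describes, tolerates one time step of clock drift, and refuses a code whose time step has already been consumed.

```python
"""One-time passwords (HOTP/TOTP) with a verifier that checks PIN, drift window
and replay. Added example; not a vendor implementation.

SEED is the RFC 6238 test seed, used only so results are checkable."""
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"   # RFC test seed; real secrets are per token


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, int(at) // step, digits)


class TokenVerifier:
    """Server side for passcodes of the form PIN + token code."""

    def __init__(self, secret, pin, step=30, digits=6, window=1):
        self.secret, self.pin = secret, pin
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1      # highest time step already consumed

    def verify(self, passcode, now=None):
        now = time.time() if now is None else now
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        # Constant-time comparison; a wrong PIN fails before any code check.
        if not hmac.compare_digest(pin, self.pin):
            return False
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue            # stale step, or a code already accepted
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter     # burn the step: no replay
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(SEED, pin="1234")
    code = totp(SEED, time.time())
    print("first use:", v.verify("1234" + code))
    print("replay:   ", v.verify("1234" + code))
```

A code intercepted in transit is worth nothing once the verifier has burned its time step, and a verifier with no such record would accept it for as long as the window allows; that record, not the 30-second rotation alone, is what gives the "one-time" property.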


Biometrics Issues

Biometric technology brings a different set of operational and security issues into consideration:

• Ease of measurement: A fingerprint is easy to measure in an office environment, but it may be difficult to capture in an industrial setting where operators wear protective gloves. If the biometric is not easy to measure, users will be frustrated.
• Range of accuracy: Biometrics accuracy is highly dependent on the choice of sensors, the user population, the operational environment, and the manner of use.
• Device robustness: Biometric readers are subject to the usual wear and tear any office product experiences. Some will fail more rapidly than others, and each device may fail in different ways. For example, some readers may degrade the image that they capture so that a comparison may still be made, but others may simply refuse to capture an image.
• Technology improvements: The biometrics industry is moving at such a rapid pace of change that choosing a device and biometric system is often a moving target. When investing in biometric systems today, organizations should leave options open to move to a newer technology in the future.
• Acceptability to users: If users feel that the biometric system is slowing them down in their business activities, they will attempt to find ways around the system, or will claim that it does not work correctly.

HP Strong Authentication Solutions

HP offers a variety of strong authentication solutions. These include smart card technologies, biometric devices, TPM solutions and RFID technologies. Smart Card Security for HP ProtectTools is HP's strong authentication solution rooted in smart cards. It has several unique features:

• Smart card in BIOS allows for pre-boot authentication and is OS independent.
• Smart card logon allows for strong, smart card-based Microsoft Windows authentication without requiring a PKI.

Smart Card Security for HP ProtectTools is available on select commercial desktop, notebook, and workstation models. For the current model list, see www.hp.com/go/notebooks or www.hp.com/go/desktops.

HP biometric solutions include the HP USB biometric fingerprint reader, the HP built-in fingerprint reader on select models of the HP iPAQ Pocket PC, and the integrated biometric readers on select commercial notebooks. Credential Manager for HP ProtectTools, a module of HP ProtectTools, is standard on select commercial notebooks, desktops and workstations. Credential Manager offers an efficient and integrated means of managing multi-factor authentication with a fingerprint reader, smart card or token.

Tying the TPM to authentication technologies provides even stronger protection of identities by connecting software to hardware. Embedded Security for HP ProtectTools uses the TPM embedded security chip to help protect against unauthorized access to sensitive user data and credentials. It is supported on all HP business notebooks, and select desktops and workstations configured with a TPM embedded security chip. See www.hp.com/go/notebooks or www.hp.com/go/desktops for specific information on platforms. HP is the co-founder and leader of TPM specification development within the TCG. For more information about the TCG, see www.trustedcomputinggroup.org.


HP is leveraging its experience, expertise, and understanding of RFID technologies in its consulting services, and HP is one of the world's largest players in the space. HP has taken a leadership role in developing RFID standards. In fact, HP was performing trials and pilot projects long before January 2005, when Wal-Mart and the U.S. Department of Defense insisted that their suppliers begin using RFID tagging. With the world's ninth largest non-military supply chain, HP wants to demonstrate the value of RFID systems for increasing the end-to-end speed and visibility of supply chains.

8.2.1.2. Single Sign-On (SSO)

Single sign-on is the ability for a user to authenticate once to a single authentication authority, obtain a credential token or artifact with a defined lifespan, and use it to access other protected resources without re-authenticating. The Open Group (www.opengroup.org) defines SSO as the "mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where that user has access permission, without the need to enter multiple passwords."
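
The SSO exchange just defined, as an added example that is not HP's, Citrix's or The Open Group's code: an authentication authority authenticates the user once and issues a token with a defined lifespan; each protected resource verifies the token's integrity, expiry and intended audience and never handles the user's password. The token layout (base64url JSON claims followed by an HMAC-SHA256 tag), the key, the lifetime and the user are constructed for this illustration.

```python
"""Single sign-on with a time-limited credential token.

Added example, not a vendor implementation. Token layout, key, lifetime and
users are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthenticationAuthority:
    """The single place the user authenticates; mints the SSO token."""

    def __init__(self, key, lifetime=600):
        self.key, self.lifetime = key, lifetime

    def issue(self, user, audiences, now=None):
        """Called after the user's credentials have been verified."""
        now = int(time.time() if now is None else now)
        claims = {"sub": user, "aud": sorted(audiences),
                  "iat": now, "exp": now + self.lifetime}
        body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
        tag = b64url_encode(hmac.new(self.key, body.encode(),
                                     hashlib.sha256).digest())
        return f"{body}.{tag}"


class RelyingService:
    """A protected resource that trusts tokens from the authority."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, token, now=None):
        """Return (True, user) or (False, reason). The signature is checked
        before any claim is trusted; then lifespan, then audience."""
        now = int(time.time() if now is None else now)
        try:
            body, tag = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = b64url_encode(hmac.new(self.key, body.encode(),
                                          hashlib.sha256).digest())
        if not hmac.compare_digest(expected, tag):
            return False, "signature"
        try:
            claims = json.loads(b64url_decode(body))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if now >= claims.get("exp", 0):
            return False, "expired"
        if self.name not in claims.get("aud", []):
            return False, "audience"
        return True, claims["sub"]


if __name__ == "__main__":
    key = b"constructed-shared-key"
    token = AuthenticationAuthority(key, lifetime=600).issue("alice", ["mail", "wiki"])
    print(RelyingService("mail", key).accept(token))     # (True, 'alice')
    print(RelyingService("payroll", key).accept(token))  # (False, 'audience')
```

Two design points worth noting. The audience claim keeps a token minted for the mail and wiki services from being presented to payroll, so a token stolen from one service does not open every service the user may access. And because an HMAC tag is verified with the same key that mints it, every relying service here could forge tokens; a production deployment uses an asymmetric signature, as SAML and Liberty assertions do, so relying parties hold only the verification key.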

HP and SSO

For enterprise and web SSO, HP takes a best-of-breed approach, leveraging the solutions from industry leaders such as Citrix Systems (Password Manager; www.citrix.com).

For facilitating SSO on the client side, HP offers Credential Manager for HP ProtectTools. Credential Manager for HP ProtectTools is a client-side, credential caching-based SSO solution. Credential Manager acts as a personal password vault that makes accessing protected information more secure and convenient by automatically remembering credentials for websites, applications and protected network resources. Thanks to Credential Manager for HP ProtectTools, users no longer need to remember multiple passwords. Additionally, it provides enhanced protection against unauthorized access to a commercial notebook, desktop, or workstation, including alternatives to passwords when logging on to Microsoft Windows.

For identity control and access protection, Credential Manager for HP ProtectTools allows the user to define and implement multi-factor authentication capabilities. For example, when authenticating to a PC, users can be required to provide combinations of different security technologies, such as a smart card or a biometric ID. Furthermore, the Credential Manager for HP ProtectTools password store is protected via encryption. It can also be hardened through the use of a TPM embedded security chip.


8.2.1.3. Authentication Support in HP-UX 11i

The HP-UX 11i OS is designed to meet the security requirements of demanding environments. With a pluggable framework for authentication, HP-UX 11i can integrate into security infrastructures and also maintain a pervasive management solution. The HP-UX Pluggable Authentication Module (PAM) subsystem provides a pluggable authentication backbone for secured authentication services on HP-UX. HP offers several pluggable authentication security modules for PAM, including integration with Kerberos and LDAP.

The HP-UX 11i AAA Radius server can act as the front end to the identity management system by operating at the point of entry to a network (the access control point). When the HP-UX 11i AAA Radius server is tied to the Red Hat/Netscape Directory Server, external remote access is authenticated. In addition, this arrangement controls and passes access to network usage accounting systems and eventual billing software. This configuration is especially useful for telco and Internet service providers.

8.2.2. Authorization Technologies

The goal of an authorization system is to protect resources and information while allowing fluid access for legitimate users of these resources. Authorization is the act of granting subjects access rights to protected resources. The main difficulty is scaling authorization policy administration to thousands - possibly millions - of subjects and protected resources. As the numbers grow, administrators need to reduce the ratio of policies to the number of subjects and protected resources without compromising the security of the system.

Authorization policies are rules for determining which subjects are allowed to access resources. In some cases, privacy considerations may require support for some form of anonymous or pseudonymous access. In most cases, however, users must be identified prior to receiving the authorization to access resources. An identity management infrastructure is therefore critical to establishing users' identities as the basis for authorizing access to resources.

Two interesting access control models used in the identity management infrastructure are the role-based access control (RBAC) model and the rule set-based access control (RSBAC) model. A role is an organizational job function with a clear definition of inherent responsibility and authority (permissions). The process by which an enterprise develops, applies, and maintains RBAC is known as role engineering. As old roles are retired or modified and new roles are defined to meet changing business needs, an enterprise defines processes for updating roles.

Role-based approaches are suitable when job functions are easily partitioned. Wide-scale implementations remain stalled because of the complex nature and large scope of role engineering projects, transitory job assignments in knowledge-based organizations, lack of funding, limited standardization, and proprietary access control mechanisms. A common challenge facing role-based systems is finding agreement among stakeholders for standardized vocabularies and role definitions.

An alternative to an RBAC approach is RSBAC. With this approach, access is granted or denied based on a set of pre-defined rules or organizational policies. Access control decisions can change dynamically based on access control policies. Rules are context-dependent: they can take into account things like the time of day, resource type, and access location.
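The two models side by side, as an added example that is not part of the handbook and not HP's or any product's code. The RBAC part reduces the policy count by attaching permissions to roles rather than to each subject; the RSBAC part wraps that role check in an ordered rule set whose decisions depend on context (time of day, resource type, access location), with a default deny when no rule applies. Roles, permissions, rules and request fields are all constructed for the demonstration.

```python
from dataclasses import dataclass

# --- RBAC: constructed role model --------------------------------------------
# Permissions hang off roles, so adding a subject means one role assignment,
# not one policy per (subject, resource, action) triple.
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll-db", "read"), ("payroll-db", "write")},
    "auditor":       {("payroll-db", "read"), ("audit-log", "read")},
}
USER_ROLES = {"alice": {"payroll-clerk"}, "bob": {"auditor"}}


def rbac_allows(user, resource, action):
    """Role-based decision: some role held by the user grants (resource, action)."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- RSBAC: constructed rule set over a request with context -----------------
@dataclass
class Request:
    user: str
    resource: str
    action: str
    hour: int           # time of day, 0-23
    location: str       # "office", "vpn", "internet"
    resource_type: str  # "sensitive" or "public"


# Each rule returns False (deny), True (allow) or None (no opinion).
def rule_sensitive_only_in_business_hours(req):
    if req.resource_type == "sensitive" and not 8 <= req.hour < 18:
        return False
    return None


def rule_no_writes_from_outside_the_office(req):
    if req.action == "write" and req.location != "office":
        return False
    return None


def rule_role_check(req):
    # The organisational policy falls back on the RBAC model for the final word.
    return rbac_allows(req.user, req.resource, req.action)


RULES = [rule_sensitive_only_in_business_hours,
         rule_no_writes_from_outside_the_office,
         rule_role_check]


def rsbac_allows(req):
    """Rule set-based decision: first rule with an opinion wins; default deny."""
    for rule in RULES:
        decision = rule(req)
        if decision is not None:
            return decision
    return False


if __name__ == "__main__":
    r = Request("alice", "payroll-db", "write", hour=21, location="vpn", resource_type="sensitive")
    print("RBAC alone:", rbac_allows(r.user, r.resource, r.action))   # True
    print("RSBAC with context:", rsbac_allows(r))                     # False
```

The point the `__main__` block makes is the one the text makes: the same subject and the same permission can yield different decisions once context is part of the rule, which is what lets an administrator express "payroll writes only from the office during business hours" once, instead of once per clerk.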


8.2.2.2. Authorization Support in HP-UX 11i

HP-UX 11i is designed to meet the security requirements of demanding environments and provides a pluggable framework for both authentication and authorization. As part of HP-UX 11i v2, HP-UX adds the Access Control Policy Switch, which is available as part of the RBAC subsystem.

With the PAM, RBAC, and identity management integration features of HP-UX 11i, administration of authentication and OS- or application-specific privileges can be centrally managed through identity management products. These features enable the pervasive management capabilities required by today's organizations.

As noted previously, the HP-UX 11i AAA Radius server can act as the front end to the identity management system by operating at the access control point. When combined with the Red Hat/Netscape Directory Server, the system offers additional benefits for authentication, access control, and accounting that are especially useful for telco and Internet service providers.

8.2.3. Auditing Technologies

Increasingly, regulatory demands require enterprises to understand what their users are doing. The challenge is consolidating and making sense of identity data with respect to policies and regulations in a complex and ever-changing environment. Auditing systems capture security-related events in identity management systems and ensure accountability for the underlying IT and security infrastructure. Complete and accurate audit and event records provide the evidence that enterprises need to demonstrate compliance with business, security, legal, and regulatory mandates. It is especially critical to audit the authorization, provisioning, and privacy components of identity management systems, which may create or remove user privileges and accounts.

Typically, it is difficult and costly for an organization to determine who did what and when. There are no easy methods for management to determine compliance with specific regulations or to view trends. Additionally, organizations cannot track who knew about violations - clear and specific ownership does not exist.

As a result, organizations risk failing regulatory audits. This is a critical concern for all CIOs, CSOs, and personnel directly responsible for the protection of organizational resources, including privacy officers, risk managers, and auditors. Company executives can now be personally liable for failures in their control systems, and regulatory failures can lead to critical business impacts such as lost customers, fines, or jail time for those responsible.

Challenges requiring organizations to better manage audit and reporting include the need to:

• Comply with regulations such as the Basel II Accord, EU Directive on Data Protection, Japanese Data Protection, and the Personal Information Protection and Electronic Documents Act (PIPEDA)
• Control the identity infrastructure; specifically, knowing who has access to what and who approved access
• Track and trend compliance for repeatable success with audits, for example, compare compliance for today, last week, the last six months, and longer
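What the three needs above look like once provisioning events are consolidated, as an added example that is not part of the handbook and not the code of any auditing product: the events are replayed to answer "who has access to what, and who approved it", grants with no recorded approver are flagged, and a compliance ratio is computed so it can be trended across periods. The event records and their field names are constructed for the demonstration.

```python
# Constructed provisioning audit events (field names are an assumption for the demo):
# who (actor) did what (action) to whom (subject) and when (ts), and who approved.
EVENTS = [
    {"ts": "2024-01-02T09:00:00Z", "actor": "idm-system", "action": "grant",
     "subject": "alice", "entitlement": "payroll-db:write", "approver": "mgr-carol"},
    {"ts": "2024-01-03T11:30:00Z", "actor": "admin-dave", "action": "grant",
     "subject": "bob", "entitlement": "payroll-db:read", "approver": None},
    {"ts": "2024-01-05T16:10:00Z", "actor": "idm-system", "action": "revoke",
     "subject": "alice", "entitlement": "payroll-db:write", "approver": "mgr-carol"},
    {"ts": "2024-01-06T08:00:00Z", "actor": "idm-system", "action": "grant",
     "subject": "alice", "entitlement": "audit-log:read", "approver": "mgr-carol"},
]


def current_access(events):
    """Who has access to what, and who approved it: replay grants and revokes in
    time order so the result reflects the state after the last event."""
    access = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["subject"], e["entitlement"])
        if e["action"] == "grant":
            access[key] = {"granted_at": e["ts"], "by": e["actor"],
                           "approver": e["approver"]}
        elif e["action"] == "revoke":
            access.pop(key, None)
    return access


def unapproved_grants(events):
    """Control check: every grant must carry an approver; these do not."""
    return [e for e in events if e["action"] == "grant" and not e["approver"]]


def history_for(events, subject):
    """Who did what and when, for one subject, oldest first."""
    return [(e["ts"], e["actor"], e["action"], e["entitlement"])
            for e in sorted(events, key=lambda e: e["ts"])
            if e["subject"] == subject]


def compliance_ratio(events, since=""):
    """Share of grants since `since` (ISO timestamp prefix, "" = all time) that were
    approved. Calling it with different `since` values gives the trend the text asks for."""
    grants = [e for e in events if e["action"] == "grant" and e["ts"] >= since]
    if not grants:
        return 1.0
    approved = [e for e in grants if e["approver"]]
    return len(approved) / len(grants)


if __name__ == "__main__":
    for (subject, entitlement), info in sorted(current_access(EVENTS).items()):
        print(subject, entitlement, "approved by", info["approver"])
    print("unapproved grants:", [(e["subject"], e["entitlement"]) for e in unapproved_grants(EVENTS)])
    print("compliance, all time:", round(compliance_ratio(EVENTS), 2))
    print("compliance, from 2024-01-04:", compliance_ratio(EVENTS, since="2024-01-04"))
```

Sorting on the timestamp before replaying matters: an audit store that consolidates several systems rarely receives events in order, and a revoke processed before its grant would leave a stale entitlement in the inventory.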

HP uses a best-of-breed and customer preference approach for recommending multi-platform and multi-application auditing solutions to customers.

8.3. Privacy Management

In the context of electronic privacy, users express concerns regarding today's IT systems and environments like the Internet. Some of the key privacy concerns include:

• Data is collected silently. This is facilitated by the Web, which allows large quantities of data to be collected inexpensively and unobtrusively.
• Data from multiple sources may be merged. Non-identifiable information can become identifiable when merged with other sources and information.
• Data collected for business purposes may be used in civil and criminal proceedings.
• Data collected for business purposes may be forwarded to third parties, without notifying the user.
• Data may be copied and used without authorization. This may happen simply when data are used for purposes other than those for which they were collected; it may also happen as a result of failure of access controls allowing malicious parties, within or outside the collecting organization, to obtain data for criminal purposes such as fraud and identity theft.
• Users are not given meaningful choices for the use of their personal data.


Trends Topic: Global Privacy

Privacy involves the treatment of personal data. A key concern of individuals who provide personal data is its authorized but undisclosed secondary use. Preventing undisclosed use requires the collecting party to inform individuals of any intent to share their personal data beyond the primary use. The collecting party should allow individuals a choice to opt in and then subsequently respect the agreement. These circumstances bring the matter of privacy closer to the contractual and legal spheres rather than the technological.

Legal and cultural approaches to privacy differ widely around the globe. The European Union, for example, has explicit data-protection regulations. In the U.S., individual privacy is generally a matter of contractual and informed-consent practices, although regulations apply in specific sectors such as the health industry. Privacy approaches in Asian countries vary widely in both legal requirements and prevailing attitudes. Further complicating the picture are tensions related to anonymity, such as preserving the right to individual privacy while preventing the use of anonymity as a means for criminals to conceal activities, and allowing law enforcement and homeland security agencies to gather extensive personal data to pursue preventive and investigative programs.

Some specific technologies that address global privacy and anonymity pressures are in development. For example, there are many cryptographic techniques for "managed anonymity" or pseudonymity. These techniques, such as double-spending detection in electronic cash schemes, protect individual identities for normal operations; however, they can reveal identities in exceptional circumstances. Privacy-preserving computations are also feasible in some cases. For example, the holders of two different databases can jointly discover common entries without revealing information to each other. The provision of reliable remote execution environments, where executable content can run on a machine that demonstrates its trustworthiness, offers the promise of data transmission with continued effective controls on data use.
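The "jointly discover common entries" computation in the paragraph above, as an added example that is not part of the handbook and not taken from any HP Labs system: a private set intersection built from commutative blinding (each holder raises hashed entries to a secret exponent, the two exchange blinded lists, each applies its own exponent to the other's list, and only entries that are in both databases produce equal double-blinded values). The construction is my choice for the demonstration, not one the handbook names, and the 127-bit Mersenne prime is a toy parameter chosen for readability; a deployment would use a standard group of adequate size.

```python
import hashlib
import secrets

# Toy parameter (assumption for the demo): 2^127 - 1 is prime and keeps numbers short.
P = (1 << 127) - 1


def hash_to_group(item: str) -> int:
    """Map an entry to a non-trivial element of the multiplicative group mod P."""
    h = int.from_bytes(hashlib.sha256(item.encode()).digest(), "big")
    return 2 + h % (P - 3)          # never 0 or 1, which would blind to a constant


class Holder:
    """One database holder. The secret exponent never leaves this object."""

    def __init__(self, items):
        self.items = list(items)
        self.secret = secrets.randbelow(P - 2) + 1      # 1 .. P-2

    def blind_own(self):
        """Message to the other holder: H(x)^secret for each own entry."""
        return [pow(hash_to_group(x), self.secret, P) for x in self.items]

    def blind_received(self, blinded):
        """Message back: the other holder's blinded values raised to own secret."""
        return [pow(v, self.secret, P) for v in blinded]


def private_intersection(alice: Holder, bob: Holder):
    """Run the two-round exchange; Alice learns which of her entries Bob also holds.
    Neither side sees the other's plaintext entries, only blinded group elements."""
    a_blind = alice.blind_own()                  # Alice -> Bob
    b_blind = bob.blind_own()                    # Bob -> Alice
    a_double = bob.blind_received(a_blind)       # Bob -> Alice, same order as a_blind
    b_double = alice.blind_received(b_blind)     # computed locally by Alice
    common = set(b_double)
    # (H(x)^a)^b == (H(y)^b)^a exactly when x == y, so matching positions are shared entries.
    return sorted(x for x, v in zip(alice.items, a_double) if v in common)


if __name__ == "__main__":
    # Constructed databases: two customer lists.
    a = Holder(["alice@example.com", "bob@example.com", "carol@example.com"])
    b = Holder(["bob@example.com", "carol@example.com", "dave@example.com"])
    print(private_intersection(a, b))            # ['bob@example.com', 'carol@example.com']
```

Two caveats worth keeping in mind when reading the result: each side still learns how many entries the other holds (list lengths travel in the clear), and the entry space must be large enough that the other side cannot simply hash-and-blind every candidate value; those are properties of the protocol, not of this toy implementation.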


Privacy considerations typically arise when an organization needs to collect and store customer, employee, and other private data. Other situations that raise privacy concerns include demonstrating conformance with privacy regulations and forwarding user information (identity information, web-service access information, security assertions, or localization data) to third-party service providers.

Numerous efforts have produced legislative frameworks for privacy. Examples are the EU Directive on Data Protection, U.S. laws such as HIPAA and the Children's Online Privacy Protection Act (COPPA), and frameworks such as Safe Harbor. However, privacy and data protection laws are hard to enforce when personal information spreads across boundaries. In general, users have little understanding or knowledge of privacy laws and their implications.

Privacy management in an IT environment has many different aspects. These include negotiation, policy lifecycle management, enforcement, monitoring, decision support, violation detection, privacy-preserving computation, data minimization and transformation, rating and branding, verification and certification, auditing and accountability, mediation and delegation, anonymization and pseudonymization, and user training. In the context of identity management solutions, privacy-protecting technologies can be viewed as an extension to 1) authorization systems and 2) provisioning and identity lifecycle management solutions. Authorization policies control data access based on factors like privacy regulations and user consent. Obligation policies control how to handle the lifecycle of identity information during its lifetime, including data deletion/retention, data transformation/minimization, notifications, etc.

Privacy management is an identity management area that requires much work and effort. HP and other major IT players like IBM Corporation are leading key developments in the privacy management space. HP is involved in several cross-industry and government-driven privacy standardization initiatives. HP Labs, jointly with HP business groups (and also in the context of international projects, such as the European Union (EU)-funded PRIME project), are actively researching and developing technologies and solutions in the privacy space. HP Labs privacy research has been focusing on a Privacy Policy Enforcement System and an Obligation Management System to model, deploy and enforce privacy policies and obligations at the operational level: the feasibility of these R&D systems has been demonstrated by showing how they can be integrated with HP identity management solutions.


HP Labs Privacy Policy Enforcement System

Traditional access control solutions (that involve users, their roles, protected resources and access rights) are necessary but not sufficient to enforce privacy constraints when accessing personal data. These solutions need to be extended to take into account the purpose for which data has been collected, consent given by data subjects and other conditions.

This HPL research focuses on the development of a privacy-aware access control system that enforces privacy policies (defined by privacy administrators and based on data subjects' privacy preferences) on personal data stored in heterogeneous enterprise data repositories. In this system, privacy policies explicitly define the purposes for which personal data can be accessed, how to take into account data subjects' consent and what actions need to be fulfilled when the data is accessed (filtering out data, blocking access, logging, etc.).

The HP Labs Privacy Policy Enforcement System provides the following key functionalities: (1) it allows administrators to graphically author policies involving both privacy and access control aspects; (2) it allows for fine-grained modeling of personal data (stored in relational databases, LDAP directories, etc.) that are subjected to privacy policies; (3) it allows for the deployment of policies and the decision-making process based on these policies; (4) it allows for the enforcement of privacy-related policies when the data is accessed.
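The extension the three paragraphs above describe, as an added example that is not part of the handbook and not the HP Labs system's code: a traditional role check runs first, then a privacy policy keyed on the stated purpose decides whether the data subject's consent is required and which of the actions named in the text (filter out fields, block, log) apply. The records, purposes, policies and the stand-in role check are constructed for the demonstration.

```python
# Constructed personal-data records; the "consent" field records, per purpose,
# the preference the data subject expressed.
RECORDS = {
    "alice": {"email": "alice@example.com", "phone": "+1-555-0100",
              "consent": {"marketing": False, "billing": True}},
    "bob":   {"email": "bob@example.com", "phone": "+1-555-0101",
              "consent": {"marketing": True, "billing": True}},
}

# Constructed privacy policies, one per purpose for which data may be accessed:
# which fields that purpose may see, whether consent is needed, and the action
# taken on access ("filter" returns only the permitted fields; "block" returns nothing).
POLICIES = {
    "billing":   {"fields": {"email"},          "consent_required": True,  "action": "filter"},
    "marketing": {"fields": {"email", "phone"}, "consent_required": True,  "action": "filter"},
    "research":  {"fields": set(),              "consent_required": False, "action": "block"},
}

# Every access attempt is logged, whatever the decision (the "logging" action).
AUDIT_LOG = []


def role_allows(requester, subject):
    """Stand-in for the traditional access control check (assumption for the demo):
    only two applications hold a role that may read customer records at all."""
    return requester in {"billing-app", "crm-app"}


def access_personal_data(requester, subject, purpose, role_check=role_allows):
    """Privacy-aware access: classic access control first, then purpose and consent.
    Returns the filtered record, or None when access is denied for any reason."""
    AUDIT_LOG.append((requester, subject, purpose))
    if not role_check(requester, subject):
        return None                                  # traditional control says no
    policy = POLICIES.get(purpose)
    if policy is None or policy["action"] == "block":
        return None                                  # purpose unknown or disallowed
    record = RECORDS.get(subject)
    if record is None:
        return None
    if policy["consent_required"] and not record["consent"].get(purpose, False):
        return None                                  # data subject did not consent
    # "filter": hand back only the fields this purpose is entitled to see
    return {field: value for field, value in record.items() if field in policy["fields"]}


if __name__ == "__main__":
    print(access_personal_data("billing-app", "alice", "billing"))    # {'email': ...}
    print(access_personal_data("crm-app", "alice", "marketing"))      # None: no consent
    print(access_personal_data("crm-app", "bob", "marketing"))        # email and phone
    print("attempts logged:", len(AUDIT_LOG))
```

Note the order of the checks: a requester that fails the role check is refused before the purpose is even considered, so the privacy layer adds conditions on top of access control rather than replacing it, which is the relationship the text describes.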


HP Labs Privacy Obligation Management System

Access control solutions cannot deal with all aspects of privacy policy enforcement. In particular, they are not designed to handle constraints dictated by privacy obligations, such as duties and expectations on data deletion, data retention, data transformation, etc. For example, data might need to be deleted after a predefined period of time, independently of whether this data has ever been accessed. Privacy obligations introduce the need to deal with privacy-aware information lifecycle management, i.e. to ensure that the creation, storage, modification and deletion of data is driven by privacy criteria.

HP Labs has been working on this area, in particular on the problem of explicitly representing obligations, reasoning on them, enforcing and monitoring them. A main differentiation of the HP Labs work is the clear separation between access control management and obligation management, without imposing a subordinated view of obligations to access control policies.

HP Labs has defined a privacy obligation management model and an Obligation Management System (OMS) to explicitly manage privacy obligations on personal data.

The HP Labs OMS provides the following functionalities: (1) explicit representation of privacy obligations as reaction rules; (2) scheduling of privacy obligations; (3) enforcement of obligations; (4) monitoring of enforced obligations. Privacy obligations can be automatically derived from privacy preferences (e.g. requests for deletion or notifications) expressed by people or administrators on personal data. These obligations are scheduled by the OMS based on relevant events. If triggered by these events, OMS enforces privacy obligations, for example by deleting data, sending notifications or triggering workflows. Enforced obligations are monitored for a predefined period of time for compliance reasons.

A full working prototype of the HP Labs OMS has been implemented in the context of the EU PRIME Project (see www.prime-project.eu).
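The four OMS functions listed above (represent, schedule, enforce, monitor), as an added example that is not part of the handbook and not the HP Labs prototype's code: obligations are derived from a data subject's preferences, a time-driven obligation ("delete after N seconds") is scheduled in a queue and enforced independently of whether the data was ever accessed, an event-driven one ("notify me on access") fires when the event is raised, and a monitoring view confirms, for a window after enforcement, that a deletion really removed the data. The preference vocabulary, the clock (plain integers) and the data store are constructed for the demonstration.

```python
import heapq


class ObligationManagementSystem:
    """Obligations as reaction rules, kept apart from access control decisions."""

    def __init__(self):
        self.store = {}          # subject -> personal data under management
        self.queue = []          # (due_time, seq, obligation): time-driven obligations
        self.event_rules = {}    # event name -> [obligation]: event-driven obligations
        self.enforced = []       # (time, obligation): record kept for monitoring
        self.notifications = []  # what "notify" produced
        self.seq = 0
        self.actions = {"delete": self._delete, "notify": self._notify}

    # -- representation: obligations are small dicts, e.g. {"subject": s, "action": "delete"}
    def derive_from_preferences(self, subject, data, prefs, now):
        """Turn a data subject's preferences into scheduled obligations."""
        self.store[subject] = data
        if "delete_after" in prefs:
            self.schedule({"subject": subject, "action": "delete"},
                          due=now + prefs["delete_after"])
        if prefs.get("notify_on_access"):
            self.on_event("access:" + subject,
                          {"subject": subject, "action": "notify",
                           "message": "your data was accessed"})

    # -- scheduling
    def schedule(self, obligation, due):
        self.seq += 1
        heapq.heappush(self.queue, (due, self.seq, obligation))

    def on_event(self, event, obligation):
        self.event_rules.setdefault(event, []).append(obligation)

    # -- enforcement
    def tick(self, now):
        """Enforce every time-driven obligation whose due time has arrived."""
        fired = []
        while self.queue and self.queue[0][0] <= now:
            _, _, obligation = heapq.heappop(self.queue)
            self._enforce(obligation, now)
            fired.append(obligation)
        return fired

    def raise_event(self, event, now):
        """Enforce the obligations registered for an event (e.g. an access)."""
        fired = list(self.event_rules.get(event, []))
        for obligation in fired:
            self._enforce(obligation, now)
        return fired

    def _enforce(self, obligation, now):
        self.actions[obligation["action"]](obligation, now)
        self.enforced.append((now, obligation))

    def _delete(self, obligation, now):
        self.store.pop(obligation["subject"], None)

    def _notify(self, obligation, now):
        self.notifications.append((now, obligation["subject"], obligation["message"]))

    # -- monitoring
    def monitor(self, now, window):
        """Obligations enforced within `window` of `now`, each with a compliance flag:
        a deletion counts as compliant only if the data is in fact gone."""
        report = []
        for t, obligation in self.enforced:
            if now - t <= window:
                ok = obligation["action"] != "delete" or obligation["subject"] not in self.store
                report.append((t, obligation["action"], obligation["subject"], ok))
        return report


if __name__ == "__main__":
    oms = ObligationManagementSystem()
    oms.derive_from_preferences("alice", {"email": "alice@example.com"},
                                {"delete_after": 30, "notify_on_access": True}, now=0)
    oms.raise_event("access:alice", now=10)     # event-driven: notification
    oms.tick(now=30)                            # time-driven: deletion falls due
    print(oms.monitor(now=40, window=100))      # [(10, 'notify', 'alice', True), (30, 'delete', 'alice', True)]
```

The deletion in `tick` runs whether or not `raise_event` was ever called, which is the property the text singles out: an obligation is owed to the data subject independently of any access decision, so it cannot live inside the access control policy.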

8.4. Identity Lifecycle Management

Identity lifecycle management or provisioning solutions are similar to SSO solutions in that they operate from the top down; the application manages all of the systems under it. Administrative functions - from the essential add, modify, and delete to the more general maintenance and monitoring - are under the control of the provisioning system. Provisioning functions can also include non-electronic tasks such as identifying a cubicle, connecting a network port, and acquiring a PC.

With provisioning products, organizations risk implementing one solution that can potentially clash with another. Provisioning solutions often incorporate other parts of the identity management framework, such as self-service and password management.

The only mature provisioning-specific standard at this time is the Service Provisioning Markup Language (SPML). SPML messages facilitate the creation, modification, activation, suspension, enablement, and deletion of identity-related data in different identity repositories. The Organization for the Advancement of Structured Information Standards (OASIS) has been working on the SPML specification since late 2001. For more information, see www.oasis-open.org/home/index.php.

HP uses a best-of-breed and customer preference approach for recommending identity lifecycle management and provisioning solutions to customers.

8.5. Federated Identity Management

Federation enables the trusted interchange of security-related information between different autonomous policy domains. Security-related information includes authentication, authorization, and auditing data. Although federation is generally used in the context of an inter-enterprise security mechanism, it can also be used within an enterprise to provide tighter integration between loosely coupled ecosystems.

Typically, a federation provides a common framework for trust - a standard syntax, vocabulary, attribute set, and set of policies and practices for the trusted interchange of security-related information. Bilateral (federation) agreements between partners are often required to negotiate the specifics of access, such as which users or systems can access which resources, under what circumstances, and under what contractual relationships. Access control always remains with the owner of the resource. A federation might also define minimum acceptable trust levels or authentication mechanisms required for specific circumstances.

A federation agreement always deals with two entities: an asserting party that generates security assertions and a relying party that trusts the security assertion made by the asserting party. There are a number of federations being formed, supporting a variety of vertical marketplaces, communities of interest (financial services, health sciences, research and education), and geopolitical boundaries (state and national governments).

HP uses a best-of-breed and customer preference approach for recommending identity federation solutions to customers.


8.5.1. Federation Standards

A variety of standards, specifications, and protocols relate to federated identity management. Figure 3-5 shows the positioning of some of the relevant federated identity management standards. The Liberty Alliance specifications define the protocol messages, profiles, and processing rules for identity federation and management. They rely heavily on other standards such as SAML and WS-Security. Additionally, the Liberty Alliance has contributed portions of its specification to the technical committee working on SAML. More information is available from www.projectliberty.org. HP endorses the Liberty Alliance and actively participates in the creation of its specifications.

SAML is an OASIS specification that provides a set of XML and Simple Object Access Protocol (SOAP)-based services, protocols, and formats for exchanging authentication and authorization information. More information is available from www.oasis-open.org/committees/tc_home.php?wg_abbrev=security.

WS-Security is another OASIS specification that defines mechanisms implemented in SOAP headers. These mechanisms are designed to enhance SOAP messaging by providing a quality of protection through message integrity, message confidentiality, and single message authentication. More information is available from www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.

The Web Services protocol specifications (WS-*) are currently in development by Microsoft Corporation and IBM Corporation. They include specifications for WS-Policy, WS-Trust, and WS-Federation.

Other identity management enabling standards are:
• Service Provisioning Markup Language (SPML), www.oasis-open.org/committees/tc_home.php?wg_abbrev=provision.
• XML Access Control Markup Language (XACML), www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
• XML Signature, www.w3.org/Signature.
• XML Encryption, www.w3.org/Encryption.

Figure 3-5: How the identity federation standards stack up
(Figure not reproduced. Layers shown in the stack, bottom to top: Other Enabling Standards; OASIS SAML; OASIS WS-Security; WS-*; Spin-Offs (e.g., MetaData Spec).)


8.6. HP's National Identity System

The HP National Identity System (HP NIS) is a public-sector identity credentialing solution that provides the component modules required to implement a national-scale enrollment and document issuance solution. HP NIS supports workflow processes for citizen enrollment, establishes and maintains a distributed citizen registry system, manages identification document processes, and incorporates biometric and PKI verification.

8.6.1. Multiple Stakeholders

There are multiple participants in a national ID system, and each group brings its own requirements and perspective. A successful credential issuance system must satisfy the needs of each stakeholder. The three stakeholder classes for HP NIS are:

• Customers: National governments or government departments are the purchasing customers for most national ID or passport systems.
• Suppliers: A single vendor cannot offer a comprehensive national ID solution; for example, there are specialists in passport production, ID card printing, and smart cards that must work together to meet customer needs.
• Citizens: The ultimate credential holders and users are citizens who expect their government to provide a secure document that is durable, easy-to-use, and inexpensive.

8.6.2. The identity document lifecycle

Identity documents follow a well-defined lifecycle from issuance through end-of-life disposal, as illustrated in Figures 3-6 and 3-7. The lifecycle mirrors the processes in place in the government department that issues the document. For example, the lifecycle for a passport document includes document request (applying for a passport), adjudication (determining if a passport should be issued), issuance (printing the passport and encoding data on the chip), and usage (using the passport to cross the border).

Figure 3-6: The identity document lifecycle
(Figure not reproduced. Lifecycle stages shown: Entitlement Document Request; Registration & Enrollment; Identity Verification; Entitlement Document Personalization; Key Generation & Certificates; Secure Document/Key Issuance & Distribution; Document Usage; Document Verification & Checking; Document or Key Revocation; Document End-of-Life & Renewal; Entitlement Document Management; User Education, Support & Help Desk. Infrastructure components shown: Central Registry; Distributed Registries; Issuing Offices; Certification Authority; Secure Web Services Access; Public Access Points; Checking & Update Points.)

What is a public-sector identity credential?

A public-sector identity credential is a document issued by a government or state agency used by a citizen or resident to gain access to state-provided services. Examples of these identity credentials include ID cards, health/welfare entitlement cards, medical information cards, passports, visas and driver's licenses.

An identity credential issued by a government is often considered a secure document and thus requires security features to reduce the likelihood of fraudulent copies being produced, or existing documents being modified. Furthermore, there must be trust in the integrity of the document issuance process so that suitable background checks are performed before a document is issued. For example, in countries which issue ID cards to citizens there is an expectation that one card is issued per citizen and each citizen can hold only one ID card. Machine-readable travel documents include passports (both traditional and ePassports) and must comply with international standards for data encoding and formatting to permit inspection at border crossing points.


8.6.3. HP NIS Architecture

NIS incorporates several high-level core processes consisting of enrollment, validation, registration, issuance, card usage, support, and lifecycle management. The processes begin after properly validating an applicant in accordance with customer policy.

Enrollment

Enrollment typically includes review and authentication of an applicant's official breeder documents, personal information, and biometric data. Customer policy dictates the number and types of breeder documents to authenticate and the nature of the authentication process. Generally, an apparatus electronically screens these documents to detect document tampering (such as an altered driver's license with a different photograph, signature, or other demographic information). The analysis of several factors easily detects tampering, for example, changes in laminating materials, changes in text density and color, or minute misalignments of background patterns or holograms. Checking documents such as birth certificates with the issuing agency for authenticity is another common requirement.

Demographic and biometric information may be collected from applicants. Demographic information may be uploaded via optical character recognition technology from paper forms completed by applicants; entered by applicants at kiosks or workstations located at application processing centers; or entered, in part, from a web-based interface. Biometric scanning occurs at an application processing station. All information, demographic (from whatever input source) and biometric, is encrypted and transmitted to a secure enrollment database where it remains in encrypted format. Once the applicant authenticates the demographic information gathered during the enrollment process, the application document is signed. Signed documents are encrypted and forwarded to the enrollment database.

All information submitted by the applicant is stored exactly as submitted (either text input or scanned document). Subsequent changes are captured and stored as submitted, and the system maintains a complete history of all data entries. Data management of applications is configurable according to local legislative requirements. Receipt of the signed application form is the trigger for the next step of validation.

Validation

Validation is an automated process that electronically verifies demographic and biometric information with existing watch lists and with public records on file in various governmental and targeted public databases. Biometric information, such as fingerprints, is checked against existing national registries and against the NIS database of completed registrants to ensure that an applicant is not registering with an illegal alias to obtain a fraudulent credential. Applicable demographic information, such as birth date, address, and any other information designated by customer policy, is cross-checked against external databases and registers. During processing, the applications database maintains a historical record of validation processing.

Figure 3-7: Central registry
(Figure not reproduced. Document and record types shown around the Central Registry: Entitlement Cards; Identity Cards; Passports; Election Management; Drivers Licenses; BMD Certificates; Foreign Residents; Government Information; Arms Licenses.)


When validation is complete, the applicant's file is considered a positive verification, or it is listed as a suspicious record for further examination and adjudication. Customer policy dictates the review process; generally, it requires human intervention. If desired by the customer, however, the validation review can be entirely automated.
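The validation step as just described (watch-list check, demographic cross-check against an external register, and the biometric check against completed registrants that catches an applicant enrolling under an alias), as an added example that is not part of the handbook and not HP NIS code. A fingerprint template is stood in for by a string and the registry keys on its SHA-256 so no raw biometric is compared here; the registries, watch list, applicant records and the "positive" / "suspicious" outcome labels are constructed for the demonstration, and each run appends to a processing history as the text requires.

```python
import hashlib


def template_id(template: str) -> str:
    """Stable identifier for a biometric template (constructed stand-in: a hash
    of the template string; a real matcher compares templates, not hashes)."""
    return hashlib.sha256(template.encode()).hexdigest()


# Constructed NIS database of completed registrants, keyed by biometric identifier.
COMPLETED_REGISTRANTS = {
    template_id("fp-template-001"): {"name": "Ana Ruiz", "dob": "1980-05-01"},
}
# Constructed watch list and external public register, keyed by (name, date of birth).
WATCH_LIST = {("Jon Doe", "1975-01-01")}
EXTERNAL_REGISTER = {("Ana Ruiz", "1980-05-01"), ("Li Wei", "1990-09-09"),
                     ("Jon Doe", "1975-01-01")}


def validate(applicant, history):
    """Run the automated checks on one applicant. Returns (status, findings) where
    status is "positive" or "suspicious", and appends the outcome to `history`
    so the applications database keeps a record of validation processing."""
    name, dob = applicant["name"], applicant["dob"]
    findings = []
    if (name, dob) in WATCH_LIST:
        findings.append("watch-list hit")
    if (name, dob) not in EXTERNAL_REGISTER:
        findings.append("demographics not confirmed by external register")
    prior = COMPLETED_REGISTRANTS.get(template_id(applicant["fingerprint"]))
    if prior is not None and (prior["name"], prior["dob"]) != (name, dob):
        # Same biometric already enrolled under another identity: the alias case.
        findings.append("biometric already registered under a different identity")
    status = "positive" if not findings else "suspicious"
    history.append({"applicant": name, "status": status, "findings": list(findings)})
    return status, findings


if __name__ == "__main__":
    history = []
    print(validate({"name": "Li Wei", "dob": "1990-09-09", "fingerprint": "fp-template-002"}, history))
    print(validate({"name": "Li Wei", "dob": "1990-09-09", "fingerprint": "fp-template-001"}, history))
    print(len(history), "validation records")
```

A "suspicious" outcome is deliberately not a rejection: as the text says, what happens next is adjudication under customer policy, usually by a person, so the function records findings rather than deciding the application.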

Registration

Validated records are forwarded to the personnel registry (database), where a complete record of all data files, including biometrics, is stored and maintained. Separately, a dedicated biometric database stores biometric data files to provide visual and electronic replication. Records from this database help create digital information for the identification document. The biometric records also authenticate online requests for identity verification when cardholders attempt to gain physical or logical entry into locations and/or systems.

Issuance

Issuance is an automated four-step procedure:

1. Personalization: In this first step the blank document is printed and digital information is loaded if a chip is present on the card. Examples of information that may be stored on a chip include applets, certificates, key materials, demographic information, and biometric information for visual or electronic viewing.
2. Quality assurance: The finished document is visually and electronically checked to ensure that it complies with requirements. The visual inspection process is usually automated.
3. Issuance: The document is issued to the applicant, often requiring an identity check.
4. Activation: If the card contains a chip, it must be activated by the holder before it can be used.

The exact format, appearance, and electrical characteristics conform to the standards directed by customer policy.

Personalization

During personalization, information together with security features is physically printed on the card. The card's chip is electronically formatted with personalization data, PKI materials if required, certificates if required, and other customer-specified codes such as PINs and/or personal unlock keys (PUKs). Personalization artifacts physically printed on the card typically consist of the card holder's name, picture, signature, and card expiration date. The same information is electronically stored on the card's chip, together with biometric information such as face or fingerprint images.

Quality Assurance

Credential quality assurance is an automated procedure to verify that:

• The data printed on the card conforms to the precision and security requirements specified by the customer (e.g. all elements are clearly printed).
• The data encoded on the chip is correctly encoded.

Issuance

Detailed procedures for the handover of an identity card to a user conform to customer policy. HP NIS is a versatile system designed to support a multitude of options including the use of mailing/courier services, internal document distribution systems, and in-person card handover.

Activation

Activation of the identity card can occur upon handover (if it is performed at a site with a card reader) or upon first use at a site with a card reader. Activation of the card and all subsequent usage is recorded and maintained in an auditable registry per the customer's policies and procedures.

Card Usage

During card usage, a comparison process determines that the credential holder is the person depicted by the information on the credential document. Depending upon the level of security employed, the comparison process can include:

• A visual comparison of the credential holder's face with the photograph on the credential
• An automated comparison of live biometric data (for example, from a fingerprint scanner) to biometric data stored on the credential document
• A comparison of live biometric data with a remote biometric data registry, and an authentication of the PKI materials by a central database

Support

Credential holder support includes both a self-administration component and a help desk component. The self-administration component lets end users make limited credential changes, such as modifying PINs, and changes to non-critical data (as defined by customer policies). Help desk staff can block credential use in cases of lost or stolen identity cards and unblock credentials under specific situations.


Lifecycle Management

Lifecycle management is the most critical element of HP NIS. Lifecycle management is the all-encompassing maintenance and management of every piece of identity management information and material, including, but not limited to, blank identity documents received into inventory, collected demographic and biometric data, accumulated vetting reports and other ancillary information from official sources, active identity credential status, revoked or suspended credentials, and auditing reports.

HP NIS lifecycle management consists of six general processes:

• Track and manage all unused security consumables, such as blank identity cards, PKI materials, certificates, holograms, and laminates. The inventory and control function tracks quantities and locations of these materials, and it generates reorder notices as appropriate.
• Track and manage identity card OS and applet lifecycles, including revision and version control for all installed firmware and software, by credential serial number.
• Manage application forms for all materials submitted to NIS during the enrollment of an applicant. Submitted materials are never deleted.
• Manage the personnel registry and biometric database, where copies of all validated documents, reports, and other data entries are stored, together with biometric data files, respectively. Once entered, items are not deleted from the personnel registry.
• Track and manage all issued physical credentials, including a complete audit trail for credential enabling, use, suspension, query, revocation, reissue, loss, recovery, and compromise of the issued document.
• Track and manage all personalization entries, consisting of all initial and updated demographic, biometric, PKI material, and/or certificate entries on the issued credential document.

8.6.4. NIS Governance

Governance refers to implementing and enforcing the policies that control data encryption, data storage, and access to stored data. NIS is designed to meet or exceed the stringent security standards dictated by governments around the world. All sensitive data is encrypted and signed before transmission and when stored on any permanent or erasable medium. Encryption applies to all data, including data collected and stored during enrollment and data permanently stored in the personal and biometric registries.

8.6.5. Confidence in Identity Documents

For an identity document to be useful, both the issuer and the validator of the document must have confidence in its integrity and authenticity. Document integrity applies to the physical document and any electronic data encoded on the document's smart card chip. Physical security features include security foils, laminates, microprinting, and holograms. These features allow a visual inspection of the document to detect tampering or forgery. Logical security features include digital signatures on the chip contents, encrypted sessions between the chip and a reader device, and PKI technology to ensure that the electronic data on the chip was issued by a known entity (for example, a country or state).

At the least secure level, an individual seeking entry into a restricted space surrenders his or her identification card to an attendant, who verifies that the card is not altered, that the photograph on the card is that of the presenter, and that the card has not expired. Once satisfied that identity is verified, the attendant grants access to a controlled area. This example checks only the physical security features of the identity document.

Security is increased when individuals use a card reader for access. In this example, individuals pass their card through a reader and enter a PIN to verify they are the cardholder. The card reader verifies that the PIN matches the stored PIN on the card and that the card has not expired. If the data matches, individuals gain physical entry into the controlled facility or electronic access to a computer or network. To further increase security, an attendant can also check the physical security features of the identity document.

Incorporating biometric authentication with the card reader substantially increases security. Individuals seeking entry into a controlled area or access to a computer or network must pass their card through a reader and enter a PIN for comparison against the stored PIN. Additionally, individuals must submit a biometric sample (such as a fingerprint scan) to compare with the digital biometric file stored on the card. Finally, the reader verifies that the card is not expired. If all checks are satisfactory, the individual is granted physical entry or logical access. Again, the process is more secure if an attendant verifies the picture on the ID card and checks that the card is not altered.
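The reader-side checks just described, as an added example that is not HP's or the NIS product's own code: the issuer signs the chip contents with Ed25519 (the "digital signatures on the chip contents" of section 8.6.5), and the reader verifies that signature before checking expiry, the PIN and, at the higher level, a live biometric sample. The record layout, the PIN-digest scheme and the exact-match biometric comparison are constructed assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ChipRecord models what the issuer writes to the chip during personalization.
// The layout is constructed for this example, not the HP NIS card format.
type ChipRecord struct {
	Serial    string
	Name      string
	Expiry    time.Time
	PINDigest [32]byte // SHA-256(serial, PIN); a real chip verifies the PIN on-card instead
	BioDigest [32]byte // SHA-256 of the enrolled fingerprint template
	Signature []byte   // issuer's Ed25519 signature over all fields above
}

// signedBytes is the canonical length-prefixed encoding the signature covers.
func (r *ChipRecord) signedBytes() []byte {
	var buf bytes.Buffer
	for _, f := range [][]byte{[]byte(r.Serial), []byte(r.Name)} {
		binary.Write(&buf, binary.BigEndian, uint32(len(f)))
		buf.Write(f)
	}
	binary.Write(&buf, binary.BigEndian, r.Expiry.Unix())
	buf.Write(r.PINDigest[:])
	buf.Write(r.BioDigest[:])
	return buf.Bytes()
}

func pinDigest(serial, pin string) [32]byte { return sha256.Sum256([]byte(serial + "\x00" + pin)) }

// Personalize is the issuer side: it fills the record and signs it with the
// credentialing authority's private key, the "known entity" of the text.
func Personalize(issuer ed25519.PrivateKey, serial, name, pin string, bioTemplate []byte, expiry time.Time) ChipRecord {
	rec := ChipRecord{Serial: serial, Name: name, Expiry: expiry.UTC(),
		PINDigest: pinDigest(serial, pin), BioDigest: sha256.Sum256(bioTemplate)}
	rec.Signature = ed25519.Sign(issuer, rec.signedBytes())
	return rec
}

var (
	ErrForged  = errors.New("chip contents are not signed by the issuer")
	ErrExpired = errors.New("credential has expired")
	ErrBadPIN  = errors.New("PIN does not match")
	ErrBadBio  = errors.New("live biometric sample does not match enrolled template")
)

// VerifyAtReader is the reader side: card reader + PIN + expiry, and with
// requireBiometric the additional live-sample comparison. The signature is
// checked first so a tampered expiry or PIN digest is rejected before use.
// Biometric matching is simplified here to an exact template digest comparison.
func VerifyAtReader(rec ChipRecord, issuerPub ed25519.PublicKey, now time.Time,
	pin string, liveTemplate []byte, requireBiometric bool) error {
	if !ed25519.Verify(issuerPub, rec.signedBytes(), rec.Signature) {
		return ErrForged
	}
	if !now.Before(rec.Expiry) {
		return ErrExpired
	}
	want := pinDigest(rec.Serial, pin)
	if subtle.ConstantTimeCompare(want[:], rec.PINDigest[:]) != 1 {
		return ErrBadPIN
	}
	if requireBiometric {
		live := sha256.Sum256(liveTemplate)
		if subtle.ConstantTimeCompare(live[:], rec.BioDigest[:]) != 1 {
			return ErrBadBio
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tpl := []byte("constructed fingerprint template") // stands in for a real template
	now := time.Now()
	rec := Personalize(priv, "NIS-000001", "A. Holder", "1234", tpl, now.AddDate(5, 0, 0))
	fmt.Println("PIN level, correct PIN:     ", VerifyAtReader(rec, pub, now, "1234", nil, false))
	fmt.Println("biometric level, bad sample:", VerifyAtReader(rec, pub, now, "1234", []byte("x"), true))
	rec.Expiry = rec.Expiry.AddDate(10, 0, 0) // tamper with the chip contents after signing
	fmt.Println("tampered expiry:            ", VerifyAtReader(rec, pub, now, "1234", nil, false))
}
```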

8.6.6. NIS Summary

HP NIS is a versatile credentialing system, designed and engineered from the ground up to meet the most demanding requirements for stringent security, worldwide. It is easily deployed as a modular system, and it efficiently operates from widely dispersed, remote locations. The system's scalability fits deployment to small, large, or global populations with equal ease. Deployment causes minimal impact on day-to-day activities and does not require excessive overhead. The ease of scalability means that NIS is capable of processing very large citizenries, including national populations, in a relatively short time span.


9. Successfully Approaching Identity Management

Identity management employs a consolidated view of an "identity" across the enterprise, including identity information and attribute aspects, authentication aspects, and privilege and entitlement aspects affecting people, processes and technology. Because of the scope and enterprise-wide reach of identity management, starting in the human resources organization, over to the business, internal and external audit, compliance and security organizations, to IT and the helpdesk, identity management programs need to be set up and justified correctly in order to become successful. Identity management will then become an integral strategy of the enterprise, iterating through defined and planned cycles of improvements.

9.1. Review and Envision Phase

A critical success factor of identity management initiatives is to move early toward a value consensus shared across all organizations that will be impacted by your identity management initiative. Shared value consensus will be a key to motivating separate interests to work together toward a common cause. HP helps enterprises determine their readiness to launch improvement initiatives. Using the Business Readiness service for identity management, HP Services helps enterprises define targeted business capabilities and postulate the impact of those capabilities on the organization.

Utilizing the experience from identity management programs in other organizations, business impact is seen as key to the program and can be categorized into the following areas:

Regulation conformance: Enterprises that need to conform to regulations such as Sarbanes-Oxley, Basel II or other industry-specific regulations are often challenged with optimizing the regular auditing process for compliance with required security controls.

Security: Enterprise security risk and business impact analysis results in risk mitigation strategies, often in the area of inadequate account and permission management with lifecycle events of job and role changes and terminations.

Data quality: Due to the fast growth of applications and identity systems and repositories, companies have been struggling to set up the right lifecycle process, resulting in inconsistencies in profile and entitlement data.

Agility and productivity and user convenience: Identity lifecycle processes such as user onboarding, role change and termination can be complex processes with many people and organizations involved. Enterprises with high dynamics in the work force or the customer base look at automation to respond to changes quicker.

Cost Reduction: Enterprises looking at return on investment calculations review spending in many areas such as the helpdesk performing manual provisioning and password management, user management efforts within business applications or the consolidation of point identity management solutions.

9.2. Definition Phase

Developing an overarching strategy represents a key success factor for the identity management initiative. HP Services provides the Discovery and Framework service to help enterprises organize this initiative, achieving a common understanding of the current situation and providing strategic alignment throughout the organization on the desired state, including a roadmap of how and when to get there. Individual workshops with various parts of the organization support the discovery of the current state from all angles, including the major pain points existing throughout the organization.

To achieve enterprise value, the ultimate scope must deliver benefits meaningful across the constituencies; however, a broad scope can create what may appear initially to be an insurmountable project challenge. To overcome this, the prioritization and evaluation of major pain points, including the alignment of corporate and IT architecture strategy, enables the development of not only a high-level architecture but also the partitioning and sequencing of the ultimate scope into an implementation roadmap of manageable projects in which progress can be measured and goals can be adjusted as necessary.

9.3. Design and Implementation Phase

Once the scope and project have been clearly defined for the particular cycle of improvement, the detailed functional, technical and implementation requirements will be discovered and aligned to the originating business requirements.

The resulting design must comprehend not only tools and technologies but also lifecycle processes and organizational responsibilities and agreements.

The implementation must factor in the best practices for the technology, process and organizational impact. HP Services utilizes its 10-step implementation methodology for identity management deployments to ensure successful deployments.


9.4. Identity Management Success Factors

In addition to the many success factors that are specific to the program phases, HP has developed overall key success factors for enterprises' identity management initiatives:

Manageable Project Phases: Because of the global reach of identity management, the number of functional and technical requirements an identity management initiative is challenged with can be large. Therefore identity management programs must ensure that business value is returned to the organization in a timely manner, while not attempting to solve too many issues at the same time. This includes the clear definition of:
• Scope
• Realistic timelines
• Demonstrable benefits

Governance: Operationalizing identity management programs requires the establishment of strategy alignment and definition of responsibilities throughout the organization. This includes:
• A steering committee to prioritize efforts and resolve conflicts
• Accountability from all program participants
• Continuous communication and loopback to business stakeholders

Experience: Identity management programs require extensive experience in a lot of very different areas, covering:
• Business processes
• Legal and regulatory implications
• Technology
• Operations

10. HP Identity Management Services

Based on the principles that were outlined in the section on "Successfully Approaching Identity Management" above, HP Services provides the following end-to-end service offerings for identity management (the offerings are summarized in Figure 3-8):

Business Readiness Workshop

This service analyzes and assesses the true business value that an identity management solution could have for your organization. By taking a high-level view of your current business objectives, internal processes and IT infrastructure, you'll be able to pinpoint where identity management might have the greatest financial impact for your organization; some of the key areas to target for improvement; and the most effective long-term strategy. Focal areas include regulation conformance, security, data quality, agility and productivity, and cost reduction.

Identity Management Discovery and Framework Service

This service follows a proven methodology to lay the foundation for effective change of your identity management processes and IT environment. Working with you, we gather information, establish guiding design principles, help express business value, outline the identity management vision architecture and develop a roadmap for improvement phases.

Figure 3-8 HP identity management services (phases: Review & Envision with the Readiness Workshop; Define with Discovery & Framework covering Discovery, Design and Planning; Design & Plan; Implement covering Build, Testing, Pilot, Deployment and Assurance; Manage & Support; solution areas: User Provisioning, Federation, Access Management, Directory Integration)

"Building a flexible and responsive identity management foundation requires an investment of time, money, energy, and resources, but it can help enterprises gain an advantage over their competition." - The Burton Group, "Building the Business Case for Identity Management Investment", v2, January 3, 2006


Design and Planning Services

Aligning with your architecture vision and roadmap, we develop detailed business, functional and technical requirements that will be transformed into the detailed design for the identity management solution, covering the functional solution areas of User Provisioning, Directory Integration, Auditing and Reporting and/or Access Management and Federation.

Identity Management Implementation Services

Using a proven HP methodology, our experienced consultants review, detail, and finalize your identity management implementation plan; conduct a production pilot; train and equip your deployment staff; fully execute the plan by deploying all solution components; conduct acceptance testing; and orient your operations staff for transition to production.

11. Identity Management Summary

Identity management is the ability to identify every user, application, or device across organizations and to provide flexible authentication, access control, and auditing while respecting privacy and regulatory controls. Delivered via a set of processes and tools for creating, maintaining, and terminating a digital identity, these tools allow administrators to manage large populations of users, applications, and systems quickly and easily. They allow selective assignment of roles and privileges, making it easier to comply with regulatory controls and contribute to privacy-sensitive access controls.

For HP, identity management is centered on the pervasiveness of identity management technologies and solutions:

• Identity management is about the management of user, application, and device identities.
• Identity management is about the management of identities in different contexts: enterprises, SMBs, consumers, and the public sector.
• Identity management deals with the management of the entire lifecycle of identities and their attributes.

HP considers privacy management, identity services, business-driven identity management, identity-capable platforms, and device-based identity management as important emerging identity management fields and has invested in specific research in these different areas that is driven from HP Labs. As an example of an end-to-end identity management system, the HP National Identity Solution provides governments with a high-performance, extremely secure, and extremely reliable credentialing solution. Similarly, HP can provide fully integrated end-to-end identity management solutions to meet any enterprise or public sector need.

Table 3-5 HP identity management solution offering summary

IDM Component | Solution | URL
Strong User and Device Authentication | Embedded Security for HP ProtectTools; Smart Card Security for HP ProtectTools | www.hp.com/go/notebooks; www.hp.com/go/desktops
SSO | Credential Manager for HP ProtectTools | www.hp.com/go/notebooks; www.hp.com/go/desktops
AAA & Identity Repositories | HP-UX 11i Identity Management Solutions | www.hp.com/go/hpux11isecurity
Identity Management Services | IDM Consulting and Integration; IDM Managed Services | www.hp.com/go/security (click the HP security services link)
Government | National Identity Solution (NIS) | http://government.hp.com


Chapter 4 Trusted Infrastructure

"Every change in the business triggers an IT event. If you get the infrastructure right, everything is possible." - Bob Napier, late CIO, Hewlett-Packard


Running a business requires the availability and reliability of the IT infrastructure, which underlies most critical business processes. The reliability of the IT infrastructure is paramount. A trusted infrastructure implements the appropriate technologies to secure the end-to-end IT infrastructure, including data centers, networks, productivity tools, end-user desktops, and wireless devices. A trusted infrastructure and its network, host, storage, and print components form the basis of HP's security framework.

This chapter of the handbook discusses IT infrastructure security across networks, hosts, mass storage, and print infrastructure. It introduces the concepts related to trusted infrastructures, trusted computing, and directions in infrastructure technology. HP's security strategies for trusted infrastructure are also discussed, followed by detailed information about host, network, storage, and printing security.

1. Definition

Trusted infrastructures are composed of networks, hardware platforms, operating environments, and applications that behave in an expected and predictable way for their intended purpose. Trusted infrastructures support the IT applications underlying critical business processes. When IT infrastructure technologies fail to keep pace with emerging threats, we no longer trust them to sustain the applications we depend on in both business and society.

2. Purpose

The complexity of today's IT infrastructure exposes it to numerous threats. As shown in Figure 4-2, threats and challenges come from a wide variety of sources. These sources range from internal and external attacks to the risks introduced by common requirements for mobility, business partner connectivity, and outsourcing of IT services.

The need for a trusted IT infrastructure derives from an increasing reliance on IT systems to do everything from running businesses to running our society's utility infrastructures. Just as the dependence on IT permeates all aspects of society, security capabilities must permeate all aspects of the IT infrastructure. Security must be built-in, not bolted-on, at the platform level, at the network level, and in the very processes used for developing systems. A trusted infrastructure reliably manages and controls access to information assets while delivering the horsepower for critical business processes. It helps implement appropriate technologies to secure an organization's end-to-end IT infrastructure, worldwide.

Initially, security models in computing resembled a fortress with heavily guarded walls. As the power of computing, connectivity, and the Internet has become evident to businesses, this fortress model has manifested its limitations. The need for new IT security approaches has emerged as more companies harness the power of the network to do business online with customers and business partners.

Figure 4-1 Trusted Infrastructure (HP security framework: Business Objectives, Regulatory Compliance and Operational Risk drive Governance and Compliance, Proactive Security Management and Identity Management, resting on a Trusted Infrastructure with Network, Host, Storage, and Imaging and Printing components)


HP is working to meet trusted infrastructure needs across a unique breadth of products, from laptops, servers, storage, and software to printers, using HP network components. This is why HP created the Secure Advantage framework. Together with the HP ProtectTools client security portfolio and other HP security products and services explained in this handbook, HP Secure Advantage delivers a portfolio of products to meet customers' needs for secure data and infrastructure protection. HP has a long history in security and is leveraging this expertise to deliver the HP Secure Advantage portfolio. This is especially important today as customers adopt the 24-by-7 next-generation data center model that enables the shift of high-cost IT silos to low-cost, pooled IT assets in order to optimize infrastructures to reduce cost, increase agility, and improve quality of service. Security is a key enabler of HP's Adaptive Infrastructure (AI) offering, which provides the platform for the next-generation data center and a linkage of security to other AI enablers such as IT systems and services, power and cooling, management, virtualization and automation.

Since security and compliance are an absolute necessity for businesses today, the HP Secure Advantage portfolio is designed to enable enterprises to fully automate, optimize and accelerate their IT infrastructures securely with proper validation, in order to achieve better business outcomes by mitigating risk.

2.1. Perimeter Security: Keep the Bad Guys Out

In the early days of computing, before its ubiquity in the commercial sector, dependency on IT infrastructures and the need for IT security were strongest for organizations in the government and military sectors. In these contexts, communication security and the need for access control to data were well understood and paramount. Conversely, the commercial sector perceived computing technology as a welcome performance and efficiency improvement - not a necessity. As a result, while computing technology became more widely available, technical developments motivated by the commercial sector focused on usability and performance.

For commercial computing applications, it was initially sufficient for organizational boundaries in the physical world to drive the requirements of mainstream IT security. The focus was on keeping the bad guys out using perimeter security. In the meantime, sensitive government and commercial organizations sought custom solutions to their IT security needs because they could not rely on off-the-shelf commercial technologies.

Many of the architectures that underlie major portions of today's infrastructures were designed to rely on perimeter security. However, as this perimeter security model has shown its limitations, so have the security models of the computers inside the perimeter.

2.2. Trusted Infrastructure: Let the Right People In and the Right Devices On

In today's world of remote workers, wireless users, trading partners, and connected customers, the expectations of perimeter defenses must be reexamined. Protecting the perimeter or point of contact with the Internet is still important, but it does not sufficiently provide end-to-end security. An effective security strategy must be far more flexible and sophisticated - simply posting a guard at the gate to the network is not enough. Infrastructure security requirements have evolved from keeping the bad guys out to letting the right people in. Legitimate users should have easy access to authorized resources, but they should be prevented from accessing unauthorized resources.

Figure 4-2 Challenges for IT infrastructures (the corporate network, its network infrastructure and gateways, and the enterprise backend face the Internet, others on the network, remote users, client devices and employees, and partners and outsourcing)


2.3. Ongoing Evolution

Organizations continue to use IT in new and changing ways. The evolution in computing and use models initiated by the Internet, connectivity, and mobility is still in its relative infancy. Modern businesses are interconnected with their customers and business partners, and they support an increasingly mobile workforce requiring seamless access to a company's IT networks from anywhere in the world. Similarly, as IT outsourcing offerings have become more comprehensive, more businesses are choosing a provider to host their IT systems. This recent and widespread evolution of how IT is used to run a business creates new challenges.

3. Infrastructure Technology Directions

An IT infrastructure is the collection of IT systems supporting a given set of IT applications. The core elements that comprise the fabric of a company's IT backbone are networking technologies and host technologies. Networking technologies incorporate hardware and infrastructure services and enable the secure and reliable transport of data. By contrast, host technologies incorporate hardware platforms and operating systems (OSs) and enable secure manipulation and storage of data.

Major developments in infrastructure technologies have occurred in the last several years. Mobility is a reality, networking is becoming pervasive, and IT infrastructures are becoming more adaptive and flexible at meeting business needs faster and at lower cost. Important areas of technological development in network security include network security architectures and network-enforced security compliance. Regarding host security, significant areas of development include OSs and hardware platforms.

3.1. Network Security Developments

3.1.1. From the Fortress Enterprise to the Adaptive Edge

As the enterprise IT infrastructure matures and adapts to new ways of doing business in an interconnected world, the network edge has moved outside the traditional physical enterprise. From the increasing pressure to provide mobility to a large part of the workforce, to the need for extending an IT infrastructure into a partner network to boost business efficiency, the edge of the enterprise IT infrastructure is less distinct. To adapt to a trend towards network commoditization, network architecture approaches need reconsideration. HP itself pioneered the "bubble architecture" in an attempt to apply good compartmentalization policy to network architecture and simplify security policy management.

HP promotes the compartmentalization philosophy with its Adaptive Network Architecture (ANA). HP uses ANA as a value-added differentiator for customers implementing network solutions such as IP communications, network consolidation and network security. ANA's goal is to logically compartmentalize an enterprise network based on the business needs of applications or hosted services and extend those compartments enterprise-wide, independent of geography, while enabling centralized policy management. The result is a simple network model that increases security and risk mitigation and reduces the cost of security policy management and controls while minimizing the time needed to implement change. Because ANA can establish network access and security rules for any given compartment upfront, adding systems to (or deleting them from) any compartment becomes easy as business needs change.

In this new environment, where the network edge reaches across public and untrusted networks into a remote host, client, or server, providing centralized administrative management of security policy all the way to the network edge is increasingly important. An organization cannot afford even one successful penetration of perimeter defenses; an attack jeopardizes the entire data network. To retain agility, businesses must manage the increased threat velocity and avoid ad hoc approaches. This creates a strong need for new approaches in data network architecture design that meet business agility needs while providing security with defense in depth. For example, the HP ProCurve Identity Driven Management solution addresses endpoint compliance requirements by allowing organizations to centrally control network access policy across wired and wireless access points (APs).


Self Test for a Trusted Infrastructure

1. Can I reliably distinguish a device that belongs to my organization's IT infrastructure from one that does not?

2. Can I tell that the firmware, software, and configuration of the devices inside my organization's IT infrastructure are in accordance with our IT security policies?

3. Can I trust the behavior of the platforms in my organization's IT infrastructure per our business objectives?


Conventional network perimeter defenses are challenged to simultaneously meet the needs of business agility and information asset protection. For example, firewalls are increasingly managed using exception lists, causing access holes within the firewalls and security and operational concerns. Another problematic trend is channeling a variety of application traffic over port 80 - the port commonly used for HTTP. Because port 80 is normally open to traffic even when the firewall is in its tightest state, this effectively circumvents firewall controls. In addition, some users provision direct external connections to support particular applications or projects, which can completely circumvent firewalls and other security controls.

3.1.2. Network-Enforced Security Compliance

Greater commonality in security functions across Local Area Networks (LANs), Wireless Local Area Networks (WLANs), and Wide Area Networks (WANs) is required. These three types of networks currently exhibit a large disparity in the level of security functions provided by their associated products.

Harmonizing security enforcement is important to help maintain security policies such as access control across the network. It also facilitates central management of the entire infrastructure. Solutions exist today that help to implement such controls above a network infrastructure. However, additional efforts are necessary to provide holistic solutions that effectively deal with complex heterogeneous environments.

Pervasive and manageable security mechanisms are starting to be built into networks, with the help of standards such as IEEE 802.1x (for port-based access control). Additionally, infrastructure protocols such as 802.1x limit access to authenticated devices and users. When combined with a software solution for enforcement of end-point security compliance, these mechanisms help to support security policy decisions at the network edge. This permits such solutions as quarantining and remediation to take direct action on an authentication or compliance failure. Note that these approaches are not limited to the network edge - variations often can and should be used in the network core.

To better control connectivity to the infrastructure across a growing range of access technologies, new solutions are being developed in the field of Network Access Control (NAC). Initiatives such as Cisco's Network Admission Control (C-NAC) and Microsoft's Network Access Protection (NAP) are emerging as vendor-specific solutions to this requirement.

While both initiatives provide a piece of the solution, organizations need an industry-standard solution to this industry-wide problem that manifests itself in the largest and most heterogeneous customer environments. To that effect, HP helped launch and promote the Trusted Computing Group (TCG) Trusted Network Connect (TNC) working group to produce specifications that support interoperability between individual vendor products across the network access ecosystem. The recent convergence of Microsoft NAP specifications with the TNC specifications in the TCG is an encouraging development in that direction.

Another important development in network security is the emergence of behavioral approaches to mitigating threats. Building security features directly into the network creates proactive security management solutions. These types of solutions rely on cooperation from the components of the infrastructure for managing and mitigating fast-spreading threats. The Proactive Security Management chapter (Chapter 2) of this handbook provides details about these emerging solutions.

3.2. Host Security Developments

As discussed previously, most businesses now depend on a secure infrastructure. Yet they deployed platforms and OSs that were not necessarily designed with security requirements in mind; nor were they designed to work together well (if at all) in this regard. As a result, implementers of individual applications have been required to overcome these limitations and apply security protection themselves. A trusted infrastructure includes OSs and hardware platforms that offer reliability, manageability, and integration of security.

3.2.1. Operating Systems

When the necessary security mechanisms are built into the base of an OS, organizations can rely on standard enforcement mechanisms in the security architecture. Built-in mechanisms are harder to subvert. They also reduce dependence on correct implementation of the necessary security components in an application by (potentially) non-expert developers.

Security-relevant OS services include authentication, cryptographic libraries, intrusion detection, intrusion prevention, and compartmentalization technologies. When built into the core of the system, these security mechanisms are easier to control by policy, easier to manage across different OSs, and more reliably implemented by experts.

The release of the Microsoft Vista OS in 2006 demonstrates how OS security has become important in the mainstream and provides many security features built in to this popular off-the-shelf client OS. Security features of Microsoft Vista will be discussed in more detail in section 5.4.3.


Trusted Infrastructure


3.2.2. Hardware Platforms

The utility computing platforms of the future provide virtualization of computing resources, such as CPUs, storage devices, and networks. These platforms, whether client or server systems, require integrated security mechanisms. For virtualization-derived utility computing to succeed—from VMware to HP-UX, Microsoft Virtual Server, and Xen (an open source virtual machine project)—businesses must be confident in the reliable separation and isolation of processes.

Modern platform and processor architectures, such as the IA-64 platform (Intel Itanium), are designed with security in mind. Other computing platforms in broad use today predate many of these security considerations. Most were initially designed with very different use models and functional requirements compared to today's expectations in typical IT deployments. For example, the original IBM PC, which is largely preserved in current PCs and mass-market servers, was not designed to meet the security requirements of present-day deployments. This is why HP has been leading industry efforts such as that of the Trusted Computing Group (TCG), to bring aspects of high-grade security technology to commercial IT systems at a low cost. Today TCG technology helps raise the bar for available off-the-shelf client and server technologies. More generally, HP aims to improve enterprise IT security by providing the foundation for enforceable security policies and strengthened identity mechanisms across a range of platforms.

Another important development is the emergence of virtualization technology in desktop PC and notebook devices, where it promises to offer better support for separation of duty between different processes running on the same machine. A recent example of commercial applications of virtualization technology on client devices is Intel's vPro. Moving forward, such technologies will help deliver enterprise manageability and security more reliably by isolating certain key functions from the operating system for remote management.

3.3. Encryption and Key Management Developments

The number of reported incidents of lost and stolen employee and customer data has risen exponentially over the past few years. There are many ways in which this data falls into the wrong hands, but lost and stolen tape drives and laptops containing critical personal data are some of the more common news stories available. This has led to an increase in regulations such as the PCI ones (Payment Card Industry), to assure protection of consumer credit card data. The industry is focused on providing end-to-end solutions to implementing data protection, with a focus on enabling the use of encryption to protect data at rest across the enterprise infrastructure. This industry trend supports HP's long-standing vision of the need for more trusted infrastructure where security is built in to the infrastructure components rather than bolted on as an afterthought. Protecting data at rest is one such capability that must become inherent to trusted infrastructure technologies.

Data encryption has been around for a long time, but was considered costly and hard to manage in the past. You can buy encryption engines to insert into the data path for encryption; however, these devices are specialized for specific uses and each has its own key management capabilities. This increase in the need for data protection has driven the encryption market to develop lower-cost and more manageable encryption capability. For this reason, encryption is being built in to clients, servers, and storage systems, with eventual inclusion across the whole enterprise environment. The current trend is set on consolidating data-at-rest solutions to enable enterprise-wide management of data encryption in heterogeneous infrastructures, but the need for end-to-end data protection solutions means that this trend is rapidly extending to broader data-in-motion and data-in-use models.

This trend has already started playing out with encryption solutions becoming increasingly mainstream across industry solutions, with data protection services built in to infrastructure platforms. In HP's portfolio this includes such solutions as Drive Encryption for HP ProtectTools, Microsoft Vista's BitLocker Drive Encryption, HP-UX's Encrypted Volume File System (EVFS), or the recently announced encryption industry standard for LTO4 tapes. And we expect to see more encryption capabilities being built into network switches and into individual drive mechanisms in the near future.

Coinciding with developments in increased encryption capabilities are improved key management solutions to assure ease of managing the encryption key lifecycle. Good key lifecycle management is imperative for encryption solutions; once something is encrypted it is not readable without the key. This also means that if the key is lost or corrupted, the data is non-retrievable.

As these technologies are built out, so will the standards definitions for encryption and key management. The myriad of various encryption and key management solutions leads to complexity and increased cost to manage these multiple environments. It is imperative that solutions be integrated around a common set of standards. This is also why various standards bodies such as OASIS, IEEE 1619.3, T10, TCG and others focus increasingly on encryption and key management.


4. HP's Strategic Focus

HP believes that security for trusted infrastructures must be built in and not bolted on as an afterthought. This belief requires a new level of maturity for IT security. Generally, IT solutions must provide improved mechanisms to underpin an organization's IT security policies, even in the face of developments such as utility computing, virtualization, and mobility.

4.1. Achieving Security through Open Standards

Creating trusted infrastructures using open and industry-standard technologies is central to meeting the real needs of IT managers. Open standards make it possible to provide security that is built in, manageable, and interoperable. The goal of enabling effective management of trusted infrastructures across large heterogeneous enterprises requires strong interoperability between vendor technologies, which demands collaboration and the development of (and adherence to) industry-wide specifications. For this reason, HP leads and participates in many standards bodies for infrastructure technologies. In fact, HP is an early founder and promoter of the Trusted Computing Group (TCG), created specifically to advance state-of-the-art technology in trusted infrastructures.

Interoperability is crucial for retaining business agility, particularly when businesses strive to achieve end-to-end security in a trusted infrastructure. HP's efforts within organizations such as the Internet Engineering Task Force (IETF) are aimed at creating the necessary interoperability interfaces.

Furthermore, efforts to advance the state of security mechanisms in the network must be combined with efforts to evolve device security. Trusted infrastructure solutions will rely on this. For example, approaches to network access control security will serve business needs only if they can be deployed in a truly adaptive and heterogeneous environment. They must interoperate smoothly and support the relevant industry standard(s).

4.2. Trusted Computing for Trusted Infrastructures

The TCG focuses on designing and standardizing security building blocks for the architecture of most types of computing platforms currently in use. This work supports the ability of those platforms to meet the growing need for more trusted infrastructure technologies. The Trusted Computing initiative collectively addresses new security requirements for computing platforms. At the same time, it preserves the openness and backward compatibility of platforms to remediate mainstream security holes and threats.

4.2.1. Trusted Computing Products

Trusted Computing security technology has become broadly available in business client PCs and notebooks from HP and other vendors, and in select server offerings.

HP has been a leader of the Trusted Computing initiative from the outset. HP's PC business and HP Labs teams include inventors and experts in Trusted Computing who spearheaded the Trusted Computing initiative many years ago. Trusted Computing is a great example of bringing "HP Invent" from HP Labs and forward-looking businesses into HP product lines and out to end users.

Trusted Computing delivers some significant benefits today, and some of these are manifested in HP products such as the HP ProtectTools Security Suite, or HP-UX Trusted Computing Services (TCS). While these products can be deployed today to better protect business applications and information assets, further advantages of Trusted Computing will increase when new hardware platform architectures are combined with redesigned OS software that can fully exploit the improved security attributes of the platform.

For more information about Trusted Computing technology, refer to the HP book “Trusted Computing: TCPA Technology in Context”, by Siani Pearson, et al., Prentice Hall PTR 2002, ISBN 0-13-009220-7.


TCPA and TCG History

TCPA stands for the Trusted Computing Platform Alliance. The TCPA was founded in 1999 by HP, Compaq, Intel Corporation, Microsoft Corporation, and IBM Corporation to address the issues of Trusted Computing Platforms. It is the predecessor organization of the Trusted Computing Group (TCG), which was established in 2003. The TCG was formed with a broader set of promoter members, a collection of typical industry consortium bylaws, and intellectual property agreements centered on reciprocal Reasonable and Non-Discriminatory (RAND) licensing. TCPA specifications in progress were brought into the TCG. The TCG extends Trusted Computing work to a broad set of platform technologies as well as infrastructure protocols and software stack interoperability.


4.2.2. Trusted Computing Platform Functionality

The purpose of the TCG architecture is to prevent the subversion of key security features by software attacks on the platform. So that both local and remote users can trust reported information about the platform, it is necessary to protect the reporting mechanisms against software attack. The reason is obvious: the platform cannot reliably detect a software attack if its own software can be subverted. Protection against hardware attack is also necessary so that a remote user can trust reported information about a platform. This helps the remote user know, for example, that a local user has not physically tampered with the platform.

The Trusted Platform Module (TPM) is at the base of the trusted platform architecture. TPM is an enabling technology consisting of a dedicated security hardware device (with associated software) that meets TCG specifications. The TPM chip can be integrated with computer motherboards and many types of devices, including PDAs, notebooks, cellular phones, and servers. It provides multiple security functions including:

• Device authentication
• Attestation of software state on the platform
• Protection of secrets and stored data on the platform

The TPM includes all the functions that must be trusted in order for the TCG architecture to provide a set of features that cannot be subverted. Figure 4-3 illustrates the internal architecture of a TPM. From a business perspective, TPM-enabled devices create a way to manage business risk, manage assets, and protect critical infrastructures. For example, a TPM can support:

Data protection
• Stronger encryption
• Ease of use

Network protection
• Device authentication
• Protection of network credentials

Identity protection
• Strong, auditable, and attestable device identities rooted in hardware
• Built-in second-factor authentication methods for protecting a user identity

IT services and infrastructure for managing platforms
• OS-independent hardware-based policy enforcement on the use of and access to keys and data protected by the TPM
• Security policy compliance
• Software and hardware configuration management

Figure 4-3: Example of TPM internal architecture


4.2.2.1. Device Authentication

Trusted platforms provide mechanisms to help establish confidence in the behavior of a platform in an IT infrastructure. The basis for this confidence rests with the declarations from recognized and trusted third parties. These third parties can endorse a platform because they have assessed and measured the integrity of the platform. If the measurements meet specific criteria, the third party states that the platform is trustworthy for certain purposes.

To associate trust with a specific platform, the trusted third party can certify a TPM cryptographic key. Two major classes of TPM cryptographic keys can reliably identify a trusted platform: non-migratable keys and migratable keys. Non-migratable keys are locked to the trusted platform from which they originate. By contrast, migratable keys can be moved from the originating trusted platform to another system, but only under the tight control of the owner of that system (the system user or possibly an IT administrator for that system).

Migratable and non-migratable keys exist so that a TPM can use them as cryptographic identifiers to prove that it deserves a third party's trust. For example, remote access software could use a TPM cryptographic key to uniquely identify the system in an IP security (IPsec) or an 802.1x authentication protocol to the back end of the IT infrastructure.

The concept of platform identity creates a reliable new security feature for the IT security tool kit: device authentication. Strong association of cryptographic credentials to a computing platform allows companies to personalize systems and issue credentials for recognition by the corporate network. Platform identity can also be used to configure the security credentials of a computing platform independent from OS security. This provides protection from mistakes or deliberate violation of certain security policies by OS administrators. For example, a security credential protected by TPM hardware can be controlled by specialized IT personnel (or a TPM administrator) to prevent copying or moving between machines by OS or domain administrators.

Features for device authentication are available today in a range of systems across the industry that have onboard TPMs. HP ProtectTools Embedded Security products provide features and mechanisms that can be used off the shelf for stronger hardware protection of user identity credentials, and they provide the building blocks to integrate more advanced physical device authentication into access control processes in IT infrastructure services.

4.2.2.2. Attestation of Software State

A computer platform has integrity if the OS and underlying firmware are tamper-free and applications running on the platform execute without interference. Existing security solutions assume the integrity of the platforms on which they operate. In particular, they assume that secrets can be safely stored and used on even the most open computing platforms, such as PCs.

Because platform owners are in control of their platforms' software environment and history (including interactions, physical modification, and software execution), owners may place trust in the integrity of their platforms. However, platforms are increasingly connected and exposed to threats from the Internet, which makes this confidence questionable. A third party is in an entirely different position than the owner, because the third party usually knows nothing about the environment and history of a remote platform. A third party, therefore, has no explicit confidence in the integrity of a remote platform.


For this purpose, the TCG defines an architecture that allows a computing platform to verifiably and reliably prove its integrity. This is achieved via a TPM-based mechanism that enables reporting of software and configuration measurements to a remote party. These integrity-reporting features are known as an attestation of the software state and configuration of a system. The features are not available today in mainstream platforms, because they are not integrated with mainstream OSs. The first commercial OS implementation that takes advantage of the TPM to verify software state is the Microsoft Windows Vista OS. The application that takes advantage of the TPM in this way is the BitLocker Drive Encryption feature, which protects data on the system. In the future, Linux systems, UNIX systems, and the next version of the Microsoft Windows OS are expected to take advantage of additional TPM mechanisms and support attestation features.

Attestation mechanisms provide the anchor for new architectures that will strongly rely on state information provided by remote systems. For example, a remote access solution could require systems that request network access to first attest that they have implemented the latest enterprise-approved security measures, such as anti-virus software and desktop firewall configuration on the client device. Another example is an information-flow security solution that controls access to and manipulation of enterprise data in an enforceable manner, based on security policy.

4.2.2.3. Protection of Secrets and Stored Data

On a trusted platform, a TPM provides logical and physical protection of secrets and logical protection of the data protected by those secrets. The TPM acts as a conventional cryptographic co-processor and its integrity-reporting mechanisms can prevent the release of secrets to inappropriate processing environments.

Specifically, a trusted platform provides hardware protection for keys and other secrets that typically encrypt files or authorize access to servers or other networks. The TPM can prevent the release of secrets conditioned upon presentation of a valid authorization value, the presence of a particular TPM, and/or the verification of a particular software state in the platform. This mechanism is known as the ability to seal storage to a given platform and/or a given software state on that platform. The TPM can therefore prevent inappropriate access to encrypted files and network resources that would otherwise be vulnerable to attacks, such as searching the contents of a hard disk, moving a hard disk to another platform, or loading software to snoop on other processes.

Because the TPM can enforce such policies, it is essentially a hardware-based policy enforcement mechanism for data decryption and cryptographic credentials.

Attestation of software state and sealed storage mechanisms will only be available to applications when OSs integrate the attestation features of the TCG architecture. As discussed earlier, this is beginning to occur for enterprise customers with the introduction of Microsoft Windows Vista and its BitLocker Drive Encryption feature. Today, HP ProtectTools Embedded Security products take advantage of the standard protected storage feature of a TPM to strengthen encryption solutions and provide a stronger tie between security credentials and a physical device.

4.2.3. Elements of a More Secure Platform

4.2.3.1. Embedded Security and TPM

In a PC, a TPM is attached to the low-pin-count (LPC) bus on the motherboard. A TPM provides mechanisms for root security functions and a hardware root of trust in support of OS security. Beyond providing well-understood cryptographic functions, TPM features support the design of new OS architectures that create a chain of trust, which is built from the TPM hardware root of trust and extends to software on the platform. With a TPM, a typical chain of trust can provide strong cryptographic attestation (across a network) of the state of a local platform's firmware, hardware configuration, OS, and software configuration. Combining a TPM with higher-level software creates the basis for strong, hardware-based policy enforcement for the first time in mass-market systems. HP workstations, desktop PCs, and notebooks are available with a TPM.
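The measurement chain described above, the attestation of section 4.2.2.2 and the sealing rules of section 4.2.2.3 can be seen working together in this added Python model; it is not HP's or the TCG's code. It assumes a simplified TPM in which SHA-256 replaces the SHA-1 PCRs of TPM 1.2, HMAC keys replace the chip's RSA attestation and storage keys, a toy stream cipher does the sealing, and the boot components are constructed byte strings.

```python
"""Simplified model of TPM measured boot, attestation and sealed storage.
Added example, not HP's or the TCG's code.  Simplifications: SHA-256 stands
in for the TPM 1.2 SHA-1 PCRs, HMAC keys stand in for the TPM's RSA
attestation and storage keys, and the boot components are constructed."""
import hashlib
import hmac
import os
from typing import List, Optional


def measure(component: bytes) -> bytes:
    """Digest of one component (firmware, boot loader, kernel, config)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || measurement).  A PCR can only be
    extended, never set, so the result depends on every stage and its order."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain: List[bytes]) -> bytes:
    """Each stage measures the next one into the PCR before running it."""
    pcr = bytes(32)                           # PCRs are zero at power-on
    for component in chain:
        pcr = extend(pcr, measure(component))
    return pcr


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo (a real TPM uses its RSA storage key)."""
    out = bytearray()
    for i, b in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


class SimulatedTPM:
    """Keys that never leave the 'chip'; random per instance, which models
    'the presence of a particular TPM': another chip cannot unseal."""

    def __init__(self) -> None:
        self._attest_key = os.urandom(32)
        self._seal_key = os.urandom(32)

    def quote(self, pcr: bytes, nonce: bytes) -> bytes:
        """Attestation: sign (PCR value, verifier nonce); the nonce defeats replay."""
        return hmac.new(self._attest_key, pcr + nonce, hashlib.sha256).digest()

    def verify_quote(self, pcr: bytes, nonce: bytes, sig: bytes) -> bool:
        """The remote verifier's check (it would use the certified public key)."""
        return hmac.compare_digest(self.quote(pcr, nonce), sig)

    def _derive(self, pcr: bytes, auth: bytes) -> bytes:
        return hmac.new(self._seal_key, pcr + auth, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes, auth: bytes) -> bytes:
        """Bind a secret to this TPM, an expected PCR value and an auth value."""
        key = self._derive(pcr, auth)
        ct = _xor_stream(key, secret)
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return pcr + tag + ct                 # expected PCR travels in the blob

    def unseal(self, blob: bytes, current_pcr: bytes, auth: bytes) -> Optional[bytes]:
        """Release the secret only if software state, auth and TPM all match."""
        expected_pcr, tag, ct = blob[:32], blob[32:64], blob[64:]
        if current_pcr != expected_pcr:
            return None                       # platform booted different software
        key = self._derive(current_pcr, auth)
        if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
            return None                       # wrong auth value or wrong TPM
        return _xor_stream(key, ct)


# Constructed boot chains; the second has a modified boot loader.
GOOD_CHAIN = [b"firmware 1.2", b"boot loader 3.0", b"kernel 2.6 approved", b"config av=on fw=on"]
TAMPERED_CHAIN = [b"firmware 1.2", b"boot loader 3.0 patched", b"kernel 2.6 approved", b"config av=on fw=on"]


def demo() -> dict:
    """Seal a volume key to the known-good state, then try to unseal it after
    a good boot, a tampered boot, with a wrong auth value and on another TPM."""
    tpm, other_tpm = SimulatedTPM(), SimulatedTPM()
    golden = measured_boot(GOOD_CHAIN)
    blob = tpm.seal(b"volume-encryption-key", golden, auth=b"owner-auth")
    nonce = os.urandom(20)                    # verifier's challenge
    return {
        "good_boot": tpm.unseal(blob, measured_boot(GOOD_CHAIN), b"owner-auth"),
        "tampered_boot": tpm.unseal(blob, measured_boot(TAMPERED_CHAIN), b"owner-auth"),
        "wrong_auth": tpm.unseal(blob, golden, b"guess"),
        "other_tpm": other_tpm.unseal(blob, golden, b"owner-auth"),
        "quote_ok": tpm.verify_quote(golden, nonce, tpm.quote(golden, nonce)),
        "quote_replayed": tpm.verify_quote(golden, os.urandom(20), tpm.quote(golden, nonce)),
    }
```

Only the good boot returns the volume key; a patched boot loader, a wrong auth value or a different chip each yields `None`, which is the sealing behaviour the text describes.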

4.2.3.2. Operating Systems

OS support is expected to gate the most widespread commercial availability of the Trusted Computing platforms. Those platforms will integrate TPM features and combine other components - such as new CPU and chipset security architectures from AMD or Intel (for example, Intel's TXT Technology) - to provide security mechanisms that directly benefit higher-level applications.

As noted previously, Microsoft is expected to build on these technology components in future versions of the Microsoft Windows OS and provide remote software state attestation features enabled by the Trusted Computing architecture. Linux and UNIX vendors are expected to make use of these technologies in the same timeframe to create similar capabilities for these platforms.


4.2.3.3. Applications

HP's ProtectTools products enable legacy applications to take advantage of the TPM transparently through standard interfaces such as the Microsoft Cryptographic API (MSCAPI) and the Public-Key Cryptography Standards (PKCS) #11 interface. They also provide applications designed to use a TPM to enhance data security. Newly developed applications will use TPMs on computing platforms. OSs that build a chain of trust from the TPM will also provide benefits for the management of trusted infrastructures, independent of individual applications.

4.2.4. Trusted Computing Across the Infrastructure

The benefits of Trusted Computing are available to virtually any device that contains a processor and an OS/environment, runs applications, and communicates with other devices via networks. The value of this emerging technology becomes greater in more open platforms; it helps attest to appropriate state and configuration without restricting and locking the platform completely. The expectation is that Trusted Computing will appear in all relevant form factors over time, including PDAs, servers, and mobile phones.

4.2.5. Security and Privacy Issues

Not surprisingly, many security-enhancing technologies have privacy implications. Privacy requirements are dependent upon the context in which they are viewed. In some transaction usage models, increasing the security of data requires identification from an actor (user or system) that wants to access the data. In other models, anonymity helps ensure the security of the actor's identity or Personally Identifiable Information (PII).

In the past, Trusted Computing was mischaracterized as a privacy threat. In fact, Trusted Computing specifications have been developed with specific, privacy-sensitive principles to allow for secure IT solutions that respect privacy. Trusted Computing contains building blocks that, used correctly, can protect the privacy of data or the actors wanting data access. Notably, the Trusted Computing specifications have consistently built privacy considerations into the design of the technical architecture. Various mechanisms support the protection of private data and avoid approaches that create privacy concerns (such as a visible, single, and unique identifier for a platform). From mechanisms that support the creation of pseudonymous identifiers to designs that let platform owners opt in to use the technology, the technical specifications carefully consider the protection of PII.

Trusted Computing can be effectively deployed across a variety of use models with differing privacy attributes. This includes meeting the strictest privacy legislation and providing the basis of privacy-enhancing technologies for future IT solutions and platforms. HP's ProtectTools Embedded Security products comply with the privacy-sensitive and user-control spirit of the TCG specifications. In addition, HP Labs is actively pursuing the design of new privacy-enhancing applications of Trusted Computing with the broader research community.

The TCG has active working groups to address the different types of platforms. The working groups are designing specifications for the Trusted Computing architectures of the various device categories and their use models. All of the TCG's work focuses on manufacturer- and vendor-independent specifications to enable interoperability of implementations.

In addition, the TCG is focusing on infrastructure protocols and mechanisms to design interoperability and support for new trusted computing features. HP leads and participates in these efforts, including the TNC working group. This work will allow the next generation of infrastructure services to seamlessly use Trusted Computing technology across multi-vendor platforms, OSs, and applications, supporting the design and deployment of truly heterogeneous trusted infrastructures.

4.3. Network Access Control (NAC)

NAC has evolved over a number of years to become viewed as a critical part of layered defense or defense-in-depth network security. However, there is still some lack of consensus around what NAC really means. This is due to a combination of early proprietary approaches, Cisco's Network Access Control scheme (C-NAC), Microsoft’s approach with Network Access Protection (NAP), and an early lack of standards. HP has worked to address the lack of standards through the TCG with TNC (Trusted Network Connect). HP sees NAC as a standard part of network security offerings over the next few years, and it is critical that a common understanding of core NAC capabilities, essential services and common standards is established.


4.3.1. What is Network Access Control (NAC)?

HP defines NAC as the combination of software, hardware, services and processes designed to protect a network from untrusted or unsecured end-points. NAC is primarily a network security element, intended to protect the network and its resources from harmful users and systems/devices. NAC controls and restricts access to network resources based on certain criteria and business policies. In its most basic form, NAC allows a network administrator to restrict network access to authorized users and/or devices. However, many organizations have the need to provide, or can benefit from providing, different levels of access depending on the role of the user. For example, employees have access to internal network resources and the Internet while guest users are only provided access to the external Internet.

The need for protection from malicious software is accomplished by evaluating the "health" or "security" posture of devices connecting to the network. The required posture is defined by organizational policies and is based on checking for things such as operating system version, patches, security software (anti-virus, anti-spam, firewalls, etc.), security settings on common software installations, or other required or prohibited software. NAC goals can be further complicated by the fact that today's network is often comprised of network access requests from devices that are not under direct organizational control, such as contractor and guest laptops. Furthermore, the need to understand and comply with regulatory agencies and company policies alike drives a need for the organization to seek solutions that meet this goal, often with fewer resources than ever before.

NAC must deliver on securing the organization based on the organization's governance model and business objectives. This means that NAC should not become a barrier to business and must be able to handle exceptions or emergencies as well.
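The role-based access and posture evaluation described in this section, together with the exception handling the last paragraph asks for, as an added Python policy decision point; it is not HP's or any NAC vendor's code. The posture fields, segment names, thresholds and sample access requests are constructed for the example, and the decision is what an 802.1x-capable switch or access point would enforce as a VLAN assignment.

```python
"""Toy NAC policy decision point: role-based access plus endpoint posture.
Added example, not HP's or any vendor's code.  Posture fields, segment
names, thresholds and the sample requests are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Network segments the edge switch/AP assigns after 802.1x (constructed names).
CORPORATE = "corporate"           # internal resources plus the Internet
INTERNET_ONLY = "internet-only"   # what guests and unmanaged devices get
QUARANTINE = "quarantine"         # remediation servers only
DENY = "deny"


@dataclass
class Posture:
    """Health report from the endpoint compliance agent (constructed fields)."""
    os_version: str
    patch_level: int                 # highest cumulative patch installed
    av_running: bool
    av_signature_age_days: int
    firewall_enabled: bool
    installed_software: List[str] = field(default_factory=list)


@dataclass
class AccessRequest:
    user: Optional[str]              # None when 802.1x authentication failed
    role: str                        # "employee", "contractor" or "guest"
    device_id: str
    managed_device: bool             # authenticated with an organization-issued device credential
    posture: Optional[Posture]


@dataclass
class Policy:
    min_patch_level: int = 42
    max_signature_age_days: int = 7
    allowed_os: tuple = ("Windows XP SP2", "Windows Vista", "HP-UX 11i")
    prohibited_software: tuple = ("p2p-client",)
    # Emergency exceptions: device_id -> expiry (UTC).  Time-bounded, so they
    # cannot quietly become permanent holes the way firewall exception lists do.
    exceptions: Dict[str, datetime] = field(default_factory=dict)


@dataclass
class Decision:
    vlan: str
    reasons: List[str]               # kept for the audit trail


def posture_failures(p: Posture, policy: Policy) -> List[str]:
    """Every policy clause the device violates; an empty list means compliant."""
    failures = []
    if p.os_version not in policy.allowed_os:
        failures.append(f"unapproved OS {p.os_version}")
    if p.patch_level < policy.min_patch_level:
        failures.append(f"patch level {p.patch_level} below {policy.min_patch_level}")
    if not p.av_running:
        failures.append("anti-virus not running")
    elif p.av_signature_age_days > policy.max_signature_age_days:
        failures.append(f"anti-virus signatures {p.av_signature_age_days} days old")
    if not p.firewall_enabled:
        failures.append("desktop firewall disabled")
    for sw in p.installed_software:
        if sw in policy.prohibited_software:
            failures.append(f"prohibited software: {sw}")
    return failures


def decide(req: AccessRequest, policy: Policy, now: Optional[datetime] = None) -> Decision:
    """Map (identity, device, posture) to the segment the network should enforce."""
    now = now or datetime.now(timezone.utc)
    if req.user is None:
        return Decision(DENY, ["authentication failed"])
    if req.role == "guest" or not req.managed_device:
        # Not under organizational control: Internet only, posture not assessed.
        return Decision(INTERNET_ONLY, [f"{req.role} role, managed={req.managed_device}"])
    if req.posture is None:
        return Decision(QUARANTINE, ["managed device sent no posture report"])
    failures = posture_failures(req.posture, policy)
    if not failures:
        return Decision(CORPORATE, ["posture compliant"])
    expiry = policy.exceptions.get(req.device_id)
    if expiry is not None and now < expiry:
        # Emergency path: allow, but record the failures for audit.
        return Decision(CORPORATE, ["exception until " + expiry.isoformat()] + failures)
    return Decision(QUARANTINE, failures)     # remediate, then re-assess


NOW = datetime(2007, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed clock


def sample_decisions() -> Dict[str, Decision]:
    """Run constructed requests through a policy with one 4-hour exception."""
    policy = Policy(exceptions={"laptop-0099": NOW + timedelta(hours=4)})
    healthy = Posture("Windows Vista", 45, True, 2, True, ["office-suite"])
    p2p = Posture("Windows Vista", 45, True, 2, True, ["office-suite", "p2p-client"])
    stale = Posture("Windows XP SP2", 40, True, 12, False)
    reqs = {
        "employee-healthy": AccessRequest("alice", "employee", "laptop-0001", True, healthy),
        "employee-p2p": AccessRequest("bob", "employee", "laptop-0002", True, p2p),
        "employee-exception": AccessRequest("carol", "employee", "laptop-0099", True, stale),
        "contractor-own-laptop": AccessRequest("dave", "contractor", "unknown-7", False, None),
        "guest": AccessRequest("guest-17", "guest", "unknown-9", False, None),
        "auth-failed": AccessRequest(None, "employee", "laptop-0003", True, healthy),
    }
    return {name: decide(r, policy, NOW) for name, r in reqs.items()}
```

The peer-to-peer case lands in quarantine with the offending package named in the audit reasons, and the exception case reaches the corporate segment only while its expiry is in the future.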

4.3.2. NAC Benefits

The business benefits of proper NAC solutions are significant, and include:

• Improved governance and compliance: When dealing with regulatory or corporate compliance requirements, NAC allows an organization to significantly improve its ability to ensure that access to specific systems and data is only available to specific authorized devices and users that comply with policy. Additionally, with the right implementation, the ability to audit and report on the environment is increased. NAC implementations then allow for the high-level governance capabilities to be aligned with common network security due diligence used in many different governance frameworks.

• Improved security posture: NAC provides an additional protection layer for an organization's Defense in Depth or Layered Security requirements. While it requires analysis specific to an organization, the goal is to minimize risk to the network business resources from unauthorized, unhealthy and out-of-compliance devices and endpoints. By doing this, NAC can reduce unnecessary exposure of corporate assets; for example, if a PC is running peer-to-peer software, then there is a risk that confidential documents could be inadvertently shared. The presence of such software could be detected, audited and acted upon to ensure that the PC does not get onto the secured network with such software in operation.

• Improved operational cost management: Organizations face tremendous pressure to prevent breaches, ranging from virus infection through data loss, while at the same time maintaining or decreasing cost structures. Investing in NAC capabilities allows an organization to increase its security posture while ensuring that fewer issues need to be resolved post-breach. Costs associated with resolving security breaches after the fact are often hard to quantify, but a lot of data is available to evaluate the likelihood of such events.

4.3.3. NAC Challenges

NAC solutions today are not overly complex in their goals or implementations, but can also be considered relatively simplistic in their enforcement capabilities. The largest challenges facing NAC today are:

• Politics: Like many technologies, NAC has the potential to significantly change the way in which people will need to work when using networked resources. Initial implementations can fail if they create remediation processes that are too complex, or worse, force a user into a dead end where they are unable to work at all. The commonplace example is a critical deal being lost because some individual could not get on the network to obtain or submit critical time-sensitive information. Make that person an executive and the example can often become more serious.


• Complex integrations: In order to successfully deliver NAC, all parties must work well together. Many vendors provide their own partner integration programs.

• Legacy or limited endpoint capabilities: While endpoints such as PCs and servers can run agents or respond to remote queries to determine their software posture, devices such as networked printers, phones, PDAs and so forth usually do not yet have the standard capability to respond to standard or even alternate NAC challenges, such as web access redirection or 802.1x-based authentication. Therefore organizations implementing NAC usually end up using exceptions such as MAC or IP address authentication, or implementing guest VLANs. Since MAC or IP address authentication can often be spoofed, it is important to consider carefully the security implications for a NAC deployment, and to implement a separate guest VLAN when possible.

• Proprietary solutions: Most vendors have their own agent technology. Firstly, the initial lack of common baseline functionality and standards has forced vendors to implement or OEM client agents that cannot work with other solutions. An ongoing disconnect between standards and proprietary solutions remains at the network level, which limits comprehensive innovation across the NAC management space, in terms of standard integrations with tools such as SIM/SEM, change management, network management, and similar tools.

HP is working on all these areas through a combination of standards activities, partner integrations and advanced service delivery capabilities. In addition, HP ProCurve's unique identity and immunity solutions already provide advanced NAC capabilities across the network, to the network ports and endpoints that are part of the evolving NAC environment.
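As an added illustration of the two decisions this section describes, the posture check of 4.3.1 (OS version, patch level, anti-virus, prohibited software) and the agentless-device exception of 4.3.3, the following is example code written for this handbook page; it is not HP ProCurve code or any vendor's NAC agent. The policy thresholds, endpoint records, MAC addresses and VLAN names are all constructed for illustration.

```python
"""Posture-based network access decision.  Added example; not HP ProCurve
code or any vendor's NAC agent.  Policy thresholds, endpoint records and
VLAN names are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy: what a "healthy" endpoint must look like.
POLICY = {
    "required_os_prefix": "10.",     # supported OS major version
    "min_patch_level": 12,           # patch baseline
    "prohibited_software": {"p2p-client"},
}

@dataclass
class Endpoint:
    mac: str
    role: str                 # "employee", "contractor", "guest" or "agentless"
    authenticated: bool       # 802.1X, captive portal or MAC-address exception succeeded
    os_version: Optional[str] = None      # None: device cannot answer posture queries
    patch_level: Optional[int] = None
    antivirus_running: Optional[bool] = None
    installed_software: List[str] = field(default_factory=list)

@dataclass
class Decision:
    vlan: str
    reasons: List[str]

def posture_failures(ep: Endpoint) -> List[str]:
    """Compare the reported posture with POLICY; return every failed check."""
    if ep.os_version is None or ep.patch_level is None or ep.antivirus_running is None:
        return ["no posture data reported"]
    failures = []
    if not ep.os_version.startswith(POLICY["required_os_prefix"]):
        failures.append(f"unsupported OS version {ep.os_version}")
    if ep.patch_level < POLICY["min_patch_level"]:
        failures.append(f"patch level {ep.patch_level} below {POLICY['min_patch_level']}")
    if not ep.antivirus_running:
        failures.append("anti-virus not running")
    banned = sorted(set(ep.installed_software) & POLICY["prohibited_software"])
    if banned:
        failures.append("prohibited software: " + ", ".join(banned))
    return failures

def decide(ep: Endpoint) -> Decision:
    """Map an endpoint to a VLAN: internal, guest, quarantine or restricted."""
    if not ep.authenticated:
        return Decision("guest", ["not authenticated: Internet-only access"])
    if ep.role == "guest":
        return Decision("guest", ["guest role: Internet-only access"])
    if ep.role == "agentless":
        # Printers, phones and similar cannot run an agent.  They are admitted
        # on a MAC-address exception, which is spoofable, so they are kept on
        # a separate restricted VLAN rather than the internal network.
        return Decision("restricted-devices",
                        ["agentless device admitted by MAC exception; isolated VLAN"])
    failures = posture_failures(ep)
    if failures:
        # Quarantine VLAN: only remediation services are reachable from here.
        return Decision("quarantine", failures)
    return Decision("internal", ["authenticated and posture compliant"])
```

The reasons list is what a remediation portal would show the user, which is the point the "Politics" challenge above makes: a device that fails posture is told exactly what to fix rather than being left in a dead end.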

4.3.4. NAC Futures

To address many of the challenges associated with NAC, HP sees the NAC market evolving to deliver the following:

• Standardized NAC infrastructure: With the work of the TCG's TNC working group, HP believes that standards for NAC infrastructure will help meet customer needs for interoperability between NAC-level products. For example, Microsoft's recent NAP alignment with TNC will have a significant impact on creating a common NAC framework. HP will continue to work with vendors and standards bodies to deliver a standardized NAC infrastructure. Further, the increased use of interoperability testing will ensure that the infrastructures will provide for easier deployments.

• Device Identities: HP sees the need for secure device identities to be implemented to support NAC security architectures. Using existing standards such as TCG's TPM specifications, the TCG's TNC working group and the IEEE 802.1AR work will better address network infrastructure security needs: endpoints will be able to provide stronger security assurances with hardware-protected device identity credentials, and signed health statements to a NAC ecosystem.

• Standardized NAC integrations: To minimize friction between governance models and network security initiatives, it is critical that NAC be able to support and respond to an organization's supporting Security Information/Event Management (SIM/SEM), change management, network management, and similar tools.

• Behavior-based NAC: Linking NAC implementations with network monitoring capabilities allows legacy devices to participate more fully in a complete NAC environment, while appropriately mitigating the risks associated with their lack of NAC device client capabilities. This will evolve into a cyclical relationship between these solution areas, delivered by standardized NAC integrations.

• Virtualization and hypervisor evolutions: With the emergence of virtualization technology on endpoints, we expect to see the development of hypervisor-level NAC solutions for endpoint compliance enforcement. Proprietary technologies such as Intel vPro are beginning to take advantage of hypervisor technology to isolate and secure network security policy enforcement on individual endpoints, and we expect such implementations to integrate with NAC architectures moving forward.


4.4. Secure Development

The root cause of most security incidents (beyond the perpetrator of an attack) is typically the exploitation of a vulnerability that allows the unintended outcome. Of course, people and processes can create significant vulnerabilities, and there are many ways to track known vulnerabilities, patch them, and block them. However, this reactive approach is not sufficient by itself. To be truly proactive about dealing with security-related vulnerabilities, the responsibility shifts upstream in the development cycle to the development teams who create the software or firmware in the first place. That's where the vulnerabilities are created unknowingly. It is clear that developers must be more aware of best practices and bad practices to create less vulnerable products and solutions. This is the motivation behind HP's secure development initiatives. For HP, secure development is an ongoing process that begins with awareness and education and continues all the way through the product lifecycle. This is how HP works to produce secure and trusted products and solutions, minimizing bugs and flaws that have security implications as well as building in security right from the start.

4.4.1. Minimizing Flaws

As evidence of the importance of secure development practices, various worms such as Code Red, Nimda, Blaster, Slammer, and Sasser have caused havoc on public networks, private networks, and home systems. The root causes of the vulnerabilities which were exploited by these attacks come down to a single untrusted library call, a failure to prevent a memory structure from overflowing, or some other insecure software development practice. Using such attack analysis information, HP's secure development initiatives are aimed at minimizing known bugs and flaws that have security implications through education for the developers and internal tools/methodologies. In addition, developers can add security technology to design and solution architectures. The combination of secure development methods, internal tools and the inclusion of security technologies early on or upstream in our product lifecycles means that HP can increase solution quality and trustworthiness without significantly impacting the product's time to market or costs. For our customers, this means better overall quality, value and cost savings by avoiding security issues in deployment.

4.4.2. Developer Education

HP has a worldwide security education program targeted at all internal developers. Both general developers and security-focused developers need to learn how to make less vulnerable products by minimizing bugs and flaws with security implications. The curriculum also includes courses for security-focused developers who also need to learn how to incorporate specific built-in security technologies. The program includes best-practice white papers, on-demand seminars, computer-based training modules, and instructor-led courses.

4.4.3. Product Development Lifecycle

Other parts of HP's secure development initiatives focus on constantly improving product development lifecycles. HP has added security-focused steps to each stage of product lifecycles. For example, risk assessment and vulnerability assessment techniques are used during the design phases, and the testing phases present the opportunity to perform both component- and system-level security testing. Processes and methodologies are brought into HP development lifecycles, along with source code, application- and system-level vulnerability scanners, and threat assessment tools. HP uses both its own HP-invented tools and best-in-class tools from third-party vendors.


4.4.4. Vulnerability Analysis

As mentioned above, vulnerability assessment tools or scanners play an important role in the product lifecycle and can serve both proactive and reactive functions in the development and maintenance of secure programs. Proactive vulnerability analysis refers to employing risk assessment and vulnerability tools early on in the development process. During architecture definition, risk assessment can highlight the areas of highest risk, assert security best practices to secure those high-risk areas and even guide the application of vulnerability assessment tools based on business requirements and risk prioritization. Reactively, in later stages of product development and testing, assessment tools can be run on the running programs, applications and the source code itself.

This provides a quality checkpoint or testing phase that can catch security bugs or flaws that have been created. Further, most assessment tools provide corrective information about how to resolve the bug or flaw. Vulnerability assessment tools look for known patterns of bugs and flaws, and their databases of these now exceed 4,000 known problems today, and grow frequently! But even more advances have given us the ability to look for unknown flaws or bugs that lead to security problems. These include techniques such as dynamic attack methodologies and/or fuzzing techniques to reveal previously undetected flaws in an application. These are flaw-finding techniques where a testing tool (fuzzer or dynamic attack generator) sends random input to the program being tested, looking for input that can lead to an exception, crash or server error in the case of web apps. The testing for unknown and known flaws occurs simultaneously or as part of the same process for most modern scanners, such as HP WebInspect.
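The fuzzing technique just described, as an added example written for this page (it is not HP WebInspect or any other product): a mutation fuzzer feeds randomized variants of a seed record to a parser and records the first input that raises something other than the parser's own validation error. The record format, the seed record and the parser are constructed; the parser deliberately trusts its length byte so that the fuzzer has a real unchecked-length bug to find, and a bounds-checked version of the same parser is included to show that the fuzzer then finds nothing.

```python
"""Minimal mutation fuzzer.  Added example (not HP WebInspect or any product).
The wire format, seed record and both parsers are constructed for this page."""
import random
from typing import Callable, Optional

# Constructed format: 1-byte name length, name bytes, 2-byte big-endian value.
SEED_RECORD = b"\x04user\x00\x2a"          # name "user", value 42

def parse_record(data: bytes) -> dict:
    """Deliberately unchecked: the length byte is trusted, so a record that
    claims more bytes than it carries raises IndexError below."""
    name_len = data[0]
    name = data[1:1 + name_len].decode("ascii")   # non-ASCII -> ValueError (expected rejection)
    value = (data[1 + name_len] << 8) | data[2 + name_len]
    return {"name": name, "value": value}

def parse_record_safe(data: bytes) -> Optional[dict]:
    """Bounds-checked version: every out-of-policy input is rejected with None
    instead of an uncontrolled exception."""
    if len(data) < 1:
        return None
    name_len = data[0]
    if len(data) < 3 + name_len:
        return None
    try:
        name = data[1:1 + name_len].decode("ascii")
    except UnicodeDecodeError:
        return None
    value = (data[1 + name_len] << 8) | data[2 + name_len]
    return {"name": name, "value": value}

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte flips, insertions or deletions."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif len(data) > 1:                 # never shrink to an empty record
            del data[rng.randrange(len(data))]
    return bytes(data)

def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int = 2000,
         rng_seed: int = 1, expected=(ValueError,)) -> Optional[dict]:
    """Return the first crashing input, or None if no unexpected exception occurs.
    Exceptions in `expected` count as the parser rejecting input, not as crashes."""
    rng = random.Random(rng_seed)            # fixed seed keeps the run reproducible
    for i in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:             # anything else is a flaw worth reporting
            return {"input": case, "exception": type(exc).__name__, "iteration": i}
    return None

if __name__ == "__main__":
    print(fuzz(parse_record, SEED_RECORD))        # reports an IndexError case
    print(fuzz(parse_record_safe, SEED_RECORD))   # None: hardened parser survives
```

The reproducible seed is what makes a fuzzing finding actionable: the returned input is the regression test for the fix, which is the "corrective information" role the paragraph above attributes to assessment tools.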

The proactive approach for applications is to perform such vulnerability analysis of applications while they are under development and to perform application security assessments against deployed production applications on a regular basis to ensure the security state of the application remains known and good in the face of constantly evolving threats. Interestingly, compliance issues are driving more vulnerability assessment directly. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires application assessments of applications in development and on a regular basis after deployment. If you process credit card transactions online, you are required to comply with PCI DSS and therefore you are required to use vulnerability assessment techniques.

All the above effort results in products, solutions, and services that are built with fewer bugs and flaws (with security implications) and designed with security in mind. In addition, HP sells the assessment tools to build your own secure development processes, and HP Services is making secure development practices and expertise available directly to customers. Secure development services from HP include education and training as well as threat and vulnerability assessment.


5. Host Security

In the book The Mezonic Agenda, a respected security expert, Chad Davis, chases an international conspiracy to sway the U.S. presidential election. Early in the story, Chad avenges an embarrassing situation by quickly updating a very visible web page - in spite of excellent client-side security. Specifically, he discovers that JavaScript validation routines in the client HTML are the sole bastion against an SQL-injection attack. He ultimately pegs down his arrogant colleague by entering the injected string reproduced below, after section 5.1.1.

There are two very important - and relevant - lessons to learn from this example:

• Security is no longer about perimeter defenses. In the early days of mainframes, there were single points of access to computing resources and data that were easy to secure and manage. Now, however, data and processing power are distributed throughout the organization, in hundreds of different servers covering thousands or even millions of clients. There is no good place to draw the perimeter, because the network topology is so dynamic that it is generally impossible to enumerate or calculate.

• Everybody forgets the server. Even well-trained and experienced security architects adopt the perimeter model and neglect to recognize the inherent vulnerabilities in application and OS code. They may also believe that platform security is not cost-effective because, unlike most other countermeasures, it requires frequent administration and introduces significant complexity into both security policy planning and security administration.

What is the point of developing a secure network perimeter with layered levels of firewalls, strong passwords, and intrusion prevention and detection systems, if a simple buffer overflow exploit opens the web server to unfettered access by unauthorized users?

Hardened OSs have historically been hard to use, hard to integrate with the environment, and difficult to verify as secure. The most important question is whether platform security yields the expected returns. Is the effort required and Total Cost of Ownership (TCO) too high relative to the estimated threats and the value of the assets being protected? Although platform security can be very effective, it may not always be worth the cost.

HP looked intently at this issue and enhanced the delivery of platform security through the operating environment. The result is new tools and techniques that reduce risk to the enterprise without ballooning TCO or creating an unacceptable customer/user experience. This section shares our view of platform security and its value to the overall infrastructure.

5.1. Environment

Organizations in specific sectors and industries - such as financial services, the military, and the intelligence community - have used strong platform security for decades. In the majority of other sectors or industries, the reaction to hardened OS products was a question of why an organization would want to implement them given the additional effort and inconvenience required to achieve the high level of security. This question illustrates the fact that security and platform security were not high enough priorities for IT administrators to warrant the cost and additional effort. In addition, as recently as ten years ago the platform security community did not differentiate between life-and-death and profit-and-loss market segments. Instead, it offered a single solution to satisfy all higher security requirements.

5.1.1. Battlefield Protection, Enterprise Overkill

Legacy host security grew out of Cold War technology and thinking. Early offerings were based on the Compartmented Mode Workstation, an intelligence desktop that allowed secure assembly of field data gathered from spies all over the world. Correctly implemented, even the spies did not know what the data meant, because they never saw it all pieced together - hence the compartmented approach. In the context of international espionage, host security was defined as:

• Separation or compartmentalization of different kinds of information
• Separation of powers or authorizations, so that nobody had all the keys
• Separation of various activities into individual tasks, each with its own associated privilege
• Highly granular accounting systems or auditing that tracked each user and system event

The main idea was compartmentalization or layering, much like the watertight compartments in a submarine: a failure in one section did not flood the entire submarine. However, transferring this security model to the connected enterprise raises some issues.


The string Chad enters in the story (the SQL-injection example referred to at the start of section 5):

"; EXEC master..xp_cmdshell 'echo I am insecure! > c:\inetpub\wwwroot\home.html"


5.1.1.1. Drawbacks of the Legacy Approach to Host Security

This approach to host security usually has a high TCO for several reasons:

• Systems are designed for split administration (prohibiting one person from managing the whole system), which means higher personnel costs.
• The level of security usually adopts a firewall mentality: what is not expressly permitted is prohibited. That model works well for routers sorting subnets, but it breaks quickly for complex applications trying to communicate with scores of OS services over dozens of interprocess communication (IPC) connections.
• Secure platforms are often simple, functioning without today's modern operating environment management systems. As a result, implementing routine functions requires extra effort.
• Secure platforms require custom, security-aware applications that are specifically written to behave in a way acceptable to a completely hardened OS.

5.1.1.2. Benefits

The infrastructure environment is not perfect. Ever since the early days of computing, programs have had bugs. Every piece of software contains some level of program faults, design mistakes, partially implemented features, and possible holes that developers may have been aware of but considered safe from exploit.

Layered security acknowledges upfront that systems and software always contain defects or bugs of some kind. Under the right set of circumstances they will eventually break or be compromised. Like the proverbial submarine, military security is equipped with watertight doors, with the full expectation that one or more layers will not withstand every attack. A hardened operating environment is one of the most effective ways to prevent broken and rogue applications from violating OS security policies.

Figure 4-4 illustrates how attacks can penetrate layers of defense. If A1, A2, and A3 are attacks using different exploits, each attack is stopped at different layers in the diagram. The layered host security model assumes that bulletproof protection does not exist, and that some number of attacks will be successful. The goals are to set up several layers to prevent as many attacks as possible, survive the attacks that do occur, quickly regroup, assess and repair the damage (as possible), and continue operating as planned. Application software is often developed with the assumption that protection comes from somewhere else. It relies on the operating environment for protection from other users/processes on the system as well as the external, distributed, and networked environment.


Figure 4-4: Host security layers


5.1.2. Commercialized Forms of Military Systems

Several attempts have been made to transition the military approach to platform security into the enterprise space. Most of these either simplify the compartment layout (preconfigured systems) or accept the requirement for ongoing, highly specialized consulting. Whether using preconfigured or customized systems, the administration costs are relatively high compared to commercial systems, meaning the TCO comparison has not traditionally been favorable. In addition, security is sometimes so tight that some applications or services simply cannot run on the transitioned systems, regardless of expenditure.

The emerging requirement expressed by HP customers is for strong host security with lower TCO, coupled with the flexibility to accommodate a broad range of applications, platforms, management tools, and markets. This led HP to analyze the host security market, along with some of our other markets, to find out whether high security can be simple, available, and cost-effective. The catch for the high-security operating environment is usually the TCO, which is generally very high when the asset value is high. However, this can be overcome if the host is chosen well, matched to the enterprise infrastructure, and surrounded by properly crafted, implemented, and enforced security policy.

5.2. Principles of Design for the Enterprise

As HP has considered how to make high security produce a higher return over a broader target market, we have made several discoveries. First, life-and-death situations merit a cost/benefit analysis that is different from normal business environments. The military model addresses non-financial losses, such as the loss of human life and the collapse of governments - events much more catastrophic and untenable than a simple reduction in profits. When military models are considered for business purposes, they are usually out of balance on the expense side. In other words, military security, quite appropriately, is not intended to produce a financial return on investment (ROI).

Second, these layered approaches generally assume that any manageable level of complexity is acceptable, even if the administration effort is high. This may be appropriate in a life-or-death environment. Without the military/political threat, however, the ROI is not justified, except for a few highly sensitive niche markets such as high-end financial services. Armed with these observations, HP set out to determine whether the high-security approach can be retooled to accommodate an enterprise environment. We began to ask detailed questions about high security, exploring different aspects of military and layered security models and ways to implement these features without placing the TCO equation out of balance.

5.2.1. Easily Administered Layers

Regardless of how high security is implemented, layering is still needed because it is fundamental to containment and risk mitigation. It must be designed into the core operating environment to minimize tampering. Luckily, the internal mechanics are not the problem. The real issues with the military model are configuration and administration. In a typical model, compartments are defined by many layers of indirection, which leads to complexity and lack of flexibility.

In an enterprise environment, the average user depends on a specialist to define layers in most high-security platform systems. Platform layers must be simple to configure and maintain. In fact, a layered model that is both role-based and rule-based eliminates most of these administration issues, allowing the platform administrator to easily create and change configurations. If a system sets up the layering correctly and the administrator describes the layers in a straightforward way, administrative costs drop dramatically - contributing to a significant increase in ROI.

5.2.2. Flexible Role-based Access Controls

It is clear that several other military security features have value in the commercial space. For example, the root account on most systems is all-powerful and able to execute any system command at any time. Even experienced administrators use root only when they require elevated privilege. This observation drives the concept of designing tools that adopt a valid role for specific commands, only for the time required to perform a specific task or function.

Administrators gain privilege for each command that needs it, for the time required, and in a specific area of responsibility. These Role Based Access Controls (RBACs) can be managed on a user-by-user basis. This permits specific users to assume more powerful roles or privileges, depending on their job requirements.


5.2.3. Realistic Privilege Allocation and Management

Another aspect of platform security is the level of privilege assigned to system capabilities. In a true military environment, every system function has its own privilege level - much like putting lockboxes inside a locked desk drawer, inside a locked office, and so on. In the enterprise environment, there are two problems with numerous locks. First, far too many checkpoints are required for a relatively simple system operation, for example, printing a document. The extra checkpoints cause normal system operations to be slower and make applications more complex. Second, the privileges often overlap or create unnecessary redundancy.

Clearly, privileges have value in a secure environment. For example, it is valuable to control the ability to erase a disk drive or transmit files over the Internet. But the privileges must be assigned to enterprise-level activities, such as erasing a disk drive or sending files, rather than to the minute collection of system operations that make up these activities. If platform privileges are reallocated to a higher level of abstraction, they provide useful protection without incurring unnecessary costs - and thus lower the TCO.
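The two ideas of 5.2.2 and 5.2.3 together, a role held only for the duration of one command and privileges named at the level of an enterprise activity rather than its underlying system operations, as an added example written for this page. It is not HP-UX RBAC or any product's code; the role names, privileges, the two sample commands and the audit-line format are all constructed.

```python
"""Per-command role activation with activity-level privileges.
Added example (not HP-UX RBAC or any product); roles, privileges,
sample commands and the audit-line format are constructed."""
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Privileges are enterprise-level activities (erase a disk, send files
# externally), not the many low-level operations each one is built from.
ROLES = {
    "backup_operator": {"read_any_file", "write_backup_media"},
    "storage_admin": {"erase_disk", "read_any_file"},
    "transfer_admin": {"send_files_external"},
}

class PrivilegeError(PermissionError):
    """Raised when a command runs without an active role that grants its privilege."""

@dataclass
class Session:
    user: str
    roles: Set[str]                       # roles this user may assume
    active_role: Optional[str] = None     # role held right now; normally None
    audit: List[str] = field(default_factory=list)

@contextmanager
def assume_role(session: Session, role: str):
    """Hold `role` only inside the with-block; it is dropped on exit, even on error."""
    if role not in session.roles:
        session.audit.append(f"DENY role {role} for {session.user}")
        raise PrivilegeError(f"{session.user} may not assume {role}")
    previous = session.active_role
    session.active_role = role
    session.audit.append(f"ACTIVATE {role} for {session.user}")
    try:
        yield session
    finally:
        session.active_role = previous
        session.audit.append(f"DROP {role} for {session.user}")

def require(session: Session, privilege: str) -> None:
    """Check that the active role grants `privilege`; audit both outcomes."""
    role = session.active_role
    if role is None or privilege not in ROLES.get(role, set()):
        session.audit.append(f"DENY {privilege} for {session.user} (role={role})")
        raise PrivilegeError(f"{privilege} needs an active role that grants it")
    session.audit.append(f"ALLOW {privilege} for {session.user} (role={role})")

# Sample privileged commands: each checks exactly one activity-level privilege.
def erase_disk(session: Session, device: str) -> str:
    require(session, "erase_disk")
    return f"erased {device}"

def send_files(session: Session, path: str, host: str) -> str:
    require(session, "send_files_external")
    return f"sent {path} to {host}"

def run_as(session: Session, role: str, command: Callable, *args):
    """Run one command with `role` active only for as long as the command takes."""
    with assume_role(session, role):
        return command(session, *args)
```

The audit list is the "highly granular accounting" of 5.1.1 applied per activity: each activation, drop, allow and deny is one line, which is far easier to review than a record of every system call the activity performed.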

5.2.4. Balanced Security and Performance

HP realized that the military model focused very little, if at all, on performance. If the system did not run fast enough, more powerful hardware could be obtained. This is a critical difference between a life-or-death decision and an enterprise's profit-and-loss decision. Espionage and battlefield situations usually involve escalation of force, little or no consideration of cost, and more and bigger hardware.

In an enterprise environment, bigger is not necessarily better or more cost-effective. In fact, enterprises tend to accept a slightly higher level of risk in order to reduce costs or raise ROI. And if the security is particularly demanding of resources or effort, an enterprise might disable security features, which may be an appropriate choice for the environment. Hence, there is a need to link platform security with system performance management tools. For example, the HP-UX 11i v2 security containment and processor partitioning solutions known as vPARs (virtual partitions) and nPARs (node partitions) tie into workload management, process resource management, and the HP ServiceGuard product. (For more information, see www.hp.com/go/unix.)

In order to increase performance while maintaining security, other design goals emerge, such as keeping applications in their designated compartment and preventing them from using more resources than appropriate. Another example comes from the virtual partitioning architectures: when an application needs more computing resources, it must be able to automatically add resources without compromising security. These examples of combining performance with security goals illustrate how the role of security is to support new models of operation, not to administer security for security's sake.

5.3. Implementing Secure Platforms

Secure platforms are, to a great extent, constructed during implementation and integration. They are building blocks or foundational elements. Although not all secure platforms involve changes to the OS, most of them are so tightly integrated with the OS kernel and other core operating environment functions that it is unreasonable to design a platform security system in the field. Based on that understanding, two conclusions can be drawn:

• The selection, configuration, and implementation of a solution is more important than the availability of specific security features. In other words, the security of the platform depends greatly on how it is configured and implemented.
• Because platform security architecture is largely predesigned and made configurable, a good platform security implementation should place increased emphasis on security management. A secure platform is not effective unless it is accompanied by solid security policy that supports and surrounds the platform.

This section briefly reexamines some of the fundamentals of security architecture, focusing on how they relate to implementing and ensuring a secure platform.

5.3.1. Security Architecture Models

Unfortunately, the first step in constructing a security architecture model requires abandoning the secure perimeter model. The distributed nature of computing systems makes the perimeter difficult to locate and secure. Examining the basics of security modeling helps to understand why perimeter-based thinking is flawed. Security modeling is the fundamental baseline for security assurance, that is, for assessing and verifying the security of a given implementation. There are probably as many security models as there are ranking experts. Examining a few of the most common models illustrates what they have in common and why the perimeter model breaks down in enterprise computing.


5.3.1.1. State Machine

State machine is the core of most security modeling and verification systems. In a state machine model, the world is divided into subjects and objects. Subjects do the acting and objects are acted upon. Each subject (program, process) and object (file, memory range) is assumed to have states, which change over time (state transitions).

A simple example of subjects and objects might be {man, boy, bat, ball}. Acceptable states might be {accelerating, decelerating, stationary}. Most of the acceptable state transitions would involve the boy accelerating the ball with the bat in such a way that the ball does not use the man as the unexpected subject of a deceleration state change. In a secure system, the goal is to ensure that every possible state change or state transition is considered to answer the question: if the system starts in a secure state, are there any actions of subjects on objects (state transitions) that can cause the system to become insecure?

5.3.1.2. Bell-LaPadula

The Bell-LaPadula model, dating from the 1970s, mirrors the classification system used by most governments to label sensitive documents. The fundamental principle of Bell-LaPadula is the way it imposes a lattice or hierarchy of subjects and objects. It facilitates a quick comparison to decide whether a given subject is allowed to perform a certain action on a given object. It hinges on proper labeling of subjects and objects, and the discussion of levels, labels, domains, and dominance can be very complex. The Bell-LaPadula model is concerned with the confidentiality of data.

5.3.1.3. BibaEssentially, the Biba model is identical to the Bell-LaPadula model, except that it deals with dataintegrity. A user may be authorized to access certaindata, but how does the user know that it is the rightdata and that it has not been corrupted? This modelalso makes use of subjects and objects.

5.3.1.4. Clark-WilsonClark-Wilson is a proxy-based integrity model, stilt-ed toward the commercial environment and focusedon separation of powers or authorizations. The goalis to prevent authorized users from making unautho-rized changes to information.
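As an added illustration (example code written for this edit, not part of the handbook), the following Python encodes the Bell-LaPadula and Biba decision rules over a small label lattice and then answers the state-machine question from 5.3.1.1 by exhaustively exploring every permitted sequence of reads and writes from a secure initial state. The subjects, objects, levels and compartments are constructed for the example.

```python
from collections import deque
from itertools import product

# Ordered sensitivity levels used by the labels (constructed example values).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# A label is (level, frozenset of compartments); subjects carry clearances,
# objects carry classifications. Names and labels are made up for the example.
SUBJECTS = {"analyst": ("secret", frozenset({"finance"})),
            "clerk": ("confidential", frozenset())}
OBJECTS = {"ledger": ("secret", frozenset({"finance"})),
           "memo": ("confidential", frozenset()),
           "bulletin": ("public", frozenset())}


def dominates(a, b):
    """Lattice ordering: a dominates b when a's level is at least b's
    and a's compartments include all of b's."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def blp_permits(subject, action, obj):
    """Bell-LaPadula (confidentiality): read only if the subject dominates
    the object (no read up); write only if the object dominates the
    subject (no write down, the *-property)."""
    if action == "read":
        return dominates(subject, obj)
    return dominates(obj, subject)


def biba_permits(subject_int, action, object_int):
    """Biba (integrity), with integer integrity levels: no read down,
    no write up, the mirror image of Bell-LaPadula."""
    if action == "read":
        return object_int >= subject_int
    return subject_int >= object_int


def is_secure(contents):
    """Secure-state invariant: every object holds only information whose
    label the object's own classification dominates."""
    return all(dominates(OBJECTS[o], lbl)
               for o, labels in contents.items() for lbl in labels)


def step(state, subject, action, obj):
    """Apply one transition: a read copies the object's information labels
    into the subject, a write copies the subject's labels into the object."""
    contents, held = dict(state[0]), dict(state[1])
    if action == "read":
        held[subject] = held[subject] | contents[obj]
    else:
        contents[obj] = contents[obj] | held[subject]
    return (frozenset(contents.items()), frozenset(held.items()))


def explore(policy):
    """Breadth-first search over every sequence of permitted subject actions
    starting from the secure initial state. Returns None when no reachable
    state violates the invariant, otherwise the shortest offending trace."""
    start = (frozenset((o, frozenset({lbl})) for o, lbl in OBJECTS.items()),
             frozenset((s, frozenset()) for s in SUBJECTS))
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if not is_secure(dict(state[0])):
            return trace
        for s, action, o in product(SUBJECTS, ("read", "write"), OBJECTS):
            if not policy(SUBJECTS[s], action, OBJECTS[o]):
                continue
            nxt = step(state, s, action, o)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [(s, action, o)]))
    return None


def lax_policy(subject, action, obj):
    """Same system with the *-property dropped: writes are unconstrained."""
    return action == "write" or dominates(subject, obj)


if __name__ == "__main__":
    print("Bell-LaPadula:", explore(blp_permits))   # None: every reachable state is secure
    print("No write-down rule:", explore(lax_policy))  # a read followed by a write down
```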

5.3.2. The Trusted Computing Base and Dynamic Proliferation Model

Loosely described, the security perimeter is equivalent to the trusted computing base (TCB). The TCB is roughly defined as the set of subjects and objects over which the security administrator can have reasonable control and assurance. The components that can be cleanly identified, mapped, analyzed, and controlled by the security administrator fall within the TCB and earn certain levels of trust. Things that are not as neatly managed fall outside the TCB and cannot be trusted (within the confines of this model). In a perfect world, the security perimeter includes all enterprise data, users, and resources and an appropriate (reasonable or cost-effective) level of trust through various security policies and controls. Even things coming in from outside the TCB, such as network connections or anonymous customers, can be identified in a way that makes them appropriately trusted (or untrusted) subjects in a TCB state machine.

In the real world, however, this approach overlooks a problem called dynamic proliferation. Subjects and objects change state too quickly to cost-effectively maintain the TCB perimeter. The perimeter must expand and contract constantly if the enterprise is to function effectively within the business environment. With dynamic proliferation, each subject and each object must carry its own set of acceptable states, in effect forming a "mini-TCB" that must be carefully maintained. For example, a file could keep its own secure record of who can access it and what can be changed, with the record attached to the file itself and not stored in a separate database.

Currently, there are several initiatives targeted at addressing the disappearing perimeter. On the subject side, there are solutions such as federated identity management, identity and access management, and security information management. For objects, the individual repository/processing unit (the server) needs to function as an isolated TCB, which translates into the need for a secure platform.

5.3.3. Strategies for Implementation

Knowing the difficulties inherent in identifying and controlling the TCB, how can secure platforms be established from which to launch and manage connected enterprise services? The next few sections outline these steps.


5.3.3.1. The Confidentiality, Integrity, and Availability (CIA) Triad

All security exists to ensure exactly three things: confidentiality, integrity, and availability.

• Confidentiality implies no unauthorized disclosure of information.
• Integrity implies no unauthorized modification or destruction of information.
• Availability implies that authorized users can access information when it is needed.

At its most basic level, platform security selects assets that can be confined to a single server and ensures that appropriate levels of confidentiality, integrity, and availability are guaranteed for the assets while they are on that server. Assets may be data or programs, CPU cycles or bits, subjects, or objects. Security analysis usually involves a large number of security goals, threats, threat agents, exposures, risks, and countermeasures. However, the analysis circles back to ensuring some combination of these three basic properties.

5.3.3.2. Identifying Vulnerabilities

Like most security analyses, the first step in planning a secure platform is to identify the realistic vulnerabilities relative to the value of the assets being protected. Using the CIA triad is particularly helpful in this case, because it helps to quickly sort subjects and objects, and it elicits a description of useful and not-so-useful state changes.

There are three key questions for identifying vulnerabilities:

• How can the confidentiality of information on this platform be compromised?
• How can the integrity of information on this platform be compromised?
• How can the availability of information on this platform be compromised?

Answering these three questions in detail requires the security architect or consultant to address a number of other questions as part of a standard risk analysis. For example, the questions above cannot be adequately answered without asking:

• What information is stored on this platform? That is, what are the assets?
• What does confidentiality mean in this situation?
• Who is authorized for what information, at what time, under what conditions?
• What does integrity really mean? Who is authorized to change data? What internal verification mechanisms are already in place that guarantee integrity or obviously identify data integrity issues?
• What does availability really mean? How many users should access how much data over what time span? How often does the data change, and how quickly must those changes be propagated?

There are also inductive vulnerability assessment techniques, which involve attacking the platform in question with various exploits to see how the confidentiality, integrity, or availability of the platform might be violated. However, these must be preceded by (at least) a rudimentary paper analysis. Without knowledge of what CIA means to the enterprise, it is difficult to gauge whether a given attempt is an attack or an acceptable access method.


5.3.3.3. Identifying Threats and Threat Agents

After assessing what CIA means for a given organization or enterprise, it is useful to evaluate the threats by separating CIA into a series of common security goals, for example:

• Maintaining privacy: Protecting from unlawful disclosure
• Maintaining secrecy: Protecting from industrial espionage
• Maintaining integrity: Keeping the data intact
• Maintaining access to service: Keeping the system up and running
• Limiting abuse: Defending against a malicious internal user
• Identifying problems: Overcoming stealth
• Assuring security: Locking out unauthorized users
• Maintaining security policy: Knowing what to do, when to do it, and how to do it

For each area, many different threats can occur that vary in type, format, and means of attack. Rather than cataloging the threats, each of the security goals is detailed as a means for easily recognizing potential threats.

Maintaining Privacy

Privacy of data (one aspect of confidentiality) must be maintained. Certain data must be kept strictly in confidence. The risk associated with the loss of privacy is known as unlawful disclosure. Each person and enterprise should have the opportunity to choose when and with whom data is shared. In many industries, such as telecommunications and medical services, regulatory requirements and disclosure laws provide stiff civil or criminal penalties for failure to maintain the privacy of data.

Unlawful disclosure usually occurs in one of four ways:

• An authorized party (responsible for maintaining privacy) reveals information through error, neglect, or malicious intent.
• An authorized party (responsible for maintaining privacy) accidentally or deliberately grants access to an unauthorized party.
• An unauthorized party monitors communications channels (for example, a telephone tap) to obtain information while it is transmitted between authorized parties.
• An unauthorized party obtains direct access to files or other information resources to collect information.

Maintaining Secrecy

Access to competitive data should be limited to a need-to-know basis. Data is usually classified into risk categories (for example, company-confidential or competition-sensitive), with access to a category tied to a title or position (role). Disclosure may be unintentional or malicious. Public disclosure of secret information can mean the loss of revenue and competitive edge.

When organizations become very large, it is usually impractical to explicitly identify each person who has access to competitive information. Instead, classifications (levels of secrecy) are used. These are typically connected to job description or position in the organizational chart. This kind of security is called multi-level security because there are need-to-know or safe-to-know strata that define who can know what. All such multi-level security measures are designed to reduce the probability that sensitive data will end up in the hands of a competitor or someone who will deliberately use it to damage the enterprise.

Maintaining Access to Service

Losses can be incurred because information or computing resources are not available. Deliberately preventing legitimate access is known as Denial of Service (DoS). A person or enterprise should not be prevented from using information because someone else maliciously disables the means to access that information. This also applies to information resources, such as computers, networks, and communications systems. Of all threats, DoS is the most insidious and the most difficult to prevent. A simple example is someone who ties up a competitor's telephone lines with bogus calls, preventing legitimate customers from being serviced.

One of the most common Internet DoS attacks, which can be performed by relatively unsophisticated attackers using tools available from certain web sites, involves constantly accessing (hitting) a site's homepage, causing some customers to time out without accessing the page. If a malicious organization employed enough agents, each using a web browser to repeatedly request a competitor's web pages, the target would be effectively closed down. Because the web pages must be available to everyone on the Internet to be effective, it is not possible to totally prevent this attack. However, effective security strategies can significantly reduce the impact and subsequent risk.


Maintaining Integrity

Deliberate corruption or destruction of data can deny access through:

• Outright destruction of files: Another variety of DoS
• Overt corruption of files: Data is obviously obliterated or garbled beyond usability
• Covert corruption of files: Data is altered in a way that is not immediately apparent to give false impressions
• Corruption of computer programs: Programs are modified to take unauthorized or destructive actions

A customer or enterprise should not be prevented from using information because someone else destroys it. This goal covers data that has been imperceptibly altered to produce bad decisions or false conclusions. It also addresses bogus programs that damage the system, including Trojan horses, viruses, and other forms of malicious code.

Limiting Abuse

Employees must not be allowed to betray trust by:

• Gaining unauthorized access to corporate data or computing resources
• Granting access to an unauthorized party
• Misusing corporate computing resources
• Corrupting or destroying computing resources

Privileged users must not be allowed to betray the trust granted to them by the organization. There are several ways that privileges can be abused.

Enterprise employees may gain unauthorized access to files or corporate information systems, accessing data for which they are not entitled. They may grant unauthorized data access to a third party, such as a competitor or foreign power. They may misuse corporate computing resources to perform essential services for a competitor; or they may simply corrupt, obliterate, or steal corporate resources, as in the case of a disgruntled employee.

As with DoS, there is no perfect defense. However, limiting employees' access to competitive data, confidential data, and resources not required for their job has a tremendous impact on mitigating this risk factor.

Identifying Problems

Identifying an attack is a cornerstone of layered security protection. Enterprises must know that a breach has occurred, identify the perpetrator and/or the means of attack (if possible), and quickly assess and control damage. Solid problem identification is the most significant step in damage control.

In spite of active security measures, there is always a probability (however small) that someone will penetrate the system. If the surveillance system is well-designed, however, the chances are high that a perpetrator will be caught or positively identified. In addition, the presence of visible surveillance often acts as a powerful deterrent to potential violators.

Even if the perpetrator is not identified and caught, enterprises must be able to assess and repair the damage as accurately as possible and repair the exploited vulnerability. This assessment is the most significant step in damage control. For example, if a corporation knows that its pricing strategies are compromised, it could change the data to confuse the perpetrator.

Assuring Security

A secure system is only part of the security solution. The system must also be configured, maintained, and operated properly. In addition, corporate procedures must support system security. Confused administrators and sloppy procedures are easy targets for attackers. To ensure that security and policy compliance is maintained, administrators must clearly understand the steps to take and the correct order. Confusion regarding the administration of a secure system often leads to inadvertent openings that a perpetrator can exploit. In addition, site security policy must ensure that hard-copy documents, media, and conversations do not reveal information being protected by the secure system. For example, positioning a computer screen to face an uncovered, first-floor window could easily defeat the purpose of all other security features.

Maintaining Security Policy

Security policy is important to the people and process part of the security equation (people, process, and technology). Security policy is the set of rules and procedures for people in the organization to follow, and it also serves as a set of guidelines for process. Security policy spans how to handle information, how to conduct business transactions, what to do in the case of a security incident, and what happens when security policies are violated. To be effective, security policy maintenance must start with awareness and training, and it should continue with policy updates. All the while, documentation should also be maintained for legal and regulatory policies that require monitoring for compliance, enforcement, and investigation.


5.3.3.4. Assessing Risk and Choosing Countermeasures

Effective risk analysis for implementing a secure platform hinges heavily on the correct use of the CIA triad (discussed earlier in this chapter). It also relies on the careful and ongoing assessment of vulnerabilities, threats, threat agents, losses, exposures, and risks.

It is useful to define different types of risk-mitigation strategies that help to secure a computing platform or operating environment. In fact, there are some proven risk-mitigation strategies that help to meet the collection of platform security goals discussed previously. Furthermore, layering these strategies dramatically increases security and decreases risk. Risk-mitigation strategies include:

• Internet traffic filtering
• User authentication
• Data partitioning
• Integrity checking
• Use of least privilege
• User authorization
• System surveillance
• System alarms
• Simple security administration
• Clear site security policy, including compliance monitoring and enforcement
• Ongoing user training and awareness efforts

Internet Traffic Filtering

Stopping problematic traffic before it reaches a system averts subsequent problems and cleanup work. Filtering known bad traffic (such as virus attacks) and preventing inbound or outbound connections from or to known bad IP addresses are two examples of network traffic to stop at the outside edge of an infrastructure. A firewall is one technology that allows this type of filtering.

User Authentication

Many tools for guessing or cracking passwords are freely available. Given the low cost of powerful computers and the fact that many people choose easy-to-guess passwords, password cracking has become a very simple operation. To combat this, it is important to improve user authentication before granting access to resources. This can be accomplished using a combination of three authentication methods:

• Something the user knows: passwords that are improved to thwart cracking attempts. Password-hardening tools make users select passwords that are not composed of common words and names.
• Something the user has: smart cards or physical token devices (such as a keychain security token) can respond to a challenge during login. Users log in, enter the password, and the system challenges them to enter a valid ID number (or some other credential) from the smart card or token.
• Something the user is: biometrics refers to measurements of unique physical features of human beings, including fingerprints, retinal scans, voice printing, and blood vessel printing.

There are different ways to authenticate that users are who they claim to be. Additionally, it is important to select the right level of authentication to meet security requirements and policies.

Data Partitioning

Access can be controlled by implementing a multi-level security system. Programs and users are given a clearance, and files and data are given a label. If the label does not match the clearance, access is denied. Hierarchical access can also be defined in such schemes. Multi-level security systems partition data into compartments, for example, inside (intranet) and outside (Internet). Programs running on the outside cannot access files on the inside, and vice versa. Attackers coming in from the Internet should not be able to reach into the inside compartment to access data files, run programs, or download/upload files. If programs in two or more compartments must share data, hierarchical access may be necessary. In the example given, a system compartment may be required to store configuration files and other files needed by all system programs and applications.

Integrity Checking

Security features are typically complemented with integrity checking, for example:

• Files, directories, and system tools carry security attributes.
• A master list of security attributes is maintained in a safe location.
• Files and directories are periodically checked against the list.
• If discrepancies are found, they must be explained and then fixed.

In an integrity-checking system, the system knows which security attributes (for example, owner, data-partitioning compartment, read access, checksum, or signature) should be assigned to key files. An administrator runs the program periodically to check the state of the file system. Any errors are immediately flagged, and the administrator can reset file attributes, restore from known good copies (if available), or disable the system until an investigation can take place.
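An added example of such an integrity check, written for this edit and not taken from the handbook or any HP tool: it builds a master list of owner, permission bits and SHA-256 checksum for a constructed set of files, stores the list as JSON, and reports each discrepancy on a later check. The file names and contents are made up.

```python
import hashlib
import json
import os
import stat
import tempfile

# Constructed stand-ins for the "key files" whose attributes the master list
# records; paths and contents are made up for this example.
SAMPLE_FILES = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    "etc/ssh/sshd_config": "PermitRootLogin no\n",
    "bin/ls": "#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
}


def file_attributes(path):
    """Attributes tracked for each file: owner, permission bits, and a
    SHA-256 checksum of the contents."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"owner": st.st_uid, "mode": stat.S_IMODE(st.st_mode), "sha256": digest}


def build_baseline(root, relpaths):
    """Create the master list of security attributes for the given files."""
    return {rel: file_attributes(os.path.join(root, rel)) for rel in relpaths}


def save_baseline(baseline, path):
    # In practice the master list lives somewhere the monitored system
    # cannot alter it (read-only or removable media, or a signed copy).
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def check_against_baseline(root, baseline):
    """Compare the current file system state with the master list and
    return every discrepancy as (relpath, attribute, expected, actual)."""
    discrepancies = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            discrepancies.append((rel, "missing", expected, None))
            continue
        actual = file_attributes(path)
        for attr, value in expected.items():
            if actual[attr] != value:
                discrepancies.append((rel, attr, value, actual[attr]))
    return discrepancies


def demo():
    """Build the master list on a constructed tree, then simulate the three
    kinds of discrepancy an administrator would expect the check to flag."""
    root = tempfile.mkdtemp()
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)
    baseline_file = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root, SAMPLE_FILES), baseline_file)
    clean = check_against_baseline(root, load_baseline(baseline_file))

    # Simulated discrepancies: edited config, world-writable tool, deleted file.
    with open(os.path.join(root, "etc/ssh/sshd_config"), "a") as fh:
        fh.write("# edited after the baseline was taken\n")
    os.chmod(os.path.join(root, "bin/ls"), 0o777)
    os.remove(os.path.join(root, "etc/passwd"))
    return clean, check_against_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)   # []
    for finding in after:
        print("DISCREPANCY", finding)
```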


Use of Least Privilege

In nearly every OS, programs use such OS services as terminal input/output (I/O) for portability. Normally, every program has access to every service. This unlimited access presents an opening for rogue programs and hackers. To restrict behavior, each service is protected with a privilege. If a requesting user or system has insufficient privilege(s) for access to a particular service, then that service should not be accessible. Using only the needed privilege for the shortest possible time is known as least privilege.

Every program that runs on a system must perform certain basic tasks. Because programmers do not want to recreate all of these basic operations, such as accessing files or controlling a display, the system provides a set of system services (sometimes called system calls) to handle them. Access to system services is typically unrestricted, meaning that an attacker's malicious program could easily use system services to bypass security measures.

To overcome this weakness, system services can be divided into classes, with a specific privilege assigned to each class. All programs that expect to perform a basic operation such as I/O must present the appropriate privilege for each operation and then relinquish the privilege when it is no longer needed. For example, if a program needs to store a file, it should request write permission to the destination file system, perform the store function, and then relinquish write permission. Therefore, the program only possesses the ability to write to that file system for the time required. If the process was subsequently compromised, it would not have the ability to write.

Privileges significantly reduce the level of risk from malicious programs and Trojan horses. Because privileges must also accommodate off-the-shelf or legacy applications, there must be a special category of privileges for executable programs. However, these privileges should only be assigned by a properly authorized user within the enterprise.

User Authorization

Many systems have a super user or root account that is all-powerful and to which all administrators have full access. Unlimited access provides an opportunity for attack. Superuser access must be divided into discrete authorizations. Every administrative job or role carries a subset of these authorizations. If defined correctly, these roles provide a balance of power.

The most common means of penetrating an HP-UX-based system is to obtain the super user account password. If the various capabilities normally assigned to the root account are divided into discrete authorizations, each of which permits access to a very limited subset of capabilities, the super user account can be disabled or restricted to only a few highly trusted individuals. Each discrete authorization allows access to a very small set of system features. Authorizations can be grouped into roles and distributed to specific individuals, so that users or systems have only the authorizations required to perform their specific functions. For example, night operators do not usually need super user access to the system, but they do require certain access privileges beyond that of a normal user.

System Surveillance

There is no substitute for monitoring and surveillance. Effective monitoring and surveillance should:

• Execute at a low level, within or near the OS
• Record system events with timestamps and user IDs (auditing)
• Avoid degrading performance by allowing tuning and customization
• Collect and present information in real time, if possible

Because most security breaches involve stealth, the system should notify the appropriate administrators and/or security personnel when security has been breached. This allows personnel to quickly assess and limit the damage. To provide this information, the system should implement an auditing system to log suspicious activities. Since any system activity, maliciously used, could be considered suspicious, these activities must usually cover the full range of processes at the OS level. Monitoring at the system level minimizes the chances of disguising suspicious activity.

Because OS-level activities represent a very large volume of audit data, there must be a mechanism to tune resource usage, such as disk and CPU time. In addition, audit trails must often be preserved as evidence. Records management utilities must be available to allow audit data to be offloaded to and restored from removable media on a session-by-session basis. Finally, there must be post-processing tools for analyzing audit data and producing reports. Various kinds of filtering tools are needed to help focus the search for suspicious behavior.


System Alarms

Because auditing is passive, active surveillance is also needed. Effective active surveillance should:

• Execute at a low level, near the OS
• Monitor audit events or key system activities
• Filter data to allow targeting of specific events or times
• Provide real-time notification
• Activate automated defense measures
• Prioritize responses (if and as appropriate)
• Offer a high level of user configuration

Audit data must be examined carefully and the information is relatively detailed. To ease the data analysis burden and provide a real-time intrusion detection capability, systems can implement an alarm capability. Alarms can use the same set of system events recognized by the auditing feature, or they can use pseudo-events that address common penetration points.

Alarms can provide alerts for:

• Specific events that occur all the time
• Events that happen at an unexpected time of day (for example, a login at 3:00 in the morning)
• Events that happen too often (for example, five consecutive failed logins)

Alarms can also be implemented to select only certain conditions or patterns on which to trigger. When an alarm is activated, the system may do anything from simply logging the alarm to paging an operator and shutting down the system. The actions depend on the system configuration and security policy in effect at the site.
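An added example of the two alarm rules just mentioned (a login at an unexpected hour and five consecutive failed logins), written for this edit rather than taken from the handbook: it scans constructed audit records in order and maps each alarm to the response chosen by site policy. The record format, the expected-hours window and the response table are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records in a simple "date time event user" form; these
# are sample lines written for this example, not output of any real audit tool.
AUDIT_LOG = """\
2024-03-04 02:58:10 login_ok dbadmin
2024-03-04 09:12:01 login_fail alice
2024-03-04 09:12:05 login_ok alice
2024-03-04 11:40:00 login_fail bob
2024-03-04 11:40:04 login_fail bob
2024-03-04 11:40:09 login_fail bob
2024-03-04 11:40:13 login_fail bob
2024-03-04 11:40:18 login_fail bob
2024-03-04 23:15:42 login_ok carol
"""

# Site policy (assumed values): logins are expected between 06:00 and 21:59,
# five consecutive failures for one account trigger an alarm, and each alarm
# type maps to the response the policy calls for.
EXPECTED_HOURS = range(6, 22)
FAIL_THRESHOLD = 5
RESPONSES = {"off_hours_login": "log", "repeated_failures": "page_operator"}


def parse_record(line):
    """Split one audit record into (timestamp, event, user)."""
    date, time, event, user = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), event, user


def raise_alarms(log_text, expected_hours=EXPECTED_HOURS,
                 fail_threshold=FAIL_THRESHOLD, responses=RESPONSES):
    """Scan audit records in order and return the alarms raised, each as
    (alarm_type, user, timestamp, response)."""
    alarms = []
    consecutive_failures = defaultdict(int)
    for ts, event, user in map(parse_record, log_text.splitlines()):
        if event == "login_ok" and ts.hour not in expected_hours:
            alarms.append(("off_hours_login", user, ts,
                           responses["off_hours_login"]))
        if event == "login_fail":
            consecutive_failures[user] += 1
            # Fire once when the threshold is reached, not on every later failure.
            if consecutive_failures[user] == fail_threshold:
                alarms.append(("repeated_failures", user, ts,
                               responses["repeated_failures"]))
        elif event == "login_ok":
            consecutive_failures[user] = 0   # a successful login ends the streak
    return alarms


if __name__ == "__main__":
    for alarm in raise_alarms(AUDIT_LOG):
        print(alarm)
```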

Simple Security Administration

Poor administration can nullify even the most effective security. Important attributes of security administration include:

• Security features must be simple to administer.
• Administration must be similar in format to normal operations.
• Steps must be clear and well established.
• Training of appropriate personnel should be thorough and ongoing.
• Updates to protection tools (such as patches and threat signatures) should be tested and applied in conformance with clear site security policies.

Key security features must be controllable from a native system interface, in a format consistent with the normal functionality of the system. For example, a menu-driven system should have menu-driven security controls. These controls should be divided into categories corresponding to security roles defined at the site (for example, operator, night operator, and system manager). Because maintaining a secure system can be a complex process, online help and documentation are usually essential. Each step that must be taken to ensure security must be represented in order and in a format that is easily accessible to administrators.


Clear Site Security Policies

HP has well-established processes for defining and developing security policy. It is sufficient to note some areas that are often under-addressed when dealing with platform security:

• Physical handling of media and hardcopy
• Physical access rules and procedures
• Platform security configuration control and update policies
• Handling of suspected or known penetration attempts (incident response)
• Training
• Policy compliance monitoring and enforcement

The key is to include the platform and its unique security management requirements in the overall security policy analysis.

5.3.4. Device Security in Practice

Virtually all systems in the infrastructure have information that is important to users, and the task of reconstructing data and applications is never pleasant. A lost or stolen device, damage caused by virus infections, and the need to get a user or an application back to work as quickly as possible can all place a significant amount of stress on those needing to resolve the situation. Proactively minimizing the potential of these types of issues can make a tremendous difference in resources expended for safeguarding devices and the information assets they must protect.

The first step in constructing such a plan is to understand the organization's specific risk environment and supporting policies. This will often include a combination of asset control policies and procedures, which cover topic areas such as physical security, device backup or synchronization, standardization for mobile platforms, authentication, storage, and encryption. Having assessed these areas, the next logical step will be to identify individual solutions that will efficiently and effectively assist in managing the environment from a holistic perspective. HP offers a solution with HP ProtectTools and HP Secure Advantage for HP client, server, and storage system portfolios.

Protecting data at rest on devices across the infrastructure is the first step of a comprehensive security architecture.

5.3.5. Protecting Data at Rest

Protecting data at rest requires protecting against the threat of unauthorized access to sensitive information stored locally on the device itself. While this has traditionally been addressed with procedural measures for device access and administration, the increased complexity of data centers and the growing number of mobile and remote client systems are making it essential to build access control and data protection mechanisms into the infrastructure itself. Data protection solutions should secure the device with tight access control mechanisms, whether at the OS level, with data encryption, or better yet, using supporting hardware security features. Recurring, high-profile incidents spanning industry and government agencies reinforce the dangers inherent in allowing sensitive data to reside on user-controlled systems. To protect sensitive data, organizations must develop, teach, and motivate individuals to strictly adhere to policies for transferring sensitive data from central repositories to individual systems, as well as deploy infrastructure technologies that provide strong controls and protections to data at rest on client or server systems. HP security solutions provide means of achieving this by deploying encryption solutions across client and server systems, with support from embedded hardware security solutions that are designed to the Trusted Computing Group specifications.

Strong user authentication can help access control go beyond strong passwords and move to hardware-based tokens such as smart cards. Requiring multi-factor authentication, such as biometrics combined with passwords, is an important means to increase device protection. Power-on authentication, such as DriveLock technology, provides additional protection. HP's client portfolio integrates strong user authentication solutions with power-on authentication, disk access control mechanisms (such as DriveLock), and full volume encryption solutions, with support from embedded hardware security such as a TPM. These integrations provide stronger user authentication, and they aim to tie local data on the hard drive to a particular client device for enhanced data protection.

5.3.6. Mobile Device Security

Mobility has extended the device spectrum from traditional desktops and servers to notebooks, handhelds, phones, and a wide range of specialized appliances. These devices are vulnerable to a new set of security issues, including susceptibility to loss and theft, increased use outside company premises, and less processing power to ward off threats. Generally, mobile device security falls into three areas:

• Securing local data from unauthorized access
• Safeguarding the device from malicious threats or data loss
• Protecting connectivity between the device and the applications residing on corporate servers


5.3.6.1. Securing Local Data fromUnauthorized AccessThe most common concern relating to mobile devicesecurity is the threat of unauthorized access to sensi-tive information stored locally on the device itself. Afundamental distinction of mobile devices is that theycan be used offsite in public (even adversarial) envi-ronments. Requirements for any solution shouldinclude securing the device with tight access controlmechanisms, whether at the OS level, with dataencryption, or with hardware features. Recurring,high-profile incidents spanning industry and govern-ment agencies reinforce the dangers inherent inallowing sensitive data to reside on user-controlledsystems. To protect sensitive data, organizations mustdevelop, teach, and strictly enforce policies fortransferring sensitive data from central repositories toindividual systems. Protection of data at rest will beachieved using mechanisms such as those describedearlier in this section.

5.3.6.2. Safeguarding the Device

Like other systems, safeguarding applications and data is an issue for mobile devices. Virtually all systems have information that is important to users, and reconstructing the configuration of the applications and platform is never a pleasant task. In addition, there is also the need to cope with a lost device or a virus infection and get the user back to work as quickly as possible. Therefore, safeguarding devices calls for a multifaceted approach involving some combination of asset control policies and procedures (for example, what to do if a PDA is lost), physical security, device backup or synchronization, mobile platform standardization, strong authentication, and storage encryption. Of course, the first step in risk management is always to understand the organization's specific risk environment.

5.3.6.3. Protecting Connectivity

Most mobile users want to connect to their enterprise networks and access applications. These connections and actions need to be protected beyond the scope of the mobile device. Users need to establish a secure connection over a typically wireless transmission medium. In some cases, the device can connect directly to the private network, but oftentimes its path traverses some type of public network.

Popular public packet data networks include Wireless LANs (WLANs), General Packet Radio Service (GPRS), Cellular Digital Packet Data (CDPD), or even circuit-switched connections dialed in to an ISP. If IP networking is supported, the user may establish an IPsec or SSL VPN connection to the corporate infrastructure. For detailed information about wireless security technologies, including Wireless Personal Area Networks (WPANs), WLANs, and Wireless Wide Area Networks (WWANs), refer to the Trusted Infrastructure Network Security section of this handbook.

5.3.6.4. Centralized Policy Management

Covering all three areas of mobile security is an additional dimension that is particularly important for large organizations. Centralized policy management is possibly the most critical challenge that enterprises have in deploying mobile devices. A sound authentication and encryption solution should be enough to thwart all but the most resourceful of hackers. However, in an enterprise the concerns run deeper than the presence of a few software components. It is important to ensure that all of the tools and settings are configured correctly.

This requirement highlights the difference between consumer and enterprise concerns around mobile device security. While individual customers have full jurisdiction over their own property, enterprises do not necessarily trust their users to configure and run their devices in a secure fashion, particularly when sensitive information is stored on the device.

Users may find strong passwords difficult to remember and periodic re-authentication to be annoying. If it is a user's personal device with only personal information, nobody can blame the user if he or she chooses to lower his or her security settings. However, when the device contains critical enterprise data, security policies mandate that much stricter settings must be enforced.

One aspect of centralized policy management is the initial deployment of any security software. It also includes the ability of the enterprise to centrally deploy new applications and new versions of existing security products.

But simply setting up the device is not sufficient. It is also of critical importance to the enterprise to be able to ensure compliance of any devices that might have sensitive data on them. This means that the enterprise needs to be able to determine if a terminal has been adequately secured before allowing the user to synchronize any sensitive data.

5.4. HP Host Security Products and Solutions

HP offers a complete range of host security products and solutions to help address the threats and mitigate the risks discussed in this section. The following sections provide an overview of individual products and solutions.

5.4.1. HP ProtectTools for Client Security

As computers become more mobile and better connected, threats to data security are increasing in magnitude as well as complexity. Organizations in which data security directly impacts business health are becoming increasingly concerned about this problem. Client devices including notebooks, desktops and workstations tend to be the front line of access to an organization's information assets. As such, client device security becomes a key mechanism to securing the IT infrastructure. Security requirements at the client device level can range from strengthening user authentication, to hardening the client device (at the hardware, OS, or application level), to protecting data as it resides on the device.

Client device security is of strategic importance to HP, as it is to an increasing majority of business and IT managers. As such, HP offers the comprehensive HP ProtectTools client device security solution set. HP ProtectTools originated with an HP-developed smart card security solution for client PCs. The application is now part of HP's business notebook, desktop, and workstation smart card solutions. As the HP security portfolio has grown, the HP ProtectTools name has also grown to represent a broad security solution set that encompasses software, hardware, and services. HP's Personal Systems Group (PSG) and HP Services (HPS) deliver security solutions designed to address security challenges at all levels of client devices.

5.4.1.1. HP ProtectTools Security Manager

Taking a holistic approach to security, HP designed the HP ProtectTools Security Manager to bring many technology areas together in a way that not only protects client devices but also prevents them from becoming points of vulnerability that threaten the entire IT infrastructure. The HP ProtectTools Security Manager is at the heart of the HP ProtectTools security offering for HP notebook, desktop, and workstation PCs. (See www.hp.com/go/security for product information.) This single-client console application unifies the security capabilities of HP client PCs under a common architecture and single user interface. A range of features build on underlying hardware security building blocks, such as biometrics, smart card technology, and embedded security chips (TPMs) designed in accordance with the TCG standard. Collectively, these features address business needs for better protection against unauthorized PC access and stronger protection for sensitive data.

Most importantly, HP ProtectTools hardware security mechanisms provide the enhanced benefit of not relying solely on OS and application security, whose vulnerabilities are known targets of most off-the-shelf hacking tools. HP ProtectTools Security Manager embodies an extensible framework designed to enhance security software functionality through add-on modules including:

Embedded Security for HP ProtectTools
Embedded Security enables strong hardware-based protection of data and digital signatures and reliable hardware-based device authentication.

Java Card Security for HP ProtectTools
Java Card Security enables stronger user authentication, using two-factor authentication and HP-patented pre-boot authentication technology.

BIOS Configuration Security for HP ProtectTools
BIOS Configuration Security provides easy access to features such as power-on user and administrator password management and easy configuration of pre-boot authentication features including smart card, power-on password, and TPM-embedded security chip.

Credential Manager for HP ProtectTools
Credential Manager provides flexible multifactor authentication that combines a wide array of devices including biometrics, smart cards, and USB tokens, and provides a completely automated single sign-on with automatic field detection, registration, and credential entry.

Device Access Manager for HP ProtectTools
Device Access Manager creates policies that control which users or user types get access to which devices or device types. With Device Access Manager, policies can specify what types of devices are allowed or disallowed, depending on the user, such as allowing keyboard and mouse but disallowing USB storage devices for users without administrative rights. An enterprise version of Device Access Manager is also available for configuring and deploying the same policies remotely.

Drive Encryption for HP ProtectTools
Drive Encryption encodes every bit of information on your hard drive volume so that it becomes unreadable to an unauthorized person. This feature helps ensure that sensitive information cannot be accessed if the notebook, desktop, workstation or hard drive is lost or stolen, and also ensures critical personal and business data stored on the hard drive is safer without user intervention. Drive Encryption is a standard feature on select HP business notebooks, desktops and workstations.

5.4.1.2. HP ProtectTools for Microsoft Products

The HP Microsoft ProtectTools suite adds to the security functionality provided by standard Microsoft products. They have been developed in partnership with Microsoft to ensure they integrate seamlessly with standard Microsoft products in order to meet the needs of security-conscious organizations. These HP ProtectTools Secure Commercial Off The Shelf (SCOTS) products have the following functionality:

HP ProtectTools Authentication Services
This product provides a number of features that enhance the standard Microsoft authentication process. The central feature is enhanced password management, achieved by implementing a CESG-approved password hashing and password generation system. Each organization is provided with special CESG seed values to ensure each organization's system is unique. Where government algorithms are not applicable, alternative commercial algorithms are used.

The product also manages change of administration passwords, provides last successful and unsuccessful login information, and can be configured for multiple login denial and timed auto-logout. The use of a unique password hashing mechanism for systems prevents access from unauthorized systems even when a valid username and password are used.

HP ProtectTools E-mail Release Manager
The inappropriate release of a sensitive e-mail is a constant threat to any organization. E-mail is the easiest way of sending information around the world via the internet, and once the e-mail is sent, it has gone. HP ProtectTools E-mail Release Manager integrates with Microsoft Outlook to help mitigate such threats. For example, every e-mail created could be made to automatically carry the label of "Company Confidential". Any e-mail with this label could then be restricted to a distribution of employees with the relevant authority. Other labels could be configured for specialist teams, the general public, related organizations or suppliers, senior management only, or "Project X only" groups, respectively. Any, or all, of these could have the e-mail electronically signed, encrypted, and audited, and additional user input can be mandated to confirm the authority to send that type of e-mail. The HP ProtectTools E-mail Release Manager Outlook Web Access extension provides the same functionality but in a web-based environment.

HP ProtectTools Device Access Manager
Device Access Manager for HP ProtectTools (DAM) is a plug-in module into HP ProtectTools Security Manager (which is discussed in section 5.4.1.1.). HP Security Manager is a single-client console application that unifies the security capabilities of HP client PCs under a common architecture and single user interface. HP Device Access Manager can be found within the HP ProtectTools Security Manager option in the Control Panel. It provides a Simple Configuration view, which offers the most common access scenarios, and an advanced Device Class Configuration view allowing more complex access scenarios to be specified. Access to the configuration can be controlled and is restricted to Administrators or delegated to power users via the User Access Settings configuration view, and only authorized users can access the Security Manager DAM utility and modify the configuration.

The HP Device Access Manager for ProtectTools is designed for standalone use, whereby all of the configuration settings are stored locally in the registry. The related management product, Enterprise Device Access Manager (EDAM), stores configuration in the Active Directory.

HP ProtectTools Enterprise Device Access Manager
Managing and controlling the import and export of data onto or from systems is essential. Today's systems come with floppy drives, CD/DVD read and write drives, compact flash cards and a combination of USB, serial and parallel ports. In many cases these devices are essential for carrying out day-to-day business, but they can present security threats as they provide means of exporting confidential data or of importing malicious code. One option is to have devices removed from the system altogether, but this is expensive and results in non-standard system support and maintenance. HP ProtectTools Enterprise Device Access Manager (EDAM) controls access to classes of devices or individual types of devices based on permissions granted to a computer, to a user, or to a group. HP ProtectTools Enterprise Device Access Manager utilizes the Microsoft Windows Active Directory to store and propagate device access permissions throughout the Windows domain. It can even control the type of devices that are allowed to connect to a particular port. For example, a user may be permitted to connect a particular printer, mouse and keyboard via a USB port while excluding any mass storage device.

HP ProtectTools Role-based Access
In today's busy working environments many people undertake numerous different jobs or roles. These roles need different kinds of access to different systems or applications. HP ProtectTools Role-based Access provides the opportunity for a standard desktop across a whole organization while providing secure terminal server access from any workstation to a user's applications and data for their particular role or roles.

HP ProtectTools Windows Mobile
Most organizations see mobile computing as the next big opportunity for achieving cost reductions while increasing business efficiency. Security has been the major concern preventing the take-up of this technology. HP has the capability to secure remote connections and protect the data held on mobile devices such as notebooks and PDAs. HP ProtectTools Windows Mobile ensures that proper authentication is undertaken, that all data is deleted if the system is lost or stolen and the password is incorrectly entered a predetermined number of times, and ensures that PDAs can only link with known and authorized PCs.

HP ProtectTools Application Manager
A major concern for all organizations is the threat from malicious code introduced into computer systems, known as malware. Such malware can be introduced inadvertently by honest users or deliberately by malicious users. This can happen through internal network connections, internet access or a host of different peripherals such as CD/DVDs, floppy disks, memory sticks, etc. HP ProtectTools Application Manager acts against this threat by controlling the execution of code. In the default configuration, only code introduced by the system administrator, or belonging to the system account, will be allowed to execute. This configuration can be extended to require signatures on executable files, which are validated as the file is loaded and before they can be run. The fundamental approach of checking ownership and the signatures of the files before allowing them to execute protects against malware from all sources. This same tool can also be used to control access to executable code already loaded which requires controlled access, such as system configuration programs.
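The ownership-plus-signature rule described above can be audited ahead of enforcement. The following script is an added example, not HP ProtectTools code: it lists executables under a directory that would fail both tests (owner not in an assumed trusted-account list, and no valid Authenticode signature), using only standard Windows PowerShell cmdlets.

```powershell
# Added example (not HP ProtectTools code). Audits *.exe and *.dll files under $Path
# against two checks modelled on the Application Manager policy described above:
#   1. file owner is one of the trusted accounts (assumed list below), or
#   2. the file carries a valid Authenticode signature.
# Files that pass neither check are reported so an administrator can review them
# before an execution-control policy is switched on.
function Get-UntrustedExecutables {
    param(
        [string]$Path = "$env:ProgramFiles",          # assumption: directory to audit
        [string[]]$TrustedOwners = @(                 # assumption: accounts treated as trusted
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller'
        )
    )

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -Path $_.FullName).Owner
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File         = $_.FullName
                Owner        = $owner
                OwnerTrusted = ($TrustedOwners -contains $owner)
                Signature    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        # Keep only files that would be blocked: untrusted owner AND no valid signature.
        Where-Object { -not $_.OwnerTrusted -and $_.Signature -ne 'Valid' }
}

# Usage: review the findings before enabling any execution-control policy.
Get-UntrustedExecutables -Path "$env:ProgramFiles" | Format-Table -AutoSize
```

A HashMismatch status is worth treating as a higher-priority finding than NotSigned, since it means a signed file has been altered after signing.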

With the HP ProtectTools for Microsoft Products suite, HP addresses the security needs of a broader range of market segments. Customers benefit from HP security innovations that have proven reliability - the result of an exhaustive validation process in demanding customer environments.

For more information, see the HP ProtectTools overview and white papers at http://h20219.www2.hp.com/services/cache/45782-0-0-225-121.aspx. Free software evaluation downloads are available at www.software.hp.com.

5.4.2. HP NetTop

HP NetTop is a highly secure and layered architecture of Security-Enhanced Linux (SELinux), the VMware Workstation, and customized security policies. HP NetTop is an information assurance solution that enables connectivity to multiple network domains of differing sensitivities from a single system, while maintaining data and domain separation through secure virtual machine air gaps.

HP NetTop is backed by the HP Technology Solutions Group to provide assessment, planning, policy definition, rollout, and support tailored to an organization. HP NetTop provides strong compartments that meet many government and financial industry requirements. Originally developed by the National Security Agency (NSA), HP NetTop is now offered by HP as a full-service solution to public and private enterprises.

5.4.2.2. HP NetTop Solutions

HP NetTop solutions exist for both public and private organizations. HP provides:

• Health care organizations with HIPAA compliance by maintaining patient records in isolated domains while allowing access to those who need it
• Financial institutions with customer record and financial data security
• U.S. Defense and intelligence agencies with Director of Central Intelligence Directive (DCID) 6/3 Protection Level 4 (PL4)-compliant, low-cost security domain separation and access to multiple coalition networks

A complete security solution - from initial assessment through rollout, training, and post-deployment support - ensures that HP NetTop works now and in the future. With HP's unified desktop and delivery, HP NetTop adapts enterprise computing to current and emerging risks. For more information about HP NetTop, visit www.hp.com/go/nettop.

5.4.3. Host Operating System Security

5.4.3.1. HP-UX

For the past 20 years, HP has delivered one of the most trustworthy and secure UNIX operating systems. Designed for protection against both external and internal threats, the HP-UX 11i operating system has a well-integrated set of security features aimed at proactively mitigating risk and helping reduce compliance cost.

For enterprise customers who must respond to constantly changing business needs, security solutions provided with the HP-UX 11i operating system simplify the deployment of layered security features while providing the extra assurance of in-depth protection. HP-UX 11i security solutions are included as part of the base HP-UX operating environments.

5.4.3.1.1. Platform Security Fundamentals

The most basic goal of operating system security is to preserve the integrity of the system in the face of attack. The HP-UX 11i operating system includes a number of features that assist the administrator in locking down the platform:

• HP-UX Bastille provides a graphical interface that guides an administrator in tasks that harden the system against attack, including locking down system ports, files and other components.
• Host IDS uses kernel-level system audit information to continuously monitor many systems for attacks, generating alerts and, as an option, also responding in real time.
• IPFilter provides system firewall capabilities, including stateful connection filtering to limit the "attack surface" of the platform, and connection throttling to limit the effectiveness of DoS attacks.
• Install-time Security eases default lock-downs by offering a menu of security profiles that may be applied as part of the OS installation process.
• Security Patch Check helps ensure security patch currency by periodically connecting to HP and recommending the latest security-relevant patches.
• Execute-protected Stack prevents common types of buffer overflow attacks, which are a leading contributor to platform compromise.

5.4.3.1.2. Security Containment

HP Security Containment for HP-UX 11i is a suite of security technologies designed to dramatically reduce the likelihood of system compromise. HP incorporates these enhanced security features into the mainstream HP-UX 11i operating environment to help businesses combat increasingly complex threats. Without requiring modification to applications, HP Security Containment isolates compromised applications, which are denied unauthorized access to other applications or files on the system. HP-UX 11i Security Containment comprises three core technologies that together provide a highly secure operating environment:

• Compartments provide isolation and restrict access to application and system resources outside of the compartment to prevent catastrophic damage should a compartment be penetrated. HP-UX Security Containment accomplishes this by controlling the flow of information between processes in different compartments. For example, outside compartments can accept and process customer-facing data, and then transfer it securely, by rule, to inside compartments for non-public access and processing.

• Fine-grained Privileges grant only the privileges needed for a task, and optionally, only for the time needed to perform the task. Applications that are privilege-aware are able to elevate their privilege level during the operation and lower it after completion of the operation.
• Role-based Access Control provides a mechanism to allow non-root users to perform administrative tasks, effectively splitting the power of root into a manageable set of roles. An out-of-the-box configuration supports many common HP-UX 11i commands.

5.4.3.1.3. Mission-critical Virtualization

The HP Virtual Server Environment (VSE) enables companies to take advantage of consolidation and virtualization techniques to improve server utilization while reducing operating system management costs and increasing security levels. VSE provides a mechanism for consolidating applications within a single operating system image. By combining the benefits of HP Process Resource Manager for resource entitlement and HP Security Containment for security isolation, Secure Resource Partitions provide a secure solution for lightweight virtualization within VSE infrastructures.

5.4.3.1.4. Identity Management and Accountability

HP-UX 11i v2 provides a number of built-in features designed to support the implementation of identity management architectures to provide manageable access control policies.

• Standard Mode Security Enhancements offer granular account and password policies on a system-wide or per-user basis, including the ability to generate detailed system audits for user accountability.
• HP-UX LDAP-UX client services simplify identity management by allowing system authentication and naming services to leverage a new or existing LDAP directory.
• Kerberos server and clients offer enterprise-class SSO services as well as enhanced interoperability with Windows ADS.
• HP-UX AAA server (RADIUS) authenticates network devices and controls access.
• Red Hat Directory Server for HP-UX provides an industry-standard, centralized directory service to store digital identity information.

5.4.3.1.5. Common Criteria Certification

The HP-UX 11i v2 operating system running on HP 9000 or HP Integrity platforms has been successfully evaluated against the requirements for the EAL4 Common Criteria (ISO 15408) Assurance Level, augmented by ALC_FLR.3 (flaw remediation), using the Controlled Access (CAPP) and Role-based Access Control (RBAC) Protection Profiles. EAL4+ is sometimes used as the abbreviated form for additional assurances. Details of the evaluation and evaluated configuration are available at: www.commoncriteriaportal.org/public/files/epfiles/CRP225.pdf and www.commoncriteriaportal.org/public/files/epfiles/hp-ux11iv2.pdf.

5.4.3.1.6. HP-UX 11i v3 Enhancements Strengthen Security and Streamline Compliance

HP is committed to a long-term roadmap for the HP-UX 11i operating system that encompasses continued enhancements to its built-in security features. The latest release of the operating system, HP-UX 11i v3, introduces a suite of new features that proactively mitigate risk and reduce the cost of compliance:

• Encrypted Volume and File System transparently protects data at rest against unauthorized disclosure if the data is lost or stolen, and may also provide safe harbor, avoiding the need for breach disclosure required by some state breach disclosure laws.
• Trusted Computing Services provides software support for Trusted Platform Module (TPM) embedded security hardware that is available on select HP Integrity servers for enhanced key protection and EVFS auto-boot support.
• HP Protected Systems offers an automated mechanism to configure and deploy more secure systems by leveraging the built-in protection of HP-UX 11i servers, reducing the time and level of security knowledge required by IT personnel when configuring such mechanisms as Security Containment, which isolates processes and resources.

• HP-UX Bastille with drift reporting checks the consistency of a system's hardening configuration with previously applied hardening policy to avoid risk of system changes. This data reduces system exposure to malware, simplifies compliance maintenance, and provides visibility into undone hardening to allow planned response without risk of unexpected system breakage.
• HP-UX AAA Server offers more flexible integration with enterprise databases in combination with centralized, RADIUS-based user authentication and network access logging to simplify auditing and compliance.

The HP-UX 11i operating environment provides a comprehensive array of features that automate security processes, mitigating risks and lowering the cost of compliance. HP rigorously designs, engineers and tests these features through targeted development as well as collaborative projects with open-source and third-party partners. Fully integrated within the HP-UX 11i operating system, this continually evolving suite of security enhancements is available at no extra cost to HP-UX customers.

5.4.3.2. Microsoft Windows and Server Applications

HP Services provides a number of offerings and security services (including design, configuration and hardening services) around Microsoft OS security in a client role and in a number of server roles. The Microsoft Windows Server OS includes a number of server applications such as Domain controller, Directory server (Active Directory (AD) or Active Directory Application Mode (ADAM)), Dynamic Host Configuration Protocol (DHCP) server, Domain Name System (DNS) server, Windows Internet Naming Service (WINS) server, File server or Print server, Internet Information Server (IIS) (Microsoft's application server), Internet Authentication Service (IAS) server (Microsoft RADIUS server), Certificate server (for Public Key Infrastructure services), and Network Access Protection (NAP) server (Microsoft's Network Admission Control (NAC) solution).

Other specific server roles (not bundled with the Windows Server OS and part of dedicated Microsoft software offerings) include Exchange Server (Microsoft's messaging server), Office Communications Server (OCS) (Microsoft's real-time collaboration server), SharePoint Portal Server (Microsoft's web portal server), SQL Server (Microsoft's database server), Identity Lifecycle Manager (ILM) (Microsoft's identity management and provisioning server), System Center (Microsoft's management server), and BizTalk Server (Microsoft's business integration and process management server).

HP also offers exclusive Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Windows Vista and Microsoft Windows Server 2003 security solutions. These solutions can, for example, replace the password hashing algorithms supplied in Microsoft Windows with customer-specific algorithms that make brute force or dictionary password hacking much more difficult. See also the "HP ProtectTools for Microsoft Products" section earlier in this chapter (section 5.4.1.2.) or the following URL for more information on the HP ProtectTools security solutions for Microsoft platforms and applications: http://h20219.www2.hp.com/services/cache/45782-0-0-225-121.aspx.

Microsoft has also bundled an important set of host protection security features in its latest client (Windows Vista) and server operating systems (Windows Server 2008). These features are summarized in table 4-1 and explained below.

Malware Prevention Features:
• Security Development Lifecycle
• Kernel-mode driver signing (64-bit only)
• Patchguard (64-bit only)
• Data Execution Protection (DEP)
• Address Space Layout Randomization (ASLR)
• Windows Defender
• Automatic Updates
• Windows Firewall
• User Account Control (UAC)
• Built-in Administrator Account Protection

Malware Isolation Features:
• Service Hardening
• Network Access Protection (NAP) Client
• Windows Firewall
• Internet Explorer Protected Mode
• User Account Control (UAC)
• Windows Defender
• Windows Integrity Controls (WICs)

Malware Remediation Features:
• Windows Defender
• Security Center
• Malicious Software Removal Tool (MSRT)

Table 4-1 Windows Vista malware protection features

Fundamental Protection in Windows OSs
In Windows Vista and Windows Server 2008 Microsoft pioneers a couple of very fundamental malware protection measures that are not only related to new features included in these OSs, but also to the way the OSs were developed and engineered.

Windows Vista and Windows Server 2008 are the first Microsoft OSs that were developed following the Microsoft Security Development Lifecycle (SDL) methodology. SDL's primary goal is to improve the overall security quality of Microsoft software and make it more resistant to malware attacks. SDL defines a formal and repeatable methodology that developers can leverage before releasing their code. Among the key elements of SDL are techniques for attack surface reduction analysis and measurement, and guidance for least privilege and security testing. More information on SDL can be found at this URL: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp.

A Vista and Windows Server 2008 malware protection feature that is linked to software development, and more particularly to the development of drivers, is driver signing. Even though earlier Windows versions have an unsigned driver detection mechanism that can warn the user when he/she is about to install an unsigned driver, there were no driver signature checks at the kernel level. The new kernel-level driver signing and checking mechanism can (indirectly) better protect Vista from crashes or vulnerabilities that occur when malware installs or loads malicious drivers into kernel mode. More importantly, Windows Vista and Windows Server 2008 kernels require Windows Hardware Quality Labs (WHQL)-signed drivers: this means that the drivers are only signed after they have passed a set of predefined tests that are run by Microsoft or one of its affiliates. More information on Vista driver signing can also be found at this URL: www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx.

At the kernel level, another Vista and Windows Server 2008 malware protection feature is called Patchguard. This feature is also referred to as kernel patch protection. Patchguard can prevent kernel-mode drivers from extending or replacing OS kernel services, and prohibit software from performing unsupported patches in the kernel. With Patchguard Microsoft is specifically targeting rootkits. Rootkits are software tools that try to conceal running processes, files or system data from the operating system in order to avoid detection.

Both driver signing and kernel patch protection are only implemented in the 64-bit versions of Vista and Windows Server 2008. Microsoft found that implementing these features in the 32-bit Vista and Windows Server 2008 versions was too difficult - not to say impossible. One reason for this decision was that most legacy 32-bit Windows drivers are not identified using a digital signature. Implementing stricter control over these modifications in the 32-bit Vista and Windows Server 2008 versions could have created major compatibility and performance issues for these legacy applications.

Data Execution Protection (DEP) is a memory protection feature that protects Windows systems against buffer overflow attacks - a technique often used by malware to compromise a computer system. During a buffer overflow attack malware tries to insert and execute code from non-executable memory locations. DEP allows Windows to mark certain memory locations as non-executable (NX). These NX memory locations can only contain data, and the processor and the OS will prevent applications or services from loading executable code in them. DEP is not only supported in Vista and Windows Server 2008 but also in Windows Server 2003 Service Pack 1 (SP1), R2 and Windows XP Service Pack 2. DEP leverages a processor feature that AMD refers to as the no-execute page-protection (NX) feature and that Intel refers to as the Execute Disable Bit (XD) feature. At the time of writing AMD only supported NX on its 64-bit processors. Intel only supported XD on the Itanium and EM64T 64-bit processors and a small number of 32-bit Prescott processors.

To check whether a system supports this hardware-enforced DEP, follow the procedure outlined in the following Microsoft Knowledge Base (KB) article: http://support.microsoft.com/kb/912923. Microsoft has also added a workaround - referred to as software-enforced DEP - that allows the Vista, Windows Server 2008, Windows Server 2003 SP1 and R2, and Windows XP SP2 operating systems to provide DEP on 32-bit processor systems. In this workaround the processor-level NX- or XD-bit is provided by a set of cookies (or canaries, as Microsoft refers to them) that the OS automatically adds to data objects stored in the OS heap and stack. See the following Microsoft KB article for more info on DEP and how to configure it: http://support.microsoft.com/kb/875352/en-us.


Ensuring Isolation in Windows OSs

Windows Vista and Windows Server 2008 include important new features to isolate the OS, services and data, thereby making the platform more resilient to malware attacks. These features are the enhanced Windows Firewall, service hardening, inclusion of the Network Access Protection (NAP) client and Windows Integrity Controls (WICs).

A properly configured personal firewall is an important first line of defense for isolating an OS and preventing malware from infecting computers and spreading out across the network. Windows Vista's and Windows Server 2008's personal firewall, the Windows Firewall, is enabled by default and now provides both inbound and outbound filtering (earlier versions only supported inbound filtering). Outbound filtering can effectively prevent malware from communicating with other computers and fanning out to other systems across the network.

Windows services have always been a favorite malware target: many services are always on and running in a highly-privileged security context (for example, using the local system account (LSA)). In Vista and Windows Server 2008 Microsoft incorporates the notion of restricted services, or services that are isolated to a maximum extent. One of the isolation techniques Vista and Windows Server 2008 use is what Microsoft refers to as Session 0 Isolation. Session 0 is the first session that the Windows OS creates when it starts. Session 0 Isolation ensures that only services are allowed to run in session 0. Before Vista and Windows Server 2008, user-level applications could also run in Session 0.

Furthermore, Vista and Windows Server 2008 mark Session 0 as non-interactive, meaning that services cannot directly communicate with users, for example by creating dialog boxes. Vista and Windows Server 2008 services also receive the least possible amount of privileges; what is needed to do their job and nothing less or more: Windows Server 2008 revisited the default permissions and rights that are assigned to services. Vista and Windows Server 2008 services are also constrained in their communications, as Vista assigns a Security Identifier (SID) to each service, implements service-specific access control lists on system resources such as the registry and the file system, and per-service inbound/outbound access restrictions on the Windows Firewall.

Network Access Protection (NAP) is the name of Microsoft's network admission control (NAC) architecture. NAP is a technology that can ensure that only healthy machines connect to an organization's IT infrastructure. "Healthy" in this context refers to systems that are not infected by malware, that have the latest anti-virus and spyware protection signatures installed, that have the latest security patches installed and that have properly configured security settings. NAP can also require strong user and machine authentication before letting a machine and user onto a corporate network. NAP not only isolates unhealthy and unauthorized machines, it can also heal them, for example, by installing the latest security patches, removing malicious code and/or locking down a system's security settings. The NAP client component is included in Vista and will also be made available for Windows Server 2003 and XP Service Pack 2 (SP2) clients. The NAP server component will be bundled with Windows Server 2008. In September 2006 Microsoft and Cisco jointly announced that they would work on an interoperability architecture for Microsoft NAP and Cisco Network Admission Control (CNAC) - which is an architecture similar to NAP that is built into Cisco network infrastructure products. See the following for more information on this: www.microsoft.com/technet/community/columns/secmgmt/sm0906.mspx.

Windows Integrity Controls (WICs) is the name of a new mandatory access control model that Microsoft implements in Windows Vista and Windows Server 2008. Vista and Windows Server 2008 use WICs in addition to the classical Discretionary Access Control (DAC) settings that are based on resource permissions and Access Control Lists (ACLs). WICs are also enforced prior to the classical DAC settings; in other words, WIC settings have precedence over DAC settings. The goal of the WIC model is to block elevation of privilege attacks - these attacks can occur when, for example, a piece of code that is downloaded from the Internet tries to interfere with system resources or processes. Every Windows Vista and Windows Server 2008 system file and process has an Integrity Level (IL) assigned to it in its system ACL. Code and files that are downloaded from the Internet are also automatically assigned an IL. When a process tries to write to a file, Windows Vista and Windows Server 2008 will check whether the process has a higher IL than the file's IL - if it has a lower IL, the process will be blocked from writing to the file. In Vista and Windows Server 2008, browser-downloaded code always gets a low IL, and system files (or files that are owned by the OS) always have a high IL - which makes it impossible for browser-downloaded code to interfere with system files.
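The precedence rule described above, as an added illustration (example code, not Windows code and not from the handbook): a small reference monitor that evaluates the integrity level before the DACL, so a low-IL browser process is refused a write to a high-IL file even when the DACL would allow it, while reads fall through to the DACL because the default mandatory policy for files is no-write-up. The numeric level values, the ACE layout, the principal names and the file paths are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class IL(IntEnum):
    """Integrity levels, ordered. Names follow Windows; the numeric values are constructed."""
    LOW = 1       # browser-downloaded code
    MEDIUM = 2    # default for a user's own processes and files
    HIGH = 3      # elevated processes and OS-owned files
    SYSTEM = 4


@dataclass(frozen=True)
class Ace:
    """One discretionary access control entry (constructed layout, not Windows' ACE format)."""
    principal: str
    rights: frozenset
    allow: bool = True


@dataclass
class FileObject:
    name: str
    integrity: IL
    dacl: tuple   # ordered ACEs; the first ACE that matches decides


@dataclass
class Process:
    name: str
    principal: str
    integrity: IL


def dac_check(proc: Process, obj: FileObject, right: str) -> bool:
    """Discretionary check: walk the DACL in order; the first ACE naming the
    principal and the requested right decides. No match means deny."""
    for ace in obj.dacl:
        if ace.principal == proc.principal and right in ace.rights:
            return ace.allow
    return False


def access_check(proc: Process, obj: FileObject, right: str):
    """WIC first, DAC second. A write from a process whose IL is below the
    file's IL is refused before the DACL is consulted (no write-up); a process
    at an equal or higher IL goes on to the discretionary check."""
    if right == "write" and proc.integrity < obj.integrity:
        return False, "integrity policy: no write-up"
    if dac_check(proc, obj, right):
        return True, "DACL allow"
    return False, "DACL deny"


# Constructed sample: 'alice' is a local administrator, so her DACL entries
# would permit the write, but her browser runs at low integrity.
SYSTEM_FILE = FileObject("C:\\Windows\\System32\\example.dll", IL.HIGH,
                         (Ace("alice", frozenset({"read", "write"})),))
USER_DOC = FileObject("C:\\Users\\alice\\notes.txt", IL.MEDIUM,
                      (Ace("alice", frozenset({"read", "write"})),))
# A deny ACE listed first wins over a later allow, as in a canonical DACL.
SHARED_DOC = FileObject("C:\\Shared\\ledger.xlsx", IL.MEDIUM,
                        (Ace("alice", frozenset({"write"}), allow=False),
                         Ace("alice", frozenset({"read", "write"}))))
BROWSER = Process("iexplore.exe", "alice", IL.LOW)
WORD = Process("winword.exe", "alice", IL.MEDIUM)


if __name__ == "__main__":
    for proc, obj, right in [(BROWSER, SYSTEM_FILE, "write"),
                             (BROWSER, SYSTEM_FILE, "read"),
                             (WORD, USER_DOC, "write"),
                             (WORD, SHARED_DOC, "write")]:
        granted, why = access_check(proc, obj, right)
        print(f"{proc.name} {right} {obj.name}: {'granted' if granted else 'refused'} ({why})")
```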


Honoring Least Privilege in Windows OSs

User Account Control (UAC) is the least privilege feature bundled with Vista and Windows Server 2008, and is one of the most important architectural security changes in Vista and Windows Server 2008. UAC ensures that any user account that logs on to Windows (even accounts with administrator-level privileges) initially only has plain user privileges. It is only when the user account needs to perform a task that requires administrative privileges that Vista and Windows Server 2008 temporarily expand the account's privileges.

An important UAC property that significantly reduces the Vista and Windows Server 2008 attack surface is User Interface Privilege Isolation (UIPI). UIPI provides process isolation by ensuring that processes running in the security context of a limited-account user cannot interfere with processes running in the security context of a privileged-account user. UIPI protects against shatter attacks, during which malware that runs in the security context of a limited-account user leverages the Windows inter-process messaging system to inject malicious code into a process that runs in the security context of a privileged-account user.

New and Updated Security Tools in Windows OSs

In Vista and Windows Server 2008 Microsoft enhanced and added a set of important malware protection tools: Windows Defender, the Malicious Software Removal Tool (MSRT), the Security Center, Automatic Updates (AU), and the Internet Explorer (IE) malware protection feature.

Windows Defender is the real-time spyware protection solution that is bundled with Windows Vista. It is the rebranded version of the Giant AntiSpyware solution that Microsoft acquired in 2004. Defender continuously monitors operating system resources such as the registry and the file system that are commonly abused by spyware. If an application attempts to make changes to one of the monitored resources, Defender blocks the application and prompts the user to reject or allow the change.

Finally, Microsoft added several new malware protection features to Internet Explorer 7, which is bundled with Vista and Windows Server 2008. These features include a phishing filter and better protection against malicious ActiveX controls.

5.4.3.3. Linux

As an open source project, Linux benefits from the contributions of a diverse security community and has a well-deserved reputation for being resistant to attacks and intrusions when configured correctly. Moreover, Linux is unique as a general-purpose operating system that can address multi-level security (MLS) requirements that are traditionally met by military-grade trusted operating systems. HP remains committed to advancing community efforts to enhance Linux security by contributing to the development of MLS features, supporting Common Criteria evaluation efforts, and providing migration services for customers moving their applications from trusted operating systems to enterprise Linux.

The open source development model is frequently credited with strengthening the security features of Linux by virtue of its open review process. Although not all projects enjoy this quality of scrutiny, Linux has received better code and fewer bugs as a consequence. Another result of the active community is a robust set of security mechanisms, cryptographic libraries, and trusted utilities available on Linux for host, network, and application security.

Linux offers a full range of access control mechanisms, including Discretionary Access Control (DAC), Role-based Access Control (RBAC), and Mandatory Access Control (MAC). Supplementing the traditional DAC implementation by the kernel, Linux Security Modules (LSM) is a lightweight framework with hooks in the kernel to enable various access control mechanisms to be loaded as kernel modules.

One such module, initiated by the U.S. National Security Agency (NSA), is Security Enhanced Linux (SELinux), which some Linux distributions now deliver without requiring special setup. SELinux implements a flexible MAC mechanism called type enforcement, which associates each subject and object with a type identifier and allows rules governing type-based access to be defined in a policy file loaded into the kernel at boot time. Because the policy is not hard-coded in the kernel, SELinux provides strong mandatory security in a form that system administrators can adapt to a wide variety of security goals reliably and flexibly. Red Hat Enterprise Linux 5, for example, enables SELinux by default with a MAC policy that provides containment around network-facing daemons. An administrator can deploy a more fine-grained multi-level security scheme by loading a different SELinux policy.
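Type enforcement as described in the two paragraphs above, as an added illustration (example code, not SELinux's own implementation and not a copy of any shipped policy): a parser for a handful of allow rules written in SELinux policy syntax, and an access check that runs the kernel's DAC decision first and the type-enforcement rule second, which is the order in which the LSM hook is reached. The policy text, the type names, the uids and the file modes are constructed; the point shown is that a daemon still running as root passes DAC yet is contained by the policy.

```python
import re
from collections import defaultdict

# Subset of SELinux allow-rule syntax:  allow <src_t> <tgt_t>:<class> { perms };
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_policy(text: str) -> dict:
    """Parse allow rules into {(src_type, tgt_type, class): set(perms)}.
    'self' as the target resolves to the source type, as in SELinux."""
    rules = defaultdict(set)
    for m in ALLOW_RE.finditer(text):
        src, tgt, cls, many, one = m.groups()
        tgt = src if tgt == "self" else tgt
        rules[(src, tgt, cls)].update(many.split() if many is not None else [one])
    return dict(rules)


def te_allowed(rules: dict, src_type: str, tgt_type: str, cls: str, perm: str) -> bool:
    """Type enforcement is default-deny: no matching rule means no access."""
    return perm in rules.get((src_type, tgt_type, cls), ())


def dac_allowed(uid: int, file_uid: int, mode: int, perm: str) -> bool:
    """Minimal Unix DAC: root bypasses mode bits; otherwise owner or 'other' bits.
    Permissions DAC has no opinion on (e.g. getattr) pass through."""
    bit = {"read": 4, "write": 2, "append": 2}.get(perm)
    if bit is None or uid == 0:
        return True
    shift = 6 if uid == file_uid else 0
    return bool((mode >> shift) & bit)


def access(rules: dict, proc: dict, file: dict, perm: str) -> tuple:
    """Kernel order: DAC first, then the LSM hook (SELinux). Both must pass."""
    if not dac_allowed(proc["uid"], file["uid"], file["mode"], perm):
        return False, "DAC"
    if not te_allowed(rules, proc["type"], file["type"], "file", perm):
        return False, "SELinux type enforcement"
    return True, "allowed"


# Constructed policy and labels, modelled on the containment a distribution
# policy gives a network-facing daemon.
POLICY = """
allow httpd_t httpd_config_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr };
allow httpd_t self:process signal;
"""
RULES = parse_policy(POLICY)
HTTPD = {"type": "httpd_t", "uid": 0}            # daemon before dropping privileges
CONFIG = {"type": "httpd_config_t", "uid": 0, "mode": 0o644}
LOG = {"type": "httpd_log_t", "uid": 0, "mode": 0o640}
SHADOW = {"type": "shadow_t", "uid": 0, "mode": 0o000}   # no rule mentions it


if __name__ == "__main__":
    for file, perm in [(CONFIG, "read"), (CONFIG, "write"), (LOG, "append"), (SHADOW, "read")]:
        print(file["type"], perm, access(RULES, HTTPD, file, perm))
```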


In contrast to the SELinux approach, SUSE Linux Enterprise 10 builds on the inherent security of Linux by integrating a wide range of security capabilities, including encryption, firewalls, certificate creation and management, authentication, access control and proxy management. It is the only Linux distribution to include integrated application-level security with Novell AppArmor. AppArmor tools identify the programs that need containment, capture application behavior in a "learning mode" and turn that behavior into security policy.

HP offers Linux from Red Hat and Novell and supports both Red Hat Enterprise Linux with SELinux and SUSE Linux Enterprise Server with AppArmor. HP has also demonstrated a broader commitment to the development and certification of multi-level security features in Linux. HP has completed three consecutive certifications with Red Hat Enterprise Linux as well as one recent certification with Novell SUSE Linux Enterprise Server.

• HP has completed Labeled Security (LSPP), RBAC, and Controlled Access (CAPP) certification at Evaluation Assurance Level (EAL) 4+ of Red Hat Enterprise Linux 5 on HP Integrity servers, HP ProLiant servers, and selected HP workstations. HP worked closely with Red Hat, NSA, and the security community to enhance multi-level security capabilities, contributing to file system auditing, labeled printing, and labeled networking for greater compatibility with legacy trusted operating systems.
• HP has completed CAPP certification at EAL 3+ of Novell SUSE on HP ProLiant servers, HP Integrity servers, and HP carrier-grade systems. The certification includes systems with the Intel Itanium 2, Intel Xeon, Intel Pentium, and AMD Opteron processor families.

HP continues to enhance the multi-level security capabilities of Linux by supporting the development of auditing, labeled printing, and labeled networking, and submitting these contributions to the community under the GNU General Public License (GPL). HP also offers a porting kit and migration services to support customers seeking to move their applications from a legacy trusted operating system to enterprise Linux. For more information, see www.hp.com/go/linuxsecurity.

5.4.3.4. HP OpenVMS

Security, at its core, is about protecting data and transactions from unauthorized access and ensuring that data is available when businesses need it. HP OpenVMS ships with an out-of-the-box default security architecture that provides "Rings of Protection" (see Figure 4-5, next page) that grant users and applications the least amount of privilege needed to accomplish their tasks. In addition to the rings, which are analogous to multiple layers of physical security found at many buildings, OpenVMS adds yet another dimension of locally exclusive access. A user, process, or device may have access to a particular layer for a specific purpose and still be excluded from access to all other levels for which privileges have not been granted. This provides even stronger assurance against such actions as back-door unauthorized access.

The system itself performs privileged tasks on behalf of a user or application without needing to grant the user that privilege. This design protects OpenVMS from viruses and similar attacks. Data protection extends across the whole system implementation from memory to disk storage to processor to I/O, so that a flexible but secure system can be configured to meet the needs of any enterprise.

Installing OpenVMS without security parameter changes results in a secure environment with no default passwords or accounts with known passwords. One of the first things that OpenVMS requests during installation is the installer's identification and primary security parameters. OpenVMS may be installed without this information, but access is not allowed and installation must begin anew. This default feature is designed specifically to ensure that definitive security precautions are instituted from the very beginning of use.

The resulting system, with established rings of security and the ability to monitor and identify users, even those with the most privileges, provides for an implementation of security policy that can be followed directly from the first moment of installation. In addition, OpenVMS provides exceptional data confidentiality (protecting data from unauthorized access) with encryption tools and a default protection scheme that is secure and flexible.


OpenVMS has had security designed in since it was first developed. At the core of the OS is a security model that ensures that every transaction on an OpenVMS system is auditable and access is granted or denied by the security model. The system provides a rich set of tools to control user access to system-controlled data structures and devices that store information. OpenVMS employs a reference monitor concept that mediates all access attempts between subjects (such as user processes) and security-relevant system objects (such as files). OpenVMS also provides a system security audit log file that records the results of all object access attempts. The audit log can also capture information about a wide variety of other security-relevant events.

Because the OpenVMS security model is built into its design, the security features, including the robust logging and auditing functionality, require minimal overhead. As a result, users have the highest level of security in a commercial off-the-shelf operating environment with full performance. When the impact of security is further considered in the context of total cost of ownership (TCO), HP OpenVMS performs very favorably in comparison to competitive environments. The results of a relevant study can be found at http://h71000.www7.hp.com/openvms/whitepapers/TCS_2004.pdf.

The OpenVMS security architecture and model apply equally to a single system in a computer lab, or to an entire OpenVMS Disaster Tolerant cluster spread over hundreds of miles. In any case, each access will be tested, audited, and validated. To find out more about OpenVMS security, go to www.hp.com/go/openvms/security or review the white paper at http://h71028.www7.hp.com/ERC/downloads/4AA0-2896ENW.pdf.

[Figure 4-5: OpenVMS rings of protection. Ring labels, outermost to innermost: Unauthorized Users, Authorized Users, Application, Executive, Supervisor, Kernel. The Privilege Level axis runs from "many users with very limited privileges" at the outer rings to "few users with broad privileges" at the inner rings.]


5.4.3.5. HP NonStop Systems

HP NonStop systems provide strong security for a number of financial and other mission-critical applications. With their integrated hardware, software, and middleware, HP Integrity NonStop NS-series and NonStop S-series systems protect your application in these ways:

• Modular operating system: Except for a small kernel, most of the HP NonStop operating system functionality is handled by specialized system processes, such as the memory manager and disk access manager, that communicate through interprocess messages.
• Minimum privilege: Not all system or application processes need administrator or root privileges to run, but may be started with the minimum authority required by the customer.
• Processes that run in their own virtual address space: No matter what a non-privileged process does, it cannot view or alter the memory of any other process running on the system unless the processes agree to share portions of their memory. Processes normally communicate by sending messages.

HP Safeguard security management software, included as part of the NonStop operating system for Integrity NonStop NS-series servers and available for NonStop S-series servers, implements a finer-grained subject/object access control model than the one provided by basic system security services.

• Authentication: Safeguard software complements and extends the basic security features by adding advanced support for UNIX-type user names and features such as account expiration, temporary access suspension and restoration, password quality, password history, password change intervals, and automatic user account suspension after excessive logon failures.

• Authorization: Safeguard software can improve server availability by reserving resources for critical production applications, ensuring that only authorized clients can access application servers, and protecting critical data from unauthorized or accidental modification. Authorized users can exercise control over objects such as disk files, tape drives, and other processes. You establish the protection of an object by creating one or more access control lists (ACLs) or protection records for it. An ACL contains subjects or groups of subjects (users) and the access that they are permitted to the object.

• Auditing: Safeguard software audits logon attempts, access to objects, and changes to the security settings for those objects, allowing your security administrators to detect unauthorized system access, detect unauthorized security setting changes, and verify that policies are being followed. Security administrators can specify the objects and the types of access to be audited and how much or how little system activity to record for later review. Safeguard software also logs changes made to an object's ACLs. This record can be reviewed by management and auditors to verify that security administrator activity conforms to established management policies. In addition, Safeguard audits changes to its own configuration.

The HP NonStop Security Review Service provides a comprehensive assessment of the security risks to a business's HP NonStop Server with clear, prioritized recommendations to counter those risks.

There are dozens of NonStop system security enhancements available from HP partners. Customers can take advantage of valuable off-the-shelf features such as single sign-on; support for RSA SecurID tokens; graphical interfaces; enhanced logging and reporting; limiting authorization to specific times, locations, and access devices; and granularity to the individual command level of system utilities. Frequent interaction with these partners allows HP to understand what new APIs should be made available to increase the functionality of NonStop system security.

HP NonStop systems use best-practices technology to provide strong authentication, authorization, and privacy in their overall networking design. This includes support of biometrics, tokens, and PINs for authentication. Least-privilege access, role-based security, and subject/object access control models are used for authorization solutions.


5.4.4. HP Atalla Security Products

HP Atalla Security Products incorporate years of cryptographic expertise and industry best practices into designing and building hardware-based commercial security appliances that meet the high levels of government security requirements.

The Atalla Cryptographic Subsystem (ACS) used in most Atalla products is the first reparable technology to have been validated at Federal Information Processing Standard (FIPS) 140-2 Level 4, the highest government standard for physical security and key management. Where it is appropriate, other Atalla products meet Common Criteria levels 4 and above. Within HP, Atalla is uniquely focused on strong security solutions and cryptographic performance.

HP Atalla products that secure worldwide bank payments networks have set new security, performance, and flexibility standards in the face of increasingly sophisticated threats and escalating risks. HP Atalla is the market and technology leader in strong Automated Teller Machine (ATM), Electronic Funds Transfer (EFT), and Point-of-Sale (POS) network security. Atalla products provide unparalleled performance, price, and protection to over one thousand leading financial institutions, independent software vendors (ISVs), and HP financial industry partners.

The high-performance HP Atalla Ax150 Network Security Processor (NSP), an evolution of the industry-leading Atalla Ax100 NSP family, is a hardened, rack-mountable, 2U appliance with a state-of-the-art tamper-resistant architecture. The Atalla Ax150 NSP provides unrivaled protection for Triple DES and other cryptographic keys when safeguarding value-based transactions. The Atalla Ax150 NSP series consists of three models; each model offers identical security functionality, with different processing capabilities. The high-end HP Atalla A10150 NSP performs up to 950 Triple DES PIN translates per second while using the industry-standard Atalla Key Block. All Atalla Ax150 NSPs meet the FIPS 140-2 Level 4 standard.

The HP Atalla Secure Configuration Assistant (SCA) is an easy-to-use handheld device to configure commands, define parameters, and inject cryptographic keys into new-generation HP Atalla network security processors. The SCA is based on a security-enhanced HP iPAQ personal data assistant (PDA), with an easy-to-use graphical user interface that saves time and reduces human error. The Atalla SCA security engine is a custom smart card that performs all cryptographic functions and stores security-relevant data such as cryptographic key components to ensure the highest levels of physical and logical security.

The Atalla SCA is physically secured with tamper-evident seals and has exceptional logical security features. The Atalla SCA application starts automatically on SCA power-on, accepts digitally signed upgrades only from HP Atalla Security Products, and is locked to prevent the installation of any rogue applications. The custom SCA smart card is certified to the FIPS 140-2 Level 3 standard. Together, the Atalla NSP and Atalla SCA form the only end-to-end truly secure key initialization, configuration, and key management solution on the market.


The Atalla Key Block (AKB) is an extensible, secure, industry-standard foundation for cryptographic key management. The Atalla Key Block is the new-generation key management solution from HP Atalla, designed from the ground up to provide unrivalled logical security for Triple DES and other advanced cryptographic keys. No matter what strength cryptographic algorithm is in use, secure key management is pivotal to its effectiveness.

The Atalla Key Block prevents even a knowledgeable attacker from:

• Changing any attribute of any key
• Changing any bits of any key
• Using part of a key as the entire key
• Rearranging any part of a key
• Substituting parts of a key into another key
• Identifying weaker keys

The result of more than three decades of cryptographic expertise, the Atalla Key Block has become the industry standard for cryptographic key management as defined by ANSI X9.24-2004, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques.

Customers deploying the Atalla Key Block are able to derive maximum value from their cryptographic schemes, overcome key security issues associated with mixed encryption environments, and enjoy extensible protection far into the future. Designed for simplicity of use as well as security, the Atalla Key Block is supported by leading financial institutions, ISVs, and HP industry partners with an interest in the security of financial networks.
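The protections in the list above, as an added example that is not the Atalla Key Block format itself (its header layout and cipher are not reproduced here): a simplified key block that carries the key's attributes in a clear header, encrypts the key under a key-block protection key (KBPK), and binds header and ciphertext with a MAC, so that each listed manipulation except "identifying weaker keys" is detected on unwrap. The header layout, the usage codes and the HMAC-derived keystream standing in for block-cipher encryption are constructed for the example.

```python
import hashlib
import hmac

HEADER_LEN = 7   # usage(2) + algorithm(1) + mode of use(1) + key length(3); constructed layout
MAC_LEN = 16


def _keystream(kbpk: bytes, header: bytes, length: int) -> bytes:
    """Keystream bound to the KBPK and the header. A stand-in for the block-cipher
    encryption a real key block uses, chosen so the example needs only the stdlib."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kbpk, b"enc" + header + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kbpk: bytes, key: bytes, usage: str, algorithm: str, mode: str) -> bytes:
    """Build a key block: clear header with the key's attributes, the key encrypted
    under the KBPK, and a MAC over header and ciphertext (the binding that makes
    attribute or ciphertext changes detectable)."""
    header = f"{usage:2}{algorithm:1}{mode:1}{len(key):03d}".encode("ascii")
    if len(header) != HEADER_LEN:
        raise ValueError("attribute fields do not fit the header layout")
    body = bytes(k ^ s for k, s in zip(key, _keystream(kbpk, header, len(key))))
    mac = hmac.new(kbpk, b"mac" + header + body, hashlib.sha256).digest()[:MAC_LEN]
    return header + body + mac


def unwrap_key(kbpk: bytes, block: bytes):
    """Verify the block and return (key, attributes). The MAC is checked before
    anything is decrypted, so a tampered block never yields a key."""
    if len(block) < HEADER_LEN + MAC_LEN:
        raise ValueError("key block too short")
    header, body, mac = block[:HEADER_LEN], block[HEADER_LEN:-MAC_LEN], block[-MAC_LEN:]
    expected = hmac.new(kbpk, b"mac" + header + body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("key block MAC check failed")
    attrs = {"usage": header[0:2].decode(), "algorithm": header[2:3].decode(),
             "mode": header[3:4].decode(), "length": int(header[4:7])}
    if attrs["length"] != len(body):
        raise ValueError("declared key length does not match body")
    key = bytes(c ^ s for c, s in zip(body, _keystream(kbpk, header, len(body))))
    return key, attrs


def _rejected(kbpk: bytes, block: bytes) -> bool:
    try:
        unwrap_key(kbpk, block)
    except ValueError:
        return True
    return False


def tamper_cases(kbpk: bytes, block: bytes, other_block: bytes) -> dict:
    """Apply each manipulation from the list to a valid block; True means rejected."""
    h, b, m = block[:HEADER_LEN], block[HEADER_LEN:-MAC_LEN], block[-MAC_LEN:]
    ob = other_block[HEADER_LEN:-MAC_LEN]
    half = len(b) // 2
    cases = {
        "change key attribute": h[:3] + b"B" + h[4:] + b + m,   # mode of use E -> B
        "change key bits": h + bytes([b[0] ^ 0x01]) + b[1:] + m,
        "use part of key as whole key": h + b[:half] + m,
        "rearrange key parts": h + b[half:] + b[:half] + m,
        "substitute part from another key": h + ob[:half] + b[half:] + m,
    }
    return {name: _rejected(kbpk, blk) for name, blk in cases.items()}


def demo():
    """Constructed KBPK and keys (never use fixed values like these in practice)."""
    kbpk = bytes(range(32))
    pin_key = bytes.fromhex("0123456789abcdeffedcba9876543210")
    data_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    block = wrap_key(kbpk, pin_key, "P0", "T", "E")      # PIN key, Triple DES, encrypt-only
    other = wrap_key(kbpk, data_key, "D0", "T", "B")     # data key, both directions
    key, attrs = unwrap_key(kbpk, block)
    return key == pin_key, attrs, tamper_cases(kbpk, block, other)


if __name__ == "__main__":
    ok, attrs, results = demo()
    print("round trip:", ok, attrs)
    for name, rejected in results.items():
        print(f"{name}: {'rejected' if rejected else 'ACCEPTED'}")
```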

The HP Atalla Resource Manager (ARM) is a set of software tools that provide flexible and unique ease-of-use features to HP NonStop server users for managing groups of Atalla NSPs to optimize the performance and security of cryptographic operations. ARM enables users of two or more Atalla NSPs to simplify their environment by managing the cryptographic access to the NSPs. IT organizations with a complex Atalla NSP environment or experiencing rapid growth can save time and money using ARM to customize their environment to the needs of their financial institution.

The HP Atalla Trusted Print Center (ATPC) brings robust cryptographic security to the printing of PIN mailers and the re-keying of remote ATMs. The ATPC is a cost-effective in-house solution used to generate PINs (personal identification numbers) and print PIN mailers that advise account holders of their PIN in a secure manner. A PIN mailer is a tamper-evident form where the PIN is never visible to anyone until the intended recipient opens the folded secure form. Until the advent of the ATPC, this essential process within financial institutions has been less than secure.

The protection and changing of unique keys within an ATM or POS device is essential to the security of banking networks. The distribution of key components is a logistical nightmare for financial institutions. Like PIN mailers, the ATPC solution generates, encrypts, transmits, decrypts, and prints key components on secure ATPC forms, maintaining best security practices such as the dual-control principle. The two technicians servicing the remote cryptographic device open their tamper-evident forms and inject their respective key components, then communicate the completed tasks to the host application for final test of the newly injected key. The sensitive cryptographic key is never "in the clear" from the NSP until used at the ATM or POS device. The ATPC uses a custom Atalla NSP that meets the FIPS 140-2 Level 4 standard.

The Atalla Remote Key feature is a second technology used to remotely key and re-key ATMs and other cryptographic devices. ATMs are not physically secure while being serviced. For example, there is no dual control or split knowledge of encryption keys. In addition, changing ATM keys is estimated to cost up to $400 per ATM change.

The industry is moving to a faster, more accurate process with no human intervention that will reduce overheads and increase the number of key changes per annum. HP Atalla supports initiatives from ATM vendors such as NCR, Diebold, and others that meet recommendations such as those of VISA and MasterCard.

For more information about HP Atalla Security Products, see www.atalla.com.

5.4.5. HP Trusted Compliance Solution for Energy

The HP Trusted Compliance Solution for Energy (TCS-e) uniquely helps North American utilities define, implement and maintain their security controls while automating these processes to reduce both the initial and the ongoing costs of NERC CIP 002-009 compliance while ensuring the integrity of NERC evidence.

Utilities and their auditors can easily and immediately see who accessed critical infrastructure and when - for compliance, audits, and forensic investigations - with confidence that this data has not been compromised. To maintain the highest levels of reliability to end customers, automatic real-time searches for security signatures immediately alert utilities to potential security-related or natural crisis events.


Workflow management translates NERC CIP evergreen review requirements into automated reminders to responsible reviewers and approvers, ensuring ongoing compliance. Unlike an off-the-shelf tool that can be used to collect the required documentation, TCS-e was purpose-built around NERC CIP requirements, integrating data access, security and workflow. TCS-e provides a comprehensive methodology within the help module, developed by a senior industry consultant to help utilities navigate the complex NERC CIP standards as they plan and execute their security compliance efforts.

The Trusted Compliance Solution for Energy is packaged as a 2U-high, hardened appliance with an embedded cryptographic engine, a Trusted Configuration System for assured deployment and management, and three management services:

• The Trusted Compliance Manager (TCM) securely automates the assembly, review, approval, and audit of NERC CIP 002-009 compliance evidence so that a utility senior manager may sign off with confidence. TCM provides a “Dashboard” that depicts the organization's progress to compliance with NERC CIP cyber security standards. TCM automates the secure management of compliance documents with digital signatures and trusted timestamps. When senior managers are asked to sign off on their team's compliance effort, they can do so with confidence.

• The Trusted Log and Analysis Manager (TLAM) securely collects, compresses, and stores log record data in a trusted, purpose-built, replicated repository that compresses data at a ratio of up to forty to one over a relational database management system (RDBMS). Log records are secured with trusted timestamps and digital signatures so there is no question just who did what and when. TLAM is a “Flight Data Recorder” for internal or external audits and forensic investigations. Sophisticated report and query tools scan the still-compressed data repository to return information orders of magnitude faster than a traditional RDBMS.

• The Trusted Real-time Alert Manager (TRAM) is a "motion sensor" that scans log record data from numerous sources in real time for potential security-related or natural events against control systems, and alerts trained personnel for further investigation and action. TRAM can detect simple threshold events or complex series of events that may be unique to the control system environment.

TCS-e leverages unique security capabilities from HP that provide the trust and reliability found in the global bank payments interchange network. With Federal Information Processing Standard (FIPS) 140-2 Level 4 protection, TCS-e meets the most rigorous U.S. government standards to protect a utility's most sensitive compliance, information technology, and process control data and log records.
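TLAM's promise that signed and timestamped log records leave "no question who did what and when" rests on making the records tamper-evident. The following is an added example, not HP code and not a description of how TLAM is built, of the underlying technique: each record carries the hash of its predecessor and an authentication tag over its own hash, so editing, forging, deleting or reordering any record breaks the chain at that point. An HMAC with a constructed key stands in for the digital signature, the log records and actor names are constructed for the demo, and the timestamps are supplied by the caller rather than by a trusted time source.

```python
"""Tamper-evident log records: hash chain plus per-record tag (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the record tag would be a digital
# signature with a key held in the appliance's cryptographic engine, and the
# timestamp would come from a trusted time source rather than the caller.
SIGNING_KEY = b"constructed-demo-key-not-for-use"
GENESIS = "0" * 64


def _canonical(body):
    """Stable byte encoding so the hash does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    """Append-only log; each record commits to the hash of its predecessor."""

    def __init__(self, key=SIGNING_KEY):
        self.key = key
        self.records = []
        self.prev_hash = GENESIS

    def append(self, actor, action, target, ts=None):
        body = {
            "seq": len(self.records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "prev": self.prev_hash,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        tag = hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()
        record = dict(body, hash=digest, sig=tag)
        self.records.append(record)
        self.prev_hash = digest
        return record


def verify_chain(records, key=SIGNING_KEY):
    """Walk the chain; return (True, None) or (False, index of first bad record).
    Catches edited fields, forged records, and deleted or reordered records."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if body.get("seq") != i or body.get("prev") != expected_prev:
            return False, i
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if digest != rec.get("hash"):
            return False, i
        tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, rec.get("sig", "")):
            return False, i
        expected_prev = digest
    return True, None


def build_demo_log():
    """Three constructed records with fixed timestamps (not real events)."""
    log = ChainedLog()
    log.append("jdoe", "login", "hmi-01", ts="2008-03-01T10:00:00+00:00")
    log.append("jdoe", "open_breaker", "feeder-7", ts="2008-03-01T10:01:30+00:00")
    log.append("jdoe", "logout", "hmi-01", ts="2008-03-01T10:05:00+00:00")
    return log


def demo():
    """Show that both editing and deleting a record are detected."""
    log = build_demo_log()
    intact = verify_chain(log.records)
    edited = [dict(r) for r in log.records]
    edited[1]["actor"] = "someone-else"          # rewrite who did it
    deleted = [log.records[0], log.records[2]]   # drop the middle record
    return intact, verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print(demo())
```

The verifier reports the index of the first record that fails, which is what an auditor needs: everything before it is still trustworthy, everything from that point on is not. Truncating the tail of the log is the one change this chain cannot see on its own; that is why a production design also anchors the latest hash somewhere the log writer cannot reach, such as a periodically signed and timestamped checkpoint.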

5.4.6. Vulnerability Assessment Tools from HP

HP Application Security Center software solutions help security professionals, developers and QA teams save time and money by catching security defects as early in the application development lifecycle as possible.

HP Application Security Center software is designed with flexibility in mind. Some development and QA organizations want to deploy software that is integrated into the development and testing environments. Others want a centralized solution for authorized team members to conduct security tests as needed. Many organizations implement a combined approach in which security professionals manage the overall security program, working with developers, QA teams and security experts. They need flexible solutions to define and manage web application security processes.

HP Application Security Center's DevInspect, QAInspect and WebInspect software products are designed for developers, QA professionals and security professionals respectively. HP Assessment Management Platform software brings these products together and can be leveraged by each audience for different purposes. When used together, these products provide an effective end-to-end security testing solution for the enterprise.

The HP Application Security Center software provides common security policy definitions, centralized permissions control and web access to security information, and it supports the complete application lifecycle from development to production.

5.4.6.1. Vulnerability Assessment Tools for Security Professionals

Security professionals must secure enterprise web applications and reduce the risk of malicious attacks. Attackers are constantly finding new ways around traditional defenses in order to break into web applications and web services. While protecting assets and maintaining security awareness in this complex, fast-changing environment, security professionals must also demonstrate the state of their organization's web security and regulatory compliance.

Security professionals must also address an overwhelming number of applications, vulnerabilities and people around the world. They must identify critical applications, maintain a holistic risk management view and give numerous stakeholders visibility into the state of application security across the enterprise. They must scale their assessment processes across the enterprise and throughout the lifecycle to developers, QA teams, other security professionals and the business managers who own the applications. Many organizations are striving for proactive application security programs that find vulnerabilities early in the lifecycle to avoid the excessive costs associated with fixing defects in production applications. The security professionals driving these programs need sophisticated software to help them coordinate a global team of people and manage and mitigate application risk. HP offers two software products that can be used separately or together to test web applications and manage the overall security program: HP WebInspect and the HP Assessment Management Platform.

HP WebInspect

HP WebInspect is easy-to-use, extensible and accurate web application security assessment software. Many security professionals begin their application security testing programs with HP WebInspect, which enables both security experts and security novices to identify critical, high-risk security vulnerabilities in web applications and web services. HP WebInspect addresses the complexity of Web 2.0 and identifies vulnerabilities that are undetectable by traditional scanners. HP WebInspect supports today's most complex web application technologies with testing innovations including simultaneous crawl and audit (SCA) and concurrent application scanning, resulting in fast and accurate automated web application security testing.

HP Assessment Management Platform

HP Assessment Management Platform fully addresses the complexities of today's web application security programs. After using HP WebInspect for a short time, security professionals often need to scale their program to test additional web applications and perform tests more frequently. They need both automated and scheduled penetration testing and more manual expert tests. They need to extend security testing to additional security professionals around the globe as well as to developers and QA teams, who address security early in the application lifecycle.

HP Assessment Management Platform supports an advanced global security program that allows multiple participants to get the application security information they need and participate in the assessment and remediation process, while letting security professionals maintain centralized control. HP Assessment Management Platform is distributed and scalable. It provides a web-based interface for a consolidated global view, supporting multi-user lifecycle collaboration and control of application security risk throughout the enterprise. Developers, QA teams and security professionals can use HP Assessment Management Platform as a black box assessment tool across the enterprise to target vulnerabilities that attackers can exploit.

5.4.6.2. Vulnerability Assessment Tools for Developers

Developers are increasingly using products to help them code more securely. Developers know that security defects are like other defects: catching them early eliminates the time and expense associated with later-stage patches. Today's global organizations have thousands of developers dispersed all over the world. In many cases, development is outsourced to third party vendors. Establishing common practices and tools for secure coding is an ever-present challenge. HP offers two products that present different options for developers to test their web applications for security: HP DevInspect and the HP Assessment Management Platform.

HP DevInspect

HP DevInspect simplifies security for developers by automatically finding and fixing application security defects. HP DevInspect also helps developers build secure web applications and web services quickly and easily, without affecting schedules or requiring security expertise. HP DevInspect is installed on an individual developer's system and, using a hybrid analysis approach, combines source code analysis with black box testing to reduce false positives and find additional security defects.

HP DevInspect integrates with the following integrated development environments (IDEs):

• Microsoft Visual Studio 2003 and 2005
• IBM Rational Application Developer 6 and 7
• Eclipse 3.1 or higher

HP DevInspect supports C#, Java, Visual Basic, HTML, XML, SOAP, WSDL, JavaScript and VBScript.

HP Assessment Management Platform

Many development organizations also use HP Assessment Management Platform, which developers can use to conduct assessments of their code as needed. Developers can use HP Assessment Management Platform to conduct black box testing of their application, targeting only exploitable security defects. HP Assessment Management Platform conducts comprehensive tests for all web applications, regardless of the language in which they are built. HP Assessment Management Platform also includes flexible reporting capabilities that let development teams share information and security policies with QA teams and security professionals.

5.4.6.3. Vulnerability Assessment Tools for QA Professionals

QA teams use security products to help them find security defects in web applications. QA testers have traditionally focused on functionality and performance. Now that web applications are maturing, QA teams are conducting more focused and comprehensive security testing on web applications.

HP QAInspect

HP QAInspect applies innovative techniques to identify security defects from the attacker's perspective. HP QAInspect reports on vulnerabilities with detailed security knowledge in a way that QA professionals can understand: a concise, prioritized list of vulnerabilities with thorough vulnerability descriptions. Analysis results yield detailed information on possible types of attacks, including cross-site scripting (XSS) and SQL injection, as well as on compliance issues related to regulations such as SOX, HIPAA and PCI.

HP QAInspect integrates with the following testing tools:

• HP Quality Center software
• HP WinRunner software and HP QuickTest Professional software
• HP Business Process Testing software
• IBM Rational Software Delivery Platform (SDP), Rational ClearQuest and Rational Functional Tester

HP Assessment Management Platform

Many QA teams also use HP Assessment Management Platform to assess their applications. HP Assessment Management Platform conducts comprehensive tests for all web applications, and its automatic scheduling capability lets QA teams schedule regular web security tests. HP Assessment Management Platform also includes comprehensive reporting capabilities that help QA teams share information and security policies with development teams and security professionals.

5.4.7. HP Enterprise Mobility Suite

The HP Enterprise Mobility Suite (HP EMS) provides enterprises with a secure and cost-effective solution to deploy mobile devices to the field while ensuring manageability and security.

HP EMS enhances the security of sensitive corporate data by extending corporate security policy enforcement to the mobile device and by reducing security vulnerabilities with over-the-air (OTA) access to the entire fleet of devices. HP EMS also provides a dedicated enterprise management solution for automating mobile device management, including OTA device setup, diagnostics and application management.

HP EMS gives enterprises the following security and policy conformance mechanisms for their mobile devices:

• Remote lock or wipe of compromised devices. Enterprises can remotely push lock or wipe commands to lost or stolen devices to restrict access to data and device functionality. Locking a device immediately protects data until the device has been recovered or wiped.
• Device lockdown. EMS supports the native Windows Mobile lockdown features with policies to disable Bluetooth, Wi-Fi, IR, camera, and removable storage.
• Policy conformance. Enterprises can set IT policies that have devices regularly self-audit for conformance to corporate policies, such as those requiring encryption and power-on passwords. They can flag non-conforming devices and automatically apply policies so devices return to conformance immediately.
• Support for user certificates (HP iPAQ only). User certificates can enable secure mobile access to the network behind the firewall.

HP EMS can manage both mobile phones and non-phone devices (for example, PDAs) over any available HTTPS connection, including cellular, Wi-Fi, or tethered connections. It leverages the mobile-optimized Open Mobile Alliance Device Management (OMA-DM) standard to support multiple device platforms.

For more information on the HP Enterprise Mobility Suite see www.hp.com/go/ems.

5.5. Host Security Summary

Host security has traditionally been a military-grade solution with high costs in the areas of user satisfaction, user productivity, and operations, in addition to the cost of the solutions themselves. Host security is transforming to meet the needs of businesses and other organizations, which are driving secure hosts to deliver ease of administration, flexible role-based access control, useful privilege management, and security balanced with performance.

The concept of relying solely on a bulletproof perimeter defense is evolving into the concept of layered defenses that acknowledge the real threat environment. Furthermore, the layers need to extend all the way down to the servers themselves. The motivation for these changes comes from far-reaching, global malware outbreaks, such as the Blaster and Sasser worms, that have easily crossed secured perimeters.

HP has intently examined the issues related to host security to enhance the delivery of platform security through the operating environment. The results are new tools and techniques that reduce the risk to enterprises without ballooning TCO or creating an unacceptable customer or user experience.

6. Network Security

The enterprise network connects all other trusted infrastructure elements. A properly secured network protects and integrates its hosts, while remaining functional in the face of business-driven change and today's countless threats to information availability, integrity, and confidentiality. This section focuses on data network security and limits its coverage to IP-based networks. It discusses network security threats, defenses and design, and the selection of specific network security components.

6.1. Environment

Enterprise networks are changing. Modern networks have a diversity of components with varying trust levels; they are no longer simply fortresses encircled by defensive rings. Traditional enterprise networks have an internal compartment devoted to internal communications and a carefully isolated compartment, commonly called a demilitarized zone (DMZ), devoted exclusively to externally accessible services. Firewalls control access between the internal network and the DMZ, and between the entire network and the Internet. Three factors have caused the enterprise network to change dramatically: Internet delivery of services, telecommuters and mobile workers, and outsourcing. These factors are illustrated in Figure 4-6.

6.1.1. Internet Delivery of Services

Organizations use the Internet to deliver increasingly complex services within and across administrative domains, including collaboration and transactions with vendors, customers, and partners. This process often relies on interactions between groups of systems on different enterprise networks. Therefore, external services hosted in the DMZ interact with internal systems in increasingly complex ways, complicating the relationship between the DMZ and the internal network.

6.1.2. Telecommuters and Mobile Workers

Organizations rely on telecommuters and mobile workers to perform critical tasks that require access to internal applications and data. Organizations must provide access to internal resources from almost any location and for a variety of devices over which they have varying degrees of control. These requirements further blur the network perimeter.

6.1.3. Outsourcing

Organizations are distinguishing between their core competencies and other business-critical activities in order to better compete in the global economy. Many organizations are aggressively outsourcing critical work to distant partners or delivering global services based on their core competencies. IT has responded by making internal applications available externally via virtual private networks (VPNs), leased connections, terminal serving, and reverse proxies.

Taken together, these three trends result in networks with a variety of users, segments, and hosts that are authorized to do different things and are trusted at different levels. Fortunately, while networks have become more complex, their security capabilities have become more sophisticated and autonomous.

Figure 4-6: Enterprise network trends (Internet delivery of services; enterprises outsourcing; telecommuters and mobile workers)

6.2. Network Security Analysis and Planning

Network security addresses the enterprise network technologies that connect the organization to the Internet and to extranets, together with the boundary of the IT infrastructure. It must also cover the security of wireless networks. Controlling access to network resources and providing lower-level prevention and detection of attacks allow enterprises to protect their information assets optimally.

6.2.1. Approach

A traditional approach to network security implementations is to encircle an unsecured network with a perimeter defense solution that controls access to the network. Perimeter defense is an integral part of an overall defense strategy. However, within the perimeter, a user left unrestricted may cause intentional or accidental damage. The network can be extremely vulnerable to a hostile party gaining access to a system or application inside the perimeter, and it can be compromised by an authorized user. Crucial steps include ensuring that all devices on the network are authorized to connect, that their configuration is up to date according to organizational policy, and that the network is adequately defended against attack.

Deploying a collection of security techniques and tools, including firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and VPNs, can help enterprises to ensure overall network security. However, as network boundaries expand and fluctuate due to interconnected business relationships with employees, vendors, and customers, efficiently making and enforcing access decisions becomes challenging. While protecting the network is a high priority, minimizing friction for legitimate authorized usage is the goal. Even the most trusted and secure systems are exposed to a variety of threats when employees take them offsite. The health of these devices must be reevaluated every time they attempt to connect to the network. As in all other areas of network security, nothing is static and nothing should be assumed or taken for granted.

There are a number of approaches to network security, and there is no single solution that applies to all organizations. Many factors affect the assessment and development of a strategy for authentication and authorization of devices and users, and for assessing and remediating threats posed by devices attempting to access the network. Ultimately, any network security solution, no matter how sophisticated or capable, does not remove the ultimate responsibility of the organization. Protecting sensitive data where it is stored and exerting appropriate controls over when and under what terms data is accessed are critical components of an organization's complete security solution.

From a technology perspective, network security is a rapidly developing area, with new threat vectors and new security solutions being developed and refined constantly. Organizations rarely have the internal resources needed to evaluate, determine, and implement the appropriate course of action. Given the breadth and heterogeneity of the HP portfolio, HP consultants are well qualified to advise organizations about how best to design and implement a network security architecture that supports business goals.

HP Services employs a proven solution framework to ensure that networking technology is aligned with business strategy and becomes a business enabler, not an obstacle. The process begins with an analysis of the organization's business requirements, including business drivers and associated metrics. It includes economic analysis of the impact of technology on an organization's operations and compliance with governance and business objectives.

6.2.2. Understanding Security Risks and Threats

Evolving regulatory and legal requirements are increasing enterprise risk exposure to a level where IT risk management should be a top priority. Network administrators face a witch's brew of dangers: DoS attacks; hijacking of networks to do harm elsewhere; defacement of public web sites; physical intrusion into sensitive areas; abuse of kiosks, hotspots, and other public computing facilities; wide distribution of high-quality attack tools; network mapping and port scanning; vulnerability scanning; war dialing; and war driving. The list seems endless.

As stated previously, the dangers do not always come from the outside. The same attacks can be mounted by insiders, who may be employees or contractors engaged by the enterprise. Another area of vulnerability is a trusted network connection, such as a connection with a vendor or trading partner that has experienced a network security breach. Due to the wide availability of ready-to-run attack software tools, attacks can even be mounted by unsophisticated users, sometimes referred to as script kiddies.

There are four general categories of security threats to the network:

1. Unstructured threats consist of random attackers using a variety of tools to attempt to crack protected systems. The tools used include password crackers, credit card number generators, and malicious shell scripts, among others.

2. Structured threats are usually generated by technically competent individuals or organizations. They seek to obtain access to highly sensitive data, and their attacks include development of sophisticated attack plans. They are often sponsored by organized crime and well-financed organizations.

3. External threats include structured and unstructured attacks. They may be random errors or attacks with malicious or destructive intent.

4. Internal threats usually involve disgruntled or former employees. These threats seem the most ominous, but measures are available to mitigate them. Internal threats may also result from user ignorance, a knowing violation of security policies, access to malicious web sites, or a download or received e-mail that contains viruses, worms, spyware, or other malware.

6.2.3. Understanding Types of Attacks

The security threat environment is growing more unpredictable, and new threats are emerging and evolving at an increasingly rapid pace.

The best strategy for protecting the enterprise is to adopt a security posture that is as proactive as possible. This section discusses the categories of security attacks and specific mitigation methods for each.

Attacks that compromise resources fall into four basic categories:

1. Reconnaissance attacks occur when an attacker attempts to discover and map systems, services, and vulnerabilities. Typical tools and techniques include packet sniffers, port scans, ping sweeps, Internet information queries, and vulnerability scanning software.

2. Access attacks occur when an attacker attempts to retrieve data, gain access, or escalate access privileges.

3. DoS attacks occur when an attacker attempts to disrupt the service that a resource normally provides.

4. Worm, virus, and Trojan horse attacks occur when an attacker attempts to damage or corrupt a system, replicate malicious code, or deny services or access to network resources.

6.2.3.1. Reconnaissance Attacks

Reconnaissance attacks are performed with packet sniffers, port scans, ping sweeps, Internet information queries, or vulnerability scanning software.

Packet Sniffers

A packet sniffer captures data that is transmitted in cleartext on the network. Examples include user names and passwords transmitted in applications such as telnet, FTP, and e-mail. Detecting the sniffer is difficult unless direct access is available to the system running the sniffer.

Mitigation strategies for packet sniffers include:

• Secure password mechanisms thwart packet sniffers from capturing user names and passwords. The options in this area include one-time passwords or encrypting the authentication handshake between a client and a server. Even one-time passwords, which are typically valid only for a short period such as a minute, should not be transmitted in the clear where this can be avoided, because a captured code can be replayed within its validity window.
• Anti-sniffer tools detect the presence of a sniffer on the network. They must be in place for a period of time in order to detect the anomalies that occur when an unauthorized sniffer is launched on the network.
• Switched network infrastructures greatly reduce the effectiveness of packet sniffers in the enterprise, although an attacker on the same segment can still redirect traffic through ARP spoofing or MAC flooding, so switching is not a substitute for encryption.
• Cryptographically secure channels for transmitting data are the best way to render a packet sniffer irrelevant.

Port Scans and Ping Sweeps

Port scans and ping sweeps cannot be prevented entirely. IDSs at the network boundary and on the host can detect these types of activity and notify the administrator that reconnaissance is underway.

Internet Information Queries

Domain Name System (DNS) queries can reveal the IP addresses of systems on a network. This can be very useful for IT personnel managing the network. On the other hand, an attacker can use the IP addresses to launch a ping sweep to map the network, and then a port scanner can be used to produce a list of all services running on the network.

Vulnerability Scanning Software

These tools are typically intended to enable IT personnel to efficiently find vulnerabilities such as permissively configured hosts, missing patches, and weak passwords. In the hands of an attacker, however, they can point the way to a successful attack.

Intrusion Detection Systems (IDSs)

IDSs can detect patterns of activity associated with vulnerability scanning. In addition, internal use can be controlled by clear and well-enforced policies: only security personnel should be authorized to use vulnerability-scanning software. Of course, properly patched and configured systems also play a key role.
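The text says an IDS can detect port scans and ping sweeps but not how. The following is an added example, not from the handbook, of the detection logic in its simplest form: a port scan is one source touching many distinct TCP ports on one host inside a short window, and a ping sweep is one source sending ICMP echo requests to many distinct hosts inside the same window. The firewall log format, the thresholds, the addresses and every log line are constructed for the demo; a real deployment would read the actual firewall's format and tune the thresholds to its own baseline.

```python
"""Detect port scans and ping sweeps in firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format, one event per line:
#   2008-03-01T10:00:00Z DENY proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=22
#   2008-03-01T10:05:00Z ALLOW proto=icmp src=198.51.100.7 dst=192.0.2.1 type=8
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<action>ALLOW|DENY)\s+"
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"(?:\s+dport=(?P<dport>\d+))?(?:\s+type=(?P<itype>\d+))?\s*$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _prune(bucket, now, window):
    """Keep only observations inside the sliding window ending at `now`."""
    bucket[:] = [(t, v) for t, v in bucket if now - t <= window]


def detect_recon(lines, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=8):
    """Flag a port scan when one source touches >= port_threshold distinct TCP
    ports on one host within `window`, and a ping sweep when one source sends
    ICMP echo requests to >= host_threshold distinct hosts within `window`.
    Each (type, source) pair is reported once, at the moment it crosses."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    ports_seen = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    hosts_seen = defaultdict(list)   # src -> [(ts, dst)]
    alerts, reported = [], set()
    for ev in events:
        if ev["proto"] == "tcp" and ev["dport"]:
            bucket = ports_seen[(ev["src"], ev["dst"])]
            bucket.append((ev["ts"], int(ev["dport"])))
            _prune(bucket, ev["ts"], window)
            distinct = {p for _, p in bucket}
            if len(distinct) >= port_threshold and ("portscan", ev["src"]) not in reported:
                reported.add(("portscan", ev["src"]))
                alerts.append({"type": "portscan", "src": ev["src"], "dst": ev["dst"],
                               "count": len(distinct), "ts": ev["ts"]})
        elif ev["proto"] == "icmp" and ev["itype"] == "8":
            bucket = hosts_seen[ev["src"]]
            bucket.append((ev["ts"], ev["dst"]))
            _prune(bucket, ev["ts"], window)
            distinct = {h for _, h in bucket}
            if len(distinct) >= host_threshold and ("pingsweep", ev["src"]) not in reported:
                reported.add(("pingsweep", ev["src"]))
                alerts.append({"type": "pingsweep", "src": ev["src"], "dst": None,
                               "count": len(distinct), "ts": ev["ts"]})
    return alerts


def sample_lines():
    """Constructed log (not real traffic): a fast port scan, a ping sweep,
    ordinary client traffic, and a slow scan that stays under the threshold."""
    base = datetime(2008, 3, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.strftime(fmt)} DENY proto=tcp src=203.0.113.5 dst=192.0.2.10 dport={port}")
    for i in range(10):
        t = base + timedelta(minutes=5, seconds=2 * i)
        lines.append(f"{t.strftime(fmt)} ALLOW proto=icmp src=198.51.100.7 dst=192.0.2.{i + 1} type=8")
    for i, port in enumerate([80, 443, 443, 80]):
        t = base + timedelta(minutes=10, seconds=15 * i)
        lines.append(f"{t.strftime(fmt)} ALLOW proto=tcp src=192.0.2.50 dst=192.0.2.10 dport={port}")
    for i, port in enumerate([21, 22, 23, 25, 80, 110]):
        t = base + timedelta(hours=i + 1)
        lines.append(f"{t.strftime(fmt)} DENY proto=tcp src=192.0.2.99 dst=192.0.2.10 dport={port}")
    lines.append("this line is not in the expected format and is ignored")
    return lines


if __name__ == "__main__":
    for a in detect_recon(sample_lines()):
        print(f"{a['ts']:%H:%M:%S} {a['type']:9} src={a['src']} count={a['count']}")
```

The slow scanner in the sample (one port per hour) never crosses the threshold, which is the limitation of any fixed-window detector: an attacker who knows the window can stay under it. Longer windows, per-source counters that decay rather than expire, and correlation across sensors are the usual answers, at the price of more false positives from legitimate monitoring hosts that must be allowlisted.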

6.2.3.2. Access Attacks

Access attacks can take the form of password attacks and trust exploitation attacks. Network access control technologies are particularly important tools for defending against access attacks. They are a key element of an overall network security architecture customized for an organization's business environment and goals. Network access control technologies are discussed in more detail later in this chapter.

Password Attacks

Password attacks are executed by malicious users in order to retrieve data or escalate privileges. They are mitigated as follows:

• Use strong passwords. Characteristics of strong passwords include at least eight characters, upper- and lower-case characters, numbers, and special characters. Password management software can require strong passwords. A key element is training users and enforcing password policies, for example, forbidding employees to keep passwords on sticky notes at their desks.
• Expire passwords regularly. Password expiration periods depend on the business risks associated with unauthorized access to the protected data or systems, the likelihood of password compromise, and the expected frequency of password use.

• Disable accounts. After a specific number of unsuccessful password attempts, the user account should be disabled.
• Do not transmit plaintext, static passwords. Use one-time passwords or encrypted authentication credentials.
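Three of the four mitigations above are mechanical enough to show in code. The following is an added example, not from the handbook: the strong-password check exactly as the text states it, an account lockout after a fixed number of failures, and an HMAC-based one-time password (HOTP, RFC 4226) in place of a static password. The server accepts a code only once and only within a small look-ahead window, so a code captured on the wire is useless after first use. The account record, the lockout and look-ahead constants, and the shared secret (the RFC 4226 test-vector secret, chosen so the codes can be checked against the published table) are constructed for the demo.

```python
"""Password policy, lockout and one-time passwords (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

MIN_LENGTH = 8


def check_password_policy(password):
    """Apply the policy from the text: at least eight characters with upper- and
    lower-case letters, digits and special characters. Returns (ok, missing)."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() and not c.isspace() for c in password),
    }
    missing = [name for name, ok in checks.items() if not ok]
    return not missing, missing


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


MAX_FAILURES = 5   # disable the account after this many consecutive bad attempts
LOOK_AHEAD = 3     # accept a code up to this many steps ahead (client drift)


@dataclass
class Account:
    name: str
    secret: bytes        # shared HOTP secret (constructed for the demo)
    counter: int = 0     # next counter value the server expects
    failures: int = 0
    locked: bool = False


def verify_otp(acct, code):
    """Accept a one-time code once, within the look-ahead window, and lock the
    account after MAX_FAILURES consecutive failures. A replayed code fails
    because the counter moved past it when it was first accepted."""
    if acct.locked:
        return False
    for c in range(acct.counter, acct.counter + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(acct.secret, c), code):
            acct.counter = c + 1
            acct.failures = 0
            return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False


def demo():
    """Walk through first use, replay, a skipped code, lockout, and the
    rejection of a correct code once the account is locked."""
    acct = Account("jdoe", b"12345678901234567890")   # RFC 4226 test secret
    first = verify_otp(acct, hotp(acct.secret, 0))    # True: fresh code
    replay = verify_otp(acct, hotp(acct.secret, 0))   # False: already used
    skipped = verify_otp(acct, hotp(acct.secret, 2))  # True: within look-ahead
    for _ in range(MAX_FAILURES):
        verify_otp(acct, "000000")                    # bad guesses
    after_lock = verify_otp(acct, hotp(acct.secret, acct.counter))  # False: locked
    return first, replay, skipped, acct.locked, after_lock


if __name__ == "__main__":
    print(check_password_policy("password"))
    print(demo())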

Trust Exploitation Attacks

Trust exploitation attacks involve a user or system taking advantage of privileges that a system has granted (either to all users or to specific users) without an appropriate level of authentication. Systems on the outside of a firewall should never be entirely trusted on the inside of the network. All too often, systems or network administrators establish trust between a user and some data based solely on an IP address. For example, a network administrator might allow access to an internal website from the Internet based on the IP address of a user's home connection. This is an insecure access method because an attacker could use (spoof) the same IP address.

Examples of trust exploitation attacks include man-in-the-middle and port redirection. In a man-in-the-middle attack, the attacker becomes an intermediary in a communication session between two nodes in order to capture or alter information. Port redirection works by compromising a target system so that it listens on a configured port and relays all packets to a secondary destination, turning a host that is trusted through the firewall into a relay to systems that are not reachable directly.

Trust exploitation is mitigated by preventing trust between external hosts and internal hosts, properly authenticating users, and using secure protocols for sensitive communication sessions.

6.2.3.3. Denial-of-Service (DoS) Attacks

DoS attacks are defined simply by their name: the attacker denies a particular service that is normally available to users. It is important to note the method that an attacker uses to execute a DoS attack. The most common type of DoS attack is a distributed DoS (DDoS). This type of attack is executed by distributing malicious code to a large number of systems, which then flood the target simultaneously. The most common delivery methods are e-mail attachments and exploitation of target systems in order to deposit the DDoS code.

The individual DoS and DDoS mitigation measures are straightforward, but it is difficult to completely eliminate vulnerability to DDoS attacks. Mitigation includes proper anti-spoofing configuration of routers and firewalls and the use of anti-DoS features on routers, firewalls, and hosts.
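"Anti-spoofing configuration of routers and firewalls" is the same control that limits the IP-address trust problem described under trust exploitation above, so one added example serves both passages. It is not from the handbook. It models the two rules a border device applies: ingress filtering, which drops packets arriving from the Internet that claim an inside or bogon source address, and egress filtering (BCP 38), which drops packets leaving the site whose source is not in the site's own address space, so that compromised inside hosts cannot be used as a spoofed-source flood launch point. The topology, interface names, address ranges and packets are constructed for the demo using the documentation prefixes.

```python
"""Ingress/egress anti-spoofing filter for a network border (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: the enterprise owns 192.0.2.0/24 behind interface
# "lan"; "wan" faces the Internet. Both are documentation prefixes.
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Addresses that can never legitimately appear as a source arriving from the
# Internet: "this" network, private (RFC 1918), loopback, link-local,
# multicast and reserved space.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(pkt, own_nets=OWN_NETS):
    """Return (verdict, reason). Ingress rule: nothing from the Internet may
    claim an inside or bogon source. Egress rule (BCP 38): only our own
    prefixes may leave the site."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        if _in_any(src, own_nets):
            return "DROP", "ingress: source claims our own address space"
        if _in_any(src, BOGONS):
            return "DROP", "ingress: bogon source"
        return "ACCEPT", "ingress: plausible external source"
    if pkt.iface == "lan":
        if not _in_any(src, own_nets):
            return "DROP", "egress: source is not ours (spoofed or misrouted)"
        return "ACCEPT", "egress: source is ours"
    return "DROP", "unknown interface"


def run_demo():
    """Constructed packets covering each branch of the filter."""
    cases = [
        Packet("wan", "192.0.2.77", "192.0.2.10"),       # spoofed inside address
        Packet("wan", "10.1.2.3", "192.0.2.10"),         # private source from Internet
        Packet("wan", "203.0.113.9", "192.0.2.10"),      # ordinary external client
        Packet("lan", "192.0.2.50", "203.0.113.9"),      # ordinary outbound
        Packet("lan", "198.51.100.200", "203.0.113.9"),  # inside host spoofing a source
    ]
    return [(p.iface, p.src, filter_packet(p)[0]) for p in cases]


if __name__ == "__main__":
    for iface, src, verdict in run_demo():
        print(f"{iface:4} {src:16} {verdict}")
```

The third packet shows the limit of this control: the filter accepts 203.0.113.9 because it is a plausible Internet source, not because it knows that address really belongs to the user's house. Your own border can only reject impossible sources; whether a remote address is genuine depends on every upstream network doing the same egress filtering, which is why access must be granted on authentication rather than on source IP. Blind spoofing of an established TCP session additionally requires guessing sequence numbers, but connectionless protocols and an on-path attacker need no such luck.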

6.2.3.4. Worm, Virus, and Trojan Horse Attacks

A worm executes arbitrary and often malicious code on a host, copies itself into the system's memory, and then copies itself to other computers. A virus is a piece of software attached to another program. When the user's normal program launches, the virus executes and causes unwanted or malicious actions on the host computer. A Trojan horse is different in that it is written to appear entirely benign. However, it executes malicious activities on the host computer.

Mitigation of worm, virus, and Trojan horse attacks is fairly straightforward, but in a large enterprise it can be a challenging task. Mitigation is accomplished through properly using anti-virus software and updating anti-virus signatures. Effective use of anti-virus software also includes installing it on enterprise servers, especially mail servers, because e-mail is a significant delivery method for these attacks. As with the access attacks discussed previously, network access control technologies are important tools in defending against threats caused by the spread of worms and viruses. They provide mechanisms to enforce the compliance of endpoints for admission to the network environment.

6.3. Principles of Design

Network security is an exacting discipline, and successful implementation requires significant attention to detail. Moreover, with so many variables and available options, it is essential to keep in mind one key point: an effective security solution reflects and protects key business processes and goals. Business drivers must remain foremost, with the network security architecture design supporting them. Identifying the business problems to address through the security solution is a critical element of the design process.

The tools and technologies employed are simply measures to solve business problems. This important step is often performed with the assistance of a knowledgeable and skilled neutral third party able to objectively and effectively assess all of the relevant factors in context, and to put them in the appropriate perspective. Measures that harden and secure the network against internal and external attacks include:

• Compartmentalizing the network (logically, not physically or geographically) to group resources that require similar levels of protection and promote efficient management. This applies not only to legacy systems but also to the overall network architecture. The business drivers should be the key element in determining compartmentalization methods.
• Deploying firewalls at the network level (via network hardware devices, servers, or other products) and on individual workstations and devices.
• Hardening the TCP/IP stack with restrictive settings.
• Deploying the port and packet filtering features built into OSs.
• Conducting ongoing training and user awareness, including internal users, vendors, and partners, to ensure continued compliance with organizational security policies.


As with any complex endeavor, however, the right overall direction is essential. A few vitally important principles stand out for any network type and use. These principles should orient the design effort - along with good security policies, mitigation strategies, techniques, and tools. Table 4-2 presents an overview of key design principles. More detail about each design principle can be found in Appendix A.

Table 4-2
Key principles of design for network security

Standardization
  Key points:
  • Reduces complexity
  • Deploys widely tested and trusted tools throughout the enterprise
  • Benefits from balancing with diverse architectures
  • Conserves resources
  Benefits:
  • Reduces the number of threats, risks, and vulnerabilities to identify
  • Reduces the number of countermeasures to implement
  • Uses widely tested and trusted approaches
  Cautions:
  • Does not prevent a single successful attack from being replicated widely
  • Requires some diversity for a layered, resilient defense

Least Privilege Access
  Key points:
  • Requires robust means of establishing and managing digital identities
  • Grants minimum access to systems or networks needed for business requirements
  Benefits:
  • Prevents unnecessary resource access
  • Mitigates the associated risks of resource misuse
  Cautions:
  • Requires sophisticated tools and processes for user privilege administration
  • Requires a greater financial investment

Layered Defense
  Key points:
  • Spans physical, technical, and administrative security measures
  • Limits risk by combining countermeasures
  Benefits:
  • Protects the enterprise with multiple forms of defense
  Cautions:
  • Makes networks more complex and expensive

Redundancy
  Key points:
  • Requires justification by business needs
  Benefits:
  • Enables networks to withstand failure of individual components
  • Enables networks to withstand successful attacks on individual components
  Cautions:
  • Makes networks more complex and expensive

Compartmentalization
  Key points:
  • Uses logical, not physical, compartments
  • Works with geographically dispersed systems
  • Facilitates layered defense and standardization; flexible and adaptable
  Benefits:
  • Defines access policies centrally and implements them at compartmental boundaries
  • Accepts changes in business structure and operations without requiring changes to the physical network
  • Contains security breaches to mitigate damage to the overall network
  Cautions:
  • Requires careful design
  • Requires increased cost and complexity with increasing number of compartments


Trusted Infrastructure


6.4. Securing Network Perimeters and Managing Network Access

Enterprises typically have a multi-level security structure. The first level is the perimeter of the corporate network. To reduce the threat of industrial espionage or deliberate sabotage, only employees, authorized contractors, or other business partners (via an extranet) are allowed access. Although this safety net is difficult to enforce entirely, it thwarts the attempts of casual attackers and creates an obstacle for sophisticated intruders. What does this mean for wireless implementations? First, the secured perimeter must be accessible to mobile devices. Second, information used to access the perimeter from mobile devices must be encrypted to ensure that it is not intercepted or falsified. Typically, the solution to both of these problems is a VPN.

The most sensitive applications need to maintain an additional level of security configuration that includes authentication, authorization, and auditing (AAA). Users with a business need for accessing the application must authenticate to the application first. Depending on their roles and responsibilities, users can have different authorization levels (read-only, modify, delete) or authorization to different subsets of data. A log preserves an audit trail of all actions requested and performed.

Organizations should consider these and other business needs when determining how to secure the network perimeter and manage network access. Key steps in this process include defining security requirements, designing the perimeter, determining access control techniques, and conducting ongoing evaluation and assessment.

6.4.1. Defining Security Requirements

Prioritizing assets in terms of their importance and vulnerability helps organizations identify security needs based on the requirements of the resources being protected.

The result is an informed decision as to the appropriate level of expenditure (both human and financial) for resource protection.

Outward-facing resources such as public web sites need to be accessible but also protected against intrusion. At the other end of the spectrum are resources such as financial systems and sensitive proprietary data that require the most restrictive controls. Occupying the middle ground are resources such as extranets or other sites made available to certain authorized external users (such as vendors, customers, or partners) under specific, well-defined circumstances.

An effective design presumes a solid understanding of the business model and goals and how they are instantiated throughout the enterprise in various systems and resources. Also required is a clear picture of which users and systems - internal and external - require specific access to each resource or compartment. Based on this analysis, which requires continual updating as the business and operating environments evolve, a picture of the threat environment emerges and drives the design of effective and appropriate perimeter controls.

6.4.2. Designing the Perimeter

Perimeter design should be based on a clear understanding of security requirements and the likely threats to resources. It must also include the ability to adapt as protected resources and the threat environment change. The concept of the network edge is subject to many interpretations, particularly in a complex business environment that constantly shifts in response to changes in external relationships (with vendors, customers, or partners). Regulatory compliance constraints can also be a factor as businesses move to a global platform and seek compliance with a variety of foreign regulatory environments.


More specifically, what type of access controls are called for at the perimeter? An example of a common challenge is an unauthorized wireless AP deployed by individual users or workgroups. With the advent of inexpensive and simple wireless gear available at the consumer level, any Ethernet jack becomes a potential unsecured entry point into the network. The devices' default configuration is usually set for unrestricted access, and most users do not know how to properly secure them. This is a prime example of why ongoing user training and awareness are critical. When users perceive a need for wireless access, they should understand enterprise policies and work with the IT department.

Compartmentalization is an architectural approach that is gaining wide acceptance for a network's security architecture implementation. It enables grouping of resources requiring similar levels of protection in such a way as to provide effective and efficient security management and monitoring. This is a key element in HP's Adaptive Network Architecture (ANA), which is described in more detail later in this chapter. Network compartmentalization lets organizations define multiple logical perimeters - each with its own security policies and security architecture - reflecting the specific requirements of the resources contained within each compartment.

Still, the first security measure in most enterprises is a perimeter defense. Enterprises have become very dependent on firewalls and other perimeter protection systems to safeguard their networks. Because it is difficult to secure all the systems in an enterprise and keep them secure, it is necessary to rely on the perimeter as the first line of defense.

Traditionally, firewalls have been mistakenly viewed as magic black boxes; enterprises tend to install firewalls and forget about them. Perimeter security planning and design should begin with risk assessment and consider perimeter defense strategies and standards such as defense-in-depth (layered defenses), trust zones, and hardened systems. Perimeter security implementation should encompass routers, dial-up modems, switches, wireless networking, firewalls, IDSs/IPSs, VPNs, and ongoing network security assessments.

6.4.3. Determining Access Control Techniques

With user devices such as notebooks, PDAs, and smartphones frequently leaving the known safe environment of the enterprise network for remote use, nothing can be assumed about the state of the device. Any device attempting to access the network must be confirmed safe or quarantined for remediation. Techniques for remediation often include evaluation and updates for OSs, applications, anti-virus software, anti-spyware software, and firewalls.

Access control decisions in a modern enterprise network must be more granular than a simplistic yes or no, permitted or denied. Assessing and remediating endpoint compliance is a key part of the system. Sound network design includes AAA capabilities, and none of the approaches for protecting and defending the network perimeter reduces the clear requirement to protect data where it resides. Even if unauthorized or ill-intentioned users gain network access, data protected where it resides remains safe from unauthorized access or tampering.

A device that is malicious by design or incorrectly configured can pose a substantial threat to an enterprise network. A good proactive security posture dictates that whenever a device attempts to connect to the network, there must be a decision about whether, and under what terms, to allow or deny access. In turn, this access decision must be enforced.

A multi-faceted system is an integral part of the overall network design. A variety of access technologies is available, and selecting the right one (or combination) for a particular environment and situation is essential. VPNs and wireless networking are two key technologies commonly used to manage access. For more information about VPNs and wireless access control technologies, see the Network Security section.

For policy enforcement, the organization needs to apply appropriate access control policies - often integrating authentication, authorization, and access control enforcement. Supporting policy enforcement is a policy decision engine, which evaluates the known attributes of a device, queries for more data as needed, and ultimately comes to an informed access decision.
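As an added illustration (not HP code and not part of the handbook), the following Python sketch shows what a policy decision engine of the kind described above does: it takes the device attributes already known, asks an endpoint agent for any that are missing, and returns a graded verdict (allow, quarantine for remediation, or deny) together with the reasons and the remediation list the endpoint would be handed. The attribute names, the thresholds and the simulated agent query are assumptions chosen for illustration.

```python
"""Toy network access control (NAC) policy decision engine.

Added example; not HP's product code. Attribute names, thresholds and
the simulated endpoint-agent query are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Decision(Enum):
    ALLOW = "allow"            # admit to the production network
    QUARANTINE = "quarantine"  # admit to the remediation VLAN only
    DENY = "deny"              # no network access at all


@dataclass
class Verdict:
    decision: Decision
    reasons: List[str] = field(default_factory=list)      # why the engine decided this
    remediation: List[str] = field(default_factory=list)  # what the endpoint must fix


# Thresholds in days (assumed values, not HP guidance).
MAX_AV_SIGNATURE_AGE = 7
MAX_OS_PATCH_AGE = 30

# Attributes the engine wants before it decides; missing ones are queried.
REQUIRED = ("managed", "av_signature_age_days", "os_patch_age_days", "firewall_enabled")


def decide(attrs: Dict[str, object],
           query: Optional[Callable[[str], Optional[object]]] = None) -> Verdict:
    """Evaluate known attributes, query for missing ones, return a verdict."""
    attrs = dict(attrs)  # never mutate the caller's inventory record

    # 1. Ask the endpoint agent (if one answers) for anything we do not know yet.
    for name in REQUIRED:
        if attrs.get(name) is None and query is not None:
            attrs[name] = query(name)

    # 2. A device whose management status cannot be established is not admitted.
    if attrs.get("managed") is None:
        return Verdict(Decision.DENY, ["cannot determine whether device is managed"])
    if attrs["managed"] is False:
        return Verdict(Decision.DENY, ["unmanaged device"])

    # 3. Compliance checks: each failure becomes a remediation item rather than
    #    an outright denial, so the device can be repaired on the quarantine VLAN.
    v = Verdict(Decision.ALLOW)
    av = attrs.get("av_signature_age_days")
    if av is None:
        v.remediation.append("install or report anti-virus agent")
    elif av > MAX_AV_SIGNATURE_AGE:
        v.remediation.append(f"update anti-virus signatures ({av} d old, limit {MAX_AV_SIGNATURE_AGE} d)")

    patch = attrs.get("os_patch_age_days")
    if patch is None:
        v.remediation.append("report OS patch level")
    elif patch > MAX_OS_PATCH_AGE:
        v.remediation.append(f"apply OS patches ({patch} d old, limit {MAX_OS_PATCH_AGE} d)")

    if attrs.get("firewall_enabled") is not True:
        v.remediation.append("enable host firewall")

    if v.remediation:
        v.decision = Decision.QUARANTINE
        v.reasons.append("endpoint not compliant")
    else:
        v.reasons.append("endpoint compliant")
    return v


# Constructed sample endpoints (not real inventory data).
SAMPLE_DEVICES = {
    "laptop-ok": {"managed": True, "av_signature_age_days": 1,
                  "os_patch_age_days": 10, "firewall_enabled": True},
    "laptop-stale": {"managed": True, "av_signature_age_days": 21,
                     "os_patch_age_days": 45, "firewall_enabled": False},
    "visitor-phone": {"managed": False},
    "laptop-silent": {"managed": True},  # agent reported nothing beyond identity
}


def simulated_agent_query(name: str) -> Optional[object]:
    """Stand-in for asking the endpoint agent; it only knows the firewall state."""
    return {"firewall_enabled": True}.get(name)


if __name__ == "__main__":
    for dev, attrs in SAMPLE_DEVICES.items():
        v = decide(attrs, simulated_agent_query)
        print(f"{dev:14} -> {v.decision.value:10} {v.reasons} {v.remediation}")
```

The enforcement point (switch, AP or VPN concentrator) would map the three verdicts onto VLAN assignments; the engine itself only decides and explains, which keeps the decision auditable.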

6.4.4. Conducting Ongoing Evaluation and Assessment

A process should be developed and implemented to measure the effectiveness of security solutions on a regular basis. This typically includes associated metrics for understanding the benefits to the organization derived from implementing the solutions and trends, as well as a process for developing strategies for improvement.


6.5. Securing Wireless Access

In many ways, wireless security is just like wired security and the issues are largely the same. Regardless of the medium, every system needs to safeguard proper authentication, privacy of transmission, prevention of viruses, and protection against DoS attacks. The differences arise from the fact that mobile devices and their transmissions over an unshielded medium (air) are inherently more vulnerable to impersonation, sabotage, and interception.

6.5.1. Securing Wireless Personal Area Networks (WPANs)

Bluetooth is a Wireless Personal Area Network (WPAN) technology intended primarily for cable replacement. It offers simple connectivity between a number of personal devices and corresponding peripherals, such as headsets, phones, printers, keyboards, and pointing devices. It also supports consumer electronics such as cameras and VCRs.

Weak protocols can represent a major area of security exposure. Poor stack implementations pose another. However, in the case of Bluetooth, most vulnerabilities stem at least partially from suboptimal device configuration. For example, the default settings of many phones can leave them susceptible to Bluejacking (unwanted messages disguised as business cards). And careless usage may even result in intercepted and manipulated data traffic.

One of the strengths of Bluetooth is that there are several different levels at which the user can specify connectivity options and balance the requirements of usability and security. However, this complexity can also pose a potential risk if users are not familiar with the implications of the settings.

The Bluetooth specifications contain many different security elements and their implementation can entail even more considerations. One logical way to compartmentalize the model is to look at it chronologically, by analyzing each step required to use and operate Bluetooth.

Hardware Selection: The first question to ask is whether a Bluetooth-enabled device is even needed and, if so, which device should be selected. The type of device will determine the set of services that might be relevant to it, both as a consumer and as a provider. But it will also impact the human-machine interface for configuring Bluetooth. So, for example, a peripheral such as a Bluetooth headset or GPS receiver has very limited options to set a PIN or configure refined levels of access.

Radio Activation: The second question to ask is whether Bluetooth is always needed. By turning the radio off when it isn't being used, it is possible to reduce the attack surface and conserve battery life.

Visibility: The fact that Bluetooth is active does not mean that other users and devices can see it. It may be necessary to make the device visible at times, but there is no need for general visibility.

Pairing: The pairing process precedes most active Bluetooth usage. It is necessary so that only devices that belong together can join together. Thus, it is important to be very careful while executing this procedure.

Authorization: After pairing, the user may still want an active approval of each connection request. This can be tedious but does provide an additional level of security.

Service Configuration: Even paired devices may not need access to all the services available on a particular device. The user may be able to decide which are required and which are not, as well as what security to enforce on each of the services.

In order to ensure a secure deployment of Bluetooth, it is important to evaluate all levels of operation systematically.

6.5.2. Securing Wireless Local Area Networks (WLANs)

There are three acceptable ways to secure Wireless Local Area Networks (WLANs) today: WiFi Protected Access (WPA), VPN with IP security (IPsec), and network access control. Another alternative is to leave wireless access points entirely open and unsecured, but place them outside the perimeter (firewall) of the network. This enables use by vendors and visitors who need wireless access, for example.

6.5.2.1. WiFi Protected Access (WPA)

WPA provides acceptable security using either a Pre-Shared Key (PSK) or, in conjunction with the 802.1x protocol, the Remote Authentication Dial-in User Service (RADIUS). For enterprises, the 802.1x protocol is advisable because PSK management does not scale easily or provide user-based authentication.

The advantages of this approach are that it involves the least infrastructure and is most efficient in bandwidth. The disadvantage is that all the Network Interface Cards (NICs) and access points (APs) must support WPA. Large implementations may therefore experience significant costs for upgrading and replacing equipment.


6.5.2.2. Virtual Private Network (VPN)

VPNs enable organizations to use the public Internet for secure communications. VPNs provide authentication, confidentiality, and message integrity services that enable organizations to trust information sent over the Internet. The VPN Consortium (VPNC; www.vpnc.org), an international trade organization for manufacturers in the VPN market, specifies three VPN technologies:

• IPsec with encryption in either tunnel or transport mode
• IPsec over Layer 2 Tunneling Protocol (L2TP)
• Secure Sockets Layer (SSL) 3.0 or Transport Layer Security (TLS) with encryption

Wireless connectivity can be protected with a VPN. With this technique, all WiFi APs must be placed in a virtual local area network (VLAN) that terminates at a VPN concentrator. Users must authenticate to the VPN to access the network, which also ensures that the content is encrypted. The benefit of a VPN is that it is a proven technology that works with all NICs and APs. The disadvantage is that it adds about 30% of overhead onto the data being transmitted, which constrains air traffic in environments limited by capacity. In addition, the network must be configured to use VLANs and a VPN concentrator must be available.

6.5.2.3. Network Layer Access Control

The 802.1x protocol provides a limited form of network access control: to gain access to a network, the user must successfully authenticate. However, no other controls limit user authorization. To address the need for refined access control, new appliance products are appearing in the market. They are known as role-based access controls (RBACs), network access controls, or simply wireless switches.

These appliances require the user to start a browser session before accessing the network. A switch redirects the browser to an authentication page and typically authenticates to a RADIUS server. In addition to simply allowing or rejecting access, they can constrain access based on any combination of time of day, user group, location (VLAN), target subnet, and target application. For example, employees in the finance department may be allowed to access the payroll system from their offices at any time. From the lobby, access to the payroll system could be restricted to office hours and access to e-mail could be allowed at any time.

Beyond the virtually unlimited combination of access control rules, these products can offer enhanced services such as bandwidth throttling and over-the-air encryption. They are similar to a VPN. In some respects, they are a VPN superset because a VPN client operates between the client and the switch. Network access control is NIC/AP independent but requires dedicated equipment, which can be expensive. It is ideal in environments with highly diverse user groups for limiting access to the resources and applications that each group needs. Some of the main customer segments include educational institutions and airports. Universities have diverse needs for groups such as professors, administrators, students, visiting professors, and guests. Airports have diverse needs for venue operators, passengers, airlines, airport security, and baggage handling.
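The finance-department example above can be written down as a small rule set. The Python evaluator below is an added example, not code from any product the handbook describes; the VLAN names, subnets, application labels and office hours are constructed for illustration. Rules are matched in order on user group, arriving VLAN, target subnet, target application and time window, and a request that no rule permits is denied, which is the default-deny behaviour such an appliance should have.

```python
"""Toy role- and context-based access rule evaluator.

Added example, not HP or vendor code. VLAN names, subnets, application
labels and office hours are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    group: str                                 # user group learned at RADIUS authentication
    location: str                              # VLAN the request arrives on
    target: str                                # target subnet in CIDR notation
    app: Optional[str] = None                  # target application label; None = any
    hours: Optional[Tuple[time, time]] = None  # permitted window; None = any time
    action: str = "allow"


@dataclass(frozen=True)
class Request:
    group: str
    location: str
    dst_ip: str
    app: str
    when: time


OFFICE_HOURS = (time(8, 0), time(18, 0))   # assumed office hours

# Constructed rule set mirroring the handbook's finance-department example:
# payroll from the office at any time, payroll from the lobby only during
# office hours, e-mail from the lobby at any time.
RULES: List[Rule] = [
    Rule("finance", "office-vlan", "10.10.5.0/24", "payroll"),
    Rule("finance", "lobby-vlan", "10.10.5.0/24", "payroll", OFFICE_HOURS),
    Rule("finance", "lobby-vlan", "10.10.9.0/24", "email"),
]


def _in_window(when: time, window: Optional[Tuple[time, time]]) -> bool:
    """True when no window is set or the time of day falls inside it."""
    if window is None:
        return True
    start, end = window
    return start <= when <= end


def evaluate(req: Request, rules: List[Rule] = RULES) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; with no match the request is denied."""
    dst = ip_address(req.dst_ip)
    for r in rules:
        if r.group != req.group or r.location != req.location:
            continue
        if dst not in ip_network(r.target):
            continue
        if r.app is not None and r.app != req.app:
            continue
        if not _in_window(req.when, r.hours):
            continue
        return r.action, r
    return "deny", None


if __name__ == "__main__":
    # Constructed requests exercising each branch of the example policy.
    for req in (
        Request("finance", "office-vlan", "10.10.5.20", "payroll", time(23, 0)),
        Request("finance", "lobby-vlan", "10.10.5.20", "payroll", time(23, 0)),
        Request("finance", "lobby-vlan", "10.10.5.20", "payroll", time(10, 0)),
        Request("finance", "lobby-vlan", "10.10.9.3", "email", time(23, 0)),
        Request("engineering", "office-vlan", "10.10.5.20", "payroll", time(10, 0)),
    ):
        action, matched = evaluate(req)
        print(f"{req.group:12} {req.location:12} {req.app:8} {req.when} -> {action}")
```

Keeping the matched rule in the result matters operationally: the appliance's log can then record which rule granted or (by absence) denied access, which is what an audit trail needs.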


Table 4-3
Wireless LAN security methods

WiFi Protected Access (WPA)
  Advantages:
  • Little additional infrastructure
  • Efficient bandwidth
  Disadvantages:
  • NICs and APs need to support WPA (adds cost to upgrade and replace equipment)

VPN (IPsec)
  Advantages:
  • Proven technology
  • Works with all NICs and APs
  Disadvantages:
  • Adds 30% overhead
  • Can constrain air traffic

Network access control
  Advantages:
  • NIC/AP independent
  • Ideal for highly diverse sets of users
  Disadvantages:
  • Requires dedicated equipment (adds cost)


6.5.2.4. Wireless Wide Area Networks (WWANs)

Today's Wireless Wide Area Networks (WWANs) include security provisions that are enforced by mobile terminals and base stations. Current examples of WWANs include Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), High-Speed Downlink Packet Access (HSDPA), IS-95 Code Division Multiple Access (CDMA), IS-136 Time Division Multiple Access (TDMA), and Single Carrier Radio Transmission Technology (1xRTT).

Although encryption algorithms provide an effective barrier to the vast majority of attackers, it is important to realize that they, like virtually all other encryption methods, are not uncrackable. Both the CDMA and GSM algorithms are reported to have been cracked. The value of the protection does not lie in providing a completely secure environment for sensitive transactions. Instead, it offers an obstacle so that monitoring and interception of random or bulk transmissions is simply not cost-effective or easy for a casual or unsophisticated attacker.

WWAN security is important for service providers and consumers. Most enterprises do not rely on native WWAN security since their requirements mandate end-to-end security. Instead, they overlay the network with a VPN or SSL connection that provides the needed authentication and encryption and thereby shields them from any vulnerabilities in the air interface.

6.5.2.5. Unauthorized Wireless Bridging

The problem of unauthorized wireless bridging (illustrated in Figure 4-7) is simple. A PC with two network interfaces connects one interface to the private LAN and the other interface to a public network. The fact that the device is simultaneously connected to both networks is not inherently a security risk. However, it does become one if the user bridges the connection, for example through Internet Connection Sharing (ICS).

In practical terms, bridging might be carried out by a laptop user with a Wireless Wide Area Network card (e.g. GPRS or 1xRTT). The user might have legitimate reasons for sharing the WWAN connection to the LAN, for example, for home use. However, in the office, the operation will create a disruption at minimum and can potentially provide unlimited network access to hostile intruders.

Figure 4-7
Unauthorized wireless bridge
[Figure not reproduced in this extract; it shows a PC bridging the Private LAN and the Public Network.]


6.6. IPv6 Security

The Internet Protocol version 4 (IPv4) is the foundation of the vast majority of today's networks. Any change in this base protocol has serious consequences for all computerized applications and infrastructure.

The initial proposal to overhaul IPv4 was based on the expectation that IPv4 addresses would soon be exhausted. While that specific risk was temporarily deferred through Network Address Translation (NAT), IPv4's successor IPv6 has differentiated itself through some additional technical advantages that provide a powerful foundation for the creation of new and improved net-centric products and services:

• Scalability - larger address space
• Mobility - seamless roaming
• Administration - auto-configuration for network resources, renumbering of addresses
• Robustness - extensibility, and more

The need for new functionality will probably drive only a limited number of companies to IPv6 in the short term. Some users will find they have no choice, as they will find it increasingly difficult to obtain additional IPv4 address space. For more information, see the warning from the American Registry for Internet Numbers (ARIN) at www.arin.net/announcements/20070521.html.

Others may need specific IPv6 enhancements for specialized applications like mobility. For most enterprises, the return on investment at this point is not yet compelling. They are, however, increasingly concerned about security. IPv6 is enabled by default with many Linux distributions as well as with Microsoft Windows Vista and Microsoft Windows Server 2008, which means that most enterprises are able to deploy some IPv6 technology today. If not carefully monitored and managed, rogue deployments can lead to devastating security breaches. The only way to address these threats is to develop a comprehensive security architecture that includes proactively monitoring any IPv6 network activity.


Additional developments that indicate the imminent adoption of IPv6 across the industry include:

• A U.S. White House directive (www.whitehouse.gov/omb/memoranda/fy2005/m05-22.pdf) states that "all agency infrastructures (network backbones) must be using IPv6 and agency networks must interface with this infrastructure" by June 2008. Outside the U.S., many government agencies across Europe and Asia now have similar directives which are forcing a ramp-up to IPv6.
• Mobile phone operators are deploying new technologies like third generation data networks or the IP Multimedia Subsystem (IMS), which require IPv6 in the core network.
• The European Space Agency (ESA) has declared its support of IPv6.
• The Japanese Intelligent Transport System (ITS) project supports IPv6, and the European Car2Car consortium has recommended exclusive use of IPv6 for future Car2Car applications.
• The Digital Video Broadcasting (DVB-S) consortium has decided to move to IPv6.
• The Chinese Government has created and financially supports CNGI, an IPv6 backbone network designed to be the core of China's Internet infrastructure.
• CENELEC has opted for IPv6 for the Smart home concept.

As we prepare for the eventual deployment of IPv6, we must ensure this transition receives a systematic security assessment.

Fortunately, security has always been one of the highest priorities of the IPv6 architects. Its protocols are regularly scrutinized for any oversight that could jeopardize a wide-scale deployment, whether from risks related to confidentiality, integrity or even availability.

However, this is not sufficient. Every new technology brings with it new usage models, product portfolios and administrative requirements. The onus is therefore on every security architect to understand the security ramifications of emerging technologies and develop a plan that applies existing policies to the new requirements, or indeed updates the policies to reflect new demands and usage models.


6.6.1. Network Address Translation

One of the primary benefits of IPv6 is an enormous address space that can potentially remove the requirement for any Network Address Translation (NAT). The original purpose of NAT was to permit address growth beyond the range for which a company or service provider was able to acquire an allocation. This requirement grew acute in the 1990s when it became apparent that the IPv4 address space would not be able to cope with the full set of network nodes that would eventually connect to the Internet.

In the meantime, many have also come to see NAT as a form of security, since it provides a control mechanism for incoming data, hides internal topologies and prevents direct connectivity between internal and external systems. In a small or home office environment, a NAT router may act as a simple firewall, and in fact, NAT and firewall functionality are often combined on consumer gateways.

If IPv6 renders NAT unnecessary, it would be easy to conclude that IPv6 weakens security. However, there are some logical counterarguments that address this concern:

• IPv6 removes the requirement for NAT and the IPv6 community discourages its use, but it is still technically possible to use NAT on IPv6. IPv6 has no provision for universal private address space (RFC 1918), but there is no need since there is sufficient routable private address space.
• Any commercial firewall can enforce the same restrictions as a NAT appliance and can provide much more refined access controls in a flexible and secure manner. The Internet-Draft "IPv6 Network Architecture Protection" offers a complete comparison of the two approaches.
• Devices/appliances which perform NAT functions are often bundled with other functionality like firewalls and routing. The removal of NAT does not impact any of these functions.
• The focus in enterprise security is moving from the edge to other areas of the network. This does not mean that we can ever ignore the perimeter - it is still a critical ingredient of any multi-tiered defense. Nevertheless, comprehensive safeguards at other policy enforcement points allow more flexibility in balancing usability, cost, manageability and security at any given level.

In a compartmentalized network such as HP's Adaptive Network Architecture, or even a traditional DMZ, the notion of a single perimeter is weaker. There are many perimeters, and an attack from the hostile Internet will need to break through more than one of them to gain access to many assets. NAT adds substantial administrative complexity to such architectures, and the simplification provided by the unified, transparent IPv6 address space provides operational reliability benefits that outweigh the security benefits of NAT, as long as the "deny unless explicitly permitted" default firewall rule is enforced. NAT makes this rule technically difficult to defeat, which is a benefit in organizations with weak security management which may be swayed by business pressures to put expediency ahead of security.

6.6.2. Increased Address Space

One of the best-known benefits of IPv6 is its increased address length of 128 bits, with the mathematical implication of an exponentially larger address space. This poses an insurmountable problem for many scanning tools. If the allocation is sparse and random, then it is virtually impossible for a sequential or random probe of addresses to return a useful number of hits.

While this obstacle to scanning is generally a positive development, it is important to note that it can also provide a challenge for legitimate tools. System and network administrators may currently work with tools that scan the network for inventory purposes, to detect malicious activity and even to patch systems.

They must also resort to other techniques, but their task is considerably easier than that of an intruder. Authorized administrators can obtain valid IP addresses from many network components such as routers and DHCP servers. Nonetheless, this is an item that should not be ignored as the planning for IPv6 begins.
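To put the "sparse and random" argument above in numbers, here is an added worked estimate (not part of the handbook). Suppose $N$ hosts are assigned interface identifiers uniformly at random within a single /64 subnet, which has $2^{64}$ possible addresses, and a scanner can probe $r$ addresses per second. Each probe hits an occupied address with probability

$$p = \frac{N}{2^{64}},$$

so the expected number of probes before the first hit, and the time that takes, are

$$E[\text{probes}] = \frac{1}{p} = \frac{2^{64}}{N}, \qquad T = \frac{2^{64}}{N\,r}.$$

With an assumed $N = 10^{3}$ hosts and $r = 10^{6}$ probes per second:

$$T = \frac{1.8 \times 10^{19}}{10^{3} \cdot 10^{6}} \approx 1.8 \times 10^{10}\ \text{s} \approx 580\ \text{years},$$

whereas sweeping every address of an IPv4 /16 (65,536 addresses) at the same rate takes well under a second. The estimate depends entirely on the randomness assumption: hosts numbered sequentially, or using interface identifiers derived from a hardware address, occupy a far smaller and more predictable part of the /64, which is why randomized interface identifiers (for example RFC 4941 privacy addresses) matter for preserving this property.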


6.6.3. Hacker ToolsAs IPv6 is coming into the mainstream, nobodywould expect the hackers to be far behind. But per-haps they are actually ahead of most securitydepartments. As described in “Security Implicationsof IPv6” by Michael Warfield, underground sitesoffer many IPv6-enhanced versions of old tools, suchas halfscan6, netcat6, NMAP, Ethereal, Snort andTCPDump. They also host a number of protocolbouncers such as relay6, 6tunnel, nt6tunnel, andasybo that can relay and redirect connectionsbetween the two protocols, obscuring traceability.

6to4DDos is a distributed denial-of-service attackthat leverages 6to4 tunneling to destabilize bothIPv4 and IPv6 sites.

6.6.4. TransitionTransitions are always points of vulnerability.Multiple protocols are running on the network there-by increasing the exposure. IT has a double man-agement load and a new technology to work withmaking the chance of human error greater. But thereis no way to progress without transitions, so the bestwe can do is to identify the risks and try to addressthem.

One essential first step is to ensure that all of ourcurrent security policies and tools will continue towork in a transitional environment. The means thatall our firewalls, proxies, intrusion detection systems,anti-virus scanners and network management soft-ware must be IPv6-compliant. Fortunately, most ofthe products in these categories have included IPv6support. However, a prepared IT department mustmake a systematic check for the full feature set ofeach component.

The second major area of concern is around thetransition mechanisms. There are many options,including 6to4, ISATAP, Teredo, configured tunnels,MPLS, GRE and DSTM. There isn't always unani-mous agreement, because the security mechanismsare often one of the areas in which the drafts arechanging most frequently.

Before considering even a pilot implementation, it isabsolutely essential that the network security architectdiligently assesses the options and ensure that theyare functional and do not represent a risk in theparticular environment. This may include checkingfirewall compatibility, authentication mechanisms,availability (redundancy and failover) and even thecomplexity of the solution.

Perhaps the most important consideration withregard to transition mechanisms is that they allowusers to begin deployment of IPv6 ahead of their ITdepartment. Almost anyone can easily begin toexperiment with IPv6 by typing in a short line at thecommand prompt. In most cases, this activity will beconfined to the local area network, and even thoughnot centrally monitored, is fairly innocuous.

However, with many of the transition mechanisms being enabled by default, this danger is becoming more pronounced. It is no longer a safe assumption that the connectivity is limited to the LAN. It is quite feasible that such users will establish a connection to a public IPv6 network and potentially even draw legitimate users through their tunnel.
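The practical check that follows from this is to find tunnelled IPv6 addresses on your own network, since each one encodes the IPv4 endpoint it is reachable through. This added example (not code from the handbook) classifies observed IPv6 addresses as 6to4, Teredo or ISATAP from their well-known prefixes and interface-ID layout and extracts that embedded IPv4 address; the sample addresses are constructed.

```python
"""Spot IPv6 transition-mechanism addresses in observed traffic.

Added example for the transition discussion above; it is not code from the
HP Security Handbook. Only the Python standard library is used. The
addresses below are constructed samples (documentation-range values).
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056: 2002:<IPv4>::/48
TEREDO = ipaddress.IPv6Network("2001::/32")       # RFC 4380: 2001:0:<server>:...
ISATAP_MARK = 0x00005EFE                           # RFC 5214 interface-ID marker


def classify(addr_str):
    """Return (mechanism, embedded_ipv4) for one IPv6 address.

    mechanism is "6to4", "teredo", "isatap", "link-local" or "native";
    embedded_ipv4 is the IPv4 address the mechanism encodes (the 6to4 tunnel
    endpoint, the Teredo client's public address, or the ISATAP host), or
    None when there is none.
    """
    addr = ipaddress.IPv6Address(addr_str)
    n = int(addr)
    if addr in SIX_TO_FOUR:
        # bits 111..80 (right after the 2002: prefix) hold the IPv4 endpoint
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if addr in TEREDO:
        # low 32 bits are the client's public IPv4, stored inverted (XOR all-ones)
        return "teredo", str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))
    iid = n & ((1 << 64) - 1)
    # ISATAP: interface ID is 0000:5EFE:<IPv4> or 0200:5EFE:<IPv4> (u/l bit set)
    if ((iid >> 32) & 0xFDFFFFFF) == ISATAP_MARK:
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    if addr.is_link_local:
        return "link-local", None
    return "native", None


def tunnel_report(observed):
    """Summarise a list of observed IPv6 addresses.

    Returns {mechanism: [(address, embedded_ipv4), ...]} containing only the
    tunnelled mechanisms, i.e. the addresses that can reach a public IPv6
    network over an IPv4 path the IPv4 perimeter may not be inspecting.
    """
    report = {}
    for a in observed:
        mech, v4 = classify(a)
        if mech in ("6to4", "teredo", "isatap"):
            report.setdefault(mech, []).append((a, v4))
    return report


# Constructed sample of addresses seen in a neighbour table or flow export
SAMPLE = [
    "2002:c000:204::1",                        # 6to4, endpoint 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",    # Teredo (RFC 4380 example)
    "2001:db8::5efe:c000:221",                 # ISATAP host 192.0.2.33
    "2001:db8::10",                            # native global address
    "fe80::1",                                 # link-local only
]

if __name__ == "__main__":
    for mech, entries in sorted(tunnel_report(SAMPLE).items()):
        for addr, v4 in entries:
            print(f"{mech:8} {addr:40} via IPv4 {v4}")
```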

6.7. Best Practices for Secure Networks

6.7.1. Management

Management best practices for secure networks include well-defined and enforced policies, standards, user training, procedures, standard locked-down baseline configurations, and guidelines. Other areas of concern are extranet user agreements and the proper handling of worker termination. Specific engagements such as security reviews, risk and vulnerability assessments, and incident and event management must also conform to industry best practices. A good reference for security management practices is the "Information Security Management Handbook", by Harold F. Tipton and Micki Krause, Auerbach Publications, 5th Edition 2004, ISBN 0-8493-1997-8.

6.7.2. Operations Security

A trusted infrastructure depends on operational continuity and sustainability. This requires a consistent approach. Best practices are important for selecting and deploying infrastructure components and ensuring sufficient capacity to establish a robust, scalable, and highly available infrastructure. Operational sustainability also provides common supporting operations for backup, disaster recovery, replication, and business continuity.

Operations security represents the controls and safeguards that secure an enterprise's information assets on a computer or linked with the computer environment. Security controls address software, hardware, and processes. As the core component of information security, operations security controls the way data is accessed and processed, and it represents a set of controls designed to provide effective levels of security.


Operations security provides consistency across all applications and processes. It includes protection of physical assets, such as computing equipment, networks, and media. Operations security also includes resource protection, accountability access and use, and audit trails.

• Resource protection prevents the loss or compromise of an enterprise's computing resources, including main storage, storage media, communications software and hardware, processing equipment, standalone computers, mobile devices (as appropriate), and printers. Resource protection helps reduce potential damage from unauthorized disclosure and alteration of data by limiting opportunities for misuse.
• Accountability access and use ensures access for a specific authenticated and authorized individual user or system at a particular moment in time, and it tracks access and use to that individual or system.
• Audit trails track activity to specific individuals or systems to determine accountability and responsibility.

Operations controls for protecting resources require accountability and responsibility for all of those involved in developing, maintaining, and utilizing processing resources.

6.7.3. Physical Security

Physical security consists of controlling access to physical assets such as buildings, computers, and documents. Such assets can hold sensitive information and provide access to networked resources. Enterprises implementing physical security must plan the appropriate level of security for and access to site locations, buildings, computer rooms, and data centers. Managing and monitoring these facilities is a major component of physical security. To address physical security needs, enterprises must define:

• Best practices for the management and monitoring of physical facilities
• Mechanisms for protecting removable media and offline data storage
• Methods of securely labeling and protecting confidential documents

6.7.4. Firewalls

Firewalls secure network perimeters, workgroups, and hosts. They can be configured to block unauthorized incoming and outgoing traffic, conceal system identities and network topologies, log traffic, and log events of interest. Some firewalls have routing capabilities to direct incoming traffic appropriately, and some firewalls are used to authenticate network users. However, firewalls cannot defend against attacks that do not use the network or that use it in an authorized fashion, for example an internal attack or malicious code downloaded from the Internet.

Firewalls can operate on a variety of platforms, including general-purpose servers, dedicated appliances, and desktop computers. The OSs of general-purpose servers must be carefully hardened to provide a secure environment for the firewall. This hardening process generally involves setting system parameters and disabling unnecessary system services. This process is not necessary for appliance-based firewalls, which come with their own vendor-configured and supported hardware. Desktop firewalls control traffic to and from the host upon which they reside, and they are installed directly on the desktop computer.

There are several different types of firewalls, including packet filters, circuit-level gateways, stateful packet inspection firewalls, and application proxy servers. They use different techniques to determine whether traffic should be allowed or blocked, and they operate at different layers of the Open Systems Interconnection (OSI) standard reference model set forth by the International Organization for Standardization (ISO), as noted in Table 4-4. For details about these firewall types, refer to Appendix B.


Table 4-4 Types of firewalls and OSI layers of operation

Type                                   Layer of operation (OSI model)
Packet filters                         Network
Circuit-level gateways                 Session
Stateful packet inspection firewalls   Network, transport, potentially others
Application proxy servers              Application


6.7.5. Network Architecture and Compartmentalization

Network compartmentalization is a fundamental design principle - a best practice for architecting networks to protect assets in accordance with key business drivers. Compartments are not necessarily based on physical location. Rather, they are logical groupings of assets that require similar levels of protection, regardless of location. Because it enables centralized management, compartmentalization greatly improves staff resource efficiency and promotes rapid and effective responses to security incidents.

Compartmentalization is accomplished by assigning an IP address space to each logical compartment, providing technological and geographical transparency. Access Control Lists (ACLs) and firewall rules (collectively known as policies) can be applied broadly to the compartment, rather than managed individually across the enterprise. In some cases, the same security policy applies to multiple IP address spaces at geographically different locations. This is known as a policy domain.

In time, the IP address of each network device determines its membership in a specific policy domain. Network traffic from and to a device is treated according to its domain's policy. HP's ANA, which is covered in more detail later in this chapter, supports this approach. Appendix A contains a more detailed description of compartmentalization.
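An added example of the compartment and policy-domain model described above (not HP's ANA code): IP address spaces are mapped to compartments, each policy is attached to a compartment rather than to a site, and extending a policy domain to a new location adds an address space without adding rules. Compartment names, address ranges and rules are constructed for the example.

```python
"""Compartment membership and policy-domain evaluation by IP address.

Added example illustrating the compartmentalization model described above;
it is not HP's ANA implementation. Compartments, address spaces and rules
are constructed for the example.
"""
import ipaddress

# A compartment is a logical grouping of assets with similar protection needs.
# Each compartment owns one or more IP address spaces; when the same policy
# covers address spaces at different sites, that set is a policy domain.
COMPARTMENTS = {
    "finance":    ["10.10.0.0/16", "10.20.0.0/16"],   # two sites, one policy domain
    "datacenter": ["10.200.0.0/16"],
    "guest":      ["192.168.100.0/24"],
}

# Policy per destination compartment: (source compartment, protocol, port, action).
# "*" matches anything; rules are evaluated in order, and the default is deny.
POLICIES = {
    "datacenter": [
        ("finance", "tcp", 443, "allow"),
        ("finance", "tcp", 1433, "allow"),
        ("*", "icmp", "*", "allow"),          # any known compartment may ping
    ],
    "finance": [
        ("finance", "*", "*", "allow"),       # intra-compartment traffic
        ("datacenter", "tcp", 445, "allow"),
    ],
    "guest": [],                               # guests are never a destination
}

_NETS = [(ipaddress.ip_network(cidr), name)
         for name, cidrs in COMPARTMENTS.items() for cidr in cidrs]


def compartment_of(ip):
    """Map a device address to its compartment ("unknown" if unassigned)."""
    addr = ipaddress.ip_address(ip)
    for net, name in _NETS:
        if addr in net:
            return name
    return "unknown"


def decide(src_ip, dst_ip, proto, port):
    """Apply the destination compartment's policy to one flow.

    Because the policy is attached to the compartment, a finance host at
    either site gets the same answer without per-site rules.
    """
    src = compartment_of(src_ip)
    dst = compartment_of(dst_ip)
    if src == "unknown" or dst == "unknown":
        return "deny"                          # unassigned space is not trusted
    for rule_src, rule_proto, rule_port, action in POLICIES.get(dst, []):
        if rule_src not in ("*", src):
            continue
        if rule_proto not in ("*", proto):
            continue
        if rule_port not in ("*", port):
            continue
        return action
    return "deny"                              # default deny


def add_site(compartment, cidr):
    """Extend a policy domain to a new location: one address space, no new rules."""
    COMPARTMENTS.setdefault(compartment, []).append(cidr)
    _NETS.append((ipaddress.ip_network(cidr), compartment))
```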

6.7.6. Authentication, Authorization, and Auditing (AAA) Servers

Triple-A (AAA) servers authenticate network users, authorize them to use particular network resources, and account for their network usage. They provide a central control point for external network access, and they work with various types of network access servers that interact with users and collect their credentials. AAA servers are mentioned here because network access is a key element of a trusted infrastructure. The Identity Management chapter (Chapter 3) of this handbook provides further details about AAA technology. See Appendix C for a summary of AAA protocols.

6.7.7. Network Access Control (NAC)

NAC is primarily a network security element, intended to protect the network and its resources from harmful users and systems/devices. NAC controls and restricts access to network resources based on certain criteria and business policies. In its most basic form, NAC allows a network administrator to restrict network access to authorized users and/or devices. However, many organizations have the need to provide, or can benefit from providing, different levels of access depending on the role of the user.

For example, employees have access to internal network resources and the Internet while guest users are only provided access to the external Internet. There is also a need for protection from malicious software, which is accomplished by evaluating the health or security posture of devices connecting to the network. The required posture is defined by organizational policies and is based on checking for things such as operating system version, patches, security software (anti-virus, anti-spam, firewalls, etc.), security settings on common software installations, or other required or prohibited software. NAC goals can be further complicated by the fact that today's network is often comprised of network access requests from devices that are not under direct organizational control, such as contractor and guest laptops. Furthermore, the need to understand and comply with regulatory agencies and company policies alike drives a need for the organization to seek solutions that meet this goal, often with fewer resources than ever before.

Critically, NAC is not an isolated security solution, but is part of a layered security, or Defense in Depth, approach to protecting your organization's information technology assets. The challenge of effectively controlling access to the network as part of an overall network security architecture based on business environments and goals emphasizes the importance of HP's extensive and proven strengths in this area. The key is not simply to understand the various components in isolation, but to know how best to combine and apply them to meet business needs. A primary goal of network access control technology is providing a mechanism for deciding whether to allow or deny access based upon endpoint compliance with relevant configuration guidelines and business security policies.

Complete NAC solutions incorporate appropriate endpoint, edge, core, LAN and WAN controls. NAC also provides mechanisms to quarantine and remediate non-compliant devices to allow them appropriate access to network resources. A managed endpoint is any device that connects to the network, is subject to compliance with security policies, and is under administrative control. An unmanaged endpoint is any device that connects to a network and is subject to compliance with security policies but is not under an organization's direct control (e.g. a contractor computer, guest user, or other). An Endpoint Policy is a collection of tests, or criteria, used to evaluate the integrity of an endpoint device attempting to access the network.


There are two primary models for NAC implementations: pre-connect NAC and post-connect NAC. Implementations may utilize hybrids of these two.

• Pre-connect NAC refers to network access control where the testing of the device to ensure compliance with network access policies is done prior to the device being granted regular access on the network. A similar term used in the industry is "pre-admission".
• Post-connect NAC is network access control where validation and monitoring of the endpoint continues after access to the organization's network has been granted. A similar term used in the industry is "post-admission".

Although NAC is about controlling access to the organization's network, control should not stop after pre-connect checks. Even a healthy endpoint with a known and trusted user has the potential to cause consequences once on the network. This drives the need for a more complete NAC solution that provides post-connect NAC validation and monitoring.

Figure 4-8 depicts an overview of network access management components. When a device attempts to connect to the network, via a wired jack, a wireless AP, or a remote access service, a policy enforcement point (PEP) allows or denies access. The ultimate access decision is made by a policy decision point (PDP), which consults the relevant enterprise policies to make an informed and correct access decision. A policy repository houses the policies and rules consulted by the PDP. In addition, the process generally includes an endpoint assessment step to determine the health of the system attempting access. If the device attempting access is deemed unhealthy or unauthorized, it can be routed to a special quarantine area separate from the enterprise network.

Once a user or device is permitted to attach to the network, policies based on the user or device identity and/or role determine the level of access; for example, authorized vendor A is permitted access to systems x, y, and z within a defined time window.

6.7.7.1. Policy Decision Point (PDP)

Enabling effective access policy decisions can require collecting a variety of data and policies that are spread among numerous systems across the enterprise. An important aspect to consider is the identity of the user or process generating the access request, for example:

• Is the user or process known or unknown to the enterprise?
• If known, what privileges are associated with this user identity or process?
• If unknown, what if anything can be deduced from the context or other attributes associated with this entity?

Figure 4-8 Network access management: logical view

[Figure: a User/Client Device or Remote User connects at a Network Access Point (wired jack or wireless AP) on the Network Perimeter. The Policy Enforcement Point (PEP) asks "Connect? Assess?" of the Policy Decision Point (PDP), which consults the Policy Repository and returns Allow/Deny/Redirect based on a Compliant Yes/No result. The outcomes are Full Access to the Enterprise Network or Redirect into the Quarantine/Remediation Area.]


Even when the user associated with the device is known (successfully authenticated) and authorized to access the entire network or specific hosts or services, a separate evaluation of the device is necessary. Evaluation can include various attributes of the device, determined through endpoint assessment, such as:

• Device type: Computer, OS, PDA, any VOIP device, smartphone, or other?
• Registered or known device: Is the device known from past encounters or does it have a registered device identity?
• Resource access policy: If authentication of the device is possible, does the use of this device meet the policy for access to the requested resource?
• OS and application updates: Are the following items verifiably up to date?
  • OS and application patches
  • Anti-virus software and definitions
  • Anti-spyware software and definitions
  • Device (personal) firewall

6.7.7.2. Policy Enforcement Point (PEP)

Once the PDP reaches an access decision, the resource to which the device is attempting to connect enforces the decision at the network level. If a device and user are known and authorized to connect to the network, the PEP checks for restrictions on the access. Restrictions can include:

• Access valid until a certain time/date
• Access limited to certain network zones or compartments
• Access limited to specific resources

6.7.7.3. NAC Deployment Options

A good NAC implementation will utilize pre-authorization checks against security policy in order to protect the network from harmful systems. The following enforcement modes are common methods for deploying NAC and can be used together to provide complete access control coverage across the network:

• Endpoint Enforcement: Using endpoint enforcement entails having an agent deployed on the endpoint making decisions based on policies it has been given, before the device or user is allowed to connect. While appealing from a management standpoint, this is not necessarily true NAC as the environment must fully trust the endpoint anyway.

• Edge Enforcement: Using a combination of either 802.1x, SNMP or CLI to control switches, or through a VPN gateway, edge enforcement based NAC is often the most efficient and effective enforcement method and is recommended for environments with devices. 802.1x is an increasingly common method used to authenticate devices that are connecting to the network.

In this mode, users and devices are usually, but not always, authenticated using RADIUS. Endpoints are isolated so they can be tested for security policies. Then, they are either allowed to join the network, or are put in a remediation network so the user can resolve the security settings that have caused the isolation.

• DHCP Enforcement: NAC solutions can integrate with an organization's DHCP servers to isolate and test endpoints. As endpoints request a network address, they are isolated by their network address so they can be tested for compliance with security policies. If they comply, they are provided with a new network address and allowed to participate on the network. If they fail, they are placed into a remediation network so the user can resolve the security settings that have caused the isolation. This method is useful for environments where 802.1x is not available because it is not supported by the network infrastructure.

• Inline Enforcement: In this mode, NAC solutions are placed inline with network traffic and actively filter new connections until they are tested for compliance with the security policies. This is an effective solution for testing endpoints that connect remotely through a VPN concentrator.

• Out-of-band Enforcement: In this mode, NAC solutions are placed deeper in the network, either at concentration points or often in the data center itself. An out-of-band solution monitors traffic on switches to determine if enforcement is needed, and when required, will enforce policy by changing PEP (e.g. switches or firewalls) configurations. For example, some vendors integrate with existing deployments using HP's sFlow and Policy Based Routing (PBR) controls, or Cisco ACLs through CLI commands. Limitations are potential lags in detecting policy violations, allowing time for infected endpoints to attack others, but deployment options are sometimes cheaper.

Additionally, some deployments use no enforcement at all, at least initially. The goal here is to enable the logging and reporting aspects of the NAC solution, such that security and IT management can review, learn and determine the actual end-user impact of policy enforcement. In this way any unforeseen and potentially negative consequences can be avoided before they occur. Choosing to ratchet up the level of enforcement over time, in terms of what restrictions are enforced and what remediation is required, is another way to carefully roll out NAC. For example, a staged approach may require locking down the core finance department network immediately while only warning or alerting other departments about their lack of compliance, without lock-out, for a certain time.


Each mode provides some benefits and poses some drawbacks to the security of certain networks. For example, the inline mode has a greater ability to restrict devices since the PEP physically sits between the clean and unclean networks; however, this mode can sometimes be hard to scale up to larger deployments depending on the vendor management tools and hardware deployment options. The DHCP model is well-suited for existing infrastructures of any size, but care and consideration must be given to the current network's threat model for this model to be effective. Utilizing IEEE 802.1x provides a robust authentication scheme that integrates well, but it requires extra infrastructure (such as RADIUS services and 802.1x supplicants).

Ultimately, deployment options must meet the needs of the governance and security model of your organization. As a result, a combination of these solutions may be required to meet those needs, in parallel (layered) as well as across different locales. For example, using both endpoint and in-line enforcement allows for flexibility when dealing with areas that allow both corporate-owned and customer devices to connect.

6.7.7.4. Quarantine and Remediation

In order to support business functions, a network cannot simply deny access with absolute quarantines; remediation mechanisms must also be included in NAC to facilitate the remediation of endpoints. If a device attempts to connect to the network, and it does not meet policy-based criteria for permitting access, it can be isolated to a quarantined area (or compartment) of the network that allows access to certain unprotected resources. In some situations this may be sufficient, as in the case of guests attempting to simply connect to the Internet to check external e-mail accounts or access public web sites. Some organizations provision a separate network segment dedicated to guest access, with no connection to the internal enterprise network.

If, however, the user is authorized and desires access to protected resources, but problems with the device have been identified through the endpoint assessment, the quarantine area could provide access to resources for correcting identified deficiencies. This might include access to current anti-virus or spyware definitions, OS or application patches, and device-specific or personal firewall updates. The device is allowed on the enterprise network only when the identified deficiencies are addressed, with access determined by the policy affecting the user or process.

Some organizations may decide that entry into the quarantine area is not automatic, due to the possibility of the quarantine becoming a source of infection. An additional concern is acceptable use policy (AUP) issues, such as the organization's open connections becoming the source of inappropriate (or even harmful or illegal) traffic.
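As an added example (not from the handbook or any HP product) of the PDP and PEP flow in 6.7.7.1 through 6.7.7.4, the code below decides allow, quarantine or deny from the user's role and the endpoint assessment, attaches zone and time-window restrictions, and lets a PEP enforce that decision per flow. Roles, zones, posture checks, remediation resources and the sample clock are constructed.

```python
"""Policy decision point (PDP) and policy enforcement point (PEP) logic.

Added example modelled on the NAC flow described in this section; it is not
code from the HP Security Handbook or from any HP product. Roles, zones,
posture checks and remediation resources are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Posture:
    """Result of an endpoint assessment (the checks listed under the PDP)."""
    device_type: str
    os_patched: bool
    av_current: bool
    antispyware_current: bool
    firewall_on: bool


@dataclass
class Decision:
    action: str                                  # "allow", "quarantine" or "deny"
    zones: tuple = ()                            # zones the PEP may admit traffic to
    hours: tuple = (time(0), time(23, 59, 59))   # permitted time window
    remediation: tuple = ()                      # resources reachable from quarantine


# Policy repository (constructed): role -> zones and optional time window.
ROLE_POLICY = {
    "employee": {"zones": ("internal", "internet")},
    "vendor-a": {"zones": ("system-x", "system-y", "system-z"),
                 "hours": (time(8), time(18))},
    "guest":    {"zones": ("internet",)},
}

# Remediation resource offered for each failed posture check.
REMEDIATION = {
    "os_patched": "patch-server",
    "av_current": "av-definitions",
    "antispyware_current": "antispyware-definitions",
    "firewall_on": "firewall-policy-push",
}


def pdp(role, posture):
    """Decide access for an authenticated role plus an endpoint posture."""
    if role not in ROLE_POLICY:
        return Decision("deny")                  # unknown identity: nothing to grant
    policy = ROLE_POLICY[role]
    if role == "guest":
        # Guests only reach the Internet; their unmanaged devices are not assessed.
        return Decision("allow", policy["zones"])
    failed = [check for check, ok in vars(posture).items()
              if check in REMEDIATION and not ok]
    if failed:
        # Known user, unhealthy device: quarantine with fix-up resources only.
        return Decision("quarantine", ("quarantine",),
                        remediation=tuple(REMEDIATION[c] for c in failed))
    return Decision("allow", policy["zones"],
                    policy.get("hours", (time(0), time(23, 59, 59))))


def pep_permits(decision, dst_zone, now):
    """Enforce a PDP decision for one flow at the network edge."""
    if decision.action == "deny":
        return False
    start, end = decision.hours
    if not (start <= now.time() <= end):
        return False                             # outside the permitted window
    return dst_zone in decision.zones


def clock(hour, minute=0):
    """Constructed clock for the demonstration (a fixed calendar day)."""
    return datetime(2024, 1, 10, hour, minute)


if __name__ == "__main__":
    stale = Posture("laptop", True, False, True, True)   # AV definitions out of date
    d = pdp("employee", stale)
    print(d.action, d.remediation, pep_permits(d, "internal", clock(9, 30)))
```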

6.7.7.5. Assessment Methods

When attempting to connect to the network, an endpoint must be assessed to determine whether it is in compliance with relevant security policies. There are two fundamental approaches to assessing the status of a device attempting to access the network: active or passive.

With active assessment, a software agent is installed on the device. It performs certain tests, gathers information, and reports its findings back to a server dedicated to processing the information to determine the most effective means of remediating any problems identified. This method can be problematic for a number of reasons, including resistance to installing software unknown to the user on the system. Given the challenges associated with supporting software on potentially unknown and unsupported systems, this approach may not be viable for all devices attempting access, particularly devices such as PDAs or smartphones. There are three primary ways in which active assessment occurs:

• Agent-based Permanent: This requires software to be installed on each endpoint and, once installed and running, it is always available for the endpoint to be tested.
• Agent-based Transient: This requires an agent to be temporarily downloaded to the endpoint while it is being tested.
• Agent-less: The agent-less approach uses native applications or APIs to provide agent functions that are then used for testing from a PEP.

Passive assessment is performed without installing software on the device, but rather by assessing its responses to certain stimuli from the network. Requiring devices to install software agents to determine and report on their health or install patches or updates is potentially problematic. The requirements may violate guests' home organization policies, and the definition of system health can vary from organization to organization. Ultimately, network operators must determine the appropriate policies required for systems to attach to their networks. Users must decide whether the policies are acceptable and whether they are willing to connect under the terms required.


6.7.8. Intrusion Detection and Prevention Systems

Networks are still vulnerable to external and internal attack, even if they are properly secured and every effort is made to control host security. IDSs and IPSs provide an extra layer of defense. An IDS detects and reports exploitation of network and system vulnerabilities, whereas an IPS detects such exploits and takes immediate action to thwart them.

IDSs may be host-based or network-based. Host-based IDSs reside on servers and analyze audit logs and other indicators of system activity. Network-based IDSs use dedicated hosts that intercept and analyze network traffic. IDSs detect intrusions and other exploits such as privilege abuse by using predefined rules, predefined attack signatures, or observed deviations from normal activity (statistical anomalies).

IPSs take the idea of an IDS to the next step. After detecting an attack, an IPS performs specific actions to block an attempted attack or render it worthless. Like an IDS, IPSs may be host- or network-based. IPSs may respond to an attack by dropping suspicious data packets, terminating suspicious sessions, denying user access to resources, reporting activity to other hosts that may also be vulnerable, or updating their own configurations to better address specific attacks. IPSs can integrate with firewalls, so that when an IPS detects a source of hostile traffic, the firewall works to block it.
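An added example (not code from the handbook) of a host-based IDS working over audit log lines with both detection methods named above, predefined signatures and a statistical anomaly rule, plus an IPS step that turns the alerts into responses; the log lines, rule names and thresholds are constructed.

```python
"""Host-based IDS/IPS on authentication log lines: signatures plus anomalies.

Added example for the IDS/IPS discussion above; it is not code from the HP
Security Handbook. The log excerpt is a constructed sample in sshd/sudo
syslog style, and the thresholds are illustrative.
"""
import re
from collections import Counter

LOG = """\
Jan 10 09:00:01 host1 sshd[201]: Accepted publickey for alice from 10.10.1.5 port 50000 ssh2
Jan 10 09:00:05 host1 sshd[202]: Failed password for root from 203.0.113.9 port 4000 ssh2
Jan 10 09:00:06 host1 sshd[203]: Failed password for root from 203.0.113.9 port 4001 ssh2
Jan 10 09:00:07 host1 sshd[204]: Failed password for admin from 203.0.113.9 port 4002 ssh2
Jan 10 09:00:08 host1 sshd[205]: Failed password for invalid user test from 203.0.113.9 port 4003 ssh2
Jan 10 09:00:09 host1 sshd[206]: Failed password for invalid user oracle from 203.0.113.9 port 4004 ssh2
Jan 10 09:00:10 host1 sshd[207]: Failed password for invalid user guest from 203.0.113.9 port 4005 ssh2
Jan 10 09:01:00 host1 sshd[208]: Failed password for bob from 10.10.1.7 port 50010 ssh2
Jan 10 09:01:04 host1 sshd[209]: Accepted password for bob from 10.10.1.7 port 50011 ssh2
Jan 10 09:02:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# Parser used by the anomaly rule: (user, source address) of each failure.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Predefined signatures: (rule name, regex). Group 1 is the subject the alert
# is raised against: the source address for the login rule, the user for sudo.
SIGNATURES = [
    ("root-login-attempt", re.compile(r"Failed password for root from (\S+)")),
    ("privilege-escalation-shell",
     re.compile(r"sudo: (\S+) .* COMMAND=/bin/(?:ba)?sh\b")),
]


def detect(log_text, baseline_failures_per_source=1, anomaly_factor=3):
    """Run the signature rules and a simple statistical-anomaly rule.

    Returns a list of (rule, subject, detail) alerts. The anomaly rule flags
    any source whose failed-login count exceeds anomaly_factor times the
    baseline: a deviation from normal activity rather than a known pattern.
    """
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        for name, rx in SIGNATURES:
            m = rx.search(line)
            if m:
                alerts.append((name, m.group(1), line.split(": ", 1)[1]))
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
    for source, count in failures.items():
        if count > anomaly_factor * baseline_failures_per_source:
            alerts.append(("login-failure-anomaly", source, f"{count} failures"))
    return alerts


def ips_actions(alerts):
    """Turn alerts into IPS responses keyed by subject.

    A failure anomaly outranks everything else for that source, since it is
    the response handed to the firewall; a single root attempt only ends the
    session; a root shell via sudo is reported for audit, not blocked.
    """
    actions = {}
    for rule, subject, _ in alerts:
        if rule == "login-failure-anomaly":
            actions[subject] = "block-source"
        elif rule == "root-login-attempt":
            actions.setdefault(subject, "terminate-session")
        else:
            actions.setdefault(subject, "report")
    return actions


if __name__ == "__main__":
    found = detect(LOG)
    for rule, subject, detail in found:
        print(f"{rule:28} {subject:14} {detail}")
    print(ips_actions(found))
```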

6.8. HP Network Security Products and Solutions

This section provides an overview of HP's offerings, services, and solutions related to network security. HP provides a broad set of product and service offerings in this space, including many supplied by trusted HP partners, in order to bring the best possible solutions to our customers. After facing many of these challenges across our own internal networks and working with a number of diverse customers large and small, HP is uniquely positioned to bring considerable expertise to the enterprise. For further information, please see www.hp.com/go/security/trusted.

6.8.1. Adaptive Network Architecture

HP's ANA is a blueprint for:

• Segmenting or logically compartmentalizing an enterprise network based on the business needs of applications or hosted services
• Extending the compartments enterprise-wide as required regardless of physical location
• Enabling centralized policy management for the resulting architecture

Conventional perimeter defenses can no longer strike a balance between fast-changing business needs and sufficient protection of company information assets. Today, management of enterprise firewalls is typically exception-based, with a large number of access holes that accommodate specific user or system requirements. These exceptions cause both security and operational concerns. ANA transforms legacy enterprise data network architecture from a monolithic perimeter to a set of purpose-built (and more secure and manageable) distributed network compartments.

Compartmentalizing is not new; enterprises have been doing it for years but in a limited fashion. Traditionally, it has not been cost effective for companies to compartmentalize the entire network: conventional approaches are not scalable or sustainable. As a result, companies only compartmentalize a small portion of their network. Implemented internally within HP since 1999, ANA breaks through this barrier by combining processes, technology, and a governance model. The governance model is a tested, hierarchical arrangement, where business units, IT architecture, network engineering, and network operations interact at various levels to instill agility and consistency for planning and executing change to network access policy.

There are three areas that demonstrate the capability of ANA: IP Communications (IPC) deployments, network consolidation (in the context of data center consolidation), and network admission control (802.1x) adoption. In all cases, a generic access policy must be applied hundreds of times throughout the network. As business needs evolve and change, modifying such a policy on a global scale is arduous. ANA enables agility by providing a means to manage policy centrally and enforce it in a decentralized way. With ANA, changing a hundred geographically distributed networks to permit or deny a specific application service can be handled in hours instead of the days or weeks needed by conventional practices.

HP has filed several patents for the process and design elements that form the underpinnings of ANA and has successfully deployed ANA worldwide for internal operations. ANA has enabled HP to reduce network administration costs and operating expenses, while shortening lead times for acquisitions and external collaboration.

Those interested in ANA have two implementation options. HP Services can provide the design, planning and implementation of ANA in the context of network solutions such as IP Communication, Network Consolidation and Network Security. HP Services will also deliver ANA as part of a complete outsourcing solution. Outsourcing Services delivers ANA to outsourcing customers.


6.8.2. HP ProCurve Networking

For nearly 20 years, HP ProCurve Networking has built enterprise LAN products that help people run their businesses more effectively. By providing a complete and affordable portfolio of network security solutions and services, alongside HP's highly skilled professionals, these products can help manage information resources, provide consistent performance, and deliver secure access to the enterprise. HP ProCurve's networking products support the ProCurve Adaptive Edge Architecture (AEA), which moves intelligence and security to the edge of the network where users connect. Enforcing security at a central point gives malicious traffic an opportunity to infiltrate the network from the edge to the core.

Stopping any unauthorized or suspicious activity at the edge or access point immediately isolates the problem and reduces the chance that the network as a whole will be impacted. This approach prevents users from gaining unauthorized network knowledge or performing electronic snooping to uncover passwords or other critical information that might assist in a network attack.

HP ProCurve's unified approach addresses both wired and wireless access and secures end-user access methods to the enterprise LAN. If a security breach cannot infiltrate the host because network intelligence locks out the potential attacker, enterprise network security improves dramatically.

6.8.2.1. HP ProCurve Networking: ProActive Defense

HP ProCurve's security framework is called ProActive Defense. ProActive Defense is the HP ProCurve approach to delivering a trusted network infrastructure immune to threats, controllable for appropriate use, and able to protect data and integrity for all uses. HP ProCurve delivers security solutions that proactively prevent security breaches by providing comprehensive access control (access security) and integrity and confidentiality of sensitive data (privacy).

HP ProCurve delivers security solutions that defend the network by securing the network from unauthorized extension (infrastructure security), by keeping the network safe from virus attacks (network immunity), and by providing reports to administrators with valuable information about the security of the network and security policy compliance (command from the center).

Access security controls which users have access to systems and how they connect in a wired and wireless world. HP ProCurve provides:

• Standard 802.1x port-based access control for all HP ProCurve enterprise-class managed products
• A combination of 802.1x with 802.1Q standards for two levels of security - when a user authenticates via 802.1x, HP ProCurve switches can easily place the user on the appropriate virtual local area network (VLAN) based on information from the authentication server, which limits users to exactly the network resources they are allowed to access
• 802.1x for 802.11 wireless networks to ensure only authorized users are granted access to the enterprise network
• Restrictions efficiently implemented at the network edge to control access rights and privileges that each user or group has to specific network resources, such as individual subnets, servers, or applications

Privacy ensures the integrity and confidentiality of sensitive data. HP ProCurve provides:

• Protection from data manipulation
• Prevention of data eavesdropping
• End-to-end VPN support for remote access or site-to-site privacy
• Wireless data privacy using WPA and WPA2 (IEEE 802.11i), legacy Wired Equivalent Privacy (WEP), and VPN technologies. WEP has practical key-recovery attacks and should be treated as offering no confidentiality; use WPA2 with AES-CCMP wherever the client population allows, and keep WEP only for legacy clients that cannot be upgraded.

4-66

Trusted Infrastructure

Page 176: HP Security Handbook

Infrastructure security includes protection of network components and prevents unauthorized users from overriding other security provisions. HP ProCurve provides:

• Secure, controlled access to the configuration and management of the network infrastructure
• Switches that can authenticate network managers in a number of ways
• Protection of remote management access to the console prompt using the Secure Shell (SSH) protocol

Network immunity relates to designing a network infrastructure to survive an attack without interrupting service. Network-based viruses can infect authenticated notebooks and PCs when they connect to the Internet outside of the office. In addition to attacking network components, these viruses can then compromise the network from within once the infected machine reconnects. With HP ProCurve:

• Products come with a number of built-in features that improve network resiliency in the face of virus outbreaks.
• Management functions are protected from broadcast storms, flooded traffic, and network loops, so switch management remains reachable in the presence of these network anomalies.
• Products help reduce excessive broadcast traffic, which impacts every station on the network and typically results from an erroneous situation.
• Software releases run through extensive testing before distribution; one of the many standard regression test suites includes the CERT Coordination Center (CERT/CC) vulnerability test suite, which bombards a switch with network attacks.
• Routing switches accept routing updates only from authenticated routers.

Command from the center is the ability that HP ProCurve management tools provide to set security policies, report alerts, and report information about the security of the network.

HP ProCurve security solutions move important access decisions and policy enforcement to the edge of the network, where users and applications connect. Core resources are freed to provide the high-bandwidth interconnect functions they are meant for, which means enterprise networks are optimized to perform better. What is more, effective control at the edge helps enforce the security policies necessary for network convergence and a mobile workforce.

HP ProCurve Networking solutions have several layers of built-in security and take advantage of the latest standards-based security features to protect data. HP ProCurve's diverse array of security products and services brings trust, reliability, and flexibility to enterprise networking.

6.8.2.2. HP ProCurve Networking: ProCurve Identity Driven Manager
Network intrusions do not always come from Internet connectivity. Because intrusions can originate from within the local network, network access controls are critical to network security. ProCurve Identity Driven Manager (IDM) builds on the secure access features of ProCurve hardware and the standard RADIUS authentication process.


As Figure 4-9 illustrates, IDM allows businesses to define network access policies that enforce secure access to the network and provide dynamic security and performance configuration to network ports as users connect. These policies can allow, deny, and customize network access based on user, device, time, and location. The IDM 2.0 release adds integration with the Trusted Computing Group's Trusted Network Connect (TNC) architecture. This integration allows network policies to verify that a system is compliant with business policies before the system is allowed onto the network.

ProCurve IDM is a key piece of the ProCurve Adaptive EDGE Architecture (AEA), providing the ability to centrally manage network access policies while controlling a secure, adaptive edge network.

6.8.2.3. HP ProCurve Networking: HP Virus Throttle Software
As every IT manager knows, computer virus epidemics keep getting worse. Current methods to stop the propagation of malicious agents rely on signature recognition to prevent hosts from being infected. While this approach has been effective in protecting systems, it has several limitations that decrease its effectiveness as the number of viruses increases. Signature recognition is fundamentally a reactive, case-by-case approach. The latency between the introduction of a new virus or worm into a network and the implementation and distribution of a signature-based patch can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

Virus throttling, in contrast, is based on the behavior of malicious code and how it differs from uninfected code. Normally, a computer makes fairly few outgoing connections to new computers and is more likely to connect regularly to the same small set of computers. This contrasts with the fundamental behavior of a rapidly spreading worm, which attempts many outgoing connections to new computers. For example, computers normally make approximately one connection to a new host per second; the SQL Slammer worm tries to infect more than 800 computers per second.

HP Virus Throttle software establishes a rate limit on connections to new computers. Normal traffic remains unaffected, but suspect traffic that attempts to spread faster than the allowed rate is slowed. This creates a large backlog of connection requests that can be easily detected. Once the virus is slowed and detected, technicians and system administrators have time to isolate and remove the threat.

A virus-throttle approach differs from signature-and-patch approaches in three key ways:

• It focuses on the network behavior of the virus and prevents certain types of behavior, in particular the attempted creation of a large number of outgoing connections per second.
• It restricts the code from leaving the system instead of stopping viruses from entering the system.
• It makes the system robust and tolerant to false positives: connections beyond the permitted rate are held back for configurable periods of time rather than dropped, so a legitimate burst of new connections is merely slowed.
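The mechanism behind the working set and delay queue in Figure 4-10 is small enough to write down. The following Python simulation is an added example, not HP's implementation: it throttles outbound connections to hosts outside a working set of five recently contacted hosts, releases one queued host per second, and raises an alarm when the delay queue backs up. The two traffic patterns (a workstation talking to three servers, and a Slammer-like scanner hitting 800 random addresses a second) are constructed for the example, and the working set size, release rate and alarm threshold are assumed values.

```python
# Added example: a working-set / delay-queue virus throttle (the mechanism the text
# describes), simulated against constructed normal and worm-like traffic.  Not HP code.
import random
from collections import OrderedDict, deque


class VirusThrottle:
    """Rate-limits new outbound connections to hosts not recently contacted."""

    def __init__(self, working_set_size=5, new_hosts_per_second=1, alarm_threshold=100):
        self.working_set = OrderedDict()      # recently contacted hosts, oldest first
        self.delay_queue = deque()            # hosts waiting for a release slot
        self.working_set_size = working_set_size
        self.new_hosts_per_second = new_hosts_per_second
        self.alarm_threshold = alarm_threshold
        self.alarmed = False
        self.passed = 0                       # connections sent immediately
        self.delayed = 0                      # connections that had to queue

    def connect(self, host):
        """Called for every new outbound connection; returns 'pass' or 'delay'."""
        if host in self.working_set:
            self.working_set.move_to_end(host)    # keep the set least-recently-used
            self.passed += 1
            return "pass"
        self.delay_queue.append(host)
        self.delayed += 1
        if len(self.delay_queue) > self.alarm_threshold:
            self.alarmed = True                   # the backlog is the detection signal
        return "delay"

    def tick(self):
        """Called once per second: admit the permitted number of new hosts."""
        released = []
        for _ in range(self.new_hosts_per_second):
            if not self.delay_queue:
                break
            host = self.delay_queue.popleft()
            self.working_set[host] = True
            if len(self.working_set) > self.working_set_size:
                self.working_set.popitem(last=False)      # evict the oldest host
            # other queued connections to the same host no longer need to wait
            self.delay_queue = deque(h for h in self.delay_queue if h != host)
            released.append(host)
        return released


def simulate(traffic, seconds, **throttle_args):
    """traffic(t) returns the destination hosts attempted during second t."""
    throttle = VirusThrottle(**throttle_args)
    for t in range(seconds):
        for host in traffic(t):
            throttle.connect(host)
        throttle.tick()
    return throttle


def normal_workstation(t):
    # Constructed: the same three servers every second plus one new host every 10 s.
    hosts = ["mail.example.com", "files.example.com", "proxy.example.com"]
    if t % 10 == 0:
        hosts.append(f"new-host-{t}.example.com")
    return hosts


def slammer_like_worm(t):
    # Constructed: about 800 connection attempts per second to random addresses.
    rng = random.Random(t)
    return [f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
            for _ in range(800)]


if __name__ == "__main__":
    for name, traffic in (("workstation", normal_workstation), ("worm", slammer_like_worm)):
        th = simulate(traffic, seconds=60)
        print(f"{name}: passed={th.passed} delayed={th.delayed} "
              f"backlog={len(th.delay_queue)} alarm={th.alarmed}")
```

Over a minute the workstation's three servers enter the working set within the first few seconds and every later connection passes untouched, with the queue empty at the end of each second; the worm's queue grows by roughly 799 entries per second and trips the alarm in its first second. Note that the throttle never decides what is malicious: it only makes fast spreading slow and visible, which is why the text pairs it with signature-based tools rather than replacing them.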

Figure 4-9: HP ProCurve Identity Driven Manager 2.0 (diagram: user information and user network access policies feed IDM, which yields user-customized network access rights)


HP Virus Throttle software should complement, not replace, signature-based solutions. The virus-throttle technology fills a gap in anti-virus protection that has, until now, allowed previously unknown threats to wreak significant damage before patches could be deployed. With HP Virus Throttle, previously unknown threats can be mitigated, giving administrators time to deploy signature updates and patches. Figure 4-10 illustrates the process employed by HP Virus Throttle software.

6.8.3. HP ProLiant Essentials Intelligent Networking Pack
HP ProLiant Essentials Intelligent Networking Pack is a software solution available for HP ProLiant servers running Microsoft Windows 2000 and Windows Server 2003. It offers advanced networking and combines capabilities for redundancy and load balancing. HP Virus Throttle software, described previously, is also implemented in this product. When implemented with other virus-prevention tools, HP ProLiant Essentials Intelligent Networking Pack provides an extra layer of protection against attacks that can bring down the entire network.

6.8.4. HP ProLiant DL320 Firewall/VPN/Cache Server
The HP ProLiant DL320 Firewall/VPN/Cache Server running Microsoft Internet Security and Acceleration (ISA) Server 2004 provides an affordable, integrated, easy-to-use, and manageable hardware security and caching solution. It can be quickly deployed to help protect key business applications, such as Microsoft Exchange Server, Outlook Web Access, Internet Information Services, and SharePoint Portal Server. In addition, ISA Server 2004 integration with Windows Active Directory enables administrators to apply group- and user-level policy and authentication across a broad range of scenarios, including firewall policy, VPN authentication, and outbound web proxy and access control.

6.8.5. HP IPFilter
HP IPFilter filters IP packets that enter or leave HP-UX servers. IP packets are granted or denied access to or from the system based on stateful packet inspection and sophisticated packet-filtering rules. Featuring a packet-throttling technology called Dynamic Connection Allocation, IPFilter can be configured to either prevent or minimize the effects of many types of DoS attacks. An HP Service Professional can remotely install and configure IPFilter on a qualified HP Integrity server and verify that the software starts up and shuts down without error.

Figure 4-10: HP Virus Throttle process (diagram: outbound connections from the TCP/IP stack pass through the throttle's working set and delay queue before reaching the network adapter)


Table 4-5 Examples of HP partner secure network offerings

Cisco Systems (www.cisco.com)
• Cisco Clean Access: enforces network security policies
• Cisco Secure Access Control Server (ACS) for Windows: manages user access to Cisco devices and applications with 802.1x access control
• Cisco VPN-Enabled/Optimized Routers: support IPsec VPN features within Cisco routers
• Cisco PIX 500 Series Firewalls: provide stateful packet inspection, IPsec VPN, IPS, and other solutions for a wide range of device applications

Internet Security Systems (www.iss.net)
• Proventia and RealSecure product lines for IDS/IPS: provide IDS and IPS solutions

Microsoft (www.microsoft.com, www.hp.com/go/proliant)
• Internet Security and Acceleration (ISA) Server: provides application-layer firewall capabilities, VPN, and web caching; integrated with the HP ProLiant DL320 Firewall/VPN/Cache Server

Nokia (www.nokia.com)
• Nokia Firewall/VPN appliances: provide an integrated solution for secure Internet communications and access control using Check Point firewall and VPN software

Symantec (www.symantec.com)
• Symantec Enterprise Security Manager: manages and reports on security policy compliance
• Symantec Enterprise Firewall: provides an enterprise-level firewall for Windows and Solaris platforms
• Symantec Gateway Security: integrates a stateful packet inspection firewall, anti-virus, IDS/IPS, content filtering, IPsec VPN, and hardware-assisted encryption technologies in a self-contained device


6.9. HP Partner Secure Network Offerings
To provide a complete and integrated set of options, HP has partnered with leading vendors whose products and services enhance and complement HP products and services. Table 4-5 summarizes some of these partner offerings. See www.hp.com/go/security/strategy for details and updates about HP partner information.

6.10. Network Security Summary
HP's approach to network security begins with rigorous, widely accepted analysis and planning techniques. Network design is based on proven, integrated solutions and leading products. For organizations that must adapt rapidly, HP's ANA technology secures key solutions within enterprise networks while enabling them to change quickly in response to business imperatives.

HP and its partners offer a broad range of security expertise, products, solutions, and services to help ensure that organizations are not damaged by a disruption or compromise of their information flow. For more information, see www.hp.com/go/security/trusted.

7. Storage Security
In principle, storage security is straightforward. In practice, establishing storage security requires specialized knowledge, careful attention to detail, and ongoing review to ensure that storage solutions continue to meet an organization's evolving needs.

7.1. Environment
Storage security represents a major component of the overall security plan for a data center and a business. Consequently, business policies and practices must augment any hardware- or software-level security model, including network and system security.

7.1.1. Threats
Storage has evolved into a resource shared by many systems on a network. In many cases, it is no longer sufficient to secure just one system to which a storage device connects, because storage devices now connect to many systems. To protect against a variety of threats, not all of which can be anticipated in advance, storage security must address the varying security requirements of a diverse number of databases and applications. For example, storage security must protect:

• Valuable data belonging to each system against unauthorized access, modification, or destruction by any of the other systems
• Storage devices themselves against unauthorized configuration changes, with audit trails of all such changes

There is no value in carefully securing storage and subsequently leaving the system wide open to the Internet. Storage security must be part of an overall security plan, both for a single data center and for the organization as a whole. Storage security also consists of a set of procedures that define access rights for data and authority for managing devices, and it defines an appropriate response when security issues occur.

7.1.2. Types of Storage
There are three main types of storage to consider today and two emerging technologies:

• Direct Attached Storage (DAS) is connected directly to a single system, similar to the disk within a PC.
• Network Attached Storage (NAS) is accessed via the Ethernet LAN, and it stores and retrieves files.
• Storage Area Network (SAN) storage is accessed over a storage network, which today is typically based on Fibre Channel, and presents what look like disk drives to systems.
• Internet SCSI (iSCSI) offers storage networking over IP networks. It is an emerging technology being used in small-to-medium environments where I/O throughput demands are relatively low. iSCSI is an important addition to SAN technology because it enables a SAN to be deployed over a LAN, WAN, or MAN (local-, wide-, or metropolitan-area network). Because iSCSI rides on ordinary IP, it also inherits every threat that applies to the IP network it traverses.
• Object storage is an emerging technology that combines aspects of SAN and NAS.

HP's storage security focus is on storage shared between many systems on a network, primarily SAN and secondarily NAS. Storage security is not a box added to a SAN as a firewall is added to a network. Security must be an attribute of every system, every switch, and every device in the SAN.

7.1.3. Benefits
Storage security provides protection from attacks and the resulting exposures. Specifically, storage security:

• Protects data confidentiality
• Protects data integrity
• Protects data from destruction or loss


7.2. Principles of Risk Mitigation
Many ways exist to gain unauthorized access to data and to retrieve, alter, or destroy it. Examples of risks that may require mitigation include:

• Stealing disks and backup tapes
• Copying disks
• Allowing an unauthorized system to access a disk array or tape library
• Wiretapping within a data center and between data centers
• Making unauthorized changes to permissions in the disk array or in the switch
• A system mounting and initializing a volume it does not own as a result of a software defect
• Operator error or miscommunication

7.2.1. Mitigation Techniques
Mitigation of storage security risks involves identification and authentication, authorization, auditing, encryption, and key management.

7.2.1.1. Identification and Authentication
Identification and authentication techniques include:

• User logon identification and authentication via security mechanisms such as user name and password protection for authorization of administrative actions
• Audit trails (logs) to identify what was done and by whom, which deter deliberate misuse of authority and help recover from incorrect actions
• Timely revocation of an individual's identity or modification of authorization when responsibilities change or the individual leaves the organization
• Device identification and authentication through emerging technologies that ensure a device is permitted on the storage network (These technologies can also detect an "impostor" rogue device pretending to be a different device or system.) For Fibre Channel the relevant standard is FC-SP, whose DH-CHAP protocol authenticates switches and end devices to one another; without it, a device is identified only by its World Wide Name, which is not authenticated and can be spoofed by a host.

7.2.1.2. Authorization
Authorization techniques include:

• Authorization for an individual to manage only specific devices, or limits on access to many devices
• Verification by storage devices that an administrator who issued a command is authorized to do so, before performing the requested action
• Verification by disk arrays that the specific system that issued a read or write command has permission to do so for that Logical Unit Number (LUN), before performing the input/output (I/O) action (Through emerging technologies, a tape library controller can similarly verify permissions on I/Os to a tape library.)

7.2.1.3. Auditing
Auditing techniques include:

• Logging all administrative actions (changes) and any significant events (This is typically logged individually within devices, but centralized logging software is the preferred method because it presents a single view and allows queries.)
• Extending the auditing mechanism over the entire storage network to track activities related to each element.

7.2.1.4. Encryption
Encryption techniques include:

• Encrypting data at rest on media such as a disk or a tape.
• Encrypting data in flight between data centers (and potentially within a data center) to protect against wiretapping.
• Encrypting data in use at the database or application level. This last item is not always considered a storage security item, but rather an application- or service-specific security feature.

Customers are always faced with the question of where the best place to encrypt is. Trade-offs exist for each of the three encryption locations listed above. Customers will typically face more management and deployment complexity the higher in the stack they provide encryption (for example, for data in use instead of simply data at rest), certainly when they attempt to deploy encryption across a large environment. On the other hand, the higher in the stack they encrypt data, the more protection can be provided: data encrypted by the application stays protected across every tier below it, whereas media-level encryption protects only against loss or theft of the media and is transparent to any authorized host that can reach the array or drive. Encryption also costs performance.

Encryption is gaining more widespread use, driven by the increasing number of incidents of lost customer data and the growing amount of regulation. HP expects customers to start with encryption at the storage device or media level, because it is cheap and simple to manage. Over time, however, enterprise data center customers will consider deploying encryption in multiple places based on what is legally required, which solutions are available, and the solutions' operational impact. Today, for example, customers selectively and surgically encrypt at the database and application level; HP expects device- and media-level encryption to become the norm as hardware encryption built into storage devices makes it cheap and simple to manage. The increased data threats and the need for faster data encryption also drive standardization efforts to build hardware encryption into storage devices. For example, data copied between data centers is no longer protected from wiretapping by the physical security of the data centers.


The lack of physical security on cables outside the data center can be mitigated by passing the traffic through a dedicated encryption system before it leaves the sending data center. Similarly, the encryption of backup tapes that are transported off site is of increasing interest to many organizations and has led tape vendors to build hardware encryption capabilities into tape devices. HP also expects that, as time goes on, encryption standards will increasingly be driven into SAN switches.

Dedicated encryption systems are available for both Fibre Channel and IP networking, with the latter calledInternet Protocol Security (IPsec) gateways. Because of their cost and complexity, such installations are notcommon today. In the case of iSCSI, HP anticipates that IPsec will be built into future interfaces, makingencryption more affordable and more ubiquitous than is currently possible with IPsec gateways.

7.2.1.5. Key Management
When dealing with encryption in enterprise environments, key management is an area of particular concern: if you lose the keys, you cannot decrypt the data. A primary concern is that keys be neither lost nor exposed while a tape is still retained: the keys need to be accessible as long as the data lives, and for data at rest that could be decades. In practice this means a key must never be destroyed while any cartridge written under it is still within its retention period, and key rotation must keep old key versions available for reading old media.

Key management becomes unwieldy if multiple disparate solutions are deployed or the number of encrypting devices grows across the enterprise. What is needed in terms of data center key management is the following:

• A scalable, enterprise-wide infrastructure solution from a trusted vendor. HP expects that the volume of encrypted data will mushroom over time.
• Open, standards-based key management that integrates across the enterprise and across vendors. Interoperability is crucial.
• Reliable and highly available key storage, with ample provision for encryption key redundancy and without taking a performance hit.
• Secure access and control, meaning key management policies that ensure only those with the right permission can access the keys.
• Simplified and automated management, because protecting data is already complex and resource-intensive. Key management needs to be as simple as possible, even at the enterprise level.

In summary, in the context of data and storage security, enterprises need an effective way to centrally and automatically manage keys in a secure fashion, independent of where encryption occurs.
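To make these requirements concrete, here is an added Python sketch of the server side of a tape key manager. It is an illustration written for this page, not the HP Secure Key Manager's code, and it assumes one particular design: per-partition or per-cartridge keys are derived with HKDF from versioned master keys (so only the master keys need the replicated, highly available storage the list above calls for), every key request is authorized against the libraries registered for the partition and written to an audit log, and a master key version cannot be retired while any cartridge written under it is still within its retention period. The library serials, partition names, barcodes and retention dates are constructed.

```python
# Added example: a minimal tape key manager illustrating key granularity, access
# control, audit logging and key lifetime tied to data retention.  Not SKM code.
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256, used here to derive 256-bit tape keys."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class TapeKeyManager:
    # Dates are ISO "YYYY-MM-DD" strings, so plain string comparison orders them.

    def __init__(self):
        self._masters = {}       # key version -> master key (assumed: appliance's protected store)
        self.current_version = 0
        self.partitions = {}     # partition -> {"granularity": ..., "clients": set()}
        self.cartridges = {}     # barcode -> (partition, key version, retain_until)
        self.audit_log = []      # (client, action, partition, barcode, outcome)

    def add_master_version(self, master_key: bytes) -> int:
        """Rotating in a new master never removes an old one; see retire_master_version."""
        if len(master_key) < 32:
            raise ValueError("master key must be at least 256 bits")
        self.current_version += 1
        self._masters[self.current_version] = master_key
        return self.current_version

    def define_partition(self, partition, granularity, clients):
        if granularity not in ("partition", "cartridge"):
            raise ValueError("granularity must be 'partition' or 'cartridge'")
        self.partitions[partition] = {"granularity": granularity, "clients": set(clients)}

    def _authorize(self, client, action, partition, barcode):
        allowed = client in self.partitions.get(partition, {}).get("clients", set())
        self.audit_log.append((client, action, partition, barcode,
                               "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{client} may not {action} keys for partition {partition!r}")

    def _derive(self, version, partition, barcode):
        if self.partitions[partition]["granularity"] == "partition":
            label = partition                     # one key shared by the whole partition
        else:
            label = f"{partition}/{barcode}"      # one key per cartridge
        return hkdf_expand(self._masters[version], f"tape-key:v{version}:{label}".encode())

    def write_key(self, client, partition, barcode, retain_until):
        """Key for a cartridge about to be written; the key version is recorded with it."""
        self._authorize(client, "write", partition, barcode)
        version = self.current_version
        self.cartridges[barcode] = (partition, version, retain_until)
        return version, self._derive(version, partition, barcode)

    def read_key(self, client, barcode):
        """Key for restoring a cartridge; always the version it was written with."""
        if barcode not in self.cartridges:
            raise KeyError(f"unknown cartridge {barcode}")
        partition, version, _ = self.cartridges[barcode]
        self._authorize(client, "read", partition, barcode)
        return self._derive(version, partition, barcode)

    def retire_master_version(self, version, today):
        """Destroy a master key only once no retained cartridge still depends on it."""
        live = sorted(b for b, (_, v, until) in self.cartridges.items()
                      if v == version and until >= today)
        if live:
            raise RuntimeError(f"key version {version} still protects retained media: {live}")
        del self._masters[version]
```

The retention check in retire_master_version is the point the text makes about decades-long data: rotating to a new master key is cheap, but destroying an old one is an irreversible decision that has to be driven by the retention dates of the media, not by a calendar reminder on the appliance.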

7.2.2. Data Access and Management Measures
Mitigation approaches generally fall into data access measures and management measures. Figure 4-11 categorizes these mitigation approaches by data security and management security.

Data access approaches include device authentication, device authorization, and encryption. Management techniques include individual authentication and authorization, with audit trails and logging, and key management. Some of the items in these categories are routinely used today. Others represent evolving, leading-edge mitigations.

Figure 4-11: Storage security model (diagram grouping the mitigations above into data security and management security; the only label recovered from the image is Key Management)


7.3. Secure Storage Priorities
As businesses set secure storage priorities for the coming years, securing the management interfaces of all devices is usually the highest priority.

The key priorities for storage security include:

• Facilitating secure management of ports and interfaces on elements such as switches and arrays by:
  • Using strong passwords and changing default passwords
  • Disabling unused management ports and protocols on devices (Telnet and unencrypted HTTP in favor of SSH and HTTPS where the device supports them)
  • Restricting access to management LAN interfaces with a firewall or access control lists, ideally by placing them on a dedicated management network
• Enabling LUN security (for example, Selective Storage Presentation and LUN masking) if applicable
• Using encryption to meet regulatory compliance and specific business objectives

A plan for storage security must incorporate people and procedures as well as equipment. It must fit with the overall data center and business plans. This means evolving the plan as both the situation and technology allow, training users accordingly, following the plan, and testing it.

7.4. HP Secure Storage Solutions

7.4.1. HP StorageWorks LTO-4 Ultrium 1840 Tape Drive
The HP StorageWorks LTO-4 Ultrium 1840 is HP's first tape drive that is capable of storing up to 1.6 TB per cartridge (800 GB native; 1.6 TB assumes 2:1 compression) while providing hardware-based encryption. The LTO-4 drives, coupled with the HP Secure Key Manager (explained in the next section), can deliver a very secure data privacy solution for offsite data media such as tapes.

Below is a short overview of the LTO-4 Ultrium 1840's main product features:

• Supports AES 256-bit encryption (AES-256 in GCM mode, as specified for LTO-4, so the tape data is authenticated as well as encrypted)
• Provides easy-to-enable encryption for secure backup and helps prevent unauthorized access to tape media if cartridges are lost or stolen
• Includes a large-capacity, fast-performing tape drive with 1.6 TB compressed capacity and 240 MB/s compressed data transfer rate (120 MB/s native), enhanced by HP's exclusive dynamic data-rate matching feature
• Provides enterprise-class reliability. The LTO-4 Ultrium 1840 is highly reliable, with an MTBF of 250,000 hours at 100% duty cycle, and includes HP One-Button Disaster Recovery (OBDR)
• Assures investment protection. The LTO-4 Ultrium 1840 comes with a single-server version of HP StorageWorks Data Protector Express. It is read/write compatible with LTO-3 media and read-only compatible with LTO-2 media.

7.4.2. HP StorageWorks Secure Key Manager
The HP StorageWorks Secure Key Manager reduces an organization's risk of a costly data breach and reputation damage while improving regulatory compliance with a secure, centralized encryption key management solution for the HP LTO-4 enterprise tape libraries (see also the previous section). The Secure Key Manager automates key generation and management based on security policies for multiple libraries. This occurs transparently to ISV backup applications.

The Secure Key Manager is a hardened server appliance delivering secure identity-based access, administration, and logging, with strong auditable security designed to meet the rigorous FIPS 140-2 security standard. Additionally, the Secure Key Manager provides reliable lifetime key archival with automatic multi-site key replication, high-availability clustering, and failover capabilities.

The HP StorageWorks Secure Key Manager provides centralized key management for HP StorageWorks Enterprise Storage Libraries (ESL) E-Series tape libraries and HP StorageWorks Enterprise Modular Library (EML) E-Series tape libraries.

In addition to the clustering capability, the Secure Key Manager provides comprehensive backup and restore functionality for keys, as well as redundant device components and active alerts. The Secure Key Manager supports policy granularity ranging from a key per library partition to a key per tape cartridge, while featuring an open, extensible architecture for emerging standards and allowing additional client types needing key management services in the future. These clients may include other storage devices, switches, operating systems, and applications.

HP Storage Security Self-Assessment Tool
The HP Storage Security self-assessment tool has been designed specifically to help organizations understand how well their business is prepared for managing risk to sensitive data in their storage and backup environment, as well as complying with data privacy regulations. The tool has been developed by the HP Consulting and Integration Security and Risk Management Practice based on industry best practices and the experience gained through the design and deployment of hundreds of data protection engagements globally. Customers can access the tool from the following URL: www.hp.com/storage/securityassessment

Using the tool, organizations answer a set of questions and HP provides them with a personalized report that documents where their storage and backup security controls are appropriate and where additional focus may be required. Recommended courses of action are designed explicitly to reduce risk commensurate with their business, and to better comply with the regulatory or industry mandates to which their business must adhere.

Customers can select any or all of the six key storage and backup security elements they would like analyzed: governance, compliance, operations, technology, encryption, and key management.


7.4.3. HP Compliance Log Warehouse
The HP Compliance Log Warehouse (CLW) can aggregate security logs enterprise-wide and tune security log reporting for specific audit and regulatory requirements. By understanding the detailed event data that IT systems already produce, organizations can better manage, investigate, and protect these systems. HP CLW collects and analyzes data such as system and application log files, database event records, and operating system event logs. With powerful compliance reporting tools, it turns this data into actionable intelligence, providing rapid time-to-value at a fraction of the cost of traditional data warehousing and security solutions.

The HP CLW is a high-performance appliance with log analysis and real-time alert modules. It provides high-speed collection and analysis of log data that automates compliance reporting for many industry and government standards, including SOX, PCI, FFIEC, HIPAA, NISPOM, DCID 6/3, FISMA, EU Data Retention, and ISO 17799. The HP Compliance Log Warehouse also has an adaptor for the HP Secure Key Manager, so the key manager's audit events can be collected alongside other security logs.

7.5. Storage Security Summary
Storage security is part of HP's Trusted Infrastructure and is a major component of the overall security solution. Storage plays an indirect but critical role in an enterprise's overall security operations. A data center contains the majority of an organization's records; many business processes are affected if storage systems become unavailable or are compromised. An organization's storage and storage security strategy must relate directly to the business processes, IT infrastructure, and overall security model of the organization. Storage security draws not just on the organization's security governance and attitude toward risk, which is driven from a business level, but also on its centralized identity (authentication) and authorization services and its security management capabilities for managing threats.

In addition to mitigating security risks through independent identification, authorization, auditing, and encryption techniques tied to storage, a broader plan for infrastructure security across storage, networking, and hosts must also be in place. An attacker will seek weaknesses across all three areas. Securing storage over standard networking depends on how effectively the network is protected and on the security of the storage system itself. This is particularly true when storage is accessed over the organization's backbone network rather than through an isolated storage network or subnet.

8. Imaging and Printing Security
Security of the imaging and printing environment has long been ignored by IT administrators. Printers and scanners have been considered little more than network appliances, posing none of the risks of client and server PCs. Recent publications by hacker groups have raised awareness that imaging and printing devices are more than simple appliances, and that these devices have capabilities beyond printing and scanning. As network printers and Multi-Function Printers (MFPs) grow in capability, they begin to resemble networked PCs in their ability to send and receive data. It would be wise for a company to view these devices as it would publicly accessible PCs with access to its network for sending and receiving data.

This section explains the threats and risks unique to imaging and printing environments and provides recommendations and strategies to prevent their effects. Parallels to common security capabilities are drawn to aid in explaining hardcopy-specific needs. Imaging and printing devices are put into the context of regulatory requirements, although, as will be seen, there is no simple solution.


8.1. HP's Imaging and Printing Security Framework
To simplify the presentation of security concepts, HP developed an imaging and printing security framework with three categories of security functions, summarized in Table 4-6.

The categories within HP's imaging and printing security framework are built from traditional network security theory, which identifies the four elements that compose a secure system: confidentiality, access control, integrity, and non-repudiation.

8.2. Secure the Imaging and Printing Device
Secure the Imaging and Printing Device includes capabilities that provide access controls to the functions of the device and ensure the integrity of its operations. Access controls limit MFP and printer functions to authorized users and include:

• Walk-up capabilities such as copying and digital sending• Network printing• Physical access to printed documents

Authentication requirements vary by environment, as do integration requirements to existing authorizationmechanisms.

8.2.1. Multi-Function Printer (MFP) Walk-up AuthenticationMFPs can require users to be authenticated before accessing MFP functions via the device control panel.MFPs can restrict access to digital sending functions and restrict digital sending e-mail destinations based onthe user. MFPs can control access to installed functions and installed applications (e.g. HP Autostore) basedon the user. Device usage may also be tracked with associated users.

Integrating MFP access controls with existing enterprise access controls reduces complexity and minimizesadministration requirements. HP and its partners support a wide variety of authentication mechanisms,including Microsoft Windows Domain accounts, proximity cards, and smart cards.

HP's Digital Sending Software (DSS) enables Windows and Netware authentication using an intermediaryserver, while Capella Technologies' VeriUser provides Windows authentication embedded in the MFP.Jetmobile's SecureJet, Ringdale's FollowMe, and SafeCom external authentication each provide smart card,swipe card, and proximity card capabilities.

8.2.2. Network printing authenticationPrinters and MFPs may enforce access controls for network printing to restrict usage of devices and the use ofhigh-value consumables. Auditing systems may also use the access controls to log user activity, such as datesand times of documents printed.

The HP Output Server and the Microsoft Windows Print Spooler provide direct integration of domainaccounts with printing access controls, which allows control of individual users and groups, including accessrights to network printers.

Table 4-6: HP imaging and printing security framework: security function categories

Secure the Device: Includes elements that protect the function of the physical device, including access controls for management and use, secure deletion of files, and physical security.

Protect Information on the Network: Includes network communications, including media access protocols such as 802.1x and secure management, scanning, and printing protocols.

Effectively Monitor and Manage: Includes the capabilities to securely manage fleets of imaging and printing devices and audit devices for compliance to security policies and regulatory requirements.

Trusted Infrastructure


8.2.3. Physical Document Access Control
Documents in the output bin of a network printer are at risk for unauthorized access. PIN and Pull Printing allow print jobs to be saved electronically in the device, or on an external server, until the authorized user is ready to print them. The user provides a simple PIN code, or uses an authentication method supported for other MFP walk-up operations, to release the print job. HP printers and MFPs provide native support for PIN printing, while Jetmobile, Capella Technologies, Ringdale, and SafeCom each provide solutions integral to their authentication products.

Server-based access control: All HP MFPs and digital senders offer server-based Windows NTLM, LDAP, Kerberos, and Novell authentication and authorization that integrates with your existing infrastructure to help your organization manage user access, prevent unwanted printing and digital sending, and help secure access to the management utility to prevent unwanted device configurations. With the exception of the HP 9085mfp and HP Color 9850mfp, all HP MFPs have device-based LDAP authentication (embedded from HP or installable from Capella Technologies). In addition, most HP MFPs have device-based Kerberos available. The HP Officejet 9130 All-in-One supports authentication as well, via the optional C8267A Secure Digital Sending Solution DIMM. A wide variety of numeric keypad, proximity, and swipe-card solutions are also available, providing a very rich set of capabilities to meet your particular needs.

Color access control: HP's suite of color access control features, available on some HP LaserJet MFPs and printers, lets you closely monitor color use, enable or disable color by individual users or groups or even applications, disable color printing and copying entirely until it's needed for special projects, and report costs back to specific clients, projects, workgroups, or departments.

Control panel lock: This feature within HP Web Jetadmin allows network administrators to deter unauthorized users from changing certain device configurations and control-panel settings by establishing a password and locking the control panel. You can choose from multiple levels of security, locking out specific control panel menus and allowing users to change the rest of the menus, or locking out all of the menus. It is even possible to lock the STOP button.

Private PIN printing: HP MFPs allow a personal identification number to be associated with the print job, which will only be released after that PIN has been entered at the MFP's control panel. Enhanced capabilities, such as retrieval of print jobs at any HP MFP or printer and the use of proximity and swipe cards, can be applied using Ringdale's FollowMe or Capella Technologies' pull printing solutions.

Remote printing security: Secure Document Express provides advanced document-encryption/decryption technology for HP devices equipped with embedded virtual machines. This third-party solution by Capella Technologies provides a fast and economical alternative to certified mail, courier services, and other secure document-delivery methods by allowing users to safely print to any SD-Express-equipped MFP or printer from anywhere on the Web.
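The hold-and-release flow described under Physical Document Access Control and Private PIN printing, written out as an added example in Python. This is not HP's, Ringdale's or Capella's code; it models the server side only: the job body stays on the server until the PIN is entered at the device, the server keeps a salted PBKDF2 hash of the PIN rather than the PIN itself, compares it in constant time, and locks the job after repeated wrong entries. The work factor, the attempt limit, the audit record layout and all names are this example's assumptions:

```python
"""Model of PIN-released (pull) printing on a print server.

Added illustration, not vendor code. The document bytes never leave
the server until the owner's PIN is presented at a device.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000   # assumed work factor for this example
MAX_ATTEMPTS = 3         # assumed lockout threshold for this example


def _hash_pin(pin, salt):
    """Salted PBKDF2-HMAC-SHA256 of the PIN; the PIN itself is not stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class HeldJob:
    """A print job waiting in the server's queue for PIN release."""

    def __init__(self, owner, document, pin):
        self.owner = owner
        self.document = document          # job bytes; sent only on release
        self.salt = os.urandom(16)
        self.pin_hash = _hash_pin(pin, self.salt)
        self.failed_attempts = 0

    def pin_matches(self, pin):
        # Constant-time comparison so timing does not leak matching prefixes.
        return hmac.compare_digest(_hash_pin(pin, self.salt), self.pin_hash)


class PullPrintQueue:
    """Server-side store of held jobs, keyed by an unguessable job id."""

    def __init__(self):
        self._jobs = {}
        self.audit = []   # (event, job_id, owner, device) records for logging

    def submit(self, owner, document, pin):
        """Hold a job; returns the id the client shows the user."""
        job_id = secrets.token_hex(8)
        self._jobs[job_id] = HeldJob(owner, document, pin)
        self.audit.append(("held", job_id, owner, None))
        return job_id

    def release(self, job_id, pin, device):
        """Return the document bytes for `device` to print, or None."""
        job = self._jobs.get(job_id)
        if job is None:
            return None
        if job.failed_attempts >= MAX_ATTEMPTS:
            self.audit.append(("locked", job_id, job.owner, device))
            return None
        if not job.pin_matches(pin):
            job.failed_attempts += 1
            self.audit.append(("bad-pin", job_id, job.owner, device))
            return None
        del self._jobs[job_id]   # one release per job; no second copy
        self.audit.append(("released", job_id, job.owner, device))
        return job.document

    def pending(self, owner):
        """Ids of jobs still held for `owner` (what a walk-up menu lists)."""
        return [jid for jid, j in self._jobs.items() if j.owner == owner]


if __name__ == "__main__":
    q = PullPrintQueue()
    jid = q.submit("alice", b"%PDF constructed payroll report", "4711")
    print("wrong PIN ->", q.release(jid, "0000", "mfp-lobby-01"))
    print("right PIN ->", q.release(jid, "4711", "mfp-lobby-01"))
    print(q.audit)
```

The audit list is what the Logging Device Activity section later calls user, document and destination tracking: every hold, failed entry, lockout and release is recorded with the device it happened at, so a report can show who released what and where.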

8.2.4. HP Secure Erase for Imaging and Printing
To meet the needs for higher levels of print and imaging security, Hewlett-Packard created HP Secure Erase technology for Imaging and Printing. This capability allows the administrator to select how data is erased from storage devices, including print, scan, fax, and copy jobs. Several levels of erase security are provided. The capability is provided as a standard feature on supported HP multifunction peripherals (MFPs), digital copiers, and printers when used with HP's Web Jetadmin (available separately).

HP Secure Erase technology provides a choice of three different modes of erase security, each of which can be configured by an administrator and may be protected from unauthorized changes with a password. The three erase security modes are:

1. Secure Sanitizing Erase mode: Conforms to the U.S. Department of Defense 5220-22.M specification for deleting magnetically stored data. Secure Sanitizing Erase uses multiple data overwrites to eliminate trace magnetic data and also prevents subsequent analysis of the hard disk drive's physical platters for the retrieval of data.

2. Secure Fast Erase mode: This mode completes the erasure faster than Secure Sanitizing Erase mode. Secure Fast Erase mode overwrites the existing data once, and prevents software-based "undelete" operations on the data.

3. Non-secure Fast Erase mode: The quickest of the three erasing modes. Non-secure Fast Erase mode marks the print job data as deleted, and allows the MFP's operating system to reclaim and subsequently overwrite the data when needed.


HP Secure Erase technology is applied in two different ways to remove data from storage devices. Secure File Erase erases files on a continuous basis as soon as they are no longer needed to perform the requested function. Secure Storage Erase removes all non-essential data from storage devices in a manner consistent with preparation for decommissioning or redeployment. This operation can be initiated on demand or scheduled for a later date and time.

All data removed from the system by a delete operation is erased using the active erase mode (Secure Sanitizing Erase, Secure Fast Erase, or Non-secure Fast Erase) - this includes temporary files created during the print, scan, fax, and copying processes. User-initiated delete operations, including Stored Jobs and Proof and Hold Jobs deleted through the "Retrieve Job" menu, are also removed using the active Secure Erase mode.

In contrast, the Secure Storage Erase operation will erase stored files even though they have not been retrieved. The HP Secure Erase features will not impact data stored on:

• Flash-based non-volatile RAM that is used to store default printer settings, page counts, etc.
• A system RAM disk (if utilized)
• The flash-based system boot RAM

HP's Secure Sanitizing Erase mode meets the U.S. Department of Defense 5220-22.M overwrite algorithms for overwriting disk files. Using a succession of multiple data overwrites, including the validation of the success of those overwrites, Secure Sanitizing Erase mode can prevent the subsequent physical analysis of the hard disk drive's media for recovery of data. Each byte of file data is overwritten with:

• The fixed character pattern (binary 01001000)
• The complement of the fixed character pattern (binary 10110111)
• A random character: a stream of random characters is generated using the device's uptime as a seed and is used to overwrite data

To ensure successful completion of the write operation, each overwritten byte is verified.
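The three erase modes and the Secure Sanitizing Erase overwrite sequence just described, modelled as an added example in Python on an ordinary file (this is not HP firmware code). The device uptime that the handbook says seeds the random pass is replaced by a caller-supplied seed, Secure Fast Erase's single overwrite is done with zeros, and the function names, the temporary file and the per-pass read-back check are this example's own choices:

```python
"""Model of the three HP Secure Erase modes applied to a job file.

Added illustration, not HP's implementation. Secure Sanitizing Erase
follows the sequence above: fixed pattern, its complement, then a
random stream, verifying every byte after each pass. Secure Fast Erase
does one overwrite; Non-secure Fast Erase only unlinks the file.
"""
import os
import random
import tempfile

FIXED_PATTERN = 0b01001000                  # first overwrite byte (0x48)
COMPLEMENT_PATTERN = FIXED_PATTERN ^ 0xFF   # 0b10110111, second overwrite byte


def _overwrite_and_verify(fh, image):
    """Write `image` over the whole file, then read it back byte for byte."""
    fh.seek(0)
    fh.write(image)
    fh.flush()
    os.fsync(fh.fileno())          # push the write out of the process
    fh.seek(0)
    return fh.read(len(image)) == image


def sanitizing_passes(length, seed):
    """The three overwrite images for Secure Sanitizing Erase.

    `seed` stands in for the device uptime mentioned in the handbook;
    how the seed is supplied is an assumption of this example.
    """
    rng = random.Random(seed)
    return [
        bytes([FIXED_PATTERN]) * length,
        bytes([COMPLEMENT_PATTERN]) * length,
        bytes(rng.getrandbits(8) for _ in range(length)),
    ]


def secure_erase(path, mode, seed=0):
    """Erase `path` in mode 'sanitizing', 'fast' or 'nonsecure'.

    Returns the per-pass verification results (empty for 'nonsecure',
    which never touches the data blocks).
    """
    size = os.path.getsize(path)
    if mode == "sanitizing":
        passes = sanitizing_passes(size, seed)
    elif mode == "fast":
        passes = [bytes(size)]      # single overwrite (zeros: an assumption)
    elif mode == "nonsecure":
        passes = []                 # blocks are merely marked free
    else:
        raise ValueError(f"unknown erase mode {mode!r}")

    results = []
    if passes:
        with open(path, "r+b") as fh:
            for image in passes:
                results.append(_overwrite_and_verify(fh, image))
    os.remove(path)
    return results


def demo(mode, content=b"CONFIDENTIAL constructed scan job 0042"):
    """Write a constructed job file, erase it, and return the pass results."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return secure_erase(path, mode, seed=12345)


if __name__ == "__main__":
    for m in ("sanitizing", "fast", "nonsecure"):
        print(m, demo(m))
```

The read-back here goes through the operating system, so it confirms what the filesystem holds rather than what is on the platter; firmware running on the device can verify at the block level, which is what the handbook's per-byte verification refers to. The third pass is the one that differs between runs, since the first two images are fixed for a given file length.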

8.3. Protect Information on the Network
Protecting information on the network ensures that network communications between users, administrators, the imaging and printing device, and the workflow are confidential, and prevents unauthorized modification by maintaining their integrity.

8.3.1. Network Connectivity with HP Jetdirect Devices
Network connectivity for HP imaging and printing devices is provided by the HP Jetdirect family of products, including internal cards, external boxes, and embedded networking. HP Jetdirect provides many secure network protocols and services, as listed in Table 4-6.


Table 4-6: HP Jetdirect secure network protocols and services

802.1x for Wired Networks: Provides access control to an Ethernet network. Network devices that are unable to authenticate to the 802.1x authorization server have all network access denied. 802.1x can prevent unauthorized users from attaching devices to the network as well as ensure that only IT-deployed and trusted devices, such as those with virus protection software, are allowed access.

IPsec: Allows for strong authentication, confidentiality, and integrity of communications, and can secure network printing and scanning protocols. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server uses a cryptographic accelerator to provide click-to-clunk performance that rivals unsecured protocols, and supports the IPsec implementations available in all current major operating systems, including Windows, Unix, and Linux.

SNMPv3 and HTTPS: Provide secure management of the imaging and printing device. SNMPv3 provides strong authentication and encryption of management communications and is used by HP Web Jetadmin to provide fleet management of HP imaging and printing devices. HTTPS using SSL/TLS provides security of web protocols and is used for secure management using the device's embedded web server, as well as security of web services such as consumable re-ordering.

Secure IPP (IPP-S): The secure form of the IPP protocol using SSL/TLS - Secure IPP - requires no additional configuration and is primarily intended for small networks lacking sophisticated IT administration. While Secure IPP may be used in large enterprise environments, IPsec is the recommended protocol for securing printing and scanning functions.


8.3.2. HP Digital Sending Software (DSS)
HP Digital Sending Software allows MFPs to digitally send documents to a variety of destinations, including e-mail, fax, and network folders.

DSS allows the MFP to authenticate a user prior to allowing access to MFP functions. DSS allows integration of authentication functions with Microsoft Windows (using NTLM or Kerberos) and Novell Netware (using Bindery or NDS) operating systems. If authentication is enabled, users are prompted for their username, password, and domain/tree by the MFP. The MFP then transmits these credentials to the DSS server, and the DSS server authenticates the user to the Windows or Novell system as appropriate.

If a remote network folder requires authentication for access, the user's previously provided credentials are used. If the user has not previously provided their user credentials, they are prompted to enter them to access the network folder.

HP Digital Sending Software 4.0 can encrypt scanned documents between the MFP and the DSS Server. The DSS Server may then use the secondary e-mail function to store the encrypted document in a location accessible to third-party applications, such as Omtool, that then securely re-transmit the document to its final destination via e-mail. In addition to the secondary e-mail function, secure sending to e-mail, fax, and network folders may be achieved by securing the network communications between the DSS Server and the remote server using IPsec.

To control e-mail distribution, the SMTP server used by the DSS Server may be configured to enforce internal security policies. Such policies may prevent digital sending to e-mail addresses outside of the internal network, or analyze the content of digitally sent documents to prevent breaches of confidentiality.

8.3.3. Fax/LAN Bridging
The analog fax port of an HP imaging and printing device is isolated from the digital network connectivity of the device. Communications to the analog fax are routed directly to the device formatter and cannot be bridged to the digital network, preventing the threat of an attacker connecting to the analog fax through a telephone line and then gaining access to an internal network.

HP is currently in the process of receiving Common Criteria Certification to validate this behavior in the HP LaserJet 4345mfp and 4730mfp.

8.4. Effectively Monitor and Manage
Effectively Monitor and Manage allows for imaging and printing infrastructure maintenance and enables auditing to facilitate compliance with policy and regulatory requirements. Effectively managing network resources is critical to maintaining a secure network.

8.4.1. HP Web Jetadmin for Fleet Management
HP Web Jetadmin (WJA) is the backbone for the administration and maintenance of imaging and printing products, from both HP and its competitors, deployed on enterprise networks. Fleet or batch management enables consistent management and security policy enforcement across a large number of imaging and printing devices. WJA can manage any device that supports the SNMP Printer MIB and allows manufacturers to develop device-specific extensions using plugins.

WJA uses SNMPv3 to ensure authenticated and confidential management of networked devices. WJA allows devices to be manually administered and can automatically discover and configure newly installed devices.

8.4.2. Device and Service Control
Imaging and printing devices support many network protocols and services. Protocols and services that are unused often go ignored, resulting in unintended vulnerabilities, such as unsecured management interfaces or printing protocols that circumvent job accounting controls. HP imaging and printing devices allow individual control over these protocols and services and let administrators enable only the functionality required.
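A fleet check for the "enable only what is required" rule above, as an added example in Python (it is not HP Web Jetadmin code). It takes a constructed per-device inventory of enabled services, of the kind an administrator would export from their fleet-management tool or gather by scanning their own devices, and reports every service the site policy does not require: cleartext management protocols left enabled alongside their encrypted replacements, direct-to-port printing paths that skip job accounting, and anything else that is simply unused. The policy sets, service labels and device names are this example's assumptions, not vendor configuration keys:

```python
"""Audit the services a printer fleet exposes against a site policy.

Added example, not vendor code. The inventory is constructed.
"""
from dataclasses import dataclass

# Policy assumption for this example: what a managed device may expose.
ALLOWED = {"https", "snmpv3", "ipps", "ipsec"}

# Cleartext service -> the encrypted service that makes it unnecessary.
CLEARTEXT_ALTERNATIVE = {
    "http": "https",
    "telnet": "https",
    "snmpv1": "snmpv3",
    "snmpv2c": "snmpv3",
    "ipp": "ipps",
    "ftp": "ipps",
}

# Printing paths that accept jobs without server-side accounting or release.
DIRECT_PRINT = {"lpd", "raw-9100"}


@dataclass(frozen=True)
class Finding:
    device: str
    service: str
    severity: str
    reason: str


def audit_device(device, services):
    """Return one Finding per enabled service the policy does not require."""
    findings = []
    for svc in sorted(services):
        if svc in ALLOWED:
            continue
        if svc in CLEARTEXT_ALTERNATIVE:
            alt = CLEARTEXT_ALTERNATIVE[svc]
            if alt in services:
                reason = f"cleartext {svc} still enabled alongside {alt}; disable {svc}"
            else:
                reason = f"cleartext {svc} enabled; enable {alt}, then disable {svc}"
            findings.append(Finding(device, svc, "high", reason))
        elif svc in DIRECT_PRINT:
            findings.append(Finding(device, svc, "medium",
                            f"{svc} accepts jobs that bypass job accounting and PIN release"))
        else:
            findings.append(Finding(device, svc, "low",
                            f"{svc} is not required by policy; unused services widen exposure"))
    return findings


def audit_fleet(inventory):
    """Audit every device; returns {device: [Finding, ...]}."""
    return {dev: audit_device(dev, svcs) for dev, svcs in inventory.items()}


def severity_counts(report):
    """Tally findings by severity across the whole fleet."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for findings in report.values():
        for f in findings:
            counts[f.severity] += 1
    return counts


# Constructed inventory: one hardened device, one with factory-style defaults.
INVENTORY = {
    "mfp-lobby-01": {"https", "snmpv3", "ipps"},
    "mfp-finance-02": {"http", "https", "telnet", "snmpv1", "snmpv3",
                       "ipps", "lpd", "raw-9100", "ftp", "slp"},
}

if __name__ == "__main__":
    report = audit_fleet(INVENTORY)
    for dev, findings in report.items():
        print(dev, "(compliant)" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.service}: {f.reason}")
    print(severity_counts(report))
```

Running this regularly against a fresh export turns the one-time hardening step into a drift check: a device re-enabled with defaults after a formatter swap or firmware reset shows up in the next report rather than going unnoticed.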

8.4.3. Firmware Updates
Firmware updates can correct product defects and enhance product functionality, and they are an important means for preventing the exploitation of security vulnerabilities. It is important for IT and security administrators to monitor the availability of firmware updates and apply them as necessary. HP releases firmware updates based on the severity of the defect and provides administrators the ability to receive automatic e-mail notifications of releases. HP Web Jetadmin allows an administrator to discover devices using out-of-date firmware and update those devices automatically over the network.

8.4.4. Logging Device Activity
Logging device activities ensures compliance to security and access policies. HP DSS, Capella, SafeCom, and Ringdale each allow device activity, including user, document, and destination, to be monitored. Logging functions can also include configuration and management actions.


8.5. HP Secure Print Advantage
The HP Secure Print Advantage (SPA) is a comprehensive, end-to-end, architected solution for securing the transmission and printing of sensitive documents and images, without disrupting your existing printer network. It consists of client software, a Secure Document Server, and a Secure Print Module for each networked printer (see also Figure 4-12). It is a traditional print server with policy configuration and enforcement, separation of roles, secure document management, authentication, authenticated audit, security protocol translation, and government certifications.

8.5.1. A Traditional Print Server with Strong Security
HP SPA enables enterprise-wide image and print management for most image and print output devices. It services a variety of clients, including print, fax, and web, and it works with enterprise jobs and queues. Benefits include simplified administration and inventory maintenance.

HP SPA simplifies print network administration in a variety of ways. A single system interface manages all output resources (print, fax, or web), and a common interface lets you configure dissimilar destination types. The system tracks job and output destination status via graphical display, pager, or e-mail for local and remote administration. By maintaining an inventory of output resources, such as ink and paper, HP SPA also helps you proactively manage supplies.

To support usage optimization and load balancing, the system tracks the source of print jobs and the number of copies.

The HP SPA solution includes three main components: the Secure Document Server, the Secure Print Module, and the secure client application.

• Secure Document Server: The Secure Document Server transforms a traditional print server into a certified security appliance. It manages secure printing, performs cryptographic key management, and enforces your organization's security policies. The HP SPA solution meets security standards such as Common Criteria and FIPS 140-2 level 4, the highest level of U.S. government security certification for commercial products.
• Secure Print Module: The Secure Print Module decrypts print jobs and manages secure download of updates to the printer. It also secures printer communication management, including user access and authentication at the printer through techniques such as biometrics, passwords, and smart cards. You can install the Secure Print Module with HP LaserJet printers and HP Multi-Function peripherals.
• Encrypting Client: The Encrypting Client is a Windows-based client that encrypts data at the client's computer.

Figure 4-12: HP Secure Print Advantage diagram (figure not reproduced; its labelled elements are the Encrypting Client, the Client, the Standard Spooler, the Secure Print Server, the Secure Print Module, and the MFP and/or Printer)


HP SPA can overlay an existing network - eliminating the need to reconfigure the network to add security. You can also integrate HP SPA in steps according to a rollout schedule to minimize disruptions.

Simple to deploy and easy to maintain, the HP SPA:

• Introduces security without forcing major network changes
• Works with new or previously installed HP or other printers
• Manages non-SPA print jobs

HP SPA includes policy configuration and enforcement. You can set up policies locally or remotely using dual administrator or security officer control. Rules are enforced according to predefined policies. Device location awareness aids in identifying which type of job can go to which printer (separating secured vs. unsecured areas). And authentication, through PIN and smart card access built into the Secure Print Module, provides additional security.

8.5.2. Authentication, Authorization, and Auditing (AAA)
AAA is important for effective network management and security. HP SPA provides configurable privacy, authentication, and authorization in several interactions, including:

• Client to image and print server communication
• Image and print server to device communication
• User to device communication via smart card or PIN

HP SPA offers multi-layer authentication capabilities including LDAP, Windows Active Directory, and PIN-based authentication.

Auditing capabilities within HP SPA include information about:

• Job sender
• Job completion date and time
• Authentication
• Job deletion, including who deleted it
• User pick up or entry
• Output errors, including partial images or print errors

The HP Secure Print Advantage (SPA) is a comprehensive, end-to-end architecture for the secure transmission and printing of sensitive documents and images. It does not disrupt your existing printer network, but instead preserves assets and allows your organization to work during implementation. With features like policy configuration and enforcement, separation of roles, secure document management, AAA, security protocol translation, and government certifications, HP SPA provides a comprehensive solution for today's print security environment.

8.6. Imaging and Printing-related Certification and Standardization

8.6.1. Common Criteria Certification
HP is currently in the process of receiving Common Criteria Certification for Disk Erase and analog fax capabilities for the HP LaserJet 4345mfp and 4730mfp.

HP supports the IEEE p2600's development of an imaging and printing security standard that will allow credible industry-wide Common Criteria Certification and expects to certify products to the standard when available.

While Common Criteria Certification provides a valuable means for assessing the security capabilities of a product, it is important to understand the true significance of Certification, what Common Criteria is and is not, and the role Common Criteria Certification plays in imaging and printing manufacturers' marketing differentiation claims.


Common Criteria Certification provides no credible means for assessing the true security capabilities of hardcopy products today, and should not be used as a measure for purchasing requirements. Common Criteria does not dictate necessary security functionality; it merely provides a means to assess the correctness of a manufacturer's implementation claims.

The varying levels of EAL (Evaluation Assurance Level) certification foster further confusion. Higher certification levels are assumed to provide greater levels of security. However, as certification reflects only the manufacturer's functional claims, the higher levels of certification are frequently meaningless.

The majority of the hardcopy industry currently certifies Disk Erase and Analog Fax functions, but this certification does not accurately portray a product's security capabilities or vulnerabilities. A product may advertise certification of these capabilities while providing no, or rudimentary, protection for the remaining system.

To ensure Common Criteria Certification provides value, it is important to understand the product's complete range of capabilities versus those for which certification is claimed. While certification can prove what a product does properly, it says nothing of what a product does not do, and to what degree that omission represents a security risk.

8.6.2. IEEE p2600
The IEEE p2600 working group is defining a security standard for hardcopy devices, as well as recommendations for the security capabilities of devices when deployed in various environments, including enterprise, high-security, small office/home office, and public spaces. The p2600 working group has broad industry participation, including HP, Lexmark, Canon, Xerox, Sharp, Ricoh, IBM, Epson, Okidata, Equitrac, and Oce. The p2600 standard will provide a means for credibly measuring the security capabilities of individual manufacturers. HP is actively participating within the working group and HP devices support the majority of capabilities specified in the draft documents.

8.6.3. NIST Security Checklists
The National Institute of Standards and Technology (NIST) has been tasked by U.S. legislation to develop checklists that facilitate security configuration of devices likely to be used by the U.S. Federal Government. NIST has requested IT equipment manufacturers to develop these security checklists for their products. NIST will review manufacturers' checklists for relevance and correctness and publish those checklists on a searchable NIST website. Details of the checklist program are available at http://csrc.nist.gov/checklists.

HP considers security checklists a means to significantly improve the ease of configuring the security capabilities of imaging and printing products. A security checklist for the HP LaserJet 4345mfp is available for public review at http://checklists.nist.gov/repository, and is currently the only hardcopy product checklist available from any manufacturer. HP plans to develop additional checklists for hardcopy devices in the future.

8.6.4. Conclusion: Look Beyond Common Criteria Certification
Ultimately, individuals must look carefully at their requirements and not be swayed by manufacturer advertising claims. Common Criteria Certification adds significant cost and development time to products, while providing limited assurance of the product's actual capabilities and potential vulnerabilities. Products that are not certified may actually provide more robust security capabilities than products that are certified. NIST security checklists simplify the complex process of enabling security functions, and better illustrate the product's capabilities.


8.7. Conclusion
HP imaging and printing has evolved with enterprise security needs. HP offers imaging and printing devices with a broad range of security capabilities, including high-security products that allow operations in the most demanding environments and the tools to effectively manage large-scale deployments of those devices.

While it would be impossible to prescribe all of the security requirements for an enterprise's imaging and printing environment, the following recommendations may be used as a starting point for enabling that security.

1. Assess Common Criteria Certification needs: The features being certified by the hardcopy industry are not representative of the true risks that face imaging and printing devices. It is critical to scrutinize certification and assess the capabilities of the device against actual needs.

2. Fleet/batch manage using HP Web Jetadmin: HP Web Jetadmin provides consistent management of enterprise-deployed imaging and printing devices and is critical for maintaining a secure environment. Fleet management aids in the consistency of policy enforcement and assists in audit and regulatory compliance.

3. Update firmware images: Firmware updates protect against product defects and vulnerabilities. HP provides automated firmware update notification services, and HP Web Jetadmin aids in deploying updates across enterprise environments.

4. Disable unused ports and services: Frequently, imaging and printing devices have unused capabilities that are enabled. In some cases, these capabilities may enable functionality counter to the intent of the administrator, such as leaving insecure management protocols accessible when only encrypted management is desired.

5. Implement access controls: HP printers and MFPs allow a variety of user-level authentication mechanisms, including passwords, proximity cards, and smart cards. Access controls can ensure that only authorized users utilize the imaging and printing infrastructure, while authentication capabilities provide assurances of who is using the environment, and how they are using it, which aids in audit and regulatory compliance.

6. Implement secure protocols: The sophistication necessary to sniff network traffic has been reduced by the distribution of hacking tools, as well as by legitimate network analyzers. IPsec secures existing printing and scanning applications with strong encryption, while SNMPv3 and HTTPS secure management functions.

9. HP Trusted Infrastructure Services
HP offers a wide range of services capability for designing and implementing trusted infrastructures that meet organizations' business needs. HP's Consulting and Integration Services combined with HP Technology Services and HP Outsourcing Services offer trusted infrastructure services at every point in the security lifecycle. The following is an overview of HP's Trusted Infrastructure services (see www.hp.com/go/security):

• Infrastructure review and implementation design
• Security assessments across the infrastructure
• Physical asset protection
• Network, system, and host security
• Adaptive Network Architecture
• Application security and application auditing
• Security workshops and training


10. Trusted Infrastructure Summary
As reliance on IT infrastructures increases for businesses and society, we face important challenges. We must stay ahead of the security needs for reliable infrastructure technologies. Fundamental IT building blocks must be innovated and redesigned to include security features. From clients to servers, from networking to storage, and in printing technologies, infrastructure security mechanisms must be continually improved to support adaptive and flexible IT solutions.

HP is investing to ensure that we continue to deploy secure and reliable trusted infrastructures. HP is an industry leader, driving this agenda across platforms, OSs, and infrastructure solutions. Importantly, HP's leadership in the TCG has brought the industry together to greatly increase baseline security of infrastructure technologies to meet current and future customer needs.

Alongside other efforts, such as establishing secure development practices within HP and driving infrastructure technology standards, Trusted Computing provides the security building blocks that allow the IT industry to continue to innovate and deliver the power of IT across reliable trusted infrastructures.


Table 4-8: HP trusted infrastructure solution offering summary (Trusted Infrastructure component; solutions; URL)

Network Security: HP ProCurve Networking; HP Virus Throttle; HP Adaptive Network Architecture; HP ProLiant Essentials Intelligent Networking Pack; HP IPFilter/9000; HP ProLiant DL320 Firewall/VPN/Cache Server. URL: www.hp.com/go/security/trusted (click the Solution Components tab).

Host Security: HP ProtectTools; HP-UX 11i; Linux; HP NetTop; HP OpenVMS; Tru64; HP NonStop Systems; HP Atalla Security Products; HP Trusted Compliance Solution for Energy; HP Application Security Center; HP Enterprise Mobility Suite. URLs: www.hp.com/go/security/trusted (click the Solution Components tab); www.spidynamics.com; www.hp.com/go/ems.

Storage Security: HP StorageWorks LTO-4 Ultrium 1840 Tape Drive; HP StorageWorks Secure Key Manager; HP Compliance Log Warehouse. URL: www.hp.com/go/security/trusted (click the Solution Components tab).

Imaging and Printing Security: HP Secure Print Advantage. URL: www.hp.com/go/security/trusted (click the Solution Components tab).

HP Security Services: Trusted Infrastructure Services. URL: www.hp.com/go/security/trusted (click the Solution Components tab).


For additional information, refer to the following resources:

Trusted Computing Platforms: TCPA Technology In Context, by Dr. Siani Pearson et al., Prentice Hall PTR, July 2002, ISBN 0-13-009220-7 (Order at www.hp.com/hpbooks.)

Cisco's documentation web page: www.cisco.com/univercd/home/home.htm (For general references, see the links under the "Hot Items" and "Networking Information" headings.)

SANS Institute Information Security Reading Room: www.sans.org/rr/ (An excellent selection of white papers on a wide variety of network and general security topics)

Inside Network Perimeter Security, Stephen Northcutt et al., Sams, 2nd Edition 2005, ISBN 0-6723-2737-6

Information Security Management Handbook, Harold F. Tipton and Micki Krause, Auerbach Publications, 5th Edition 2004, ISBN 0-8493-1997-8

Official (ISC)2 Guide to the CISSP Exam, Susan Hansche, John Berti, and Chris Hare, Auerbach Publications, 2004, ISBN 0-8493-1707-X

4-85

Page 195: HP Security Handbook

Chapter 5: Innovation in Information Security

"HP Labs' corporate immune system technologies transformed debilitating attacks, which have caused widespread interruptions within other companies, into localized annoyances at HP. This secures our Adaptive Enterprise. It is HP Invent at its best."
- Sherry Ryan, HP Director of Information Security

Introduction

The introduction to this handbook outlined the changing nature of enterprise computing, the rapidly changing threat landscape, and the consequences for IT security. Throughout the handbook, we have described HP's current offerings that help our customers achieve appropriate IT security. In this section, we focus on the longer-term future and the contributions of HP Labs, HP's central research organization. HP Labs' function is to deliver breakthrough technologies and technology advancements that provide a competitive advantage for HP, and to create business opportunities that go beyond HP's current strategies.

In this future, businesses will rely on highly mobile, flexible, shared infrastructures that support rapidly changing business processes. In addition, personal experience-driven trends such as Web 2.0, which empower users to share information more richly, will shape the way employees manage information and will place new demands on how enterprises manage it. There will be many challenges in keeping businesses and business processes safe and secure. However, alongside these challenges, we also see opportunities to create qualitative changes in IT security that will be key enablers in making this new world a reality.

As context, it is useful to think about the lifecycle of security management. As shown in Figure 5-1, security starts with an analysis of the IT-associated risks. From that analysis, policies and controls evolve that shape the way security investments, operations, and configurations are executed. This in turn leads to mechanisms that enforce policy in the infrastructure, and finally to the monitoring of key parts of the overall system, including incidents and events, which are aggregated and analyzed to provide assurance that regulations are being met and risks are appropriately mitigated. All of this takes place in the context of a changing threat landscape, in which we expect to have to protect against more targeted attacks and the exploitation of increasing numbers of unknown vulnerabilities.

Figure 5-1 Security management lifecycle (Start Here: 1. Understand Risk; 2. Policy; 3. Deploy Technology; 4. Trusted Infrastructure; 5. Compliance. Also labeled: Threats, Regulation, Accreditation.)

Many enterprises are consolidating or outsourcing their data centers. At HP Labs we are investing beyond this stage, to the point where data centers are shared and federated, creating a true compute utility. This program involves virtualization, automation, and even integrating smart cooling. Such an agile infrastructure will enable businesses to change IT more rapidly, but each change will have risk implications, which in turn means we have to become more efficient and effective at operating this security lifecycle. Today's best practices and mechanisms will all help, but at some point soon a qualitative change in capability will be required.

This is a tremendous challenge, and one that we must overcome to realize the future IT vision. Today, people and manual processes control much of this lifecycle, using crude tools and infrastructure that lacks the necessary security properties. HP Labs is creating technology to model, connect, simplify, and, where possible, automate the various activities. We are also investing heavily to create trusted infrastructure with better security properties, which will ensure that policies remotely passed to shared and virtualized components are reliably enforced, and that meaningful, trustworthy assurance information is returned.

This chapter provides a short overview of some of these ideas, covering the Economics of Information Security, Identity Management, Trusted Infrastructure, Assurance, and Threat Management.

Unique among technology companies, HP has a broad and deep set of offerings across all market segments: from consumer to enterprise, from small and midsize businesses to the public sector. Reflecting this diversity, HP Labs' research portfolio includes projects in imaging and printing, advanced architectures, mobile systems, nanotechnology, business intelligence, and media systems. Many of these technologies have the potential to disrupt trust and security. The three examples we picked to cover in this chapter are Quantum Cryptography, Memory Spot, and Trusted Printing.


1. Trust Economics

Creating a security architecture, particularly one which meets the security governance objectives of the business within the overall requirements of IT governance, is a challenging task. While senior managers or officers of an organization use quantitative measures for financial risk management in corporate governance, they typically resort to a qualitative understanding of IT risks to manage information system risk. Developing a quantitative information system risk management toolset is a grand challenge in information security, which HP Labs is tackling through its Trust Economics program.

Trust economics is the conceptual framework that HP is developing to pursue the study of information security policies, protocols, and investment strategies. HP's perspective is one of systems thinking, embracing studies of both the economic factors and the user behaviors that bear on IT risk management. Two key problems facing senior managers with responsibility for information and systems security are:

• Developing an economic understanding of how to formulate, resource, measure, and value security policies
• Understanding the attitudes of users to both information and systems security, and their responses to imposed security policies

A model of the system and its economic environment is necessary to assess the effectiveness and value of security investments. A rigorous understanding of the behavior of users, together with the economic value of the system's security measures, can be captured within an extension of some established mathematical systems modeling techniques. Our technique integrates the following three perspectives:

• Modeling the behavior of the users of systems, both internal (operators, staff) and external (customers, regulators), in the context of security policies and protocols
• Mathematical modeling of systems, organizations, and networks, including the security policies and protocols that govern access
• Economic modeling of the costs and value of security policies, protocols, and technologies

The main challenge here is to understand how to develop and effectively integrate two different kinds of modeling. We must extend the mathematical modeling of the technological aspects of a system to encompass the users of the system; we must also integrate economic models as valuation methods. A significant challenge is to build models at levels of abstraction that capture just the questions of interest and avoid irrelevant, complicating details.

Mathematical systems modeling uses methods drawn from algebra, logic, computation theory, and probability theory. User modeling uses psychological models (e.g., cognitive architectural and knowledge models) based on our understanding of humans. Embedded user models (those held by systems to represent characteristics of users) often rely on statistical methods. Assessing the validity of such models requires empirical study, in the form of field or ethnographic studies and/or experimentation. We aim to integrate these approaches into a suitable economic model and develop a new science of systems security services.

Example topics we are investigating include:

• Establishing effective security cultures: By modeling the behavioral consequences of policy choices, we seek to establish mechanisms for selecting those choices that promote more effective “cultures”. For example, by providing security consultants and systems engineers with the tools and techniques to quantify decisions, better understood and more justifiably trusted systems can be built.
• Employee risk assessment: By establishing mechanisms for assessing the consequences, relative to a given security posture, of particular patterns of behavior, we will be able to provide a framework to assess the possible security implications of particular policy and implementation choices relative to the intended users of the system.
• Investment strategies for information security: Understanding the investment options against the dynamic threat environment.


2. Identity Management

In many ways identity management is already a mature discipline, with many good tools and best practices, as described in the identity management chapter (Chapter 3) of this handbook. However, the problem of identity and access management continues to get more complicated. Solutions need to scale to a growing number of users, roles, data items, and resources. Constant change, fueled by de-perimeterization and increasing numbers of acquisitions, virtual organizations, and transient partnerships, demands techniques that simplify identity management.

Two trends create new challenges. The first comes from the changing nature of the resources and content that must be protected, and the second is the devolution of identity control from the organization to the individual. Content is getting more complicated, whether it is highly structured in centrally controlled data warehouses, semi-structured formal documents, or even ad hoc items on collaboration portals or client machines. Personal experience-driven trends such as Web 2.0 empower users to share information more richly and place the individual in greater control of information and identity. Businesses must adapt to these changes while preserving the control that allows them to meet regulatory requirements and manage business risk.

This section presents HP research addressing two related challenges, in the context of policy enforcement/control and policy planning/definition:

• Content-aware Access Policies: Access policy expression and enforcement to help deal with complexity, scale, and assurance
• Role Discovery: Sophisticated algorithms we have developed to “discover” implicit roles and thereby help plan major Identity Management changes

2.1. Content-aware Access Policies

Enterprise information comes in a number of forms, including database tables, semi-structured documents (e.g. XML), and even unstructured files and volumes. Moreover, the source and manner of content creation can vary from formal business processes, through ad hoc collaborations, to individual content generation (e.g. blogs). Finally, the subject of this information can span employee data, financials, sales collateral, contracts, intellectual property, and customer, partnership, and forecast data, each with subtly different business sensitivity and regulatory control.

The challenge is how to maintain the ability of the business to extract full value and flexibility from this data while maintaining the necessary control. As a simple example of the problem, consider access control rules for data containing personally identifiable information (PII). Privacy protection legislation demands that organizations clearly state the purpose for which they will access and use data containing PII. A business may be able to make much legitimate use of such data, but without ways to differentiate usage, it is difficult to apply mechanisms that allow, anonymize, or restrict access in line with PII regulations.

HP Labs has explored content-aware access policies to deal with this. The goal is to move beyond simple binary access decisions. Content-aware access policies take account of the content or context of a request for data and might return only limited portions of the data. An early example of this is the HP Labs “privacy policy enforcer”, which specifically takes account of purpose before granting access to PII data. A richer example is an engine that takes a structured (e.g. XML) document with policies potentially associated with each component of the document. For each request, the engine uses credentials, context, and policy to create a valid view of the document that it returns to the requestor.

This approach allows fine-grained access policies for dealing with anything from enterprise blogs to patient records. For example, it becomes possible to express and enforce audited access for doctors accessing a patient’s records remotely or outside normal hours; partial access could also be granted to nurses, hospital administrators, and even researchers with particular credentials (e.g. to study certain kinds of diseases).

Richer policy is only part of the problem. It must also be made easy to produce content with appropriate structure, and as IT environments become more distributed and shared we will need infrastructure with better security properties to ensure that these richly expressed policies are actually being enforced.
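The document-view engine and the patient-record scenario above can be made concrete with an added illustration (not HP Labs' privacy policy enforcer or its engine). A constructed XML patient record carries a hypothetical per-element policy vocabulary (the attributes allow, purpose and study are assumed here, not a real schema), and the engine prunes the document to the view a given role, purpose and credential set is entitled to, recording doctor access that is remote or outside normal hours.

```python
"""Content-aware access policy engine over an XML document (illustration).

Added example, not HP Labs' privacy policy enforcer or document engine.
Each element of a constructed patient record may carry hypothetical policy
attributes (assumed vocabulary, not a real schema):
  allow   - comma-separated roles allowed to see the element
  purpose - purposes for which the element's PII may be released
  study   - a study credential a researcher must hold to see the element
Elements without an allow attribute inherit their parent's decision.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample record; all values are fictional.
PATIENT_RECORD = """<patient id="p-001">
  <name allow="doctor,nurse,admin" purpose="treatment,billing">Jane Example</name>
  <dob allow="doctor,nurse" purpose="treatment">1970-01-01</dob>
  <diagnosis allow="doctor,nurse,researcher" purpose="treatment,research"
             study="oncology">
    <code>C50.9</code>
    <notes allow="doctor" purpose="treatment">Stage II, responding to therapy.</notes>
  </diagnosis>
  <billing allow="admin" purpose="billing">
    <insurer>ACME Health</insurer>
  </billing>
</patient>"""

POLICY_ATTRS = ("allow", "purpose", "study")


@dataclass
class Request:
    """Who is asking, for what purpose, and under what circumstances."""
    role: str
    purpose: str
    remote: bool = False
    after_hours: bool = False
    credentials: set = field(default_factory=set)   # e.g. {"study:oncology"}


def _permitted(elem, req):
    """Policy decision for one element: role, purpose and credentials must all fit."""
    allow = elem.get("allow")
    if allow is None:
        return True                                   # inherits parent's decision
    if req.role not in allow.split(","):
        return False
    purposes = elem.get("purpose")
    if purposes and req.purpose not in purposes.split(","):
        return False                                  # purpose binding for PII
    study = elem.get("study")
    if study and req.role == "researcher" and f"study:{study}" not in req.credentials:
        return False
    return True


def _prune(elem, req, audit, path):
    """Drop sub-trees the request may not see; strip policy metadata from the rest."""
    for child in list(elem):
        child_path = f"{path}/{child.tag}"
        if not _permitted(child, req):
            elem.remove(child)
            continue
        # Doctors get access remotely / after hours, but every released
        # policy-bearing element is written to the audit trail.
        if child.get("allow") and req.role == "doctor" and (req.remote or req.after_hours):
            audit.append(f"doctor read {child_path} remote={req.remote} "
                         f"after_hours={req.after_hours}")
        for attr in POLICY_ATTRS:
            child.attrib.pop(attr, None)
        _prune(child, req, audit, child_path)


def build_view(xml_text, req):
    """Return (view_root, audit_records): the document as this requester may see it."""
    root = ET.fromstring(xml_text)
    audit = []
    _prune(root, req, audit, root.tag)
    return root, audit


def visible_tags(xml_text, req):
    """Sorted element tags present in the requester's view (excluding the root)."""
    root, _ = build_view(xml_text, req)
    return sorted({e.tag for e in root.iter()} - {root.tag})


if __name__ == "__main__":
    for req in (Request("nurse", "treatment"),
                Request("researcher", "research", credentials={"study:oncology"}),
                Request("admin", "billing"),
                Request("doctor", "treatment", after_hours=True)):
        root, audit = build_view(PATIENT_RECORD, req)
        print(req.role, req.purpose, "->", ET.tostring(root, encoding="unicode"))
        for line in audit:
            print("  AUDIT:", line)
```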

Individuals have a similar problem in their use of information and communication technologies in their private lives, and this is compounded by their use of multiple partial identities for different online relationships and purposes. HP Labs is researching the use of a policy-driven approach for managing personal information within personal client devices and controlling its release to other parties based on their policies, reputations, and other trust factors.


2.2. Role Discovery

Traditionally, IT personnel manage access rights directly. However, in large enterprise environments this becomes impractical simply because of the scale and dynamic nature of the problem. In a large organization, it is common to have tens of thousands of users connecting to a similar number of resources. Role-based Access Control (RBAC) is a standard approach whereby an intermediate set of entities, called roles, is used to aggregate resources. For example, a role might be defined for an accounts receivable clerk to grant access to the set of resources that such a person would need in order to do their job. Users can then simply be assigned to roles. This greatly simplifies the management problem and is particularly effective because the approach aligns more closely with the business objectives of the organization.

A major challenge is transforming an organization from a traditional access control system to an RBAC system. This labor-intensive process requires an organization to initiate a role development study in which the roles are researched and meticulously defined to meet the organization’s business needs.

At HP Labs, we have developed a new approach, called role discovery, to make this role development process more efficient by discovering the roles that are implicitly defined in the organization’s existing traditional access control environment.

The technical innovation behind role discovery is the formalization of this problem in terms of graph theory. We can show that a set of traditional access control rules can be represented as a kind of graph called a bipartite graph, with users on one side and resources on the other. Moreover, the transformation of that system to a set of RBAC rules corresponds to transforming that bipartite graph into another kind of graph called a tripartite graph, in which roles form the intermediate set of nodes.

This is a well-known problem in theoretical computer science. It is a particularly difficult one, for which no known algorithm can guarantee to find the optimal solution in a reasonable amount of time. In fact, it is even difficult to find an approximate solution efficiently. However, we have developed algorithms that work extremely well in practice on real data. These algorithms scale to very large problems and are very fast.

HP’s internal IT department is using role discovery to help simplify the way we manage how external business partners connect into internal HP systems. We are defining a new network access control paradigm that leverages the simplicity and manageability of RBAC for the network layer. Role discovery is a tool to help make that transition more efficient.
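The bipartite-to-tripartite factoring described in this section can be followed in miniature with an added example (this is not HP Labs' role discovery algorithm, which the handbook does not publish). A constructed user-permission assignment for a small finance department is factored by a simple greedy heuristic into roles, and the result is checked to grant exactly the original permissions, no more and no less.

```python
"""Role discovery as bipartite -> tripartite graph factoring (illustration).

Added example, not HP Labs' role discovery algorithm. The input is a
traditional user-permission assignment (UPA): a bipartite graph between
users and permissions. The output is a set of roles with user-role (UA)
and role-permission (PA) assignments: a tripartite graph that grants
exactly the same permissions. A greedy heuristic is used because, as the
text notes, an optimal factoring cannot be guaranteed in reasonable time.
"""
from itertools import combinations

# Constructed sample UPA: a finance department plus one IT user.
UPA = {
    "alice": {"ledger_read", "invoice_read", "invoice_write"},
    "bob":   {"ledger_read", "invoice_read", "invoice_write"},
    "carol": {"ledger_read", "invoice_read", "invoice_write"},
    "dave":  {"ledger_read", "invoice_read", "invoice_write", "invoice_approve"},
    "erin":  {"ledger_read", "invoice_read", "invoice_write", "invoice_approve"},
    "frank": {"ledger_read", "invoice_read"},
    "grace": {"ledger_read", "invoice_read"},
    "heidi": {"ledger_read", "invoice_read"},
    "ivan":  {"server_admin", "vpn"},
}


def discover_roles(upa):
    """Greedy factoring: repeatedly pick the candidate permission set that
    covers the most still-uncovered (user, permission) edges.

    Returns (PA, UA): PA maps role name -> frozenset of permissions,
    UA maps user -> set of role names."""
    uncovered = {u: set(p) for u, p in upa.items()}
    pa, ua = {}, {u: set() for u in upa}
    while any(uncovered.values()):
        # Candidate roles: each user's remaining permissions, plus pairwise
        # intersections of those sets (permission sets several users share).
        cands = {frozenset(p) for p in uncovered.values() if p}
        for a, b in combinations(list(cands), 2):
            if a & b:
                cands.add(a & b)
        best, best_score, best_users = None, 0, []
        for c in sorted(cands, key=lambda s: sorted(s)):   # deterministic ties
            # Give the role only to users who hold every permission in it
            # (nobody becomes over-privileged) and still have something to gain.
            users = [u for u in upa if c <= upa[u] and c & uncovered[u]]
            score = sum(len(c & uncovered[u]) for u in users)
            if score > best_score:
                best, best_score, best_users = c, score, users
        role = f"R{len(pa) + 1}"
        pa[role] = best
        for u in best_users:
            ua[u].add(role)
            uncovered[u] -= best
    return pa, ua


def expand(pa, ua):
    """Recompose the bipartite UPA from the tripartite UA/PA."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}


def edge_counts(upa, pa, ua):
    """Edges in the original bipartite graph vs. the tripartite one."""
    bipartite = sum(len(p) for p in upa.values())
    tripartite = sum(len(r) for r in ua.values()) + sum(len(p) for p in pa.values())
    return bipartite, tripartite


if __name__ == "__main__":
    pa, ua = discover_roles(UPA)
    assert expand(pa, ua) == UPA          # same access, expressed through roles
    for role, perms in pa.items():
        members = sorted(u for u, rs in ua.items() if role in rs)
        print(role, sorted(perms), "->", members)
    print("edges (bipartite, tripartite):", edge_counts(UPA, pa, ua))
```

On this data the heuristic finds a read-only role shared by all eight finance users, an invoice-writing role layered on top of it for clerks and managers, an approval role for managers only, and a separate IT role.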

3. Trusted Infrastructure

Utility computing introduces extraordinary flexibility for enterprise computing. It will mean compute resources available on tap, with tightly defined and easily expressed parameters. For example, an enterprise service might be configured using the following specification:

I need resources to run an ERP application. The service needs to be globally available, with load/performance requirements varying across time zones. Given that it is running in a shared environment, in addition to the normal security operations I need extra assurance that the confidentiality and integrity of my resources will be maintained.


Virtualization is a key ingredient in realizing this vision. The ability to virtualize computing platforms enables us to run multiple operating systems on a single platform. This is useful because many legacy applications can now share physical resources, consolidating servers and creating the flexibility to move applications around as demand changes. However, securing a single platform is challenging, and it is something that must exist as a foundation for the security of the management system controlling these virtual resources.

Standard usage of virtualization has a virtualization layer that restricts the view the guest operating system (virtual machine) has of the physical platform. This can be extended to restrict the access each virtual machine has to other infrastructure elements such as the network and shared storage. This is very useful for utility computing, as it enables us to create virtual (and flexible) network and storage infrastructures that run over shared physical network and storage resources. However, this makes the virtualization layer a critical point for security. Any defects here could compromise the security of the virtual networks and storage, the management system, and the virtual machines “owned” by the customers of the utility.

Today’s virtualization platforms typically run a full-blown operating system directly. This is a large and complex piece of code to rely on to isolate functionality and enforce policies. From a security perspective, it is desirable to rely instead on the much simpler (and smaller) virtual machine monitor (VMM), which is mainly responsible for the lifecycle and scheduling of virtual machines. The problem is how to design a management system for such a virtual platform that is not itself subject to all of the vulnerabilities of a large-scale operating system.

HP Labs is pursuing research to create a trusted virtual platform. One component of this research is that we would like to use the VMM to isolate various security services from the main management system. However, this is not practical or secure if each service runs in a large-footprint OS. For the Xen virtualization platform, we have therefore built a very lightweight library OS with communication services, suitable for running a number of security services. This enables us to create more trustworthy security services such as component identity, integrity, and audit.

A second problem that quickly emerges with all these virtual components is how to ground, or root, trust. If a virtual software component presents itself, on what basis can it be trusted? Trusted computing, as defined by the Trusted Computing Group (TCG), provides a physical root of trust for identity and attestation that is a natural answer to this. It is possible to create a chain of trust through the virtualization layer so that identities and attestations presented by virtual components are rooted in the physical TPM. This means that a remote machine (customer or management utility) can verify that each component is running the expected software, that it is running on a virtual platform that can be trusted to enforce security policies, and that the component is isolated from other software sharing the same physical platform.

In addition to securing platforms for next-generation data centers, these security virtualization properties apply to client machines. For example, with these mechanisms, users can trust using one virtual machine for playing games, another for private banking, and another to access their workplace intranet. Moreover, the bank and the employer can use TCG-based attestation to gain assurance that the correct virtualization software is running, and that bank- and corporate-approved software and configurations operate in the virtual machines with which they are interacting.

HP is leading the EU-funded research collaboration “Open Trusted Computing” (see www.opentc.net), which seeks to combine open source, virtualization, and TCG mechanisms to create trusted platforms. This project has already demonstrated the banking example described above.

4. Assurance

While it is important to build security enforcement mechanisms into systems, it is equally important to build in the hooks to know that the security is working and to detect when users are misusing systems. As we build compute utilities with automated management, we need systems to provide automated assurance. Today, because so much security relies on best practices, assurance is largely manual, with auditors using spreadsheets to reconcile events with process controls. There are two challenges here: first, how to build a framework to automate this kind of reconciliation, and second, how to ensure there are independent paths in the systems and infrastructure that can be relied on to provide trusted information to this framework.

The work on model-based compliance described in the Governance and Compliance chapter (Chapter 1) addresses the first of these problems. The modeling tool allows auditors and risk officers to create intuitive graphical representations of the controls and of how they should be tested. The models also have precise semantics, which enables the structures to be integrated directly with data from the IT environment. Through customer pilot projects, this approach has been shown to remove much of the routine data collection and analysis, allowing more of the auditor’s time to be devoted to more meaningful risk discussions.

We can apply this approach to current environments, but today designing the data collection is a manual integration project. In utility environments, where the infrastructure is always changing, the models need to adjust automatically to collect data appropriate for the current configuration. Moreover, because multiple parties share the infrastructure, we have to address the second problem of making the collected data trustworthy.

This is where our work on assurance and trusted infrastructure comes together. In the trusted infrastructure section, we hinted at how the trusted virtual platform design enables us to build small-footprint security services that can be isolated (i.e. independent) from other parts of the management system. This is the basis for the work we are doing to create a secure and independent audit service which can be deployed (perhaps multiple times) onto a physical platform. The components of the audit service, attested to using TCG-based mechanisms, provide configurable and independent monitoring of the basic building blocks of the utility.

Significant challenges remain, however, in determining what mixture of events, configuration, and state attestations provides adequate assurance about a virtual platform.
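The chain of trust that both the trusted virtual platform (section 3) and the attested audit service above rely on can be followed in a small simulation. This is an added example, not HP Labs' or OpenTC code: the component images, the root key and the HMAC-based quote are constructed stand-ins for a real TPM's platform configuration registers and attestation key, and the extend rule is the TCG one.

```python
"""Chain of trust through a virtualization stack (simulation).

Added example, not HP Labs' trusted virtual platform code. Each layer
measures (hashes) the next component before handing control to it and
folds the measurement into a register with the TPM "extend" rule
    PCR_new = SHA1(PCR_old || measurement)
so the final register value depends on every component and on their order.
The platform then returns a quote over (register, verifier nonce) signed
by its root of trust. A remote verifier checks the signature, replays the
event log to reproduce the register, and requires each measurement to be
one of the software images it approves.

The root key and the HMAC "signature" stand in for a TPM attestation
identity key (real TPMs sign with RSA/ECC); the images are constructed.
"""
import hashlib
import hmac

# Constructed component images in boot order: the VMM, the small library OS
# of the text, and an isolated audit service running inside it.
APPROVED_COMPONENTS = {
    "vmm":           b"xen-vmm-image (constructed stand-in)",
    "library-os":    b"library-os-image (constructed stand-in)",
    "audit-service": b"audit-service-image (constructed stand-in)",
}
ROOT_KEY = b"constructed root-of-trust key, stands in for a TPM AIK"
INITIAL_PCR = b"\x00" * 20


def measure(image):
    """Measurement of a component is the SHA-1 of its image."""
    return hashlib.sha1(image).digest()


def extend(pcr, measurement):
    """TPM extend: the register is a hash chain that can only be appended to."""
    return hashlib.sha1(pcr + measurement).digest()


def boot_and_quote(components, nonce, root_key=ROOT_KEY):
    """Platform side: measure each component in boot order, extend the
    register, and return (event_log, register, quote_signature)."""
    pcr, log = INITIAL_PCR, []
    for name, image in components:
        m = measure(image)
        log.append((name, m))
        pcr = extend(pcr, m)
    sig = hmac.new(root_key, pcr + nonce, hashlib.sha1).digest()
    return log, pcr, sig


def verify_quote(log, pcr, sig, nonce, approved=APPROVED_COMPONENTS, root_key=ROOT_KEY):
    """Verifier side. Returns (ok, reason)."""
    expected = hmac.new(root_key, pcr + nonce, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature or stale nonce"     # replay or forgery
    replay = INITIAL_PCR
    for name, m in log:
        if name not in approved or measure(approved[name]) != m:
            return False, f"unapproved component: {name}"
        replay = extend(replay, m)
    if replay != pcr:
        return False, "log does not reproduce register"  # log was edited
    return True, "platform running approved software"


def demo():
    """Attest a correct stack, then one whose audit service was modified."""
    nonce = b"verifier-nonce-0001"
    good = list(APPROVED_COMPONENTS.items())
    ok_good = verify_quote(*boot_and_quote(good, nonce), nonce)
    tampered = good[:2] + [("audit-service", b"audit-service-image (modified)")]
    ok_tampered = verify_quote(*boot_and_quote(tampered, nonce), nonce)
    return ok_good, ok_tampered


if __name__ == "__main__":
    for result in demo():
        print(result)
```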

5. Threat Management

In the film The Matrix, the main character faces a choice: swallow a blue pill and continue to experience “normal” life, or take the red pill and discover new and deeper realities about the world.

In many ways, the majority of security activity - patching, protecting or monitoring against known threats - can be seen as acting in the blue pill world. This world assumes that vulnerabilities are discovered, patches are created, there is a race to deploy patches before exploit code can reach the vulnerable systems, and that this race is getting harder and harder to win. The deeper reality is worse than this: while it is known that attackers actively discover vulnerabilities, software vendors do not necessarily learn of all the newly discovered vulnerabilities, even after an attacker exploits them.


The challenge is to create defensive techniques that address classes of threats without the need for knowledge, or even the existence, of specific threats at any point in time. The trusted infrastructure research program, which can protect vulnerable components through isolation, is one approach to this. Another, more direct and novel, approach HP Labs is taking involves exploiting the differences between information and its representation by specific data or data formats. For example, rather than checking data for known patterns or signatures of exploits, we can often change the data representation of a piece of information while preserving the value in the information. Take Figure 5-2. Can you spot the difference?

How about when looking at Figure 5-3?

Figure 5-2 Threat management example, Figure 1 (two images; not reproduced here)

Figure 5-3 Threat management example, Figure 2 (hex dumps of the two image files)

ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |......JFIF.....H|
00 48 00 00 ff fe 00 36 20 49 6d 61 67 65 20 67 |.H.....6 Image g|
65 6e 65 72 61 74 65 64 20 62 79 20 45 53 50 20 |enerated by ESP |
47 68 6f 73 74 73 63 72 69 70 74 20 28 64 65 76 |Ghostscript (dev|
69 63 65 3d 70 6e 6d 72 61 77 29 0a ff db 00 43 |ice=pnmraw)....C|
00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 |................|
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 |................|
01 ff db 00 43 01 01 01 01 01 01 01 01 01 01 01 |....C...........|
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 |................|
...

89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 |.PNG........IHDR|
00 00 00 ab 00 00 01 0d 08 02 00 00 00 ff b8 02 |................|
09 00 00 00 09 70 48 59 73 00 00 00 48 00 00 00 |.....pHYs...H...|
48 00 46 c9 6b 3e 00 00 00 09 76 70 41 67 00 00 |H.F.k>....vpAg..|
00 ab 00 00 01 0d 00 d2 65 48 5e 00 00 80 00 49 |........eH^....I|
44 41 54 78 da e5 bd 79 9c 1b f5 79 3f fe 48 a3 |DATx...y...y?.H.|
19 69 46 d7 4a 2b ed 7d d8 92 c1 7b 78 8d ed 5d |.iF.J+.}...{x..]|
6c 0c 3e 93 35 60 48 4c 08 01 92 86 2b 4d 7f 86 |l.>.5`HL....+M..|
26 69 1a 92 b6 a6 49 db 24 cd 65 7f db 40 d2 1c |&i....I.$.e..@..|
...


The information conveyed by the two images in Figure 5-2 is seemingly that of the same tiger; however, looking at Figure 5-3, you can see that the constituent data representations of the images are significantly different: one image is in JPEG picture format and the other is in PNG picture format. Since exploits have to be extremely precise to utilize a vulnerability, it is likely that any exploit will be disabled by such a data conversion, while the conversion does not adversely affect the user. In this example, converting from the JPEG to the PNG picture format doesn’t change the picture’s visual image but does change the data format. If there was a hidden exploit for JPEG image rendering software, it would be lost in the transformation into the PNG format.

More generally, there is a vast number of equivalent data formats available. We have used these to create a service that blindly and randomly transforms data while maintaining information equivalence. The service disrupts any “bad” data while not affecting the information provided by “good” data. That is, the user still experiences the value from the file, and any malware or vulnerability has been cleaned out.

Clearly, there are more complications if the user wants to do more than view information; for this we are exploring notions of functional equivalence. The approach may not be applicable in all instances of data (for example, executables present quite a different challenge). However, a powerful aspect of this approach is that it protects against unknown attacks.
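The "transform the representation, keep the information" idea above is shown here as an added example, not HP Labs' transformation service. Decoding JPEG needs a large library, so the block works on the much simpler PNM image family (P3 ASCII and P6 binary, the "pnmraw" named in the Figure 5-3 dump): a file is parsed down to its pixel information and re-emitted in a randomly chosen equivalent format, so comments, trailing bytes and irregular header layout never reach the output, and anything the parser cannot fully account for is rejected rather than passed on; the sample image and its junk bytes are constructed.

```python
"""Information-preserving re-representation of image data (illustration).

Added example, not HP Labs' transformation service. It parses a P3/P6 PNM
file down to its information content (width, height, maxval, pixels) and
re-emits it in a randomly chosen equivalent representation. Only pixel
information crosses the boundary; malformed input fails closed.
"""
import random
import re

# One header token: skip whitespace and '#' comments, capture the token.
_TOKEN = re.compile(rb"\s*(?:#[^\n]*\n\s*)*([^\s#]+)")


def _tokens(data, count, pos):
    """Read `count` tokens from byte offset `pos`; return (tokens, new_pos)."""
    vals = []
    for _ in range(count):
        m = _TOKEN.match(data, pos)
        if not m:
            raise ValueError("truncated or malformed PNM header")
        vals.append(m.group(1))
        pos = m.end()
    return vals, pos


def parse_pnm(data):
    """Return (width, height, maxval, pixels), pixels a flat list of RGB tuples.

    Raises ValueError for anything that is not a well-formed P3/P6 image."""
    (magic,), pos = _tokens(data, 1, 0)
    if magic not in (b"P3", b"P6"):
        raise ValueError("not a P3/P6 image")
    (w, h, maxval), pos = _tokens(data, 3, pos)
    w, h, maxval = int(w), int(h), int(maxval)
    if not (w > 0 and h > 0 and 0 < maxval < 256):
        raise ValueError("unsupported dimensions or maxval")
    n = w * h * 3
    if magic == b"P6":
        if data[pos:pos + 1] not in (b" ", b"\n", b"\r", b"\t"):
            raise ValueError("missing whitespace before pixel data")
        raw = data[pos + 1:pos + 1 + n]        # exactly n bytes; anything after is dropped
        if len(raw) != n:
            raise ValueError("truncated pixel data")
        samples = list(raw)
    else:
        toks, _ = _tokens(data, n, pos)
        samples = [int(t) for t in toks]
    if any(s > maxval for s in samples):
        raise ValueError("sample exceeds maxval")
    return w, h, maxval, [tuple(samples[i:i + 3]) for i in range(0, n, 3)]


def encode_pnm(w, h, maxval, pixels, binary):
    """Canonical encoding: fixed header layout, no comments, nothing after the data."""
    header = b"%s\n%d %d\n%d\n" % (b"P6" if binary else b"P3", w, h, maxval)
    flat = [s for px in pixels for s in px]
    if binary:
        return header + bytes(flat)
    rows = [b" ".join(b"%d" % s for s in flat[i:i + w * 3])
            for i in range(0, len(flat), w * 3)]
    return header + b"\n".join(rows) + b"\n"


def transform(data, binary=None):
    """Re-represent `data` in an equivalent format chosen at random (or as given)."""
    w, h, maxval, pixels = parse_pnm(data)
    if binary is None:
        binary = random.choice([True, False])
    return encode_pnm(w, h, maxval, pixels, binary)


def is_valid_pnm(data):
    """Fail closed: data the parser cannot fully account for is not passed on."""
    try:
        parse_pnm(data)
        return True
    except ValueError:
        return False


# Constructed sample: a 2x2 P6 image carrying a comment and trailing bytes,
# i.e. content that is not part of the image information.
SAMPLE = (b"P6\n# comment: no image information here\n2 2\n255\n"
          + bytes([255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255])
          + b"TRAILING-BYTES-NOT-PART-OF-THE-IMAGE")

if __name__ == "__main__":
    out = transform(SAMPLE)
    assert parse_pnm(out) == parse_pnm(SAMPLE)            # same information ...
    assert b"#" not in out and b"TRAILING" not in out     # ... different, cleaner data
    print(len(SAMPLE), "bytes ->", len(out), "bytes, header", out[:3])
```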

6. Quantum Cryptography

Quantum computers are uniquely capable of factoring large numbers, and this has the potential to disrupt many assumptions made about current cryptography. This fact has motivated the HP Labs research on Quantum Key Distribution (QKD), which provides a means for two parties to generate secure, shared-secret material that could be used as one-time secret keys or pads to encrypt and decrypt information.

Used properly, one-time pads provide guaranteed, unbreakable cryptography, even with advances in quantum computation. The rules of quantum physics guarantee that using QKD makes it impossible for an eavesdropper to snoop on an interaction undetected.

The one-time pads generated using QKD may be used in a number of ways to protect e-commerce, or to identify individuals to each other. In addition, one-time pads provide the security required for performing the QKD operation.

Other research and product groups offer QKD systems. The problem that HP Labs is addressing is how to make this technology available to the mass consumer market.

We have built a low-cost, free-space quantum cryptography system using off-the-shelf components that is able to generate and renew shared secrets on demand over a short range (up to one meter) in shaded daylight conditions. The transmitter uses a compact diffraction-grating optical element design, which we plan to incorporate into a hand-held device such as a smart card or mobile phone.

As an example of the problems to be solved, imagine a very weak light signal (small numbers of photons) being received amongst a background of random light. The signal has to be identified and extracted. Once extracted, the endpoints have to communicate in order to error-correct and generate a shared secret. A full software system has been developed to handle this signal processing.

Currently the system can generate around 40,000 bits of secret key from a one-second interaction between transmitter and receiver, depending on the light conditions.


7. Memory Spot Technology

HP Laboratories has developed a miniature wireless data chip called memory spot, which at present has no equal in terms of its combination of size, memory capacity, and data access speed. Embeddable into physical media (e.g. paper), this technology has the potential to completely change many security rules and assumptions. For example, it can be applied to allow an organization to securely link digital and physical objects, such as a file and a printout of that file.

Memory spot is a fully functional chip that, in its current design, is fabricated onto a 1.4 mm x 1.4 mm square of silicon. It is a near-contact technology that allows a very fast data transfer rate of 10 Mb per second. This is 25 times faster than the current fastest RFID system, and this higher transfer speed permits rapid download of large amounts of data in a very short time; a “touch-and-go” style of interaction is possible even for large data transfers. For example, a 20-second audio file can be transferred from a memory spot device in under 50 milliseconds.

From a security angle, each memory spot device is equipped with an on-chip challenge-response authenticator based on the industry-standard SHA-1 algorithm. This feature is useful when local authentication is required, or in situations where local authentication is the only available option. If deployed correctly, memory spot’s on-board authenticator makes the chip virtually impossible to clone.

Each memory spot device is also equipped with a rudimentary yet effective on-board data read access mechanism based on a 224-bit password. If activated, data can be added to a memory spot but cannot be read unless supplied with the correct password. This feature enables a memory spot device to act as a data carrier without the need to review any shared secret or public key.
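A software model of the two on-chip features just described, added here as an example (it is not HP's memory spot design): the page says the authenticator is SHA-1 based and the read password is 224 bits but not the exact construction, so HMAC-SHA1 over a fresh, single-use verifier challenge is an assumption of this example, as are the class names and the sample secret and password.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PASSWORD_BYTES = 224 // 8  # the page states a 224-bit read password


class MemorySpotSim:
    """Constructed model of a memory spot chip's security features (assumption:
    the challenge-response is HMAC-SHA1 over the verifier's challenge)."""

    def __init__(self, auth_secret: bytes, read_password: Optional[bytes] = None):
        if read_password is not None and len(read_password) != PASSWORD_BYTES:
            raise ValueError("read password must be 224 bits")
        self._auth_secret = auth_secret      # stays on the chip; never transmitted
        self._read_password = read_password  # None means read protection not activated
        self._data = bytearray()

    def respond(self, challenge: bytes) -> bytes:
        """Challenge-response authenticator: proves knowledge of the secret
        without revealing it. A clone that lacks the secret cannot answer."""
        return hmac.new(self._auth_secret, challenge, hashlib.sha1).digest()

    def write(self, payload: bytes) -> None:
        """Data can always be added, as the page describes."""
        self._data.extend(payload)

    def read(self, password: Optional[bytes] = None) -> bytes:
        """Once protection is on, data is readable only with the correct password."""
        if self._read_password is not None:
            if password is None or not hmac.compare_digest(password, self._read_password):
                raise PermissionError("read access denied")
        return bytes(self._data)


class Reader:
    """Verifier side: knows the secret a genuine chip is expected to hold and
    issues a fresh random challenge for every authentication attempt."""

    def __init__(self, expected_secret: bytes):
        self._expected_secret = expected_secret
        self._issued = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(20)
        self._issued.add(challenge)
        return challenge

    def authenticate(self, chip: MemorySpotSim, challenge: bytes) -> bool:
        # A challenge is single-use: a response recorded earlier and replayed
        # against the same challenge is rejected, as is any challenge not issued here.
        if challenge not in self._issued:
            return False
        self._issued.discard(challenge)
        expected = hmac.new(self._expected_secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, chip.respond(challenge))


def demo() -> dict:
    """Run the constructed scenario and return each outcome for inspection."""
    secret = b"constructed-chip-secret"          # sample value, not a real key
    password = bytes(range(PASSWORD_BYTES))      # sample 224-bit read password
    genuine = MemorySpotSim(secret, password)
    clone = MemorySpotSim(b"guessed-secret", password)  # a copy lacking the real secret
    reader = Reader(secret)

    ch = reader.new_challenge()
    genuine_ok = reader.authenticate(genuine, ch)
    replay_ok = reader.authenticate(genuine, ch)        # same challenge presented again
    clone_ok = reader.authenticate(clone, reader.new_challenge())

    genuine.write(b"batch 42 / lot A")
    try:
        genuine.read()                                  # no password supplied
        unauth_read = True
    except PermissionError:
        unauth_read = False
    auth_read = genuine.read(password) == b"batch 42 / lot A"
    return {"genuine": genuine_ok, "replay": replay_ok, "clone": clone_ok,
            "unauth_read": unauth_read, "auth_read": auth_read}


if __name__ == "__main__":
    print(demo())
```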

Memory spot has application in areas such as pharmaceutical anti-counterfeiting, assuring the provenance of high-value items (e.g. aviation parts), and validating documents such as birth and marriage certificates.

Figure 5-4 Micrograph of the 32k memory spot chip


8. Trusted Printing

HP has unique and significant experience in imaging and printing. We complete this security innovation chapter by drawing out two final examples where HP Labs have made contributions to create trusted printing solutions.

Counterfeiting of products and documents is an illicit industry costing legitimate brand owners hundreds of billions of dollars each year. Two new businesses are forming within HP: one providing product security and the other providing document security.

The first business is called Trusted Track and Trace. Product Track and Trace is the generation and storage of a provenance record for a given packaged good. This includes the package identifier along with information about where and when it was scanned while in transit from the manufacturing site to the end user. Bar codes or RFID, increasingly using the Electronic Product Code (EPC) standards with EPCglobal certification, are the standard mechanisms for Product Track and Trace. Trusted track and trace augments the EPCglobal traceability through a security label that incorporates multiple features that are both difficult to copy and difficult to reproduce without using the HP Indigo variable data press. Variable microtext and wide-gamut color features are combined with EPCglobal-compliant bar coding to create an eye-catching, authenticable security label.

This program has benefited from the HP security community’s expertise in consulting and integration of EPCglobal-compliant solutions. The HP security community has also provided leadership on security issues for authorization, data retention, database access control, and other areas. This program has also benefited from HP’s security application threat analysis methodology: a full threat analysis review was performed for the Trusted Track and Trace program during the design phase to ensure that system-level security threats were addressed in the final approved product design.

The second new business is called Trusted Hardcopy. This business solves the customer need of being able to trust documents that enable high-value transactions. Financial, government and educational institutions, among other document-issuing authorities, create documents that are later used by banks, real estate offices, insurance offices, etc., to approve transactions at points of authentication. These transactions of value are subject to a high rate of document counterfeiting. HP’s Trusted Hardcopy solution provides document protection at document creation, on the document itself, and at the site of authentication. The document contains security deterrents, including a 2D barcode and copy/tamper-evident features, which combined provide a hash of the salient (indexing) information on the document. These features are generated (hashed) and affixed to the document during its creation, and then can be read and validated at the point of authentication.
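An added example (not HP's Trusted Hardcopy implementation) of the create-then-validate flow described above: the salient indexing fields are canonicalized and hashed at creation, the resulting digest is what the 2D barcode would carry, and the point of authentication recomputes it from the fields it reads off the paper. The page only says the features are a hash; keying the hash with an issuer secret (HMAC-SHA256) is this example's own hardening, because an unkeyed hash could be recomputed by whoever altered the fields. The field names, issuer key and document values are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict


def canonicalize(fields: Dict[str, str]) -> bytes:
    """Normalize the salient (indexing) fields so that trivial differences in how
    the point of authentication reads them (case, surrounding whitespace, key
    order) do not change the digest, while any change of substance does."""
    normalized = {k.strip().lower(): " ".join(v.split()).upper() for k, v in fields.items()}
    return json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode()


def make_barcode_payload(fields: Dict[str, str], issuer_key: bytes) -> str:
    """Document creation: digest the salient fields and return the text to encode
    in the 2D barcode. Keyed with the issuer's secret (this example's assumption)."""
    tag = hmac.new(issuer_key, canonicalize(fields), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()


def validate(fields_read: Dict[str, str], barcode_payload: str, issuer_key: bytes) -> bool:
    """Point of authentication: recompute from the fields read off the document and
    compare in constant time with what the barcode carries."""
    try:
        presented = base64.urlsafe_b64decode(barcode_payload.encode())
    except (ValueError, TypeError):
        return False
    expected = hmac.new(issuer_key, canonicalize(fields_read), hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)


# Constructed sample: the indexing fields of a loan approval letter.
ISSUER_KEY = b"constructed-issuer-key-not-for-production"
ORIGINAL = {
    "document_id": "CNST-2008-000123",
    "issued_to": "Jane Example",
    "amount": "250000.00",
    "issue_date": "2008-03-14",
}


def demo() -> Dict[str, bool]:
    payload = make_barcode_payload(ORIGINAL, ISSUER_KEY)
    # Same document read back with OCR-style case/spacing variation: must validate.
    reread = dict(ORIGINAL, issued_to="  JANE   example ")
    # Altered amount presented with the original barcode: must fail.
    altered = dict(ORIGINAL, amount="2500000.00")
    # A barcode regenerated without the issuer key cannot match altered fields.
    forged = make_barcode_payload(altered, b"wrong-key")
    return {
        "genuine": validate(reread, payload, ISSUER_KEY),
        "altered": validate(altered, payload, ISSUER_KEY),
        "forged": validate(altered, forged, ISSUER_KEY),
        "garbage": validate(ORIGINAL, "not base64!", ISSUER_KEY),
    }


if __name__ == "__main__":
    print(demo())
```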

This program has also benefited from the HP security community’s strength in secure printing. Secure printing provides authorized printing, where a print job is not completed until authorized by the requestor (e.g. with a password, smart card, etc.) and where the document printed is securely removed from the print device’s memory afterward.

9. Conclusion

We expect the context to remain challenging; businesses will continue to balance the demands to reduce cost and maintain control of IT. In addition, they will quite rightly seek new ways to improve business processes and gain competitive advantage through changes in IT.

This short chapter has described just a sample of the security research in HP Labs. Each of the subsections has shown, in different ways, how we can use science, mathematics and technology to help businesses operate the security lifecycle more efficiently or with more agility. More details can be found in the HP Labs technical reports series at www.hpl.hp.com/techreports.

The context is always changing, which causes the research to evolve continually. Therefore, if you want an up-to-date view of our research, we suggest you explore the HP Labs web pages at www.hpl.hp.com/research.


Conclusion


"HP's strategy is to build security into its products, drive industry standards on security and privacy, align business and regulatory requirements with security lifecycle delivery, and innovate ways to deliver a safer IT environment for our customers." - Tony Redmond, Vice President, HP Security Office


Inventive, Reliable Security

All of HP's businesses sell products, services, or solutions that require varying levels of security, to be both acceptable to customers and competitive in the market. Security is increasingly becoming an attribute that is associated with quality. HP wants our products, services, and solutions to be secure in operation, deployment, and use. We want to be known as a company that designs for security and privacy, drives best practices, contributes in a significant manner to new security standards, and delivers a safer IT environment to our customers. We draw on our own resources as well as those of our pure-play security partners, such as Symantec, Check Point, Nokia, Cisco, and VeriSign, to deliver hardware and software products and services that contribute to our strategy and meet the requirements of our customers.

Delivering a safer IT environment requires a framework for rapid and effective response to threats and business objectives. HP focuses on the key areas of governance and compliance, identity management, proactive security management, and trusted infrastructure to bring our customers the safe, proactive, and adaptable IT environment that is necessary to support the objectives of companies and organizations today and in the future.

Governance and Compliance

One of the most striking features of today's business environment is its dynamic nature. Successful companies capitalize on change, turning what is often unexpected and disruptive into a business advantage. HP's Security Governance Services provide companies and organizations with an enterprise-wide policy foundation, a governance model, and an organizational structure. The program can apply to the entire enterprise or to a business line, and it defines the integration and orchestration principles that shape the enterprise security system. This program meets the requirements of the ecosystem in which the enterprise operates, including regulations, business community practices, technology constraints, and the culture specific to the enterprise. Security governance provides guidance on how IT staff translates business security requirements into security measures and implementations. HP's Security Governance Services include a broad set of offerings delivered across the governance lifecycle to build an enterprise-wide policy foundation, a secure and agile architecture, process framework, and an organizational structure. Together these services enable dynamic businesses to manage the risks associated with their information assets.


Figure 1 HP's security framework (diagram labels: Business Objectives, Regulatory Compliance, Operational Risk; Governance and Compliance, Proactive Security Management, Identity Management, Trusted Infrastructure)


Proactive Security Management

It is often joked that the most secure computer is one that is in a guarded, locked room…and is also turned off. The point of the joke is that there is no such thing as 100% security and the most secure system is one that is not useful. The reality is that there is a set of trade-offs or variables to manage - such as costs, asset values, security technologies, people. Proactive security management is the science of managing those variables - with people, processes and technology - to support an organization's goals, and do so while maintaining an acceptable level of risk. The environment for our IT infrastructures includes an ever-changing state of threats, an evolving set of vulnerabilities and the basic, human-nature condition that if something has value then there is at least one person who might try to take it.

Security management has matured far beyond simply keeping out intruders or presenting a single console to coordinate individual security tools. In order to achieve its stated goals, security management must: (1) manage the protection of data, applications, systems, and networks, both proactively and reactively; (2) respond to changes in business and organizational models as well as the changing threat environment; (3) integrate with IT infrastructure management and operations; and (4) all the while, maintain a level of security and operational risk that is pre-defined by that organization.

Identity Management

Identity management is the ability to identify every user, application, or device across organizations and provide flexible authentication, access control, and auditing while respecting privacy and regulatory controls. Delivered via a set of processes and tools for creating, maintaining, and terminating a digital identity, these tools allow administrators to manage large populations of users, applications, and systems quickly and easily. They allow selective assignment of roles and privileges, making it easier to comply with regulatory controls and contribute to privacy-sensitive access controls.

For HP, identity management is a pervasive set of technologies and solutions:

• Identity management is about the management of user, application, and device identities.
• Identity management is about the management of identities in different contexts: enterprises, SMBs, consumers, and the public sector.
• Identity management deals with the management of the entire lifecycle of identities and their attributes.

HP considers privacy management, identity services, business-driven identity management, identity-capable platforms, and device-based identity management as important emerging identity management fields and drives specific research in these areas from HP Labs.

As an example of an end-to-end identity management system, the HP National Identity Solution provides governments with a high-performance, extremely secure, and extremely reliable credentialing solution. Similarly, HP can provide fully integrated end-to-end identity management solutions to meet any enterprise or public sector need.


Trusted Infrastructure

As businesses and society increase their reliance on IT infrastructures, we face important challenges to stay ahead of security threats to infrastructure technologies. Fundamental IT building blocks must be innovated and redesigned to include security features. Across all technologies, from clients to servers, from networking to storage, and in printing systems, HP continually strives to improve infrastructure security mechanisms to support adaptive and flexible IT solutions.

HP is investing to ensure that we continue to deploy secure and reliable trusted infrastructures. HP is an industry leader, driving this agenda across platforms, operating systems, and infrastructure solutions. Importantly, HP's leadership in the Trusted Computing Group has brought the industry together, greatly increasing baseline security of infrastructure technologies to meet current and future customer needs.

Alongside other efforts, such as establishing secure development practices within HP and driving infrastructure technology standards, Trusted Computing provides the security building blocks that allow the IT industry to continue to innovate and deliver the power of IT across reliable trusted infrastructures.

HP Labs Invention

HP Labs security research contributes innovative technology breakthroughs across all aspects of the corporate security strategy. Focused research aligns directly with primary initiatives and drives business units to think differently about approaches to security challenges. From trust economics to trusted infrastructure and assurance automation, HP Labs is inventing new technologies for the full security lifecycle. In addition, HP Labs invests in longer-term research to sustain a competitive pipeline of invention and innovative security capabilities for a wide range of emerging technology and application domains.

Proactive Security for a Safer IT Environment

Today's enterprise environment is increasingly volatile due to changes driven by business opportunity and threats emerging from attacks that are ever more sophisticated. In addition, government regulation is increasing corporate accountability for proper business practices and for protecting individual privacy. These pressures mandate a change in tactics for IT security - a change to a new proactive approach rather than the conventional reactive approach.

To enable our customers to implement a proactive IT security environment, HP wants our products, services, and solutions to be secure throughout their lifecycle. By focusing on the key areas of proactive security management, identity management, and trusted infrastructure with keen attention to governance and compliance issues, we have developed a solid framework for proactive enterprise security. With this framework, we deliver a safer IT environment to our customers - one that responds to changes in threats and corporate business objectives while it maintains defined levels of security and risk.


Appendix A: Principles of Design for Network Security

Appendix B: Types of Firewalls and Open Systems Interconnection (OSI) Layers of Operation

Appendix C: Authentication, Authorization and Auditing (AAA) Servers


Standardization

Each type of network component, design, procedure, or baseline configuration has its own security implications. Each of these elements must be consistently managed and periodically reviewed as an organization evolves and its threat environment changes. Therefore, reducing the number of dissimilar elements in the network environment will, in general, reduce the complexity and cost of security.

For example, reducing the number of different operating system (OS) platforms reduces the number of job descriptions, operational procedures, administrative tools, and other supporting elements for which an organization must train users, identify threats, assess risks and vulnerabilities, and implement countermeasures. Furthermore, standardization of job descriptions, required training, and local team organization can significantly simplify security management.

Another advantage of standardization is the ability to deploy widely tested and trusted approaches throughout the enterprise. For example, standard protocols for secure communication such as Secure Sockets Layer (SSL), Secure Shell (SSH), and the IPsec (IP security) protocol family have been widely scrutinized and, over time, strengthened against a wide variety of potential attacks. By standardizing a limited number of well-accepted technical approaches and business best practices, organizations benefit from the experience and efforts of countless contributors over many years.

In some cases, however, implementation of diverse countermeasures (such as Linux-based bastion hosts to further secure a properly configured Microsoft Exchange e-mail infrastructure) can provide additional protection that outweighs the additional complexity. Therefore, the advantages of standardization should be balanced, in some instances, with the advantages of diverse countermeasures as part of a layered defense strategy.

Likewise, standardization brings with it an increasing requirement that whatever is standardized must be highly secure. A single vulnerability exploit can affect the entire network. Appropriate standardization can, however, conserve resources that can be applied to diverse countermeasures. For example, an organization could standardize on a regional e-mail infrastructure based on specific Microsoft Exchange and bastion host configurations.

Least Privilege Access

Individuals, systems, applications, and business processes should have access to the minimum amount of information necessary to conduct business. Least privilege access depends on the existence of a robust means of establishing and managing digital identities. (For more information about digital identities, see the Identity Management chapter.)

Least privilege access for networks has broad implications. It means that only public network resources should be available to individuals whose identity or organizational affiliation is unknown or unauthenticated. Individuals who must access the network, including individual network hosts, should only have access to the network-related information and equipment they need to do their jobs.

For example, operations personnel should not have access to application source code, and application developers should not have access to the resources needed for actively managing the production network. Physical access to data centers, telecom cabinets, and other network equipment should be restricted to authorized individuals.


Appendix A: Principles of Design for Network Security


Least privilege access involves more than people. An attacker could compromise any network resource. Resource privileges, and the privileges available through them, should be restricted to the minimum necessary to meet business requirements. For example, router access control lists (ACLs) and firewall configurations should be as restrictive as possible. Unnecessary services should be shut down on servers. Public resources such as web servers should be carefully secured to prevent unauthorized manipulation by external attackers.

Finally, least privilege access also involves the distribution of network traffic. IP networks are inherently insecure. Any wired or wireless network is a potential target for attackers seeking to observe or alter network traffic. On a LAN without switches, each datagram (message or message portion) reaches all host network interfaces, and it is up to the host to determine how the datagram is processed.

Encryption of sensitive information is an important countermeasure. All sensitive (non-public) information transmitted over wireless networks or the Internet should be encrypted. Encryption may also be applied to data stored on or transmitted over internal networks. However, encryption is not always feasible, and most encrypted network traffic remains susceptible to the analysis of communication patterns between network hosts, which is known as traffic analysis. In addition, if traffic from public network resources competes for bandwidth with internal network traffic, the organization is susceptible to a crippling Denial of Service (DoS) attack launched through the Internet.

In summary, traffic should not flow over a network segment unless there is a business need. Switches, which are commonly used to improve network performance, can also improve network security by channeling network traffic directly to its intended recipient or to a small subnet. Network designers can also use Virtual LANs (VLANs) - which define network membership on a logical basis rather than a physical basis - to resegment networks without rewiring them. Therefore, network designers can partition hosts and host traffic based on business and security requirements rather than physical location. Together, switches and VLANs can help prevent unnecessary distribution and exposure of network traffic.

Layered Defense

A layered defense is essential to an enterprise's network security strategy, approach, and implementations. Such an approach includes appropriate security policies, security awareness and training, security technology, best practices implementation and operation, and auditing.

Technology is critical to any layered defense strategy. An enterprise would not consciously connect internal networks to the Internet without a perimeter defense mechanism such as a firewall. However, even firewalls cannot be relied upon as the only way of protecting the network. Technology must be layered to provide maximum coverage and security for an enterprise's information assets.

The principal layers of security technology represent the perimeter, network, and hosts. Thus, in addition to a network-based Intrusion Detection System (IDS), a host-based IDS should be used to ensure host integrity. Encryption, anti-virus, system auditing and logging, backups, honeypots (hosts or other resources such as decoy user accounts used to lure and observe attackers), and other technologies support a layered defense strategy. Building a layered defense strategy requires breaking networks into divisions such as subnets and demilitarized zones (DMZs), with multiple layers of screening routers, firewalls, virtual private network (VPN) deployments, anti-virus solutions, intrusion prevention systems (IPSs), and IDSs to help identify malicious traffic not prevented by perimeter defenses.

Countermeasures must be combined to be effective. Any single countermeasure could fail or be susceptible to an attack, now or in the future. Similar to least privilege access, layered defense has broad applications to network security. For example, to log on to a system designed for internal use in a well-secured network, an attacker must penetrate multiple firewalls and routers secured with ACLs and somehow obtain a valid access credential. In addition, an IDS/IPS plays a role in mitigating the risk of unauthorized system access. If the attacker is a curious visitor who has obtained a valid user name and password by looking over an employee's shoulder, other controls must also be in place. These controls typically include site physical security, security policies, and awareness programs that shape employee behavior as well as logging and auditing of access to sensitive resources.


There are other important examples of the need for a layered defense. For instance, an employee downloading malicious software during an SSL browser session can circumvent many layers of classical network defenses such as firewalls and IDSs; consequently, additional defenses are necessary. These defenses typically include employee awareness efforts and policies against misuse of company resources as well as the enforced presence of personal firewalls and updated anti-virus software.

Network designers should think of a layered defense in three ways:
• Layers of different approaches that span physical, technical, and administrative controls
• Layers of physical and technical obstacles that a potential attacker must overcome
• Layers of countermeasures that prevent attacks, detect and report attacks, limit the damage that a single attack can carry out, and facilitate recovery from attacks

Redundancy

The network designer must consider the enterprise-wide impact of the failure or compromise of any network component. Redundant service providers, connections, entry points, and network services should all be considered. However, redundancy makes networks more complex and expensive. Therefore, it must be carefully justified. For example, redundancy may not be justified for a reliable switch that services a small workgroup, but Internet access for a major campus may well warrant redundant connections from different service providers.

Compartmentalization

Enterprise networks can be divided into compartments or subnets to control security and other operational risks, facilitate standardization, establish least privilege access, and achieve a degree of redundancy. Many organizations use the structure of their business operations as an initial guide to compartmentalization. For example, if an organization is partitioned into three major divisions and a corporate office, four business application compartments may be warranted.

One of the advantages of compartmentalization is that access policies can be determined centrally and implemented at compartment boundaries. In the example network of four business application compartments, hosts in each compartment may have limited access to hosts in other compartments because each division operates independently. However, hosts in the corporate network may have more extensive access to the divisional compartments to enable integration and oversight of divisional operations.

In addition to business application compartments, compartments can be created for other purposes. As shown in Figure A-1, compartments for cross-business services might be created by grouping e-mail, directories, and naming services; tools to monitor and manage the network; and all end-user desktops in separate compartments. Other compartments may contain applications that are accessible from the Internet (such as corporate and divisional websites) and hosts that are accessible to external organizations and individuals via secure remote access. Compartmental access policies generally allow most types of outbound traffic, but they limit inbound traffic based on business need or application type.


Figure A-1 Compartmentalized network, cross-business services (diagram labels: Internet Traffic; External Traffic; E-mail, Directories, Naming Services; Network Monitoring & Management Tools; End-user Desktops; Business Applications; Internet Applications)


Compartments are not physical entities; they are accomplished by the logical network design. Hosts within a single compartment need not be in the same physical location. In fact, hosts within a single compartment can be located anywhere in the world, and diverse compartments may securely share a single site or computer room. A compartmentalized network can be engineered to adapt rapidly to changes in business structure and operations because compartments can be created, evolved, repurposed, or eliminated using VLANs with little or no change to the physical network. Compartmentalization facilitates adoption of other design principles. For example:

• Standardization is facilitated by centralizing policy management and providing standard network topologies for particular purposes.
• Least privilege access implementation is simplified by compartment access policies.
• Layered defense is facilitated by secured compartment boundaries that provide an additional layer of defense between the host and the network perimeter.
• Redundancy principles can be addressed by redundant resources implemented within the same compartment but at different physical locations. Multiple network routes may be established between compartment partitions located at different sites. Compartments themselves may be connected with a virtual backbone composed of redundant network routes.


Packet Filters

Packet filtering is pervasive in today's network environment, and implementations exist in routers, switches, and OSs. Packet filters operate at the network layer and make decisions to allow or deny a particular network packet based on its content. Packet filters can be configured to allow or deny a packet based on the source or destination IP address; the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), or Internet Control Message Protocol (ICMP) source or destination port; or the TCP acknowledgement bit. Packet filters are stateless, and they operate very efficiently due to the simplicity of their technique. However, they are vulnerable to spoofing (attacks based on falsified addresses and ports). In addition, they cannot defend against illogical packet sequences intended to disable or penetrate network hosts.

Circuit-level Gateways

Circuit-level gateways establish sessions between trusted hosts and clients. Like proxies, they enable clients and servers to communicate without a direct connection. Many circuit-level gateways are based on the SOCKS protocol, which enables clients that have been properly modified to use a SOCKS gateway to access TCP applications without revealing their IP addresses. SOCKS works with virtually any TCP application, including web browsers and FTP clients. SOCKS gateways can act as simple firewalls by examining incoming and outgoing packets and determining whether to allow them based on configured rules.

Stateful Inspection Firewalls

Stateful inspection firewalls allow or deny network traffic based not only on the contents of individual network packets but also on the state of existing conversations. This is crucial for preventing attacks that present unexpected or spoofed packet sequences to network hosts in hopes of penetrating them or denying service to others. In order to determine whether a particular packet is part of a legitimate interaction, these firewalls build and use state tables with information from all seven layers of the Open Systems Interconnection (OSI) reference model. Stateful inspection firewalls are critical for protecting major networks.
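An added example (not code from the handbook) contrasting the packet filter and the stateful inspection firewall described above on a constructed packet trace: the stateless rule set approximates "reply to an existing connection" with the TCP ACK bit and a high destination port, which is exactly the condition a forged packet can satisfy, while the stateful filter admits a non-SYN packet only when it belongs to a conversation it saw being opened. The addresses, ports, rule set and trace are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

INTERNAL_PREFIX = "10.0.0."   # constructed internal subnet
WEB_SERVER_PORT = 80          # the one service the policy exposes inbound


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]     # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter: decides on each packet alone.
    Rules: internal hosts may send anything out; the web server port is open inbound;
    any other inbound packet is admitted only if it looks like a reply, which a
    stateless filter can judge only by the ACK bit and a high destination port."""
    if is_internal(pkt.src):
        return True
    if pkt.dport == WEB_SERVER_PORT:
        return True
    return "ACK" in pkt.flags and pkt.dport > 1023


class StatefulFilter:
    """Stateful inspection: the same policy for new connections, but non-SYN packets
    are admitted only when a matching conversation is already in the state table."""

    def __init__(self) -> None:
        self.table = set()    # entries: (initiator_ip, initiator_port, responder_ip, responder_port)

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == frozenset({"SYN"}):              # a new connection attempt
            permitted = is_internal(pkt.src) or pkt.dport == WEB_SERVER_PORT
            if permitted:
                self.table.add(fwd)
            return permitted
        if fwd in self.table or rev in self.table:        # part of a tracked conversation
            if "RST" in pkt.flags:                        # conversation torn down
                self.table.discard(fwd)
                self.table.discard(rev)
            return True
        return False                                      # the ACK bit alone proves nothing


# Constructed trace: a legitimate outbound HTTPS handshake, then inbound packets that
# a stateless filter cannot tell apart from replies, then a permitted web request.
TRACE: List[Packet] = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"})),         # client opens
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # real reply
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"ACK"})),         # handshake done
    Packet("198.51.100.7", 4444, "10.0.0.5", 8080, frozenset({"ACK"})),         # forged "reply"
    Packet("198.51.100.7", 4444, "10.0.0.5", 8080, frozenset({"SYN"})),         # unsolicited SYN
    Packet("198.51.100.9", 5555, "10.0.0.20", 80, frozenset({"SYN"})),          # allowed web request
]


def run_trace(trace: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (stateless_decision, stateful_decision) for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in trace]


if __name__ == "__main__":
    for p, (sl, st) in zip(TRACE, run_trace(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  "
              f"stateless={'ALLOW' if sl else 'DROP'}  stateful={'ALLOW' if st else 'DROP'}")
```

The fourth packet is the one the page warns about: the stateless filter admits it on the strength of the ACK bit, while the stateful filter drops it because no conversation with that host was ever opened.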

Appendix B: Types of Firewalls and Open Systems Interconnection (OSI) Layers of Operation


Table B-1 Types of firewalls and OSI layers of operation

Type                            Layer of operation (OSI model)
Packet filters                  Network
Circuit-level gateways          Session
Stateful inspection firewalls   Network, transport, potentially others
Application proxy servers       Application


Application Proxy Servers

Application proxy servers (proxies) are application-layer firewalls. Proxies provide security by breaking the direct connection between client and server, concealing network topology, and (in many cases) providing access control and communication security. Proxies add overhead by dividing each client-server connection into two connections, but they can also reduce network congestion by caching frequently used web pages. Proxy server software can run on dedicated or shared general-purpose systems, or it can be prepackaged as part of a proxy appliance. Some proxies mediate web access only; others handle a wide variety of protocols.

Forward proxies are placed between the client systems used to access the Internet and the Internet itself. Forward proxies can restrict Internet access, serving as one element of a layered defense against external attacks on internal systems. Forward proxies can be used to authenticate users and establish secure communication sessions with them. Reverse proxies are placed between Internet-facing applications and their users. Application users must communicate with the application through the proxy. Users may not be aware of this, since they use the application's domain name (for example, www.myapp.com) as they would with direct, non-proxied access. However, the Domain Name System (DNS) resolves the domain name to the IP address of the proxy rather than the application. Figure B-1 shows forward and reverse proxy configurations.

Firewall Network Architectures

There are three basic architectures of firewalls on networks: dual-homed host, screened host, and screened subnet. A dual-homed host (Figure B-2) has two NICs, each connected to a different network segment. The firewall controls traffic between the two networks. For example, in a very simple network, the firewall could allow selected outbound traffic from a subset of hosts and selected inbound traffic from the Internet to another group of hosts. Systems, like firewalls, that are properly secured against access from untrusted networks, such as the Internet, are called bastion hosts. Host security is discussed in the Trusted Infrastructure chapter (Chapter 4).

A screened host firewall (Figure B-3) is protected by a packet-filtering router that sits between the firewall and an untrusted network. The router's access control list (ACL) can be configured to allow traffic that meets specific source, destination, direction, port, and protocol criteria. Because the firewall receives only pre-screened data, it can perform more detailed tests, such as stateful packet inspection, without adversely affecting network performance.

Although both dual-homed host and screened host firewalls provide basic security, most organizations require additional protection from attacks that originate on the Internet. The screened subnet (Figure B-4) network architecture includes a screened host firewall. It also segregates internal systems from systems attempting to access them from the Internet or another untrusted network. The Internet-accessible systems, configured as bastion hosts, are placed in a buffer zone or DMZ directly behind the screened host firewall. The internal systems are segregated from the Internet-accessible systems in their own subnet, which is separated from the DMZ by a router, a firewall, or both. In this way, a minimum of three devices must be compromised before an external attacker can reach an internal system.
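The ACL screening and the three-device layout of the screened subnet, as an added example that is not the handbook's own code: each device carries a first-match ACL over source, destination, protocol and port (the criteria named above), and a packet must be permitted by every device on its path. The address ranges, hosts, rules and packets are constructed; reply traffic is not modelled, which is the part a stateful firewall handles.

```python
"""Packet-filter ACL evaluation for the screened subnet (DMZ) architecture.
Added example, not the handbook's own code. The address ranges, hosts, ACLs
and packets below are constructed; the three-device layout (screening
router, screened host firewall, internal router) follows Figure B-4."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DMZ = ip_network("192.0.2.0/24")         # constructed: bastion hosts
INTERNAL = ip_network("10.10.0.0/16")    # constructed: internal systems
WEB_BASTION, FWD_PROXY, INTERNAL_DB = "192.0.2.10", "192.0.2.20", "10.10.5.5"
ORDER = ["internet", "dmz", "internal"]  # zones from outside to inside


def zone(addr):
    a = ip_address(addr)
    return "dmz" if a in DMZ else "internal" if a in INTERNAL else "internet"


@dataclass(frozen=True)
class Packet:
    ingress: str            # zone of the interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src_zone: str           # "internet", "dmz", "internal" or "any"
    dst_zone: str
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None matches any destination port
    dst_host: Optional[str] = None   # pin the rule to one host if set

    def matches(self, pkt):
        return (self.src_zone in ("any", zone(pkt.src))
                and self.dst_zone in ("any", zone(pkt.dst))
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.dst_host is None or self.dst_host == pkt.dst))


def evaluate(acl, pkt):
    """First matching rule decides; every ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Screening router: only traffic to or from the DMZ network crosses it.
SCREENING_ROUTER = [
    Rule("permit", "internet", "dmz", "tcp", 443),
    Rule("permit", "dmz", "internet", "any", None),
]
# Screened host firewall: finer, per-host tests on pre-screened traffic.
FIREWALL = [
    Rule("permit", "internet", "dmz", "tcp", 443, dst_host=WEB_BASTION),
    Rule("permit", "dmz", "internet", "tcp", 443),   # forward proxy fetches
]
# Internal router: the only openings between the DMZ and the internal subnet.
INTERNAL_ROUTER = [
    Rule("permit", "dmz", "internal", "tcp", 5432, dst_host=INTERNAL_DB),
    Rule("permit", "internal", "dmz", "tcp", 3128, dst_host=FWD_PROXY),
]
# Devices between adjacent zones, listed from the outside inwards.
SEGMENTS = {
    ("internet", "dmz"): [("screening router", SCREENING_ROUTER),
                          ("screened host firewall", FIREWALL)],
    ("dmz", "internal"): [("internal router", INTERNAL_ROUTER)],
}


def path_for(pkt):
    """Devices a packet crosses, in travel order, given where it entered."""
    i, j = ORDER.index(pkt.ingress), ORDER.index(zone(pkt.dst))
    step, devices = (1 if j > i else -1), []
    for k in range(i, j, step):
        a, b = sorted((ORDER[k], ORDER[k + step]), key=ORDER.index)
        seg = SEGMENTS[(a, b)]
        devices += seg if step == 1 else seg[::-1]
    return devices


def decide(pkt):
    """('permit', None) if every device on the path permits the packet,
    otherwise ('deny', <name of the first device that drops it>)."""
    for name, acl in path_for(pkt):
        if evaluate(acl, pkt) == "deny":
            return "deny", name
    return "permit", None


SAMPLE = {  # constructed packets
    "https to bastion": Packet("internet", "198.51.100.7", WEB_BASTION, "tcp", 443),
    "ssh to bastion":   Packet("internet", "198.51.100.7", WEB_BASTION, "tcp", 22),
    "internet to db":   Packet("internet", "198.51.100.7", INTERNAL_DB, "tcp", 5432),
    "spoofed internal": Packet("internet", "10.10.1.1", INTERNAL_DB, "tcp", 5432),
    "bastion to db":    Packet("dmz", WEB_BASTION, INTERNAL_DB, "tcp", 5432),
    "user via proxy":   Packet("internal", "10.10.7.7", FWD_PROXY, "tcp", 3128),
    "user direct out":  Packet("internal", "10.10.7.7", "203.0.113.9", "tcp", 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print("%-18s %s" % (name, decide(pkt)))
```

Two of the sample packets show why the layering matters: a packet from the Internet addressed straight to the internal database, and one that arrives on the Internet interface with a forged internal source address, are both dropped at the screening router because no rule there permits anything except traffic to or from the DMZ; an internal user's direct connection to the Internet is dropped at the internal router, leaving the forward proxy in the DMZ as the only route out.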

[Figure B-1: Forward and reverse proxy configurations. Labels: Intranet | Internet; External User, Reverse Proxy, Internal Web Application Server; Internal User, Forward Proxy, External Web Application Server.]

[Figure B-2: Dual-homed host. Labels: Protected Network; Internet; Firewall (Bastion Host); IP routing/forwarding disabled.]

[Figure B-3: Screened host firewall. Labels: Protected Network; Internet; Firewall (Bastion Host); Router only permits traffic to/from Bastion Host.]

[Figure B-4: Screened subnet. Labels: Protected Network; Internet; Firewall (Bastion Host); Router only permits traffic to/from DMZ network.]


Appendix C: Authentication, Authorization and Auditing (AAA) Servers

AAA (Triple-A) servers authenticate network users, authorize them to use particular network resources, and audit their network usage. AAA servers provide a central control point for external network access, and they work with various types of network access servers that interact with users and collect their credentials. All AAA servers must support a client-server security model in which:

• The network access server collects users' credentials and requests authentication from the AAA server.
• The AAA server returns authorization information and other parameters.
• The network access server sets up a connection and writes an audit record.

AAA protocols must support multiple authentication methods, including user name and password, and multiple types of token authentication. They must also be extensible to accommodate future security requirements. There are three major AAA protocols today: RADIUS, Terminal Access Controller Access Control System+ (TACACS+), and DIAMETER (a play on the RADIUS acronym).

RADIUS

RADIUS, the most pervasive protocol, provides straightforward, efficient, and extensible services for authenticating individuals using a variety of credentials. It is available in a variety of implementations; however, it has no support for group membership, password management, account expiration, or event monitoring. Secondary authentication servers must be added to perform these functions in RADIUS environments. RADIUS uses User Datagram Protocol (UDP), which does not provide guaranteed delivery of messages between the network access server and the AAA server. It also does not, in its standard form, provide for confidentiality of client-server communication.

TACACS+

TACACS+ uses encrypted TCP packets for secure and reliable communication between clients and the AAA server, and it also logs system events such as access privilege changes. TACACS+ supports a wider range of security features compared to RADIUS, including group membership and privileges. TACACS+ can specify packet-filtering rules and access control lists (ACLs) for each session. However, TACACS+ is primarily a Cisco Systems protocol, and TACACS+ clients are principally Cisco appliances. In addition, its enhanced feature set and use of TCP give it greater network traffic overhead than RADIUS.

DIAMETER

DIAMETER is designed to overcome the limitations of RADIUS. It operates in a peer-to-peer mode; therefore, AAA servers can initiate requests themselves and handle transmission errors. It is also based on UDP, with enhancements for more reliable transport. Its other enhancements include support for roaming, cross-domain and brokered authentication, additional authenticable protocols, and enhanced security - including confidentiality and protection against replay attacks.
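The three-step client-server model of this appendix, carried in RADIUS packets, as an added example that is not the handbook's code: the network access server (NAS) builds an Access-Request with the user's credentials, the AAA server authenticates and returns an Access-Accept carrying an authorization parameter (a Session-Timeout), and the NAS writes an audit record. The packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865; the user table, shared secret and NAS address are constructed, and the exchange runs in memory rather than over UDP. The password hiding is the only protection standard RADIUS gives the packet, which is the limited confidentiality the text refers to.

```python
"""AAA client-server exchange as carried by RADIUS (RFC 2865): the network
access server (NAS) collects the credentials, the AAA server answers with
authorization parameters, and the NAS writes an audit record. Added
example, not the handbook's code; the user table, shared secret and NAS
address are constructed, and the packets are built and parsed in memory."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 27
SHARED_SECRET = b"constructed-shared-secret"
USERS = {b"alice": (b"correct horse", 3600)}   # constructed: password, timeout


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad packet length")
    return code, ident, raw[4:20], decode_attrs(raw[20:])


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous
    block), seeded with the Request Authenticator. This hides only the
    password field; the rest of the packet travels in clear."""
    p = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): lets the
    NAS check that the reply came from a holder of the shared secret."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def aaa_server(raw, secret=SHARED_SECRET):
    """Server side: authenticate, then return Access-Accept with
    authorization parameters, or Access-Reject."""
    code, ident, req_auth, attrs = parse_packet(raw)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        raise ValueError("not a usable Access-Request")
    user = USERS.get(a[USER_NAME])
    if user and user[0] == reveal_password(a[USER_PASSWORD], secret, req_auth):
        rcode, reply = ACCESS_ACCEPT, [(SESSION_TIMEOUT, struct.pack("!I", user[1]))]
    else:
        rcode, reply = ACCESS_REJECT, []
    auth = response_authenticator(rcode, ident, reply, req_auth, secret)
    return build_packet(rcode, ident, auth, reply)


def nas_login(username, password, audit, secret=SHARED_SECRET):
    """NAS side: send Access-Request, verify the reply, record the outcome.
    Returns the granted session timeout, or None."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]        # constructed NAS address
    raw = aaa_server(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
    code, rid, resp_auth, rattrs = parse_packet(raw)
    if rid != ident or resp_auth != response_authenticator(code, rid, rattrs, req_auth, secret):
        audit.append(("error", username, "reply failed authenticator check"))
        return None
    if code != ACCESS_ACCEPT:
        audit.append(("reject", username, None))
        return None
    timeout = struct.unpack("!I", dict(rattrs)[SESSION_TIMEOUT])[0]
    audit.append(("accept", username, timeout))   # the audit record
    return timeout
```

Calling nas_login with the right password yields an accept record carrying the server's Session-Timeout; a wrong password yields a reject record; and a NAS configured with a secret that differs from the server's gets a reply whose Response Authenticator does not verify, which the NAS logs as an error rather than trusting the reply. Note that the Identifier and Request Authenticator match-up is what ties a reply to its request, since UDP gives the NAS no delivery guarantee.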
