Telecom Software Security - The NGOSS Approach
Dr. Prem Chand, Vice President, Mahindra British Telecom
14 Oct 04
Australia Germany India Singapore UAE UK USA
Agenda
Industry Expectations
Security Engineering: The NGOSS Approach
Security in Business Collaboration
Provider of Security Services
NGOSS Initiatives
Background
Recent security incidents, homeland security reports and industry initiatives all indicate an unprecedented demand for security in ICT.
Secure software is no longer an option; it is a demand of every customer.
The telecom industry, through its strategic investments in quality, is recognised as a prime mover of quality software and services.
This leadership position will be lost if we do not make similar forays into security.
The industry needs to answer this demand for secure software.
Can we create and ride another wave by building, for the telecom industry, a panacea for secure software? Yes: the NGOSS approach.
Target Services Footprint for the Telecom Industry: Networked Global Infrastructures
Defense: Facilities; Command & Control Warfare; Information Warfare; Hardened Information Sites; Force Formations; Infrastructure Supporting Armed Forces
National Core Infrastructure: Water; Telecommunications; Transport; Governance; Electric Power; Space; Ports
Economic, Social & Political: Environment; Crime / Law Enforcement; Healthcare; Safety / Protection; Society / Culture; Economy / Finance / Banking; Political / Diplomatic; Education; Research, Design and Development
Major Commodities: Energy; Food; Chemicals; Raw materials; Irreplaceable components; Human Resource; Mines
Industry: Steel; Military Hardware; Heavy Engineering Machinery; Electronics; Computers; Software; Information (content, IPR); Consumer durables; Insurance; Automotive
Intangible Networks: Perceptions; Public confidence; Entertainment; Media; Legal Framework; Privacy; Trust in Institutions
Security Expectations of the Telecoms
Business Collaboration Security: Secure Outsourcing Destination; Secure ODC Operations
Security Concerns of Large Global Telecom Operations
Provider of the Business Security Services
Prime Mover for Secure Software Development
Security in Business Collaboration: Secure Outsourcing Overseas Destinations & Secure ODC Operations
Security of the Global Business Footprint
Business Continuity: Do you have the resources to deal with the financial impact of emergency situations? Have you identified potential business disruptions? What would a day of downtime cost you?
Infrastructure: Are you prepared to deal with security breaches? Are you aware of potential liability for customer system disruptions?
Identification: Can you positively identify and control access to your facilities, systems and borders? Can permissions be changed in real time?
Collaboration: Are you able to securely exchange information with others? Do you easily comply with industry standards? Do you understand your liability for security breaches?
Privacy: Can you protect the confidential data of your employees or constituents? Are you familiar with legislation that requires safeguarding of customers' personal data?
Off-shoring / ODC / Developmental Concerns
Managed Security Services: Resources to deal with the impact of emergency situations; identified potential business disruptions.
IPR Protection & Digital Rights Management: Tracking code and team personnel, digital signing, logical separation and physical separation of sensitive data and code.
Project Level Security Management: Positive identification and controlled access to facilities, systems and borders; permissions and access rules can be changed in real time.
Security Code Review: Review and testing of software at source code / binary level.
Data Protection / Privacy: Protect confidential data of employees or constituents; familiarity with legislation that requires safeguarding of customers' personal data.
ODC Secure Operations: Logical and physical separation of individual projects / customers.
Security of the Day-to-Day Business Operations
Security Operations: Patch Management, Malicious Code Management, Secure Builds, Configuration Management, Log Analysis
Vulnerability Assessment: Asset Classification, Penetration Testing, Network Security Review, Risk Assessment, Risk Treatment
Identification, Authentication, Access Control: Single Sign-On Solutions, Smart Cards, Biometrics, Digital Certificates
SAP / CRM / Application Security Review & Audit: Role Based Controls Definition, SAP Hardening / Internal Controls Review, Assessment & Audit, BASIS Review, SAS 70 Controls Audit
Business Continuity Planning: Contingency Planning, Disaster Planning, Recovery Planning
Information Security Management System / ISO 17799: Risk Assessment, Security Policy Development, Security Improvement Plan Implementation, Security Training
Secure Development Outsourcing - Risk Mitigation
A centralized Security Program Office manages secure development outsourcing and risk mitigation. This ensures consistency in the security policies and processes that are created and implemented across the entire environment, which can then be applied to all off-shore partners.
Offshore Development Environment: Establish a trusted partner status; rigorous BCP/DR
Onsite Production Environment: Throw a cordon around production systems
Code Security: Storage, transmission, development
Security Mission
Figure: Security Mission (Systems Availability; Support Security Compliance and Monitoring). Elements: Security Policy; Security Technology Management; Exploitation Management; Vulnerability Management; Attack Response; Leveraged Technology; Managed Vulnerabilities; Threat Updates; Attack Signature Updates; Training & Awareness; Firewalls; Intrusion Detection; Monitoring Systems; Host Scanners; Technology Configuration; Technology Trends; Technology Updates; Fault Reporting
Securing Customer Data - Layers of Security
Base Infrastructure and Information Security; Project Teams
Secure physical access
Secure network access
Secure logical access
Customer information, design, code
Regular backups: onsite and offshore
Dedicated project servers with access control
Secure access to remote servers using authentication
Dedicated and redundant links / routes
Firewalls at all access points
Central monitoring for virus protection and intrusion detection
Security awareness training
NDA & IPR agreements
Secure data centers; secure project environment; secure development facility
Project Specific BCP & DRP
BCP & DRP for a project:
Ownership: Corporate Head
Preparation & Testing: Project Manager
Review: Corporate Head
Facilitators: Organization Security Team
End to End Infrastructure Security
Robust IT Infrastructure
Comprehensive BCP
ERP / CRM controls and assurance for internal applications
Customer Facing Security Strategies
Content Monitoring System for e-mail security (CMS)
Additional Features:
Code Access & Authorization System for Projects
Centralized Managed Security Service and Incident Response System
IPR Protection and Digital Rights Management System
Org. wide Single Sign-on
Provider of the Security Services: Develop / Adapt Standards Based Security Services Framework Across Telecom Software Industry
Security Framework Standards for IT Infrastructure
Legal & Regulatory Environment (Banking Act, Evidence Act, Electronic Transactions Act, Computer Misuse Act)
Security Policy (Business & Organisation Rules)
Best Practices (Security Organisation, Physical Security, Personnel Security, Operational Security)
Security Services: Availability; Accountability; Non-Repudiation; Integrity; Confidentiality; Authorization; Authentication
Processes & Methods; Architecture & Mechanism: Security Infrastructure; Network Security; Security Techniques; Security APIs; Security Tokens; Risk Assessment; Security Monitoring & Incident Management; Business Continuity & DRP; Security Assurance & Accreditation
Mapping Security Needs of Software Elements
Access Control: I & A; Authorization; Decision; Empowerment; Assigning; Binding; Representing; Communicating & Authenticating (User to host, Peer to Peer, Third Party)
Confidentiality: Security Enabled Applications; Secure Peripherals; Operating Systems; Secure FTP; Security Protocols (IPSec, SSL); Location of data; Type of data; Amount / Parts of data; Value of data; Data Protection; Data Separation; Traffic Flow; Frequency Hopping
Availability: H/W Resources; Software Resources; Quality of Service; Throughput; Protection from Attack; Protection from unauthorised use; Resistance to routine failure
Integrity: Single Data Unit; Stream of Data
Non-Repudiation: With proof of origin; With proof of delivery; Auditing Services
NGOSS Core Elements: Enhanced Telecom Operations; Shared Info / Data Model; Contracts / Interfaces; Technology Neutral Architecture; Compliance
Relate Security Goals, Services & the Technology
Security Goals: Confidentiality; Access; Integrity; Non-Repudiation; Availability
Services: Identification; Authentication; Authorization / Access; Administer; Audit
Technology: Smart Cards; Card Readers; Biometrics; Tokens; User IDs; X.509 Certificates; PKI; DCE / Kerberos; Firewalls; Remote Access; Cryptography; Security Domains; Access Control Administration; Certificate Authority; Sign-on; Audit Tools; Monitor / Filter; Network Integrity; Intrusion Detection; Virus Protection
Security Goals: as part of use-case statements of the overall requirements. Design: using COTS. Implement: using selected technology.
Security Management Requirements
IT Environment: People, Processes, Technology
Statutory Regulations, Technological Developments & Management Expectations
Security Management: Policy; Certification & Accreditation; Key Management; Access control and management; Readiness Assessment; Security management; Recovery & Reconstruction
Support Infrastructure: Policies & Procedures; Security Administration; Physical Security; Personnel Security; Monitoring; Training / Awareness
IT Environment: IA Architecture; IA Criteria (Security, Interoperability with PKI); Evaluated Products; Risk Assessment
Secure Infrastructure & Network; Secure Data & Operations
Panacea - Operations: Security Policy; Security Management; Key Management; Certification and Accreditation; Attack sensing and warning response; Readiness Assessments
eTOM-styled use cases to communicate requirements; SID based design model details to communicate the solution; solution design implementation specification
Supporting Standards
Architecture & Framework for Security Management:
ISO 10181: OSI Security Framework
ISO TR 13335: IT Security Management
ISO 17799: Code of Practice & Specification for ISMS
SS 493: IT Security Framework
SSEM / DoD: System Security Engineering Model
ISO 21827: Security Maturity Model
Development & Implementation Technologies / Mechanisms:
Application Protocols: SSL, S-HTTP
Authentication: Kerberos, RADIUS, SAML
Cryptography: RSA, DSA, ECC, DES, AES, SHA-1
Messaging: S/MIME, PEM, XMLDSIG, XMLENC
Application Security: CORBA, WS
Directory Authentication: ITU-T X.509
Security - Adapt Standards (Contd.)
Methodology Standards:
AS/NZS 4360: Risk Management
OCTAVE: Critical Threat, Asset, and Vulnerability Evaluation
OSSTMM v2: Penetration Testing
ISO 15408: Evaluation Criteria for IT Security
FIPS PUB 140-2: Cryptographic Modules
SP 800-55: Security Metrics
Training & Competencies: CISSP, SSCP, CISA, CISM
Financial Services: COBIT, ANSI X9
Focus on Testing & Evaluation Framework
Electronic Transactions Systems Testing
Secure Document Management Services
Licensed Evaluation Facility (NGOSS Components)
Security Validation (Network, Operations)
Inter-operability Testing; Common Criteria Testing
Basic Security Integration & Testing Framework
Security Policy & Business Process Integration
Product 1, Product 2, Service 1, ... Product x
Industry Leadership Goals
Enhance Software Security Across Products & Services
Meet all requirements for Unique, High Assurance Solutions
Promote Security Across all Business Verticals
Champion Information Security for the Telecom Software Industry
Foster Innovative Customer Driven Security
Develop PoCs & CoEs for Telecom Software Security across Industry
Develop Comprehensive Security Services Portfolio
Security Process Governance: Developing a security strategy aligned to business needs and business process controls. Information Security Management Services (ISMS); Business Continuity Planning (BCP); Enterprise Business Assurance
Security Architecture: Architecture design capabilities for effective and secure functioning of networks and applications. Secure Network Architecture (SNA); Authentication; Application Security; Managed Security Services (MSS)
Security Technology: Operational technologies to maintain secure access to resources. Security PSO (Professional Services Organization); Secure Transaction Services; Digital Rights Management
Security Assessment: Assessment capabilities in process improvement and in identifying and eliminating vulnerabilities. SSE-CMM Consultancy; Vulnerability Assessment; Security Code Audits and Reviews
Secure Software Development: Develop Standards Driven Security Engineering Framework - The NGOSS Approach
NGOSS Security Engineering Pervasiveness
Classic INFOSEC Techniques as Applicable to NGOSS: COMPUSEC; COMSEC; INFOSEC; OPSEC; Security Information
Major System Solution Roles in NGOSS Life Cycle: Buyer / User; Accrediting Authority; Certifier; Evaluator; Developer
NGOSS Life Cycle Phases: Acquisition; Development; Integration; Operation; Maintenance
Major Engineering Disciplines as Applicable to NGOSS: Security Engineering; Enterprise Modeling; Systems Engineering; Software Engineering; Hardware Engineering; Test Engineering
Lifecycle Approach to NGOSS Security
Design / Development: e.g. Product Evaluation Assurance, Development Assurance
Integration: e.g. Assessment, Certification Assurance, Testing Assurance
Deployment: e.g. System Accreditation Assurance
Operation: e.g. Security Management Assurance
Applying Systems Security Engineering to NGOSS
“The systems security engineering process is the process of discovering stakeholders’, customers’ and users’ information protection needs and then designing and making information systems, with economy and elegance, so they can safely resist the forces to which they may be subjected.” [IATF 3.1]
System Engineering step -> Systems Security Engineering counterpart:
Discover Needs -> Discover Information Protection Needs
Define System Requirements -> Define System Security Requirements
Design System Architecture -> Design System Security Architecture
Develop Detailed Design -> Develop Detailed Security Design
Implement System -> Implement System Security
Assess Effectiveness -> Assess Information Protection Effectiveness
Discovering Information Protection Needs of NGOSS
Information Management Model [IMM] -> Revised IMM
NGOSS Mission / Business Functions
Structured Analysis of Information
Applying Least Privilege Concept
Threat Analysis
Information Protection Policy [IPP]
Security Engineering Process Maturity Dimension
SSE-CMM Based Process Maturity Levels: Level 1 Performed Informally; Level 2 Planned & Tracked; Level 3 Well Defined; Level 4 Quantitatively Controlled; Level 5 Continuously Improving
Classification of Process Areas: Assurance Processes; Risk Processes; Engineering Processes
Figure elements: Environment's Security Guidelines & Process Creation; Assurance; Security Model of the Software; Organisation's Security Processes; Authentication
We can leverage SSE-CMM for NGOSS:
• Assist in defining the desired process maturity levels for the identified areas in NGOSS
• Work out the process improvement plans right from the design phase and put in place a process monitoring and control framework for the entire NGOSS life cycle
• Help to evaluate service providers using SSAM appraisals
Secure Software Development Lifecycle
Phases: Requirement Capture -> Design / Development -> Delivery
Business Requirements; Functional Requirements; Coding; Testing
Guiding Principles of Software Security; Secure Coding Practices; Security Tests
Security Functional Requirements; Security Assurance Requirements; Evaluation Assurance
Security Risk Management
This can be applied to NGOSS
Tool Driven Development Framework (Secure Software Development Tools)
Requirement Capture Phase: User Inputs; Security Requirement Specifications; Queries to the User
Design Phase (to be generated manually): MS Visio; Use Case Diagrams implementing security; Class Diagrams implementing security; Sequence Diagrams implementing security
Development Phase: Development Environment (Visual Studio .NET); Secure Coding Practices; Guidelines for Secure Coding Practices in .NET; Assurance Guidelines
Delivery Phase: Generating a CM Plan; Assurance Guidelines; Secure Delivery, Operations and Life Cycle Support Guidelines; Practices to be followed for Assurance Measures
This can be adapted for NGOSS
NGOSS Software Security Framework Goals
Build software security upfront; avoid bolting it on as an afterthought
Build end-to-end security, collaboratively for all stakeholders
Follow standards & industry best practices across the lifecycle
Plug in legacy & be future proof; evolve a robust framework
Allow global play with local solutions; universalization with the least architecture and technology constraints
As a beginning, formalize the framework outlines: examine the work already done by industry; survey IT security standards and frameworks and map their applicability to software; establish the framework outlines; identify focus areas & prioritize actions
Deliverables: a consistent, state-of-the-practice and cost-effective software security framework; a basket full of guidelines, mandates, clearances, industry best practices, PoCs and a map to navigate across all software building blocks for “cradle to grave” support to all stakeholders in software security
NGOSS Security Framework Outlines
Security Framework
Assurance Framework: Assessment of deliverables; Assessment of products; Assessment of environment; Evaluation Assurance related to parts of design, development and operation; Development Assurance related to development stages; Testing Assurance related to tests at each stage of the lifecycle
Secure Operations Framework; Metrics
Consultancy Framework: Design Guidance; Risk Management; Security Engineering; Product Evaluation; Certification & Accreditation; Clearing House Functions; Awareness & Education
Secure Operations
NGOSS Security Framework Standards
ISO 21827 SSE-CMM for engineering security across the SDLC
IATF v3.1 to complement ISO 17799 / SSE-CMM for Risk Assessment / Requirement Elicitation
ISO 15408 / Common Criteria to complement ISO 21827 / SSE-CMM for Product / Service Assurance / Certification
ISO 15443 (FRITSA) focus on IT assurance
ISO 17799 for building operational controls & audits
NIST SP 800-55 Guidelines for building metrics
NGOSS Security & Assurance Framework
SDLC: Initiation -> Design / Develop -> Test / Implement -> Maintain -> Dispose
ISO 15408 / CC: Evaluate the products to EAL 2
ISO 17799: Build secure operations / audits
NIST TR 13339: Build credible metrics
IATF 3.1: Build robust risk model
ISO 13335 (FRITSA): IT assurance
ISO 21827 / SSE-CMM: enable security throughout the life cycle and ensure that it is applied across products. Appraisal at SSE-CMM Level 3
Complementary: SSE-CMM and CC & ISO 17799
TMF Initiatives
Leadership Role of TMF
Secure Operations; Awareness & Education
Clearing House; Certification & Accreditation
Product Evaluation; Security Engineering
Requirement & Design Guidance
Architectural Definition; Security Framework
Risk Management Models
TMF Initiatives
Foster a world class Security Practice Framework
Provide thought leadership
Promote Secure Managed Security Services & Secure Web Services.
Align security with software development life cycle
Initiate and promote World Class Secure Software development as per ISO 15408/ ISO 21827/ ISO 17799
Promote secure development sites for offshore work
Thank You!
Name: Dr. Prem Chand
Company: Mahindra British Telecom Ltd.
Contact Details:
Email: [email protected]
Phone: +91-9811298037/+91-11-26889470/71
Date: 14th October 2004
Session ID: NGOSS 8
Time: 10:15AM – 11:00AM
Title: TELECOM SOFTWARE SECURITY-THE NGOSS APPROACH