TUT 190 Understanding Policy-Driven Security Management Jim Allred Vice

TUT 190 Understanding Policy-Driven Security Management Jim Allred—Vice President, Marketing Net. Vision

What is IT Security Policy? Definition: A policy is a set of (rules/standards-based) configurations and access controls that affect the overall stance of a user, group, device or application Effective security policy incorporates both businesslevel security objectives (risk mgt. ) and real-world security issues (the daily security battle) 2 © March 9, 2004 Novell Inc.

What’s in it for Me? • I’m not in charge of Security Policy ! • It just sounds like more work ! • I don’t need it to do my job ! 3 © March 9, 2004 Novell Inc.

Why Policy-based Security? • Policy-based IT Security Mgt. is here to stay-it won’t go away • IT Security is a Process-not a Product or Project • Embrace it! 4 © March 9, 2004 Novell Inc.

Benefits of Policy Management • Ensuring end-users follow the rules • Compliance with regulations & standards (HIPAA, GLBA, FISMA) • Formal structure for ongoing security mgt. (Process not Product or Project) • Success tied to system-not people • Functional separation of security mgt. duties 5

“Effective” Security Policy Requirements • Robust Policy Framework • Successful Policy Deployment • Compliance Tracking • Policy Process must include effective vulnerability monitoring and patch management 6

Inside NVPolicy Resource Center Policy Creation/Deployment Technical Standards Awareness/Training Vulnerability Management Research & Security Tool kits 7

NVPRC –A Web-Hosted ASP Model ASP Software or Consulting Anytime-Anywhere Access Limited Availability (24 X 7 X 365) No software/hardware to Software/hardware install & maintain infrastructure costs Quick & Easy Expensive training/support learning curve Security life-cycle approach Sustainable Risk Mgt. 8 Becomes Outdated or Dies Product or Project

Security Policy “Framework” • Clearly defines value of information assets • Represents organization-wide priorities • States business requirements that will drive security activities • Hierarchical approach to link policies with risk mgt. strategies 9

Framework Components Information Program Security Charter Asset & Identification Classification Policy Asset Polic Protection y Threat & Monitoring Assessment Policy Standard s Procedure s Top level governance document Establish Riskmanagement objectives Establish Executivelevel visibility & support Empower Security organization 10 Establish Formal Information Security Program Establish organizational Governance & accountability Balance security costs with risk tolerance Dictates effective administration and enforcement

Framework Components Information Security Program Charter Asset & Identification Policy Classification Asset Polic Protection y Threat Assessment & Monitoring Policy Standard s Procedure s Net. Vision information Security Policy Framework Asset Identification & Classification Policy Asset Protection Policy Asset Management Policy Acceptable Use Vulnerability Assessment & Management Policy Threat Assessment & Monitoring Policy Security Awareness Policy 11

Framework Components Information Security Program Charter Asset & Identification Policy Classification Asset Polic Protection y Threat Assessment & Monitoring Policy Standard s Procedure s • Standards Procedure s Firewall Protection • Unix Protection • Standard • Net. Ware Protection • Standard Windows 2000 Protection Standard • • 12 • • Technical Asset Protection Standards 802. 11 Wireless Ethernet Protection Standard • • • Web Server Protection Standard IP Router Protection Standard

Framework Components Information Security Program Charter Asset & Identification Policy Classification Asset Polic Protection y Threat Assessment & Monitoring Policy Standard s Procedure s Technical Security Configuration Procedures How to set up a piece of equipment properly 13 Windows NT How to configure an operating system or Service Server Windows NT Workstation Solaris 2, 6, 7 How to Install a Security software Tool How to lock down a particular device or Server and 8

Security Tool Kits • 14 NVPolicy Resource Center offers turnkey templates from which to build customized information security policies, including best practices for complying with HIPAA, GLBA, FERC, FISMA and much more

Security Awareness & Training • NVPRC automates policy distribution, awareness and tracking Assures everyone knows their roles and responsibilities in Security Reliable, track-able distribution system- Secures against “Social engineering” threats Provides compliance data for legal and regulatory audits 15 email based Built-in Training Modules/Enduser Quizzes/Presentation Templates Prevents version-control issues associated with hardcopy manuals

Vulnerability alerting & patch management • NVPRC automates vulnerability management process Industry’s most Complete vulnerability alerts database Profile-based alert system— Provides Task-management automation including rolebased administration Provides Prioritized system for managing vulnerabilities 16 No fire hose! Provides mitigation tactics and patch links Provides metrics-based scoring system to gauge your success

Net. Vision’s Solution Net. Vision Integrated Security Policy Management • Integrated Security Policy Management™ – Integrating Business Policy, Active Auditing and Automated Policy Enforcement™, and Behavior Management. • 17 Net. Vision’s Mission: Improve the repeatability and quality of security processes.

Integrated Security Policy Management™ • Security today requires a multi-layer approach • Perimeter Security, by itself, is not complete Control Layer – Provides Identity based Policy Management across layers – Protects from the insideout • 18

Integrated Security Policy Management™ Net. Vision’s Security Solutions Package • Intrusion & Access management • Vulnerability & Configuration mgt. • Administration and Identity Management • Policy Creation/Deployment NVMonitor Real-time intrusion Prevention NVAssess NVIdentity Proactive. Vulnurability Management User Identity & Access Management Active Auditing and Automated Policy Enforcement Policy Resource Center 19

Key differentiators • System level integration not an application – Does not matter what application is used to manage the environment • Policy and Process are integrated • Security Policy creation at a business level, implementation/automation, and operation must be integrated – Policy is incomplete when not tied to identity and role 20

Integrated Security Policy Management™ Responds proactively with automated responsesinsuring policy compliance on monitored systems. Monitored Systems Oss Web. Servers Databases Application Servers Firewalls Flexible Automated Responses Launch Script Launch Application Alerting Reporting Archiving Secure audit trail Override-saving files Override-changes to ACL Reversal of changes Restore desired state Disable perpetrator Synchronize password changes ERP Systems NVMonitor Real-time intrusion Prevention NVAssess Proactive. Vulnurability Management User Identity & Access Management Active Auditing and Automated Policy Enforcement RESPOND COLLECTS granular real-time event data & queried batch data with complete archived audit trails. Data Filter Yields only pertinent security data COLLECT Real-time Event Data Queried Audit Data COMPARE NVPolicy Resource Center Enterprise Security Policies Best-practices COMPARES real-time and batch date against security policy Continuous Behaviour Auditing Performs real-time access control and intrusion management by policing usage of rights 21 NVIdentity State & Access Auditing Identifies current state of user and application access rights and permissions compared to desired state.

NVPolicy Resource Center (Security Policy Creation & Deployment) • Methodology – How to go about building a corporate policy infrastructure • Building Blocks – Best practices • Documentation – Assemble documents and get signoff • Education – Teach users their roles and responsibilities 22

NVIdentity (User Administration & Identity Management) • Globalizing Identity – User Identity Management – Group Management – Password Management • Globalizing Administrative tasks – User Creation – User Modification – User Disabling/Deletion 23

NVAssess – (Vulnerability & Configuration Management) • Achieving Compliance – Exports compliance checks from NVPRC – What about our configuration is incorrect? – Query for: password compliance, group rights, access to files, server configuration – Fix it! Actions coupled to reports automatically remediate compliance issues • Reporting – Shows Current State of Compliance with stated policies • Policy Templates – Group multiple compliance reports and policies 24

NVMonitor – (Real-time intrusion & Access management) • • Behavior Monitoring – Compare activity against acceptable behaviors • Automated Remediation – Prevent unacceptable activity from becoming a liability • 25 Real-Time alerting – Learn about activity as it happens – Logging for auditing and forensic purposes Monitoring Activity & compliance in Real-time

Vision. View+Console – (Viewing Policy – Advanced Reporting and Mgt. ) • Web-based mgt. -anytimeanywhere access • The big questions – How are we doing? – Are we compliant? • • 26 Tuning Security Policy and Processes Security Audits

Product Demonstration 1. Policy Resource Center 2. NVAssess 3. NVMonitor 4. Vision. View™Policy Console 5. NVIdentity 27

Promotion • Password Self-Service Manager™for e. Directory • FREE • Permanently FREE product-no license time-out • Available as FREE download or on CD • Requires email request to obtain activation key • Free email support for install and configuration • Grab it and tell your friends! 28

29

Brainshare 2004 Platinum Sponsor See us in the Brain. Share Sponsor Hall #P 715 for outrageous prizes, contests and cool free stuff! 30

General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc. , makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. 32 © March 9, 2004 Novell Inc.