Integration of Physical and IT Logical Security at Identity Summit Dubai UAE. Presented by Jorge Sebastiao from eSgulf.

1. Integrating Physical & Logical Security Jorge Sebastião, CISSP, ISP, BSLA Founder and CEO “ Security is:… a continuous skilled process which safeguards your business value…” Jorge S., 1999

5. Signal also applies to cars of other colors

6. Signal also applies to cars of other colors

8. Data Center

9. Threats and risks Human faults Operational disruptions Software Faults In-compatability Fraud Forgery Access Control Espionage Illegal copying Virus Natural phenomena Fire, Smoke, Explosion Destruction, Sabotage Power Failure Water Damage Leakage Theft Vandalism Delivery Problem Service Disruption Loss of Key personnel Notice to quit, Sickness

10. Security as: TPP Technology Process People

15. Security = Time Protection Detection Response SECURITY P>D+R Anti-virus VPN Access Control Firewall Intrusion Prevention Managed Services CIRT Patch Mgmt Vulnerability Testing Intrusion Detection CCTV Log Correlation

16. Securing the System Effective security requires a balanced application of all methods Personnel System Security Computer Security Physical Security Process Encryption

17. Security Continuous process ASSESS ARCHITECT APPLY ADMINISTER Business Risk Controls Maturity

18. Integrated Security Management Business Security Management Physical Security Management ICT Security Management

19. Security Management Processes

20. Convergence APPLY

21. Identity and Access Management Strategic Context Physical Security Network / System Application / Data Suppliers, Partners, Customers Employees

23. Identity and Access Management Interoperability Control Loosely-coupled, Dynamic exterior Tightly-coupled, Persistent interior Intranet Extranets Customers Partners/Suppliers Employees Consumers Internet

24. Identity and Access Management Flexibility Intranet Extranets Internet Control Customers Partners/Suppliers Employees Consumers Federation, Cooperation Integration

25. Physical Security Physical Security Sprinkler hallon Alarm System UPS CCTV System Intrusion Detection Intercom Evacuation Physical Access Control Elevator Fire HVAC Lighting Power Mgmt

26. Physical Security Architecture

27. Biometrics Example

28. Storage SMART CCTV + biometrics Corporate LAN / WAN / VLAN Internet

29. Records Physical Protection

30. Physical Security

33. Logical Security Physical Security Data Encryption Host Intrusion Detection Antivirus Perimeter Security Network Intrusion Detection Remote Client VPN Access Control Remote Clientless HTTPS Disaster Recovery Content Filtering Anti-spam Intrusion Prevention Wireless Security Network / System Application/Data

34. Architecture Layers Extended Perimeter Perimeter Layer Control Layer Resource Layer Identity & Access Mgmt Physical Security Integrated Directory Security Management Policy Management Remote Employees Consumers Partners Customers Suppliers

35. Identity and Access Management Context Business policy: legal, liability, assurance for transactions Relationships to organization Applications/Services: access control and authorization Identity and information Presentation/Personalization: Identification Relationships Authentication: Identity (Person)

36. Architecture and Infrastructure Directory Access Mgmt Portal/Device Identity Mgmt Policy Propagation Administration Control Access Resources Authentication Authorization User Device? Applications Platforms Databases Physical Services

38. Where to spend? High Low Excessive Exposure Low High R I S K SECURITY INVESTMENT Excessive Cost Appropriate Security

39. Return On Investment (ROI)? ROI Curve Security Investment ROI design= 21% ROI implementation= 21% ROI testing= 12% ROI

40. Security Architecture Incidence Response Operational Monitoring Administration Change Procedures Guidelines Roles and Responsibilities Incident Reporting Physical Dynamic Controls Selection Policy Configurations Baselines Standards Awareness Education Training Logical BIA Mapping Perimeter Architecture InfoSec Policy Security Organization Conceptual P > D + R Strategy Scope Executive InfoSec Policy Steering Committee Contextual Time (Risk Management) Technology Process People

41. Beyond Technology

42. Knowledge Base Incidence Response Applying the Knowledge Incidence Response Multiple Sources of Information Partners, Vendors, CERT ,… Internal Security Research Internet, Mailing lists and other sources ADMINISTER

43. Integrated P+D+R Enterprise Security Management Routers Switches Firewall N-IDS H-IDS IPS Hosts Antivirus Access Ctrl Biometrics Smart Cards Power UPS Fire CCTV P-IDS Alarms Others…. 1.Logs 5. Response 2. Encrypted Logs 3. Analysis 6. (Ongoing) Patching Incidence Response Knowledge 4. Alerting

44. Incidence Response Incident Response Analyse Contain Eliminate Restore Lessons Policy Refine Policy Continuous Monitoring T-1 T 0 T 1 T 1 T 3 T 4 T N Communicate

45. Integrated Infosec Framework Vulnerability & Risk Assessment Assess, Audits VA, Pen-Testing, Risk Technology Strategy & Usage Technology, Tools Policy Insfosec Policy, Standards Security Architecture and Technical Standards Technical Architecture Technical Standards, Baselines Security Model Information Classification and Controls Administrative and End-User Guidelines and Procedures Implementation and Configurations Administration Guidelines and Procedures Recovery Processes Incidence Response Processes Enforcement Processes Compliance Mgmt Processes CEO, Senior Management ISMS, Information Assets, IT Infrastructure Awareness, Training, Education Monitoring Processes Monitoring Processes Security Strategy Business Initiatives & Processes Business Initiatives & Processes Vulnerabilities Threats

49. ?