Information Assurance (IA)
A Systematic & Systemic practice of assurance-modeling that guarantees protection of systems, information & managing information risks such as Confidentiality, Integrity, Availability, Auditing (Authentication/Authorization/Logs etc.) & Non-repudiation in relation to the use, processing, storage & transmission of information, restoration of systems/services and the corresponding/inter-related systems, their processes used for protection capability(ies)
2. Intent & Content
Generate enough interest & value
proposition to share & impart
knowledge on Information Assurance
& Reliability Architecture Workshop
A Precursor
3. AGENDA
Basics
What is Assurance & other Classifications (Information Assurance, Quality
Assurance, Systems Assurance, Assurance levels etc)
Significance of Cyber Security and Information Assurance & Reliability
Engineering
Infusing Information Assurance into Systems Engineering and or Acquired
Systems
Tailoring an Assurance model – Precursor/High Level demo
4. AGENDA
Advanced Concepts (Future Work Shop contents)
Designing Reliable Systems for Information Assurance
How to tailor Systems Assurance into specific domain (short-circuiting)
Building Assurance Frameworks (Systems, Applications & Processes)
How to tailor Systems Assurance into eco-system(s) as a practice (hard-wiring-the-circuit)
Measuring Assurance of a System - How do you measure Assurance in your
eco-system or in a specific domain
6. Quality
A System’s or a component’s capability to fulfil specified action/function (a.k.a. fit-to-purpose)
Reliability(Generic)
Capability of a System/Component to fulfil specified actions or required state based on agreed
parameters/standards during an agreed/defined time period under presumed operational conditions
Reliability of Systems & Information
The degree of probability that the deployed protective measures of a system will continue to protect the
Systems & Information against specified threats & attacks, and that these will remain accessible and consistent under
specified conditions over a specified interval of time.
Fault Tolerance
Capability of a system to satisfy its specified action even in the presence of faults (limited/unlimited is
subjective)
Availability
Capability & probability that a system will be intact to perform its specified functions, even in the presence of
failures, at any point in time
DEFINITIONS
7. Assurance
Declaration of a positive statement about a system, intended to give trust & reliability, i.e., a promise
through qualitative & verifiable parameters for reliability that the security/safety features, practices and
procedures of a system accurately mediate & enforce the intended/desired actions/results under agreed
conditions of the operating environment
Information Assurance (IA)
A Systematic & Systemic practice of assurance-modeling that guarantees protection of systems,
information & managing information risks such as Confidentiality, Integrity, Availability,
Auditability (Authentication/Authorization) & Nonrepudiation in relation to the use, processing, storage
& transmission of information, restoration of systems/services and the corresponding/inter-related
systems, their processes used for protection capability(ies) (difference between IS & IA to be discussed)
Safety Assurance (SfA)
The measure of providing confidence that acceptable risk for the safety of personnel, equipment, facilities
& public during & from the performance of operations is being achieved
Software Assurance (SwA)
The measurable confidence that the system functions as intended and is free of exploitable
vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any
time during the life cycle
DEFINITIONS
9. NEED FOR ASSURANCE & RELIABILITY
When you buy a product or service… you request “high
quality” and “high reliability”
How do you measure it? What is “high”?
How long? Reliability: 0.99 for 5 years, 0.999 for 4 years…
Time dependent quality…reliability
How do companies predict reliability and estimate warranty?
10. NEED FOR ASSURANCE & RELIABILITY
How about availability?
One shot devices …Missiles?
Most important characteristic of a product: it is a measure of
its performance with time
In Oct-2006, the Sony Corporation recalled up to 9.6 million of
its personal computer batteries, at a cost of $429M
Products are discontinued due to fatal accidents (Pinto,
Concorde)
11. NEED FOR ASSURANCE & RELIABILITY
How do companies predict reliability and estimate warranty?
Suppose a system consists of components, each of which will not fail with a
probability of 99% (p = 0.99), and which are connected in series. Then the
probability that the entire system will not fail changes with the number of
components as follows:
10 components lead to a survival probability of 90.40%,
20 components lead to a survival probability of 81.71%,
30 components lead to a survival probability of 73.86%,
40 components lead to a survival probability of 66.76%,
50 components lead to a survival probability of 60.35%,
100 components lead to a survival probability of 36.40%
What will happen if a system consists of thousands of components?
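Added example (not part of the original slides): the series calculation above carried through to thousands of components, together with its inverse (what each component must achieve for a system target) and, going beyond the slide, the effect of duplicating each component as a fault-tolerance measure. It assumes independent failures; the function names are illustrative, and the exact product p^n differs from the slide's rounded figures by up to about 0.2 percentage points.

```python
import math


def series_reliability(p: float, n: int) -> float:
    """Survival probability of n independent components in series."""
    return p ** n


def max_components(p: float, target: float) -> int:
    """Largest n for which a series chain of p-reliable parts meets target."""
    n = math.floor(math.log(target) / math.log(p))
    # Guard against floating-point error at exact boundaries.
    while series_reliability(p, n + 1) >= target:
        n += 1
    while n > 0 and series_reliability(p, n) < target:
        n -= 1
    return n


def required_component_reliability(n: int, target: float) -> float:
    """Per-component reliability needed so that n in series meet target."""
    return target ** (1.0 / n)


def duplicated_series_reliability(p: float, n: int, k: int = 2) -> float:
    """n series stages, each built from k redundant copies.

    A stage fails only if all k copies fail (assumes independent failures
    and perfect failover, which real systems only approximate).
    """
    stage = 1.0 - (1.0 - p) ** k
    return stage ** n


def report() -> list:
    lines = []
    for n in (10, 20, 30, 40, 50, 100, 1000, 5000):
        lines.append(f"{n:>5} components in series: {series_reliability(0.99, n):.4%}")
    lines.append(f"max components for 90% system target: {max_components(0.99, 0.90)}")
    lines.append("per-component reliability for 99% over 1000 parts: "
                 f"{required_component_reliability(1000, 0.99):.8f}")
    lines.append("1000 stages, each duplicated: "
                 f"{duplicated_series_reliability(0.99, 1000):.4%}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```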
12. NEED FOR ASSURANCE & RELIABILITY
How do companies predict reliability and estimate
warranty?
Hyundai chose to woo buyers in America by promising quality
and reliability. It issued an ambitious new warranty, good for
five years (ten on the engine and transmission), then challenged
its engineers to back that up with flaw-proof cars.
The early signs are they have delivered. Hyundai has
trimmed its warranty provision from 5.7% to just
1.8% of its revenue… Thanks to early ALT predictions
Companies do use Assurance & Reliability as a Unique Selling Point
15. NEED FOR INFORMATION ASSURANCE & RELIABILITY
When we already have Information Security as a Domain / as a Vertical / as a
Profession & Program, then why do we need Information Assurance
Frameworks or a Program?
Executive management needs to know the degree or level of
security achieved against the money invested
The CISO organization and security professionals need to provide
“Assurance on Information Security” to Executive Management
Time & again, Executive Management would like to have a quantification
of information security: how secure are our systems/applications?
(Hence Information Assurance & Levels of Information Assurance)
16. NEED FOR INFORMATION ASSURANCE & RELIABILITY
Many colorful reports and spreadsheets cannot provide the promise or
reliability that Information Assurance Frameworks can provide,
since IA Frameworks inherently contain verification capabilities
Current Information Security practices rely more on claims made by
manufacturers of security tools, resulting in surprises
Only Information Assurance Frameworks can provide the guaranteed
level of promise of reliability of security systems, since IA frameworks
do not rely on reports; information assurance is achieved
through verification measures built in as part of system development
or deployment
It is time Security Teams/Professionals ask ourselves: “Do we have
Systematic & Systemic Security practices across our IT
ecosystem? Can we give Guarantees on Information Security?”
17. NEED FOR INFORMATION ASSURANCE & RELIABILITY
Systematic & Systemic coverage of the system weakness space
A key step that feeds into the rest of the process; if not properly done, the rest of the process is
considered ad hoc
Reduce ambiguity associated with the system weakness space
Often due to requirements and design gaps that include coverage, definitions and impact
Objective and cost-effective assurance process
The current security risk assessment approach is insufficient, due to lack of traceability and
transparency between high-level security policy/requirements and the system artifacts that
implement them
Effective and systematic measurement of the risk
Today, the risk management process often does not consider assurance issues in an integrated
way, resulting in project stakeholders unknowingly accepting assurance risks that can have
unintended and severe security issues
Actionable tasks to achieve high confidence in system trustworthiness
21. RELIABILITY & FAULT TOLERANCE
Failure (Fault)- Wrong or "missing" function of a component
Failure causes
Design failure
Manufacture failure
Operation failures
Failures due to disturbances
Wearing failures
Random physical failures
Handling failures
Maintenance failures
The concepts of Failure Mode, Effect Analysis (FMEA) & Fault Tree Analysis (FTA) are a must for Information Assurance &
Reliability, but these two complex subjects are too much for this introductory presentation
30. RELIABILITY TERMINOLOGY
[Diagram: Dependability. Labels: “I fear for these failures/attacks”, “I want assurance for”, “I need any/all/some of these actions”]
MODELING - CASE FOR ASSURANCE & RELIABILITY
35. RELIABILITY TERMINOLOGY
MODELING - ASSURANCE & RELIABILITY ARCHITECTURE
Iterative across stages, per each component & its sub-components, till the top-assurance objective is met
37. ASSURANCE & RELIABILITY-MANAGEMENT EXPECTATIONS
The aforementioned management expectations are in reality architectural parameters, but they still stand valid for IA as is
Table source: SABSA
39. RELIABILITY TERMINOLOGY
MODELING ASSURANCE FOR VULNERABILITY MGMT
This is JUST AN EXAMPLE
[Diagram: assurance model for vulnerability management; nodes labelled “Claims & Verification” and “Claims, Solutions & Verification”]