Information Assurance & Reliability Architecture
Intent & Content
Generate enough interest & value proposition to share & impart knowledge on the Information Assurance & Reliability Architecture Workshop. A precursor.
AGENDA
Basics
- What is Assurance, and other classifications (Information Assurance, Quality Assurance, Systems Assurance, Assurance levels etc.)
- Significance of Cyber Security and Information Assurance & Reliability Engineering
- Infusing Information Assurance into Systems Engineering and/or Acquired Systems
- Tailoring an Assurance model: precursor/high-level demo
AGENDA
Advanced Concepts (future workshop contents)
- Designing Reliable Systems for Information Assurance: how to tailor Systems Assurance into a specific domain (short-circuiting)
- Building Assurance Frameworks (Systems, Applications & Processes): how to tailor Systems Assurance into eco-system(s) as a practice (hard-wiring-the-circuit)
- Measuring Assurance of a System: how do you measure Assurance in your eco-system or in a specific domain?
DEFINITIONS
Quality: a system's or a component's capability to fulfil a specified action/function (a.k.a. fit-for-purpose).
Reliability (generic): the capability of a system/component to fulfil specified actions or reach a required state, based on agreed parameters/standards, during an agreed/defined time period under presumed operational conditions.
Reliability of Systems & Information: the probability that the deployed protective measures of a system will continue to protect the systems & information against specified threats & attacks, and that the information will remain accessible and consistent, under specified conditions over a specified interval of time.
Fault Tolerance: the capability of a system to satisfy its specified action even in the presence of faults (whether a limited or unlimited number of faults must be tolerated is subjective).
Availability: the probability that a system will be intact and able to perform its specified functions at any point in time, even in the presence of failures.
DEFINITIONS
Assurance: a declaration of a positive statement about a system, intended to give trust & reliability, i.e. a promise, expressed through qualitative & verifiable reliability parameters, that the security/safety features, practices and procedures of a system accurately mediate & enforce the intended actions/results under agreed conditions of the operating environment.
Information Assurance (IA): a systematic & systemic practice of assurance modeling that guarantees protection of systems and information and manages information risks (Confidentiality, Integrity, Availability, Auditability (Authentication/Authorization) & Non-repudiation) in relation to the use, processing, storage & transmission of information, the restoration of systems/services, and the corresponding/inter-related systems and processes used for those protection capabilities (the difference between IS & IA is to be discussed).
Safety Assurance (SfA): the measure of providing confidence that an acceptable level of risk to the safety of personnel, equipment, facilities & the public, during and arising from the performance of operations, is being achieved.
Software Assurance (SwA): the measurable confidence that the system functions as intended and is free of exploitable vulnerabilities, whether intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle.
NEED FOR ASSURANCE & RELIABILITY
- When you buy a product or service, you ask for "high quality" and "high reliability".
- How do you measure it? What is "high"?
- For how long? Reliability: 0.99 for 5 years, 0.999 for 4 years...
- Reliability is time-dependent quality.
- How do companies predict reliability and estimate warranty?
NEED FOR ASSURANCE & RELIABILITY
- How about availability?
- One-shot devices... missiles?
- Reliability is the most important characteristic of a product: it is a measure of its performance over time.
- In Oct 2006, the Sony Corporation recalled up to 9.6 million of its personal computer batteries, at a cost of $429M.
- Products are discontinued due to fatal accidents (Pinto, Concorde).
NEED FOR ASSURANCE & RELIABILITY
- How do companies predict reliability and estimate warranty?
- Suppose a system consists of components which will not fail with a probability of 99% (p = 0.99) and which are connected in series. Then the probability that the entire system will not fail changes with the number of components as follows:
  10 components lead to a survival probability of 90.40%,
  20 components lead to a survival probability of 81.71%,
  30 components lead to a survival probability of 73.86%,
  40 components lead to a survival probability of 66.76%,
  50 components lead to a survival probability of 60.35%,
  100 components lead to a survival probability of 36.40%.
  What will happen if a system consists of thousands of components?
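The series calculation above (survival probability p^n) carried through in code, as an added example that is not part of the original deck; it also goes beyond the slide by showing the parallel and k-out-of-n cases, which is how fault tolerance buys reliability back. All component counts and probabilities are constructed.

```python
"""Series, parallel and k-out-of-n reliability of independent components.

Added example for the slide's p = 0.99 series calculation; not part of the
original deck. The component counts and probabilities used are constructed.
"""
from math import comb


def series_reliability(p: float, n: int) -> float:
    """Survival probability of n independent components in series: p ** n.

    Every component must survive, so adding components only lowers the result.
    """
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must lie in [0, 1] and n must be >= 0")
    return p ** n


def parallel_reliability(p: float, n: int) -> float:
    """Survival probability of n independent redundant components: at least one survives."""
    if not 0.0 <= p <= 1.0 or n < 1:
        raise ValueError("p must lie in [0, 1] and n must be >= 1")
    return 1.0 - (1.0 - p) ** n


def k_out_of_n_reliability(p: float, k: int, n: int) -> float:
    """Survival probability when at least k of n independent components must work.

    Generalises both cases above: k = n is series, k = 1 is parallel.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def survival_table(p: float, counts) -> dict:
    """Series survival probability in percent (two decimals) per component count."""
    return {n: round(100.0 * series_reliability(p, n), 2) for n in counts}


def redundancy_gain(p: float, n: int, duplicated: int) -> float:
    """Series system of n components in which `duplicated` of them are replaced
    by a redundant pair (two in parallel). Independence is assumed throughout."""
    if not 0 <= duplicated <= n:
        raise ValueError("duplicated must lie in [0, n]")
    single = series_reliability(p, n - duplicated)
    pairs = parallel_reliability(p, 2) ** duplicated
    return single * pairs


if __name__ == "__main__":
    for n, pct in survival_table(0.99, [10, 20, 30, 40, 50, 100, 1000]).items():
        print(f"{n:5d} components in series -> {pct:6.2f}% survival")
    print(f"100 components, 50 duplicated -> {redundancy_gain(0.99, 100, 50):.4f}")
```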
NEED FOR ASSURANCE & RELIABILITY
How do companies predict reliability and estimate warranty?
Hyundai chose to woo buyers in America by promising quality and reliability. It issued an ambitious new warranty, good for five years (ten on the engine and transmission), then challenged its engineers to back that up with flaw-proof cars. The early signs are that they have delivered: Hyundai has trimmed its warranty provision from 5.7% to just 1.8% of its revenue, thanks to early ALT (accelerated life testing) predictions.
Companies do use Assurance & Reliability as a Unique Selling Point.
NEED FOR INFORMATION ASSURANCE & RELIABILITY
When we already have Information Security as a domain, a vertical, a profession & a program, why do we need Information Assurance frameworks or programs?
- Executive management needs to know the degree or level of security achieved against the money invested.
- The CISO organization and security professionals need to provide "Assurance on Information Security" to executive management.
- Time & again, executive management would like a quantification of information security: how secure are our systems/applications? (Hence Information Assurance & Levels of Information Assurance.)
NEED FOR INFORMATION ASSURANCE & RELIABILITY
- Colorful reports and spreadsheets cannot provide the promise of reliability that Information Assurance frameworks can provide, since IA frameworks inherently contain verification capabilities.
- Current Information Security practices rely more on claims made by manufacturers of security tools, resulting in surprises.
- Only Information Assurance frameworks can provide a guaranteed level of promise of reliability of security systems, since IA frameworks do not rely on reports; information assurance is achieved through verification measures built in as part of system development or deployment.
- It is time security teams/professionals ask ourselves: "Do we have systematic & systemic security practices across our IT ecosystem? Can we give guarantees on Information Security?"
NEED FOR INFORMATION ASSURANCE & RELIABILITY
Systematic & systemic coverage of the system weakness space: a key step that feeds into the rest of the process; if it is not done properly, the rest of the process is considered ad hoc.
Reduce ambiguity associated with the system weakness space: ambiguity is often due to requirements and design gaps in coverage, definitions and impact.
Objective and cost-effective assurance process: the current security risk assessment approach is insufficient, due to a lack of traceability and transparency between high-level security policy/requirements and the system artifacts that implement them.
Effective and systematic measurement of the risk: today, the risk management process often does not consider assurance issues in an integrated way, so project stakeholders unknowingly accept assurance risks that can have unintended and severe security consequences. Actionable tasks are needed to achieve high confidence in system trustworthiness.
BENEFITS OF INFORMATION ASSURANCE & RELIABILITY ARCHITECTURE
(Diagram: benefits across Software Engineering, Compliance and Operations (NOC/SOC).)
RELIABILITY & FAULT TOLERANCE
- Failure (fault): wrong or "missing" function of a component.
- Failure causes:
  - Design failures
  - Manufacturing failures
  - Operation failures
  - Failures due to disturbances
  - Wear-out failures
  - Random physical failures
  - Handling failures
  - Maintenance failures
The concepts of Failure Mode and Effects Analysis (FMEA) & Fault Tree Analysis (FTA) are a must for Information Assurance & Reliability, but these two complex subjects are too much for this introductory presentation.
INFORMATION SECURITY & ASSURANCE RELATIONSHIP
MODELING INFORMATION ASSURANCE & RELIABILITY ARCHITECTURE
MODELING PROCESS - INFORMATION ASSURANCE & RELIABILITY
(Diagram: "I fear for these failures/attacks" -> "I want assurance for ..." -> "I need any/all/some of these actions" -> Dependability.)
MODELING - CASE FOR ASSURANCE & RELIABILITY
MODELING - EVIDENCE FOR ASSURANCE & RELIABILITY
MODELING - ASSURANCE & RELIABILITY ARCHITECTURE
Iterative across stages, per each component & its sub-components, till the top assurance objective is met.
MANAGEMENT'S EXPECTATIONS FOR ASSURANCE & RELIABILITY PARAMETERS
The aforementioned management expectations are in reality architectural parameters, but they still stand valid for IA as is. (Table source: SABSA.)
MODELING INFORMATION ASSURANCE & RELIABILITY FOR VULNERABILITY MANAGEMENT
MODELING ASSURANCE FOR VULNERABILITY MGMT (this is JUST AN EXAMPLE)
(Diagram: repeated "Claims & Verification" boxes beneath one "Claims, Solutions & Verification" box.)
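The claims-and-verification modeling sketched above, and the iterative "per component and sub-component till the top assurance objective is met" process, as an added example that is not part of the original deck: a small assurance-case evaluator where each claim is backed by verification evidence or by sub-claims, status propagates upward, and anything still unverified becomes the next iteration's work list. The vulnerability-management claims, evidence names and outcomes are constructed for illustration.

```python
"""Minimal assurance-case evaluator: claims backed by verification evidence.

Added example, not from the original deck. The claims, evidence names and
outcomes below are constructed to mirror the vulnerability-management slide.
"""
from dataclasses import dataclass, field
from typing import List

VERIFIED, FAILED, UNSUPPORTED = "verified", "failed", "unsupported"


@dataclass
class Evidence:
    """One verification measure (scan, review, test) and its recorded outcome."""
    name: str
    passed: bool
    stale: bool = False  # outside its validity window: treated as missing


@dataclass
class Claim:
    """A positive statement about a component, backed by evidence and/or sub-claims."""
    text: str
    evidence: List[Evidence] = field(default_factory=list)
    subclaims: List["Claim"] = field(default_factory=list)
    mode: str = "all"  # "all": every sub-claim must hold; "any": one suffices


def _combine(results: List[str], mode: str) -> str:
    """Fold child statuses into one status under 'all' or 'any' semantics."""
    if mode == "any":
        if VERIFIED in results:
            return VERIFIED
        return FAILED if all(r == FAILED for r in results) else UNSUPPORTED
    if FAILED in results:
        return FAILED
    return UNSUPPORTED if UNSUPPORTED in results else VERIFIED


def evaluate(claim: Claim) -> str:
    """Status of a claim, propagated bottom-up from its evidence and sub-claims."""
    results = [UNSUPPORTED if e.stale else (VERIFIED if e.passed else FAILED)
               for e in claim.evidence]
    if claim.subclaims:
        results.append(_combine([evaluate(c) for c in claim.subclaims], claim.mode))
    if not results:
        return UNSUPPORTED  # a bare assertion is a report, not assurance
    return _combine(results, "all")  # every piece of direct evidence must hold


def open_items(claim: Claim) -> List[str]:
    """Claims still lacking valid, passing verification: the next iteration's work list."""
    if evaluate(claim) == VERIFIED:
        return []
    items: List[str] = []
    for c in claim.subclaims:
        items.extend(open_items(c))
    return items or [claim.text]


def build_example() -> Claim:
    """Constructed vulnerability-management assurance case (hypothetical data)."""
    return Claim(
        "Vulnerability management keeps exploitable exposure within the agreed limit",
        subclaims=[
            Claim("Asset inventory is complete",
                  evidence=[Evidence("inventory reconciled with network discovery", True)]),
            Claim("All in-scope assets are scanned within the agreed interval",
                  evidence=[Evidence("scanner coverage report", True)]),
            Claim("Findings above the agreed severity are remediated within SLA",
                  evidence=[Evidence("ticket closures matched against scan diffs",
                                     True, stale=True)]),
            Claim("A compensating control exists where patching is not possible",
                  mode="any",
                  subclaims=[
                      Claim("Network segmentation isolates the unpatched hosts",
                            evidence=[Evidence("firewall rule review", False)]),
                      Claim("IPS virtual patching covers the open findings",
                            evidence=[Evidence("IPS signature test", True)]),
                  ]),
        ])


if __name__ == "__main__":
    case = build_example()
    print("top objective:", evaluate(case))
    for item in open_items(case):
        print("  needs verification:", item)
```

A stale piece of evidence leaves the top objective unsupported rather than failed, which is the distinction between "we have no current proof" and "we tested and it does not hold".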
References:
1. http://conferences.computer.org/stc/2014/papers/5034a026.pdf
2. http://www.omg.org/news/meetings/tc/berlin-15/special-events/iiot-presentations/Campara.pdf
3. https://www.techopedia.com/definition/5/information-assurance-ia
4. Reliability Engineering - 7th Edition - Alessandro Birolini
5. Wiley.Practical.Reliability.Engineering.5th.Edition
6. ISOIEC-21827-CMMIAndAssuranceAug2-Moss-Richardson
7. Enterprise Information Systems Assurance And Systems Security Managerial & Technical Issues
8. Enterprise Architecture Information Assurance Private Sector
9. Fundamentals of Reliability Engineering and Applications
10. Handbook of Reliability Engineering by Hoang Pham
11. Information Assurance Dependability and Security in Networked Systems
12. Information Assurance Architecture
13. Information Assurance Technical Framework NSA
14. Handbook Reliability Engineering, Chief- Of The Bureau Of Naval Weapons, 1964 Edition
15. Software Assurance Maturity Model 1.0 – OWASP
16. Handbook of Research on Contemporary Theoretical Models in Information Systems
Information Assurance & Reliability Architecture

Contenu connexe

Tendances

Demystifying Internet of Things
Demystifying Internet of ThingsDemystifying Internet of Things
Demystifying Internet of ThingsQian JIN
 
Internet of things - challenges scopes and solutions
Internet of things - challenges scopes and solutionsInternet of things - challenges scopes and solutions
Internet of things - challenges scopes and solutionsShivam Kumar
 
IoT Standards: The Next Generation
IoT Standards: The Next GenerationIoT Standards: The Next Generation
IoT Standards: The Next GenerationReadWrite
 
Internet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digitalInternet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digitalEslam Nader
 
Internet of Things and its applications
Internet of Things and its applicationsInternet of Things and its applications
Internet of Things and its applicationsPasquale Puzio
 
Introduction to Internet of Things (IoT)
Introduction to Internet of Things (IoT)Introduction to Internet of Things (IoT)
Introduction to Internet of Things (IoT)Amarjeetsingh Thakur
 
Basic IoT and its Security
Basic IoT and its SecurityBasic IoT and its Security
Basic IoT and its Securityshubh chougule
 
presentation on Edge computing
presentation on Edge computingpresentation on Edge computing
presentation on Edge computingsairamgoud16
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoTVasco Veloso
 
Internet of Things ( IoT ) Training
Internet of Things ( IoT ) TrainingInternet of Things ( IoT ) Training
Internet of Things ( IoT ) TrainingTonex
 

Tendances (20)

Demystifying Internet of Things
Demystifying Internet of ThingsDemystifying Internet of Things
Demystifying Internet of Things
 
Internet of things - challenges scopes and solutions
Internet of things - challenges scopes and solutionsInternet of things - challenges scopes and solutions
Internet of things - challenges scopes and solutions
 
Introduction to Internet of Things (IoT)
Introduction to Internet of Things (IoT)Introduction to Internet of Things (IoT)
Introduction to Internet of Things (IoT)
 
zigbee full ppt
zigbee full pptzigbee full ppt
zigbee full ppt
 
IoT Standards: The Next Generation
IoT Standards: The Next GenerationIoT Standards: The Next Generation
IoT Standards: The Next Generation
 
Internet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digitalInternet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digital
 
Internet of Things
Internet of ThingsInternet of Things
Internet of Things
 
Internet of Things and its applications
Internet of Things and its applicationsInternet of Things and its applications
Internet of Things and its applications
 
Introduction to Internet of Things (IoT)
Introduction to Internet of Things (IoT)Introduction to Internet of Things (IoT)
Introduction to Internet of Things (IoT)
 
Internet of Things (IoT) - IK
Internet of Things (IoT) - IKInternet of Things (IoT) - IK
Internet of Things (IoT) - IK
 
Iot
IotIot
Iot
 
METAVERSE .pptx
METAVERSE .pptxMETAVERSE .pptx
METAVERSE .pptx
 
IoT in healthcare
IoT in healthcareIoT in healthcare
IoT in healthcare
 
IoT for Healthcare
IoT for HealthcareIoT for Healthcare
IoT for Healthcare
 
Basic IoT and its Security
Basic IoT and its SecurityBasic IoT and its Security
Basic IoT and its Security
 
presentation on Edge computing
presentation on Edge computingpresentation on Edge computing
presentation on Edge computing
 
IoT
IoTIoT
IoT
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoT
 
Manet
ManetManet
Manet
 
Internet of Things ( IoT ) Training
Internet of Things ( IoT ) TrainingInternet of Things ( IoT ) Training
Internet of Things ( IoT ) Training
 

Similaire à Information Assurance & Reliability Architecture

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
Software reliability engineering
Software reliability engineeringSoftware reliability engineering
Software reliability engineeringMark Turner CRP
 
Depandability in Software Engineering SE16
Depandability in Software Engineering SE16Depandability in Software Engineering SE16
Depandability in Software Engineering SE16koolkampus
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxlanagore871
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Tammy Clark
 
The prominence of it lifecycle assurance
The prominence of it lifecycle assuranceThe prominence of it lifecycle assurance
The prominence of it lifecycle assuranceMaveric Systems
 
第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンス第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンスchomchana trevai
 
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...IJNSA Journal
 
In what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docxIn what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docxjaggernaoma
 
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxCompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxInfosectrain3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityAbdul Jaleel
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for JavaTim Ellison
 

Similaire à Information Assurance & Reliability Architecture (20)

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Software reliability engineering
Software reliability engineeringSoftware reliability engineering
Software reliability engineering
 
Depandability in Software Engineering SE16
Depandability in Software Engineering SE16Depandability in Software Engineering SE16
Depandability in Software Engineering SE16
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docx
 
Reliability
ReliabilityReliability
Reliability
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
 
The prominence of it lifecycle assurance
The prominence of it lifecycle assuranceThe prominence of it lifecycle assurance
The prominence of it lifecycle assurance
 
第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンス第7回VEC制御システムサイバーセキュリティカンファレンス
第7回VEC制御システムサイバーセキュリティカンファレンス
 
Ch3
Ch3Ch3
Ch3
 
Ch3
Ch3Ch3
Ch3
 
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...
 
In what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docxIn what ways do you think the Elaboration Likelihood Model applies.docx
In what ways do you think the Elaboration Likelihood Model applies.docx
 
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxCompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
 
Ch24
Ch24Ch24
Ch24
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Safeguarding the Enterprise. A new approach.
Safeguarding the Enterprise. A new approach.Safeguarding the Enterprise. A new approach.
Safeguarding the Enterprise. A new approach.
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application Security
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for Java
 

Dernier

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf

Information Assurance & Reliability Architecture

  • 2. Intent & Content Generate enough interest & value proposition to share & impart knowledge on Information Assurance & Reliability Architecture Workshop A Precursor
  • 3. AGENDA Basics  What is Assurance & other Classifications (Information Assurance, Quality Assurance, Systems Assurance, Assurance levels etc)  Significance of Cyber Security and Information Assurance & Reliability Engineering  Infusing Information Assurance into Systems Engineering and or Acquired Systems  Tailoring an Assurance model – Precursor/High Level demo
  • 4. AGENDA Advanced Concepts (Future Workshop contents)  Designing Reliable Systems for Information Assurance: How to tailor Systems Assurance into a specific domain (short-circuiting)  Building Assurance Frameworks (Systems, Applications & Processes): How to tailor Systems Assurance into eco-system(s) as a practice (hard-wiring-the-circuit)  Measuring Assurance of a System: How do you measure Assurance in your eco-system or in a specific domain
  • 6. DEFINITIONS Quality: A System’s or a component’s capability to fulfil a specified action/function (a.k.a. fit-for-purpose) Reliability (Generic): Capability of a System/Component to fulfil specified actions or a required state based on agreed parameters/standards during an agreed/defined time period under presumed operational conditions Reliability of Systems & Information: The degree of probability that the deployed protective measures of a system would continue to protect the Systems & Information against specified threats & attacks and will remain accessible and consistent under specified conditions over a specified interval of time. Fault Tolerance: Capability of a system to satisfy its specified action even in the presence of faults (limited/unlimited is subjective) Availability: Capability & probability that a system will be intact to perform its specified functions even in the presence of failures at any point in time
  • 7. DEFINITIONS Assurance: Declaration of a positive statement about a system, intended to give trust & reliability, i.e., a promise, through qualitative & verifiable parameters for reliability, that the security/safety features, practices and procedures of a system accurately mediate & enforce the intended desired actions/results under agreed conditions of the operating environment Information Assurance (IA): A Systematic & Systemic practice of assurance-modeling that guarantees protection of systems and information & manages information risks such as Confidentiality, Integrity, Availability, Auditability (Authentication/Authorization) & Non-repudiation in relation to the use, processing, storage & transmission of information, restoration of systems/services and the corresponding/inter-related systems and the processes used for protection capability(s) (the difference between IS & IA is to be discussed) Safety Assurance (SfA): The measure of providing confidence that acceptable risk for the safety of personnel, equipment, facilities & the public during & from the performance of operations is being achieved Software Assurance (SwA): The measurable confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle
  • 8. NEED FOR ASSURANCE & RELIABILITY
  • 9. NEED FOR ASSURANCE & RELIABILITY  When you buy a product or service… you request “high quality” and “high reliability”  How do you measure it? What is “high”?  For how long? Reliability: 0.99 for 5 years, 0.999 for 4 years…  Time-dependent quality… reliability  How do companies predict reliability and estimate warranty?
  • 10. NEED FOR ASSURANCE & RELIABILITY  How about availability?  One-shot devices… Missiles?  Reliability is one of the most important characteristics of a product; it is a measure of its performance over time  In Oct-2006, the Sony Corporation recalled up to 9.6 million of its personal computer batteries, at a cost of $429M  Products are discontinued due to fatal accidents (Pinto, Concorde)
  • 11. NEED FOR ASSURANCE & RELIABILITY  How do companies predict reliability and estimate warranty?  Suppose a system consists of components which will not fail with a probability of 99% (p=0.99) and which are connected in series. Then the probability that the entire system will not fail changes with the number of components as follows: 10 components lead to a survival probability of 90.40%, 20 components lead to a survival probability of 81.71%, 30 components lead to a survival probability of 73.86%, 40 components lead to a survival probability of 66.76%, 50 components lead to a survival probability of 60.35%, 100 components lead to a survival probability of 36.40%. What will happen if a system consists of thousands of components?
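The arithmetic behind slides 9 and 11, as an added example that is not part of the deck: the series survival probability R(n) = p^n for n identical independent components, the parallel (redundant) form 1 - (1-p)^k that fault tolerance relies on, and a conversion of a time-bound target such as “0.99 for 5 years” into a constant failure rate under the exponential model. The exponential (random-failure) model, the function names and the sample unit counts are assumptions for illustration; the deck states none of them.

```python
import math
from typing import Iterable, List, Tuple


def series_reliability(p: float, n: int) -> float:
    """Survival probability of n independent components in series, each with
    reliability p. A series chain needs every component to work, so R = p ** n."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must lie in [0, 1] and n must be >= 0")
    return p ** n


def parallel_reliability(p: float, k: int) -> float:
    """Survival probability of k redundant copies where one surviving copy is
    enough: the stage fails only if all k copies fail, so R = 1 - (1 - p) ** k."""
    if not 0.0 <= p <= 1.0 or k < 1:
        raise ValueError("p must lie in [0, 1] and k must be >= 1")
    return 1.0 - (1.0 - p) ** k


def series_of_redundant_stages(p: float, n: int, k: int) -> float:
    """n stages in series, each built from k parallel copies: this is how
    redundancy (fault tolerance) counters the p ** n collapse of long chains."""
    return series_reliability(parallel_reliability(p, k), n)


def survival_table(p: float, sizes: Iterable[int]) -> List[Tuple[int, float]]:
    """(component count, survival percentage rounded to 2 decimals) rows."""
    return [(n, round(100.0 * series_reliability(p, n), 2)) for n in sizes]


def failure_rate_for_target(r_target: float, t: float) -> float:
    """Constant hazard rate lambda such that R(t) = exp(-lambda * t) equals
    r_target at time t. Assumes the exponential (random-failure) model; wear-out
    failures would need a different (e.g. Weibull) model."""
    if not 0.0 < r_target <= 1.0 or t <= 0:
        raise ValueError("r_target must lie in (0, 1] and t must be > 0")
    return -math.log(r_target) / t


def reliability_at(lam: float, t: float) -> float:
    """Exponential-model reliability at time t for hazard rate lam."""
    return math.exp(-lam * t)


def expected_warranty_claims(units: int, lam: float, warranty_years: float) -> float:
    """Units expected to fail inside the warranty window (exponential model)."""
    return units * (1.0 - reliability_at(lam, warranty_years))


if __name__ == "__main__":
    # Series chain of p = 0.99 components, including the 'thousands' case.
    for n, pct in survival_table(0.99, (10, 20, 30, 40, 50, 100, 1000, 5000)):
        print(f"{n:>5} series components -> {pct:6.2f}% survive")
    # Same 100-stage chain with each stage duplicated.
    r = series_of_redundant_stages(0.99, 100, 2)
    print(f"100 stages, each 2-way redundant -> {100 * r:.2f}% survive")
    # '0.99 for 5 years' as a failure rate, and the warranty exposure it implies
    # for a constructed population of 100,000 units.
    lam = failure_rate_for_target(0.99, 5)
    print(f"lambda = {lam:.5f}/year; expected claims in 3 years per 100,000 units: "
          f"{expected_warranty_claims(100_000, lam, 3):.0f}")
```

The table is the point: at p = 0.99 a thousand-component chain survives with probability below 0.01%, while duplicating each of 100 stages keeps the chain near 99%, which is why a reliability target has to be stated per component and per time window before it can be verified.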
  • 12. NEED FOR ASSURANCE & RELIABILITY How do companies predict reliability and estimate warranty? Hyundai chose to woo buyers in America by promising quality and reliability. It issued an ambitious new warranty, good for five years (ten on the engine and transmission), then challenged its engineers to back that up with flaw-proof cars. The early signs are that they have delivered: Hyundai has trimmed its warranty provision from 5.7% to just 1.8% of its revenue… thanks to early ALT predictions. Companies do use Assurance & Reliability as a Unique Selling Point
  • 13. NEED FOR ASSURANCE & RELIABILITY
  • 15. NEED FOR INFORMATION ASSURANCE & RELIABILITY When we already have Information Security as a Domain / a Vertical / a Profession & Program, why do we need Information Assurance Frameworks or a Program?  Executive management needs to know the degree or level of security achieved against the invested money  The CISO organization and security professionals need to provide “Assurance on Information Security” to Executive Management  Time & again Executive Management would like a quantification of information security: how secure are our systems/applications? (Hence Information Assurance & Levels of Information Assurance)
  • 16. NEED FOR INFORMATION ASSURANCE & RELIABILITY  Many colorful reports and spreadsheets cannot provide the promise of reliability that Information Assurance Frameworks can provide, since IA Frameworks inherently contain verification capabilities  Current Information Security practices rely more on claims made by manufacturers of security tools, resulting in surprises  Only Information Assurance Frameworks can provide a guaranteed level of promise of reliability of security systems, since IA frameworks do not rely on reports; information assurance is achieved through verification measures built in as part of system development or deployment  It is time Security Teams/Professionals ask ourselves: “Do we have Systematic & Systemic Security practices across our IT ecosystem? Can we give Guarantees on Information Security?”
  • 17. NEED FOR INFORMATION ASSURANCE & RELIABILITY  Systematic & Systemic coverage of the system weakness space – A key step that feeds into the rest of the process; if not properly done, the rest of the process is considered ad-hoc  Reduce ambiguity associated with the system weakness space – Often due to requirements and design gaps that include coverage, definitions and impact  Objective and cost-effective assurance process – The current security risk assessment approach is insufficient, due to lack of traceability and transparency between high-level security policy/requirements and the system artifacts that implement them  Effective and systematic measurement of the risk – Today, the risk management process often does not consider assurance issues in an integrated way, resulting in project stakeholders unknowingly accepting assurance risks that can have unintended and severe security consequences  Actionable tasks to achieve high confidence in system trustworthiness
  • 18. BENEFITS OF INFORMATION ASSURANCE & RELIABILITY ARCHITECTURE
  • 19. (Diagram of benefit areas: Software Engineering, Compliance, Operations (NOC/SOC))
  • 20. RELIABILITY & FAULT TOLERANCE
  • 21. RELIABILITY & FAULT TOLERANCE  Failure (Fault): Wrong or "missing" function of a component  Failure causes:  Design failures  Manufacturing failures  Operation failures  Failures due to disturbances  Wear-out failures  Random physical failures  Handling failures  Maintenance failures. The concepts of Failure Mode and Effects Analysis (FMEA) & Fault Tree Analysis (FTA) are a must for Information Assurance & Reliability, but these two complex subjects are too much for this introductory presentation
  • 22. RELIABILITY & FAULT TOLERANCE
  • 23. RELIABILITY & FAULT TOLERANCE
  • 25. INFORMATION SECURITY & ASSURANCE RELATIONSHIP
  • 26. INFORMATION SECURITY & ASSURANCE RELATIONSHIP
  • 30. RELIABILITY TERMINOLOGY / MODELING - CASE FOR ASSURANCE & RELIABILITY (diagram labels: "I fear for these failures/attacks"; "I want Assurance for"; "I need any/all/some of these actions"; "Dependability")
  • 31. MODELING- CASE FOR ASSURANCE & RELIABILITY
  • 32. MODELING- CASE FOR ASSURANCE & RELIABILITY
  • 33. RELIABILITY TERMINOLOGY / MODELING - CASE FOR ASSURANCE & RELIABILITY
  • 34. RELIABILITY TERMINOLOGY / MODELING – EVIDENCE FOR ASSURANCE & RELIABILITY
  • 35. RELIABILITY TERMINOLOGY / MODELING - ASSURANCE & RELIABILITY ARCHITECTURE Iterative across Stages, per each Component & its sub-components, till the top assurance objective is met
  • 36. MANAGEMENT’S EXPECTATIONS FOR ASSURANCE & RELIABILITY PARAMETERS
  • 37. ASSURANCE & RELIABILITY - MANAGEMENT EXPECTATIONS The aforementioned management expectations are in reality Architectural parameters, but they still stand valid for IA as is – Table Source: SABSA
  • 38. MODELING INFORMATION ASSURANCE & RELIABILITY FOR VULNERABILITY MANAGEMENT
  • 39. RELIABILITY TERMINOLOGY / MODELING ASSURANCE FOR VULNERABILITY MGMT This is JUST AN EXAMPLE (diagram labels, one per stage: "Claims & Verification" ×5; "Claims, Solutions & Verification")
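The modeling idea of slides 30 to 35 and 39 (claims per stage and component, each backed by verification, evaluated upward until the top assurance objective is met or shown not to be) as an added example that is not the deck's own method or tooling. The claim tree, its "all/any" support rule (the slide's "any/all/some of these actions"), the vulnerability-management stage names and every piece of evidence are constructed for illustration; the deck names none of them.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Verification:
    """One concrete check that backs a claim, with the evidence it produced."""
    name: str
    passed: bool
    evidence: str          # pointer to the evidence (constructed values below)


@dataclass
class Claim:
    """A claim about a stage or component, supported by verifications and/or
    sub-claims. An assurance objective is the top claim of the tree."""
    statement: str
    require: str = "all"   # "all": every support must hold; "any": one suffices
    verifications: List[Verification] = field(default_factory=list)
    subclaims: List["Claim"] = field(default_factory=list)

    def supported(self) -> bool:
        """Post-order evaluation: sub-components first, then this claim."""
        results = [v.passed for v in self.verifications]
        results += [c.supported() for c in self.subclaims]
        if not results:
            return False   # a claim with no verification is a claim, not assurance
        return all(results) if self.require == "all" else any(results)


def unsupported(claim: Claim, path: Tuple[str, ...] = ()) -> List[str]:
    """'objective > stage > claim' paths for every claim that is not supported,
    so the gap that blocks the top objective is traceable to its stage."""
    here = path + (claim.statement,)
    out = [" > ".join(here)] if not claim.supported() else []
    for c in claim.subclaims:
        out += unsupported(c, here)
    return out


def verification_coverage(claim: Claim) -> Tuple[int, int]:
    """(passed, total) over every leaf verification in the tree."""
    passed = sum(v.passed for v in claim.verifications)
    total = len(claim.verifications)
    for c in claim.subclaims:
        p, t = verification_coverage(c)
        passed, total = passed + p, total + t
    return passed, total


def build_vuln_mgmt_model(patch_sla_met: bool = False) -> Claim:
    """Constructed assurance model for a vulnerability-management process:
    one claim per stage, each with its verification(s). Evidence strings are
    placeholders, not real artefacts."""
    return Claim(
        "Vulnerability management keeps exposure within the agreed risk appetite",
        subclaims=[
            Claim("Every production asset is inventoried", verifications=[
                Verification("CMDB vs. cloud inventory reconciliation", True,
                             "reconciliation report (constructed)"),
            ]),
            # Either scanning route is accepted as evidence, hence require="any".
            Claim("Assets are assessed on schedule", require="any", verifications=[
                Verification("Authenticated weekly scan completed", True,
                             "scanner job log (constructed)"),
                Verification("Agent-based continuous assessment active", False,
                             "agent coverage report (constructed)"),
            ]),
            Claim("Findings are triaged and fixed within SLA", verifications=[
                Verification("Critical findings triaged within 24h", True,
                             "ticket timestamps (constructed)"),
                Verification("Critical patches applied within 7 days", patch_sla_met,
                             "patch compliance export (constructed)"),
            ]),
            Claim("Fixes are independently re-verified", verifications=[
                Verification("Re-scan shows finding closed", True,
                             "re-scan diff (constructed)"),
            ]),
        ],
    )


if __name__ == "__main__":
    model = build_vuln_mgmt_model()
    passed, total = verification_coverage(model)
    print(f"top objective supported: {model.supported()}  "
          f"({passed}/{total} verifications passed)")
    for gap in unsupported(model):
        print("unsupported:", gap)
```

The design point is the last line of `Claim.supported`: a claim with no verification behind it evaluates to unsupported, which is what separates an assurance model from the reports and spreadsheets criticised on slide 16. Running the block shows that one failed patch-SLA check is enough to leave the top objective unsupported even though most checks pass, and `unsupported()` names the stage responsible.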
  • 40. References:
    1. http://conferences.computer.org/stc/2014/papers/5034a026.pdf
    2. http://www.omg.org/news/meetings/tc/berlin-15/special-events/iiot-presentations/Campara.pdf
    3. https://www.techopedia.com/definition/5/information-assurance-ia
    4. Reliability Engineering, 7th Edition – Alessandro Birolini
    5. Practical Reliability Engineering, 5th Edition – Wiley
    6. ISO/IEC 21827, CMMI and Assurance – Moss, Richardson
    7. Enterprise Information Systems Assurance and Systems Security: Managerial & Technical Issues
    8. Enterprise Architecture Information Assurance, Private Sector
    9. Fundamentals of Reliability Engineering and Applications
    10. Handbook of Reliability Engineering – Hoang Pham
    11. Information Assurance: Dependability and Security in Networked Systems
    12. Information Assurance Architecture
    13. Information Assurance Technical Framework – NSA
    14. Handbook of Reliability Engineering – Chief of the Bureau of Naval Weapons, 1964 Edition
    15. Software Assurance Maturity Model 1.0 – OWASP
    16. Handbook of Research on Contemporary Theoretical Models in Information Systems