IT-Security Governance and Technology

Transcription

1 Dr. Christoph Wall electronic Administration and Services IT-Security Governance and Technology HERUG,

2 After computers got started 2

3 and went beyond their predicted numbers 'I think there is a world market for about five computers' Remark attributed to Thomas J. Watson (Chairman of the Board of IBM),

4 to connect people around the globe 4

5 I had a dream. VtÇ çéâ Ñ vàâüx ã{tà ã ÄÄ ux fé Ä Å àäxáá tçw yüxx Jim Morrison 5

6 But then I woke up 6

7 to find myself faced with the need for: IT-Security! 7

8 Europe needs it 8

9 Germany needs it 9

10 The Freie Universität Berlin needs it (IT Strategy ) Quality and Flexibility for Information and Processes Comprehensive Offer of Information Mobile Information Smart Processes Secure Data Sustainable Use of Resources Content Users 10

11 What is IT-Security? 11

12 Fundamental Values of IT-Security Confidentiality: information that is confidential must be protected against unauthorized disclosure Availability: services, IT system functions, data and information must be available to users as required Integrity: data must be complete and unaltered 12

13 Elements of an IT-Security-Management-System Governance Risk assessment or analysis: A risk analysis provides information on the probability of the occurrence of a damaging event and what negative consequences the damage would have. Security policy: In a security policy the security objectives and general security safeguards are formulated in the sense of the official regulations of a company or a public authority. Detailed security safeguards are contained in a more comprehensive security concept. Technical Authentication: When a person logs in on a system, the system runs a check in an authentication process to verify the identity of the person. The term is also used when the identity of IT components or applications is tested. Authorisation: Authorisation is the process of checking whether a person, an IT component or an application is authorised to perform a specific action. Data protection: Data protection refers to the protection of personal data against misuse by third parties. Data backup: Data backup involves making copies of existing data to prevent its loss. 13

14 Governance: Risk assessment for FU IT-Systems 14

15 Governance: Guidelines and Directives Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organization. Wikipedia 15

16 16

17 Stakeholders of the IT-Organization Central IT Providers IT Security Officer Data Privacy Commissioner Co-determination council Faculties / Departments 17

18 Directive for handling security incidents IT Sicherheit

19 Alarm chain IT Sicherheit

20 Technology: SAP Functionality to support IT-Security - Identity Management - Event-based onboarding - Authentification - SSO with User Name/Password - Role based Authorization - Design of User-Roles - Workflow for role allocation - Layers of security for Web-Portal-Access to SAP backend - Security Optimazation Self-Service (SOS Report) - e.g. Segregation of duties - Action log for intrusion detection - Identity Management - Automatic user deactivation - Backup and Restore Support 20

21 Identity Management Identity FU Berlin, Juni

22 User Lifecycle Management Stage 1 modify Identity FU Berlin, Juni

23 Create/modify (Onboarding & Berechtigung) Staff Faculty Administration Role Personell Data HR User FUDIS (FU Account) IdM Role Role User SLcM Student User Business Partner HIS Studenten Student Role Department User ERP User SAP Web Identity FU Berlin, Juni

24 Cascading role design Identity FU Berlin, Juni

25 IdM role provisioning workflow 1) Anforderung Identity FU Berlin, Juni

26 26

27 Single Sign On 27

28 Security layers for SAP access Internet DMZ Internal Domain ume.logon.security.relax_domain.level = 0 Webdispatcher URL-Filter 1 4 NW 7.3 Portal 5 2 SSO ZEDAT Webdispatcher ERP 604 URL-Filter dnsname2.elsa.fu-berlin.de 3 Abap-Webdynpro Trusted relationship 1 url-filtering to restrict access exclusive for elsa-portal traffic 2 Shibboleth-based single sign on 3 Smart design of DNS name 4 Authorization check Shibboleth-based Authentification Data Access 5 Certificate-based trusted relationship between portal and backend DSAG-Technologietage

29 29

30 Future Potential: Strong Authentification 30

31 Security Audit Log: Configuration (SM19) 31

32 Security Audit Log: Analysis (SM20) 32

33 The SOS Report The SAP Security Optimization Service is a comprehensive support service that identifies security risks for your SAP system and helps you to determine the appropriate measures to protect it from these risks. The security checks of SAP Security Optimization are performed for the following security aspects: - Availability: ensuring that a system is operational and functional at any given moment - Integrity: ensuring that data is valid and cannot be compromised - Authenticity: ensuring that users are the persons they claim to be - Confidentiality: ensuring that information is not accessed by unauthorized persons - Compliance: ensuring that the system security set-up is in accordance with established guidelines 33

34 SOS 34

35 Risks are pointed out 35

36 36

37 Examples for Authentification Alerts 37

38 User Lifecycle Management: Deactivation modify Identity FU Berlin, Juni

39 Deactivation of Users Staff Faculty Personell Data HR User FUDIS (FU Account) IdM User SLcM Student User Business Partner Students User ERP Exmatriculation User SAP Web Identity FU Berlin, Juni

40 Business continuity: Backup and restore support 40

41 IT-Security-Management-System reloaded Governance Risk assessment or analysis: A risk analysis provides information on the probability of the occurrence of a damaging event and what negative consequences the damage would have. Security policy: In a security policy the security objectives and general security safeguards are formulated in the sense of the official regulations of a company or a public authority. Detailed security safeguards are contained in a more comprehensive security concept. Technical Authentication: When a person logs in on a system, the system runs a check in an authentication process to verify the identity of the person. The term is also used when the identity of IT components or applications is tested. Authorisation: Authorisation is the process of checking whether a person, an IT component or an application is authorised to perform a specific action. Data protection: Data protection refers to the protection of personal data against misuse by third parties. Data backup: Data backup involves making copies of existing data to prevent its loss. 41

42 Information policy 42

43 Big job to do? Get on with it! 43

44 Dr. Christoph Wall Boltzmannstr Berlin Germany