When did the organization begin adopting a layered approach to information security, and why did it take that approach?
On a basic level, we've had a layered approach to information security for well over a decade, if you accept the argument that firewalls and antiviral systems constitute a layered approach.
The SEC has had an Internet presence since 1996. This, along with the shift away from mainframe architecture, necessitated the transition to a layered approach. The organization has developed a hardened outside with very few connections in. Our business model is to take in reports and trade data from the SROs [self-regulatory organizations] such as NASD [an organization that regulates the securities industry, formerly called the National Association of Securities Dealers] and other financial entities.
We utilize a lock-box model - many users but one recipient who holds the key to unlock the contents - to allow the data to be delivered by many entities securely using a secure copy program, with encryption enabled. The data is then fetched using SSH [Secure Shell, an open-source program that enables computers on a network to securely share files using authentication] and stored in our internal data servers for analysis and use by the various offices.
Agency regulations prohibit you from talking about specific vendors and products, but can you tell us what type of technologies the SEC uses?
From the front door, where we utilize router ACLs [access control lists, which specify TCP/IP ports and sources that are allowed or denied access] and firewalls, to the desktop, with workstation firewalls and antivirus/spyware products, the layers are in place. In between, the SEC has placed intrusion detection and prevention systems to alert us to malicious activities and to shut that activity down before it does harm. The truth is that there is no silver bullet. Religiously monitoring the changing threat pattern is a key requirement for success.
When you look at the functions of each of these technologies, you see that they are all focused on a niche. This is due to the changing business requirements of our users, the staff of the SEC, which is mostly lawyers and accountants. [For example, many of the users now need to view streaming media provided as part of a corporate announcement by one of the SEC's registrants.] The steel door that was the firewall is now a screen that lets in only those items that fit. But even then things get through, and that is where host-based tools such as firewalls and protection against malware on the desktop become critical.
How have these technologies been deployed; what has been the process involved?
This has been an evolutionary process for the SEC. The organization started building firewalls using the old Firewall Toolkit [a set of proxies that help organizations build their own firewall]. It then grew to utilizing commercial products as the requirements for monitoring and availability became more critical. Organizations have to look seriously at their ability to monitor and manage these devices and products. Without appropriate monitoring, you may create a secure infrastructure but put your users out of business.
The SEC has been working toward the use of ITIL [Information Technology Infrastructure Library, a framework of best practice approaches in the management of I.T. infrastructure]. This requires a disciplined approach to planning releases of our systems and applications, including security. Security is so integral to our infrastructure that making changes to even minor settings can have a large ripple effect. Testing thoroughly is really the only way to ensure that you do not miss anything. The ITIL framework will give us the structure to improve our overall communications and results.
What are some of the major challenges involved in a layered security approach?
The major challenge for us is to ensure the availability of our applications and systems. Our user community, which is made up of lawyers and accountants, expects things to be working. The products that we have deployed have to be built with not just protection in mind but availability as well. Our intrusion prevention system has a fail-safe mechanism to ensure that in a fault condition, traffic still flows. Some might say this is a bit risky, but availability is critical. We have addressed this risk through redundant network paths and hardware.
What are the people issues involved with a layered security approach?
As our working environment has become more complex, we've found that people have a tendency to become subject-matter specialists. This is fine, except when the subject-matter expert is on vacation. So, one of the critical practices we've begun is cross-training. All subject-matter experts are expected to maintain a current list of procedures and tips. As part of regular team meetings, we set aside one meeting a month for cross-training and skill maintenance.
We put a great deal of effort into training; more than 99% of all SEC personnel received annual security training in 2006, covering the most common security issues such as passwords and how to protect SEC data, and we answer any policy question posed via e-mail almost immediately so that users aren't left hanging. In short, we've found you can minimize the need for a heavy hand in policy adherence by working very hard to maintain a proactive, rather than reactive, stance.
Has the organization suffered security breaches either before or after adopting layered security, and if so, how were they handled?
The agency has suffered, along with other government agencies, the handle-rattling [searching for unsecured entrances] that comes from scans and pings. What I mean by this is the continual probing and poking of our network and security devices by outsiders.
Our biggest challenge is keeping up with the volume of users. [The main SEC Web site] provides much of the public with access to EDGAR filings. [EDGAR, the Electronic Data Gathering, Analysis and Retrieval system, is used by entities required to file forms with the SEC.] Just the everyday use of that site puts our resources to the test. While information technology is, of course, a significant vector for security breaches, it's important to understand that many security breaches don't involve technological failures at all. Rather, you need to be prepared for the growth and volume of serving the public's need for information.
How has having a layered security strategy helped the SEC prevent attacks?
A layered approach does not prevent attacks per se; rather it is about not allowing them to be successful in hitting the target. When you use the number of products that we have to deliver services to our user community, there will always be vulnerabilities. By employing layers of defense, we basically are creating moats that have to be crossed. This will slow down attacks and allow us to detect them.
How much budget is the organization devoting annually to information security?
The overall I.T. budget is about $100 million for fiscal 2007. The information security budget is between $5 million and $10 million. The budget for security has grown over the last three years to help modernize and strengthen our internal controls, very similar to private companies as they address Sarbanes-Oxley compliance. Going forward, our security budget will probably trend with inflation, though we do see a need for funds in fiscal year 2008 to address IPv6 [Internet Protocol Version 6, the next-generation Internet protocol] implementation as mandated by the Office of Management and Budget.
What's your philosophy in constructing an information security architecture?
It's a mistake to construct an architecture aimed at combating your "biggest threat." You need to build your systems to address your threats, period. Obviously, risk-based approaches are necessary when resources are not unlimited, but you can make an enormous mistake by narrowly tailoring your approach. An example of this is the explosion of botnets and phishing. Two years ago, the issue was script-kiddies [inexperienced crackers who use scripts and programs developed by others to launch attacks]. The issues are constantly shifting.
What advice do you have for organizations that are considering a similar layered approach to security?
You need to get buy-in from your top managers. Without that commitment from your leadership, you can't win. I do not mean just your I.T. management, either. Our CIO, Corey Booth, has been extremely supportive, but in addition our chairman, Christopher Cox, has made the improvement of our security and internal controls one of his top priorities. It is this demonstration of support that makes everyone throughout the organization step forward and lend a hand.
One word of caution is not to just go out and buy product. The market has matured, but vendors move at different paces in terms of product revisions and upgrades. Our model is a steady, deliberate pace of change. So, we look for vendors with one or maybe two updates a year, rather than one a month. Changes that are not controlled are recipes for error or worse.