1 / 28

The Prime Directive - I

Protective Measures at NATO Headquarters Ian Davis Head, Information Systems Service NATO Headquarters Brussels, Belgium. The Prime Directive - I. NATO information… …shall be managed as a corporate resource to support NATO [business]… … throughout its life-cycle...

jcoon
Download Presentation

The Prime Directive - I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protective Measures at NATO Headquarters Ian DavisHead, Information Systems ServiceNATO Headquarters Brussels, Belgium

  2. The Prime Directive - I NATO information… …shall be managed as a corporate resource to support NATO [business]… … throughout its life-cycle... Extract from NATO Information Management Policy

  3. The Prime Directive - II NATO information… …shall be protected… …to ensure its confidentiality, integrity and availability throughout its life-cycle... Extract from NATO Information Management Policy

  4. What is NATO? • An alliance of 19 nations... • ...and EAPC, PJC & NUC • The forum for consultation and decisions on security matters • A facility for co-operation in other matters

  5. NATO HQ Activities POLITICAL CONSULTATION COORDINATION OF ACTIVITIES CONSULTATION PROGRAMME MANAGEMENT HEADQUARTERS ADMINISTRATION

  6. AGENDAS DOCUMENTS NOTES DECISION SHEETS MEETING ATTENDEES: CREATE, REVIEW, APPROVE NATO HQ STAFF: CREATE, COLLATE, MANAGE DOCUMENTS COMMENTS The Consultation Process CONSULTATION requires INFORMATION requires INFORMATION MANAGEMENT requires INFORMATION SECURITY

  7. Transformation of NATOsince 1989 • Political • NATO > EAPC > OTHERS • Information Technology • Mainframe > LAN > WAN [> Internet] • Security • Confidentiality > Integrity & Availability

  8. NATO HQ Organisation NATIONAL/ PARTNER DELEGATIONS MILITARY REPRESENTATIONS NAC EAPC MILITARY COMMITTEE INTERNATIONAL STAFF INTERNATIONAL MILITARY STAFF

  9. NATO DOMAIN EAPC DOMAIN Security Domains MEMBER NATIONS MILITARY COMMANDS NATO AGENCIES NATO HQ DELEGATIONS MILREPS INTERNATIONAL STAFFS PARTNER MISSIONS INTERNATIONAL ORGANISATIONS PARTNER NATIONS INDUSTRY ACADEME MEDIA OTHER NATIONS GENERAL PUBLIC EXTERNAL DOMAIN

  10. NATO HQ Approach to Security • Separate regime for each domain • Same process: • Adherence to NATO Policy • Structure • Objectives • Principles • Countermeasures

  11. Structure • Formality: • separation of functions • documentation • Security as system functionality: • design • development • testing • Managed throughout life-cycle • configuration management

  12. Separation of Roles Security Accreditation Authority accreditation inspections • Operating Authority • system development • system installation • system operation • system maintenance • Security Authority • risk analysis • security SOPs • equipment approval • audits

  13. Documentation • Security requirements statement • Security operating procedures • Interconnection agreements

  14. Objectives • Protecting NATO information against loss of: • Confidentiality • Integrity • Availability • By either accidental or deliberate act

  15. Definitions • Confidentiality • disclosure of information to unauthorised parties • Integrity • modification of information • Availability • destruction of data • denial of service (access to data)

  16. Principles - I • Risk management • Minimality • Least privilege • Self-protecting nodes • Defence-in-depth • Implementation verification

  17. Risk Management • Use of approved methodology • Analysis of: • Threats • Vulnerabilities • Risk Assessment • Countermeasures • Residual Risk

  18. Threats & Vulnerabilities Requirements Risk Analysis Cost Countermeasures Residual Risk Risk Management Risk assessment

  19. Residual Risk RISK IDENTIFIED BY RISK ASSESSMENT RISK COVERED BY COUNTER MEASURES Residual Risk:Risk accepted due to cost/difficulty of countermeasures

  20. Principles - I • Risk management • Minimality • Least privilege • Self-protecting nodes • Defence-in-depth • Implementation verification

  21. Principles - II • Minimality • only enable those services required • Least privilege • users only given functions & authorizations they need • COTS software must be managed

  22. Principles - III • Self-protecting nodes • each network node protects itself • regards other nodes as untrusted • Defence-in-depth • no reliance on one single measure • Implementation verification • regular review of security posture • change/configuration management

  23. Countermeasures PHYSICAL PERSONNEL PROCEDURAL TECHNICAL

  24. Countermeasures - I • Physical • separation of domains • restrict access to information stores • data redundancy • Personnel • careful selection of staff • education • beware the “insider” threat

  25. Countermeasures - II • Procedural • standard operating procedures • need-to-know separation • inspections & reviews • configuration management • Technical • certified products • access controls & audit tools • firewalls & filters • anti-virus software

  26. Conclusions • Information systems are critical to operations • Security: • is an integral part of the overall system • must be managed throughout entire life-cycle • requires structure & method • requires a balanced mix of a wide variety of techniques

  27. Outgoing Traffic (Web) Maximum Line Capacity Incoming Traffic (email) Denial of Service Attack (flooding line)

More Related