A Proposed Model for Datacenter in-Depth Defense to Enhance Continual Security

Full Text (PDF, 427KB), PP.55-67

Author(s)

Nashaat el-Khameesy 1,* Hossam Abdel Rahman Mohamed 2,3

1. Computers & Information systems Chair, Sadat Academy

2. Computer & Information System Dept - Sadat Academy

3. Computer & Information System Dept - Sadat Academy for management Science –Maady-Cairo-Egypt

* Corresponding author.

DOI: https://doi.org/10.5815/ijitcs.2013.04.07

Received: 2 Jul. 2012 / Revised: 9 Nov. 2012 / Accepted: 11 Jan. 2013 / Published: 8 Mar. 2013

Index Terms

Defense in Depth, Information Security, Threats, Attack, Risk Management, Datacenter Continuity

Abstract

Defense in Depth is a practical strategy for achieving Information Assurance in today’s highly datacenter environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations. This paper provides an overview of the major elements of the strategy and provides links to resources that provide additional insight. Companies need to address the security challenges of the datacenter using a comprehensive defense-in-depth strategy. No single security solution will keep a determined thief from the goal of compromising the hardware or software given enough time and resources. Applying multiple layers of system security will slow the progress made by a thief and, hopefully, force the thief to abandon the pursuit of, at the least, resale of the stolen property and, at worst, confidential corporate data. Defense in depth is the concept of protecting a datacenter with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack. In this paper, the main focus is on highlighting the security aspects of the datacenter from the perspectives of threats and attacks on one side and approaches for solutions on the other. The paper also proposes an effective and flexible distributed scheme with two salient features. Our scheme achieves the integration of continual security improvement and Security Risk localization. This paper deals with the implementation of defense in depth at a strategic, principle-based level and provides additional guidance on specific sets of controls that may be applicable to support an organization’s defense in depth initiatives.
The paper presents in Section (1) the Defense in depth concept; in Section (2) Threats, Adversaries, Motivations, Classes of Attack and Vulnerability Analysis; in Section (3) Information Security Assurance, Defense in Multiple Places, Layered Defenses and Security Robustness; and in Section (4) Design Goals, and finally the proposed solution, and provides the IT Security Role & Functional Matrix.

Cite This Paper

Nashaat el-Khameesy, Hossam Abdel Rahman Mohamed, "A Proposed Model for Datacenter in-Depth Defense to Enhance Continual Security", International Journal of Information Technology and Computer Science (IJITCS), vol. 5, no. 4, pp. 55-67, 2013. DOI: 10.5815/ijitcs.2013.04.07
