Design and printing: GRÁFICAS ALSE, Arcipreste de Hita, 3, 24004 León (Spain), info@alse.com.es
Summary
1. Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2. Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4. Origins and bases of the Taxonomy . . . . . . . . . . . . . . 13
4.1. Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.2. Final model of the Taxonomy . . . . . . . . . . . . . . . . . 19
4.3. Scope of products and services . . . . . . . . . . . . . . . 23
5. Cards of ICT security products . . . . . . . . . . . . . . . . 37
5.1. Anti-Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.2. Anti-malware . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.3. Technical and forensic auditing . . . . . . . . . . . . . . . 47
5.4. Digital authentication and certification . . . . . . . . . . 51
5.5. Contingency and continuity . . . . . . . . . . . . . . . . . . 55
5.6. Confidential information control . . . . . . . . . . . . . . 59
5.7. Network traffic control . . . . . . . . . . . . . . . . . . . 63
5.8. Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
5.9. Legislative and regulatory compliance . . . . . . . . . . . . 71
5.10. Event management . . . . . . . . . . . . . . . . . . . . . . 75
5.11. Access and identity management and control . . . . . . . . 79
5.12. Security in mobility . . . . . . . . . . . . . . . . . . . . 83
1. Foreword
The ICT security market has, over recent years, been experiencing profound changes, not only in terms of turnover but also in qualitative terms, as a result of continuous technological advances, progress in legislation and new social and business conceptions of security. Furthermore, the number of technological threats increases progressively, in a trend that has remained unchanged in recent years. Urged on by this circumstance, the security industry has made a remarkable effort to offer modern products (goods and services) and security solutions capable of facing the new challenges, characterized by increasing complexity and diversity; a challenge involving both the companies that design and make the security products and solutions, and the end users who acquire them and use them in their daily activity. It is always possible to benefit from adverse situations by turning a complex scenario into new business opportunities, so that these security threats also favour the appearance of new market niches. This context boosts the development and innovation of products and solutions that adapt better to the needs and resources of the users: individuals, companies, public administrations and other entities.
INTECO wants to help the European security industry face these challenges with, among other means, this Taxonomy of ICT Security Solutions, developed with a focus on European markets. The Taxonomy is the result of the search for a classification, grouping and functional structuring of all the existing security products and solutions, focused on a global enterprise security market.
Likewise, a deeper search has been made for a common language which allows supply and demand to come closer together, so that customers and suppliers can speak in the same terms and use the same concepts, always taking into account the users, who want a security good or service that suits their needs and resources. In this respect INTECO is confident that this new Taxonomy, as the conceptual basis for INTECO's Catalogue of ICT Security Solutions and Companies, will be a useful tool for the ICT security sector in a global market. It will also be an expression of the Institute's commitment to the development of the security market and to the promotion of international competitiveness.
We want to express our most sincere gratitude for the support received from business associations, public administrations, certification laboratories and professional publications, and especially to the Spanish Technological Platform of Security Technologies and Trust (eSEC) for their valuable contributions. We are aware that there is still a long way to go, since we have only passed through the first stages of this journey. But we are sure that these steps will lead us to achieve the strategic aim this Taxonomy pursues, which is none other than to reinforce the role of the ICT security industry within the global markets.
2. Presentation
The National Institute of Communication Technologies, PLC (INTECO) is a state-owned company assigned to the Ministry of Industry, Trade and Tourism (MITYC) through the State Secretariat for Telecommunications and the Information Society (SETSI). INTECO is a centre of technological development and innovation of public interest that carries out actions at national and international level. Its foundation in 2006 represented an important effort directed towards the dissemination of the new Information and Communication Technologies (ICT) in Spain and towards the strengthening of the industrial sector, clearly in tune with European initiatives. Its main goal is to serve as an instrument to promote and develop the Information Society, with special activities in the field of innovation and the development of ICT-related projects, based on three fundamental pillars: applied research, provision of services and training. To this end, INTECO carries out actions in three areas of specialization:
- Technological Security. Provision of information security services to citizens, SMEs and Public Administrations; research on the evolution of information and network security in Spain; and promotion of supply, seeking to bring it closer to the demand for security solutions and services.
- Accessibility. Social inclusion based on policies of accessibility and equity for all citizens with regard to the possibilities of the Information Society.
- Software Quality. Promotion of the competitiveness of the software and services industry by promoting quality improvement and the certification of companies and professionals in software engineering and Information Society services.
The strategy of INTECO is based on three fundamental cornerstones:
- The promotion of trust in Information Society services, increasing the trust of citizens, organizations and companies, particularly SMEs, in the services of the Information Society and thereby boosting the use of information technologies.
- The provision of services for the Public Administrations in the areas of specialization, with the consequent creation and contribution of added value leading to better public services.
- The promotion of innovation and value in all fields of action, a hallmark of INTECO as a technological institute.
One of the most important activities carried out by INTECO is the elaboration of a Catalogue of ICT Security Solutions and Companies, on which this Taxonomy of ICT Security Solutions is based; the Taxonomy is the core topic of this document.
3. Background
In 2006 the Show-Room of Security Technologies (Security Technology Demonstration Centre) of INTECO started up with a set of very clear aims, among which the boosting and development of the Spanish ICT security market stood out. In order to achieve this goal, a collection of actions was planned. Among them, the elaboration of a Catalogue of ICT Security Solutions and Companies was crucial. During its design the ICT security market was studied, not only the national market but also the international ones, with a focus on the European market. All of these markets were taken as a design reference, and the result was a huge number of available security solutions, which formed the basis for establishing a set of categories of products and services that eventually became the Taxonomy presented in this document. Since guarantees of success were essential when establishing a classification adapted to the market, it was necessary to bear in mind not only questions relating to the products and services to be classified; it was also fundamental for this classification to be understandable, functional and useful both for the market and for the users themselves, the final addressees of the security solutions on offer. On the other hand, as the design of this classification (the Taxonomy, from here on) was studied in more depth, it was understood that it might be much more than just a classification: it might be the universal language of the ICT security market, a common language spoken by all the actors in the market. This language could also become a link between them, strengthening their relationships and therefore fostering the market itself.
All this gave the Taxonomy an enormous range of possibilities; however, the challenge was tremendous and very complex, since classifications and categorizations of security solutions, products, services and technologies already existed, and the way to improve on what already existed was not clear at all. The approaches were many and diverse, and all of them were seemingly correct and suited the intention and scope for which they were designed. It was necessary to have a fundamental guideline, a starting point, that came from the ICT security market itself. If a classification useful for the market was to be built, it was necessary to study the market itself and find out the best way to establish a useful and comprehensive classification for all the different actors in the market. Taking all these assumptions into account, work on the Taxonomy began in September 2007 with a preliminary classification obtained from a first market analysis, which was incorporated in the first version of the Catalogue of ICT Security Solutions and Companies; this is when the life cycle of the Taxonomy, as we know it, started. Throughout this document we describe the design and elaboration of the Taxonomy, carried out on a trial-and-error basis and grounded in the huge amount of market information gathered by the Catalogue of ICT Security Solutions and Companies, which has been essential to the progressive refinement of the Taxonomy and the development of a robust design fully adapted to the market and its needs.
4. Origins and bases of the Taxonomy
As we have seen in the background, the first version of the Taxonomy was born of the need for a classification of the different ICT security solutions existing in the Spanish market, with the aim of cataloguing them, while at the same time contributing a structuring of the market that gives better coherence and organization to the whole. In order to understand the development and evolution of the Taxonomy, we describe in more detail the process that was followed. The contents of this section are structured as follows:
- The state of the art in the classification of STIC products and services
- Design foundations: the market as reference
The state of the art in the classification of STIC products and services
In carrying out this taxonomy we have borne in mind different classifications, among them that of IDC in the publication Western Europe Global Security Market (Hardware, Software, Services) Forecast, 2007-2011, aimed at quantifying the ICT security market; the classification of NIST (National Institute of Standards and Technology) in the publications Guide to Selecting Information Technology Security Products and Guide to Information Technology Security Services, focused on the purchase of security solutions in the field of administration; and also different taxonomies and classifications of laboratories and national and international companies.
Design foundations: the market as reference
existing ICT security solutions in the Spanish market, and also in the European and international markets; on the other hand, a study of the different denominations and uses of the security solutions that can be found in the Spanish market was carried out. From the information gathered by these two routes, a set of fundamental design premises was established, to be used as a guide during the design of the Taxonomy. These premises were the following:
- The number of categories, both for products and services, had to be wide enough not to leave any solution without an associated category, but with a relatively low conceptual level; that is to say, rather technical categories were to be established.
- The denominations of each of the categories, both for products and services, had to be as common as possible, whether for suppliers of security solutions or for users, so as to facilitate identification and recognition by both sides with the least learning effort possible. To this end, terms in daily or frequent use both in the industry and among users were sought.
- It had to be possible to assign every existing product and service to at least one product or service category. Likewise, it was fundamental to design the categories so as to prevent, as far as possible, a product being assignable to more than one category, thus reducing the complexity of cataloguing solutions.
When facing the important challenge of creating a suitable classification of ICT security products and services, the first problem was to decide on the point of departure, i.e. which element had to be the reference starting point for establishing the basic design premises of the classification. We eventually found the answer in the ICT security market itself, both national and international. The security market had to be the reference.
Apart from these requirements, it was essential to establish a clear definition of each of the categories chosen as part of the classification, since one of the problems we had to face during the selection of these categories was that on many occasions there was no clear differentiation among several categories: there were collisions with one or more categories, or there were cases in which the selected categories had different conceptual levels. In this way, some could include others or vice versa, and it was necessary to homogenize this level as much as possible in order to obtain a set of categories with the same conceptual level. Another problem we found had to do with deciding on the conceptual level, i.e. whether to opt for more technical categories or for higher-level categories. An example of the above can be found in the categories associated with firewalls. There are many types of firewalls and it was necessary to come to a decision: although it would have been possible to choose a category of a high conceptual level containing all types of firewalls, for instance a category simply called Firewalls, at that moment we chose to establish various categories of firewalls, of a lower conceptual level but closer to the user. As we will see later on, this approach was not a very good choice, and in the second version of the Taxonomy the opposite process has been applied, creating categories of a higher conceptual level which give the classification greater flexibility and simplicity. In addition, it was necessary not to lose sight of other existing classifications and to take them into account; therefore, the methodology used required important research work on existing classifications of ICT security solutions, which allowed the different classification approaches to be examined, among which we can find the following:
- Functional. Classifications in which the categorization and classification of solutions is done according to the functionalities of the product or service.
- Technological. Classifications in which the categorization and classification of solutions is performed according to the technologies a product or service incorporates.
- End-user. Classifications in which the categorization and classification of solutions is carried out according to the end users' needs and criteria.
Thanks to all this information it was possible to establish a set of objectives to be reached during the design of the Taxonomy, which are listed below:
- To simplify the classification of products and services as much as possible, trying to achieve a relatively small number of categories.
- To establish the most suitable conceptual level, one that gives the Taxonomy durability and stability over time against the changes that happen in the market.
- To give the Taxonomy greater flexibility by incorporating several levels of categories which can be adapted to an environment as changeable as the ICT security market.
- To establish the concept of scope, which we will see later on, both for products and for services. It adds one more dimension to the classification of products and services.
Below we describe each of them in more detail.
Simplification
In practice a relatively high number of categories adds complexity to the cataloguing; that is why a reduced number of entries in the Taxonomy was chosen, with the aim of facilitating the task of classification: when classifying a certain product or service, we reduce the number of categories to which it is associated. We can observe the tendency of security products and services to incorporate ever more functionalities, so that ever more complete security products and services are offered to the market. Bearing this in mind, reducing the number of categories for products and services greatly simplifies the subsequent cataloguing and, definitely, the use of the Taxonomy.
Conceptual level
The conceptual level refers to the fact that the categories may have distinct conceptual levels. For instance, for firewalls we could establish two types of categories:
- Firewalls category
- Network-level firewalls category
The Firewalls category is a more general category, which therefore allows any type of firewall to be included in it, since it simply refers to any product which has firewall protection capability, without specifying which kind of firewall. The Network-level firewalls category refers to a specific type of firewall, in this case network-level, and therefore only the firewalls that operate at this level can be included in this category. It is therefore a category of a lower conceptual level. Regarding the conceptual level, it has proved more practical and simpler to establish categories with a higher conceptual level, that is to say, more general ones. In this way it is possible to reduce the number of categories considerably.
Increasing flexibility
Another very important feature which had to be improved has to do with flexibility when adding new categories to the Taxonomy, so that it is flexible enough to adapt to changes in the security market. From the point of view of flexibility, the problem faced by the Taxonomy is that a certain part of it cannot be continuously varying, as is the case of the categories of products and services. If new products and services emerge, they must be associated with some of the existing categories, or otherwise we run into a problem. In order to solve this, work in two directions has been carried out. The first relates to the conceptual level: by creating more general categories, every category is able to hold more types of products and services, thus limiting the risk that new products and services cannot be associated with any category. On the other hand, two category levels are established: the first is the one we already know, in which we find the main categories of products and services, and the second consists of the different subcategories or types. For instance, the Firewalls category and the Network-level firewalls category are a perfect example of category and subcategory or type. In this case, the primary category would be Firewalls, including every product offering this protection technology, while Network-level is a subcategory or specific type of firewall. The interesting thing about subcategories or types is that they are able to vary much more often than the main categories, since, unlike the categories, they are not fixed; consequently we have much more flexibility, enabling the classification to adapt to market changes.
4.1. Methodology
We can establish three basic pillars on which the elaboration of the Taxonomy was based. The pillars are:
- The knowledge and experience accumulated by INTECO's Show-Room of Security Technologies on the market of ICT security solutions,
- The Catalogue of ICT Security Solutions and Companies of INTECO, and
- The collaboration of all the actors in the Spanish security market.
4.2. Final model of the Taxonomy
First level of the Taxonomy
(Figure: the first level of the Taxonomy splits into STIC products and STIC services; the category lists below are what the figure preserves.)
Services STIC: Technical auditing; Business contingency and continuity; Compliance with legislation; Outsourcing of security services; Training; Management of security incidents; Implementation and certification of regulations; Planning and implementation of infrastructures.
Products STIC (partial): Contingency and continuity; Confidential information control; Network traffic control; Firewalls; Legislative and regulatory compliance; Event management; Access and identity control and management; Security in mobility; Encryption systems and tools.
Subcategories or types
A feature that gives the Taxonomy a lot of flexibility is its third level of classification, in the shape of subcategories, which, unlike the primary categories, are intended to change and adapt to market transformations. In the following graphic we see an example of subcategories belonging to the primary product category Firewalls.
Firewalls: Web content filter; Corporate firewall; Web application firewall; IM firewalls; Personal firewall; UTM; VPN (IPsec, SSL); Parental control
Scope
The incorporation of the scope, both for products and for services, makes it possible to establish the field of application for each category of product or service. The different scopes for products and services respectively can be seen in the following graphic.
Products: Access and identity management; Workplace security; Application and data security; System security; Network security
Services: Individuals; Organization; Information; Infrastructure; Business
Taxonomy
All the elements described in the previous sections combine to give the picture below, which contains the model of the Taxonomy of ICT Security Solutions (reproduced here in list form).
Taxonomy of products. Fields of application: Access and identity management; Workplace security; Application and data security; System security; Network security.
Category of product, with its subcategories or types:
- Anti-fraud: anti-phishing, anti-spam, UTM
- Anti-malware: anti-virus, anti-spyware, UTM
- Technical and forensic auditing: technical auditing tools, forensic auditing tools, intrusion test, secure erase (tools), management of patches and vulnerabilities, tune-up
- Digital authentication and certification: digital certification tools, smartcard and eID card tools
- Contingency and continuity: disaster recovery tools, backup systems, virtualization
- Confidential information control: confidential information control (outbound), UTM, information leakage prevention
- Network traffic control: P2P control, network traffic monitoring and reporting, bandwidth control, QoS, UTM
- Firewalls: web content filters, corporate firewall, web application firewall, IM firewall, personal firewall, UTM, VPN (IPsec, SSL), IDS, IPS, parental control
- Legislative and regulatory compliance: LOPD, LSSI, risk management, SGSI, ILM
- Event management: security event management, SIM, SIEM
- Access and identity control and management: corporate network access control
- Security in mobility: mobile devices, Wi-Fi wireless networks
- Encryption systems and tools: messaging encryption, secure storage
Taxonomy of services. Fields of application: Individuals; Organization; Information; Infrastructure; Business.
Category of service, with its subcategories or types (only partly preserved in the figure):
- Training
- Incident management
- Implementation and certification of regulations: certification and accreditation, security policies, security plans, risk management
- Planning and implementation of infrastructures:
4.3. Scope of products and services
When determining the scopes of products and services, it was seen that the scope could be used as a guide or roadmap to help the users of security products and services when carrying out their implementation, or when determining where security should be applied inside organizations. For products, five different scopes were specified:
- Access and identity management
- Workplace security
- Application and data security
- System security
- Network security
These five scopes are arranged on the basis of a hypothetical process of implementing security products in an organization, beginning with access and identity management and finishing with the implementation of network security. In the case of services, wider or conceptually more general areas of application were established, since services can be applied broadly, not only to ICT systems and infrastructures but on many occasions also to individuals or to the business. For services the following scopes were established: Individuals, Organization, Information, Infrastructures and Business. The result of combining the categories of products and services with their respective scopes is a two-dimensional model of the Taxonomy; that is to say, the Taxonomy incorporates information about the physical environment or context in which the various products and services are used as a new dimension. If we represent the Taxonomy with the categories and the scope, we obtain a chart like the one below:
(Chart: a grid of categories against scopes; the figure labels one axis Category 1 and the other Scope 1, Scope 2, Scope 3, Scope 4.)
As we have said, from the point of view of implementing security services and products, the scopes work as a roadmap or guide which organizations can use to establish where to carry out the implementation. But the truth is that the scopes have neither a beginning nor an end. There is no scope that can always be taken as the starting or reference point; which scope is chosen as the place where implementation is necessary depends on each particular case. The manner in which the scopes are organized can be represented as a graph like the one below:
(Graph: the scopes drawn as interconnected nodes with no fixed starting point; the figure preserves the labels Workplace security, Network security and System security.)
The scopes, in addition, make the search for security solutions simpler, since we use not only the category as a search criterion but can also use other information, such as which infrastructures we are trying to protect or in which area of our organization we need to implement security. The search sequence, when looking for a security service or product, might be as follows:
1. Establish the scope of the product or service.
2. Decide whether we are looking for a product, a service or a complete solution.
3. Determine the category of product or service that best suits our needs.
4. Identify the solutions which meet the previous criteria.
The scopes of products and services are described below.
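The two-dimensional model (category x scope) and the four-step search sequence above, as an added illustration in Python that is not INTECO's own code or catalogue. The category, subcategory/type and scope names are taken from this document (a subset of them); the solution names in the sample catalogue, and the `Solution` class and function names, are constructed for the example.

```python
"""Toy model of the Taxonomy's two dimensions (category x scope) and of the
four-step search sequence. This is an added illustration, not INTECO's own
code. Category, subcategory/type and scope names are taken from the page
(only a subset); the catalogue entries below are constructed sample data."""

from dataclasses import dataclass

# Product scopes (fields of application), in the page's implementation order.
PRODUCT_SCOPES = [
    "Access and identity management",
    "Workplace security",
    "Application and data security",
    "System security",
    "Network security",
]
# Service scopes are broader, non-technical areas of application.
SERVICE_SCOPES = ["Individuals", "Organization", "Information",
                  "Infrastructure", "Business"]

# Primary (stable) categories mapped to their subcategories/types, the level
# the page allows to change with the market. Note that UTM appears under
# several categories, which is the kind of collision the page discusses.
PRODUCT_CATEGORIES = {
    "Anti-malware": {"anti-virus", "anti-spyware", "UTM"},
    "Firewalls": {"web content filter", "corporate firewall",
                  "web application firewall", "IM firewall",
                  "personal firewall", "UTM", "VPN", "IDS", "IPS",
                  "parental control"},
    "Event management": {"security event management", "SIM", "SIEM"},
    "Security in mobility": {"mobile devices", "Wi-Fi wireless networks"},
}
SERVICE_CATEGORIES = {
    "Training": {"training"},
    "Implementation and certification of regulations": {
        "certification and accreditation", "security policies",
        "security plans", "risk management"},
}


@dataclass(frozen=True)
class Solution:
    name: str
    kind: str            # "product" or "service"
    types: frozenset     # subcategory/type labels the solution offers
    scopes: frozenset    # fields of application it is intended for


def _tables(kind):
    """Pick the category and scope tables for a product or a service."""
    if kind == "product":
        return PRODUCT_CATEGORIES, PRODUCT_SCOPES
    if kind == "service":
        return SERVICE_CATEGORIES, SERVICE_SCOPES
    raise ValueError(f"unknown kind {kind!r}")


def categories_for(solution):
    """Resolve a solution's type labels to the primary categories they
    belong to (a solution may land in several, which the design premises
    try to minimize)."""
    categories, _ = _tables(solution.kind)
    return {cat for cat, types in categories.items() if solution.types & types}


def check_premises(solutions):
    """Check the page's design premises over a catalogue: every solution
    must map to at least one category and, as far as possible, to only one,
    and must only use scopes defined for its kind. Returns (name, problem)."""
    problems = []
    for s in solutions:
        _, valid_scopes = _tables(s.kind)
        cats = categories_for(s)
        if not cats:
            problems.append((s.name, "no category"))
        elif len(cats) > 1:
            problems.append((s.name, "ambiguous: " + ", ".join(sorted(cats))))
        for scope in sorted(s.scopes - set(valid_scopes)):
            problems.append((s.name, f"unknown scope {scope!r}"))
    return problems


def search(solutions, scope, kind, category):
    """The search sequence: 1) fix the scope, 2) product or service,
    3) the category, 4) return the solutions matching all three."""
    categories, valid_scopes = _tables(kind)
    if scope not in valid_scopes:
        raise ValueError(f"{scope!r} is not a {kind} scope")
    if category not in categories:
        raise ValueError(f"{category!r} is not a {kind} category")
    return sorted(s.name for s in solutions
                  if s.kind == kind and scope in s.scopes
                  and category in categories_for(s))


# Constructed sample catalogue (names are invented for illustration).
CATALOGUE = [
    Solution("Sample UTM appliance", "product",
             frozenset({"corporate firewall", "IPS", "anti-virus"}),
             frozenset({"Network security", "System security"})),
    Solution("Sample desktop AV", "product", frozenset({"anti-virus"}),
             frozenset({"Workplace security"})),
    Solution("Sample SIEM", "product", frozenset({"SIEM"}),
             frozenset({"System security"})),
    Solution("Sample unclassified gadget", "product",
             frozenset({"quantum widget"}), frozenset({"Network security"})),
    Solution("Sample policy-writing service", "service",
             frozenset({"security policies"}), frozenset({"Organization"})),
]

if __name__ == "__main__":
    for problem in check_premises(CATALOGUE):
        print("premise violation:", problem)
    print(search(CATALOGUE, "Network security", "product", "Firewalls"))
```

Running the block reports the UTM appliance as ambiguous (it resolves to both Firewalls and Anti-malware) and the gadget as unassignable, which are exactly the two premise violations the cataloguing is designed to avoid.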
Access and identity management
These mechanisms are responsible for establishing permissions and checking access to local or remote systems and applications; for assigning, maintaining and controlling user profiles according to the specific use of ICT resources assigned to each user; for monitoring the use of resources by users, etc. By analogy with the physical world, and sometimes with similar formats, the mechanisms (keys, cards) that we have to apply or use to secure and gain access to the resources needed to carry out our activity fall into this scope. At this level the end user (technicians and the people in charge of security in companies) requires that security products safeguard their identity and that of the computers under their control against abuses (intrusion, phishing), so that they can confidently access and use the data, applications, systems and networks they need to carry out their activities and daily work.
Workplace security
Once the first level has been covered, it is necessary to have security guarantees in the most immediate element, the systems of the devices constituting the workplace. Under the denomination Workplace security we find the security applicable to the operating systems of the fixed, portable and mobile devices (computers, peripheral devices, phones, PDAs, TDT (Digital Terrestrial Television) workstations) which are in the front line before the ICT user. After the users have been identified and their permissions established, the security of the systems of the devices constituting our workplace is guaranteed. Many categories are included within this scope, and the majority of them also share other scopes. Generally the security products of this scope work to protect users and their equipment from the security incidents which may appear (attacks against the operating system, client software, browsers). They are, in particular, the products which provide security in the local environment, in the available software and hardware, and are often controlled by the end user. Frequently the security mechanisms of these products include functions for monitoring software updates on our systems, warning of potential attacks, etc. The end user and the technician (and the people responsible for security in companies) require at this level that the computer systems of the workplaces they use (mobile phones, PDAs, laptops, hard drives) are safe from any attack against their content, any attack which renders them unusable for the purpose they were installed for, which facilitates the theft of data or the unauthorized monitoring of users' activity, or which turns them, without the users' conscious consent, into elements of networks with malicious activities.
Application and data security
The end users and the professionals in charge of security require that the applications and data handled by the security products at this level be protected against any attack which could compromise data integrity, allow the unauthorized spreading of data, particularly personal data, affect the functioning of applications, or endanger, directly or indirectly, the systems where these are executed. In addition, they demand that, in the event of a security incident which affects their work (and consequently the business, in the case of companies), these security products make it possible to restore activity as soon as possible.
System security
Interrelated with the previous level, just like the Workplace security products, but with a lower level of complexity and addressed to technicians and system administrators, we find the System security tools. At this level the user needs to take the technical and organizational steps which protect the company's computer systems (servers, shared storage elements and other peripheral elements) in a centralized way against security incidents, both preventively and reactively. The technologies applied at this level are frequently useful for applying monitoring methods and auditing mechanisms. The control of these security mechanisms is generally a responsibility of the system operators, who work in harmony with the organization's security strategies and policies. The tools mainly included in this scope are tools for corporate servers, tools for restoring centralized storage systems in the event of security incidents, and tools for carrying out technical audits of systems and security event management, although it can also hold other related security products. The end user, the technician and the people responsible for the security of companies demand that these security products preventively protect the systems, and indirectly their contents, and allow, in the event of an incident, the monitoring and correction of security flaws.
Network security
Finally, the Network Security level includes the security elements directly applicable to networks in all their expressions: LAN, WAN, VLAN, WiFi, etc. These products guarantee that the user can trust the transport between the terminal elements which interface with the user and remote servers or other stations, independently of the intermediate elements (routers, switches, etc.). The main tools included in this sphere of application are network firewalls, virtual private networks, intrusion prevention and detection systems, tools for the protection of wireless networks and mobile devices and network traffic monitoring tools, although it can also hold other security-related products. The products within this scope are at the mercy of changes in technology and, especially, of the dramatic increase in the use of mobile devices and applications. The end-user, the technician and the people responsible for the security of the companies demand that the security products at this level guarantee security in the remote access of computers between networks and in the transmission of information through those networks, allowing only authorized users to monitor, analyse and control incoming and outgoing traffic and guaranteeing that the connectivity of the linked computers is maintained.
technologies are included in the scope, especially all which relate to good practices in the use and application of the technology within the work process. The involvement of workers at the moment when the security policies and procedures are fulfilled is fundamental to improving the security level of the organization. Likewise, training services on the use of security devices are found in this scope. A specific security-related section concerning individuals is compliance with legislation in the area of personal information. This scope, besides other related ones, applies to the tools facilitating this regulatory compliance in the companies. Furthermore, there is a growing number of abuses against security coming from inside the companies. The services which prevent, detect and counter this type of attack fall into this scope. The users and companies demand the services of this scope to protect the company against unwanted internal activities, to improve the security that ICT users can contribute through their knowledge, and to guarantee the security of the individuals and their identities and credentials (both of workers and users) in the use of ICTs.
Organization
The next level of scope of services, the organization, refers to the security services related to the organizational system of the company: functions, responsibilities and procedures. The services under this scope have as their objective the application of organizational security measures: permissions and duties, compliance with legislation, security operations, etc. This scope is closely linked to the previous one, since it is the individuals who are responsible for complying with, and enabling compliance with, the security rules and standards that increase the company's degree of security. An important collection of services under this scope is targeted at maintaining the activity in case of attack, restoring the activity and searching for the causes of the security failure. There are also services which record the company's activity in order to demonstrate regulatory observance of the legislation: services through the Internet and services for the protection of the personal data of its workers and of the users of its services.
The companies demand the services in this scope in order to obtain security guarantees for the organizational functioning, the supervision and recording of the company's ICT-based activity, and facilities for the resolution of security problems which allow the continuity of the activity.
Information
In this scope we find the security services which directly enable the protection and retrieval of the data and information of the company. Information in electronic format represents one of the most important assets of the company. The aim of information security is to ensure the confidentiality, integrity and availability of this information: to prevent the information from being accessed by unauthorized people or systems, to protect the information from being altered without authorization, both when it is filed and when it is being transferred or used, and to guarantee that the information is accessible, in time and manner, to all those who need it. An important group of services under this scope allows the exchange of confidential information and the trustworthy identification of its origin. Also, the services targeted at protection against losses of information fall into this scope: those which permit information backups and their subsequent retrieval, those which prevent the non-permitted diffusion of information and those which apply protection measures against the loss of workstations and other devices. The companies demand these services to protect the information during its whole lifecycle: from its creation, while it is stored in different media and devices, during its exchange, and up to its secure destruction.
Infrastructure
Another scope, infrastructures, groups the security services applied to the equipment of the company. Under this scope we may find the services directed to the selection, implementation and operation of the security products in all their categories. The services which permit to detect the potential security breaches in the ICT infrastructure and those providing the operation of the security equipment and the management of the security incidents are also included in this scope.
The companies demand the services under this scope to provide an external solution to their technical shortcomings in the area of security and to provide them with external mechanisms in the shape of operation and maintenance of equipment, of staff, or a mixture of both.
Business
The scope of business refers to security services relating to business in all its expressions. Under this scope we find the services that facilitate the organizational changes necessary for the adaptation of the security plans and policies within companies and organizations. We may also find the establishment of good practice concerning information security, which has a positive influence on the improvement of the productive processes, giving them reliability and security, and allowing cost savings and the reduction of the unavailability times of its own services. The companies demand from these services the adaptation of their business processes and the application of standards and security mechanisms which guarantee their continuity and, consequently, minimize the losses in case of attacks or security disasters.
The Taxonomy has been useful as a classification element for the great majority of security solutions.
5. Cards of ICT security products
The cards for the following categories of products are described next:
Product:
- Anti-fraud
- Anti-malware
- Technical and forensic auditing
- Digital authentication and certification
- Contingency and continuity
- Confidential information control
- Firewalls
- Legislative and regulatory compliance
- Event management
- Access and identity control and management
- Security in mobility
- Encryption systems and tools
5.1. Anti-fraud
DESCRIPTION - What is it?
Anti-fraud tools are designed to protect users from abuses which use so-called social engineering practices. One of the aims of social engineering is to obtain, by means of tricks, user data (passwords, e-mail accounts) in order to use them to conduct fraudulent activities on the Internet. These abuses consist of, among others, the stealing of personal information and bank data and identity theft, using for it different methods such as bank fraud (phishing), website redirection (pharming), unsolicited e-mail (spam) or malware designed for this purpose (software which records keystrokes, i.e. keyloggers, password collectors, etc.). The more frequent fraud attempts come through forged messages (access to financial services, fraudulent job offers, lotteries, prizes and gifts, etc.). The data obtained this way are used to perpetrate frauds or are traded so that they can be used in activities pursuing financial benefit, generally to the detriment of the misled user. Online fraud is a threat which makes use of multiple techniques and different incoming channels (Internet services, malware) but it is especially characterized by exploiting users' confidence and their difficulty in distinguishing what is legitimate and what is not.
TYPES - Subcategories
We can find the following subcategories within this category:
- Anti-phishing tools
- Anti-spam tools
- Secure browsing tools
- UTM tools (Unified Threat Management) and appliance format tools (devices incorporating several security tools)

We can find anti-fraud tools aimed at workstation protection as a part of solutions integrated with other tools within the so-called security suites, or as products with specific functionality sold separately.
There are also products of this type with specific formats directed towards the full protection of organizations, that is, corporate protection tools. As for their distribution, they are found both as software and appliance integrated hardware products, which generally include diverse security tools in only one device.
SCOPE - Application

[Scope figure: dark boxes mark NETWORK SECURITY and WORKPLACE SECURITY]
SUBCATEGORIES - Definitions
Some basic definitions of the various subcategories included in these anti-fraud tools are:

Anti-phishing tools: they protect against bank fraud initiated through electronic mail. False e-mails are used as social engineering tools to obtain user information by making you believe they come from authentic sources like, for instance, your own bank, and asking you for account data, access credentials, etc.

Anti-spam tools: aimed at filtering unsolicited e-mail, also known as junk e-mail.
Secure browsing tools: aimed at protecting users when browsing the net, supervising the sites accessed by means of white/black lists (permitted/non-permitted), reputation systems and other mechanisms like heuristic systems, proactive detection systems and tools for stopping attempts at pharming or redirection to unsolicited websites. They are also used to restrict browsing on banned sites (for instance for children or P2P downloads).

UTM and appliance tools: UTMs consist of servers or devices, sometimes specific appliances, which integrate different security solutions with only one management interface. The term appliance refers to hardware platforms designed with a specific functionality; as for security appliances, this functionality is usually intended to protect electronic mail, browsing or both of them, but not necessarily with unified management, as happens with the so-called UTMs. It is usual to find complete anti-fraud solutions linked to other categories, like in UTM-format anti-malware.
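As an added example, not taken from the INTECO document or from any vendor's product, the following Python code shows how the decision of a secure browsing tool can combine the mechanisms listed above: an allow list, a deny list matched on the registrable domain (so that every subdomain of a blocked domain is caught) and heuristic indicators that flag disguised or look-alike hosts. The brand name, domains and URLs are constructed assumptions, and registrable_domain() deliberately simplifies what a real tool resolves with the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (not from the document): a brand whose users we protect,
# a deny list of known-bad domains and an allow list that short-circuits the checks.
PROTECTED_BRANDS = {"examplebank"}
DENYLIST = {"evil-login.test"}
ALLOWLIST = {"examplebank.test", "intranet.example.test"}


def registrable_domain(host):
    """Last two labels of the host name. Simplification: a real tool consults the
    Public Suffix List so that e.g. 'bank.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_flags(url):
    """Return the heuristic indicators raised for the URL (empty list if none)."""
    parts = urlsplit(url)
    flags = []
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")          # user@host syntax hides the real host
    host = (parts.hostname or "").lower()
    if not host:
        return ["no-host"]
    if _is_ip(host):
        flags.append("ip-address-host")          # legitimate banks do not use bare IPs
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        flags.append("punycode-label")           # possible homograph look-alike
    if len(labels) > 4:
        flags.append("deep-subdomain")
    reg = registrable_domain(host)
    # A protected brand name inside the host while the registrable domain is not
    # the brand's own: the classic 'brand.test.attacker.example' pattern.
    for brand in PROTECTED_BRANDS:
        if brand in host and not reg.startswith(brand + "."):
            flags.append("brand-in-foreign-domain")
    if parts.scheme == "http" and flags:
        flags.append("no-tls")                   # plain HTTP on an already suspect host
    return flags


def classify_url(url):
    """Decision order used by many secure browsing tools: allow list, then deny
    list (matched on the registrable domain, so subdomains are covered), then
    heuristics. Returns 'allow', 'block', 'ok' or 'suspicious:<flags>'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if host in ALLOWLIST or reg in ALLOWLIST:
        return "allow"
    if host in DENYLIST or reg in DENYLIST:
        return "block"
    flags = heuristic_flags(url)
    return "suspicious:" + ",".join(sorted(flags)) if flags else "ok"
```

The allow list is consulted first on purpose: the brand's own domain contains the brand name, so without that short-circuit the heuristic would flag the legitimate site. A "suspicious" verdict is what a real tool would turn into a warning page or a reputation lookup rather than an outright block.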
5.2. Anti-malware
DESCRIPTION - What is it?
These are tools aimed at the protection of computer systems (servers, PCs, laptops, mobile devices, etc.) against any kind of malicious software which could affect them (viruses, trojans, worms, spyware, etc.). Malicious software or malware is a threat which uses multiple methods and different incoming channels: websites, e-mail, instant messaging, P2P networks, external data storage devices (USB flash drives, external hard drives, CDs, DVDs, etc.) and open ports in our computer. Among others, these channels are used by malware to infect computer systems and spread through them, affecting the use they are meant for in different ways (stopping actions, controlling uses, slowing down systems, executing non-permitted actions). Anti-malware tools are the most widespread and the oldest existing security tools.
TYPES - Subcategories
Anti-malware products correspond to the following subcategories:
- Anti-virus tools
- Anti-spyware tools
- UTM tools and appliance format tools (devices which integrate several security tools)

Anti-malware tools aimed at workplace protection are usually integrated with other tools, as in the so-called security suites, or sold separately as specific products. Likewise, there are products of this type for the overall protection of organizations, i.e. providing corporate anti-malware protection. We can also find these products as software or as appliance-integrated solutions providing various security tools in only one device.
They include protection against threats coming from the Internet (web browsing, electronic mail, instant messaging, file downloads, electronic bank) and when using external devices like USB flash drives, external hard drives, etc.
SCOPE - Application

[Scope figure: dark boxes mark NETWORK SECURITY and WORKPLACE SECURITY]
SUBCATEGORIES - Definitions
Some basic definitions of the various subcategories included in anti-malware tools are:

Anti-virus tools. These are the oldest tools within the anti-malware category. Originally intended for protection against viruses, their application has evolved towards protection from different variants of viruses and other types of malware (trojans, worms). The protection techniques have also evolved, becoming increasingly complex in order to detect new malware.

Anti-spyware tools. These are anti-malware tools for fighting marketing or advertising software which is usually installed in the computer merely by browsing the Internet or using electronic mail. It is a type of malware which, although not always dangerous, is indeed annoying, as it spies on our activity and slows down our computer.

UTM and appliance tools. UTMs consist of servers or devices, and sometimes specific appliances, which integrate different security solutions with only one management interface. The term appliance refers to hardware platforms designed with a specific functionality; as for security appliances, this functionality is usually intended to protect electronic mail, browsing or both, but not necessarily with unified management as in the so-called UTMs. Both appliances and UTMs are usually aimed at the protection of small, medium or large networks. It is usual to find complete anti-malware solutions linked to other categories, like in UTM-format anti-malware.
5.3. Technical and forensic auditing

TYPES - Subcategories

Within these tools we can find the following subcategories:
- Log analysis tools
- Port analysis tools
- Patch and vulnerability analysis tools
- Password auditing tools
- Network auditing tools
- System auditing tools
- Data recovery tools (trace recovery)
- Software testing tools / Web applications (in design stage)
SCOPE - Application
The scope is the context where the security functionalities implemented by the different solutions could be applied. Those in which technical and forensic tools could be applied are shown below in the dark boxes.
[Scope figure: dark boxes mark SYSTEM SECURITY, NETWORK SECURITY and WORKPLACE SECURITY]
SUBCATEGORIES - Definitions
Log analysis tools. These tools aim to analyse the activity logs stored in every type of system in order to find out the cause of an incident.

Port analysis tools. These tools aim to locate or detect open ports in the systems which are analysed, or to detect possible security breaches in the systems and devices connected to the network.

Patch and vulnerability analysis tools. Tools aimed at identifying applications and systems which have not been updated, as well as vulnerabilities.

Password auditing tools. Applications designed to perform password analyses, brute-force attacks, dictionary attacks, etc. The objective is to determine whether the organization's password policy is being satisfied and to detect weak passwords or passwords which do not meet the policy requirements.

File auditing tools. Tools aimed at recording and analysing the activity on the system's files and data.

Network auditing tools. Tools designed to conduct full audits of the communication infrastructures, detecting possible open ports, vulnerable services, visible network resources, connected computers and systems, possible vulnerabilities, missing patches and updates, etc.

System auditing tools. Tools aimed at auditing systems, namely desktop computers and laptops.

Data recovery tools (trace recovery). Tools intended to recover incident traces which may have been erased intentionally or accidentally.

Secure development tools. Tools which enable secure development methodologies and standards to be applied during the software development lifecycle and, particularly, that of web applications, in order to prevent applications vulnerable to known abuses from being launched onto the market.
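The core of a patch and vulnerability analysis tool, as described above, is comparing what is installed against what is known to be fixed. The following Python code is an added example, not from the INTECO document or any scanner, of that comparison; the inventory, package names and advisory identifiers are constructed placeholders, not real products or advisories. The one thing it demonstrates that the definition alone does not is why versions must be compared as numbers: as plain strings, "2.4.9" sorts after "2.4.10", and a tool making that mistake would report a vulnerable host as patched.

```python
import re

# Constructed inventory (hypothetical hosts and packages): (host, package, installed version)
INVENTORY = [
    ("web01", "httpd-example", "2.4.9"),
    ("web01", "openssl-example", "1.1.1w"),
    ("db01", "dbengine-example", "10.2.3"),
    ("db01", "httpd-example", "2.4.10"),
]

# Constructed advisories: package -> (first fixed version, placeholder advisory id).
# Anything strictly older than the fixed version is reported.
ADVISORIES = {
    "httpd-example": ("2.4.10", "ADV-PLACEHOLDER-0001"),
    "dbengine-example": ("10.10.0", "ADV-PLACEHOLDER-0002"),
}


def version_key(version):
    """Turn '10.2.3' or '1.1.1w' into a tuple that compares numerically.
    Each numeric chunk becomes an int, each alphabetic chunk a string, so
    '2.4.9' < '2.4.10' and '1.1.1' < '1.1.1w'. Caveat: pre-release tags such
    as '1.0rc1' would sort after '1.0' here; vendor-specific schemes need a
    vendor-specific comparator."""
    key = []
    for chunk in re.findall(r"\d+|[A-Za-z]+", version):
        if chunk.isdigit():
            key.append((0, int(chunk), ""))
        else:
            key.append((1, 0, chunk.lower()))
    return tuple(key)


def is_vulnerable(installed, fixed):
    return version_key(installed) < version_key(fixed)


def find_outdated(inventory=INVENTORY, advisories=ADVISORIES):
    """Return [(host, package, installed, fixed, advisory_id)] for every
    installation older than the first fixed version."""
    findings = []
    for host, package, installed in inventory:
        if package not in advisories:
            continue                      # no known advisory for this package
        fixed, adv_id = advisories[package]
        if is_vulnerable(installed, fixed):
            findings.append((host, package, installed, fixed, adv_id))
    return findings


if __name__ == "__main__":
    for host, package, installed, fixed, adv_id in find_outdated():
        print("%s: %s %s is older than %s (%s)" % (host, package, installed, fixed, adv_id))
```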
5.4. Digital authentication and certification

TYPES - Subcategories

Within this product category we may find the following subcategories:
- Generation and issue of digital certificates
- Electronic signing of documents, e-mails or others
- Smart cards and associated devices
- Digital authentication and identification through digital certificates

We may find these products both as hardware, like smart card readers, and as software, for the digital signing of documents, authentication, verification of the integrity of these documents, etc. We may also find products intended for the identification and authentication of users and organizations through digital certificates.
These solutions generally combine a hardware device with a software system which interacts with a public-key infrastructure. A trusted entity responsible for that infrastructure guarantees the certificates, so that they can be checked and applied.
SCOPE - Application
The scope is the context where the security functionalities implemented by the different solutions could be applied. Those in which digital authentication and certification tools could be applied are shown below in the dark boxes.
[Scope figure: dark boxes mark NETWORK SECURITY, WORKPLACE SECURITY and SYSTEM SECURITY]
SUBCATEGORIES - Definitions
Generation and issue of digital certificates. Tools which enable the creation and issue of digital certificates, as well as the infrastructure required for the maintenance and management of all the aspects concerning the digital certificates.

Electronic signing of documents, e-mails or others. Tools which allow every kind of electronic document to be signed, and tools which may be used in electronic procedures.

Smart cards and associated devices. Tools, basically hardware, which enable the use of digital certificates in a device, as is the case of smart cards and their use in environments and scenarios through card readers, RFID devices, etc.

Digital authentication and identification of individuals through digital certificates. Tools aimed at verifying the identity of a certain user or organization through the use of digital certificates, determining the identity and performing an authentication based on this digital identity. They also allow access to facilities and premises, etc.
5.5. Contingency and continuity

TYPES - Subcategories

Within this category of product we may find the following subcategories:
- Tools for the management of contingency and continuity plans
- System recovery tools
- Backup tools
- Tools for the rapid deployment of infrastructures
- Virtualization security
SCOPE - Application

[Scope figure: dark boxes mark NETWORK SECURITY and WORKPLACE SECURITY]
SUBCATEGORIES - Definitions
Some basic definitions of the different subcategories included in this product category are provided next:

Tools for the management of contingency and continuity plans. Tools which enable the management of contingency and continuity plans in all their stages: design, implementation, monitoring and continuous improvement, during the incident and during the recovery.

System recovery tools. Tools designed to enable the fast recovery of systems and applications in the event of a security incident.
Backup tools. Tools aimed at allowing the quick recovery of data and information in the event of a security incident. They enable the generation of backups of data, software and operating systems to be automated, and their frequency, characteristics (total, incremental, partial, encrypted) and lifecycle to be scheduled. They also facilitate the recovery of data in the event of accidental or deliberate loss.

Tools for the rapid deployment of infrastructures. Tools aimed at enabling the rapid deployment of backup infrastructures if the current ones are lost, in order to reduce the times of activity interruption to the minimum.

Virtualization security. The mechanisms and technologies which provide security to virtualized systems are included in this subcategory.
5.6. Confidential information control

TYPES - Subcategories

Within this category of product we may find the following subcategories:
- Data Leakage Protection tools (DLP)
- Information Lifecycle Management tools (ILM)
- Tools for the control of access to removable storage devices

These tools are generally designed as hardware devices and, to a lesser extent, as software, and are aimed at both users and organizations.
SCOPE - Application
The scope is the context where the security functionalities implemented by the different solutions could be applied. Those in which confidential information control tools could be applied are shown below in the dark boxes.
[Scope figure: dark boxes mark NETWORK SECURITY, WORKPLACE SECURITY and SYSTEM SECURITY]
SUBCATEGORIES - Definitions

Some basic definitions of the different subcategories included in this product category are:

Data Leakage Prevention tools (DLP). Tools which prevent the accidental or deliberate diffusion of the organization's information, independently of its actual state (stored, in transit or in use).

Information Lifecycle Management tools (ILM). Tools which enable the whole information lifecycle to be managed; among their features we find the capacity to implement policies and mechanisms to manage the level of confidentiality of the information, its field of use and its validity.

Tools for the control of access to removable storage devices. Tools aimed at controlling the physical and logical access to ports and other removable devices (USB drives) in order to avoid the theft of information.
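A DLP tool of the kind defined above has to recognise confidential content in data that is about to leave the organization, and the hard part is doing so without drowning in false positives. The following Python code is an added example, not from the INTECO document or any DLP product, of content inspection for three indicator types: payment card numbers validated with the Luhn checksum (so that a shipping reference that merely looks like a card number is not blocked), IBAN-shaped account numbers, and classification markings. The patterns, messages and numbers are constructed; the card numbers are well-known test numbers, not real accounts.

```python
import re

# Constructed indicator patterns (hypothetical policy of an example organization).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")
CLASSIFICATION_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b")


def luhn_valid(digits):
    """Luhn checksum over a string of digits. Every card number passes it, most
    random digit runs do not, so it removes many false positives cheaply."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs of card-number length that also satisfy Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def inspect(text):
    """Return a list of (indicator, evidence) tuples; an empty list means 'release'.
    Evidence is masked so that the DLP tool's own log does not become a leak."""
    hits = []
    for digits in find_card_numbers(text):
        hits.append(("card-number", "****" + digits[-4:]))
    for m in IBAN_RE.finditer(text):
        hits.append(("iban", m.group(0)[:4] + "..."))
    for m in CLASSIFICATION_RE.finditer(text):
        hits.append(("classification-marking", m.group(0)))
    return hits


def decide(text):
    """Policy decision for one outbound message or file."""
    return "block" if inspect(text) else "release"
```

In a real deployment the same inspection runs at the three states the definition names: on stored files (discovery scans), on mail and web traffic (in transit) and on the endpoint as the user copies or prints (in use); the matching logic is shared, only the enforcement point differs.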
5.7. Network traffic control
SCOPE - Application
The scope is the context where the security functionalities implemented by the different solutions could be applied. Those in which network traffic control tools could be applied are shown below in the dark boxes.
[Scope figure: dark boxes mark NETWORK SECURITY, WORKPLACE SECURITY and SYSTEM SECURITY]
SUBCATEGORIES - Definitions

Bandwidth management and control tools. Tools designed for the efficient and appropriate use of the available bandwidth, whose availability may be affected by an inadequate use of the communication infrastructures. They permit its use to be restricted and controlled, according to the security policies and the organization's needs.

Monitoring and reporting tools. Tools intended to supervise communication infrastructures, detecting breakdowns, service failures, inappropriate use of infrastructures, anomalous behaviours, overloads and all types of incidents which may compromise the availability of communications. They can also generate reports that provide accurate information on what is happening, so that decisions can be made to act in the best way when facing an incident.

P2P control tools. Tools designed to block and control traffic through P2P networks, instant messaging and other applications using network resources. They normally block and restrict user access to these services, monitoring the type of information transmitted.
5.8. Firewalls
DESCRIPTION - What is it?
These products are designed to protect systems and devices connected to the network. They allow a security perimeter to be established and guarantee secure communications in order to prevent unauthorized access and attacks coming from external networks and from the Internet. This category includes products which ensure that the communications going to and coming from the corporate or home network meet the established security policies. For this, they trace and monitor communications, blocking traffic, detecting anomalous behaviours and abuses and preventing unauthorized intrusions. Those tools which enable the corporate network to be extended to distant environments, e.g. remote offices, by generating secure communication links, are also included in this category.
TYPES - Subcategories
Within this product category we may find the following subcategories:
- Network-level firewalls
- Application-level firewalls
- Personal firewalls
- Virtual Private Networks (VPNs)
- Corporate firewalls
- UTM firewalls (Unified Threat Management) and firewalls in appliance format
- Intrusion Prevention System (IPS) / Intrusion Detection System (IDS)
- Content filters

There are many types of firewalls and they are usually classified according to the communication protocol layer in which they work. We find the so-called network-layer firewalls, which represent the majority of the commercialized firewalls and which are characterised by controlling communications at the network level.
We may also find application-level firewalls, which are able to monitor not only connections, but also specific protocols and applications. This type of firewall is more usual in the corporate environment; examples are firewalls for instant messaging or for web applications. IPSs and IDSs (Intrusion Prevention Systems / Intrusion Detection Systems) are included in this type of product, carrying out a real-time analysis of connections and protocols in order to determine whether an incident is occurring or is about to occur. We also find within this category the Virtual Private Networks (VPNs), which allow the organization's security perimeter to be extended to remote offices or distant users. Another way of classifying them is according to their scope of protection, i.e. whether they are aimed at protecting the workplace or the whole organization. As to their format, they may be presented integrated in application software, as is the case of browsers, as part of operating systems, as specific hardware devices, or integrated with other security functionalities as with UTM or appliance format tools.
SCOPE - Application
The scope is the context where the security functionalities implemented by the different solutions could be applied. Those in which firewall tools could be applied are shown below in the dark boxes.
[Scope figure: dark boxes mark NETWORK SECURITY, WORKPLACE SECURITY and SYSTEM SECURITY]
SUBCATEGORIES - Definitions
Network-level firewalls. Firewalls operating in the network layer. These represent the majority of firewalls, e.g. personal or corporate firewalls. It is the most widely spread type of firewall.

Application-level firewalls. Firewalls operating above the network layer. They are able to process information at the network or application protocol level, e.g. instant messaging firewalls, web browsing firewalls or P2P traffic firewalls.
Personal firewalls. Firewalls designed for the protection of a personal computer or workstation.

Virtual Private Networks (VPNs). A technology that is usually incorporated as a feature of corporate firewalls or of firewalls targeted at the protection of networks of several computers. VPNs are really useful for interconnecting the offices or facilities of an organization when they are geographically located in different places, by creating encrypted tunnels through the Internet and using address translation methods.

Corporate firewalls. Firewalls designed to completely protect the organization's network. They differ from personal or workstation firewalls in their power and processing capacity, which is necessary to control and manage the thousands of incoming and outgoing daily connections in a corporate network. This type of firewall may function both at network level and at application level.

UTM firewalls and firewalls in appliance format. UTMs (Unified Threat Management) consist of servers and devices, or sometimes specific appliances, integrating different security solutions with only one management interface. The term appliance refers to hardware platforms designed with a specific functionality; as for security appliances, this functionality is usually aimed at the protection of electronic mail or browsing or both, but not necessarily with unified management, as occurs with the so-called UTMs. Both appliances and UTMs are usually intended for the protection of small, medium and large networks. It is usual to find solutions with firewalls joined to other categories like anti-malware or anti-spam in UTM or appliance format.

Intrusion Prevention System (IPS) / Intrusion Detection System (IDS). Tools used to detect and prevent unauthorized access to a piece of equipment or a network. There are IPSs and IDSs for computers and for networks. Both monitor the traffic to determine and prevent suspicious behaviours. They are frequently integrated with firewalls, which perform the function of blocking the suspicious traffic.

Content filter. Tools to control, restrict and limit access to web contents. They are useful for configuring conditions when accessing the Internet through browsers.
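The network-level firewall described in this card decides per packet on protocol, addresses and ports, with the first matching rule winning and a default deny for anything unmatched. The following Python code is an added example of that evaluation, not from the INTECO document or from any firewall product; the addresses, rule set and packets are constructed. It goes one step beyond the card's definition by including a small rule-set audit: the second rule below is never reached because an earlier rule with the opposite action covers it, which is the kind of misconfiguration a corporate firewall review looks for.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source CIDR
    dst: str         # destination CIDR
    dport: object    # frozenset of destination ports, or "any"
    name: str = ""

    def matches(self, pkt):
        """pkt is a dict with keys proto, src, dst, dport (constructed packet summary)."""
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport == "any" or pkt["dport"] in self.dport


# Constructed policy for a hypothetical site: internal network 10.0.0.0/8,
# DMZ web server 192.0.2.10, admin jump host 10.0.1.5, DNS at 10.0.0.53.
# Order matters: the first matching rule decides.
RULES = [
    Rule("deny", "any", "10.0.0.0/8", "192.0.2.10/32", frozenset({22}), "no ssh to dmz"),
    Rule("allow", "tcp", "10.0.1.5/32", "192.0.2.10/32", frozenset({22}), "admin ssh to dmz"),
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", frozenset({80, 443}), "public web"),
    Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", frozenset({53}), "internal dns"),
]


def evaluate(pkt, rules=RULES):
    """Return (action, rule name). Unmatched traffic falls through to default deny,
    which is what makes the rule set a perimeter rather than a list of exceptions."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


def shadowed_rules(rules):
    """Audit helper: a rule is shadowed when an earlier rule with a different action
    covers every packet it could match (same or wider protocol, ports and address
    ranges). Returns [(shadowed rule name, shadowing rule name)]."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action == later.action:
                continue
            if earlier.proto not in ("any", later.proto):
                continue
            if earlier.dport != "any" and (later.dport == "any" or not later.dport <= earlier.dport):
                continue
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))):
                out.append((later.name, earlier.name))
                break
    return out
```

Swapping the first two rules would give the intended behaviour (admin host may reach the DMZ over SSH, nobody else may), which is why rule order, not just rule content, is part of a firewall review.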
5.9. Legislative and regulatory compliance

TYPES - Subcategories

In particular, some of the most used tools are:
- Tools for compliance with legislation: data protection, electronic commerce, etc.
- Tools for compliance with regulations: ISMS (ISO 27001), risk analysis and management and other security standards and regulations
SCOPE - Application

[Scope figure: dark boxes mark NETWORK SECURITY, WORKPLACE SECURITY and SYSTEM SECURITY]
SUBCATEGORIES - Definitions

Legislative compliance tools. Tools aimed at facilitating legislative compliance as regards information security within organizations. Among these laws we can find the EU Data Protection Directive 95/46/EC and the Electronic Commerce Directive 2000/31/EC, their national implementations, and the national laws promoting the information society or concerning information property. These tools allow the management, monitoring and control of the legal duties concerning security, the use of guides and good practice, and the automation of duties.
Regulatory compliance tools. Tools aimed at facilitating the compliance with and implementation of regulations concerning the organization's information security. Among these standards and regulations we can find ISMSs (Information Security Management Systems, ISO 27001), risk analysis and management and other security standards and regulations. These tools enable the management, monitoring and control of security regulations and good practice.
5.10. Event management

TYPES - Subcategories

Within this product category we may find the following subcategories:
- Security Event Management (SEM)
- Security Information Management (SIM) and Security Information and Event Management (SIEM)

It is possible to classify these products as complete or partial incident management tools, i.e. tools which support the management of incidents throughout all their stages, or products which do so only in certain stages; for instance, products which may help in the detection, prevention, analysis, mitigation of consequences, recovery, etc. A tool of this type is generally made up of a server / appliance and SEM/SIM/SIEM software. They are normally built on a client/server architecture, with the client (web client, graphic client) on our machine.
Their objective is to provide support throughout all the stages of the management of a security incident: the early detection of activity indicating a risk of incident, or the detection of the incident itself, its analysis, actions to minimize its impact, its investigation or prevention, and minimizing its implications once it has occurred. They facilitate risk management, permit the control and monitoring of activity, and contribute reports useful for decision making.
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which event management tools apply are shown below in the dark boxes.

[Scope diagram: NETWORK SECURITY / WORKPLACE SECURITY / SYSTEM SECURITY (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Security Event Management (SEM). Tools aimed at responding to security incidents, supporting organizations in any of the stages of a security incident. Their benefits include sending all events to a centralized system, which permits:
- Accessing all the logs (activity records) through a single interface
- Providing a system of secure filing and storage of the records of the different events
- Generating reports in order to extract the useful information from the logs
- Monitoring and investigating events according to their significance, by means of alerts and notifications to the interested agents and actors
- Detecting events across multiple systems
- Protecting against accidental or deliberate erasure of the logs
SIM / SIEM. A SIM/SIEM device collects or receives logs (activity records) from all the monitored devices, stores them for the long term and allows investigation for forensic analysis. These logs are stored and sealed in such a way that they cannot be manipulated without this being discovered; that is to say, should logs need to be presented as legal evidence, they can be presented as unaltered and valid evidence. Depending on the technology the manufacturer uses, this may be done with hashes, timestamps, encryption, etc. In order to allow easy and complete exploitation of the logs, the received events must be classified. All this makes up the basic and indispensable intelligence of a SIM/SIEM tool. The added value of a SIM/SIEM tool consists of:
- Reports
- Alerts
- Correlation rules

In addition, they facilitate obtaining logs as legal evidence, provide log backups and help organizations to adjust to regulations (PCI, ISO, HIPAA, etc.) thanks to the reports obtained from them.
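As an added illustration of the SIM/SIEM functions just described (sealing stored logs so that tampering is detectable, classifying received events, and a correlation rule that raises alerts), the following Python is example code written for this page, not part of the original document or of any product. The record format, the classification patterns, the sample events and the three-failures-in-60-seconds rule are constructed assumptions.

```python
"""Sealed event store with classification and a correlation rule.

Constructed example for the SIM/SIEM description above: records are
chained with SHA-256 seals so that any later alteration is detected,
raw messages are classified into coarse event classes, and a simple
correlation rule turns repeated authentication failures into an alert.
"""
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample events: (unix timestamp, source host, raw message).
SAMPLE_EVENTS = [
    (1700000000, "web01", "sshd: Failed password for admin from 203.0.113.7"),
    (1700000010, "web01", "sshd: Failed password for admin from 203.0.113.7"),
    (1700000020, "web01", "sshd: Failed password for root from 203.0.113.7"),
    (1700000025, "db01", "sshd: Accepted publickey for backup from 198.51.100.4"),
    (1700000030, "web01", "kernel: eth0 link up"),
]


def classify(message):
    """Normalize a raw log message into a coarse event class (assumed rules)."""
    if re.search(r"Failed password", message):
        return "auth_failure"
    if re.search(r"Accepted (password|publickey)", message):
        return "auth_success"
    return "other"


class SealedStore:
    """Append-only store whose records are chained by SHA-256 seals.

    Each seal covers the previous seal plus the canonical JSON of the
    record, so altering, deleting or reordering any stored record breaks
    that record's seal (and every later one) and is reported by verify().
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self.seals = []

    def append(self, ts, source, message):
        record = {"ts": ts, "source": source, "message": message,
                  "class": classify(message)}
        prev = self.seals[-1] if self.seals else self.GENESIS
        seal = self._seal(prev, record)
        self.records.append(record)
        self.seals.append(seal)
        return seal

    @staticmethod
    def _seal(prev, record):
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + canonical).encode()).hexdigest()

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index)."""
        prev = self.GENESIS
        for i, (record, seal) in enumerate(zip(self.records, self.seals)):
            if self._seal(prev, record) != seal:
                return False, i
            prev = seal
        return True, None


def correlate(records, threshold=3, window=60):
    """Correlation rule: alert when one host logs `threshold` or more
    auth failures within `window` seconds. Returns a list of alerts."""
    alerts = []
    failures = defaultdict(list)  # source -> timestamps of recent failures
    for r in records:
        if r["class"] != "auth_failure":
            continue
        times = failures[r["source"]]
        times.append(r["ts"])
        # Drop failures that have fallen out of the sliding window.
        while times and r["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            alerts.append({"source": r["source"], "count": len(times), "ts": r["ts"]})
            times.clear()  # one burst yields one alert
    return alerts


def demo():
    """Load the sample events, verify, correlate, then show tamper detection."""
    store = SealedStore()
    for ts, src, msg in SAMPLE_EVENTS:
        store.append(ts, src, msg)
    intact = store.verify()              # (True, None)
    alerts = correlate(store.records)    # one alert for web01
    # Simulate an attempt to rewrite history: change one stored message.
    store.records[1]["message"] = "sshd: Accepted password for admin from 203.0.113.7"
    tampered = store.verify()            # (False, 1): seal of record 1 no longer matches
    return intact, alerts, tampered


if __name__ == "__main__":
    print(demo())
```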
Access and identity management and control

TYPES - Subcategories
This category comprises the following subcategories:
- Corporate network access control tools
- Tools for the management of identity and authentication, and authentication servers
- Single Sign-On tools

We may classify the products within this category according to their scope of application, e.g. tools for the workplace or for an organization, the latter depending on the number of users they are able to manage. There are also products aimed at managing federated identity (interdependent among diverse organizations) and intended for large networks. According to their functionalities, they are classified in the above-mentioned categories. Furthermore, we may find tools with specific functionality such as the management of roles and profiles, the application of security policies, directory services, integration with workflows, auditing and reports. In addition, according to the technology used for the identification of users, we can find identity management products based on public key cryptography, symmetric cryptography or specific mechanisms or algorithms. As for the way they are delivered, these are usually software products for application in systems and networks, which, for the identification of users, are able to integrate specific hardware such as tokens, smart cards and RFID (Radio-Frequency Identification) cards.
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which access and identity management and control tools apply are shown below in the dark boxes.

[Scope diagram: NETWORK SECURITY / WORKPLACE SECURITY / SYSTEM SECURITY (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Network Access Control tools. Tools designed to provide mechanisms to administer and control the access of users and other networks to corporate network services. They usually include a prevention function against intrusions and inappropriate uses, and a policy enforcement function based on the identity, roles and permissions of users.

Identity management and authentication. Tools focused on identity management which contribute a centralized repository of users and allow centralized authentication and authorization to the systems and resources of an organization. They apply profiles, roles and resource use policies to the users. Authentication servers also belong here.

Single Sign-On tools. Tools which enable access to different systems or locations by means of a shared identification mechanism (Single Sign-On). This is achieved by propagating a single identity and associating it with the distinct services and resources of an organization.
Security in mobility

TYPES - Subcategories
Within this product category we may find the following subcategories:
- Security for mobile devices
- Security for wireless networks
It is advisable to use tools to protect the information held on mobile devices against theft or loss when this information is sensitive or significant for the organization, not only because it may be lost but also because it may end up in someone else's hands.
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which security in mobility tools apply are shown below in the dark boxes.

[Scope diagram: NETWORK SECURITY / WORKPLACE SECURITY / SYSTEM SECURITY (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Security for mobile devices. Tools designed to protect the information, applications and systems of these devices. The previous general categories, particularly anti-fraud and anti-malware, also apply to the security of mobile devices.

Security for wireless networks. Tools aimed at protecting access and connection to wireless networks, incorporating mechanisms of access control, encryption, etc.
Encryption systems and tools

TYPES - Subcategories
Within this product category we may find the following subcategories:
- Communication encryption tools
- Tools for the encryption of information stored in hard drives and other external storage devices

We may classify these tools depending on the information they protect; that is to say, depending on whether they protect information in transit across communication networks or information stored in hard drives, USB drives or other types of storage devices. According to the time at which data are encrypted and decrypted, we can distinguish between real-time encryption and non-real-time encryption. Real-time encryption normally uses less robust algorithms, as is the case of communications through the Internet, or dedicated hardware, as is the case of hard drives incorporating chips for the real-time encryption and decryption of information. They may be found as software or as hardware depending on their scope of application. They are intended for individual use, for corporate use, or for use in large fleets of computer equipment (PDAs, laptops).
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which encryption systems and tools apply are shown below in the dark boxes.

[Scope diagram: NETWORK SECURITY / WORKPLACE SECURITY / SYSTEM SECURITY (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Tools for the encryption of communications. Tools which protect information in transit in applications such as instant messaging, electronic mail, web browsing, etc. They make it possible to conceal the information in messages and attached files so that they can be securely transmitted through an insecure network such as the Internet.

Tools for the encryption of hard drives and storage media. Tools aimed at the encryption of every kind of storage media: hard disk drives (of servers, personal computers and workstations), external hard drives and USB flash drives.
TAXONOMY OF ICT SECURITY SOLUTIONS

[Taxonomy diagram: Product / Services: Technical auditing; Business contingency and continuity; Compliance with legislation; Outsourcing of security services; Training; Management of security incidents; Implementation and certification of regulations]
Technical auditing

TYPES - Subcategories

Within this category of services we may find the following subcategories:
- Intrusion Test or PenTest
- Ethical hacking
- Analysis of vulnerabilities
- Password auditing
- Forensic auditing
- Availability and performance test
- Management of patches and vulnerabilities
PHASES - Roadmap
Generally for this category we can find the following phases:

Audit plan design. The audit scope, objectives and timing are defined during this stage.

Audit implementation. All the technical analyses, either preventive or subsequent to a security event or incident, are carried out in this stage.

Analysis and elaboration of reports. Once the information is collected, it is reviewed and analysed, and a results report is produced which sets out the detected vulnerabilities together with a range of recommendations and measures to improve security.
[Scope diagram: INDIVIDUALS / BUSINESS / ORGANIZATION / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Intrusion Test or Pen-Test. Security audit services aimed at detecting potential entry channels into the organization's ICT infrastructures.

Ethical hacking. Services which use the habitual methods of hackers and cyber-criminals as tools for analysing the security of organizations and companies, without causing any damage.

Analysis of vulnerabilities. Audit services which make it possible to determine vulnerabilities in systems, infrastructures and applications, as well as weak passwords or other security holes.
Forensic auditing. Audit services, subsequent to a security incident, targeted at identifying its causes. Sometimes the results are used as legal evidence.

Performance and availability test. Audit services focused on checking the availability of communication infrastructures with respect to performance, denial of service and reliability.

Management of patches and vulnerabilities. Services aimed at automating the required system updates, preventing the exploitation of vulnerabilities already detected in other systems.
Business contingency and continuity

TYPES - Subcategories
Within this category of services we may find the following subcategories:
- Remote backups
- Secure custody and filing of information and storage media
- Backup centres (design, installation, maintenance)
- Business contingency and continuity plans (elaboration, implementation, checking and testing)
- Assessment and analysis of the impact on the business in the event of an emergency, disaster or security incident (Business Impact Analysis / Assessment)
- Information lifecycle management (ILM)

In this category we can find business consultancy services as well as technological consultancy services, aimed at providing recovery and support mechanisms against disasters.
PHASES - Roadmap
Generally for this category we can find the following phases:

General plan design. Services targeted at defining the contingency plans, their scope, objectives and metrics.

Situation analysis and auditing. Services aimed at determining the current situation of the business or organization as regards the risks to business contingency and continuity.

Implementation process. Elaboration of a project for the implementation of the business contingency and continuity plan: stages, resources, cost, etc.

Implementation. Implementation of plans, measures, systems, policies, etc. with respect to business contingency and continuity.

Checking and testing. Services for the assessment of the previous implementation: management system tests, backups, backup systems.

Continuous improvement and maintenance. Services aimed at the supervision and continuous improvement of the plans, systems, policies and infrastructures implemented in order to face contingency situations and enable business continuity.
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which business contingency and continuity services apply are shown below in the dark boxes.

[Scope diagram: INDIVIDUALS / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Remote backups. Services which permit an organization to manage and make automated backups, stored outside the organization, of the information necessary for the business and for the information systems handling it; they also permit the restoration of the backup copy when necessary (accidental or deliberate destruction of data).
Custody and secure filing of storage and information media. Storage services, with strong security measures and at a location remote from the organization, for any kind of media and information.

Backup centres (design, installation, maintenance). Services targeted at the design and start-up of support or mirror installations which give organizations secondary infrastructures against the loss of their primary infrastructures. We also find global services providing installations which may substitute the organization's own installations in case of serious incidents damaging or disabling its infrastructures.

Business contingency and continuity plans (elaboration, implementation, checking and testing). Services for the design and implementation of measures and plans for the response to incidents and disasters affecting the company's information and its technological means. They allow business continuity to be re-established. This category also includes services aimed at testing and verifying the plans, policies, services and infrastructures implemented with the objective of providing organizations with business contingency and continuity mechanisms.

Business Impact Analysis / Assessment (BIA). Used in case of emergency, disasters or security incidents. Services targeted at conducting analyses of the impact of security incidents compromising business activity.

Information Lifecycle Management (ILM). This subcategory, though linked to the Contingency and Continuity category, is included in the Compliance with Legislation category.
Compliance with legislation

TYPES - Subcategories
Within this category of services we may find the following subcategories, all of which relate to legislation concerning security:
- Legislation auditing
- Adaptation and compliance with legislation (implementation)
- Legislation consultancy
- Assistance to companies being inspected by the national or international agency in charge of Data Protection law enforcement
PHASES - Roadmap
For this category we may find the following general phases:

Design of the plan for adaptation to legislation. Determining the legislation to observe, its objectives, stages and timing.

Situation analysis and audit. Determining the current situation of the business and organization with respect to the legislation to observe.

Implementation project. Elaborating the adaptation project: stages, resources, overall costs, solutions, etc.

Implementation. The adaptation process, including legal, technical and organizational measures.
Internal audit. Internal evaluation, carried out by staff of the organization, of the implementation: tests of the implemented measures and review of the associated documents.

External audit. Where required by the legislation, it is highly recommendable to perform an external analysis of the organization's actual situation with regard to its compliance with the applicable legislation.

Continuous improvement and maintenance. Continuous supervision and improvement of the previous implementation and adaptation, in order to maintain legislative adaptation and compliance.
[Scope diagram: INDIVIDUALS / BUSINESS / ORGANIZATION / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Legislation auditing. Services aimed at auditing the level of compliance with the legislation applicable to a company or organization. They make it possible to obtain a clear picture of its situation and act accordingly.

Adaptation and compliance with legislation (implementation). Services aimed at adapting companies and organizations to the applicable legislation by implementing legal, technical and organizational measures.
Legislation consultancy. Services advising companies and organizations on compliance with legislation concerning security. They provide reliable and up-to-date information on how the current legislation applies to their business.

Assistance to companies being inspected or accused. Services aimed at helping companies and organizations which find themselves under inspection or accusation regarding a possible failure to comply with the applicable legislation.
Outsourcing of security services

TYPES - Subcategories
Within this category of services we may find the following subcategories:
- Managed security (perimeter security, VPN (Virtual Private Network), intrusion detection, secure mail)
- Outsourcing of staff
- Backup centres and data custody centres
PHASES - Roadmap
For this category we may find the following general phases:

Definition of the security services to outsource. The organization or company wanting to outsource some of its security activities evaluates which processes, infrastructures and staff may be outsourced, from multiple points of view such as costs, administration and management complexity, and the staff needed.

Outsourcing project. Assessment of the project, its participants, the details of the service provision and the service levels required.
Service provider. In this stage the service provider, or the type of service provider, is identified and chosen to meet all the identified needs and desired service levels.

Review and level of service. Throughout the contractual relationship with the service provider, the service level offered and achieved is reviewed and analysed in order to detect weaknesses or possible improvements, both in the services themselves and in the level of service offered.
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which outsourcing of security services applies are shown below in the dark boxes.

[Scope diagram: INDIVIDUALS / BUSINESS / ORGANIZATION / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Managed security. Overall or partial outsourcing of security services, as well as the management, supervision and administration of services and infrastructures. This outsourcing may be carried out on site or remotely.

Outsourcing of staff. Outsourcing of the staff in charge of security, so that a specialized company contributes workers and expert security knowledge.

Backup centres. Offered as services providing installations which may substitute the organization's own installations in the event of serious incidents damaging or disabling its infrastructures.
6.5. Training
DESCRIPTION - What is it?
These are services offering training in information security, both for professionals and users and for organizations and companies. The training is structured in different levels according to the target trainees (professional or home users, managers, technicians) or according to the aims of the training (awareness-raising, general or specialized training). Training services may be on-site or delivered through eLearning platforms or online training on the Internet.
TYPES - Subcategories
Within this category of services we may find the following subcategories:
- Awareness-raising
- Academic education in the field of security (masters, bachelors, post-graduate studies, specialities...)
- Technical training in specific security solutions
- Training for the certification of professionals (CISA, CISSP)
PHASES - Roadmap
For this category we may find the following general phases:

Design of the training plan. During this stage the training aims and scope, and the resources, periods and evolution of the plan, are determined.

Training. During this phase the training is carried out, on-site or with the help of e-learning tools, together with the monitoring and assessment of the progress of the training activity.

Examination and evaluation of the acquired knowledge. Where appropriate, the level of learning and knowledge the participants have acquired in the training is evaluated. In this phase the accreditation is obtained in the case of formal training or training for the certification of professionals.
Analysis and elaboration of report. Where appropriate, and especially for training provided to companies, it is fundamental to produce a results report evaluating the participants' acceptance of the training, so as to enable its continuous improvement.

ADDRESSEES - Who is it aimed at?

- Companies facing processes of establishing security systems and policies.
- Companies that have to comply with regulations.
- Companies with information security equipment.
- Security professionals who want to be certified in the field of security.
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which training services apply are shown below in the dark boxes.

[Scope diagram: INDIVIDUALS / BUSINESS / ORGANIZATION / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Awareness-raising. Training services directed at raising users' awareness, creating a consciousness of good practice in the use of the infrastructures and resources of organizations and companies.

Academic education in the field of security (masters, post-graduate studies, specialities). Training services offered by authorized training centres which make it possible to obtain specific qualifications in the field of information security.

Technical training in specific security solutions. Specialized training services aimed at training technicians or workers of the distribution channels in specific security solutions and tools. These services also train the system administrators and technicians of organizations acquiring security solutions and products.
Professional certification. Training services offered by accredited and certified organizations which make it possible to obtain specific certifications (CISA, CISM, CISSP) that are highly demanded in the professional field.
Management of security incidents

TYPES - Subcategories
Within this category of services we may find the following subcategories:
- Security incident prevention services
- Security incident detection services
- Security incident resolution services
PHASES - Roadmap
For this category we may find the following general phases:
- Identification and evaluation of incidents
- Coordination with external sources
- Forensic investigation
- Definition and execution of programmes and procedures regarding incident management
- Development and maintenance of system configuration profiles
- Isolation of affected systems and platforms
- Technical assistance for event analysis
- Elimination of the causes of incidents and their consequences
- Corrective actions
- Recovery and return to normal operation
- Preventive support and post-incident support
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which management of security incidents services apply are shown below in the dark boxes.

[Scope diagram: INDIVIDUALS / BUSINESS / ORGANIZATION / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Security incident prevention services. Services for the prevention of security incidents, such as awareness-raising, definition of good practice and security policies, definition of business contingency and continuity plans, backup procedures, and installation of firewalls, among others.

Security incident detection services. Services for the detection of security incidents, which usually consist of anti-malware software installation, IDS, network monitoring, and management of logs and security events.

Security incident resolution services. Services for the resolution of, and reaction to, security incidents when they arise. They usually consist of backup restoration procedures, malware removal and forensic audit.
Implementation and certification of regulations

TYPES - Subcategories
Within this category of services we may find the following subcategories:
- Security and compliance audits
- Risk analysis
- Information Security Management Systems
- Security policies and plans
- Certification and accreditation

The services related to these subcategories are focused on facilitating the complete or partial management of the implementation.
PHASES - Roadmap
For this category we may find the following general phases: Implementation plan. It refers to the selection of the type of regulation to implement and the establishment of objectives, resources, times, costs, etc.
Audit and analysis of the situation. In this step the situation of the organization is studied with respect to the regulations to be implemented, to obtain as complete and detailed a picture of the situation as possible.

Situation report and scope of the work to perform. From the information obtained in the audit, the necessary measures and actions are detailed.

Regulation implementation. The specific implementation work: elaboration of documents, training of workers, elaboration of policies, etc.

Review and internal audit. An internal process of reviewing the implementation performed: checking the work done, identifying deficiencies and carrying out the necessary improvements.

External audit and certification. The external audit is the review performed by entities external to the organization, needed in order to obtain a certificate accrediting that the implementation conforms to the corresponding regulations. Certification is the obtaining of that certificate once the audit is over.

Maintenance and continuous improvement. A cyclical and constant process of reviewing the implemented regulations and continuously improving them.
SCOPE - Application
The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which implementation and certification of regulations services apply are shown below in the dark boxes.

[Scope diagram: INDIVIDUALS / BUSINESS / ORGANIZATION / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Security and compliance audits. These services review and verify, on the basis of known standards, the levels of security and of compliance with policies and regulations.

Risk analysis. These services evaluate the risks faced by an organization's information-related assets according to their importance for the business processes and activity.

Information Security Management Systems. These services implement the so-called ISMSs, or Information Security Management Systems, according to the current regulation. ISMSs allow organizations to face information-related security incidents in an organized way. An ISMS implemented in accordance with the standard ISO/IEC 27001 can be certified.

Security plans and policies. Services directed at those in charge of developing and maintaining the strategies and activities that guarantee ICT security. They focus on determining directives, technologies, timing, resources and metrics from the point of view of the business.

Certification and accreditation. These services aim to obtain the certificates associated with the implementation of certain regulations, which accredit that an organization has performed an implementation in conformity with those regulations.
Planning and implementation of infrastructures

TYPES - Subcategories
Within this category of services we may find the following subcategories:
- Infrastructure planning
- Infrastructure implementation
- Infrastructure management
PHASES - Roadmap
For this category we may find the following general stages: Consultancy and previous analysis. Analysis of the organizations security level, which can be in depth or cover only a certain part of the organization.
Selection of required infrastructures and security solutions. From the detected needs, the most suitable infrastructures and security solutions are selected.

Technological implementation planning. The implementation is planned, with timescales, costs and other considerations regarding how it may affect the different business processes and the activity of the organization.

Infrastructure implementation. The installation, configuration and start-up of the security solutions and infrastructures.

Training and documentation elaboration. Once the implementation phase is over, and sometimes in parallel with it, documentation is produced and the organization's staff are trained.

Management and maintenance. Management and maintenance may be carried out by the organization's own workers, by an external company, or by a combination of both.

Implementation check. Finally, a periodic review may be performed, intended to maintain the security levels achieved and to adapt to prospective changes in the organization.
The risk associated with investment in security technology decreases when a methodology or professional advice is used in its selection.

SCOPE - Application

The scope is the context in which the security functionalities implemented by the different solutions can be applied. Those to which planning and implementation of infrastructures services apply are shown below in the dark boxes.

[Scope diagram: INDIVIDUALS / BUSINESS / ORGANIZATION / INFRASTRUCTURES / INFORMATION (applicable scopes shown as dark boxes in the original)]
SUBCATEGORIES - Definitions
Infrastructure planning. Services helping companies and organizations to design appropriately the infrastructures and security solutions needed to reach their target security levels.

Infrastructure implementation. Services to carry out the implementation of security solutions and infrastructures in organizations.

Infrastructure management. Services for the management of security solutions and infrastructures, either externally or on site.

The taxonomy in practice

As we have seen throughout this document, the taxonomy is conceptually difficult, since behind its design there is an enormous variety of issues and aspects which must be considered. It is not a mere classification. However, although the underlying design and concepts may be relatively complex, its outcome is highly useful, as the Taxonomy is a powerful tool if one knows how to use it. This section considers precisely those features and qualities which make the Taxonomy a really useful instrument for the security consultant, the distributor or the home user. Let us see how it can help each of them and what we can expect of the Taxonomy from a practical point of view. Many of these issues have already been explained in previous sections, but here we summarize and briefly describe those concepts which can be extremely functional and practical in day-to-day use.

and services can be part of this catalogue absolutely free of charge. Being able to have a catalogue like this means an enormous breakthrough for the security market, since any company or user can look for the solutions they need, or for the organizations providing them in their area.
A common language
The Taxonomy is a powerful tool to homogenize the market as regards the way in which we refer to the different security solutions existing in it. One of the problems we are attempting to resolve is to ensure that a consultant, technician, marketing adviser or user, when talking about a specific type of security solution, e.g. a firewall, makes use of the same concept, and that this concept includes the same characteristics and definitions. It is therefore a matter of using the Taxonomy as a common language for all market actors. In this sense, the Taxonomy is an extremely powerful marketing tool, because it enables the solution provider to speak the same language as the user and, likewise, allows users to understand which solution they are being offered and whether it is really adequate for their problem or scenario.
Comparison
When users are looking for solutions they also try to compare. It is a natural and logical process when choosing and searching for the best solution. Within an increasingly competitive market such as the security market, it is necessary to facilitate comparison among products, services or solutions. The Taxonomy, by establishing a set of completely defined categories, with the characteristics of each defined as well, makes it possible to establish comparisons among solutions belonging to the same category. This makes the search for solutions easier for users, consultants or people responsible for security solutions, since all of them look for the best solution by analysing the different features it includes.
Final notes
As we have seen throughout this document, the Taxonomy is conceptually difficult, since behind its design there is an enormous variety of issues and aspects which must be considered. It is not a mere classification. Apart from the practical aspects already mentioned, there are other issues to discuss; however, what is important is that we think it undeniable that the Taxonomy can be a really powerful tool to give a boost to the market and also for everyday use. It is this duality that makes the Taxonomy an essential element which we must promote to the maximum, as the benefits are huge for all the actors in the security market. The general guidelines on which the Taxonomy is based have been given throughout this document, and we hope that it is used as the seed of a far more ambitious taxonomy, without losing sight of its fundamental objective and its raison d'être: to achieve a more competitive and innovative security market, better adapted to the needs of users and organizations.
www.inteco.es