Systems and System Boundaries
This series of white papers is presented as a public service by Mindteck Consulting as part of its ongoing effort to help businesses achieve a higher information security posture. Each article is written to focus specifically on one topic to be as specific and useful as possible.
System Auditing, Security Assessment, C&A and even PCI Audits have many things in common despite some notable differences. All these processes start from a common point, normally a snapshot of an organization at a particular point in time. They all then evaluate the enterprise and its electronic assets to arrive at a final point; whether that point is a Pass/Fail, a numerical score or a Risk Rating is irrelevant for our purposes. A problem common to all these assessment methodologies is defining Systems and System Boundaries.
A "System" is defined as "a regularly interacting or interdependent group of items forming a unified whole" and also as "any network component, server, or application included in or connected to the ... data environment." Using these definitions works in about 90% of the instances we are likely to encounter. The remaining 10% is tough. The difficult part comes when we are faced with technology that introduces situations that don't easily fit our common notions of what a "System" is. And without a crystal clear idea of what systems exist within a particular organization, it is next to impossible to define their boundaries. It is in these areas of uncertainty, or grey areas, that we prove our worth as Information Security Professionals. Some examples of particularly difficult instances, along with the ways that we have dealt with them, follow.
Virtual Machines
There was a day not so long ago when a computer was either a server or a workstation. One computer, one function (server or workstation), one OS and therefore one "System". But these lines began blurring a few years ago with the release of VMWare, Xen, Windows Virtual Machine and the like. Now it was possible for one computer to hold multiple Operating Systems, each running in its own protected and isolated instance (or so the story went). This situation posed, and continues to pose, perhaps the greatest problem in defining systems that IS Professionals face today. For this first example we had to re-think our definition of what a "System" is, but the thought process freed us to expand our thoughts about exactly what constitutes a computer system.
A client was looking for a pre-PCI audit. They were a small shop and it was obvious that they were very concerned about controlling their IT costs. They ran a dozen servers, all with Virtualization Software installed, so that these 12 physical servers actually housed 31 different Operating Systems. The particular server which housed the database with credit card information also had 2 additional instances of the virtualization software, thus one server actually housed 3 separate OSs. (A word of explanation about software virtualization is needed here. There is a bewildering array of virtualization products on the market that can virtualize everything from a single internet session to the entire Operating System. Our client used this latter type of software, virtualizing two Windows XP installations and one Redhat Linux installation. This type of virtualization solution is called "native" or "full virtualization".) One of the Windows XP Server instances housed the client's Point of Sale (POS) software and database of credit card information. Access to this particular server was controlled by a firewall Access Control List (ACL) as well as two-factor authentication of the user. The pool of potential users was very small, at only 3 individuals. Initially this seemed like a very easy case and it looked like it would easily fall within the PCI DSS Standards. However, the server virtualization is the "fly in the ointment" because the PCI DSS Council had not yet fully addressed virtualization. We sought some guidance from the PCI forums as well as relying on our own experience in evaluating this machine more closely. We audited each logical instance of a computer "system" on the server, tempering this evaluation with the knowledge that these logical instances do not exist in a vacuum and that each one is deeply dependent on the hardware and software resident on the box.
Once we replaced our traditional ideas of "systems" equating to one physical computer, we began to think in terms of "logical instances". While this method of dealing with computer systems is not without problems, it has helped our practice immensely with our auditing assignments.
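The "logical instance" approach described above can be made concrete as a scoping rule over an asset inventory: every guest OS is its own system, but because guests on one box share its hardware and hypervisor, placing one guest in scope pulls in the physical host and every co-resident guest. The following Python is an added example, not code from the article or from Mindteck Consulting; the inventory, host names and instance names are constructed for illustration and do not describe the client's real environment.

```python
"""Scope a virtualized inventory by treating each guest as a logical instance.

Constructed example: one physical host (srv-07) runs three guests, one of which
holds cardholder data. Each guest is its own "system", but guests share the
host's hardware and hypervisor, so the cardholder guest drags the host and its
co-resident guests into the assessment boundary.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogicalInstance:
    name: str
    host: str            # physical box the instance runs on
    os: str
    holds_cardholder_data: bool = False


# Constructed inventory (hypothetical names, not a real asset list).
INVENTORY = [
    LogicalInstance("pos-db", "srv-07", "Windows XP", holds_cardholder_data=True),
    LogicalInstance("pos-app", "srv-07", "Windows XP"),
    LogicalInstance("util-linux", "srv-07", "Red Hat Linux"),
    LogicalInstance("mail", "srv-03", "Windows Server"),
    LogicalInstance("file", "srv-03", "Windows Server"),
]


def systems(inventory):
    """Every logical instance counts as a system, regardless of physical box."""
    return sorted(i.name for i in inventory)


def hosts_to_instances(inventory):
    """Map each physical host to the logical instances it houses."""
    mapping = {}
    for i in inventory:
        mapping.setdefault(i.host, []).append(i.name)
    return {h: sorted(names) for h, names in mapping.items()}


def scope_boundary(inventory):
    """Return the sorted list of systems inside the assessment boundary.

    Seed the boundary with instances that hold the sensitive data, then add
    the physical host each one runs on (tagged "host:") and every other
    instance sharing that host, because co-resident guests depend on the
    same hardware and virtualization software rather than running in a vacuum.
    """
    seeds = [i for i in inventory if i.holds_cardholder_data]
    hosts = {i.host for i in seeds}
    in_scope = {f"host:{h}" for h in hosts}
    in_scope |= {i.name for i in inventory if i.host in hosts}
    return sorted(in_scope)


if __name__ == "__main__":
    print("systems:", systems(INVENTORY))
    print("per host:", hosts_to_instances(INVENTORY))
    print("boundary:", scope_boundary(INVENTORY))
```

Running the block lists five systems (one per guest) but a boundary of four entries: the cardholder guest, its two co-resident guests, and the physical host itself. The guests on srv-03 stay out of scope only because they share no hardware with the cardholder instance; if the inventory also recorded shared storage or a shared management network, that dependency would need to propagate the same way.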
Article Source: http://EzineArticles.com/?expert=Chaz_Sowers
By Chaz Sowers