Safety Type
Security management is embedded in all aspects of the MOF model. Each level must adhere to the established security policy, including the ASP internal security policy and the security policy agreed with the customer in the SLA. For each level, security must involve:
of confidentiality
Integrity
Availability of
The maintenance of security is a huge cost to the ASP, but without good security, there will be a greater cost, because it will cause customers to lose confidence. The purpose of security management is to ensure business continuity and minimize damage to ASP security.
For more information about the Microsoft operational framework process model, see http://www.microsoft.com/enterpriseservices/MOF.htm.
MOF and ITIL
MOF recognizes that it is well documented in the IT Infrastructure Library (ITIL) of the British Central Computer and Telecommunications Bureau (COMPUTER and Telecommunications Agency, CCTA) Current industry best practices in service management.
CCTA is an executive branch of the British government that develops and develops best practice recommendations and guidelines for the application of information technology in service management and operations. To achieve this goal, CCTA tracks and validates best practices in IT service management globally by tracking the projects of leading IT companies.
MOF combines these collaborative industry standards with specific guidelines for running on the Microsoft platform and applies them to a variety of business scenarios. MOF extends ITIL practices to support distributed IT environments and current industry orientations, such as application hosting, mobile device computing, and web-based transactional and e-business systems.
ASP Security Management Overview
Goal
The goal of security management is to manage certain levels of security on ASP's solutions, including managing responses to security incidents. By doing so, security management ensures continuity and protects the information of the ASP and its customers, and helps minimize damage to ASP security.
Why is security management important to ASPs?
Providing customer solutions is the most important goal for ASPs. Without it, ASPs have nothing to do. It is essential for ASPs to securely share information with customers and create secure solutions.
Delivery and reception of information is the key to the existence of ASP. Any threat or information processing will directly endanger the ASP. Whether it involves information confidentiality, correctness, timeliness, or the availability of solutions, threats that pose a risk must be prevented by security measures. Here is a question about the structure of the ASP. This means that structural risks need to be addressed by a structured approach.
Security management helps the ASP to identify and implement countermeasures for security risks.
Customers who choose ASPs increasingly want to be confident that the selected ASP can ensure the security of their solutions. Gartner Group's J.pecatore (df-10-0972,2000 year February) has made clear some of the issues that customers may ask their ASP solution providers. Examples are as follows:
"Does ASP provide redundancy and load-balancing services for firewalls and other critical security factors?" ”
"Does the ASP conduct external penetration testing at least quarterly (or by an experienced consulting company) and conduct internal network security audits at least once a year?" ”
"Can ASP produce written requirements for customer network security (and ASP audit procedures) to ensure that other ASP customers do not compromise the ASP backbone?" ”
"Does the ASP provide a written strategy to consolidate the WEB and other server operating systems?" If an ASP configures a client application on a physical server, does it have a documented control step to ensure separation of data and security information between client applications? ”
"How does an ASP check the security of scripts and integrated code added to the commercial applications it provides?" ”
"Does the ASP provide intrusion detection services based on application or transaction?" ”
"Does ASP perform background checks on people who can access servers and applications as administrators?" ”
"Can an ASP produce a documented process for evaluating OS and application vendor security alerts and installing security patches and service packs?" ”
"Can an ASP show documented steps for intrusion detection, incident response, and event escalation/investigation?" ”
"ASP is a member of the incident Response and security group forum?" Or does it use a security service provider that is a member of the forum? ”
"Does the employee with ASP security management have an average of more than three years of experience in information/network security?" ”
The affirmative answer to the above question is very important. An ASP that can do so will have a competitive advantage.
For more information about the topics in this chapter, see the ITIL Library Security Management part or ITIL Security Management book in http://www.itil.co.uk/(ISBN 0 11 33001 4 X).
Detailed information about the Gartner Group paper can be found in the Critical security Questions to a ASP (Df-10-0972,j.pecatore,gartner group,2000 year February).
The time that ASP performs security management
Security management should be an issue that any ASP always pays attention to. Whenever a solution or environment changes, the ASP should take the time to check the security measures adopted. Depending on customer requirements, the response to a specific customer solution may need to be changed. Personnel training and safety testing should always be considered. Because in the attack, there is no time to think again.
Basic concepts of ASP security management
Security management is the process of managing defined security levels based on the settings in the information and ASP solution security policy. This includes the management of responses to breaches of security practices. You can control attacks without worrying about the continuity of ASP and ASP customer business, and it's an art to be able to deal with malicious side attacks.
Security management relies to a large extent on security policies. These strategies can be generated from a variety of sources. The strategies to consider when designing security are:
External customer requirements as defined in the service level agreement
External legal requirements for security
External vendor Security Policy
Internal ASP Security Policy
Internal/external security policies in the context of integration of ASP and customer environments
For each solution, the ASP must define a security policy. The strategy should be based on the most reliable combination of the above.
According to customer demand, even the basic structure of the design will be very different. Three security designs are usually used:
Special. ASP solutions and security measures are fully end-to-end controlled by the ASP. Typically, this means that the ASP has complete control over all of the infrastructure components, including a private network connection between the ASP and the customer.
Public. ASP solutions and security measures are partially controlled by the ASP. Typically, this means that the ASP has control over its own site, but does not guarantee control over the public network that is used to provide the solution. However, ASPs can use technologies such as virtual private networking (VPN) to connect ASP to customer security.
Mixed. The solution is a combination of the previous two kinds. Both "private" and "public" solutions are used. When ensuring a secure solution, both ASP and customer are involved.
There are five levels of this process that need to be improved following the MOF model:
Planning. Planning activities include ways to establish an SLA security component based on customer requirements, internal and external policies, and legal requirements. While talking to customers, it may be necessary to identify or adjust internal security policies. Of course, it is up to the ASP to decide whether to do so. The result of this level is a security plan that includes security policy and all aspects of the design (basic structure, people, steps, environment, base contract, and so on).
Implement. The implementation level performs all necessary security measures to comply with the security components defined in the SLA. When necessary, this phase also enforces the changed internal security policy.
Evaluation. Evaluation is essential to end the security management process. It concerns the state and effectiveness of the measures adopted and the policies identified.
Maintenance. The maintenance of security measures is based on the results of periodic inspections, insights into the changing risk situation, and changes to SLAs or other conditions.
Control. Control activities can organize and direct the security management process itself. Control activities define sub processes, functions, roles, responsibility assignments, organizational structure, and reporting structures. It is the engine of the process and ensures continuous improvement.
The security management process must continuously improve itself. New solutions, new technologies, new people, new steps, and negligence can cause attackers to compromise the security solutions that are installed.
The following diagram represents a security process as a process that is constantly being improved based on policies and protocols.
