The way to solve internal control safety

Source: Internet
Author: User


First, the hot issues in this area. A main direction has emerged in protection: the shift from defending mainly against outsiders to defending against both internal and external threats. More than 70% of information security incidents are caused by insiders or by insiders colluding with outsiders, and the trend is still rising. A second hot spot is the move from single-product protection to system-level protection. The time when a few products could meet information security needs has passed; security construction is not simply product procurement and system stacking, and only tight integration and coordinated protection can keep up with current threats. A bucket is made of many staves bound together by a steel hoop; without the hoop they never form a whole bucket, and network security is the same. A third hot spot is the shift from passive defense to active defense. The passive approach of "plugging holes and building walls" cannot succeed on its own; the strategy of "active defense, early warning" makes security more robust and reliable. A fourth is the transition from coarse-grained to fine-grained defense: finer access control, finer monitoring and auditing, finer encryption requirements, and control over media, printing, electromagnetic radiation and user behavior. Finally there is the hot spot of trust, including trusted networks, trusted computing and so on.

The main purpose of the Sarbanes-Oxley Act is to regulate listed companies so that they implement internal control. Many sections of the Act, such as 302, 404, 409 and 802, are closely related to information security. In August 2005 Gartner noted in its Sarbanes-Oxley best-practice guide that compliance should cover three major areas: content management, application access, and control. The core of this can be understood in one phrase: the core requirement of Sarbanes-Oxley is, in practice, to achieve internal security.

Next, the development trend of internal control security technology. The new hot spots just discussed can be summed up as follows. The trend toward cryptography as the core: authentication, authorization, data security, system security, auditing, monitoring and so on are all built on it. The trend toward all-round prevention: from the original single points to the entire intranet, covering terminals, servers, network systems, application systems, removable media, printing and the many other links through which information flows; network security must make a full transition to information security. The trend toward integrated, collaborative defense: multiple security products and functional modules closely linked with each other, rather than the traditional product stacking. And the trend toward finer security management granularity, down to individual people and their behavior.

Next, the system of internal control security and its defense focus. We understand this system as having two cores: cryptography as the core, and security management together with key management as the core. The triple defense consists of information source security, application boundary security and transmission channel security. Correspondingly, this means defending the network terminal, protecting the applications the server provides, and ensuring a trustworthy path between the two. So the guiding ideology of the system is two things, security management and confidentiality management, on which a triple defense system is built.

Under this defensive thinking, the defense focus is divided into the following eight aspects. Identity authentication and authorized access: just as trust between people begins with knowing who you are, the system confirms your identity before granting you rights or access, and this is a basic truth. Terminal authentication and local machine security: today the terminal is generally protected only by a Windows user name and password, which in practice is easily bypassed, so integrated deployment is needed, which is why terminal monitoring and behavior audit are introduced. Then there are terminal access authentication and monitoring; data backup security and secure data exchange; server control and system hardening; media management and printing control; and mobile notebook control. Throughout the network it is common to see that a single USB stick can get into the intranet, and in daily work there are, in addition to fixed PCs, mobile notebooks and never-networked stand-alone machines to manage. These are the eight aspects of the defense focus.

Identity authentication and authorized access, including access protection for server groups. An urgent need in many organizations is that each application system has its own set of accounts. Units that do this well create all of these accounts centrally when an employee joins; units that do it badly make users go to each system and apply for an account, which is very slow. Certificate-based authentication, including Windows domain authentication and so on, suits current authentication requirements well: it is inexpensive and much can be built on top of it. API development support mainly means providing a set of customizable interfaces on the basis of identity authentication and authorized access.

Terminal authentication and local security: the boot authentication just mentioned, plus personal file protection. A personal computer will more or less always contain private directories, work directories and work versions, and the company hopes this data is neither lost nor disclosed. So file security is also very important: who can access it, and who can get at my data once they have my computer. This requires mandatory access control combined with data encryption. Beyond limiting users, consider the security of the platform itself.

The other is terminal monitoring and behavior audit. Today's notebooks and PCs have many peripherals: storage, network, printing and so on. The simplest view is that every port through which information can leave is the focus of terminal monitoring; I need to know which exits data can pass through. It is like a water pipe: if the hose is punctured the water leaks out, so every peripheral port of the computer is a hole to be mended, and only when water is genuinely needed is it allowed out under control.

Having covered authentication, authorization and monitoring, next is data defense and secure exchange: how to effectively control the space, or, within the controlled space, apply encryption control, information synchronization and the system's own audit. Once the information exchange process is complete, the system can audit the exchange afterwards; a user away from the office need not travel back, but can log in with an authentication token and take their content.

Server control and system hardening: programs can be deployed according to user area. For example, with four programs A, B, C and D and four administrators 1, 2, 3 and 4, you can flexibly configure which administrator manages which programs.

Media management and printing control has two aspects: media authentication with encryption control, and print control. Media authentication: besides requiring certification before media can access the intranet, there are many other control methods, which time does not allow me to cover. On top of authentication, the media must be encrypted so that data remains protected after the media is lost.

Mobile notebooks and stand-alone machines require centralized management and collection, offline control and evidence extraction, using technologies such as full-disk encryption, port closure and timed locking.
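As an added illustration that is not part of the talk, the Python sketch below shows media authentication and print control feeding a behavior audit: constructed endpoint-agent records are checked against a registered-media list and a print list, and every decision lands in an audit trail. The record format, serial numbers, user names and the bulk-write threshold are all assumptions.

```python
# Constructed registry of authenticated media (serial -> registered owner) and
# print-control list; a real deployment would load these from the management server.
REGISTERED_MEDIA = {"USB-0001A": "alice", "USB-0002B": "bob"}
PRINT_ALLOWED = {"alice", "carol"}
BULK_WRITE_BYTES = 10 * 1024 * 1024  # constructed threshold for flagging bulk copies

# Agent record layout (constructed): port is the "exit" used (usb, print, net),
# device is the media serial, printer name or remote host, size is bytes moved.
FIELDS = ("ts", "user", "port", "action", "device", "size")

def parse_line(line: str) -> dict:
    """Parse one pipe-separated agent record into a dict."""
    ev = dict(zip(FIELDS, line.strip().split("|")))
    ev["size"] = int(ev["size"])
    return ev

def evaluate(ev: dict) -> tuple[str, str]:
    """Apply the media and print policy to one event; returns (verdict, reason)."""
    if ev["port"] == "usb":
        owner = REGISTERED_MEDIA.get(ev["device"])
        if owner is None:
            return "BLOCK", "unregistered media"           # media authentication failed
        if owner != ev["user"]:
            return "ALERT", f"media registered to {owner}"  # borrowed media, audit it
        if ev["action"] == "write" and ev["size"] > BULK_WRITE_BYTES:
            return "ALERT", "bulk write to media"
        return "ALLOW", "registered media"
    if ev["port"] == "print":
        if ev["user"] not in PRINT_ALLOWED:
            return "BLOCK", "no print right"
        return "ALLOW", "print audited"
    return "AUDIT", "port not covered by policy"

def audit(log: str) -> list[dict]:
    """Run every log line through the policy and return the audit trail."""
    trail = []
    for line in filter(str.strip, log.splitlines()):
        ev = parse_line(line)
        verdict, reason = evaluate(ev)
        trail.append({**ev, "verdict": verdict, "reason": reason})
    return trail

# Constructed endpoint-agent log: alice writes to her own stick, bob borrows it
# for a bulk copy, carol plugs in an unregistered stick, dave tries to print.
SAMPLE_LOG = """\
2024-01-01T09:00:05|alice|usb|write|USB-0001A|4096
2024-01-01T09:02:00|bob|usb|write|USB-0001A|52428800
2024-01-01T09:03:00|carol|usb|mount|USB-9999Z|0
2024-01-01T09:04:00|dave|print|print|hr-printer|20
"""
```

Calling `audit(SAMPLE_LOG)` yields one ALLOW, one ALERT (bob using alice's registered stick) and two BLOCKs, which is the kind of per-person, per-behavior record the talk's audit requirement asks for.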

Here are some typical applications. Shared computers: many people share one computer, and a user with a key can roam anywhere and use the computer's resources, whether on the network or locally. Mobile office: as mentioned, a user on a business trip carrying a personal authentication token can reach their data, which always stays within the range they are authorized to access, and identity authentication achieves the purpose of the access. Development center source code management, in three aspects: secure centralized storage, output control on personal terminals, and behavior audit, with a platform responsible for collecting and centrally summarizing all security-related events.

Finally, to summarize: internal control security is the direction in which information security is developing, and it is a complex systems engineering effort. It needs systematic design, focused implementation and a step-by-step approach, because everything cannot be done in one step; it is a dynamic, evolving process. So we need to plan the system as a whole, then implement it step by step, concentrating on depth where it matters.
