Information Assurance & Reliability Architecture

Srikar Sagi

Intent & Content

Generate enough interest and value proposition to share and impart knowledge on the Information Assurance & Reliability Architecture Workshop: A Precursor

AGENDA

Basics
- What is Assurance & other classifications (Information Assurance, Quality Assurance, Systems Assurance, Assurance levels, etc.)
- Significance of Cyber Security and Information Assurance & Reliability Engineering
- Infusing Information Assurance into Systems Engineering and/or Acquired Systems
- Tailoring an Assurance model: precursor/high-level demo

AGENDA

Advanced Concepts (future workshop contents)
- Designing Reliable Systems for Information Assurance: how to tailor Systems Assurance into a specific domain (short-circuiting)
- Building Assurance Frameworks (Systems, Applications & Processes): how to tailor Systems Assurance into eco-system(s) as a practice (hardwiring-the-circuit)
- Measuring Assurance of a System: how do you measure Assurance in your eco-system or in a specific domain

DEFINITIONS

Quality: A system's or a component's capability to fulfil a specified action/function (a.k.a. fit-to-purpose).

Reliability (Generic): Capability of a system/component to fulfil specified actions or a required state, based on agreed parameters/standards, during an agreed/defined time period under presumed operational conditions.

Reliability of Systems & Information: The degree of probability that the deployed protective measures of a system will continue to protect the systems and information against specified threats and attacks, and that they will remain accessible and consistent under specified conditions for a specified interval of time.

Fault Tolerance: Capability of a system to satisfy its specified action even in the presence of faults (limited/unlimited is subjective).

Availability: Capability and probability that a system will be intact to perform its specified functions, even in the presence of failures, at any point in time.

Assurance: Declaration of a positive statement about a system, intended to give trust and reliability, i.e., a promise, through qualitative and verifiable parameters for reliability, that the security/safety features, practices and procedures of a system accurately mediate and enforce the intended actions/results under agreed conditions of the operating environment.

Information Assurance (IA): A systematic and systemic practice of assurance modeling that guarantees protection of systems and information and the management of information risks such as Confidentiality, Integrity, Availability, Auditability (Authentication/Authorization) and Non-repudiation, in relation to the use, processing, storage and transmission of information, the restoration of systems/services, and the corresponding/inter-related systems and the processes used for their protection capabilities (difference between IS & IA to be discussed).

Safety Assurance (SfA): The measure of providing confidence that acceptable risk for the safety of personnel, equipment, facilities and the public, during and from the performance of operations, is being achieved.

Software Assurance (SwA): The measurable confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle.

NEED FOR ASSURANCE & RELIABILITY

- When you buy a product or service, you request "high quality" and "high reliability"
- How do you measure it? What is "high"?
- How long? Reliability: 0.99 for 5 years, 0.999 for 4 years…
- Time-dependent quality… reliability
- How do companies predict reliability and estimate warranty?

- How about availability?
- One-shot devices… missiles?
- The most important characteristic of a product; it is a measure of its performance with time
- In Oct-2006, the Sony Corporation recalled up to 9.6 million of its personal computer batteries, at a cost of $429M
- Products are discontinued due to fatal accidents (Pinto, Concord)

- How do companies predict reliability and estimate warranty?
- Suppose a system consists of components, each of which will not fail with a probability of 99% (p = 0.99), and which are connected in series. Then the probability that the entire system will not fail changes with the number of components as follows:

- 10 components lead to a survival probability of 90.40%
- 20 components lead to a survival probability of 81.71%
- 30 components lead to a survival probability of 73.86%
- 40 components lead to a survival probability of 66.76%
- 50 components lead to a survival probability of 60.35%
- 100 components lead to a survival probability of 36.40%

What will happen if a system consists of thousands of components?
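The series model above, carried through to thousands of components and combined with the Fault Tolerance definition, as an added example (not part of the original slides). It goes beyond the slide by also computing the per-component reliability a target demands and the number of parallel replicas per stage needed to reach it; it assumes independent failures, and all function names are illustrative.

```python
def series_reliability(p: float, n: int) -> float:
    """Survival probability of n independent components in series."""
    return p ** n

def max_series_components(p: float, target: float) -> int:
    """Largest n for which a series chain still meets the target."""
    if not (0 < p < 1 and 0 < target <= 1):
        raise ValueError("need 0 < p < 1 and 0 < target <= 1")
    n = 0
    while series_reliability(p, n + 1) >= target:
        n += 1
    return n

def required_component_reliability(target: float, n: int) -> float:
    """Per-component reliability needed so n components in series meet the target."""
    return target ** (1.0 / n)

def redundant_stage(p: float, k: int) -> float:
    """k parallel replicas: the stage fails only if all k replicas fail."""
    return 1.0 - (1.0 - p) ** k

def replicas_needed(p: float, n: int, target: float) -> int:
    """Smallest k such that n series stages of k replicas each meet the target."""
    if not (0 < p < 1 and 0 < target < 1):
        raise ValueError("need 0 < p < 1 and 0 < target < 1")
    k = 1
    while series_reliability(redundant_stage(p, k), n) < target:
        k += 1
    return k

if __name__ == "__main__":
    p = 0.99  # per-component survival probability taken from the slide
    for n in (10, 20, 30, 40, 50, 100, 1000, 5000):
        print(f"{n:>5} components in series: {series_reliability(p, n):.4%}")
    print("max components for a 90% target:", max_series_components(p, 0.90))
    print("component reliability for 1000 in series at 90%:",
          f"{required_component_reliability(0.90, 1000):.6f}")
    print("replicas per stage for 1000 stages at 90%:",
          replicas_needed(p, 1000, 0.90))
```

The exact p^n values (for instance 90.44% for 10 components and 36.60% for 100) differ from the slide's figures by up to about 0.2 percentage points. With 1000 components in series the survival probability is below 0.01%, while duplicating every stage brings it back to about 90.5%.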

How do companies predict reliability and estimate warranty?

Hyundai chose to woo buyers in America by promising quality and reliability. It issued an ambitious new warranty, good for five years (ten on the engine and transmission), then challenged its engineers to back that up with flaw-proof cars. The early signs are that they have delivered. Hyundai has trimmed its warranty provision from 5.7% to just 1.8% of its revenue, thanks to early ALT predictions.

Companies do use Assurance & Reliability as a Unique Selling Point.


NEED FOR INFORMATION ASSURANCE & RELIABILITY

When we already have Information Security as a domain, as a vertical, as a profession and as a program, why do we need Information Assurance frameworks or programs?
- Executive management needs to know the degree or level of security achieved against the money invested
- The CISO organization and security professionals need to provide "Assurance on Information Security" to executive management
- Time and again, executive management would like a quantification of information security: how secure are our systems/applications? (Hence Information Assurance & levels of Information Assurance)

- Many colorful reports and spreadsheets cannot provide the promise or reliability that Information Assurance frameworks can provide, since IA frameworks inherently contain verification capabilities
- Current Information Security practices rely more on claims made by manufacturers of security tools, resulting in surprises
- Only Information Assurance frameworks can provide the guaranteed level of promise of reliability of security systems, since IA frameworks do not rely on reports; information assurance is achieved through verification measures built in as part of system development or deployment
- It is time security teams/professionals asked ourselves: "Do we have systematic and systemic security practices across our IT ecosystem? Can we give guarantees on Information Security?"

- Systematic & systemic coverage of the system weakness space: a key step that feeds into the rest of the process; if not properly done, the rest of the process is considered ad hoc
- Reduce ambiguity associated with the system weakness space: often due to requirements and design gaps that include coverage, definitions and impact
- Objective and cost-effective assurance process: the current security risk assessment approach is insufficient, due to lack of traceability and transparency between high-level security policy/requirement and the system artifacts that implement them
- Effective and systematic measurement of the risk: today, the risk management process often does not consider assurance issues in an integrated way, resulting in project stakeholders unknowingly accepting assurance risks that can have unintended and severe security issues
- Actionable tasks to achieve high confidence in system trustworthiness

BENEFITS OF INFORMATION ASSURANCE & RELIABILITY ARCHITECTURE

- Software Engineering
- Compliance
- Operations (NOC/SOC)

RELIABILITY & FAULT TOLERANCE

- Failure (Fault): wrong or "missing" function of a component
- Failure causes:
  - Design failure
  - Manufacture failure
  - Operation failures
  - Failures due to disturbances
  - Wearing failures
  - Random physical failures
  - Handling failures
  - Maintenance failures

The concepts of Failure Mode, Effect Analysis (FMEA) and Fault Tree Analysis (FTA) are a must for Information Assurance & Reliability, but these two complex subjects are too much for this introductory presentation.


INFORMATION SECURITY & ASSURANCE RELATIONSHIP


MODELING INFORMATION ASSURANCE & RELIABILITY ARCHITECTURE

MODELING PROCESS - INFORMATION ASSURANCE & RELIABILITY

MODELING - CASE FOR ASSURANCE & RELIABILITY

I want Assurance for

Dependability

I Fear for These Failures/Attacks

I need any/all/some of These Actions


MODELING – EVIDENCE FOR ASSURANCE & RELIABILITY

MODELING - ASSURANCE & RELIABILITY ARCHITECTURE

Iterative across stages, per each component and its sub-components, till the top assurance objective is met

MANAGEMENT’S EXPECTATIONS FOR ASSURANCE & RELIABILITY PARAMETERS

ASSURANCE & RELIABILITY-MANAGEMENT EXPECTATIONS

The aforementioned management expectations are in reality architectural parameters, but they still stand valid for IA as is. Table source: SABSA

MODELING INFORMATION ASSURANCE & RELIABILITY FOR VULNERABILITY MANAGEMENT

Claims & Verification

This is JUST AN EXAMPLE

Claims, Solutions & Verification

