Model for information security planning

By Mohammed Ashfaq Ahmed

Adopt a multilayered security model
Follow a defense-in-depth strategy
Defense in depth: designed from the inside out but tested from the outside in
Information lies at the core, and the most reliable protection elements lie closest to it
Penetration by attackers occurs from the outside in
Seven-layer security model
It covers both the security of the information and the security of the information system.
The layers of the model, from the core outward, are:

1. Information at the core
2. Cryptographic method layer
3. Verification and authentication layer
4. OS hardening layer
5. Information system architecture and design
6. Web services layer
7. The 8 Ps of security layer

Benefits of this model
Vigorously protects information
Slows down perpetrators as they attempt any attack
Discourages attackers
Assists in the identification of hackers
Low cost and effective
1. Information at the core
Information resides at the core of the model.
Why is information at the core, and not the information system?
Reason: the information system is too vast and cannot be narrowed down sufficiently.
Information has many properties: it can be disguised, protected, authenticated, tested, and so on.
The most important and interesting quality of information is that it can change state and still retain all of its semantic value.
These factors allow us to manage the information effectively.
2. Cryptographic method layer
It is the second layer and actually the most important from a security countermeasure point of view.
It represents a formidable barrier that coats and protects the information.
It uses the properties of information.
Advantages:
Cryptography disguises information.
Cryptographic methods are extremely complex and require significant time and cost to break.
It provides an elegant linkage to the authentication and verification layer.
Cryptographic layers are many and varied.
3. Authentication and verification layer
It is closely related to the cryptographic layer.
It has two distinct parts:
1. The inner authentication and verification, which pertains to the information exclusively. Ex.: digital signatures, code signing, etc.
2. The outer half, which provides authentication and verification for the information system. Ex.: passwords, access controls, etc.
Authentication is the process of determining whether the information presented is real or fake.

Authentication techniques usually take advantage of any of the following four factors to authenticate access to information:
1. Possession factor: something you have that grants access to information. Ex.: smartcard, token, etc.
2. Biometric factor: something that you are, which identifies you uniquely. Ex.: fingerprint, face print, DNA, etc.
3. Knowledge factor: something you know that is secret. Ex.: password, username, etc.
4. Integrity factor: something that allows the authentication routines to authenticate your actions after you have been admitted access. Ex.: message authentication codes (MACs).

Authentication techniques can be used either directly with the information or as a part of the information system.
Verification is the one-to-one process of matching the user by name against an authentication template, maintained by a trusted third party, and providing the authentication status.
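The integrity factor above, a MAC that keeps authenticating a user's actions after the outer layer (a password check) has admitted them, as an added worked example in Python. This is not code from the original slides; the session key, the user "alice" and the action strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def issue_session_key() -> bytes:
    """Key minted once the outer layer (e.g. a password check) admits the user."""
    return secrets.token_bytes(32)

def tag_action(session_key: bytes, user: str, seq: int, action: str) -> str:
    """Integrity factor: an HMAC over user, sequence number and action text."""
    message = f"{user}|{seq}|{action}".encode()
    return hmac.new(session_key, message, hashlib.sha256).hexdigest()

class ActionVerifier:
    """Server-side check that every post-login action carries a valid tag."""

    def __init__(self, session_key: bytes, user: str) -> None:
        self.session_key = session_key
        self.user = user
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, seq: int, action: str, tag: str) -> bool:
        if seq <= self.last_seq:
            return False  # replayed or reordered request
        expected = tag_action(self.session_key, self.user, seq, action)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False  # action text or tag was altered in transit
        self.last_seq = seq
        return True

def demo() -> dict:
    """Constructed scenario: one honest request, one tampered, one replayed."""
    key = issue_session_key()
    verifier = ActionVerifier(key, "alice")
    tag1 = tag_action(key, "alice", 1, "transfer 10 to bob")
    honest = verifier.verify(1, "transfer 10 to bob", tag1)
    # An altered amount no longer matches the tag; recomputing it needs the key.
    tampered = verifier.verify(2, "transfer 1000 to bob", tag1)
    tag2 = tag_action(key, "alice", 2, "view balance")
    second = verifier.verify(2, "view balance", tag2)
    # Re-sending the first request with its original tag fails the sequence check.
    replayed = verifier.verify(1, "transfer 10 to bob", tag1)
    return {"honest": honest, "tampered": tampered, "second": second, "replayed": replayed}

if __name__ == "__main__":
    print(demo())
```

The sequence number is what turns a bare integrity check into per-action authentication: without it the tampered request would still fail, but the replayed one would pass.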

My question…?
Answer

The model is designed from the inside out and tested from the outside in. It means that information is at the core of the model and the most reliable protection elements of the plan are placed closest to it. Penetration by attackers occurs from the outside in; this concept is known as defense in depth.