Centralized security management of corporate information systems is based on the concept of Global Security Management (GSM).
The GSM concept makes it possible to build an integrated management and protection system for enterprise information resources with the following properties:
- management of all existing protection tools based on the enterprise security policy, ensuring the integrity, consistency and completeness of the set of protection rules for all enterprise resources (security policy objects) and the consistent implementation of the security policy by the protection tools supplied by different manufacturers;
- definition of all information resources of the enterprise through a single (distributed) directory of the enterprise environment, which can be updated either with its own resource description tools or by communicating with other enterprise directories (including via the LDAP protocol);
- centralized, policy-based management of local information protection tools;
- strong authentication of policy objects in the enterprise environment using PKCS #11 tokens and a PKI public key infrastructure, including the option of additional local authentication tools (LAS) at the customer's choice;
- extended administration options for access to enterprise resources defined in the directory or in parts of the whole directory (with support for the concepts of user groups, domains and enterprise departments), role management as a set of access rights to enterprise resources, and introduction into the security policy of indirect rights definitions based on access-right attributes (credentials);
- ensuring accountability (registration of all interactions between distributed objects of the system on the scale of the corporate network) and audit, security monitoring, alarms;
- integration with general management systems, infrastructure security systems (PKI, LAS, IDS).
Within the framework of this concept, policy-based management (PBM) is defined as the implementation of a set of management rules formulated for the business objects of an enterprise, which guarantees complete coverage of the business area by those objects and consistency of the management rules used.
The GSM control system, focused on enterprise security management based on the PBM principles, meets the following requirements:
- enterprise security policy is a logically and semantically related data structure formed, edited and analyzed as a whole;
- enterprise security policy is defined in a single context for all levels of protection, as one whole covering both the network security policy and the security policy for the enterprise's information resources;
- the number of policy settings is minimized to ease administration of resources and enterprise security policies.
In order to minimize the number of policy settings, the following techniques are used:
- group definitions of security objects;
- indirect definitions, such as definitions based on credential attributes;
- mandatory access control (in addition to fixed access rules), where the access decision is made by comparing the access level held by the subject with the confidentiality (criticality) level of the resource being accessed.
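As an added illustration (not part of the original article or of any GSM product), the following Python sketch shows how the three techniques combine in a single access decision: group rules and credential-attribute rules replace per-user entries, and the mandatory level comparison is applied on top of them and cannot be bypassed by either. The level names, rule contents and the Subject/Resource types are constructed for the example.

```python
from dataclasses import dataclass

# Constructed security levels (higher = more sensitive); names are illustrative.
PUBLIC, INTERNAL, CONFIDENTIAL, SECRET = 0, 1, 2, 3

@dataclass
class Subject:
    name: str
    groups: set          # membership in group definitions of security objects
    credentials: dict    # attributes carried in the subject's credential
    clearance: int       # access level used by the mandatory check

@dataclass
class Resource:
    name: str
    classification: int  # confidentiality (criticality) level of the resource

# Group definition: one rule covers every member instead of one rule per user.
GROUP_RULES = {
    "finance": {"ledger", "payroll"},
    "engineering": {"source-repo", "build-server"},
}

# Indirect definition: the right follows from a credential attribute, not identity.
# (attribute, required value) -> resources granted to anyone carrying it.
ATTRIBUTE_RULES = {
    ("role", "auditor"): {"ledger", "audit-log"},
    ("department", "it"): {"build-server"},
}

def discretionary_allowed(subject: Subject, resource: Resource) -> bool:
    """Fixed access: granted by a group rule or by a credential attribute rule."""
    if any(resource.name in GROUP_RULES.get(g, set()) for g in subject.groups):
        return True
    return any(resource.name in targets and subject.credentials.get(attr) == value
               for (attr, value), targets in ATTRIBUTE_RULES.items())

def mandatory_allowed(subject: Subject, resource: Resource) -> bool:
    """Mandatory check: the subject's level must reach the resource's level."""
    return subject.clearance >= resource.classification

def decide(subject: Subject, resource: Resource) -> bool:
    """Access needs both checks; no group or attribute rule can bypass the mandatory one."""
    return discretionary_allowed(subject, resource) and mandatory_allowed(subject, resource)
```

A real policy engine would also verify the credential's signature before trusting its attributes; here the attributes are taken as given so the decision logic stays visible.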
The GSM management system provides a variety of security policy analysis mechanisms through multi-criteria verification of security policy compliance with formal models of the enterprise security concept.