Securing administrative interfaces in the security of supply industry
Saarenmaa, Petri (2021)
2021
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2021120724102
https://urn.fi/URN:NBN:fi:amk-2021120724102
Tiivistelmä
There are few legal requirements currently for information technology (IT) systems or infrastructure in Finland. Most, if not all, regulate information systems that are used in national security or in the public sector. This thesis does not attempt to regulate the private sector but attempts to create some recommendations for IT infrastructure for the security of supply industry.
When a house is built, it must be built to code. When building IT systems, there is code involved, but rarely any legal requirements. Often at best, the client or subscriber has a contract or an agreement with the supplier which binds both parties.
The author has done sysadmin work for years and understands the risks related to administrative resources. Arguably the most notable security incident in the near past was the disclosure of the United States intelligence community’s breach of privacy by mass surveillance. The disclosure was made by Edward Snowden who was a systems administrator and contractor for various intelligence agencies. Using his insider information, he gathered information, and released it to journalists. This, in the authors opinion, highlights the delicate nature of systems administrators as well as contractors with similar access rights.
Recommendations put forth in this thesis include building a public key infrastructure (PKI) system and the use of certificates to authenticate different parties, users, and devices, inside an organizations digital environment. Use of hardware security modules (HSM) and hardware-based tokens for private keys - smart cards or equivalent such as Yubikey tokens. The use of digital certificates enables the use of reliable network segmentation via the use of 802.1x, IPsec authentication and other methods. Other recommendations relate to other means of logical segmentation (e.g., Red Forest -model, reverse proxies between management interfaces).
When a house is built, it must be built to code. When building IT systems, there is code involved, but rarely any legal requirements. Often at best, the client or subscriber has a contract or an agreement with the supplier which binds both parties.
The author has done sysadmin work for years and understands the risks related to administrative resources. Arguably the most notable security incident in the near past was the disclosure of the United States intelligence community’s breach of privacy by mass surveillance. The disclosure was made by Edward Snowden who was a systems administrator and contractor for various intelligence agencies. Using his insider information, he gathered information, and released it to journalists. This, in the authors opinion, highlights the delicate nature of systems administrators as well as contractors with similar access rights.
Recommendations put forth in this thesis include building a public key infrastructure (PKI) system and the use of certificates to authenticate different parties, users, and devices, inside an organizations digital environment. Use of hardware security modules (HSM) and hardware-based tokens for private keys - smart cards or equivalent such as Yubikey tokens. The use of digital certificates enables the use of reliable network segmentation via the use of 802.1x, IPsec authentication and other methods. Other recommendations relate to other means of logical segmentation (e.g., Red Forest -model, reverse proxies between management interfaces).