The Standard

IT Service Provisioning

This chapter provides details about the areas in the clusters “IT Service Provisioning”, “Customer and Users”, “Networks” and “Data Center” of the taxonomy. A more in-depth profile is provided for each IT Security Standard. These profiles explain the challenges with respect to information security and summarize major security objectives. In addition, other area dependencies are briefly explained.

Remark: The structure of the standards uses a simple model with a provider of IT services on the one hand and users with or without their own corporate network on the other (customer). Therefore,

  • in most cases, users are employees of the IT service provider’s customers or any other people commissioned by the IT service provider’s customers to do similar work,
  • the term users may also apply to employees of the IT service provider if they use corporate IT services produced and provided by the IT service provider (for their own purposes).

The individuals engaged in the production and provisioning of IT services are called operations personnel (administrators). These people are employees of the IT service provider or other people commissioned by the IT service provider to do such work.

Networks: Communication of users (from their LAN or from remote) to consume IT services that are centrally produced (in a data center)

IT Security Standard: Wide Area Network Security (WAN)
IT components and major areas: All the means for transporting data between users and between users and IT systems in data centers, including direct network links, Internet access, bandwidth, MPLS.

Scope and Content:

  • The IT service provider provides IT services using systems which reside in a data center operated by the IT service provider or at the client’s premises. Users (mainly employees of the customer) require a connection to systems in the data center in order to consume or otherwise use the IT services. The Wide Area Network is the sole connection between the users and the data center systems.
  • In most cases the WAN is only a means for data transport. Particularly if public or 3rd party networks are used, no specific security features can be taken for granted. As a result, data protection is conducted at the end points of the WAN.
  • As a result, and unlike in other areas, the security features provided here are not an integral part of the overall system security, regardless of who provides them. All of them (except for availability and quality of service) can be replaced by security features at the end points of the WAN. However, this case is out of scope of this standard.

Goals and Objectives:

  • With the customer’s needs in mind, security objectives for the confidentiality, integrity, authenticity, and quality of service (including availability) are to be defined. Reasonable measures shall then be selected to protect the WAN service being provided.
  • The protection of networking shall be effective and purposeful, and precautions shall be taken so that possible impacts are confined as far as possible. Therefore, networks should be segmented into sub-networks, each of which serves a specific purpose (or a set of similar purposes) and meets similar security needs. Parameters that guide such segmentation include security objectives, types of and rights for access, purpose and users, as well as the relation of such users (e.g., differentiation into customers, organizations, groups, etc.). Networks serving different purposes, such as development or testing on the one hand and service provisioning on the other, should also be separated.
  • Parts of the total network such as segments differ in the level of control, trustworthiness and attack potential. Therefore, it is required that an analysis of these parameters be performed and each part or network segment be assigned to a category. For instance, wireless networks are usually considered to be non-secure.
  • Since parts of the total network, such as segments, differ in the level of control, trustworthiness and attack potential, traffic between them shall be controlled by security gateways which separate them. Such control may include intelligence and filters as appropriate. The security gateways and other network components shall themselves be appropriately protected. Interference with measures taken particularly on the application level shall be avoided in order to limit or prevent impacts.
  • Authorized operations personnel (administrators) shall have means to securely conduct the administration of the networks in a consistent way. Unauthorized people are excluded from accessing administrative functions and services.
  • The possibility and probability of attacks shall be reduced by means that reduce the attack surface. Hence, network segments with a higher level of control, trustworthiness or a potentially lower attack potential shall disclose as little information as possible to other networks, especially those of third parties or the Internet. Services and protocols that are not used should not be made available.

Primary External Support:

  • None

IT Security Standard: Corporate Provider Access (CPA)
IT components and major areas: All IT equipment between the WAN and the data center LAN, i.e., the communication periphery of the data center. This includes packet filter firewalls, switches and routers, VPN gateways and intrusion detection / prevention (IDS/IPS) solutions.

“Transportation level” only: application-related IT equipment comes under Gateway and Central Services (GCS).

Scope and Content:

  • The Corporate Provider Access is the user-side interface or periphery of the data center and provides the communication bridge between users (coming from the WAN) and the IT services produced by the IT service provider with systems which reside in a data center operated by the IT service provider or at the client’s premises.
  • The IT systems and components for IT production are directly connected to an internal data center network (DCN). They are to be screened from the potentially hostile WAN environment by components in the Corporate Provider Access area.

Goals and Objectives:

  • The Data Center network (DCN) and the public or 3rd party network (WAN) differ in the level of control, trustworthiness and attack potential. Hence, inbound and outbound traffic shall be controlled by security gateways which separate the two.
  • An encrypted communication channel shall be terminated here if users require such a secure tunnel for the WAN transfer to ensure confidentiality, integrity and authenticity of the data exchanged. This includes appropriate key management and a unique digital identity for the VPN gateway. Users (such as employees of the IT service provider’s customers) shall be allowed to securely connect, whereas non-authorized individuals shall be excluded.
  • Attacks (here understood as potentially hostile access mostly from WAN) shall be detected as far as possible. Malicious communication, data or executable code shall be detected. Negative effects shall be mitigated or avoided as appropriate.
  • Possibility and probability of attacks (mostly from WAN) shall be reduced by means that reduce the attack surface of the data center periphery and its elements. Specific information about the data center internals such as internal addresses and the like shall be masked or screened from the WAN so that this information cannot be retrieved from the WAN side.

Primary External Support:

In terms of security, Corporate Provider Access (CPA) additionally requires functionality that is centralized or needs to be supplemented with functions on an application level (above transportation):

  • The Corporate Provider Access uses the functions and the services of “Gateway and Central Services (GCS)” for the authentication of users and of a User LAN Periphery as such.

In addition, all IT equipment resides in a data center which provides physical security:

  • The Corporate Provider Access uses the functions and the services of “Data Center Security (DCS)” since all IT equipment resides in the data center and is therefore physically protected.

IT Security Standard: Gateway and Central Services (GCS)
IT components and major areas: All IT equipment that is centrally provided for specific communication such as e-mail and for user authentication. This includes e-mail security and archiving, other communication services, file sharing as well as directory services, LDAP, other authentication servers, web SSO and identity federation services, application level gateways including proxies and reverse proxies and web application firewalls (WAF).

“Application level” only: purely transport-oriented “gateways” come under Corporate Provider Access (CPA).

Scope and Content:

  • The Corporate Provider Access (CPA) area provides the communication bridge between users (coming from the WAN) and the IT services produced in a data center. Such systems and components require specific security services (authentication, etc.) which should be centrally provided.
  • IT systems and components that deliver IT services to customers (coming from the WAN) reside in the data center. Such systems and components require specific security services for application specific treatment of data being transferred (filtering, etc.) which should centrally be provided.
  • The IT service provider also provides communication and front-end services for their customers. These services must easily be accessible from the WAN or make direct connections to the WAN. This may require placing them in a central zone on the data center’s periphery. Examples are services for e-mail security and other such communication means.

Goals and Objectives:

  • Secure communication and usage of applications require prior authentication of users or of the user site. Hence, services are provided that allow calling parties to validate credentials and authenticate users. Their use is restricted to authorized IT systems which reside in the “central service area” (Corporate Provider Access).
  • Similar services may also be provided for other authorized IT entities (such as applications and perhaps computer systems) residing in the data center. The functionality for (server-based) single sign-on enhances the ease of use and possibly also security because passwords may be handled better by users.
  • IT services or applications such as e-mail, web services and others shall be protected from being tampered with by malicious code, malicious communication requests and the like. Hence, specific services are provided that filter and clean data streams transferred through the “central service area” (Corporate Provider Access) and that remove, repair or at least flag suspicious, dangerous or illicit requests and communication. Additional services may also remove unsolicited, undesired or disruptive messages (in the case of e-mail known as spam) from the data stream being forwarded and, in this way, help to maintain the availability of the IT services.
  • The confidentiality, integrity and authenticity of e-mails shall be maintained in case of critical business communication. Hence, specific services are provided that feature encryption functions or apply and validate digital signatures on behalf of the sender or recipient.
  • Sensitive information about network or application internals shall be hidden from the WAN whenever possible. Complex application functionality shall be reduced in order to reduce possible occurrence and exploitation of vulnerabilities. Applications which reside in the data center can be isolated from direct access from WAN in order to make attacks harder. Loads shall be shared in order to avoid peak loads that affect performance and availability. Clients that utilize applications in the data center from the WAN may reduce associated risks when using a known gateway system (as proxy).

Primary External Support:

  • The Gateway and Central Services uses functions and services of “Corporate Provider Access (CPA)” since the latter mediates the communication with the WAN and provides basic security functionality.

In addition, all IT equipment resides in a data center which provides physical security:

  • The Gateway and Central Services uses functions and services of “Data Center Security (DCS)” since all IT equipment resides in the data center and is therefore physically protected.

IT Security Standard: User LAN Periphery (ULP)
IT components and major areas: All IT equipment between the user LAN and the WAN, i.e., the users’ central communication periphery. This includes site-to-site gateways, firewalls, intrusion detection/prevention (IDS/IPS) solutions and domain services.

Scope and Content:

  • The users’ office workplaces (desktop computers and notebooks) are directly connected to an internal corporate network (LAN). The User LAN Periphery provides the bridge to the outside world to access public networks such as the Internet or to consume IT services produced by the IT service provider with systems which reside in a data center operated by the IT service provider or at the client’s premises.
  • The internal corporate network (LAN) may also contain business-critical central services or business-critical back-end systems which are accessed and used from the workplaces within the LAN without mediation by the User LAN Periphery. An example of this is print servers. However, this case is out of scope. All business-critical central services and back-end systems reside on the data center side, whether or not it is owned by the IT service provider.

Goals and Objectives:

  • The corporate network and the public or 3rd party network (WAN) differ in the level of control, trustworthiness and attack potential. Hence, inbound and outbound traffic shall be controlled by security gateways which separate the two.
  • Secure communication is also possible over public, potentially insecure networks (WAN). In this case, in order to maintain the confidentiality, integrity and authenticity of transmission, all data transfer between the corporate network and a gateway shall be encrypted after authentication of that gateway, which will mediate the access to the sought IT service. This includes appropriate key management and a unique digital identity for the VPN gateway.
  • Attacks (here understood as potentially hostile access mostly from WAN) shall be detected as far as possible. Malicious communication, data or executable code shall be detected. Negative effects shall be mitigated or avoided as appropriate.
  • The possibility and probability of attacks (mostly from WAN) shall be reduced by means that reduce the attack surface of the customer’s corporate network periphery and its elements. Specific information about the network internals such as internal addresses and the like shall be masked or screened from the WAN so that this information cannot be retrieved from the WAN side.
  • An inventory shall be provided of all IT equipment (in particular office workplaces) that is authorized to attach to the User LAN. It shall provide means to control membership and access to the User LAN and the resources it provides. Authentication and name resolution services are typically also provided. These services are set up and used to guarantee the controlled use of the User LAN’s resources while preventing unauthorized access. All IT security solutions (including further services such as software distribution services) shall be actively managed in order to maintain their level of security.

Primary External Support:

  • The User LAN Periphery uses functions and services of “Corporate Provider Access (CPA)” to set up a secure VPN tunnel through the WAN.
  • The User LAN Periphery uses functions and services of “Gateway and Central Services (GCS)” for the authentication, authorization and accounting of the User LAN Periphery as such.

IT Security Standard: Remote User Access (RUA)
IT components and major areas: All client components that are used to securely communicate via the WAN or the Administration Network, or to securely connect to IT services that are centrally produced (in a data center). This includes VPN clients, authentication tokens and other such tools.

“Transportation level” only: other equipment comes under Office Workplace Security (OWS) and Mobile Workplace Security (MWS).

Scope and Content:

  • The IT service provider provides IT services using systems which reside in a data center operated by the IT service provider or at the client’s premises.
  • Users must have secure access to IT services from remote locations (customers’ premises, mobile, etc.) over potentially non-secure or even public networks. Here the users’ workplace (desktop, notebook or other mobile device) is directly connected to such a network (usually WAN) and not to a corporate protected network (usually LAN).
  • Special case: remote access for administration and maintenance of IT systems and components.
    In this case, the users are operations personnel (administrators) who connect to selected data center areas and its components in order to perform management and maintenance tasks.

Goals and Objectives:

  • Users (such as employees of the IT service provider’s customers) shall be allowed to securely connect to select IT services produced in the data center. Non-authorized individuals shall not gain access to these systems and functions.
  • All data transferred between the user and the IT service shall be protected from manipulation and eavesdropping.
  • Users shall be equipped with a credential (means for authentication) that is compliant with the security requirements of the IT service being consumed. If necessary, single sign-on can be supported by client technology (ESSO).
  • Special case: remote access for administration and maintenance of IT systems and components.
    In this case strong authentication shall be used and logging is mandatory.
  • Note that all these security services shall be provided regardless of whether the IT service provides additional security services such as authentication and encryption or not. This means that secure communication is terminated at a “central service area” (SSL/TLS or IPsec) in front of the IT service.

Primary External Support:

  • The Remote User Access uses functions and services of “Corporate Provider Access (CPA)” for the termination of the secure communication at a “central service area” (SSL/TLS or IPsec) in front of the IT service.

Additionally, in the case of remote access for customers:

  • The Remote User Access uses functions and services of “User Identity Management (UIM)” for the definition, modification and retirement of digital identities. On this basis, the remote access is established.

Additionally, in the case of remote access for the IT service provider’s administrative personnel (administrators):

  • The Remote User Access for administrators uses functions and services of “Provider Identity Management (PIM)”. This includes the definition and administration of administrator entitlements and their enforcement (using LDAP, AD or PKI services), realized in cooperation between the two areas as appropriate.

Note that client software components run on the Office Workplace or Mobile Workplace, so that their services are also used:

  • The Remote User Access uses functions and services of “Office Workplace Security (OWS)” or “Mobile Workplace Security (MWS)” since client software for remote access is being executed on these devices. The support may include central management.

Data Center: Equipment and means for the production of central IT services (location: data center)

IT Security Standard: Data Center Security (DCS)
IT components and major areas: All physical and environmental security aspects of a data center. It does not include IT security equipment except for that relating to entrance control and the like.

Scope and Content:

  • The IT service provider provides IT services using systems which reside in a data center operated by the IT service provider or at the client’s premises.
  • The IT service provider’s data centers are facilities where critical and sensitive information is being processed.

Goals and Objectives:

  • Theft of, damage to and unauthorized interference with IT systems and data residing in the data center shall be prevented. Security barriers (such as walls, controlled entry gates and reception desks) and secure areas (with specific entrance and access control) are examples of security measures used for this assurance. Regarding entrance and access, all groups of individuals are considered, including guards and other onsite workers, maintenance and support personnel, guests or visitors from the IT service provider and other companies, as well as possibly rescue services and government officials. Security checks of individuals or a code of conduct may also be applied. Physical barriers are not limited to the entrance. For instance, interception of and damage to internal cabling are hindered appropriately, e.g., by physical means. Supervision or surveillance might also be used on the premises and inside.
  • In particular, delivery and loading areas shall be protected to prevent theft and unauthorized installation of equipment. Import to and removal of items and equipment from the data center shall be done in a supervised way.
  • Offices, and the desks and cabinets in them, shall be appropriately protected to prevent theft or damage of material and data. This especially applies to the reception desk, since this room or area may contain critical equipment such as access control cards and computers with access to security systems.
  • IT systems shall be protected from power failures and other disruptions caused by failures in supporting utilities. Their operating environment shall be controlled in a way that allows undisturbed operation.
  • The data center and its components shall appropriately be protected against damage from fires, floods, earthquakes, explosions, civil unrest, and other forms of natural or man-made disasters.

Primary External Support:

  • None

IT Security Standard: Data Center Networks (DCN)
IT components and major areas: All networks and network equipment within the data center that is used to connect Computer Systems (to each other, to the data center’s external interface, and with Storage) as well as to connect operations personnel (administrators) to Computer Systems, Storage and Operations Support equipment.
Note that all these networks and network equipment are “inside the firewall”. Connectivity between the IT service provider’s data centers is also included.

Scope and Content:

  • The IT service provider provides IT services using systems which reside in a data center operated by the IT service provider or at the client’s premises. These IT systems and components for IT production are directly connected to an internal data center network (DCN). One data center may have more than one physical data center network being connected to it or to each other.
  • Users (mostly employees of customers) are assumed to access IT services from the WAN via the Corporate Provider Access area.
  • Operations personnel (administrators) access IT systems and components from the Administration Network.
  • The Data Center Network is also used to interconnect all other IT systems and components within the data center as appropriate. For instance Storage is connected to Computer Systems in this way.
  • In particular, so-called twin-core data centers require a secure connection in order to allow data exchange between the two data centers.

Goals and Objectives:

  • Systems of different customers may use the same physical data center network. In order to ensure confidentiality and integrity and prevent any other interference, different customers and their communication are separated (using VLAN technology). Depending on the customer’s requirements, further separation into multiple segments (security zones) is possible.
  • Operations personnel (administrators) shall be able to administrate customer and other IT systems and therefore have the ability to access them. In order to maintain the separation aforementioned, the administration network is logically separated to distinguish access to different customers. Depending on the customer’s requirements, further separation is possible. Note that such access can originate from shared or dedicated networks and components.
  • The customer computer systems need to be connected to the central storage. In order to maintain the separation when sharing the access to central storage, a storage network is used and segmented (using VLAN technology) to distinguish the access of different customers, systems and services.
  • Information about the network segments and the ways to access them (notably IP addresses) is provided to the administration of the Corporate Provider Access (CPA), to enable user access, and to the Administration Network Security (ANS), to enable operations personnel to access IT systems including storage. Requests for changes in the Data Center Networks may come from those adjacent areas (CPA and ANS).
  • Networks and network segments that are located in the data center are much more protected from physical access than others outside. Hence, the latter are considered as not secure and all communication via outside networks (such as traffic between twin-core data centers) shall appropriately be protected against eavesdropping and manipulation.

Primary External Support:

  • The Data Center Networks uses the functions and the services of “Provider Identity Management (PIM)” for the definition and administration of administrator entitlements and their enforcement.

In addition, all equipment resides in a data center which provides physical security:

  • The Data Center Networks uses the functions and the services of “Data Center Security (DCS)” since all network equipment and internal cabling reside in the data center and are therefore physically protected.

IT Security Standard: Computer Systems Security (CSS)
IT components and major areas: All parts of the IT stack except user applications, centralized storage and middleware (including runtime environments and databases). Computer Systems comprises physical computers with operating systems and system virtualization software such as hypervisors.

Scope and Content:

  • The IT service provider provides IT services using systems which reside in a data center operated by the IT service provider or at the client’s premises.
  • Computer Systems is considered to be the lower part of the total IT stack, comprising all elements from the computer hardware upwards, but without the application.

Goals and Objectives:

  • The change of configurations and settings which have a potential effect on multiple users or comprehensive services or whole subsystems must require authorization. That is, access to all administrative functions of operating systems, hypervisors, etc., requires authorization.
  • Users who are not intended to perform administrative tasks must not have administrative privileges.
  • The integrity of non-mainframe computer systems shall be maintained by using anti-virus and malware scanners. These cannot be disabled by end users without notice and must regularly be provided with appropriate update information. Their status needs to be reported.
  • Computer systems communicate with other IT systems which they do not control. Therefore, they may control inbound and outbound traffic themselves and decide which protocols and services can be used, and by which applications.
  • In order to prevent any interference, customer data communication, communication with storage, and access for administration should be isolated using separate network interfaces. Computer systems that do require direct access to the Internet may have an additional and separate interface for this purpose.
  • Different applications that simultaneously run on one computer system (typically virtual machines (VMs) each comprising one or more applications and an operating system) are securely separated which allows for the sharing of resources without an unwanted or illegal flow of information or any other illegal interference between them.
  • The access to and the communication with any virtualization software (hypervisor or virtual machine monitor) shall strictly be controlled and only be accessible by authorized operations personnel (administrators).
  • Incorrect configurations and tampering with the configuration and other settings of operating systems and virtualization software can be detected so that corrective measures can be initiated.
  • Virtual machines that are no longer needed on a physical machine shall immediately be deleted from the computer system and resources such as main storage shall be cleaned from residual data before being assigned to another virtual machine. However, the virtual machine file system images might be retained on centralized storage (e.g., NAS or SAN) for archival purposes or for restarting the virtual machine at a later time if required by the contractual agreements with the customer.

Primary External Support:

For dynamic computing environments, there is the following external support for this standard:

  • Computer Systems Security uses functions and services of “Virtual Machine and Software Image Management (VMM)” since dynamic computing environments are controlled and managed as described there.

Typically these Computer Systems do not include persistent storage but use centralized storage:

  • Computer Systems Security uses functions and services of “Database and Storage Security (DSS)”, which provides centralized storage for all computer systems not having persistent data storage facilities themselves.

All communication of Computer Systems is done through Data Center Networks:

  • Computer Systems Security uses functions and services of “Data Center Networks (DCN)” that control sources and destinations of communication originating from and directed to Computer Systems.

In addition, all IT equipment resides in a data center which provides physical security:

  • Computer Systems Security uses functions and services of “Data Center Security (DCS)” since all IT equipment for IT service provisioning resides in a data center and is therefore physically protected.

Identities and entitlements for privileged user access are centrally defined:

  • Computer Systems Security uses functions and services of “Provider Identity Management (PIM)”. This includes the definition and administration of administrator entitlements and may include support for their enforcement (e.g., using AD), realized through the interaction of the two areas as appropriate.

In addition, the Computer Systems Security relies on related security measures and technologies which are described in other IT Security Standards, namely Operations Support Security (OSS) and Administration Network Security (ANS).

IT Security Standard: Database and Storage Security (DSS)
IT components and major areas: All centralized storage equipment and software (that is accessed by Computer Systems via Data Center Networks) plus Data Base Management Systems, even if they run on individual Computer Systems. It also contains all resources for backup and disaster recovery.

Scope and Content:

  • The Computer Systems in the IT service provider’s data centers may have no persistent storage since the latter is centralized as Network Attached Storage (NAS), Storage Area Networks (SAN) or the like.
  • Databases are used by applications to store structured data. They consist of a Data Base Management System (DBMS), which may run on a Computer System, and the persistent storage.

Goals and Objectives:

  • Mounting, dismounting and any other installation, move or removal of media, as well as physical and logical partitioning of storage, must be controlled and executed with authorization only. Administrative access shall be separated from other exchanges of information.
  • Data in storage systems can be business-critical and shall be maintained or recovered even if the data center operation has been disrupted, for instance, by fire. This is, e.g., achieved by using redundant storage systems which are located in different fire zones or even data centers. Data can be recovered in any case if a backup was made, stored safely and is ready for recovery.
  • Data in storage systems shall solely be made available to the authorized user, customer, application or service. Other entities shall not be able to access or affect this data. Hence, storage is securely separated using means such as access control including the tagging of data for storage and the physical and logical segmentation of the storage system.
  • The change of configurations and settings of databases must require authorization. That is, access to all administrative functions requires authorization.
  • Entities and users accessing databases that are not intended to perform administrative tasks on the databases must not have administrative privileges.
  • Attacks (that is, potentially hostile access) shall be detected whenever possible. Malicious communication, data or executable code shall be detected. Negative effects shall be mitigated or avoided as appropriate.
  • Activity with the database and compliance of its configuration might be monitored or checked regularly to provide evidence and enable corrective actions as appropriate.
  • The integrity of software components and of major settings and the up-to-dateness of software should be maintained by the usage of appropriate means such as scanners.
  • Databases are accessed from an external environment which they do not control. As a result, they may control communication and decide which functions and services can be used and which entities are authorized to do so.

Primary External Support:

All communication of storage components is done through Data Center Networks:

  • Database and Storage Security uses the functions and the services of “Data Center Networks (DCN)” as a fundamental communication infrastructure between customers, IT systems and applications.

In addition, all IT equipment resides in a data center which provides physical security:

  • Database and Storage Security uses the functions and the services of “Data Center Security (DCS)” since all IT equipment for databases and storage resides in a data center and is therefore physically protected.

Identities and entitlements for privileged user access are centrally defined:

  • Database and Storage Security uses the functions and the services of “Provider Identity Management (PIM)”. This includes the definition and administration of administrator entitlements and may include support for their enforcement (e.g., using AD), realized through the interaction of both standards as appropriate.

Data Center: Equipment and means for the production of central IT services (location: data center)

IT Security Standard: Operations Support Security
Abbr.: OSS
IT components and major areas: All procedures, tool sets and utilities that are used by operations personnel (administrators) for basic data center operations. This includes software for systems management, IT asset and life-cycle management, IT service management as well as for service availability and performance management.

Scope and Content:

  • There are several types of IT systems and components which together provide the required IT services to customers. These IT systems and components need to be set up, organized, configured and differently managed in order to maintain and optimize service provisioning.

Goals and Objectives:

  • The availability of IT systems and components, services or features is an essential requirement, often for security as well. Therefore, the required IT equipment shall be made available (procured, installed, and integrated) and be usable in principle. An inventory is required to be able to control this process and to maintain the integrity and the configuration of IT equipment.
  • The configuration of IT systems and components is critical with respect to security. It shall be ensured that a configuration can be created, changed or deleted solely by operations personnel (administrators) authorized to do so. Secret configuration data such as cryptographic keys must be kept confidential. Configuration must be documented, and all configuration data and information are kept available and stored centrally (outside the IT systems and components concerned).
  • Capacity management ensures that resources (such as IT equipment, IT services) are usable and provided in an optimal way so that demands can be met. This requires appropriate controls as well as the ability to track the availability and the utilization rate, analyze historic data, and make evaluations for future planning.
  • Performance management aims at optimizing the efficiency and the quality of an IT service through the management of resources. As a result, latencies, downtimes and the like are low and the accessibility of IT services will be high. This is achieved with the appropriate controls for resource management.
  • Monitoring capabilities are the basis for operations, capacity management, performance management and any troubleshooting. Disruptions and failures shall be analyzed so that corrections can be made.
  • The fulfillment of service level agreements must be monitored and appropriate information must be gathered and maintained in order to measure the degree of achievement and improvement with appropriate key performance indicators.
  • Notification, data analysis, decision making, remediation and review are principal steps in many areas. Processes are designed and standardized, and roles and responsibilities are assigned in order to ensure accuracy and quality as described elsewhere. Moreover, automation is important. This requires the provisioning of appropriate IT supporting systems and tools which need to be kept functional.

Primary External Support:

The secure use of IT supporting systems depends on the correct assignment of roles, rights and responsibilities:

  • Operations Support Security uses the functions and the services of “Provider Identity Management (PIM)”. This includes the definition and administration of administrator entitlements and may include support for their enforcement (e.g., using AD), realized through the interaction of both standards as appropriate.

All IT supporting systems reside in a data center which provides physical security:

  • Operations Support Security uses the functions and the services of “Data Center Security (DCS)” since all IT equipment resides in the data center and is therefore physically protected.

Data Center: Equipment and means for the production of central IT services (location: data center)

IT Security Standard: Application and Application Management Security
Abbr.: AMS
IT components and major areas: All software that produces the primary IT services for users. It does not include platforms and infrastructure services. Applications sit on top of Computer Systems. Middleware such as runtime environments (e.g., .NET) is also included, except for Database Management Systems.

Scope and Content:

  • The IT service provider provides IT services using systems which reside in a data center operated by the IT service provider or at the client’s premises. Applications reside on top of Computer Systems and provide the IT service for customers in accordance with their business requirements. All other IT systems and components can be seen as being a platform only.

Goals and Objectives:

  • Reflecting the customer’s needs, security objectives for the confidentiality, integrity, authenticity, accountability, and quality of service (including availability) are to be defined. Compliance requirements shall be considered thereby.
  • The security of applications depends on the environment in which they are used. Hence, security objectives shall be split into those for the application itself and for its environment. The latter may include requirements for secure networking with, e.g., encryption of transmitted data, filtering of data streams or limitations for using specific networks.
  • The change of configurations and settings which have a potential effect on multiple users or on general functionality that goes beyond intended usage must require authorization. That is, access to all administrative functions requires authorization. This is also applicable for support and monitoring.
  • The confidentiality of each part of executable code is not ensured. Therefore, confidential data such as credentials (e.g., passwords) shall not be hard-coded. In order to minimize errors or dysfunction (and to facilitate industrialized production), all information and parameters about the computing environment should be externalized and set as variables which can easily be changed. Applications should support backup and recovery of their data with a defined run-time status, if any. System stoppage should not lead to an unrecoverable or non-secure state.
  • Web Services are provided to the calling party or requester only. This may require prior authentication and should allow logoff. The web service may be totally stateless. Otherwise, different sessions of different users or of the same user shall be separated and transactions shall be correctly identified.

Primary External Support:

The application runs on top of computer systems and uses centralized storage:

  • Application and Application Management Security (AMS) uses the functions and the services of “Computer Systems Security (CSS)” since applications run on top of computer systems and perform all computation, networking and storage using functions being provided.

  • Application and Application Management Security (AMS) uses the functions and the services of “Database and Storage Security (DSS)” since applications use centralized storage.

Data Center: Equipment and means for the production of central IT services (location: data center)

IT Security Standard: Virtual Machine and Software Image Management
Abbr.: VMM
IT components and major areas: All procedures, tool sets and utilities that are used by operations personnel (administrators) to deploy, start, stop, move and otherwise manage Virtual Machines that run on Computer Systems. All procedures, tool sets and utilities that are used to generate and configure software images (engineering of images) and for archiving as well as the inventory of these images. Software images comprise those for operating systems and those for applications.

Scope and Content:

  • In dynamic computing environments, operating systems and applications are not installed in the traditional way. Instead, an executable image (memory copy) is produced and adapted and then archived. For execution, it is retrieved from the archive and copied onto one physical machine. Then computing and networking resources are configured; software variables are set and the hypervisor is instructed to start the software.
  • While the software is running, resources such as computing cycles or main memory are dynamically assigned to a running software image as required, since different software (virtual machines) can run simultaneously on one physical machine. If a virtual machine requires more resources than are available, it can be moved to another physical machine with available resources.

Goals and Objectives:

  • The integrity and correct configuration of software images is not only essential for correct operation of the software. Moreover, it shall ensure that different security policies are observed, namely those of the customer, of the application and of the service provider as well as any regulation specific to the corresponding IT service delivery infrastructure. Hence, the engineering process (creation, production of images) shall correctly identify and assign images in all management activities, prevent unauthorized changes and manipulations, and maintain the relations between files, descriptive information, scripts, configurations and the like. Image engineering considers the necessity of patching and related management activities.
  • The integrity and correct configuration of computing and networking resources is not only essential for correct operation of the IT service. Moreover, it shall ensure that different security policies are observed, namely those of the customer, of the application and of the service provider as well as any regulation specific to the corresponding IT service delivery infrastructure. Hence, resource configuration shall be as designed, and unauthorized change and manipulation shall be prevented. Configuration includes network interfaces and addresses, memory and other resources being allocated, parameters and variables of operating system, middleware and applications, and other settings as required.
  • Similar due care is required in the provisioning or distribution of images onto physical machines and in their start, stop and move from one physical machine to another.
  • The ability of the IT service provider to fulfill contractual duties and service level agreements heavily depends on the assurance that the demanded computing resources for a virtual machine are available if needed. Hence, security controls should be implemented that prevent resource exhaustion through other virtual machines on the same physical host.
  • Virtual machines that feature different levels of criticality or accessibility may be required to run on physically separate systems or on different platforms. Examples are business-critical back-end systems versus less critical supporting ones, or business-critical back-end systems versus systems that can be accessed directly from the WAN.

Primary External Support:

  • The Virtual Machine and Software Image Management uses the functions and the services of “Computer Systems Security (CSS)” since the latter contains the hypervisor or virtual machine monitor (VMM) which actually performs the virtualization and separation of applications and their data on one physical machine.

Identities and entitlements for privileged user access are centrally defined:

  • The Virtual Machine and Software Image Management uses the functions and the services of “Provider Identity Management (PIM)”. This includes the definition and administration of administrator entitlements and may include support for their enforcement (e.g., using AD), realized through the interaction of both standards as appropriate.

Data Center: Equipment and means for the production of central IT services (location: data center)

IT Security Standard: Administration Network Security
Abbr.: ANS
IT components and major areas: All networks and other equipment that allow operations personnel (administrators) to connect to the data center and its components remotely in order to perform management and maintenance tasks. This includes network security plus jump servers and centrally provided services such as authentication services. Note that the use of such equipment is confined to administrators only.

Scope and Content:

  • The IT service provider provides IT services using systems which reside in a data center operated by the IT service provider or at the client’s premises.
  • The IT service provider needs administration networks to manage the IT systems.

Goals and Objectives:

  • Operations personnel (administrators) shall be allowed to securely connect to selected data center areas and their components in order to perform management and maintenance tasks. Non-authorized individuals shall not gain access to such systems and functions.
  • The integrity of customers’ systems and information shall be retained when accessed by individuals from the admin network. Continuity of service is retained by averting deliberate attacks or manipulations through the admin network which could cause a system outage.
  • Systems operated for different customers, for different security zones of a customer or for different services shall be separated so that they cannot interfere with or compromise one another. In particular, the authorization for one customer or customer security zone may not automatically allow access to another.
  • Users of customers’ systems shall not be able to access the administration network, and thereby potentially access the IT service provider’s Corporate Network, the company’s management servers or other customers’ systems.
  • The ability of the IT service provider to fulfill contractual duties may depend on the availability and correct functioning of the IT management facilities including the administration network. Hence, critical systems and functions shall be available in a way that allows appropriate service delivery. Precautions to restore settings or components might be needed.
  • The ability of the IT service provider to fulfill contractual duties may require confinement of the impact of possible security incidents. Hence, it may be necessary to take further precautions such as the separation of elements with different levels of trust or functionality and the like.
  • Administrators shall be allowed to securely connect to selected components of the administration network in order to perform management and maintenance tasks. Non-authorized individuals shall not gain access to such systems and functions.
  • Misuse, intended manipulation or other hostile activity shall be logged appropriately to allow supervision of status and corrections if required. The integrity of such evidence data shall be maintained. This also applies to configuration data. Such evidence shall help to avoid litigation or to support it, respectively.

Primary External Support:

  • Administration Network Security uses the functions and the services of “Data Center Networks (DCN)” to secure communication within the data center and for the separation of customers and services, respectively.

  • Administration Network Security uses the functions and the services of “Provider Identity Management (PIM)”. This includes the definition and administration of administrator entitlements and their enforcement (using LDAP, AD or PKI services), realized through the interaction of both standards as appropriate.
  • Administration Network Security uses the functions and the services of “Remote User Access (RUA)” to provide the equipment needed at the client side (administrators’ workplace) to get authenticated (e.g., a smart card) and connected (e.g., VPN client software and remote access).

Data Center: Equipment and means for the production of central IT services (location: data center)

IT Security Standard: Provider Identity Management
Abbr.: PIM
IT components and major areas: All procedures and regulations, IT systems and services that are used to create and manage the digital identities including rights and other attributes for operations personnel (administrators).

Scope and Content:

  • Operations personnel (administrators) access applications, servers, networks, and other equipment in order to conduct administration tasks necessary to maintain the provisioning of IT services to customers. Such access shall be enabled in a controlled way while preventing abuse, etc. Therefore, digital identities including rights and other attributes for users are required. Organizational, procedural and personal means are necessary in addition.

Goals and Objectives:

  • The assignment of digital identities, roles, rights (entitlements), and other attributes shall follow a controlled process with application, check-up, clearance, and provisioning. User registration and approval is one key element which also determines the quality of security which can be achieved.
  • Reproducibility and accountability are essential when controlling access of users to IT resources. Hence, the management of digital identities, roles, rights (entitlements), and other attributes shall be conducted tool-based, using solutions for workflow and administration and at least partly automated means for provisioning (of identities, rights, etc., to target components).
  • Credentials are chosen and possibly changed according to the corresponding security policies. This includes the strength of authentication methods. Help desk and user self-services (if any) shall be designed not to undermine security.
  • Roles and responsibilities shall be defined and documented in accordance with business and the IT service provider’s IT security policies. Entitlements shall be designed for business (on some abstract “role” level) and then assigned to individuals. Business tasks or roles shall be described and approved before being implemented in access rights.
  • Administrators shall be given appropriate guidance as well as education, training and the like in order to empower them to appropriately use the means being provided, to follow the rules and procedures and to adhere to policies. Consequences and disciplinary action in case of violations should be known.
  • Screening, empowerment and disciplinary action shall be embedded into the whole human resources management process. This begins with checks before employment and at hiring. Terms and conditions of employment shall consider security obligations, etc. Termination or change of employment shall also be considered since rights must be securely revoked and assets must be returned, for instance.

Primary External Support:

  • None

Customer and Users: Equipment and means used by customers and users (location: users’ premises or mobile)

IT Security Standard: User Identity Management
Abbr.: UIM
IT components and major areas: All procedures and regulations, systems and services that are used to create and manage the digital identities including rights and other attributes for users. The digital identities of a person are described as “personalized identity objects” which are assigned to other identity objects like location, organization, legal entity, etc. These identities are managed in the so-called Identity Management Life-Cycle. The IDM service is the basis for real-time access management. Note that authentication services are mostly provided as a central service (refer to Gateway & Central Services (GCS)). All client components for authentication and secure networking are covered by Remote User Access (RUA).

Scope and Content:

  • Users (mostly employees of the IT service provider’s customers) ultimately consume the IT services and thereby access applications, servers, networks, and possibly other equipment. Such access shall be enabled in a controlled way while preventing abuse, etc. Therefore, digital identities including rights and other attributes for users are required. Organizational, procedural and personal means are necessary in addition.

Goals and Objectives:

  • The assignment of digital identities, roles, rights (entitlements), and other attributes shall follow a controlled process with application, check-up, clearance, and provisioning. User registration and approval is one key element which also determines the quality of security which can be achieved.
  • Reproducibility and accountability are essential when controlling access of users to IT resources. Hence, the management of digital identities, roles, rights (entitlements), and other attributes shall be conducted tool-based, using solutions for workflow and administration and at least partly automated means for provisioning (of identities, rights, etc., to target components).
  • Credentials are chosen and possibly changed according to the corresponding security policies. This includes the strength of authentication methods. Help desk and user self-services (if any) shall be designed not to undermine security.
  • Roles and responsibilities shall be defined and documented in accordance with business and the user organization’s IT security policy. Entitlements shall be designed for business (on some abstract “role” level) and then assigned to individuals. Business tasks or roles shall be described and approved before being implemented in access rights.
  • Users shall be given appropriate guidance as well as education, training and the like in order to empower them to appropriately use the means being provided, to follow the rules and procedures and to adhere to policies. Consequences and disciplinary action in case of violations should be known.
  • Important note: The customers of the IT service provider are responsible for human resources management, user registration and other internal processes of the customers’ organization. The IT service provider can only provide regulation and management tools according to policies and practices which the customer is responsible for.

Primary External Support:

  • None

Customer and Users: Equipment and means used by customers and users (location: users’ premises or mobile)

IT Security Standard: Office Workplace Security
Abbr.: OWS
IT components and major areas: All software and equipment that is used to protect desktop computers and the data and software stored and processed there. Note that Office Workplaces may also be provided in a virtualized way and hosted as “application” in the data center.

Scope and Content:

  • Users (mostly employees of the IT service provider’s customers) have desktop or notebook computers in their offices which are used to work locally and to connect to IT services provided on servers.
  • The users’ office workplaces (desktop computers and notebooks) are directly connected to an internal corporate network (LAN). Though this LAN may also contain central servers and the like, major business-critical central services and back-end systems reside on the Data Center side, whether or not it is owned by the IT service provider. The access to and use of these IT services from the workplaces is mediated by the User LAN Periphery as the bridge between the LAN and the WAN.

Goals and Objectives:

  • Users shall not be able to access other office workplace computers than their own. Access to and usage of office workplaces requires authorization. Users shall be equipped with a credential (means for authentication) that is compliant with the security requirements of the use of the office workplace and of the data and applications being processed. Re-authentication may be required after some period of time or after user inactivity.
  • The correct configuration of office workplaces shall be maintained. The change of configurations and settings of an office workplace should require authorization. That is, access to all administrative functions (especially of the BIOS and of the operating system) requires authorization. Users are not intended to perform administrative tasks and must not have administrative privileges.
  • User-defined software shall not be executed since this may cause security breaches or at least violate corporate policies. Hence, installation of privileged software requires authorization or is performed by a privileged administration process from remote. Software on centrally managed office workplaces is not updated using services in the public Internet, and related communication channels for reporting error messages should not be used.
  • Office workplaces shall only be used in the intended way. Remote control, e.g., of cameras and other recording devices, is completely disabled or restricted to prevent abuse.
  • The integrity of office workplaces shall be maintained by usage of anti-virus and malware scanners. The latter cannot be disabled by users without notice and must regularly be provided with appropriate update information. Their status needs to be reported.
  • Office workplace computers communicate with an external environment which they do not control. As a result, they may control inbound and outbound traffic and decide which protocols and services can be used and by which applications.
  • Office workplaces may be equipped with means for encrypting files, file containers, virtual drives, hard disk partitions, or the whole hard disk. Hard disk encryption (either partitions or complete) must be enforced, not allowing users to disable this function. Implementation of such features depends on the criticality of the office workplace and of the data and applications being processed as well as on the office environment and the risks associated with it.
  • Office workplaces may be equipped with means to detect attacks (that is, potentially hostile access). Negative effects may then be mitigated or avoided as appropriate.
  • Web browsers are powerful tools and work as presentation layer, application front-end or multi-media player. Malicious communication, data or executable code should be detected. Negative effects shall be mitigated or avoided as appropriate.
  • E-mail client software and office software may be supplemented by encryption functions, means to apply digital signatures or tools to control information flow (known as data leakage or loss prevention or as Enterprise Digital Rights Management or DRM solutions). The necessity of such features depends on the security policies to be applied. E-mail client software may also provide functions for automatic treatment of unsolicited or undesired e-mail messages (known as SPAM).
  • Office workplaces should be provided with means for backup and restoration of data. The necessity depends on the criticality and the amount of the data being stored locally.
  • If office workplace computers are used outside the internal corporate network (LAN), then connections to networks should be set up through an encrypted channel for secure remote access to the required IT service. Physical locks and LCD privacy filters may also be provided.

Primary External Support:

  • Office Workplace Security uses the functions and the services of “User LAN Periphery (ULP)”, which provides the bridge to the outside world to access public networks such as the Internet or to consume IT services produced by the IT service provider with IT systems which reside in a data center owned and operated by the IT service provider or at the client’s premises.

  • Office Workplace Security uses the functions and the services of “User Identity Management (UIM)” for the definition, modification and retirement of digital identities. On this basis, the access to the workplace and to LAN resources is mostly established.

Though designed to connect to the corporate LAN in the first place, Office Workplaces may also utilize virtual private network technology (e.g., using SSL) to securely connect to remote IT services:

  • Office Workplace Security uses functions and services of “Remote User Access (RUA)” for the set-up of an encrypted channel for secure remote access to IT services which are produced using IT systems which reside in a data center owned and operated by the IT service provider or at the client’s premises.

Customer and Users: Equipment and means used by customers and users (location: users’ premises or mobile)

IT Security Standard: Mobile Workplace Security
Abbr.: MWS
IT components and major areas: All software and equipment that is used to protect mobile computers and the data and software stored and processed on these. This includes notebook computers and different types of smart phones. Note that mobile workplaces may also be provided in a virtualized way and hosted as “application” in the data center.

    Scope and Content:

    • Users (mostly employees of the IT service provider’s customers) have mobile devices such as smart phones at hand which are used to connect to IT services provided on servers. They may also use such devices to make secure phone calls using means that are publicly available as part of standard mobile telecommunication services.
    • The users’ mobile devices directly connect to public networks (called WAN in our terminology) which are not under any control of the users’ organizations or of the IT service provider. This is the main difference from Office Workplaces. Mobile devices only exceptionally connect directly to an internal corporate network (LAN).

    Goals and Objectives:

    • Reflecting the customer’s needs, security objectives for confidentiality, integrity, authenticity, and accountability are to be defined. To this end, types of usage should be defined, such as office bound, home worker, occasionally mobile, or “road warrior”. It is also important to understand how the mobile device connects (locally, wireless LAN, wireless UMTS/LTE, etc.) and what kind of data is stored, processed and transmitted.
    • Considering the latter, mobile workplaces (notebooks, smart phones) are to be protected appropriately. Other devices such as flash drives, portable disks, and multimedia devices should be treated accordingly. Security measures should combine user education, device protection, connection security and data protection as appropriate.
    • The correct configuration of mobile workplaces shall be maintained. Changing the configuration and settings of a mobile workplace should require authorization. Configuration includes but is not limited to log on and device unlock, network and other log requirements, synchronization and connection facilities, backup, and application installation and management.
    • Precautions shall be taken in case a mobile workplace computer is lost, in order to prevent a security breach or to mitigate the possible impact. It must be clear what kind of data is stored on which devices. Strategies for backup and, where applicable, recovery shall exist.
    • The goals and objectives developed for the Office Workplace Security (OWS) shall be examined in order to find out which are valid, should be applied, and can reasonably be afforded for Mobile Workplaces.

    Primary External Support:

    Connections to networks are made through remote access:
    • Mobile Workplace Security uses the functions and the services of “Remote User Access (RUA)” for the set‑up of an encrypted channel for secure remote access to IT services which are produced using IT systems which reside in a data center owned and operated by the IT service provider or at the client’s premises.

    Digital identities and entitlements are used:

    • Mobile Workplace Security uses the functions and the services of “User Identity Management (UIM)” for the definition, modification and retirement of digital identities. On this basis, the access to the workplace and to LAN resources is mostly established.

    Though designed to use the remote access connection in the first place, Mobile Workplaces may also utilize a docking station, for example, for connecting to the corporate LAN:

    • Mobile Workplace Security uses the functions and the services of “User LAN Periphery (ULP)” which provides the bridge to the outside world to access public networks such as the Internet or to consume IT services produced by the IT service provider with IT systems which reside in a data center owned and operated by the IT service provider or at the client’s premises.