1.1. People Process & Technology Security
Lefatshe has grown from a pure breed security company and has maintained the subject of ICT security at the core of its service offering and focus. At the heart of all good business innovations provided by ICT is the need for an ICT platform that offers optimisation and compliance through best ICT management services. At the heart of best ICT management services is the need for end-to-end security services. Lefatshe knows from experience that you can't deploy technologies alone to protect networks, hosts, applications, and content. It is also required that you establish comprehensive security programs that also include people and process to: develop security policies, plan future security architecture, and train users on their roles and responsibilities. In addition, best practices require that you automate critical management functions, to ensure proper deployment of technical systems and receive auditing/monitoring information that provides warnings or indications of potential problems. Some of the solutions we offer include:
- People Process and Technical Security Architecture,
- People Process and Technical Security Management Strategy,
- Information Security Program Development and Execution,
- Integrated Audit Trails and Integrity Assurance (ECT Act Compliance)
- Configuration, Patch, and Vulnerability Management
- Security Information/Event Management Systems (SIEM) and log management
- Aggregating Data for Analysis, Monitoring, Reacting, and Reporting
- Preventing Social Engineering (Focus on People & Process)
- Security Awareness and Training
1.2. Perimeter Security
Although the protection of information, software and systems extends far beyond the firewall and the perimeter layer, perimeter protection remains an essential part of the security service offering. Lefatshe has many large-scale clients who require solutions that incorporate both distributed and federated security architectures and zones that span multiple organisational and geographical domains. In addition to preventive controls, our clients employ a variety of monitoring solutions to continually assess the state of security. These protections are deployed both in traditional network environments and evolving virtual environments and present numerous challenges that Lefatshe has proven to solve and manage very effectively. Some of the perimeter and infrastructure security solutions we offer include:
- Centralised & Federated Policy Management Administration (PMA)
- Distributed policy enforcement points (PEPs)
- Layered protections, including network zones and other separation approaches
- Cable & Wireless Network Security
- Virtualisation Security
- Network Attached Service Security
- Network, Host & Fixed/Mobile End-point Firewalls
- Network, Host & Application Intrusion Detection and Prevention Systems (IDS/IPS)
- "Unified Threat Management" (UTM) & Response Management
- Perimeter Behavioural Analysis (Part of SIEM)
1.3. Host and Fixed/Mobile Endpoint Protection
Lefatshe has grown its host and endpoint protection offering by winning some of the largest implementations in the public sector to date. Lefatshe has also kept abreast of the data centre consolidation and virtualisation that is changing our clients' environments and their host-protection requirements and challenges. Our solutions take into account the reality of increased mobility and remote access, and the need for identifying and assessing endpoints, ensuring their availability, confidentiality and integrity, and preventing harmful activity resulting from increasingly sophisticated threats. Here are some of the related solution offerings we include:
- Integrated Asset Management (Identification of Fixed & Mobile Endpoint Systems)
- Assessment, Enforcement, Quarantine, and Remediation Mechanisms for Hosts as well as Fixed & Mobile end points.
- Fixed & Mobile Endpoint Malware Defence
- Host & Fixed/Mobile Endpoint Firewall Management
1.4. Content Security
As collaboration practices and mobile storage devices place increasing demands on content management to handle content mobility, content security must move away from the traditional content management systems and repositories that once held content in one place and move closer to the content itself, i.e. become embedded within sensitive content. In addition, content carries its own threats, such as unwanted information (spam), attacks (malware) or unwanted intrusions (spyware). Lefatshe's content security takes all these considerations into account when formulating strategies for our clients, integrating best-of-breed tools and suites to manage these threats and vulnerabilities holistically. Some of our solution offerings include:
- Fixed & Mobile Content Life-cycle Management
- Data Leakage (Detection and) Prevention (DLP)
- Information & Data Classification (Meta-tagging)
- Integrity & Confidentiality Assurance (PKI)
- Privacy Assurance (File, Folder, and Disk Encryption)
- Fixed & Mobile End-Point Protection (Anti-Virus, Spam, Spyware & Malware)
- Messaging (E-Mail and IM) Filtering
- Web Filtering
- Digital Rights Management Technologies
1.5. Application and Data Service Security
As the perimeter security layer is penetrated by business demands to access internal systems, using web services for example, threats and attacks are moving into core systems and targeting applications and databases. Although most enterprise application and database products embed security while the software is designed, created and tested, there remains a need for an automated and centralised/federated policy enforcement and reconciliation capability as part of a Security Information/Event Management System (SIEM). As part of an end-to-end Application and Data Service Security Assurance offering, Lefatshe solutions include:
- Code Integrity & Authenticity Assurance (Object Signing)
- Securing the Software Development Lifecycle (Sec-SDLC)
- Code Scanning and Analysis
- Web Application (Web Service Management) Firewalls
- Service Oriented Architecture Security (SOA-Sec)
- Service Oriented Architecture Governance (SOA-Gov)
- Database Auditing, Monitoring, and Transparent Encryption
- Identity & Access Management (IAM) Integration
1.6. Identity & Access Management (IAM)
Gartner Group and other industry analysts will tell you that approximately 70% of threats come from inside the firewall, i.e. beyond the perimeter. Lefatshe has learnt from experience that this requires a more granular and measured control of users inside the perimeter of a network, who are predominantly employees, making Identity and Access Management one of the most important components of security. Furthermore, Lefatshe has seen how an increasing number of ICT security audits fail as a result of IAM related challenges. IAM has also proven to be a significant contributor to end-user experience and to the direct cost of relationship management for an organisation, whether the relationship is with a client, partner, supplier or employee.
- Identity Management (IdM): Identity management refers primarily to how a person (most commonly), system, application or resource is identified for use by people, processes and systems alike. IdM primarily refers to the management of the identity life-cycle and the secure distribution of such information for user management, authentication, authorisation, access control, auditing, profiling and personalisation, to name a few identity related/driven services. Lefatshe continues to perform analysis of industry best practices, technology and market trends for identity management best-of-suite vendors and best-of-breed vendors and their respective value adds for our different client requirements.
- Access Management (User Management and Provisioning): Refers to the life-cycle management of organisation (business) and ICT roles, subscriptions, accounts and the related digital identities that define these arrangements. Access management also refers to user management functions such as centralised, delegated and self-service identity administration. Access management also involves administrative and authorisation workflow to manage the automated provisioning (and de-provisioning) of subscriptions, accounts, access rights (physical and logical), and other resources, as well as the exchange of identity and attribute information between federation partners. Access management also refers to the integration of identity attributes via protocols and virtual/meta-directory applications which support management of user information and the provisioning (and integration) of identity and entitlement information to applications which need to authenticate and authorise users.
Lefatshe has grown this competence to cover the following subjects:
- Identity Life-cycle Management
- Identity Management Best-of-Suite vs. Best-of-Breed Selection
- User Administration & Life-cycle management
- Identity Driven Relationship Management
- User Provisioning
- Centralised vs. Delegated Administration
- Password & Provisioning Self-Service
- Password Synchronisation
- Administrative and Authorisation Life-cycle Workflow
- Digital Identity Protection
1.7. Authentication
Authentication is essentially how a known identity proves who they are (or what it is), and there are hundreds of potential ways in which a given person (or other entity) can authenticate their identity. Central to this capability is the trusted evaluation of identity assurance measures and authentication procedures to prove the reliability of such authentication.
Lefatshe has become an expert in combining tools and techniques for reducing the number and diversity of authentications to which a single individual or process must submit. The ability to combine a number of different authentication techniques into a given solution, based on the end user's need to be authenticated, differentiates our solution from others that often seek one (strong or weak) authentication for all users. Those approaches either leave the most sensitive users vulnerable to identity theft due to weak authentication systems, or provide strong authentication to all users when only a few needed it, resulting in unacceptably high costs. Some of the areas of expertise in authentication we offer include:
- Password & Known Secret Management
- Reduced Sign-On - RSO (AKA Single Sign-On - SSO)
- Multi-factor authentication
- Biometric Authentication
- PKI (Digital Certificates)
- Smart Card & Match-on Card Authentication
- One time passwords
- Smart Tokens
- Kerberos & Other Token Based Systems
- Federated Identity Based Authentication (e.g. Liberty Alliance)
1.8. Authorisation
Once we can be assured of a user's identity and authenticity we must establish what they are entitled to; this, in its simplest form, is the challenge of authorisation management. This includes the need for granular management of user entitlements, credentials, and attributes.
Lefatshe provides best practice tools and techniques for granting, managing, reviewing, revoking, and using authorisation rules/policies (entitlements). Authorisation tools and techniques vary from vendor to vendor and again have their merits as best of suite and best of breed. Essentially they all manage Access Control as part of an Identity and Access Management solution integrating authentication and authorisation via common directory services. Some of our solution offerings include:
- Granular Authorisation Management
- Central, Distributed & Federated Policy Management and Administration
- Roles & RBAC (See Below for More Detail)
- Standards
  - Extensible Access Control Markup Language (XACML)
  - WS-Policy
  - SPML
  - Others
1.9. Roles & RBAC
At the heart of managing granular authorisation is the growing use of roles and role based access control (RBAC). Roles are also used for determining how to profile users (employees, clients, partners or suppliers) and personalise their individual view of given information systems and portals for example. Techniques for identifying the set of roles a business must support in order to characterise its relationships with employees, clients, partners, and suppliers are the basis for automating how each in their given roles can access information, systems and even physical gates and doors.
Lefatshe provides methods and tools for creating roles and managing their lifecycles to meet both simple and complex role management challenges, including the assignment of entitlements to roles and methods for measuring the effectiveness of role-based systems. Lefatshe also provides methods and tools for discovering existing roles based on patterns of activity by existing users in our clients' environment. Key to the success of role management is the successful architecture of role hierarchies and the mapping of organisational change onto the role hierarchy and onto the assignment of individuals to roles. This forms the basis for separation of duties and is one of the fastest growing areas of demand from our clients needing more effective financial controls to avoid audit failures. Lefatshe continues to grow its competence in role management and offers the following related solutions:
- Role Life-Cycle Management
- Role Discovery
- Role Mapping
- ICT roles
- Organisation (Business) Roles
- Privilege Roles
- Separation of Duties
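The two mechanisms this section names, role hierarchies and separation of duties, interact: a user never assigned two conflicting roles directly may still inherit both through a senior role. The following added example (not code from Lefatshe or from any product named on this page) models a small hierarchical RBAC system with a static separation-of-duties check that looks through inheritance, plus a naive role-discovery step that groups users by identical observed permission sets; the finance roles, users and permissions are constructed for illustration, and the hierarchy is assumed to be acyclic.

```python
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.role_perms = {}                 # role -> permissions granted directly
        self.inherits = {}                   # role -> junior roles whose permissions it inherits
        self.user_roles = defaultdict(set)   # user -> roles assigned directly
        self.sod_pairs = set()               # frozenset({a, b}): no user may hold both

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def role_closure(self, role):
        # `role` plus every junior role it inherits from, transitively (hierarchy assumed acyclic)
        return {role}.union(*(self.role_closure(j) for j in self.inherits.get(role, ())))

    def held_roles(self, user):
        # roles the user holds directly or through the hierarchy
        return set().union(*(self.role_closure(r) for r in self.user_roles.get(user, ())))

    def user_perms(self, user):
        return set().union(*(self.role_perms[r] for r in self.held_roles(user)))

    def add_sod(self, role_a, role_b):
        self.sod_pairs.add(frozenset((role_a, role_b)))

    def sod_violations(self):
        # static SoD: a user holding both roles of a pair, even only via inheritance, is a finding
        return sorted((u, tuple(sorted(p))) for u in self.user_roles
                      for p in self.sod_pairs if p <= self.held_roles(u))


def discover_roles(observed, min_users=2):
    # naive role discovery: a permission set shared by at least `min_users` users is a candidate role
    groups = defaultdict(set)
    for user, perms in observed.items():
        groups[frozenset(perms)].add(user)
    return {perms: users for perms, users in groups.items() if len(users) >= min_users}


def build_example():
    # constructed finance scenario: creating and approving payments must not meet in one person
    rbac = RBAC()
    rbac.add_role("employee", {"ledger:read"})
    rbac.add_role("clerk", {"payment:create"}, inherits={"employee"})
    rbac.add_role("approver", {"payment:approve"}, inherits={"employee"})
    rbac.add_role("finance_manager", {"report:run"}, inherits={"clerk", "approver"})
    rbac.add_sod("clerk", "approver")
    for user, role in (("alice", "clerk"), ("bob", "approver"), ("dana", "finance_manager")):
        rbac.assign(user, role)
    return rbac
```

Running `build_example().sod_violations()` reports only `dana`, who holds neither conflicting role directly but inherits both via `finance_manager`; this is the class of hidden conflict that role-hierarchy reviews exist to surface.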
1.10. Privacy
Section 14 of the South African Constitution of 1996 states, "Everyone has the right to privacy." Data protection laws are closely related to privacy laws, and while there is currently no all-encompassing privacy or data protection legislation in South Africa (yet), one is due in a planned privacy bill aimed at achieving EU approval. At present, Chapter 8 of the ECT Act sets out the universally accepted data protection principles describing how personal data, as defined in the ECT Act, may be collected and used. This presents a useful guideline for forthcoming legislation that will bring South Africa in line with international and EU standards on privacy.
Lefatshe has worked with and researched emerging tools and practices that govern the collection, use, and storage of personal data. The creation of policies and procedures that enable compliance with global and forthcoming local privacy regulations has become a subject of strategic importance in future-proofing our clients in terms of privacy compliance and data protection. Addressing issues relating to identity theft and phishing to protect system users and business applications is a current challenge we address for our clients today. Defining clear policies and controls for the use and storage of personal information in IT systems has become mandatory for most of our clients in both the public and private sector.
Looking forward, privacy enhancing technologies, including un-linkable authentication systems, privacy-compliant data mining & BI systems and anonymous message routing, will become key technologies for allowing the harmonisation of business requirements with privacy constraints. Business and legal agreements supporting protection of private information will form the foundation of successful privacy management which, if performed now, will ensure compliance in the future at no extra cost or threat of disruptive change. Use of personal information in the context of relationships (defined by roles in agreements) whose rules explicitly govern uses and disclosures of information will become an essential part of automated privacy compliance assurance in the future.
- Future-proof Privacy Policy Formulation
- Local Privacy Legislation Compliance
- EU & OECD Privacy Guidelines Alignment
- Anonymity Management
- Identity Theft Prevention
- Identity Fraud Prevention
- Anti-Phishing & Pharming
- Data Leakage Prevention
- Role-based Profiling
1.11. Federation
As an increasing number of organisations seek to offer traversal access to systems for other organisations' clients and employees (government and private sector alike), a need to manage users in a distributed but trusted manner becomes mandatory. The ability to give outsiders limited access to systems, based on trust in a partner organisation's assertions of the user's known identity and entitlement, having authenticated to an agreed level of strength, is a growing requirement that can be fulfilled today.
Lefatshe has expertise, methodologies and tools for establishing working business arrangements and legal structures which support sharing identity information across organisational boundaries to meet the above challenges. Lefatshe can demonstrate how cost reduction and increased efficiency can be realised by relying on third-party sources of identity and attribute information that are often better than an organisation's own. Lefatshe has studied and implemented proven systems leveraging protocols for federated authentication and the exchange of identity attributes and entitlements across organisational boundaries, using SAML and WS-* token formats and protocols for implementing such identity federations. Lefatshe will assist our clients in handling the essential people and process aspects such as privacy issues, governance, and business structures supporting successful federation relationships. Lefatshe can assist our clients in setting up "hub and spoke" federation based Identity Service Provider (ISP) models, amongst others, dealing with the provisioning of administrative account authority between federation members. Some of the areas we cover in our federation solution offering include:
- Federation Architecture & Strategy (Business & Technology)
- Identity Federation Standards
  - Liberty Alliance (ID-FF, ID-WSF etc.)
  - SAML - Security Assertion Markup Language
  - ADFS - Active Directory Federation Services
  - WS-Federation
  - WS-Trust & Security Token Service (STS) model