Cyber in the Cloud & Network Enabling Offense and Defense Mark Odell April 28, 2015

Page 1

Cyber in the Cloud & Network

Enabling Offense and Defense

Mark Odell, April 28, 2015

Page 2

Agenda

• Security - need for change
• What is different
• Challenges
• Typical use cases
• What if…
• Emerging capabilities

Page 3

Future of Computing Security

• Predictable?
• Not really, but opportunity rich!

• Present situational awareness
• Cloud, multiple instances with different control and governance models
• Nearly ubiquitous connectivity
• Smart phones and wearable devices
• Automobiles that are online, potentially participating in a mobile office experience

Page 4

In the Clouded World

• Computing essentially happens everywhere
• The enterprise has no physical or concrete boundary
• Different devices participate in the enterprise and user experience
• Devices may participate in multiple enterprises

Distributed Enterprise is the Norm

Page 5

Cloud → Change in IT Security

• Traditional IT Paradigms under stress
  • Not only about the device, network protection and prevention, or ‘defense in depth’ strategies
  • Our data is everywhere, multi-jurisdictional

• How to maintain mission resiliency with better IT?
  • Enable both offense and defense
• Cloud technology ‘abstracts’ reality – interferes with traditional boundary & containment approaches
  • Virtualized network, storage, machines, resources
  • Provides accelerated dynamic response to needs

Is flexibility an advantage? It depends…

Page 6

[Diagram: Servers, End Devices, Multi-Cloud, Protected Data, Multi-Provider]

Tough Problems

• Multi-dimensional platform integrity (compute, storage, network)
  • Deployable ‘STIG-ability’ in the virtual world
  • Dynamic patch management & operations
  • Software defined network
  • Volume management & content protection

• How to protect sensitive information?
  • No matter where the data is
  • Or what is processing

• Application authenticity
  • Is the application compromised?
  • Is this the right application?

Page 7

Current Situation – Typical Use Cases

• We care about financial transactions, medical records, legal documents, detecting fraud, IDAM authenticity, etc.
• Content confidentiality, assurance, non-repudiation, transactional pedigree, separation of concerns and duties
• Conventional host based security models
  • Determine identity within trusted governed domain or application
  • Explicit rights in localized context
  • Persona: identity has context, rights defined within domain, different in another domain, rarely identity transferable with assurance (gov’t PKI bridge, cert attributes)
  • E.g. maintaining logon IDs to web sites
  • Host is responsible for identity controlled access
  • Applicable to well controlled contiguous environments

Controlled host and network environments are no longer the norm with cloud, ubiquitous networks, global business

Page 8

What if We Had…

• Offline revocation of credentials
• Data that knows where it has been
• Conditional processing data (including multi-factor)
• Offline content protection that
  • Works anywhere
  • Host independent

• Next generation electronic signatures
• Smart signed applications & content
  • More than installation license integrity
  • Run-time integrity

Page 9

What Should we Anticipate?

• Application trust for multi-jurisdictional transactions and content manipulation
• Next Gen Certificates mean more than authenticity
  • Implied credentials, membership associations
  • Multi-domain rights adjudication
  • Message payload, context, and forgery resistance
  • Transactional sequencing integrity and assurance

• Content protection beyond transport and rest
  • Transport ‘man-in-the-middle’ assumes an intercept
  • Endpoint & identity forgery (malware)
  • Content hostage

• Should an application (or machine) know where it is running to determine trust of the surroundings?

• Does an application need to travel with its own mini-trusted OS for integrity?

Page 10

Emerging Capabilities

• Application resiliency
• Cloud based forensics
• Legacy application migration
  • Transformation not re-hosting
  • Achieving appropriate continuous security posture

• Upgrades and enhanced software defined infrastructures (network, compute, and storage)

• Offense and Defense on agile platforms and environments

• Maintaining configuration and control over a changing environment and knowing what change is correct - all the time

Page 11

Emerging Capabilities (cont’d)

• Dynamic Operations, Infrastructures, and Participants
• Sensitive data sharing across coalition, assured delivery – on a hostile commercial platform
• Commercial examples
  • Healthcare medical records
  • Financial transactions

• Content, rights management & IDAM
• Joint and dynamic coalition partners – smarter data tagging
• Data is the new platform

Page 12

Questions?