Cyber in the Cloud & Network
Enabling Offense and Defense
Mark Odell, April 28, 2015
Agenda
• Security - need for change
• What is different
• Challenges
• Typical use cases
• What if…
• Emerging capabilities
Future of Computing Security
• Predictable?
• Not really, but opportunity rich!
• Present situational awareness
  • Cloud, multiple instances with different control and governance models
  • Nearly ubiquitous connectivity
  • Smart phones and wearable devices
  • Automobiles that are online, potentially participating in a mobile office experience
In the Clouded World
• Computing essentially happens everywhere
• The enterprise has no physical or concrete boundary
• Different devices participate in the enterprise and user experience
• Devices may participate in multiple enterprises
Distributed Enterprise is the Norm
Cloud → Change in IT Security
• Traditional IT paradigms under stress
  • Not only about the device, network protection and prevention, or ‘defense in depth’ strategies
  • Our data is everywhere, multi-jurisdictional
• How to maintain mission resiliency with better IT?
  • Enable both offense and defense
• Cloud technology ‘abstracts’ reality – interferes with traditional boundary & containment approaches
  • Virtualized network, storage, machines, resources
  • Provides accelerated dynamic response to needs
Is flexibility an advantage? It depends….
[Diagram: Servers, End Devices, Multi-Cloud, Multi-Provider, Protected Data]
Tough Problems
• Multi-dimensional platform integrity (compute, storage, network)
  • Deployable ‘STIG-ability’ in the virtual world
  • Dynamic patch management & operations
  • Software defined network
  • Volume management & content protection
• How to protect sensitive information?
  • No matter where the data is
  • Or what is processing it
• Application authenticity
  • Is the application compromised?
  • Is this the right application?
Current Situation – Typical Use Cases
• We care about financial transactions, medical records, legal documents, detecting fraud, IDAM authenticity, etc.
• Content confidentiality, assurance, non-repudiation, transactional pedigree, separation of concerns and duties
• Conventional host based security models
  • Determine identity within trusted governed domain or application
  • Explicit rights in localized context
  • Persona: identity has context, rights defined within domain, different in another domain, rarely identity transferable with assurance (gov’t PKI bridge, cert attributes)
  • E.g. maintaining logon IDs to web sites
  • Host is responsible for identity controlled access
  • Applicable to well controlled contiguous environments
Controlled host and network environments are no longer the norm with cloud, ubiquitous networks, global business
What if We Had…
• Offline revocation of credentials
• Data that knows where it has been
• Conditional processing data (including multi-factor)
• Offline content protection that
  • Works anywhere
  • Host independent
• Next generation electronic signatures
  • Smart signed applications & content
  • More than installation license integrity
  • Run-time integrity
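Three of the wishes above (data that knows where it has been, content protection that is host independent and verifiable offline, and signatures that say more than "this is authentic") can be given one concrete shape: a signed provenance chain carried with the content itself. The following is an added example, not code from the presentation or from any project it mentions. It uses Ed25519 from Go's standard library; the custodian names "hospital-a", "cloud-b" and "stranger", the sample record and the trust store are all constructed for the illustration. Each custodian signs the content hash, its own name and the previous hop's signature, so the receiver can reconstruct the path the data took and reject a copy that was altered in transit or handled by a party it does not trust, without contacting any host.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hop is one custodian's signed attestation that it handled the content.
// The signature covers the content hash, the custodian name and the previous
// hop's signature, so a hop cannot be reordered or reused for other content.
type Hop struct {
	Custodian string
	PubKey    ed25519.PublicKey
	Sig       []byte
}

// Envelope carries the content together with its provenance chain.
type Envelope struct {
	Content []byte
	Hops    []Hop
}

// hopDigest binds content, custodian and chain position into one message.
func hopDigest(contentHash []byte, custodian string, prevSig []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%x\x00%s\x00%x", contentHash, custodian, prevSig)
	return h.Sum(nil)
}

// AddHop appends a hop signed by the named custodian's private key.
func (e *Envelope) AddHop(custodian string, priv ed25519.PrivateKey) {
	ch := sha256.Sum256(e.Content)
	var prev []byte
	if n := len(e.Hops); n > 0 {
		prev = e.Hops[n-1].Sig
	}
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, hopDigest(ch[:], custodian, prev))
	e.Hops = append(e.Hops, Hop{Custodian: custodian, PubKey: pub, Sig: sig})
}

// Verify checks the chain with no network access: every custodian must be in
// the receiver's trust store under the same key, and each signature must
// verify over the content as received. It returns the custodian path walked.
func (e *Envelope) Verify(trusted map[string]ed25519.PublicKey) ([]string, error) {
	ch := sha256.Sum256(e.Content)
	var prev []byte
	var path []string
	for i, h := range e.Hops {
		want, ok := trusted[h.Custodian]
		if !ok || !want.Equal(h.PubKey) {
			return path, fmt.Errorf("hop %d: custodian %q not in trust store", i, h.Custodian)
		}
		if !ed25519.Verify(h.PubKey, hopDigest(ch[:], h.Custodian, prev), h.Sig) {
			return path, fmt.Errorf("hop %d: signature by %q does not match content", i, h.Custodian)
		}
		prev = h.Sig
		path = append(path, h.Custodian)
	}
	return path, nil
}

// mustKey generates a fresh Ed25519 key for a hypothetical custodian.
func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Demo runs a constructed scenario: a record moves from "hospital-a" to
// "cloud-b" (hypothetical names), then a receiver verifies the intact copy, a
// copy altered in transit and a copy with a hop added by an unknown party.
// It returns the intact path and the two expected verification errors.
func Demo() (path []string, tamperErr, strangerErr error) {
	hospital, cloud := mustKey(), mustKey()
	trusted := map[string]ed25519.PublicKey{
		"hospital-a": hospital.Public().(ed25519.PublicKey),
		"cloud-b":    cloud.Public().(ed25519.PublicKey),
	}
	env := Envelope{Content: []byte("patient=0001;allergy=penicillin")} // constructed sample record
	env.AddHop("hospital-a", hospital)
	env.AddHop("cloud-b", cloud)
	path, err := env.Verify(trusted)
	if err != nil {
		panic(err) // the intact chain must verify
	}

	tampered := Envelope{Content: []byte("patient=0001;allergy=none"), Hops: env.Hops}
	_, tamperErr = tampered.Verify(trusted)

	hijacked := Envelope{Content: env.Content, Hops: append([]Hop(nil), env.Hops...)}
	hijacked.AddHop("stranger", mustKey())
	_, strangerErr = hijacked.Verify(trusted)
	return path, tamperErr, strangerErr
}
```

Two caveats a practitioner would want stated: the chain proves which trusted custodians signed, not that no one else merely read the content (confidentiality needs encryption on top), and a chain can be truncated by dropping its last hops, so a receiver that expects delivery through a particular path should compare the returned path against that expectation rather than accept any valid prefix. Offline revocation, the first wish on the slide, is deliberately not addressed here; it needs a separate mechanism such as short-lived keys or signed revocation lists carried with the trust store.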
What Should we Anticipate?
• Application trust for multi-jurisdictional transactions and content manipulation
• Next Gen Certificates mean more than authenticity
  • Implied credentials, membership associations
  • Multi-domain rights adjudication
• Message payload, context, and forgery resistance
  • Transactional sequencing integrity and assurance
• Content protection beyond transport and rest
  • Transport ‘man-in-the-middle’ assumes an intercept
  • Endpoint & identity forgery (malware)
  • Content hostage
• Should an application (or machine) know where it is running to determine trust of the surroundings?
• Does an application need to travel with its own mini-trusted OS for integrity?
Emerging Capabilities
• Application resiliency
• Cloud based forensics
• Legacy application migration
  • Transformation not re-hosting
  • Achieving appropriate continuous security posture
• Upgrades and enhanced software defined infrastructures (network, compute, and storage)
• Offense and Defense on agile platforms and environments
• Maintaining configuration and control over a changing environment and knowing what change is correct - all the time
Emerging Capabilities (cont’d)
• Dynamic Operations, Infrastructures, and Participants
• Sensitive data sharing across coalition, assured delivery – on a hostile commercial platform
• Commercial examples
  • Healthcare medical records
  • Financial transactions
  • Content, rights management & IDAM
• Joint and dynamic coalition partners – smarter data tagging
• Data is the new platform
Questions?