Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
What security model towards 2020?
Hong Kong Information Security Summit 2016
Gérôme [email protected]
@gbillois
Chadi [email protected]
@chadihantouche
© WAVESTONE 2
Tier one clientsleaders in their industry
2,500 professionalsacross 4 continents
Among the leading independentconsultancies in Europe,
n°1 in France
Paris | London | New York | Hong Kong | Singapore* | Dubai*
Brussels | Luxembourg | Geneva | Casablanca
Lyon | Marseille | Nantes
In a world where permanent evolution is key to success, we enlighten and partner our clients in making their most critical business decisions
© WAVESTONE 3
Win the digital race with digital trust
PROVEN EXPERTISE
/ Digital Risk Strategy & Compliance/ Safe Business Transformation / Security Design & Program Management/ Identity, Fraud & Trust Services/ Penetration Testing & Incident Response/ Business Continuity & Resilience
ACTIONABLE INSIGHTS
/ Industry-specific risk mapping/ AMT Master plan methodology/ Startups & Innovation Radars/ CERT-W
Digital trust is a key business enabler that will put you ahead to win the digital transformation race
Wavestone Cybersecurity & Digital Trust
Our clientsBoard, Business, CDO, CIO, CISO, BCM
400+Consultants & Experts
1,000+Engagements per
year in 20+ countries
© WAVESTONE 4
Let’s state THE OBVIOUS
© WAVESTONE 5© WAVESTONE 5
CONNECTIVITY AND OPENNESS
THREAT REGULATIONS SKILLS
© WAVESTONE 6
Whatwe have
SO FARdone
© WAVESTONE 7
1995 - 2005: A centralized Information SystemPREVIOUS SECURITY MODEL
Corporate network
Internet
Partners
IndustrialControlSystems
Partners providing services within the company IS
Few business specific network
Some mobile users
© WAVESTONE 8
The fortress security model
A strong wall
A unique and secure entry point
But free movement inside the city…
Palmanova Fortress (Italy)
© WAVESTONE 9
2005-2015: An increasingly open Information SystemPREVIOUS SECURITY MODEL
Corporate network
Internet
IndustrialControl Systems
Cloud
Partner
DC
Customer’s devices
Employee’s corporate or personal devices
A perimeter that needs to be more open
Critical internal resources are isolated and tightly secured
© WAVESTONE 10
The Airport security model
Airport hall is open by default
Additional controls to reach the aircraft
Critical zones are highly controlled
Gatwick Airport (UK)
© WAVESTONE 11
Whywe need
CHANGEto
© WAVESTONE 12
Towards 2020
Cloud is a reality, even for critical business applications
Agile methods and DevOps are a reality
Current methods and security practices don’t keep pace with this new operating mode
© WAVESTONE 13
Towards 2020: a decentralized information system
Corporate network
Regulated & Legacy
Partners
Cloud 1
IndustrialControl Systems IoT &
on-boardsystems
ShadowIT
Startups
Employee’s corporate or personal devices
Blockchains
Cloud n
Server-lessApps
ContainerApps
Customer’s devices
Internet
Data is moving everywhere, and is accessible through multiple means
© WAVESTONE 14
A new model
Where you keep the responsibility to detect incidents and respond globally
With data everywhere
With apps executed by many third parties
© WAVESTONE 15
A new security model: the Airline
With aircraft and passengers everywhere
Where you trust an airport to manage your crews, your passengers and your aircraft
Where your operation centre follows your fleetand manages incidents and crises
© WAVESTONE 16
EmbracetheAIRLINE
MODEL
© WAVESTONE 17
Know your passengers1
© WAVESTONE 18
1
/With a growing number of regulations, everything isnot possible
IT-related RegulationsPrioritize your risks
/ Learn how to manage and share the keys (CertaaS, KMS,Blockchain trust services…)
Data ProtectionEncryption is key
Know your most critical assets
/ Identify critical and regulated data only
/ Ask your senior management and lawyers for theTOP 10
Key Assets and Data IdentificationCare for the essential
© WAVESTONE 19
Choose trusted airports and build your stops2
© WAVESTONE 20
2 Choose trusted contexts and build your apps
/Grow a Purple Team
/ Bug bounty
Control and auditAttack yourself continuously!
/ Assess host trustworthiness with standardmetrics
/ A IATA equivalent for Cloud is missing, but whoknows for 2020?
Execution EnvironmentLearn how to trust
/May be the key to patch management nightmare andnever-corrected vulnerabilities
Secure Continuous IntegrationChange is stability
/ Join the pizza teams
/Help the product owner to prioritize the backlog
/ Bring controls closer to the devs
Agile SecurityBe agile like a 2020 developer
© WAVESTONE 21
Get your plane to fly safely3
© WAVESTONE 22
3 Get your data to move securely
/With standard protocols
/ Integrate users, machines and objects
/ Expose IAM API to dynamically provision, removeand verify identity
IdentityExtend the scope and open your ID
/ Build a referential for devices and servers
/ Check ownership and security level statically ordynamically
Devices ConformityEvaluate to trust
Based on:
/Data and apps criticality
/ Users and devices identity
/Devices conformity
Build your Operational CenterAdopt a dynamic security model
© WAVESTONE 23
Applications dynamically allow processing depending on the trust levelTHE AIRLINE SECURITY MODEL
Corporate network
Regulated & Legacy
Partners
Cloud 1
IndustrialControl Systems IoT &
on-boardsystems
ShadowIT
Startups
Employee’s corporate or personal devices
Blockchains
Cloud n
Server-lessApps
ContainerApps
Customer’s devices
Internet
Identities and devicesconformity referential
A case-by-case assessment of the trust level
© WAVESTONE 24
Applications dynamically allow processing depending on the trust levelTHE AIRLINE SECURITY MODEL
Corporate network
Regulated & Legacy
Partners
Cloud 1
IndustrialControl Systems IoT &
on-boardsystems
ShadowIT
Startups
Employee’s corporate or personal devices
Blockchains
Cloud n
Server-lessApps
ContainerApps
Customer’s devices
Internet
Same principle for machine to machine data exchange
© WAVESTONE 25
Google BeyondCORP
Cloud SecuritySoftware DefinedPerimeter
Alliance
© WAVESTONE 26
THE LOST BATTLEof
Legacy
Use specific gateways to enable the model for legacy
Do not try to initiate a migration of all your legacy systems
Legacy will shrink by itself and embrace a Cloud-based model
© WAVESTONE 27
Now that you are a big airline4
Photo credit: Ho-Yeol Ryu - http://www.homato.com/
© WAVESTONE 28
4 It's time for security automation!
/ IOC and Threat Intelligence
/ Sector-specific ISACs
IntelligenceShare it!
/ Cloud Security packages & stores(Amazon/Azure…)
/ Software Defined Security
Automated Security Roll-outScale protection to the IS speed
/ Endpoint Security Automation
/ SOC extension (Cloud, Apps, ICS and IoT)
/ Incident Response Automation
/ Identity Analytics
/Machine/Deep Learning
Automated Detection and ResponseScale detection to the attackers speed
© WAVESTONE 29
The decentralized information system is centrally watched with ability to push security rulesTHE AIRLINE SECURITY MODEL
Corporate network
Regulated & Legacy
Partners
Cloud 1
IndustrialControl Systems IoT &
on-boardsystems
ShadowIT
Startups
Employee’s corporate or personal devices
Blockchains
Cloud n
Server-lessApps
ContainerApps
Customer’s devices
Internet
All events are centrally collected and analyzedwith machine learning principles
Threat intelligence enhance surveillance
Security rules are pushed through Software Defined Security and Endpoint Detection & Response
© WAVESTONE 30
The decentralized information system is centrally watched with ability to push security rulesTHE AIRLINE SECURITY MODEL
Corporate network
Regulated & Legacy
Partners
Cloud 1
IndustrialControl Systems IoT &
on-boardsystems
ShadowIT
Startups
Employee’s corporate or personal devices
Blockchains
Cloud n
Server-lessApps
ContainerApps
Customer’s devices
Internet
CASB
The operation center could even be in the cloud (through a Cloud Access Security Broker)
© WAVESTONE 31
Netflix FIDOSIMIAN ARMY
DARPA CyberGrand Challenge
© WAVESTONE 32
Meetyour NEW CREW
© WAVESTONE 33
New team members
Agile SecurityChampion
Data Scientist
Intelligence specialist
Cybersecurity Program Manager
Security RegulationInterpreter
© WAVESTONE 34
New team membersAgile Security
Champion
Data Scientist
Intelligence specialist
Cybersecurity Program Manager
Security RegulationInterpreter
Target new communities
Recruit internaltalentHow to grow the team?
Adopt a new posture
Build career path…and do not forget your current team!
© WAVESTONE 35
Crédits icônes : www.icons8.com
DATA
WILL BE EVERYWHERE
DETECT AND
RESPOND
GLOBALLY
LEARN HOW
TO TRUST
DYNAMICALLY ASSESS
IDENTITY AND
CONFORMITY
INVEST IN
SKILLS
FOCUS ON
MOST CRITICAL
ASSETS
AUTOMATE SECURITY
Gerome Billois
[email protected] @chadihantouche
[email protected] @gbillois
Chadi Hantouche
REINVENT
APPLICATION
SECURITY
thesecurity
AIRLINEmodel
Images credits: www.icons8.com
www.flaticon.com