Knowing where the safe zone is ovum october 22 2013

Mark Skilton, Professor of Practice in Information Systems
Management, Warwick Business School, UK

Warwick Business School

Knowing where the safe zone is - Defining
perimeter access strategies for an enterprise
The modern enterprise today has many connections, relationships and
services. Information technology has enabled communication, social
communities and transactions to create opportunities for new types of
value. But this has also changed the types of risks and security issues as
bring your own device (BYOD) and the many types of cloud services have
shifted responsibilities. Do you know where the access perimeter of your
company security is? How do you define risk and value of new
technology?
What are the opportunities and challenges of new
technologies and on legacy operations?
This presentation will look at ways to define the new business – technology
boundaries and the risk and challenges of managing new technology
across these boundaries.


Overview
Knowing the safe zone – perimeter strategies

What is your business ecosystem?
Describing your security risk and opportunity
Managing opportunities – API management
Managing access - connectivity
The future ?

Overview

Overview
Knowing the safe zone – perimeter strategies

What is your business ecosystem ?
The future ?

Overview

Business Ecosystem
the challenges we face

Old model
Business and IT use of
software and hardware assets
Project based development
lifecycle
Platforms and networks
Transformational advisory and
governance
Security controls and audit
service monitoring

Why business ecosystems ?

New model:
Data plethora of data types
and sources
Multi-channel Service
marketplaces
Devices and “things”
Focus on intelligent processes
and monetization
Compliance and pervasive
automated monitoring of
security

Objects in the Internet of Things
There are potentially billions of objects that could connect through IP addresses and network protocols to
identify , exchange and collaborate services.

Devices

Tags, Sensors and
platforms

Products
Content
Services
Money

Places
and
Machines

Era of Internetworking - Where is
the perimeter ?
Internet

Switches

Tier 1 Networks

NSPs

Network Peering
and Interconnections

Tier 2 ISP

Tier 2 Network

IP Backbone

IXP

Examples of ISP services include email, FTP, webhosting

ISPs

Internetworking

Satellite
Public Switched
Telephone
Networks

PTSN

Tier 3 networks
(ISP)

Cable
Operators

DSL, T1, T3 Leased Lines

Wide Area
Network WAN

4G (3G LTE/SAE)
Gateways
Gateways

3G / 3.5G

Femtocell

Wifi

Gateways

InfraRed
Local
Area
Network
LAN

GPS

Bluetooth

Mobile Devices

RFID

Sensors

Proximity,
Smart Card

+ 2.5 Billion Internet Users 2013
Representing 35% World
Population


1.7 billion mobile devices sold in 2012, and
6.8 billion subscriptions equivalent to 96
percent of the world population


Internet video accounting for 61 % of
total internet data (cisco)

Social Media
Is driving
massive online
Video growth


1 in 4 people around world use at least one
form social networking = 1.7 Billion in
2013
1 in 3 people = 2.55 billion global audience
by 2017
all the geo-tagged locations of uploaded Flickr photos by concentration.

Where is the perimeter ?
No. People
in Organization

Ave No. of social
network
connections

No. Hours
Online
Formal

Yourself

No. of Devices
per person


Near to you Your Network

No. of
networks

informal/formal

Your Extended Network

No. applications
and web sites
Visited, used

What is your Organization
estimated perimeter node score ?
Formal

X

Average
No. of Devices
per person

X

3

Average
No. People
in Organization

500

X

No. of
system
networks

X

informal/formal

Ave No. of
social
network
connections

X

X 3 X 300 X

No. applications
/ Web sites
Visited, used

10

13,500,000
Illustrative only

X

Average
No. Hours
Online

X 5
67,500,000

What is your personal estimated
perimeter node score ?
Formal

Average
No. of Devices
per person

5

X

No. of
system
networks


Ave No. of
social
network
connections

X

No. applications
/ Web sites
Visited, used

X 5 X 2000 X 10

Assume International Travel x5 per year
Assume travel 3 times per week
Assume WIFI, 3G/4G networks
Illustrative only

X

informal/formal

300,000

X

Average
No. Hours
Online

X 10
3,000,000

What is a secure perimeter ?
Controlled access
No. People
in Organization

Compliant


Secure
Controlled
system
No. of Devices
networks
per person
Controlled social
network
connections

Configured/standards

Continuous
access and use
state monitoring

?
Managed

Data is getting more complex

Structured data
Semi-structured data
Unstructured data
Data |
Increasingly
Externalized
And metadata

Your edge profile data
Your message payload
data
Your behavioral metadata
- co-presence
Your transient data –
travel in physical and
virtual space
Embedded Data shelf life
value
(“productization of data”)

Connectivity is changing
Example programmable web have collected a database of Open
APIs. Many companies use APIs to establish connectivity services with their
web sites

Open APIs
And Closed
(Proprietary)
APIs

Managed APIs can be problematic if the API specification is changes by the Provider impacting
on the users of that API. APIs are a common method for many Cloud system service connections.

Enterprise Technology is externalized
“as a service” points Protection Points System Access ports
Web access
Corporate / Private Network

Internet
Network services

Backend services
External Firewall

Devices

Network

Network

Mobile applications
Mobile Data

Internal Firewall
G
A
T
W
A
Y

APIs

Applications

Data

Active Directory
API Management gateway

Identity ?
Access provisioning

Authentication and Data Privacy ?

VPN Tunnel

Usage Policy Governance, compliance, and controls
“AS A SERVICE”

Perimeter definitions – heat mapping
Market segments
and entities

Social Network
Channels

APIs

Own data and IP

Your Enterprise Networks

3rd party data and IP

3rd party Networks

Staff, products,
Services, assets,
facilities
SPAN Of CONTROL

Risk - Impact
* USB Investment research

Federated Devices
Authorization
Management

Certification
Processes and services

“ ID Theft every 79
Seconds (*)

DR and BC
Management

Risk Scorecard
Today
Cloud
Corporate Risk
5 4

Describing risk
Risk
Management 4

5
Corporate
Reward

4
3 2

3

3

2
1
Risk Awareness
5

3

0

4

2
Risk Impact 4
Severity

2
2

4
Risk impact
Probability

Degree of
Collaboration

Information
4Security Level
Requirement

API Management

Examples Mashery an Intel Company, provide a secure appliance and software
system for managing API connectivity to multiple devices and services
Web GUI to manage
the API policies and use

Appliance is used to Manage
access to APIs

Cloud Aggregator Broker –
Orchestrator
Example : Mulesoft Cloud Hub – enabled integration of multi-cloud integration
Apps
Stores

Where
is the
Perimeter?
Contract
Perimeter
versus
Technical
Perimeter

Example Network Traffic Monitoring for
Virtualized compute environments
Example Net Optics Phantom Virtualization Tap
Monitoring of Inter-VM
traffic across all best-ofbreed hypervizors in
virtual computing
environments.
The Phantom Monitor
component installs in the
hypervizor for total traffic
visibility.
Use with virtual or
physical Intrusion
Detection Systems (IDSs),
protocol analyzers, layer2 and Later-3 probes, and
other devices.
Network Traffic
Monitoring Appliance

Example Intrusion Prevention System (IPS)
Example McAfee Network Security Platform
User Identification

Key Features
Threat Prevention
Botnet detection
Behavior-based analysis
Malware protection
Forensic analysis integrated
Scalable web-based management
Application Identification

Device identification
IP de-fragmentation and TCP stream
reassembly
Anomaly detection
Inspection of virtual environments
DoS and DDoS prevention
File reputation, IP reputation, Geolocation
Protocol tunnelling support , IPv6,
V4-. MPLS

Example Cloud Environment
Application Performance management
Example Compuware APM. Monitors applications across physical and virtual
networks and environments. can be deployed easily into private, public or
hybrid cloud applications via either BYOL (bring your own license) or elastic,
consumption based models.

Application response times
User Experience
Real time and synthetic load testing

Martini model: Any IP, any device,
any time anywhere

Jericho Forum, The Open Group

Cloud “as a services” Security
Solutions
Device Security

Proxy Controls / Appliances

Device
Authentication
Security

Endpoint
Device
Management

Strong
Password
Control

Subscriber account security

API Usage
Port Network
connect
Device Connect

Fillters

Intrusion
Prevention
System (IPS)

Chargebacks
/Billing
Controls

Service
Metering
Controls

Web Store
Front

Cloud Service security Status

Anti virus
Anti Spam

Security
Information

Cloud
Service
Reporting

management
(SIM)

Data Loss
Prevention
(DLP)
Mobile
Device
Management
(MDM)

Single Signon

Wipe data
when Lost

Remote
Application
Control

Token PKI,
SSH Keys
Controls

User Group,
Directory
Management

Application
Virtualization
(Secure VDI)

Network
Monitoring

Network
Transport
Encryption
(VPN)

Hypervizor /
VM
Monitoring

Database
Monitoring

Cryptographic controls
Data
Encryption

External Example
http://wwwclouage.com

Cloud Monitoring

Identity and
Access
Management

Virtualization Isolation services
Cloud
Storage
Virtualization

Internal

Authentication / Authorization

Application
Usage
Monitoring

Service Level
Outage
Monitoring

PaaS Development and XaaS Deployment
Service
Configuration
management

Code
Version
Encryption

Code/VM
Deployment
Encryption

Overview
What is your business ecosystem ?
The future ?

Overview

Identity is going to get much more broader and personal

The future?

Mental Health
Physiology
Dreaming
Genetics
Activity
Drugs
Drink
Sleep
Diet

The future?

The surface underneath
The security layer pervades everywhere
Enterprise operating models will need underpinned of legal
and security strategies to support and validate an increasingly
externalized business model
API Management

Network
management

Intrusion
Management
Application
Management

Identity and access
Management

Encryption
Management

Compliance and IP
Management

Holistic Governance , Risk &
Compliance for ecosystems
Security is critical in moving IT services that are potentially no longer under the enterprise control or on
premise. The following diagram looks at On-premise and Off premise security controls .
Risk
Management

Compliance

Monitoring Management

Audit

Security Governance
Personnel Security
Management

Security Policy
Management

Access Management
Identity
Management

Firewall
Management

Validate

Log, Analyze, Event management

Test
Regime

Business Continuity
Management

Availability Management
Backup
Management

Disaster Recovery
Management

Identify
Translate

Incident Management

Security Operations
Asset
Digital Rights
Management
Management

Administrationn

Privilege, Deploy, Decommission, Dispose

Encryption
Management

Security Controls
Private Network
Management

Portability Management

Secure Development/Operations
Coding Standards

Code review

Unit Test

Publish/
Versions

Conclusions

Knowing where the safe zone is - Defining perimeter access
strategies for an enterprise
Scaling of business technology will drive changes in cultural and
legal issues as data and usage shifts toward social network based
economy
Cloud enabled commodization and “on stop contract/less” but may
alter risk profile complexity
There will be a variant of technologies to manage externalized
Identity and usage access
–
–
–
–

API Management
Social network usage in processes
Data analytics for usage behaviors
A combination of both

Technologies will enable wider Identity profiles challenging legal
boundaries of access and usage
The future?

Knowing where the safe zone is ovum october 22 2013

Knowing where the safe zone is ovum october 22 2013

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Knowing where the safe zone is ovum october 22 2013

Similaire à Knowing where the safe zone is ovum october 22 2013 (20)

Dernier

Dernier (20)

Knowing where the safe zone is ovum october 22 2013