GCCS-Unplugged Secure and private communication and collaboration

  1. Secure and private communication and collaboration OpenNovations & Kolab Systems AG
  2. About OpenNovations ● >13 years experience in open source, open standards and security. ● Clients in (international) Government, SME, startups. ● Project lead for openSUSE Conference and Kolab Summit (1-4 May 2015)
  3. About Kolab Systems AG ● Patron of the Kolab collaboration suite ● Based in Zurich ● Offers scalable and secure collaboration software. ● 100% open source and open standards
  4. Topics ● Platforms ● Technical aspects – Standards ● What is missing? ● How to organize?
  5. Communication and collaboration software needs external exposure ● Cross network communication ● Authentication (identity management) ● Spam, security issues. ● Old developments – PGP, S/MIME ● Adoption still not very widespread. ● New developments – DKIM, DMARC, DANE
  6. Current offerings focus on availability and price ● Competition on file storage size ● Cross device information access ● Hosted by cloud vendors – Integration with existing infrastructure minimal ● SLAs only focussed on uptime, availability – No security, privacy, etc. ● Especially when personal accounts are used. ● Data ownership? Copyright?
  7. Platforms
  8. What solutions that cover both do exist? ● What open source groupware and collaboration solutions work? – Kolab? – Zimbra? ● Not fully open source ● Why does open source matter? – Transparency – Vendor lock-in – Exit strategy / sustainable data
  9. Security === open source ● Only way to validate fit-for-purpose and implementation ● Maximum exchange of knowledge – Learn from others' mistakes ● Would you trust a proprietary fully closed source medical operation? – Or rather, would a doctor trust another doctor to operate on him/her if he wouldn't know exactly what he/she was doing?
  10. Functional areas ● Secure collaboration covers several functional areas – Email – Calendar – Todo lists – File storage – VoIP, chat ● What's missing?
  11. Document collaboration ● ODF is the standard – LibreOffice – WebODF ● Both cover different use cases. – But are equally important ● Use cases for both?
  12. Secure storage ● Server side encryption? – Trust the admin? ● End to end encryption? – Key management? – Web access? ● Browser security model weak. ● Host your own? – VPS? Do you also control the platform? ● Any ideas?
  13. Secure exchange ● PGP? S/MIME? – Hard to implement? ● SSL / TLS / STARTTLS? – Only transport, it helps, but no identity validation ● Do you use it? Or something else?
  14. Secure documents ● Storage is one thing, access another. – WebDAV as secure as HTTP(S)? ● Large file support not ideal – CMIS? ● Syncing? – Only for small sets of files ● Else you'll create your own network DDoS ● Security of the reader/writer apps? – Temporary storage? ● Use cases?
  15. Chat and voice ● Unified communications ● Carriers also not focussed on security ● Most chat apps use centralized servers – Some even store chat sessions ● End to end encryption – Mostly PR.
  16. What is still missing?
  17. How to improve this? ● New standards? ● New technologies? ● Legislation? – US / EU Privacy legislation? ● Security versus privacy? – This has been the point of view of the Dutch government
  18. (New) standards ● DMARC, DKIM, SPF, DANE? – All focussed on improving the reliability of the transport ● PGP, S/MIME – Message confidentiality and integrity ● Why is adoption still so low?
  19. New technologies? ● Quite a lot of crowdfunding campaigns for – Secure email storage – End to end encrypted file storage ● Is this really new? ● Are they proven technology? – “Old” technologies are battle tested. ● Perhaps the focus should be more on improving existing (and quite widespread) technologies.
  20. Legislation ● New EU Privacy directive ● ENISA guidelines ● In Dutch government – ARBIT – Parliamentary inquiry (Elias committee) ● Trends are strongly towards open source software – Netherlands: Motion Vendrik (2002), yesterday motion Oosenbrug & Gesthuizen – International adoption (UK, Sweden, etc.) ● International treaties? – TTIP? DMCA?
  21. Security versus privacy ● There appears to be some tension between security and privacy – Not from an individual person's point of view ● The more private, the more secure – From government point of view ● Issues with wiretapping ● Lawful interception?
  22. Which areas are still missing? ● Secure one time data/document sharing ● Improved crypto for web mail ● PKI Integration into all different apps ● Two factor authentication across applications ● Other ideas?
  23. How to organize secure collaboration platforms for individuals?
  24. Host it yourself ● Feels good – Your data under your own control ● But is it really? – How technically skilled are you really? – How much time do you spend on maintenance? – Is your server platform really secure?
  25. Hire a hosting company? ● Outsourcing security and availability – Professionals working on the platform ● But do you really trust them?
  26. Community hosting! ● Organize in communities! – Pay someone (or two) to actually do maintenance – Get enterprise-grade support for your platform – Host your own hardware (colocated?), know your platform ● But still, keep it between a (small) known group of people – Stay in control of your data!
  27. Questions / suggestions ?
  28. Contact! Hans de Raad Kolab Systems AG
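Slides 13 and 18 make the point that SPF, DKIM and DMARC (like TLS/STARTTLS) protect the transport and the sender identity, not the message contents, which is what PGP and S/MIME add. The following Python example, added here and not part of the original deck or of Kolab's code, makes that distinction concrete: it evaluates SPF against constructed DNS TXT records, applies a constructed DMARC policy with identifier alignment, and returns the resulting disposition. The domains (`example.org`, `mailhost.example.net`), IP addresses and DNS records are all constructed sample data; DKIM signature verification is represented by a pass/fail flag rather than implemented, and only the `ip4`, `ip6`, `include` and `all` SPF mechanisms are handled.

```python
"""SPF + DMARC evaluation over constructed DNS data (illustrative example).

Shows what transport-level authentication asserts: that the sending host was
authorised by the domain owner and that the visible From: domain aligns with
the authenticated domain. Nothing here inspects or protects the message body.
"""
import ipaddress
from email.utils import parseaddr

# Constructed DNS TXT records for hypothetical domains (not real zones).
DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 include:mailhost.example.net -all"],
    "mailhost.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.org"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; reads the constructed table above."""
    return DNS_TXT.get(name, [])


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    Only ip4/ip6/include/all mechanisms are supported in this example.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:  # multiple SPF records are a permanent error
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        if term.startswith(("ip4:", "ip6:")):
            # ip_network.__contains__ returns False across IP versions
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return result
    return "neutral"  # no mechanism matched and no explicit 'all'


def parse_dmarc(domain):
    """Return the DMARC tags for domain as a dict, or None if no record."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")  # relaxed alignment is the RFC 7489 default
    tags.setdefault("aspf", "r")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict requires equality, relaxed allows subdomains."""
    if mode == "s":
        return from_domain == auth_domain
    return from_domain == auth_domain or from_domain.endswith("." + auth_domain)


def evaluate(message_from, mail_from, sender_ip, dkim_domain=None, dkim_pass=False):
    """Combine SPF and (externally verified) DKIM under the From: domain's policy."""
    from_domain = parseaddr(message_from)[1].rsplit("@", 1)[-1].lower()
    spf_domain = mail_from.rsplit("@", 1)[-1].lower()
    spf = check_spf(spf_domain, sender_ip)
    policy = parse_dmarc(from_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_ok = spf == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(from_domain, dkim_domain.lower(), policy["adkim"]))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    disposition = "none" if dmarc == "pass" else policy.get("p", "none")
    return {"spf": spf, "dmarc": dmarc, "disposition": disposition}


if __name__ == "__main__":
    # A third-party mail host passes SPF for its own domain, but with aspf=s
    # the From: domain does not align, so DMARC fails unless DKIM is signed
    # by example.org. The body is never examined at any point.
    print(evaluate("Alice <alice@example.org>", "bounces@mailhost.example.net", "198.51.100.10"))
    print(evaluate("Alice <alice@example.org>", "bounces@mailhost.example.net", "198.51.100.10",
                   dkim_domain="example.org", dkim_pass=True))
```

The second `evaluate` call in the usage block is the case the slides allude to: the transport check succeeds for the relay's own domain, yet the message is only accepted once an aligned DKIM signature ties it back to `example.org`. Even then, nothing in the result says anything about confidentiality or integrity of the message body, which is exactly the gap PGP and S/MIME fill.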