1.
932

2.
Vinay Bansal Lead Security Architect, Web and Application Security Cisco Systems iFront Internet Conference 2009 2010 2011 Security in Web 2.0, Social Web and Cloud 2012

3.
Objective at iFront Today <ul><li>Growth in Social Web, Web 2.0, Collaboration </li></ul><ul><li>Thinking: Information Centric Security </li></ul><ul><li>Cisco Stories </li></ul><ul><li>How Cloud Computing is changing IT </li></ul><ul><li>Emerging Trend : Borderless Enterprise </li></ul>

4.
Who am I <ul><li>Lead Security Architect for Cisco’s Web and Application Architecture Team (Infosec) </li></ul><ul><li>16+ years architecting, developing and securing IT systems </li></ul><ul><li>MS in Computer Sciences – Duke University </li></ul><ul><li>What do I help protect at Cisco … </li></ul>

5.
Cisco IT and Supported Web Applications <ul><li>Total Users: </li></ul><ul><ul><li>Customers (500k+), Partners (20k+) </li></ul></ul><ul><ul><li>Employees and Vendors (~90 k) </li></ul></ul><ul><li>Business Revenue: </li></ul><ul><ul><li>95%+ Cisco Revenue </li></ul></ul><ul><li>People: Cisco IT (10,000) </li></ul><ul><ul><li>Employees = 3,000 </li></ul></ul><ul><ul><li>Contractors (Vendors/Temp) = 7,000 </li></ul></ul><ul><li>Applications : </li></ul><ul><ul><li>1500 Internal/External Web Applications (~50% external) </li></ul></ul><ul><ul><li>280 ASPs (Application Service Providers) </li></ul></ul><ul><li>Web Infrastructures </li></ul><ul><ul><li>Cisco.com (CCO) and CEC (Intranet) </li></ul></ul><ul><ul><li>1300+ Enterprise DB instances </li></ul></ul><ul><li>Attacks: </li></ul><ul><ul><li>Millions per day </li></ul></ul>

6.
What is Social Web, Web 2.0 and Collaboration?

7.
What is Web 2.0? <ul><li>Buzzword - !! </li></ul><ul><ul><li>Social, Participation, Collaboration </li></ul></ul><ul><li>“ Aggregation of Improvements in Web Application space in last few years…” </li></ul><ul><li>“ .. Applications that harness network effects to get better the more people use them.” -Tim O’Reilly* </li></ul>

8.
Web 2.0 - User Generated Data Who is providing the majority of content for these popular Web sites? - Users

9.
Rich User Experience <ul><li>Interactive </li></ul><ul><li>Personalized </li></ul><ul><li>Simple </li></ul><ul><li>Quick </li></ul><ul><li>User Focused </li></ul><ul><li>… . </li></ul>Usability and Interface beyond traditional Web-pages

10.
Harnessing Collective Intelligence Architecture of participation Application that gets better with more people using it

11.
Social Web Connecting People

12.
Let’s twist these connections Users End Points Enablers Providers Data

13.
Information Centric Security Users Data 1. Identify User, Authentication 2. Access to which data, Authorization 3. Secure Data Transfer : Encryption 4. Data Center Security 5. Data on Client : Client End Point Security

14.
User’s Security Concerns (Social Sites) <ul><li>Privacy of my data </li></ul><ul><ul><li>Credit Cards </li></ul></ul><ul><ul><li>Address, Email,.. (Personally Identifiable Information) </li></ul></ul><ul><ul><li>Personal Details (email, phosts, IMs,….) </li></ul></ul><ul><ul><li>Authentication Credentials (userids, passwords) </li></ul></ul><ul><li>End Device Security </li></ul><ul><ul><li>No Trojans, Unwanted programs </li></ul></ul><ul><li>Data Ownership (perception) </li></ul><ul><ul><li>Forums, Wikis, Blogs </li></ul></ul>Users

15.
Application Provider’s Security Priorities <ul><li>Stability , Business Continuity </li></ul><ul><li>Protection of their Intellectual property </li></ul><ul><li>Compliance to Regulations </li></ul><ul><li>What they really want to do </li></ul><ul><ul><li>Push out the liabilities to user via Privacy and Acceptable Use Policy </li></ul></ul><ul><ul><li>Build Additional Services on users behavior (targeted advertisements) e.g. Google Email, banner adv. </li></ul></ul><ul><ul><li>Track User behavior , usage pattern </li></ul></ul><ul><ul><li>Keep their social applications more open </li></ul></ul>

16.
Regulations protecting end users Privacy Intellectual Property Business Continuity Regulatory Compliance HIPPA – Health PCI – Credit Cards EU Directive - …. Users Providers

17.
Digital Rights and Data Privacy Challenges <ul><li>Openness/Social Collaboration </li></ul><ul><ul><li>contradicts privacy? </li></ul></ul><ul><li>Digital Rights Management ( DRM ) </li></ul><ul><ul><li>who “owns” the data? </li></ul></ul><ul><ul><li>how do you protect your intellectual property? </li></ul></ul><ul><li>Collective content creation </li></ul><ul><ul><li>difficult to assign data ownership </li></ul></ul><ul><li>Global Web (Data Access anywhere from anywhere ) </li></ul><ul><ul><li>- privacy laws/regulations vary </li></ul></ul>

18.
Malware Spread via Web 2.0/ Social Web <ul><li>Drive by Installs (via Web Browsers) </li></ul><ul><ul><li>Increasing concern for malware infections </li></ul></ul><ul><ul><li> Google Research : Malicious URLs 0.3% to 1.3% in 8 months </li></ul></ul><ul><li>Malware authors exploit the very thing that makes Web 2.0 so successful – the user’s trust . </li></ul><ul><li>Multiple redirects on sites </li></ul><ul><ul><li>Advertising space on page changes multiple hands </li></ul></ul><ul><li>Browser or plug-in vulnerabilities exploited </li></ul><ul><ul><li>Browser is the platform </li></ul></ul>Growing Challenge for Enterprises and users

19.
Cisco Story - 1 <ul><li>Threat 1: Employees using public Social Web </li></ul><ul><ul><li>E.g. Yammer, Facebook, MySpace </li></ul></ul><ul><li>Provide internal Collaborative Resources (within enterprise) </li></ul><ul><ul><li>C-vision (internal YouTube) </li></ul></ul><ul><ul><li>Ciscopedia (Wikipedia) </li></ul></ul><ul><ul><li>Internal Wiki/Forums/Blogs </li></ul></ul><ul><ul><li>Directory 3.0 (Connections, Communities) </li></ul></ul><ul><ul><li>Cisco Telepresence </li></ul></ul><ul><ul><li>WebEx Connect </li></ul></ul><ul><ul><li>… </li></ul></ul>

20.
Cisco Story – 1 .. Cont. <ul><li>Clear guidelines on expected behavior (external Social Web) </li></ul><ul><ul><li>Identifying yourself </li></ul></ul><ul><ul><li>Handling Confidential Information </li></ul></ul><ul><ul><li>Copyrighted Content </li></ul></ul><ul><ul><li>Using common sense </li></ul></ul><ul><li>Awareness /Training </li></ul><ul><ul><li>Videos </li></ul></ul><ul><ul><li>Executive Messaging </li></ul></ul>

21.
Cisco Story - 2 <ul><li>Threat 2: Web Browsing Initiated Malware </li></ul><ul><li>Monitoring Outgoing Web Traffic </li></ul><ul><ul><li>Ironport’s Web Security Appliance </li></ul></ul><ul><li>Browsers and plug-ins patching (priority) </li></ul>

22.
Cisco Story - 3 SDLC Secure Coding Training Application Vulnerability Assessment (AVA) Architecture Review Application Firewall Threat 3: How to continually improve Application Security? Tying Application Security Practice with Software Development Life Cycle (SDLC)

23.
Cloud Computing and Security Challenges

24.
Cloud Computing? <ul><li>IT resources and services </li></ul><ul><li>abstracted from the underlying infrastructure </li></ul><ul><li>elasticity of resources </li></ul><ul><li>utility model of consumption and allocation </li></ul>

25.
Cloud : A big shift for IT <ul><li>“ Does IT Matter ?” , Nicholas G Carr floated this “ Bombshell ” idea in 2004 </li></ul><ul><li>Cloud commoditizing IT infrastructure and services </li></ul><ul><li>Could mean death for individual IT departments in small to medium enterprises </li></ul>Public Cloud Private Cloud

26.
Types of Clouds Software as a Service (SaaS) Platform as a Service (SaaS) Infrastructure as a Service (SaaS)

27.
Cloud Computing : Security Risks …1 <ul><li>Data move outside the Enterprise </li></ul><ul><ul><li>Cloud vendor custodian of data </li></ul></ul><ul><ul><li>Encryption (Key Management) </li></ul></ul><ul><ul><li>Backups of data (Multi – tenant) </li></ul></ul><ul><ul><li>Alternate/Secondary use of data </li></ul></ul><ul><li>2. Shared Infrastructure </li></ul><ul><li>- Assume ( Logical security = Physical Security ) </li></ul>

28.
Cloud Computing : Security Risks …2 <ul><li>3. Regulations and Cross Country laws </li></ul><ul><li>- Cloud vendors spread their data/operation geographically </li></ul><ul><li>4. Security Breach </li></ul><ul><li>- Responsibility to investigate </li></ul><ul><li>- Monitoring, logs </li></ul><ul><li>5 . SLAs </li></ul><ul><li>- High Penalty for security incident </li></ul><ul><li>6. Strong Federated Authentication </li></ul>

29.
Cloud Computing : Security Risks …3 <ul><li>7. Software Licensing Issues </li></ul><ul><li>- Enterprise licenses , how do they apply in cloud </li></ul><ul><li>8. Reliance on ongoing security audits of the vendor </li></ul><ul><ul><li>Third party risk assessments </li></ul></ul><ul><ul><li>Keep check on security practices, internal policies, standards </li></ul></ul><ul><li>9. Security dependence on developers </li></ul><ul><ul><li>convenience vs. security </li></ul></ul><ul><ul><li>development environments accessible on the Internet </li></ul></ul>

30.
Emerging Trend : Borderless Enterprises

31.
Borderless Enterprise Enterprise Virtualization Communication & Collaboration Remote Desktop (RDE) VNC & Term Server VMWare App/Svc Resiliency Mobile Device Evolution Platform Option Expansion Ubiquitous Connectivity (WiFi, VPN) Global Workforce Sharing & IP Telephony Platforms Web 2.0 Real-time & Customized Interaction Emerging Business Models “ Any Device, Anywhere” 2001-7 2008 2011 * 2010 2009

32.
Drivers for Borderless Enterprise *Single Source of Truth **Born in 1980’s - early 90s

33.
Borderless Enterprise : Security Risks Services Data Assets “ Trusted” Internal Externalizing Trend Externalized Services Company Owned User Owned

34.
Emergence of End Point Reputation based Security <ul><li>Inside Enterprise </li></ul><ul><li>External Enterprise </li></ul><ul><li>Virus Scanner </li></ul><ul><li>Local Firewall </li></ul><ul><li>Disk Encryption </li></ul><ul><li>Which data/services accessed </li></ul><ul><li>Enterprise </li></ul><ul><li>End User </li></ul><ul><li>Public/Kiosk </li></ul>Location Behavior Device Ownership Local Policy Simple Userid/Pwd

35.
Cisco: Achieving Borderless Enterprise <ul><li>Think - Information Centric Security </li></ul><ul><ul><li>Concept: (App/NW Hardening -> Information Hardening) </li></ul></ul><ul><ul><li>How to classify information </li></ul></ul><ul><li>More Reliance on End Point Security </li></ul><ul><ul><li>Each device capable of protecting itself </li></ul></ul><ul><li>Granular Identity Management </li></ul><ul><ul><li>Device Identity </li></ul></ul><ul><ul><li>Dynamic shifts in identity and access (Federation) </li></ul></ul><ul><li>Dynamic Traffic Inspection and Control Capabilities </li></ul><ul><ul><li>Non intrusive monitoring </li></ul></ul><ul><li>Security Bar raised for Intranet/ Internal Systems </li></ul><ul><li>Shifting Security Zones </li></ul><ul><ul><li>(Physical  Logical) </li></ul></ul>

36.
Summarizing and Looking Forward <ul><li>Web 2.0, Social Web, Collaboration … Security Challenges </li></ul><ul><li>Think … Information Centric Security </li></ul><ul><li>Cloud Computing ….. A big shift for IT </li></ul><ul><li>Borderless Enterprise … Enterprise Data Everywhere </li></ul>

37.
“ Our adversaries only have to be right once .”

38.
Contact Information <ul><li>Vinay Bansal </li></ul><ul><li>Information Security Architect </li></ul><ul><li>Corporate Security Programs Organization </li></ul><ul><li>Cisco Systems, Inc. </li></ul><ul><li>(vinay.bansal@cisco.com) </li></ul>