Dr Meng Chow Kang, CISSP, CISA Director and CISO for Greater China and APJ, Cisco Systems The Blurring of Everything Internet implications on data protection for higher education


Page 1: The Blurring of Everything Internet implications on data ... · Dr Meng Chow Kang, CISSP, CISA Director and CISO for Greater China and APJ, Cisco Systems The Blurring of Everything

Dr Meng Chow Kang, CISSP, CISA

Director and CISO for Greater China and APJ, Cisco Systems

The Blurring of Everything Internet – implications on data protection for higher education

Page 2

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 2

Agenda

• Trends, evolutions – what’s going on around us
• How are they impacting information security practices
• What should we do to address the challenges
• Focus on higher education

Page 3

Traditional Organization Border

Diagram: a Corporate Border encloses the Branch Office, the Corporate Office, Applications and Data, and Policy; Attackers, Customers and Partners sit outside it.

Page 4

At the edges of the Internet …

• Increasing bandwidth, in particular on wireless and mobile networks
• Improving security capabilities
• Increasing reliability

Mobile network evolution (2G/+, 3G/+, 4G):

Generation | Bandwidth          | FDD technologies | TDD technologies
2G         | <10 kbps           | GSM              | –
2G+        | <200 kbps          | GPRS/EDGE        | –
3G         | 300 kbps – 10 Mbps | WCDMA            | TD-SCDMA
3G+        | <50 Mbps           | HSPA, HSPA+      | TD-HSPA, TD-HSPA+
4G         | 50 Mbps – 1 Gbps   | LTE FDD, LTE+    | TD-LTE, TD-LTE+

WLAN: IEEE 802.11n, IEEE 802.11r – client authentication; mutual authentication; strong encryption

Page 5

Transforming the Individuals – Personal Mobility

Consumerization of corporate network

Proliferation of devices and operating systems

Social networking

Mixed use of personal devices and corporate resources

Proliferation of multimedia contents – videos, pictures, …

Page 6

Transforming the Enterprise – the Borderless Network

• Open up new business models
• Maximize resources and productivity – any device, anywhere, anytime
• Reduce costs – operational efficiency

Access from Anywhere | Access with Any Device | Collaboration & Communications

Page 7

Mobility and Collaboration Is Dissolving the Internet Border

Diagram: the Corporate Border (Branch Office, Corporate Office, Applications and Data, Policy) is now reached from the Home Office, Coffee Shop, Airport and Mobile User, alongside Attackers, Customers and Partners.

Page 8

What hasn’t changed?

Need for Nimbleness, Scale, and a Lower Total Cost of Ownership (TCO)

Page 9

What are the responses?

Organizations, including higher education institutions, are responding by:

• Migrating applications into Data Center “islands”
• Adopting Hosted Services (PaaS/SaaS/IaaS)
• Virtualizing Clients and Servers

Page 10

Hosted Services

Diagram: Enterprise ITaaS extends seamlessly into a Multi-Tenant SP Cloud delivering IaaS, PaaS and SaaS, each with security and SLA support.

Page 11

Organization Transformation

“Trusted” Internal → Externalizing Trend → DMZ

Services (Internal Service; Externalized Service; Service Dependencies)
• Collaboration Platforms/WebEx/IWE
• Commoditized Computing
• SaaS/XaaS/PaaS/Cloud
• Internal/External Dependencies

Data (Corporate IP; Exported Data)
• External Virtualized Storage
• Data Management/Monitoring
• Co-mingled Data/BCP Scenarios
• Increasing Export of Company’s IP

Users (Corporate User; Contingent/“Unknown” User; “Non-corporate” Users)
• Converged Identity Sources
• External Personas of Internal Users
• Varying AuthC/Z Capabilities
• Non-integrated Provisioning Controls

Assets (Corporate Mobile/PC; Personal Mobile; Contingent/“Untrusted” Laptop; “Unknown” Mobile/PC)
• “Any Device” w/ External Services
• Personal Mobile Strategy
• Contingent WF Platform Shift
• Increasingly “Untrusted” Clients

Page 12

Cloud Computing Is Dissolving the Data Center Border

Diagram: the borderless network picture (Corporate Border with Branch Office, Corporate Office, Applications and Data, Policy; Home Office, Coffee Shop, Airport, Mobile User; Attackers, Customers, Partners) now also includes Platform as a Service, Infrastructure as a Service, Software as a Service and X as a Service outside the border.

Page 13

Increasing complexity and sophistication of attacks

• Escalating concerns over data losses
• Web 2.0 & social networking
• Social engineering
• Vulnerability exploitations
• Mobility
• Beyond Windows

“Just landed in Baghdad” – Rep. Peter Hoekstra, R-Mich, tweets. Secret delegation led by House Minority Leader John A. Boehner is not so secret…

Page 14

How to collaborate without borders

Diagram: the same borderless picture as the previous slide (Corporate Border with Branch Office, Corporate Office, Applications and Data, Policy; Home Office, Coffee Shop, Airport, Mobile User; Attackers, Customers, Partners; Platform, Infrastructure, Software and X as a Service).

Page 15

Collaborate with Confidence

• Standards – Consistent baseline; interoperability; manageability
• Technology – “Baked-in” security in the architecture: endpoint, infrastructure, and backend; leverage; innovate
• Governance – Policy, ISMS, awareness, competency, operational readiness & excellence, visibility of risk, partner security
• Industry – Alliances; public-private sector partnerships

We need to rethink the traditional organizational perimeter and operating boundary, and in particular move away from an over-reliance on Layer 2/3 control methodologies.

Page 16

Governance

Info-Security Management Systems (ISMS) | Awareness and Competence | Visibility of Risk | Operational Readiness and Excellence | Secure Partner Collaboration and Communications

Information security risk management system
• Understand our risk profile through a management system approach, leveraging the ISO/IEC 27001 standards
• Determine & mitigate gaps between requirements and actual practice

Improve awareness and competence
• Regular security events and newsletter – focus on practices
• Mandatory security orientation for new hires
• Security training program for critical roles

Improve visibility of risks
• Establish security metrics aligned with the strategy map
• Rigorous monitoring and active discovery
• Regular reporting
• Regional security watch and analytics

Operational readiness and excellence
• Alignment of security operations with the risk management approach
• Establish and improve service levels
• Introduce formal security testing/drills for critical incident preparedness

Enable secure partner collaboration
• Understand the partner eco-systems and information flows
• Establish requirements and develop standards of best practice

Page 17

Leveraging Standards

ISO/IEC JTC 1/SC 27 – Security Techniques
Chair: Walter Fumy; Vice Chair: Marijke de Soete; Secretariat: Krystyna Passia

• WG 1 Security Management – Convener: Ted Humphreys; Vice Convener: Angelika Plate
• WG 2 Cryptography and Security Mechanisms – Convener: Kenji Naemura
• WG 3 Security Assurance – Convener: Miguel Bañón
• WG 4 Security Controls and Services – Convener: Meng-Chow Kang
• WG 5 Identity Management and Privacy Technology – Convener: Kai Rannenberg

Page 18

WG 1 Projects and Standards

• ISO/IEC 27000 – Overview and vocabulary
• ISO/IEC 27001 – ISMS requirements
• ISO/IEC 27002 – Code of practice for information security management
• ISO/IEC 27003 – ISMS implementation guidelines
• ISO/IEC 27004 – Information security measurements
• ISO/IEC 27005 – ISMS risk management
• ISO/IEC 27006 – Requirements for bodies providing audit and certification of ISMS
• ISO/IEC 27007 – Guidelines for ISMS auditors
• ISO/IEC 27008 – Guidelines for auditors on ISMS controls
• ISO/IEC 27010 – ISM for inter-sector communications
• ISO/IEC 27011 – ISMS for telecoms organizations based on ISO/IEC 27002
• ISO/IEC 27013 – Guidelines on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• ISO/IEC 27014 – Information security governance framework
• ISO/IEC 27015 – ISMS for the financial and insurance services sector

Page 19

ISO/IEC 27001 – Information Security Management Systems (ISMS)

• Plan – Establish & design the ISMS: risk assessment; risk treatment; management decision making
• Do – Implement & deploy the ISMS: selection and implementation of risk controls
• Check – Monitor & review the ISMS: monitor, review, and re-assess the risks
• Act – Improve & maintain the ISMS: make improvements to the risk controls, select more controls

Page 20

WG 4 Projects & Study Periods

• ICT Readiness for Business Continuity (27031)
• Cybersecurity (27032)
• Information security incident management (27035)
• ICT Disaster Recovery Services (24762)
• Network Security (27033 Parts 1 to 7)
• Application Security (27034 Parts 1 to 5)
• Security Info-Objects for Access Control (TR 15816)
• Security of Outsourcing (27036)
• TTP Services Security (TR 14516; 15945)
• Time Stamping Services (TR 29149)
• Identification, collection and/or acquisition, and preservation of digital evidence (27037)

These address unknown or emerging information security issues, known information security issues, and information security breaches and compromises.

Page 21

Architecture for Borderless Network Security

1. Borderless End Zones
2. Borderless Internet
3. Borderless Data Center
4. Policy (Access Control, Acceptable Use, Malware, Data Security)

Diagram: the borderless network picture (Corporate Border with Branch Office, Corporate Office, Applications and Data, Policy; Home Office, Coffee Shop, Airport, Mobile User; Attackers, Customers, Partners; Platform, Infrastructure, Software and X as a Service) overlaid with the four numbered pillars.

Page 22

Pillar 1: Borderless End Zone

Intelligent End Point Traffic Routing

Persistent Connectivity
• Always on, location aware
• Auto head-end discovery
• IPsec, SSL VPN, DTLS

Advanced Security
• Strong authentication
• Fast, accurate protection
• Consistent enforcement

Broadest Coverage
• Most OSs and protocols
• Windows Mobile
• Apple iPhone

Page 23

Always On Security and Protection

Diagram: a timeline contrasting a Traditional VPN (alternating Protected and Un-Protected periods) with Borderless Network Security (always on).

Page 24

Always On Security and Protection – Anytime, Anywhere, Any Device

• Sitting in a park – Cape Town, South Africa
• In the office – San Jose, California
• At a coffee shop – Sydney, Australia

Page 25

Pillar 2: Borderless Security Array – Advanced Scanning and Enforcement Capabilities

Access Control | Acceptable Use | Data Security | Threat Protection

Integrated into the fabric of the network:
• Cisco IronPort Email Security Appliance
• Cisco Adaptive Security Appliance
• Cisco Integrated Services Routers
• Cisco IronPort Web Security Appliance

Form factors: VM, Software Security Module, Hybrid Hosted, Appliance

Page 26

HTTP Is the New TCP – Understanding Web Traffic

Traffic now carried over HTTP includes Instant Messaging, Peer to Peer, and File Transfer Protocol.

Page 27

Advanced Content Analysis

• SSN Detection
• Proper Name Detection
• A rule matched multiple times increases the score
• Unique rule matches are met
• Matches are found in close proximity
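The scoring idea on this slide, written out as an added Python example (not Cisco's implementation and not code from the presentation): every rule hit adds points, hitting two distinct rules adds a bonus, and an SSN found within a few characters of a proper name adds a proximity bonus, so isolated nine-digit numbers score low while a real record scores high. The rule names, point values, thresholds and sample messages are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Detection rules: rule name -> compiled pattern. The SSN pattern rejects the
# area/group/serial values that are never issued (000, 666, 9xx, 00, 0000).
RULES: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Crude proper-name heuristic: two adjacent capitalised words.
    "proper_name": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
}
POINTS_PER_MATCH = {"ssn": 10, "proper_name": 2}  # every hit adds points (assumed values)
UNIQUE_RULE_BONUS = 5     # added once when two or more distinct rules fire
PROXIMITY_WINDOW = 30     # chars between an SSN and a name to count as "close"
PROXIMITY_BONUS = 8       # added per SSN that has a name within the window
REVIEW_THRESHOLD, BLOCK_THRESHOLD = 10, 30

Match = Tuple[str, int, str]  # (rule, offset, matched text)


def find_matches(text: str) -> List[Match]:
    """Run every rule over the text and return the hits sorted by offset."""
    hits: List[Match] = []
    for rule, pattern in RULES.items():
        hits.extend((rule, m.start(), m.group()) for m in pattern.finditer(text))
    return sorted(hits, key=lambda h: h[1])


def score_document(text: str) -> Dict[str, object]:
    """Combine repeat matches, rule diversity and proximity into one score."""
    hits = find_matches(text)
    # 1. A rule matched multiple times keeps adding to the score.
    score = sum(POINTS_PER_MATCH[rule] for rule, _, _ in hits)
    # 2. Bonus once the unique-rule condition is met (several kinds of evidence).
    rules_hit = sorted({rule for rule, _, _ in hits})
    if len(rules_hit) >= 2:
        score += UNIQUE_RULE_BONUS
    # 3. Proximity: an SSN sitting next to a proper name is far more likely to
    #    be a real record than an isolated nine-digit number.
    name_offsets = [off for rule, off, _ in hits if rule == "proper_name"]
    proximity_hits = sum(
        1 for rule, off, _ in hits
        if rule == "ssn" and any(abs(off - n) <= PROXIMITY_WINDOW for n in name_offsets)
    )
    score += PROXIMITY_BONUS * proximity_hits
    if score >= BLOCK_THRESHOLD:
        verdict = "block"
    elif score >= REVIEW_THRESHOLD:
        verdict = "review"
    else:
        verdict = "allow"
    return {"score": score, "verdict": verdict, "rules_hit": rules_hit,
            "proximity_hits": proximity_hits, "matches": hits}


# Constructed sample messages (fictitious data) to exercise the scorer.
SAMPLE_DOC = (
    "Hi team, please update the records for Jane Smith, SSN 123-45-6789, "
    "and John Doe, SSN 456-78-9012, before Friday. The order number is "
    "000-12-3456 for reference."
)
BENIGN_DOC = "Meeting with Jane Smith tomorrow to review the budget."

if __name__ == "__main__":
    for doc in (SAMPLE_DOC, BENIGN_DOC):
        result = score_document(doc)
        print(result["verdict"], result["score"], result["rules_hit"])
```

The invalid "000-12-3456" reference number is rejected by the SSN pattern, so it contributes nothing to the score.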

Page 28

Advanced, Proactive Threat Protection – Cisco Security Intelligence Operations

Global threat telemetry from sensors at, for example, a Bank Branch in Chicago, an Ad Agency HQ in London and an ISP Datacenter in Moscow:

• 8:00 GMT – Sensor detects new malware
• 8:03 GMT – Sensor detects hacker probing
• 8:07 GMT – Sensor detects new botnet
• 8:10 GMT – All Cisco customers protected

Cisco SensorBase → Threat Operations Center → Advanced Algorithms

Higher threat coverage, greater accuracy, proactive protection

Page 29

Pillar 3: Secure Virtualized Data Center

Diagram: App Server, Database Server and Web Server tiers shown three times – first behind a Physical Security Device with Virtual Contexts, then on a Hypervisor behind the same device, then on a Hypervisor with Virtual Security embedded.

1. Secure physical infrastructure
2. Connect physical security to virtual machines with Cisco’s SIA
3. Embed security in the virtual switch

Service chaining

Page 30

Pillar 4: Enables Rich Policy for “Ubiquitous”, Consistent Control

Who? What? When? Where? How?

1. Access Policy
2. Dynamic Containment Policy
3. Policy On and Off Premise

Page 31

Industry Collaboration

Nature of Cybersecurity Issues
• Occurs on the Internet (Cyberspace)
• Global nature, multiple countries, different policies and regulations, different focus
• Multiple entities, from simple client system to complex infrastructure
• Weakest link and lowest common denominator prevail
• Highly creative landscape – always changing
• Many overlapping and conflicting needs & issues

Page 32

Industry Collaboration (cont.)

Two Questions

• What are the “security things” that individuals, communities, and organizations need to do while using or leveraging the Cyberspace? What are the desirable behaviors?
• How do we evolve from our existing information security practices? What should be our security approach?

Page 33

Industry Collaboration (cont.) – Examples of Desirable Cybersecurity Behavior

• ITU-T X.1207 – Guidelines for Telecommunication Service Providers for Addressing the Risk of Spyware and Potentially Unwanted Software
• ISO/IEC 29147 – Responsible Vulnerability Disclosure
• Developer Highway Code

Page 34

Industry Collaboration (cont.) – Examples of Information Sharing Networks

• Forum of Incident Response and Security Teams (FIRST) – http://www.first.org/
• Research & Education Information Sharing and Analysis Center (REN-ISAC) – http://www.ren-isac.net
• Telecom ISAC – US, Japan, Korea
• Asia Pacific CERT (APCERT) – http://www.apcert.org/
• HK CERT – http://www.hkcert.org/

Page 35

Final Remarks

Page 36

• Borderless network transformation is influencing changes to enterprises & users
• It is disrupting common information security approaches
• We need to rethink our approach in at least four areas – governance, standards, technology, and industry
• People are key to our response to these challenges; continuing education and awareness are therefore critical
• We need to pay particular attention to security information sharing, and to organization & individual responsibility in Cyberspace

“Progress, far from consisting in change, depends on retentiveness. Those who cannot remember the past are condemned to repeat it.” – George Santayana

Page 37