Holes in the Whole: Crafting Security for the Pervasive Web by Stikeleather


James Stikeleather, Chief Innovation Officer at Dell Services, gave an engrossing talk on the future of security. The consequences of the Web’s evolution amount to a co-evolution, he said: people are becoming more co-dependent on technology and are restructuring how they see data (augmented reality), while technology is becoming contextual, dependent on who is making a request, how and when they are making it, and what their intentions are in making it.

In such a fluid environment trust is essential, but can there realistically be trust? We have created an untrustworthy environment, Mr. Stikeleather said, and the tipping point will be smartphones in the enterprise. This technology in particular is widening the cracks in a complex environment whose security model is destined to fail. Additionally, government and enterprise cannot agree on what the world should look like from a security perspective, because of differing cultural concepts of cyberspace. What’s needed is a “Law of the Commons”: we have created rules for shared international use of the world’s oceans and of outer space, and cyberspace should be no different.

At the end of the day, everything is an economic survival issue, Mr. Stikeleather said. The real value of the Web has been its network effects. If we were to lose trust in privacy and security, we would lose the currency of that global network exchange and the associated economic model, which in turn could mean the collapse of the global economy, he said. A catastrophic event is likely to happen, he predicted. What will a world without trust look like? A feudal cyber world: white lists, locked clients, fixed communication routes, locked and bound desktops, limited transactions, pre-established trading partners, information hoarders, towers of Babel.

We have a unique opportunity with Cloud, Mr. Stikeleather said, to get it right early: to put thought into what the underlying structure of Cloud needs to look like, and into how to handle the contextual nature of evolving technology. In the meantime, people should own the right to their own identity and control their information, and we need to secure data by protecting it within content.

Holes in the Whole: Crafting Security for the Pervasive Web by Stikeleather

  1. Holes in the Whole: Crafting Security for the Pervasive Web. Jim Stikeleather, Chief Innovation Officer, Dell Services
  2. December 2007 EG Conference
  3. Evolution of the Web: Kevin Kelly’s view from 2007
     - Web’s first 5,000 days
       - People expected “TV, only better”
       - Impossible to imagine Wikipedia, Facebook
       - Economic models
     - December 2007
       - 100 billion clicks per day
       - 294 billion emails sent daily
       - 55 trillion links
       - 255 exabytes of magnetic storage
       - 5% of global electricity consumption
     - Magnitude equivalent of a human brain
  4. Evolution of the Web: Kevin Kelly’s projection from 2007
     - Web’s next 5,000 days
       - Doubling every two years: 6 billion human equivalents by 2040
       - Mobility
       - Digital universe fuses into physical world
       - Our devices are windows into the Web
       - Internet creating a “global brain”
     - In December 2010
       - 2 billion users
       - 107 trillion emails sent
       - 47 billion text messages per day
       - 35 billion “client” devices (5 billion phones)
       - 13 billion indexed pages (est. half of total static); over 1 trillion dynamic pages
     - After 2007 hard numbers disappear
  5. Consequences of Web’s Evolution: Kevin Kelly’s view from 2007 (not just a better Web)
     - Three Outcomes
       - Embodying the machine
       - Restructuring the architecture
       - Codependence on new technology, just as we depend on alphabets
     - Emergence of Global Brain: smarter, personalized, pervasive
     - Individuals must be transparent to gain benefits
  6. Consequences of Web’s Evolution: A view from today
     - Three Modifications
       - Disembodying information: Big Data
       - Restructuring us: Augmented reality
       - Co-evolution: Multisensory computing (Allosphere, UCSB)
     - The Pervasive Cloud
       - Ecology instead of organism
       - Contextual instead of singular
       - Everything as a Service
     - Transparency as a necessary condition
     - Trust needed for transparency
     - Privacy?
     - Mantras: Good enough; Zero failure; Zero patience; Zero input; Zero price; Unlimited information; Unlimited depth
  7. Can There Be Trust?
     - “In 2008, there were so many viruses being created that Symantec needed to write a new signature every 20 seconds. In 2009, it changed to every 8 seconds.” (Cyber Warfare, Jeffrey Carr)
     - 6,000,000 new botnet infections per month (McAfee Labs)
     - Drastic increase in malware (McAfee Labs): 2007 - 16,000 new pieces of malware per day; 2008 - 29,000 per day; 2009 - 46,000 per day
     - Sophos’ Security Threat Report: 23,500 new infected web pages found every day, which equates to one infected website every 3.6 seconds
     - 61% of the top 100 Web sites have either hosted or been involved in malicious activity over the last six-month period (Websense)
     - 87% of PCs have spyware on them. On average, those with spyware have 28 different versions (Forrester Research)
  8. Do We Even Know What Is Really Going On?
     - Source: Open Security Foundation DataLossDB (data does not include U.S. Secret Service)
     - Proofpoint study: Email is top source of data loss (IP); social media and mobile devices larger threat
     - Source: Protect-data.com survey
  9. The Tipping Point: An Explosion of Smartphones in the Enterprise is Imminent
     - Worldwide shipments of smartphones move towards 1 billion by 2015 (InStat)
     - Mobile devices are the new client systems
     - RIM dominance of the enterprise is over
     - 9 pieces of malware and spyware per 100 mobile devices (Lookout)
  10. Why Our Current Model Will (continue to) Fail: (slide bullets not captured in the transcript)
  11. Dystopian Consequences of Trust Loss
     - Saeculum Obscurum (dark age), a phrase first recorded in 1602
     - Not just after the fall of the Roman civilization, but also the Minoan and Mycenaean civilizations
     - The knowledge gained was lost; for hundreds of years, life was governed by superstitions and fears fueled by ignorance; the economy ground to a halt
     - Jared Diamond concludes that the basic factors of civil success are size and density of population, technology, and specialized institutions
     - Jane Jacobs asks why even successful cultures fail: “Losers are confronted with such radical jolts in circumstances that their institutions cannot adapt adequately, become irrelevant, and are dropped”
     - Fukuyama: All economics is based on trust
  12. A Feudal Cyber World
     - White lists
     - Locked clients
     - “Fixed” communication routes
     - Locked, bound virtual desktops
     - Limited transactions
     - Fixed transactions
     - Pre-established trading partners
     - Artificial us-versus-them
     - Towers of Babel
     - Haves / have-nots / disenfranchisement
     - Information hoarding (guilds)
     - Little information liquidity
     - Hierarchical processes
  13. Trust in Cyberspace requires data to protect itself
     - Kelly
       - Link computers, share packets
       - Link pages, share links
       - Link data, share ideas (Semantic web)
       - Link things, share experience
     - Russell Ackoff
       - Data
       - Add presentation: Content
       - Add context: Information
       - Add process: Knowledge
       - Add experience: Understanding
       - Add reflection: Wisdom
     - Data wrapped in presentation armor becomes self-protecting content
  14. DRM Models: Embedding Governance, Risk Management, Compliance and Security into the Delivery Fabric. A new GRCS architecture: hardware, system software and development environments based on Rights (Restrictions) Expression Language(s).
     - Policy Administration Point (PAP): Manages the security and/or compliance policies
     - Policy Decision Point (PDP): Evaluates and issues authorization decisions
     - Policy Enforcement Point (PEP): Intercepts a user’s access request to a resource and enforces the PDP’s decision. Secured applications (see below) may act as their own PEP
     - Policy Information Point (PIP): Provides external information to a PDP, such as LDAP attribute information
     - Encryption: On-demand
     - Identity Service: Used for initial access to cloud-provided services
     - Authentication Service: Verification of the identity of a party which generated some data
     - Confidentiality Service: Protection of information from disclosure to those not intended to receive it
     - Location Service: Identifies where data is stored, where it has been used, where users saw/used it, etc.
     - Validation Service: Provides a third level of assurance before granting access to resources or information assets
     - Authorization Service: Process by which one determines whether a principal is allowed to perform an operation
     - Encryption Service: Encryption/decryption with audit
  15. Precursors? How we might get there? What’s “secure” depends on the goals of the system. Do you need authentication, accountability, confidentiality, data integrity? Each goal suggests a different security architecture, some totally compatible with anonymity, privacy and civil liberties. In other words, no one “identity management and authentication program” is appropriate for all Internet uses.
     - Hardware exemplars:
       - Policy Information Points / Location Services (GPS)
       - Policy Enforcement Points (biometrics / Bluetooth phones)
       - Encryption Points / Services (secure flash)
       - CPU keys
     - Software exemplars:
       - SAML
       - XACML
       - Hashed binaries
       - Pedigreed binaries
       - Stateless sessions
       - ReSTful sessions
     - An archetype: MPEG 21 REL
       - Provides rights to information that can be packaged within machine-readable licenses, guaranteed to be ubiquitous, unambiguous and secure, which can then be processed consistently and reliably.
       - Modular design provides inherent extensibility of the language and is designed to be:
         - Flexible: enabling the creation of licenses to support any kind of business model
         - Scalable: enabling the creation of profiles to support a wide variety of devices
         - Extensible: enabling the creation of specific, autonomous extensions for use in vertical markets, both open and closed
         - Technology agnostic: enabling support for any kind of proprietary or standardized enforcement technology
  16. What it might look like (slide bullets not captured in the transcript)
  17. Let’s think a little more impossibly! Thank you
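The PAP/PDP/PEP/PIP split from slide 14, combined with the contextual "who, how, when" requests the talk summary describes, as an added Python illustration that is not code from the talk, from Dell Services, or from any XACML implementation. Every component name, directory entry, resource name and policy rule below is constructed sample data; the PIP's in-memory dictionary stands in for the LDAP attribute lookup the slide mentions.

```python
# Toy GRCS policy fabric with the XACML-style components from slide 14: PAP (policy
# store), PIP (attribute source), PDP (decision), PEP (enforcement plus audit trail).
# Every name, directory entry and rule below is constructed sample data.
from collections import namedtuple

Policy = namedtuple("Policy", "resource action rule")  # rule(subject_attrs, context) -> bool

class PolicyAdministrationPoint:
    def __init__(self):
        self.policies = []

    def add(self, policy):
        self.policies.append(policy)

class PolicyInformationPoint:
    # subject attributes handed to the PDP; stands in for an LDAP lookup
    DIRECTORY = {"alice": {"groups": {"finance"}, "mfa": True},
                 "bob": {"groups": {"eng"}, "mfa": False}}

    def attributes(self, subject):
        return self.DIRECTORY.get(subject, {})

class PolicyDecisionPoint:
    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip

    def decide(self, subject, action, resource, context):
        attrs = self.pip.attributes(subject)
        for p in self.pap.policies:
            if (p.resource, p.action) == (resource, action) and p.rule(attrs, context):
                return "Permit"
        return "Deny"  # default deny: nothing explicitly grants the request

class PolicyEnforcementPoint:
    # intercepts the access request, asks the PDP, records the outcome
    def __init__(self, pdp):
        self.pdp, self.audit = pdp, []

    def request(self, subject, action, resource, context):
        decision = self.pdp.decide(subject, action, resource, context)
        self.audit.append((subject, action, resource, dict(context), decision))
        return decision == "Permit"

def build_fabric():
    pap, pip = PolicyAdministrationPoint(), PolicyInformationPoint()
    # contextual rule (who/how/when): finance group, MFA done, managed device, 08-18h
    pap.add(Policy("ledger", "read", lambda a, c:
                   "finance" in a.get("groups", set()) and bool(a.get("mfa"))
                   and c.get("device") == "managed" and 8 <= c.get("hour", -1) < 18))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, pip))
```

Because the PDP defaults to Deny, an unknown principal, an unlisted action or a request outside the policy's context window all fail closed, and every outcome lands in the PEP's audit list for later review.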