Winkler Cloud, ORCON, and Mobility

This presentation was given to The Research Board (Gartner) in Orlando FL April 2013


  1. Keeping Data Confidential Beyond the Enterprise: “...Would you like some ORCON with your data?" Vic Winkler, CTO, Covata USA, Inc, Reston, Virginia. © Cocoon Data Holdings Limited 2013. All rights reserved.
  2. mini-bio
     • Author, “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, May 2011 (Elsevier/Syngress)
     • CTO, “Self-Defending Data”, www.Covata.Com, Reston VA | Sydney Australia
     • Published Researcher: Secure Operating System Design, Network Monitoring, Intrusion Detection, Information Warfare (PRC Inc., Northrop)
     • Security Design & Engineering: Sun Grid Compute Utility, Network.Com, The Sun Public Cloud (Sun Microsystems); Government & Defense Customers (Booz Allen Hamilton, Sun Microsystems, PRC)
     • Contact: work: Vic.Winkler@Covata.Com; personal: Vic@VicWinkler.COM
  3. The Point of this Talk
     • You already know this:
       - Vulnerabilities and Exploits are Inevitable
       - The Perimeter is dead. Long live the Perimeter
       - BYOD and Cloud Undermine Enterprise IT
     • Unfortunately:
       - The data itself remains unprotected (inconsistent crypto)
       - The goal isn’t just security – it’s control over your data
       - DRM | IRM | ORCON extend your control over data
       - Persisting Control for X-domain and Ad-hoc Sharing? ORCON
  4. What is Hacking?
     • One definition: Focusing on the “protective” qualities of cardboard and ignoring the door
     • Which is the better defense: A Glass Door …Or a Castle?
     • Answer: It depends on what you seek to protect from whom
  5. A “Not-so” Accurate History of Security
  6. A “Not-so” Accurate History of Security
  7. Cloud Computing: A Newer Model for IT
  8. Cloud Computing: A Newer Model for IT
  9. Where Responsibility Resides
  10. Your Limits as a Tenant
  11. …A Closer Look
  12. Organizational Control
  13. Vendor Transparency
  14. Many “Concerns”: Cloud Security
     • Insecure Interfaces & APIs: Assess provider’s security model. Check if strong auth., access controls and crypto are used.
     • Malicious Cloud Provider Employee: Lack of provider transparency as to processes and procedures can raise concern about the provider’s insider threat problem.
     • Concerns about Shared Infrastructure: Monitor for changes, follow best practices, conduct scanning and config audits.
     • Data Loss & Leakage: Encrypt. Verify APIs are strong. Verify provider backups are appropriate.
     • Account or Service Hijacking: Use “safe” credentials, 2+-factor, monitor.
     • …A Public Service isn’t for Everyone. And Yet: Compared to most enterprises, Amazon, Rackspace and Google have superior IT security implementations and procedures.
  15. Cyber Security? (…Maybe Data Finally Deserves its own Protection)
     • Networks & Infrastructure: Hard to keep safe. “Current security efforts focus on individual radios or nodes, rather than the network, so a single misconfigured or compromised radio could debilitate an entire network” (DARPA). …Is it a fantasy to believe you can secure everything? …And keep it so? Is there a “keep it simple stupid” strategy that can work?
     • IT is always changing: BYOD – A new attack vector. Trade-offs against corporate “control”
     • Rescind -or- retract data you shared or a recipient?
     • The social phenomenon (OMG) (We are doomed)
  16. Motivation for Data-Level Encryption
     • Protecting the Network & Nodes: Perimeter complacency… (oh wait, it’s “dead”). But …what about the data itself?
     • My Backup is on Your Email Server
     • Encryption Stovepipes
     • Full Disk Encryption vs. Data Level
  17. “Goldilocks was Here” (“just right”)
  18. Access Controls: A Comparison
  19. What is ORCON?
     • U.S. Intelligence Community
       - Desired “Originator Control” in Closed-Network Information Sharing. Examples: Rescind Access; Prevent Forwarding
     • Does not Exactly Align with Classic Access Controls
       - MAC – Mandatory Access Controls (User Clearance : Data Classification)
       - DAC – Discretionary Access Controls (Usually too simple, such as “UGO”)
       - Capability Based – Defines access rights (Akin to a “file descriptor”, process oriented)
       - Role Based – Aligns well with “pools of users” problems
     • …ORCON is a big part of what you really want: ORCON Control over Data
  20. ORCON is Related to: DRM & IRM
     • DRM or IRM solutions expand on access controls with “rights”
     • Rights can be anything (download, forward, print, …)
     • Commercial systems typically use PKI, which is messy; which has limits; which gets complicated
     • Examples: Oracle Entitlement Server; EMC’s Documentum; Microsoft DRM; AD Rights Management Services
     • These are typically “heavyweight” and entail “services drag”
     • They require integration with your workflow …unless you are happy using default applications like SharePoint
  21. “Sharing Should Just Work”
  22. Use of a Cloud-Based Key Service
  23. Encryption in the Workflow
  24. How it Works
  25. ORCON …
     • But does it have to be “Originator” control? No.
       1) The enterprise might need to specify default controls for: All data that is shared between identified individuals; All data that is sent to specific external entities; Specific recipient devices
       2) Enterprise DLP systems might need to be bypassed (encrypted content). Thus: Encrypted content must meet certain standards; Certain content may warrant additional specific controls
       3) The enterprise might “attach” additional ORCON (for instance, by a DLP)
     • ORCON is a flexible framework for persisting controls
  26. Options: Enable the Workflow or App
  27. The Nature of Risk
  28. The Point of this Talk
     • You already know this:
       - Vulnerabilities and Exploits are (ABSOLUTELY) inevitable
       - The perimeter (REALLY) is dead. Long live the perimeter
       - BYOD and Cloud (IRRESISTIBLY) undermine enterprise IT
     • Unfortunately:
       - The data itself remains unprotected (inconsistent crypto)
       - X The goal isn’t just security – it’s control over your data
       - DRM | IRM | ORCON extends your control
       - For X-domain and ad-hoc use: ORCON, Persisting Control over Data
  29. Thank You! Work: Vic.Winkler@Covata.Com; Personal: Vic@VicWinkler.com; On: Google+ & LinkedIn
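Slides 19, 20 and 25 describe ORCON as originator controls that persist with the data (rescind access, prevent forwarding), rights in the DRM/IRM sense, and enterprise-attached defaults for external recipients and devices, with slide 22 placing enforcement in a cloud-based key service. The model below is an added illustration of that arrangement, not Covata's code: a key service that holds each object's key and releases it only when the effective policy (originator's choices plus enterprise defaults) permits the requested action; the domain, the rights vocabulary and the enrolled-device list are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional
import secrets

# Constructed model (not Covata's product): the originator's ORCON policy travels with the
# encrypted object; a key service releases the object key only when the policy permits the
# requested action. The domain, the rights vocabulary and the device list are assumptions.
ENTERPRISE_DOMAIN = "@corp.example"
ENROLLED_DEVICES = frozenset({"laptop-0042", "phone-0107"})

@dataclass
class Policy:
    originator: str
    recipients: frozenset
    rights: frozenset                    # e.g. {"read", "forward", "print"}
    devices: Optional[frozenset] = None  # None = any device
    rescinded: bool = False              # set when the originator withdraws access

def enterprise_defaults(policy: Policy, recipient: str) -> Policy:
    """Enterprise-attached ORCON: external recipients lose 'forward' and must use an enrolled device."""
    if recipient.endswith(ENTERPRISE_DOMAIN):
        return policy
    return replace(policy, rights=policy.rights - {"forward"}, devices=ENROLLED_DEVICES)

class KeyService:
    def __init__(self):
        self.objects = {}  # obj_id -> (object key, originator's policy); the key never travels with the data
        self.audit = []    # (obj_id, who, device, action, verdict) for every request

    def protect(self, obj_id: str, policy: Policy) -> None:
        self.objects[obj_id] = (secrets.token_bytes(32), policy)

    def rescind(self, obj_id: str, who: str) -> bool:
        key, policy = self.objects[obj_id]
        if who != policy.originator:
            return False  # only the originator may rescind
        self.objects[obj_id] = (key, replace(policy, rescinded=True))
        return True

    def request_key(self, obj_id: str, who: str, device: str, action: str) -> tuple:
        key, stored = self.objects[obj_id]
        policy = enterprise_defaults(stored, who)
        checks = [(policy.rescinded, "denied: access rescinded by originator"),
                  (who not in policy.recipients, "denied: not a recipient"),
                  (action not in policy.rights, f"denied: right '{action}' not granted"),
                  (policy.devices is not None and device not in policy.devices, "denied: device not enrolled")]
        verdict = next((why for failed, why in checks if failed), "allowed")
        self.audit.append((obj_id, who, device, action, verdict))
        return verdict, (key if verdict == "allowed" else None)
```

Because the key is only ever released by the service, a rescind takes effect for every copy of the object wherever it was forwarded, and the audit list is the record a DLP or SOC would review.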
