Evelyn del Monte's presentation on "Justifying IT Spend on Security" during Computerworld Philippines' Executive Briefing on Information Security in October.

1. “ Context Aware and Adaptive Security” - The Future of Information Security Evelyn P. Del Monte Enterprise Manager [email_address]

2. The Issue of Security

3. Static Network Security Physical Security = Network Security

4. Heartland Data Breach Exposes 100 Million Accounts Lawsuit Filed Over CardSystems Data Breach Hannaford Breach May Have Exposed Millions to Fraud USDA Admits to Massive Data Breach; 63,000 Affected WellCare Flubs Data Privacy for 10,000 Georgians Commerce Bank Database Hacked Advance Auto Data on 56,000 Customers Exposed WellPoint Data Breach Affects 128,000 Clients Hackers Tap Western Union ; 20,000 Affected Hacker Infiltrates UCLA ; Data on 800,000 Stolen Network Breaches are Common…

7. The New Approach “ Context-Aware Adaptive Security”

10. Why Context, Why Now? All these layers encompass physical or logical entities (objects) – packets, machines, applications, services, users, groups, transactions and so on. Information security can be thought of as the enforcement of a series of policies (in other words, a set of security policy enforcement points) to enable action between different entities in an IT stack, with the goal of protecting the confidentiality, integrity, availability, authenticity and accountability of the information and workloads being handled among them.

11. Security decisions occur when an entity at any layer on the left side wants to take an action on an entity on the right side.

13. In static IT infrastructures, ownership became a proxy for trust. Because we owned and controlled most of the pieces, information security policy enforcement points were typically only placed at the perimeter between something we owned and something we didn’t own (and, therefore, didn’t trust). This model of trusting “us” (we own it, we control it) and not trusting “them” (they own it, they control it) and placing security policy enforcement points only where we had a handoff between us and them has worked reasonably well, but is coming under extreme pressure. This model fails in a world where we increasingly don’t own all the pieces of our business and IT infrastructures.

15. Real-Time Context Leads to Measures of Trustability Every element of our computing stack will need to be treated with a degree of uncertainty and skepticism. Security decisions that were largely black and white, and where policies were set statically inadvance, become decisions with a multitude of shades of gray made dynamically at the time the request is made. Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability – adaptive and context-aware security policy enforcement mechanisms that help us answer the real question: “ Do I have enough trust in the entities involved to take the requested action at my current level of risk tolerance and given the current context to allow the action to take place?”

22. Thank you