Security Today
The whitelist, blacklist, non-spoofed, non-spam, encrypted, secure, authenticated solution:
1. whitelist: just let your friends into the club
2. blacklist: keep your enemies at bay
3. non-spoofed: URLs of those you trust
4. non-spam: prevent overload
5. encrypted: no-fear messaging
6. secure: no-fear computing
7. authenticated: whom do you trust?
Mainframe
PC
LAN
Internet
Open Source
Java
Cloud
NBT
Public Cloud
Provided by an external third party
Typically shared with many other users
Minimal guarantees of availability and QoS
Bring your own storage, DR, and security
Private Cloud
When your enterprise creates its own cloud
Typically much more customized
Built within your enterprise's baseline security
Delivers enterprise SLA/QoS
Charged back like other IT
Hybrid Cloud
Private cloud augmented with public cloud
Cloudbursting for sudden increases in demand
Transient to short-term: is the increase real or just a blip?
Economic alternative to capacity planning (perhaps)
The Answer: ISO 7498-2 (1989)
Who are you? (Identification and Authentication)
What can you do? (Access control, Authorization)
Keep secrets secret (Data Confidentiality)
Keep data correct (Data Integrity)
Know your correspondent (Non-repudiation)
Access Control
What can you do? Role-based access control only works in broad terms.
No successful comprehensive RBAC solutions:
MIT: 14,000 people, 35,000 roles; the average user had eight roles
DuPont: 20,000 employees; defined roles for about half, reached 45,000 roles, quit
GM: IDM Leader at Catalyst
The number of roles approaches the number of individuals.
Data Confidentiality
How much encryption is enough?
Avoid cost/benefit analysis: very large estimate * very small likelihood = undefined result (numerical analysis)
If the value of the data exceeds the cost of obtaining it, the data is not secure.
Data Integrity
Note that once you have encrypted the information, you have protected its integrity.
Data integrity without encryption: the checksum on a download.
Is this install safe? Has it been altered?
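The "has it been altered?" check above, as an added example that is not part of the original slides: it compares a download's SHA-256 digest with the published one, and also goes one step beyond the slide by showing a keyed HMAC tag, which holds up even when the attacker who altered the file can also alter a bare checksum published alongside it. The sample bytes, the published digest (the well-known SHA-256 test vector for "abc") and the key are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample "download" and its published SHA-256 digest; the digest
# of b"abc" is a standard test vector, not a value from the original slides.
SAMPLE_DOWNLOAD = b"abc"
PUBLISHED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_hex(data: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption or a naive edit."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Compare the file's digest with the distributor's published digest.
    compare_digest runs in constant time so the comparison itself does not
    leak how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())


def integrity_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256). Unlike a bare checksum, whoever
    replaces the download cannot recompute a matching tag without the key,
    so the tag need not travel over a separately trusted channel."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Recompute the keyed tag and compare it in constant time."""
    return hmac.compare_digest(integrity_tag(key, data), tag_hex)


if __name__ == "__main__":
    tampered = SAMPLE_DOWNLOAD[:-1] + b"d"  # one byte changed
    print("pristine matches published digest:",
          verify_download(SAMPLE_DOWNLOAD, PUBLISHED_SHA256))
    print("tampered matches published digest:",
          verify_download(tampered, PUBLISHED_SHA256))
    key = b"hypothetical-shared-key"  # constructed, not a real secret
    tag = integrity_tag(key, SAMPLE_DOWNLOAD)
    print("keyed tag accepts tampered data:", verify_tag(key, tampered, tag))
```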
Non-Repudiation
A concept from law, not from information security. Can we prove either:
A) Are you the author of this message?
B) Did you receive this message?
Clueful Solutions
PKI, SSH, SSL
Kerberos (how to authenticate when the network is not trusted?)
Sentinel (good-looking but fake data)
Code and Other Laws of Cyberspace (Lessig): law, economics, social pressure, architecture
Next Steps
Audit your environment (use ISO 7498-2)
Think like a crook
Expose security presumptions
Principle of least privilege
Avoid role-based security
Avoid risk quantification
Today's Agenda
2:00-2:30 ET: eWEEK Labs Workshop 2: Identity Management in the Cloud
3:00-3:45 ET: Industry Roundtable: Preparing For the Application Adoption Revolution