2014. All Rights Reserved. Information and Communications Technology

Transcription

1 Defense-in-Depth has Become Extinct or Information Security in the Post-Enterprise World BSides Ottawa 2014 Dr. Lawrence G Dobranski P.Eng. Director ICT Security University of Saskatchewan 1

2 The University of Saskatchewan is a member of the U15, the top 15 research universities in Canada. 22,500 students from 100 countries (2013) 16:1 student to faculty ratio Annual budget of $1B $9.2 million annually in scholarships and bursaries > 120 Graduate Degree Programs ~ 200 Undergraduate Programs 2

3 Information & Communications usask Open, de-perimeterised environment 15,000 mobile users connecting daily via a ubiquitous wireless network Most of them BYOD (Bring Your Own Device) Includes: private cloud multiple data centers high performance research computing petabytes of storage multi-gigabit connections to the Internet and international research networks 3

4 Mobile & U of S 4 ~15K Personal Mobile Devices Daily (2013) ~3.5K Access Points (2013) Cloud Services include: Travel & Expense Management Student Employment Responsible Disclosure Survey Tools Crowd Funding iusask Award winning university service app for mobile devices

5 IT Consumerization, BYOD, and Cloud Services represent a significant technology & societal disruptor and the arrival of the Post Enterprise World BYOD IT Consumeriz -ation People, Process, Technology Cloud Services 5

6 Personal Mobile Devices 6 Mostly termed BYOD for bring your own device Represented by the convergence of mobile computing: Laptop, netbook, palm top, tablet, phone A matter of size and battery life Computing power no longer a limitation Stakeholders have multiplied: Carriers (maybe more than one) 3 rd party content (multimedia, software, services) Other relying parties: Employer (more than one) School Personal

7 Cloud Computing 7 Architectures: Public Private Hybrid Service Oriented: Software as a Service Platform as a Service Applications as a Service Security as a Service And yes: Malware as a Service Business Models: Free (if I can mine your data) Commercial (pay for it) Corporate (a cloud for the enterprise) Personal (really?)

8 BYOD & Cloud A Multi-Dimensional Risk Problem Not just a technology problem Technological solution does not address the entire risk spectrum. Business perspective is critical. Does not recognize de-perimeterisation or context of use. At Risk: Confidentiality, Integrity, Availability of information and services Personally-identifiable information (aka Privacy) Business survivability The user, the enterprise, the carrier, and 3 rd party information and services 8

9 BYOD & Cloud Risk Environment Banning BYOD or Cloud Services usually just forces them underground Going underground: Hides the threat Hides the risk Better to manage it rather than ban it Need to support controlled, secure access to data and services No matter how accessed or how provisioned 9

10 All Rights Reserved. Information and Communications Technology BYOD & Cloud a disruptive technological evolution Eradication of boundaries That are traditionally used to define the enterprise Separate trusted and untrusted domains no longer clear Defense-in-depth going extinct Context of use How, why, where, what, when regarding data and service access Evolution to the mobile, social media, always-on society Data Application Host Internal Network Perimeter Physical De-perimeterisation Policies, Procedures, Practices

11 11 De-perimeterisation Concept originally championed by The Open Group s Jericho Forum Traditionally, organizations relied upon boundaries and perimeters to provide security, different areas of trust. BYOD and Cloud Services mean that the boundaries have changed or do not exist. Now not just who is inside your perimeter, accessing the data, but who, where, how, and with what.

12 Moving Beyond a Perimeter Security Model Before BYOD & Cloud Hard perimeter Clear policy enforcement points Defense-in-depth strategy Only organizational supplied hardware & software on the network Able to answer: Who is accessing? How they are accessing? Where are they? Clear whose device and who owns the data Threats understood Compliance achievable After BYOD & Cloud Soft perimeter Policy enforcement points are now vague Hardware & software can be organizational, personal, or 3 rd party No longer clear: Who is accessing? How they are accessing? Where are they? Not clear whose device and who owns the data Lack of clarity regarding threats Compliance what does it mean? 12

13 All Rights Reserved. Information and Communications Technology Mitigating the De-perimeterisation Risk After BYOD & Cloud Mitigate Soft perimeter Policy enforcement points are now vague Hardware & software can be organizational, personal, or 3rd party Discretionary Access Control Not clear whose device and who owns the data Lack of clarity regarding threats Compliance what does it mean? BYOD & Cloud Mitigation Sandbox Applications and Data Application Integrity Policy enforced at application and data boundaries Mandatory access control for servers and infrastructure Compliance requires clear policy/procedures/processes Enhanced, context aware authentication/authorization Security Awareness Critical Do you know where your organization s data is?

14 Context of Use, aka Mobility 14 A significant business driver by itself Institutions want to be agile, to be accessible, and to support collaboration No matter where their users are No mater what device they are using Expanding to include however they are accessing data and services Focus is giving ubiquitous access to organization data, networks, services, and applications To be agile, responsive, and value-providing anywhere at any time

15 Context of Use No Longer Just Who Traditionally IAM only addresses Who is accessing the data? Privileges: Discretionary access control We know who you are, we trust you Now need to ask How is the data being accessed? Who is delivering the data and service? Where is it being accessed from? Location and device critical What expectations are there for the data s confidentiality, integrity, and availability? Who owns and controls the data? Who owns and controls the device? Is the security policy/security compliance adaptable based on these considerations? Who do you trust? 15

16 Where The context of the mobile device and the service provided must be reflected in the authorizations granted to the authenticated user. How Why Context of Use When Who What 16

17 The Context of Use Dilemma Before BYOD & Cloud Hard perimeter Clear policy enforcement points Defense-in-depth strategy Only organizational supplied hardware & software on the network Able to answer: Who is accessing? How they are accessing? Where are they? Clear whose device and who owns the data Threats understood Compliance achievable Jurisdiction clear After BYOD & Cloud Soft perimeter Policy enforcement points are now vague Hardware & software can be organizational, personal, or 3 rd party No longer clear: Who is accessing? How they are accessing? Where are they? Not clear whose device and who owns the data Lack of clarity regarding threats Compliance what does it mean? Jurisdiction not clear 17

18 All Rights Reserved. Information and Communications Technology Mitigating the Context of Use Risk After BYOD & Cloud Mitigate Soft perimeter Policy enforcement points are now vague Hardware & software can be organizational, personal, or 3rd party No longer clear: Who is accessing? How they are accessing? What are they using to access? Where are they? Not clear whose device and who owns the data Lack of clarity regarding threats Compliance what does it mean? Jurisdiction more clear BYOD & Cloud Mitigation Sandbox Applications, Data, & Services Security from a data perspective Application Security Policy enforced at application and data boundaries Mandatory access control for servers and infrastructure Compliance requires clear policy/procedures/processes Enhanced, context aware authentication/authorization Security Awareness Critical Do you know where your organization s data is?

19 Regulatory & Legal Issues Most regulatory & compliance regimes: Built for a traditional defense-in-depth model Corporate owned, or at least controlled devices, on a corporate owned or managed network No acknowledgement of BYOD or Cloud Based Services Multiple stakeholders Multiple jurisdictions How owns the data? Who controls the data? Are you sure? Whose jurisdiction? 19

20 Security, Privacy, & Audit in a BYOD 20 Consider: User in country A & Cloud World Whose company s HQ is in country B Using a mobile device from a carrier in country C Accessing servers located in country D Containing data of citizens of country E Using software from a firm located in country F Regarding a transaction with a firm located in country G So whose jurisdiction/policies applies?

21 And the survey said Work based on a survey of 750 security professionals in Canada Professionals from the ITAC Cyber Security Forum Basis for DSc dissertation 21

22 Research Question What are the critical factors influencing information security professionals perceptions of information security risks and threats in BYOD environments? 22

23 Independent and Dependent Independent Variables Context of Use Variables Compliance Security Controls Security Awareness Dependent Variable Information Security Professionals Perception of Risk Due to BYOD De-perimeterisation 23 23

24 Importance-Performance Analysis Technique to measure importance and performance of attributes Developed originally by Myers and Alpert (1968) Successfully extended to other domains Output recognizable as the familiar four quadrant graph Based in part on Importance-Performance Analysis by Martilla and James, 1977, as featured in A critical evaluation of importance-performance analysis by Azzopardi and Nash,

25 Importance Performance Analysis Applied to Risk Analysis Scale Likelihood Low High 1 Extremely unlikely 2 Unlikely 3 Neutral 4 Likely High IV I High 5 Extremely likely Likelihood Medium Risk (Risk Mitigation Required) High Risk (Sustain Risk Mitigation) Scale Impact 1 No consequence 2 Minor consequence 3 Moderate consequence 4 Major consequence 5 Critical consequence Low III Low Risk (No change in Risk Mitigation) Low II Medium Risk (Curtail Risk Mitigation) High Low Impact 25

26 Research Site: Data Collection Cyber Security Forum of the IT Association of Canada Approximately 750 information security professionals across multiple industries and domains Research instrument: 15 threat attributes 7 demographic questions 84 responses received, 64 deemed to be valid 26

27 BYOD Threat Attribute Ratings Number Attribute Description Owner of the device controls the context of use, not the organization. 2 Loss of policy enforcement points. 3 Device handling personal and work data simultaneously. 4 Device will be used to access networks which the organization cannot control access. 5 Security perimeter now at data level. Verification of the implementation of security controls may not be 6 possible. 7 8 A copy of data of interest to the organization may only exist on the device and not within the organizational network. Security policy on device is not in the control of the organization. 9 Lack of clear boundaries/areas of trust Organization administrators not controlling the configuration of the device connecting to the organization's network. Cannot completely wipe the device because it contains personal data that may or may not be backed up 12 Data on the device may not be encrypted Device may not have a password or a password of appropriate strength. Lack of user understanding that the use of personal mobile device can expose organization to significant risks. Lack of user understanding of where the device is used affects the risk to the organization's assets.

28 BYOD Risk Results Number Attribute Description Risk σ Rank 1 Owner of the device controls the context of use, not the organization Loss of policy enforcement points Device handling personal and work data simultaneously Device will be used to access networks which the organization cannot control access Security perimeter now at data level Verification of the implementation of security controls may not be possible A copy of data of interest to the organization may only exist on the device and not within the organizational network Security policy on device is not in the control of the organization Lack of clear boundaries/areas of trust Organization administrators not controlling the configuration of the device connecting to the organization's network Cannot completely wipe the device because it contains personal data that may or may not be backed up Data on the device may not be encrypted Device may not have a password or a password of appropriate strength Lack of user understanding that the use of personal mobile device can expose organization to significant risks. Lack of user understanding that where the device is used effects the risk to the organization's assets

29 Risk Surfaces 29

30 Thank you! 30 Lawrence Dobranski, DSc, MBA, MSc (Eng), (306)