The Future of Information Security Is Context Aware and Adaptive




Gartner RAS Core Research Note G00200385, Neil MacDonald, 14 May 2010, RA3416 01022011

Most of today's security infrastructure is static, enforcing policies defined in advance in environments where IT infrastructure and business relationships are relatively static. This is no longer sufficient in an environment that is highly dynamic, multisourced and virtualized, and where consumer-oriented IT is increasingly used in lieu of enterprise-owned and provisioned systems.

Key Findings

Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made, resulting in more-accurate security decisions capable of supporting more-dynamic business and IT environments.

Context information that will be relevant to security decisions is not limited to environmental context and will include context information from multiple sources.

Application awareness, identity awareness and content awareness are all examples of the broader shift to context-aware and adaptive security infrastructures.

In static IT infrastructures, ownership became a proxy for trust. This model no longer works. Every element of our enterprise computing stack needs to be treated with a degree of uncertainty and skepticism. Binary trust will be replaced with a paradigm of trustability.

Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years.

Recommendations

Context awareness helps make security an enabler, not an inhibitor, of dynamic business requirements. Begin the transformation to context-aware and adaptive security infrastructure now as you replace legacy static security infrastructure, such as firewalls, Web security gateways and endpoint protection platforms.

Use the framework provided in this research as a way to evaluate security offerings for their capability to incorporate richer context information at the time of a security decision.

Question security vendors on their specific road maps for application, identity and content awareness, as well as on their ability to incorporate other types of context information into their policy enforcement decisions.

Remove hard-coded and static security policies from applications and other systems, and move them to externalized security policy enforcement points capable of consuming real-time context information.

STRATEGIC PLANNING ASSUMPTION

By 2015, 90% of enterprise security solutions deployed will be context aware.

ANALYSIS

1.0 Context Awareness and Information Security

Context is the circumstances within which something exists or happens, and that can help explain or understand it (see Acronym Key and Glossary Terms). Context-based computing uses supplemental context information to improve the computing experience at the point of consumption. Applying this to information security, context-based security is the use of supplemental information to improve security decisions at the time the decisions are made.

Rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and we are already seeing signs of this transformation. Network security solutions are evolving to incorporate application awareness and identity awareness into their offerings. Information protection solutions are evolving to deliver content awareness. Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made. To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the point when a security decision is made.

2.0 Why Context, Why Now?
Consider a layered IT stack model of the network, device, operating system (OS), application, identity, content and process, as shown in Figure 1. All these layers encompass physical or logical entities (objects): packets, machines, applications, services, users, groups, transactions and so on. Information security can be thought of as the enforcement of a series of policies (in other words, a set of security policy enforcement points) to enable action between different entities in an IT stack, with the goal of protecting the confidentiality, integrity, availability, authenticity and accountability of the information and workloads being handled among them (see Figure 2).

Figure 1. Example of a Layered IT Stack. Source: Gartner (May 2010)

As shown in Figure 2, security decisions occur when an entity at any layer on the left side wants to take an action on an entity on the right side. For example:

Can this IP address talk with this other IP address? This type of policy is traditionally enforced by network firewalling.

Can this user load and run this unknown application? This type of policy is traditionally enforced by antivirus and application whitelisting software.

Can this user access this content? This type of policy is traditionally enforced by access control and digital rights management mechanisms.

Can this input be accepted by this application? This type of policy is traditionally enforced by application-level firewalls (such as a Web application firewall or a database firewall).

© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

When IT and business infrastructures are fairly static and well-defined, these security decisions are simpler, and there are fewer of them. In most cases, for the past 30 years, our organizations owned and controlled most of the entities shown in Figure 1 and Figure 2. In static IT infrastructures, ownership became a proxy for trust. Because we owned and controlled most of the pieces, information security policy enforcement points were typically only placed at the demarcation point (perimeter) between something we owned and something we didn't own (and, therefore, didn't trust). For example, we placed network firewalls where our network connected to the outside world, placed e-mail security gateways where we received outside e-mail and placed antivirus software where our systems accepted unknown executable code from the outside world.

This model of trusting "us" (we own it, we control it) and not trusting "them" (they own it, they control it), and placing security policy enforcement points only where we had a handoff between us and them, has worked reasonably well, but is coming under extreme pressure. It fails in a world where we increasingly don't own all the pieces of our business and IT infrastructures. Multiple converging trends in business and IT are tearing down the silos of traditional IT infrastructure, and tearing down the traditional, well-defined boundaries of our businesses. Collectively, these six trends are driving the need for adaptive, context-based security:

1. Mobilization. Our increasingly mobile workforce requires us to support anywhere, anytime access to our systems from a variety of locations using devices that vary in their trustability, including home machines.

2. Externalization and collaboration. This is the business imperative to open our IT systems to the outside world for the purposes of collaboration. By 2015, in most enterprises, more external users will access internal systems than employees.

3. Virtualization. The decoupling and abstraction of the entire IT stack and the movement to next-generation virtualized data centers mean that workloads and information will no longer be tied to specific devices and fixed IP addresses, breaking static security policies based on physical attributes.

4. Cloud computing. The shift to cloud-based computing resources means that we no longer own or control the infrastructure or applications that hold and process our workloads and information.

5. Consumerization. The increasing use of technology designed for consumers (devices and applications) in the enterprise requires that we now allow a wide variety of devices, not all of which are owned by the enterprise, to connect to our systems (e.g., smartphones and USB memory sticks), and users who demand access to a wider variety of consumer applications (e.g., Facebook).

Figure 2. Example Information Security Decisions Among Entities. "Can this entity take this action on this entity?" Example actions: open, read, write, communicate with, execute, e-mail, copy, print, paste, attach to, insert inside of, mount, migrate, start, stop, archive, recover. Source: Gartner (May 2010)

6. Industrialization of hackers. The shift from mass to targeted attacks requires a shift in protection strategies where we have less trust of internal users and systems, either as a result of a compromised insider or a targeted attack launched from one of our own internal systems that has been compromised.

3.0 Real-Time Context Leads to Measures of Trustability

The six trends identified here will collectively force a shift to context-based, adaptive security infrastructure. Instead of binary and static yes/no, us/them decisions that we can anticipate and define in advance, security decisions in emerging computing and business environments are not as clearly defined and not known in advance. Traditional approaches of whitelisting (allow known good, block everything else) and blacklisting (block known bad, allow everything else) assume we have excellent, high-assurance information as to what is trusted and what is not. This is no longer the case. Every element of our computing stack will need to be treated with a degree of uncertainty and skepticism. Security decisions that were largely black and white, and where policies were set statically in advance, become decisions with a multitude of shades of gray made dynamically at the time the request is made.

Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability: adaptive and context-aware security policy enforcement mechanisms that help us answer the real question: Do I have enough trust in the entities involved to take the requested action, at my current level of risk tolerance and given the current context, to allow the action to take place?

For example: "This user wants to execute this financial transaction. Should this be allowed or not?" Adaptive and context-aware security infrastructure would look at the context of the request before allowing or denying it. Is the device trustable? Is the network connection trustable? Where is the device currently located? When was the last access? How strong was the authentication credential used? What time of day is it? Does the transaction requested fall within historical patterns of being normal? To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made. This is the heart of adaptive and context-aware security.

4.0 Types of Context That Are Relevant to Security Decisions

Today, context-aware computing is most commonly associated with the use of environmental context information (such as location and time of day) to improve computing experiences. In a simple security example, a sensitive application could be restricted for use from only within an enterprise's physical location and only during working hours. In Figure 3, we have extended Figure 2 to include environmental context information.

However, in Gartner's definition of context-based computing, there is no restriction that environmental information be the only type of information that can be used to improve the computing experience. "An Information Model for Context-Enriched Services" maps out a four-layer model for different types of context information that provides a more detailed framework for this information. There are many types of contextual information that can be used at the point of the security decision to improve it. In addition to the community and environmental context from Gartner's context information model, any of the layers shown in Figure 3 can provide additional context for improved security decisions. Table 1 contains some examples.

All these layers (environmental, community, process, content, identity, application, OS, device and network) can provide useful context to real-time security decisions being made at the layers below them. For example, identity-level and application-level information can provide additional context to a network-level firewalling decision. Content-level information can provide additional context to a decision as to whether a document should be allowed to be e-mailed. Indeed, there are multiple real-world examples of the shift to the incorporation of context information in security decisions.

Figure 3. Adding Environmental Context to Security Decisions. "Can this entity take this action on this entity, in this context?" Example actions: open, read, write, communicate with, execute, e-mail, copy, print, paste, attach to, insert inside of, mount, migrate, start, stop, archive, recover. Environmental context examples: location, time of day. Source: Gartner (May 2010)

5.0 Examples of Context-Aware, Adaptive Security Infrastructure Today

We are seeing a shift to context-aware, adaptive security infrastructure across all areas of information security today. Network-level firewalls have been among the first to be transformed. Being lower in the stack, they are the most affected by the six trends identified in this research. As workers become more mobile, as businesses open up to collaborate, as computing shifts to the Web and cloud-based computing models, and as workloads are virtualized, traditional security policies based on static device and network-level attributes (such as port number or IP address) are increasingly ineffective. In "Defining the Next-Generation Firewall," we highlight the importance of application awareness (incorporating context information from the next context layer up, as shown in Table 1) as a key requirement of a next-generation firewall. In "Introducing the Identity-Aware Network," we highlight the importance of incorporating identity information into next-generation network adaptive security infrastructures (such as the TrustSec initiative from Cisco). There are many other examples of the shift to adaptive security infrastructure throughout information security infrastructure:

Identity and Access Management
Authentication is incorporating more real-time context at the point of the authentication decision, such as requiring stronger authentication when the context of the transaction indicates unusual behavior. Interestingly, in another example of the consumerization of enterprise IT, many of these techniques were pioneered many years ago to support consumer payment transactions (for example, store-based credit card payments or Web-based payments), where financial services institutions and other payment acceptors have little or no control over end-user devices, OSs or networks, and were forced to incorporate more context into adaptive security policy decisions to reduce fraud. Likewise, authorization decisions are also becoming more contextual with the shift to externalized authorization and entitlement management solutions that are better able to consume context information when policies are not statically predefined and hard-coded into applications. Organizations have also struggled with the limitations of traditional role-based access control mechanisms, which are too static for adaptive computing environments. The move to externalize authorization enforcement and the shift to attribute-based access control, authorization-based access control (ZBAC) and claims-based access architectures highlight this shift to incorporate context information in access management decisions.

Data Protection
To adequately protect sensitive information throughout its life cycle and across the entire enterprise IT ecosystem, most security policy enforcement points are becoming content aware. Content-aware data loss prevention (DLP) tools enable the dynamic application of policy based on the classification of content determined at the time of an operation; for example, giving e-mail security gateways the ability to identify when sensitive content is being sent via e-mail and to apply the appropriate security policy (for example, allow, block, log and encrypt) based on the context, such as the information being sent and the identity and role of the person the information is being sent to.

Network Access Control (NAC)
Whether used on guest networks, virtual private network (VPN) access or for all network access, NAC solutions are using real-time contextual information before allowing workstations to connect to the enterprise network: for example, based on a health assessment of the device to see if it is patched, doesn't appear to be compromised and has a current version of antivirus installed and running, or based on whether the device is known, placing unknown devices onto a guest network.

Intrusion Prevention Systems (IPSs)
Rather than apply all IPS rules to all traffic flows, next-generation IPS systems are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Network Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources, as well as reducing the chance of false positives.

Endpoint Protection Platforms (EPPs)
Faced with the increasing ineffectiveness of signature-based approaches, EPP vendors are supplementing traditional whitelisting and blacklisting models with community-based reputation services that provide real-time reputation look-up information when determining whether a given piece of executable code is trustable enough or not.
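The rule-selection mechanism in the IPS paragraph above, worked through as an added example in Python; this is not code from the Gartner note, Sourcefire or any other vendor. The sensor keeps a passively learned inventory of what each protected host runs and, for each flow, evaluates only the rules whose target product and vulnerable version range match the destination. When it has no positive knowledge of the target it falls back to every rule for that port, because pruning on a stale or incomplete inventory would blind the sensor. Hosts, rule IDs, products and version thresholds are constructed placeholders and do not correspond to real signatures or real vulnerabilities.

```python
"""Context-driven IPS rule selection.

Added example, not code from the Gartner note or any vendor.  Hosts, rule IDs,
products and version thresholds below are constructed placeholders, not real
signatures or vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.4.10' -> (2, 4, 10); tuples compare lexicographically, as versions should."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Rule:
    rule_id: str    # constructed placeholder, not a real signature ID
    port: int       # service port the rule inspects
    product: str    # software the attack targets
    fixed_in: str   # first version that is no longer vulnerable (assumption)


@dataclass(frozen=True)
class Host:
    os: str
    services: Dict[int, Tuple[str, str]]  # port -> (product, version), learned passively


# Constructed rule set.
RULES = [
    Rule("R-1001", 80, "apache-httpd", "2.4.10"),
    Rule("R-1002", 80, "nginx", "1.6.0"),
    Rule("R-1003", 80, "iis", "8.0"),
    Rule("R-1004", 445, "windows-smb", "10.0"),
    Rule("R-1005", 22, "openssh", "7.0"),
]

# Constructed asset inventory: the "real-time network awareness" the text refers
# to, i.e. what each protected host runs, observed from its own traffic.
INVENTORY: Dict[str, Host] = {
    "10.0.0.5": Host("linux", {80: ("apache-httpd", "2.4.3"), 22: ("openssh", "7.4")}),
    "10.0.0.9": Host("windows", {80: ("iis", "8.5"), 445: ("windows-smb", "6.1")}),
}


def applicable_rules(dst_ip: str, dst_port: int,
                     inventory: Dict[str, Host] = INVENTORY,
                     rules: List[Rule] = RULES) -> List[str]:
    """Rule IDs worth evaluating for a flow to dst_ip:dst_port, given the inventory."""
    port_rules = [r for r in rules if r.port == dst_port]
    host = inventory.get(dst_ip)
    service = host.services.get(dst_port) if host else None
    if service is None:
        # No context for this target: fall back to every rule for the port.
        # Pruning is only safe when the inventory positively knows the service.
        return [r.rule_id for r in port_rules]
    product, version = service
    return [r.rule_id for r in port_rules
            if r.product == product
            and parse_version(version) < parse_version(r.fixed_in)]


def rules_per_flow(flows: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Map each 'ip:port' target in a batch of flows to the rule IDs that apply."""
    return {f"{ip}:{port}": applicable_rules(ip, port) for ip, port in flows}


def evaluation_counts(flows: List[Tuple[str, int]]) -> Tuple[int, int]:
    """(rule evaluations with port-only matching, rule evaluations with context)."""
    naive = sum(len([r for r in RULES if r.port == port]) for _, port in flows)
    contextual = sum(len(applicable_rules(ip, port)) for ip, port in flows)
    return naive, contextual


# Constructed sample flows: the Linux web server and its patched SSH, the Windows
# host's old SMB and its patched IIS, and a host the inventory has never seen.
SAMPLE_FLOWS = [("10.0.0.5", 80), ("10.0.0.5", 22), ("10.0.0.9", 445),
                ("10.0.0.9", 80), ("10.0.0.77", 80)]

if __name__ == "__main__":
    for target, ids in rules_per_flow(SAMPLE_FLOWS).items():
        print(f"{target:16} -> {ids or 'no applicable rules'}")
    print("rule evaluations, port-only vs. context-aware:", evaluation_counts(SAMPLE_FLOWS))
```

Run stand-alone, the five constructed flows go from 11 rule evaluations with port-only matching to 5 with context; the two hits on patched services produce no evaluations at all, which is where the false-positive reduction the text mentions comes from. The unknown-host fallback is the check a practitioner wants: context narrows the rule set only when it is present, never by default.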

Table 1. Examples of Context Information That Might Be Relevant to a Security Decision

For each context layer, the first line lists example categories at that layer and the second lists examples of contextual information available at that layer.

Environmental
  Categories: local environment; macroenvironment
  Contextual information: location; prior location; proximity; time of day, month, year; time elapsed since last action; temperature; ambient lighting

Community
  Categories: friends; family; social networks
  Contextual information: relationships; patterns of uptake; presence; links; tagging

Process
  Categories: customer facing; revenue producing
  Contextual information: importance of the process; impact on revenue if down; SLA requirements; current users of the process

Content
  Categories: files; databases; executable content; e-mail; input
  Contextual information: sensitivity of content; trust of the content; reputation of executable code; reputation of the e-mail; known vulnerabilities; input from the collective

Identity
  Categories: organization; user; group
  Contextual information: reputation of the user; strength of authentication; current role; team membership; clearance level; transaction amount limit; credit rating

Application
  Categories: service; transaction; APIs; uniform resource identifier (URI)/URL
  Contextual information: reputation of the application; reputation of the URL; sensitivity of the transaction; amount of the transaction; historical patterns of behavior; patch level; known vulnerabilities; SLA requirements

OS
  Categories: processes; threads; system calls; device drivers
  Contextual information: historical patterns of behavior; health of the OS; patch level; known vulnerabilities; root of trust measurements

Device
  Categories: virtualization platform type; virtual machine or physical
  Contextual information: health of the device; managed/unmanaged; enterprise owned?; storage encrypted?; strength of encryption?; accelerometer data

Network
  Categories: IP address; packets; connection types; port/protocol
  Contextual information: reputation of the IP address; network reputation; traffic encrypted?; strength of encryption?; historical patterns of behavior; known vulnerabilities

Source: Gartner (May 2010)

Secure Web Gateways (SWGs)
Like the EPP, simple Web proxy filtering and blocking based solely on URL information is increasingly insufficient. SWGs are evolving well beyond static URL filtering to incorporate context information such as the reputation of the URL, the location and reputation of the source IP address and other information at the point of the security policy enforcement decision. These products are also becoming content aware to help monitor for data loss on outbound connections.

While a few of the information security vendors have adopted the term "adaptive security infrastructure," most are using the terms application awareness, identity awareness and content awareness as adaptive and context-aware security capabilities are added. Instead of being separate requirements, we believe these are all examples of an underlying architectural shift to context-aware and adaptive security infrastructure. Each independently describes the need to incorporate higher levels of context into security decisions to improve those decisions.

6.0 Looking Ahead: Context Lays the Foundation for the Shift to Adaptive Risk-Based Security

Context is a foundational element for adaptive security infrastructure, but alone it is not sufficient. In a world where the entire IT stack has been decoupled, and our systems and information have been dispersed around the world on systems we don't own and don't control, attempting to predetermine all possible usage scenarios and enforce them using static, predefined security policies will simply not scale, nor provide the flexibility demanded by businesses. In dynamic business and IT environments, we cannot anticipate all needs to access systems and content. Static security infrastructure is becoming an inhibitor to dynamic business needs. Context-aware security mechanisms provide a layer of abstraction and automation of security policies that can adapt to the context of the request at the time the security decision is made. Users will have access to things they would otherwise have been restricted from under static policies, where the need for them to access the information wasn't presupposed.

Even after becoming context aware, we cannot place a security policy enforcement point at every demarcation point between something we own and control and something we don't. Information security budgets cannot continue to grow at a faster rate than overall IT budgets. The realities of budget and resource constraints will force us to start using differential and intelligent security protection where the risk/reward ratio is optimized. We cannot protect everything equally, nor is everything we need to protect of equal value. As information security evolves to become adaptive and context aware, our approach to risk management must change as well. Rather than deploying all security controls possible, we must shift to intelligent and adaptive placement of controls based on the context of the action being requested: the importance of the process being protected, the content being handled, the trustability of the entities involved and our tolerance for risk. This is often referred to as the shift to trust-based or risk-based security, and context awareness will be a key enabler.

Finally, although there are examples of application, identity and content awareness being used to context-enrich security infrastructure, process awareness is the next frontier. Here, knowledge of the context of the business process supported by the requested action will be a factor in context-aware, risk-based decision making; for example, how important the process is to the revenue generation capabilities of the business, or the number of people that would be affected if the process became unavailable. Process awareness and context will require tighter integration with operational infrastructures, which have the same need to support SLAs for these processes and the same fundamental requirement to provide resilient systems and information as information security does.
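The question posed in Section 3.0, the step-up authentication of the Section 5.0 identity and access management example and the per-process risk tolerance of Section 6.0, worked through as an added example in Python; this is not code from the Gartner note or any vendor. Each context signal gathered for the request contributes to a trustability score; the bar the score must clear depends on what is being touched; and the outcome is allow, step-up or deny rather than a static yes/no. The `Context` fields, the weights and thresholds, the two entries in `POLICIES` and the sample requests are all assumptions made for this example.

```python
"""Context-aware, risk-adaptive access decision.

Added example, not code from the Gartner note or any vendor.  Signals, weights,
thresholds, policies and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class Context:
    """Signals gathered at decision time, one or two per Table 1 layer (assumed)."""
    device_managed: bool         # device: enterprise-owned / under management
    device_healthy: bool         # device (NAC posture): patched, AV current
    auth_strength: int           # identity: 1 = password, 2 = OTP, 3 = hardware token
    network_trusted: bool        # network: corporate LAN or VPN vs. unknown
    country: str                 # environmental: current location
    usual_countries: Set[str]    # historical pattern: where this user normally is
    hour: int                    # environmental: local time of day, 0-23
    amount: float = 0.0          # application: transaction amount
    typical_amount: float = 0.0  # historical pattern: this user's usual amount


@dataclass(frozen=True)
class ActionPolicy:
    """Risk tolerance for one action; the process layer sets how high the bar is."""
    min_trust: int          # score that allows the action outright
    step_up_trust: int      # score at which stronger authentication may compensate
    require_managed: bool   # hard requirement that no other context can offset


POLICIES = {
    "read_report": ActionPolicy(min_trust=4, step_up_trust=2, require_managed=False),
    "wire_transfer": ActionPolicy(min_trust=8, step_up_trust=5, require_managed=True),
}


def trust_score(ctx: Context) -> Tuple[int, List[str]]:
    """Fold the context into one trustability score, keeping the reasons for audit."""
    score, why = 0, []

    def add(points: int, reason: str) -> None:
        nonlocal score
        score += points
        why.append(f"{reason} ({points:+d})")

    if ctx.device_managed:
        add(2, "managed device")
    if ctx.device_healthy:
        add(2, "healthy posture")
    add(ctx.auth_strength, f"authentication strength {ctx.auth_strength}")
    if ctx.network_trusted:
        add(1, "trusted network")
    if ctx.country in ctx.usual_countries:
        add(1, "usual location")
    else:
        add(-2, f"unusual location {ctx.country}")
    if 7 <= ctx.hour <= 19:
        add(1, "working hours")
    else:
        add(-1, "outside working hours")
    if ctx.typical_amount and ctx.amount > 3 * ctx.typical_amount:
        add(-3, "amount far above historical pattern")
    return score, why


def decide(action: str, ctx: Context) -> Tuple[str, int, List[str]]:
    """Return (verdict, score, reasons) for this request: allow, step_up or deny."""
    policy = POLICIES[action]
    if policy.require_managed and not ctx.device_managed:
        return DENY, 0, ["unmanaged device is not permitted for this action"]
    score, why = trust_score(ctx)
    if score >= policy.min_trust:
        return ALLOW, score, why
    # Step-up only helps if the user can still present something stronger.
    if score >= policy.step_up_trust and ctx.auth_strength < 3:
        return STEP_UP, score, why
    return DENY, score, why


# Constructed sample requests.
OFFICE = Context(device_managed=True, device_healthy=True, auth_strength=2,
                 network_trusted=True, country="DE", usual_countries={"DE"}, hour=10)
LARGE_TRANSFER = replace(OFFICE, amount=50_000.0, typical_amount=5_000.0)
HOME_PC = Context(device_managed=False, device_healthy=False, auth_strength=1,
                  network_trusted=False, country="DE", usual_countries={"DE"}, hour=14)

if __name__ == "__main__":
    for label, action, ctx in [("office, report", "read_report", OFFICE),
                               ("office, large transfer", "wire_transfer", LARGE_TRANSFER),
                               ("home PC, report", "read_report", HOME_PC),
                               ("home PC, transfer", "wire_transfer", HOME_PC)]:
        verdict, score, why = decide(action, ctx)
        print(f"{label:24} -> {verdict:8} score {score:3}: {'; '.join(why)}")
```

Three design points carry over to a real policy decision point. The reasons list is returned with the verdict so that every adaptive decision is explainable after the fact; a hard requirement (here, a managed device for wire transfers) is checked before scoring, because no amount of favourable context should compensate for it; and step-up is only offered when the user can actually present something stronger, so a request that already used the strongest credential and still falls short is denied rather than looping.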

Acronym Key and Glossary Terms

Context: the circumstances within which something exists or happens, and that can help explain or understand it.
Context action: an action triggered in response to a change in context.
Context analysis: rules that are applied by a context broker in response to the arrival of context data, and that either deduce new context data or trigger context actions.
Context aware: an adjective used to describe applications or services that use context.
Context broker: a software component that collects and stores context data, deduces context, and triggers context actions.
Context data: raw or processed information that contributes to determining the context of a person or object.
Context-enriched service: a service that exploits or is enriched by context.
Context provider: an organization that operates a context broker to provide contextual services.