Winkler Cloud, ORCON, and Mobility
Posted: 19-Oct-2014
Category: Technology
Description: Transcript of Winkler Cloud, ORCON, and Mobility
© Cocoon Data Holdings Limited 2013. All rights reserved.
Keeping Data Confidential Beyond the Enterprise:
“...Would you like some ORCON with your data?"
Vic Winkler, CTO
Covata USA, Inc
Reston, Virginia
mini-bio
• Author: “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, May 2011 (Elsevier/Syngress)
• CTO: “Self-Defending Data”, www.Covata.Com, Reston VA | Sydney Australia
• Published Researcher: Secure Operating System Design, Network Monitoring, Intrusion Detection, Information Warfare (PRC Inc., Northrop)
• Security Design & Engineering: Sun Grid Compute Utility, Network.Com, The Sun Public Cloud (Sun Microsystems); Government & Defense Customers (Booz Allen Hamilton, Sun Microsystems, PRC)
• Contact: work: [email protected] personal: [email protected]
The Point of this Talk
• You already know this:
- Vulnerabilities and Exploits are Inevitable
- The Perimeter is dead. Long live the Perimeter
- BYOD and Cloud Undermine Enterprise IT
• Unfortunately:
- The data itself remains unprotected (inconsistent crypto)
- The goal isn’t just security – it’s control over your data
- DRM | IRM | ORCON extend your control over data
- Persisting Control for X-domain and Ad-hoc Sharing? ORCON
What is Hacking?
• One definition: Focusing on the “protective” qualities of cardboard and ignoring the door
Which is the better defense: A Glass Door … or a Castle?
Answer: It depends on what you seek to protect from whom
A “Not-so” Accurate History of Security
(The Dumb Terminal Has Value)
Cloud Computing: A Newer Model for IT
We are trading control for agility and cost savings.
Where Responsibility Resides
Your Limits as a Tenant
…A Closer Look
Organizational Control
Vendor Transparency
Many “Concerns”: Cloud Security
• Insecure Interfaces & APIs: Assess the provider’s security model. Check whether strong authentication, access controls and crypto are used.
• Malicious Cloud Provider Employee: Lack of provider transparency as to processes and procedures can raise concern about the provider’s insider threat problem.
• Concerns about Shared Infrastructure: Monitor for changes, follow best practices, conduct scanning and config audits.
• Data Loss & Leakage: Encrypt. Verify APIs are strong. Verify provider backups are appropriate.
• Account or Service Hijacking: Use “safe” credentials, 2+-factor, monitor.
• …A Public Service isn’t for Everyone. And yet: compared to most enterprises, Amazon, Rackspace and Google have superior IT security implementations and procedures.
Cyber Security? (…Maybe Data Finally Deserves its own Protection)
• Networks & Infrastructure: Hard to keep safe. “Current security efforts focus on individual radios or nodes, rather than the network, so a single misconfigured or compromised radio could debilitate an entire network” (DARPA)
…Is it a fantasy to believe you can secure everything? …And keep it so?
Is there a “keep it simple stupid” strategy that can work?
• IT is always changing: BYOD – a new attack vector. Trade-offs against corporate “control”
• Rescind -or- retract data you shared, or a recipient?
• The social phenomenon (OMG) (We are doomed)
Motivation for Data-Level Encryption
• Protecting the Network & Nodes
Perimeter complacency… (oh wait, it’s “dead”)
But …what about the data itself?
• My Backup is on Your Email Server
• Encryption Stovepipes
• Full Disk Encryption vs. Data Level
“Goldilocks was Here”
(“just right”)
Access Controls: A Comparison
What is ORCON?
• U.S. Intelligence Community: Desired “Originator Control” in Closed-Network Information Sharing
Examples: Rescind Access; Prevent Forwarding
• Does not Exactly Align with Classic Access Controls:
- MAC – Mandatory Access Controls (User Clearance : Data Classification)
- DAC – Discretionary Access Controls (Usually too simple, such as “UGO”)
- Capability Based – Defines access rights (Akin to a “file descriptor”, process oriented)
- Role Based – Aligns well with “pools of users” problems
• …ORCON is a big part of what you really want
ORCON Control over Data
ORCON is Related to: DRM & IRM
• DRM or IRM solutions expand on access controls with “rights”
• Rights can be anything (download, forward, print, …)
• Commercial systems typically use PKI, which is messy, has limits, and gets complicated
• Examples: Oracle Entitlement Server; EMC’s Documentum; Microsoft DRM; AD Rights Management Services
• These are typically “heavyweight” and entail “services drag”
• They require integration with your workflow …unless you are happy using default applications like Sharepoint
“Sharing Should Just Work”
Use of a Cloud-Based Key Service
Encryption in the Workflow
How it Works
ORCON …
• But does it have to be “Originator” control? No.
1) The enterprise might need to specify default controls for:
All data that is shared between identified individuals
All data that is sent to specific external entities
Specific recipient devices
2) Enterprise DLP systems might need to be bypassed (encrypted content)
Thus:
Encrypted content must meet certain standards
Certain content may warrant additional specific controls
3) The enterprise might “attach” additional ORCON (for instance, by a DLP)
• ORCON is a flexible framework for persisting controls
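To make the slide’s layered model concrete, here is an added toy model (not Covata code, not from the talk) of a data object that carries its own ORCON policy: the originator grants and can rescind per-recipient rights, while the enterprise and a DLP step attach default controls for external entities and specific devices that can only narrow those rights. All names, domains and device identifiers are constructed.

```python
from dataclasses import dataclass, field
ALL_RIGHTS = frozenset({"view", "download", "forward", "print"})

@dataclass
class ProtectedObject:
    originator: str
    grants: dict = field(default_factory=dict)    # recipient -> rights set by the originator
    attached: list = field(default_factory=list)  # (label, restrict) controls from enterprise/DLP
    def grant(self, recipient, rights):
        self.grants[recipient] = set(rights)

    def rescind(self, recipient):
        # Originator withdraws access; the object remembers it wherever it travels
        self.grants.pop(recipient, None)

    def attach(self, label, restrict):
        self.attached.append((label, restrict))  # attached controls only remove rights

    def effective_rights(self, recipient, device):
        rights = set(self.grants.get(recipient, ()))
        for _label, restrict in self.attached:
            rights &= restrict(recipient, device)
        return rights

    def check(self, recipient, device, action):
        return action in self.effective_rights(recipient, device)

# Enterprise default controls: each returns the rights still permitted for a (recipient, device) pair
def no_forward_outside(domain):
    def restrict(recipient, device):
        return ALL_RIGHTS if recipient.endswith("@" + domain) else ALL_RIGHTS - {"forward"}
    return restrict

def view_only_on_unmanaged(managed_devices):
    def restrict(recipient, device):
        return ALL_RIGHTS if device in managed_devices else {"view"}
    return restrict

def dlp_no_download(recipient, device):
    return ALL_RIGHTS - {"download"}

def build_document():
    doc = ProtectedObject(originator="alice@corp.example")  # constructed sample data
    doc.grant("bob@corp.example", ALL_RIGHTS)
    doc.grant("carol@partner.example", {"view", "download", "forward"})
    doc.attach("no forwarding to external entities", no_forward_outside("corp.example"))
    doc.attach("view-only on unmanaged devices", view_only_on_unmanaged({"laptop-17"}))
    doc.attach("DLP: tagged content may not be downloaded", dlp_no_download)
    return doc
```

Because every layer must allow an action, the external recipient ends up view-only even on a managed device, and a rescind by the originator removes access regardless of what the enterprise layers permit.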
Options: Enable the Workflow or App
The Nature of Risk
The Point of this Talk
• You already know this:
- Vulnerabilities and Exploits are (ABSOLUTELY) inevitable
- The perimeter (REALLY) is dead. Long live the perimeter
- BYOD and Cloud (IRRESISTIBLY) undermine enterprise IT
• Unfortunately:
- The data itself remains unprotected (inconsistent crypto)
- The goal isn’t just security – it’s control over your data
- DRM | IRM | ORCON extends your control
- For X-domain and ad-hoc use
ORCON Persisting Control over Data
Thank You!
Work [email protected]
Personal [email protected]
On: Google+ & LinkedIn