Defense-in-Depth has Become Extinct or ... - Security BSides


Page 1: Defense-in-Depth has Become Extinct or ... - Security BSides

© 2014. All Rights Reserved. Information and Communications Technology

www.usask.ca/ict

1

www.usask.ca/ict

Defense-in-Depth has Become Extinct, or Information Security in the Post-Enterprise World
BSides Ottawa 2014
Dr. Lawrence G Dobranski P.Eng., Director ICT Security
University of Saskatchewan

Page 2

The University of Saskatchewan is a member of the U15, the top 15 research universities in Canada.

• 22,500 students from 100 countries (2013)
• 16:1 student to faculty ratio
• Annual budget of $1B
• $9.2 million annually in scholarships and bursaries
• > 120 Graduate Degree Programs
• ~ 200 Undergraduate Programs

Page 3

Information & Communications Tech @ uSask

• Open, de-perimeterised environment
  – 15,000 mobile users connecting daily via a ubiquitous wireless network
  – Most of them BYOD (Bring Your Own Device)
• Includes:
  – private cloud
  – multiple data centers
  – high performance research computing
  – petabytes of storage
  – multi-gigabit connections to the Internet and international research networks

Page 4

Mobile & Cloud @ U of S

• ~15K Personal Mobile Devices Daily (2013)
• ~3.5K Access Points (2013)
• Cloud Services include:
  – Travel & Expense Management
  – Student Employment
  – Responsible Disclosure
  – Survey Tools
  – Crowd Funding
• iuSask – Award winning university service app for mobile devices

Page 5

IT Consumerization, BYOD, and Cloud Services represent a significant technology & societal disruptor and the arrival of the ‘Post Enterprise World’

[Figure: BYOD, Cloud Services and IT Consumerization converging on People, Process, Technology]

Page 6

Personal Mobile Devices

• Mostly termed BYOD for bring your own device
• Represented by the convergence of mobile computing:
  – Laptop, netbook, palm top, tablet, phone
  – A matter of size and battery life
  – Computing power no longer a limitation
• Stakeholders have multiplied:
  – Carriers (maybe more than one)
  – 3rd party content (multimedia, software, services)
  – Other relying parties:
    • Employer (more than one)
    • School
    • Personal

Page 7

Cloud Computing

• Architectures:
  – Public
  – Private
  – Hybrid
• Service Oriented:
  – Software as a Service
  – Platform as a Service
  – Applications as a Service
  – Security as a Service
  – And yes: Malware as a Service
• Business Models:
  – Free (if I can mine your data)
  – Commercial (pay for it)
  – Corporate (a cloud for the enterprise)
  – Personal (really?)

Page 8

BYOD & Cloud – A Multi-Dimensional Risk Problem

• Not just a “technology” problem
  – A technological solution does not address the entire risk spectrum.
  – The business perspective is critical.
  – It does not recognize “de-perimeterisation” or “context of use”.
• At Risk:
  – Confidentiality, Integrity, Availability of information and services
  – Personally-identifiable information (aka Privacy)
  – Business survivability
  – The user, the enterprise, the carrier, and 3rd party information and services

Page 9

BYOD & Cloud – Risk Environment

• Banning BYOD or Cloud Services usually just forces them underground
  – Going underground:
    • Hides the threat
    • Hides the risk
  – Better to manage it rather than ban it
• Need to support controlled, secure access to data and services
  – No matter how accessed or how provisioned

Page 10

BYOD & Cloud – a disruptive technological evolution

• Eradication of boundaries
  – That are traditionally used to define the enterprise
  – Separate trusted and untrusted domains no longer clear
  – Defense-in-depth going extinct
• Context of use
  – How, why, where, what, when regarding data and service access

[Figure: the defense-in-depth layers – Data, Application, Host, Internal Network, Perimeter, Physical, and Policies, Procedures, Practices – set against De-perimeterisation and the evolution to the mobile, social media, always-on society]

Page 11

De-perimeterisation

• Concept originally championed by The Open Group’s Jericho Forum®
• Traditionally, organizations relied upon boundaries and perimeters to provide security and different areas of trust.
• BYOD and Cloud Services mean that the boundaries have changed or do not exist.

Now it is not just who is inside your perimeter accessing the data, but who, where, how, and with what.

Page 12

Moving Beyond a Perimeter Security Model

Before BYOD & Cloud
• Hard perimeter
• Clear policy enforcement points
• Defense-in-depth strategy
• Only organizational supplied hardware & software on the network
• Able to answer:
  – Who is accessing?
  – How they are accessing?
  – Where are they?
• Clear whose device and who owns the data
• Threats understood
• Compliance achievable

After BYOD & Cloud
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• No longer clear:
  – Who is accessing?
  – How they are accessing?
  – Where are they?
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?

Page 13

Mitigating the De-perimeterisation Risk

After BYOD & Cloud
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• Discretionary Access Control
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?

BYOD & Cloud Mitigation (mitigate the above with):
• Sandbox Applications and Data
• Application Integrity
• Policy enforced at application and data boundaries
• Mandatory access control for servers and infrastructure
• Compliance requires clear policy/procedures/processes
• Enhanced, context aware authentication/authorization
• Security Awareness Critical

Do you know where your organization’s data is?

Page 14

Context of Use, aka Mobility

• A significant business driver by itself
• Institutions want to be agile, to be accessible, and to support collaboration
  – No matter where their users are
  – No matter what device they are using
  – Expanding to include however they are accessing data and services
• Focus is giving ubiquitous access to organization data, networks, services, and applications
  – To be agile, responsive, and value-providing anywhere at any time

Page 15

Context of Use – No Longer Just Who

• Traditionally IAM only addresses ‘Who is accessing the data?’
  – Privileges:
    • Discretionary access control
    • We know who you are, we trust you
• Now need to ask:
  – How is the data being accessed?
  – Who is delivering the data and service?
  – Where is it being accessed from? Location and device are critical
  – What expectations are there for the data’s confidentiality, integrity, and availability?
  – Who owns and controls the data?
  – Who owns and controls the device?
• Is the security policy/security compliance adaptable based on these considerations?
• Who do you trust?

Page 16

The context of the mobile device and the service provided must be reflected in the authorizations granted to the authenticated user.

[Figure: Context of Use – Where, Who, What, When, Why, How]
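The following is an added example (my code, not code from the slides or from the University of Saskatchewan) of what "context reflected in the authorizations" looks like as a policy decision: the questions from the previous slides (who, what, where, how, whether the device is organisation-owned and managed, whether it is encrypted, which jurisdiction the access comes from) become fields of a request context, and one policy function maps that context to allow, deny or step-up. The data classes, device states, network labels, country list and every rule are constructed assumptions for illustration; the point is that the same authenticated user gets a different answer on a managed campus device than on a personal device off-network.

```python
"""Context-aware authorization for a de-perimeterised environment.

Added example, not code from the slides or from the University of
Saskatchewan. It turns the slide's questions (who, what, where, how, and
who owns and controls the device) into a request context and evaluates a
policy over it, so that the same authenticated user gets different
authorizations depending on device and location. Every data class, device
state, network label and rule below is a constructed assumption.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Data classes, ordered least to most sensitive (assumed vocabulary)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class RequestContext:
    user: str                   # who
    authenticated: bool         # identity verified by the identity provider
    mfa: bool                   # step-up (second factor) completed
    device_owner: str           # "organisation", "personal" or "third-party"
    device_managed: bool        # configuration verifiable by the organisation
    device_encrypted: bool      # threat attribute 12 on the slides
    network: str                # "campus", "vpn" or "untrusted" (where / how)
    country: str                # where the access originates (jurisdiction)
    data_class: Classification  # what is being accessed
    action: str                 # "read" or "write"


@dataclass(frozen=True)
class Decision:
    effect: str    # "allow", "deny" or "step-up"
    reason: str


def authorize(ctx: RequestContext, allowed_countries=frozenset({"CA"})) -> Decision:
    """Decide one request. Rules are constructed for the example and are
    checked most-restrictive first; "step-up" tells the caller to demand MFA
    and retry rather than failing the request outright."""
    if not ctx.authenticated:
        return Decision("deny", "not authenticated")

    if ctx.data_class == Classification.RESTRICTED:
        # Restricted data: organisation-managed, encrypted device, trusted
        # network, permitted jurisdiction, and MFA. Personal devices never qualify.
        if ctx.country not in allowed_countries:
            return Decision("deny", "restricted data outside permitted jurisdiction")
        if ctx.device_owner != "organisation" or not ctx.device_managed:
            return Decision("deny", "restricted data requires an organisation-managed device")
        if not ctx.device_encrypted:
            return Decision("deny", "restricted data requires device encryption")
        if ctx.network not in ("campus", "vpn"):
            return Decision("deny", "restricted data is not served to untrusted networks")
        if not ctx.mfa:
            return Decision("step-up", "MFA required for restricted data")
        return Decision("allow", "restricted data, fully trusted context")

    if ctx.data_class == Classification.CONFIDENTIAL:
        # Confidential data: encrypted device plus MFA; an unmanaged (personal)
        # device may read but not write, which bounds what a lost device can alter.
        if not ctx.device_encrypted:
            return Decision("deny", "confidential data requires device encryption")
        if not ctx.mfa:
            return Decision("step-up", "MFA required for confidential data")
        if ctx.action == "write" and not ctx.device_managed:
            return Decision("deny", "writes to confidential data require a managed device")
        return Decision("allow", "confidential data, MFA on an encrypted device")

    if ctx.data_class == Classification.INTERNAL:
        # Internal data: any authenticated user, but MFA once off the trusted networks.
        if ctx.network == "untrusted" and not ctx.mfa:
            return Decision("step-up", "MFA required for internal data off-network")
        return Decision("allow", "internal data")

    # Public data is readable by anyone authenticated and writable by no one here.
    if ctx.action == "read":
        return Decision("allow", "public data")
    return Decision("deny", "public data is read-only")


if __name__ == "__main__":
    # Same user, same data, two device contexts: the decision differs.
    managed = RequestContext("alice", True, True, "organisation", True, True,
                             "campus", "CA", Classification.RESTRICTED, "read")
    personal = RequestContext("alice", True, True, "personal", False, True,
                              "untrusted", "CA", Classification.RESTRICTED, "read")
    for ctx in (managed, personal):
        d = authorize(ctx)
        print(f"{ctx.device_owner:<13} {ctx.network:<10} -> {d.effect}: {d.reason}")
```

The device fields are only as trustworthy as their source: on an organisation-managed device they can come from the management agent, whereas a personal device can at best self-report them, which is why the restricted branch refuses unmanaged devices outright instead of trusting a claimed "encrypted" flag.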

Page 17

The Context of Use Dilemma

Before BYOD & Cloud
• Hard perimeter
• Clear policy enforcement points
• Defense-in-depth strategy
• Only organizational supplied hardware & software on the network
• Able to answer:
  – Who is accessing?
  – How they are accessing?
  – Where are they?
• Clear whose device and who owns the data
• Threats understood
• Compliance achievable
• Jurisdiction clear

After BYOD & Cloud
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• No longer clear:
  – Who is accessing?
  – How they are accessing?
  – Where are they?
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?
• Jurisdiction not clear

Page 18

Mitigating the Context of Use Risk

After BYOD & Cloud
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• No longer clear:
  – Who is accessing?
  – How they are accessing?
  – What are they using to access?
  – Where are they?
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?
• Jurisdiction more clear

BYOD & Cloud Mitigation (mitigate the above with):
• Sandbox Applications, Data, & Services
• Security from a data perspective
• Application Security
• Policy enforced at application and data boundaries
• Mandatory access control for servers and infrastructure
• Compliance requires clear policy/procedures/processes
• Enhanced, context aware authentication/authorization
• Security Awareness Critical

Do you know where your organization’s data is?

Page 19

Regulatory & Legal Issues

• Most regulatory & compliance regimes:
  – Built for a traditional defense-in-depth model
  – Corporate owned, or at least controlled, devices on a corporate owned or managed network
• No acknowledgement of:
  – BYOD or Cloud Based Services
  – Multiple stakeholders
  – Multiple jurisdictions
• Who owns the data?
• Who controls the data?
• Are you sure?
• Whose jurisdiction?

Page 20

Security, Privacy, & Audit in a BYOD & Cloud World

• Consider:
  – User in country A
  – Whose company’s HQ is in country B
  – Using a mobile device from a carrier in country C
  – Accessing servers located in country D
  – Containing data of citizens of country E
  – Using software from a firm located in country F
  – Regarding a transaction with a firm located in country G

So whose jurisdiction and policies apply?

Page 21

And the survey said…

• Work based on a survey of 750 security professionals in Canada
• Professionals from the ITAC Cyber Security Forum
• Basis for DSc dissertation…

Page 22

Research Question

What are the critical factors influencing information security professionals’ perceptions of information security risks and threats in BYOD environments?

Page 23

Independent and Dependent Variables

[Figure: research model]
Independent Variables: Context of Use, Compliance, Security Controls, Security Awareness, De-perimeterisation
Dependent Variable: Information Security Professionals’ Perception of Risk Due to BYOD

Page 24

Importance-Performance Analysis

• Technique to measure importance and performance of attributes
• Developed originally by Myers and Alpert (1968)
• Successfully extended to other domains
• Output recognizable as the familiar four quadrant graph

Based in part on “Importance-Performance Analysis” by Martilla and James, 1977, as featured in “A critical evaluation of importance-performance analysis” by Azzopardi and Nash, 2013.

Page 25

Importance Performance Analysis Applied to Risk Analysis

[Figure: four-quadrant grid (quadrants I–IV) plotting Likelihood (Low to High) against Impact (Low to High); quadrant labels: High Risk (Sustain Risk Mitigation), Medium Risk (Risk Mitigation Required), Low Risk (No change in Risk Mitigation), Medium Risk (Curtail Risk Mitigation)]

Likelihood scale:
1 Extremely unlikely
2 Unlikely
3 Neutral
4 Likely
5 Extremely likely

Impact scale:
1 No consequence
2 Minor consequence
3 Moderate consequence
4 Major consequence
5 Critical consequence

Page 26

Data Collection

• Research Site:
  – Cyber Security Forum of the IT Association of Canada
• Approximately 750 information security professionals across multiple industries and domains
• Research instrument:
  – 15 threat attributes
  – 7 demographic questions
  – 84 responses received, 64 deemed to be valid

Page 27

BYOD Threat Attribute Ratings

No.  Attribute Description
1    Owner of the device controls the context of use, not the organization.
2    Loss of policy enforcement points.
3    Device handling personal and work data simultaneously.
4    Device will be used to access networks which the organization cannot control access.
5    Security perimeter now at data level.
6    Verification of the implementation of security controls may not be possible.
7    A copy of data of interest to the organization may only exist on the device and not within the organizational network.
8    Security policy on device is not in the control of the organization.
9    Lack of clear boundaries/areas of trust.
10   Organization administrators not controlling the configuration of the device connecting to the organization's network.
11   Cannot completely wipe the device because it contains personal data that may or may not be backed up.
12   Data on the device may not be encrypted.
13   Device may not have a password or a password of appropriate strength.
14   Lack of user understanding that the use of personal mobile device can expose organization to significant risks.
15   Lack of user understanding of where the device is used affects the risk to the organization's assets.

Page 28

BYOD Risk Results

No.  Attribute Description                                                                                    Risk   σ    Rank
1    Owner of the device controls the context of use, not the organization.                                   15.9   0.4  5
2    Loss of policy enforcement points.                                                                        14.3   0.4  9
3    Device handling personal and work data simultaneously.                                                   15.7   0.3  6
4    Device will be used to access networks which the organization cannot control access.                     16.1   0.2  4
5    Security perimeter now at data level.                                                                    15.2   0.3  7
6    Verification of the implementation of security controls may not be possible.                             13.0   0.4  14
7    A copy of data of interest to the organization may only exist on the device and not within the
     organizational network.                                                                                  12.6   0.5  15
8    Security policy on device is not in the control of the organization.                                     13.1   0.4  13
9    Lack of clear boundaries/areas of trust.                                                                 13.2   0.4  12
10   Organization administrators not controlling the configuration of the device connecting to the
     organization's network.                                                                                  13.9   0.4  10
11   Cannot completely wipe the device because it contains personal data that may or may not be backed up.    13.5   0.3  11
12   Data on the device may not be encrypted.                                                                 17.5   0.3  2
13   Device may not have a password or a password of appropriate strength.                                    14.5   0.4  8
14   Lack of user understanding that the use of personal mobile device can expose organization to
     significant risks.                                                                                       17.5   0.3  3
15   Lack of user understanding that where the device is used affects the risk to the organization's assets.  17.8   0.3  1
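The following is an added example (my code, not the dissertation's analysis) that reproduces the shape of the analysis on slides 25, 26 and 28 on constructed survey data: each respondent rates each threat attribute on the two 1-5 scales, responses with a missing rating are discarded (the slides report 84 received, 64 valid), and each attribute gets a mean risk score, a dispersion figure, a rank and a quadrant on the likelihood-versus-impact grid. Three things are my assumptions rather than anything the slides state: that the risk score is the mean over respondents of likelihood x impact (the slides' scores fall in the 12.6-17.8 range such a product gives), that the σ column is the standard error of that mean, and that the quadrant crosshair sits at the scale midpoint of 3 (IPA is often drawn with the crosshair at the grand mean instead, which the `crosshair="mean"` option does). Only the two diagonal quadrant labels are taken from the slide; the two medium-risk quadrants are named by their axes because the figure's mapping of those labels to quadrants is not recoverable from the page. The attribute text, respondent ratings and the `score`/`quadrant`/`valid_responses` names are constructed for the example.

```python
"""Likelihood x impact risk scoring with an IPA-style quadrant assignment.

Added example, not the dissertation's analysis code. Risk = mean of
(likelihood x impact) per respondent, sigma = standard error of that mean,
crosshair at the scale midpoint (3) or at the grand mean: all assumptions.
"""
from math import sqrt
from statistics import mean, stdev

# The two 1-5 scales from slide 25.
LIKELIHOOD = {1: "Extremely unlikely", 2: "Unlikely", 3: "Neutral",
              4: "Likely", 5: "Extremely likely"}
IMPACT = {1: "No consequence", 2: "Minor consequence", 3: "Moderate consequence",
          4: "Major consequence", 5: "Critical consequence"}

# Three of the slides' fifteen attributes, shortened; the ratings are constructed.
A12 = "12 Data on the device may not be encrypted."
A07 = "7 A copy of data of interest may only exist on the device."
A02 = "2 Loss of policy enforcement points."
ATTRIBUTES = [A12, A07, A02]

# One dict per respondent: attribute -> (likelihood, impact). None = skipped item.
RESPONSES = [
    {A12: (5, 4), A07: (3, 4), A02: (4, 3)},
    {A12: (4, 5), A07: (3, 3), A02: (3, 4)},
    {A12: (5, 5), A07: (2, 4), A02: (None, 4)},   # incomplete -> invalid
    {A12: (4, 4), A07: (3, 3), A02: (4, 4)},
]


def valid_responses(responses):
    """Keep only responses that rate every attribute on both scales."""
    return [r for r in responses
            if all(a in r and r[a][0] in LIKELIHOOD and r[a][1] in IMPACT
                   for a in ATTRIBUTES)]


def quadrant(lik, imp, lik_cross, imp_cross):
    """Name the quadrant; only the diagonal labels are taken from the slides."""
    hi_l, hi_i = lik > lik_cross, imp > imp_cross
    if hi_l and hi_i:
        return "High risk (sustain risk mitigation)"
    if not hi_l and not hi_i:
        return "Low risk (no change in risk mitigation)"
    if hi_l:
        return "Medium risk (high likelihood, low impact)"
    return "Medium risk (low likelihood, high impact)"


def score(responses, crosshair="midpoint"):
    """Return one row per attribute with mean likelihood, impact, risk,
    standard error, rank (1 = highest risk) and quadrant."""
    valid = valid_responses(responses)
    rows = []
    for a in ATTRIBUTES:
        liks = [r[a][0] for r in valid]
        imps = [r[a][1] for r in valid]
        products = [l * i for l, i in zip(liks, imps)]
        se = stdev(products) / sqrt(len(products)) if len(products) > 1 else 0.0
        rows.append({"attribute": a, "likelihood": mean(liks), "impact": mean(imps),
                     "risk": mean(products), "sigma": se})
    for rank, row in enumerate(sorted(rows, key=lambda r: r["risk"], reverse=True), 1):
        row["rank"] = rank
    if crosshair == "mean":
        lik_cross = mean(r["likelihood"] for r in rows)
        imp_cross = mean(r["impact"] for r in rows)
    else:
        lik_cross = imp_cross = 3.0
    for row in rows:
        row["quadrant"] = quadrant(row["likelihood"], row["impact"], lik_cross, imp_cross)
    return rows


if __name__ == "__main__":
    print(f"{len(RESPONSES)} responses received, {len(valid_responses(RESPONSES))} valid")
    for row in sorted(score(RESPONSES), key=lambda r: r["rank"]):
        print(f"{row['rank']}  risk {row['risk']:.1f}  σ {row['sigma']:.1f}  "
              f"{row['quadrant']}  {row['attribute']}")
```

The rank answers "which attribute to mitigate first"; the quadrant answers "is the current mitigation effort in proportion to the risk", which is the question the IPA grid on slide 25 was borrowed to ask. Two attributes with the same mean risk can still land in different quadrants, so the two views are complementary rather than redundant.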

Page 29

Risk Surfaces

Page 30

Lawrence Dobranski, DSc, MBA, MSc (Eng), P.Eng.

[email protected] @ldobranski (306) 966-7177

Thank you!