Defense-in-Depth has Become Extinct or ... (Security BSides transcript)
© 2014. All Rights Reserved. Information and Communications Technology
www.usask.ca/ict
1
Defense-in-Depth has Become Extinct or
Information Security in the Post-Enterprise World
BSides Ottawa 2014
Dr. Lawrence G Dobranski P.Eng., Director ICT Security
University of Saskatchewan
The University of Saskatchewan is a member of the U15, the top 15 research universities in Canada.
• 22,500 students from 100 countries (2013)
• 16:1 student to faculty ratio
• Annual budget of $1B
• $9.2 million annually in scholarships and bursaries
• > 120 Graduate Degree Programs
• ~ 200 Undergraduate Programs
Information & Communications Tech @ uSask
• Open, de-perimeterised environment
– 15,000 mobile users connecting daily via a ubiquitous wireless network
– Most of them BYOD (Bring Your Own Device)
• Includes:
– private cloud
– multiple data centers
– high performance research computing
– petabytes of storage
– multi-gigabit connections to the Internet and international research networks
Mobile & Cloud @ U of S
• ~15K Personal Mobile Devices Daily (2013)
• ~3.5K Access Points (2013)
• Cloud Services include:
– Travel & Expense Management
– Student Employment
– Responsible Disclosure
– Survey Tools
– Crowd Funding
• iuSask – Award winning university service app for mobile devices
IT Consumerization, BYOD, and Cloud Services represent a significant technology & societal disruptor and the arrival of the ‘Post Enterprise World’
Figure: BYOD, Cloud Services and IT Consumerization converging on People, Process, Technology.
Personal Mobile Devices
• Mostly termed BYOD for bring your own device
• Represented by the convergence of mobile computing:
– Laptop, netbook, palm top, tablet, phone
– A matter of size and battery life
– Computing power no longer a limitation
• Stakeholders have multiplied:
– Carriers (maybe more than one)
– 3rd party content (multimedia, software, services)
– Other relying parties:
• Employer (more than one)
• School
• Personal
Cloud Computing
• Architectures:
– Public
– Private
– Hybrid
• Service Oriented:
– Software as a Service
– Platform as a Service
– Applications as a Service
– Security as a Service
– And yes: Malware as a Service
• Business Models:
– Free (if I can mine your data)
– Commercial (pay for it)
– Corporate (a cloud for the enterprise)
– Personal (really?)
BYOD & Cloud – A Multi-Dimensional Risk Problem
• Not just a “technology” problem
– Technological solution does not address the entire risk spectrum.
– Business perspective is critical.
– Does not recognize “de-perimeterisation” or “context of use”.
• At Risk:
– Confidentiality, Integrity, Availability of information and services
– Personally-identifiable information (aka Privacy)
– Business survivability
– The user, the enterprise, the carrier, and 3rd party information and services
BYOD & Cloud – Risk Environment
• Banning BYOD or Cloud Services usually just forces them underground
– Going underground:
• Hides the threat
• Hides the risk
– Better to manage it rather than ban it
• Need to support controlled, secure access to data and services
– No matter how accessed or how provisioned
BYOD & Cloud – a disruptive technological evolution
• Eradication of boundaries
– That are traditionally used to define the enterprise
– Separate trusted and untrusted domains no longer clear
– Defense-in-depth going extinct
• Context of use
– How, why, where, what, when regarding data and service access
Figure: the defense-in-depth layers (Policies, Procedures, Practices; Physical; Perimeter; Internal Network; Host; Application; Data) under de-perimeterisation: the evolution to the mobile, social media, always-on society.
De-perimeterisation
• Concept originally championed by The Open Group’s Jericho Forum®
• Traditionally, organizations relied upon boundaries and perimeters to provide security, different areas of trust.
• BYOD and Cloud Services mean that the boundaries have changed or do not exist.
Now not just who is inside your perimeter, accessing the data, but who, where, how, and with what.
Moving Beyond a Perimeter Security Model
Before BYOD & Cloud
• Hard perimeter
• Clear policy enforcement points
• Defense-in-depth strategy
• Only organizational supplied hardware & software on the network
• Able to answer:
– Who is accessing?
– How are they accessing?
– Where are they?
• Clear whose device and who owns the data
• Threats understood
• Compliance achievable
After BYOD & Cloud
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• No longer clear:
– Who is accessing?
– How are they accessing?
– Where are they?
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?
Mitigating the De-perimeterisation Risk
After BYOD & Cloud:
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• Discretionary Access Control
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?
Mitigate with (BYOD & Cloud Mitigation):
• Sandbox Applications and Data
• Application Integrity
• Policy enforced at application and data boundaries
• Mandatory access control for servers and infrastructure
• Compliance requires clear policy/procedures/processes
• Enhanced, context aware authentication/authorization
• Security Awareness Critical
Do you know where your organization’s data is?
Context of Use, aka Mobility
• A significant business driver by itself
• Institutions want to be agile, to be accessible, and to support collaboration
– No matter where their users are
– No matter what device they are using
– Expanding to include however they are accessing data and services
• Focus is giving ubiquitous access to organization data, networks, services, and applications
– To be agile, responsive, and value-providing anywhere at any time
Context of Use – No Longer Just Who
• Traditionally IAM only addresses ‘Who is accessing the data?’
– Privileges:
• Discretionary access control
• We know who you are, we trust you
• Now need to ask
– How is the data being accessed?
– Who is delivering the data and service?
– Where is it being accessed from? Location and device critical
– What expectations are there for the data’s confidentiality, integrity, and availability?
– Who owns and controls the data?
– Who owns and controls the device?
• Is the security policy/security compliance adaptable based on these considerations?
• Who do you trust?
The context of the mobile device and the service provided must be reflected in the authorizations granted to the authenticated user.
Figure: Context of Use – Who, What, Where, When, Why, How.
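The slide above argues that authorization must reflect the context of the device and service, not only the identity of the authenticated user. The following Python is an added illustration of such a context-aware check, not the university's own policy engine; the attribute names, roles, device tiers and thresholds are assumptions chosen for the example, and the decision can only be narrowed by context, never widened.

```python
# Added example (not the university's own code): a context-aware authorization
# check that tightens the privileges of an authenticated user according to the
# device, location and data involved. Attribute names, roles, tiers and
# thresholds are assumptions chosen for illustration.
from dataclasses import dataclass

CLASS_ORDER = {"public": 0, "internal": 1, "confidential": 2}  # assumed labels
ROLE_CLEARANCE = {"staff": "confidential", "student": "internal", "guest": "public"}


@dataclass(frozen=True)
class Context:
    user_role: str             # who is accessing
    device_owner: str          # "organizational", "personal" or "3rd party"
    device_encrypted: bool     # threat attribute 12: data on the device encrypted
    device_has_passcode: bool  # threat attribute 13: device has a password
    network: str               # where: "campus", "home" or "public-wifi"
    sandboxed_app: bool        # how: data held inside a managed app container


def device_tier(ctx: Context) -> int:
    """0 = untrusted, 1 = hardened personal/3rd-party device, 2 = managed device."""
    if ctx.device_owner == "organizational":
        return 2
    if ctx.device_encrypted and ctx.device_has_passcode:
        return 1
    return 0


def authorize(ctx: Context, data_class: str) -> tuple[str, list[str]]:
    """Return ("full" | "read-only" | "deny", reasons). Knowing who the user is
    is necessary but not sufficient; device and location can only reduce access."""
    clearance = ROLE_CLEARANCE.get(ctx.user_role, "public")
    if CLASS_ORDER[data_class] > CLASS_ORDER[clearance]:
        return "deny", [f"role {ctx.user_role!r} is not cleared for {data_class} data"]
    if data_class == "public":
        return "full", ["public data: no device or location constraint"]
    tier = device_tier(ctx)
    if tier == 0:
        return "deny", ["non-organizational device without encryption and passcode"]
    decision, reasons = "full", []
    if data_class == "confidential":
        if tier == 1 and not ctx.sandboxed_app:
            decision = "read-only"
            reasons.append("confidential data on a personal device only inside a sandboxed app")
        if ctx.network == "public-wifi":
            decision = "read-only"
            reasons.append("writes to confidential data blocked on public Wi-Fi")
    return decision, reasons or ["context satisfies policy"]
```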
The Context of Use Dilemma
Before BYOD & Cloud
• Hard perimeter
• Clear policy enforcement points
• Defense-in-depth strategy
• Only organizational supplied hardware & software on the network
• Able to answer:
– Who is accessing?
– How are they accessing?
– Where are they?
• Clear whose device and who owns the data
• Threats understood
• Compliance achievable
• Jurisdiction clear
After BYOD & Cloud
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• No longer clear:
– Who is accessing?
– How are they accessing?
– Where are they?
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?
• Jurisdiction not clear
Mitigating the Context of Use Risk
After BYOD & Cloud:
• Soft perimeter
• Policy enforcement points are now vague
• Hardware & software can be organizational, personal, or 3rd party
• No longer clear:
– Who is accessing?
– How are they accessing?
– What are they using to access?
– Where are they?
• Not clear whose device and who owns the data
• Lack of clarity regarding threats
• Compliance – what does it mean?
• Jurisdiction more clear
Mitigate with (BYOD & Cloud Mitigation):
• Sandbox Applications, Data, & Services
• Security from a data perspective
• Application Security
• Policy enforced at application and data boundaries
• Mandatory access control for servers and infrastructure
• Compliance requires clear policy/procedures/processes
• Enhanced, context aware authentication/authorization
• Security Awareness Critical
Do you know where your organization’s data is?
Regulatory & Legal Issues
• Most regulatory & compliance regimes:
– Built for a traditional defense-in-depth model
– Corporate owned, or at least controlled, devices on a corporate owned or managed network
• No acknowledgement of:
– BYOD or Cloud Based Services
– Multiple stakeholders
– Multiple jurisdictions
• Who owns the data?
• Who controls the data?
• Are you sure?
• Whose jurisdiction?
Security, Privacy, & Audit in a BYOD & Cloud World
• Consider:
– User in country A
– Whose company’s HQ is in country B
– Using a mobile device from a carrier in country C
– Accessing servers located in country D
– Containing data of citizens of country E
– Using software from a firm located in country F
– Regarding a transaction with a firm located in country G
So whose jurisdiction/policies apply?
And the survey said…
• Work based on a survey of 750 security professionals in Canada
• Professionals from the ITAC Cyber Security Forum
• Basis for DSc dissertation…
Research Question
What are the critical factors influencing information security professionals’ perceptions of information security risks and threats in BYOD environments?
Independent and Dependent Variables
Independent Variables: Context of Use; Compliance; Security Controls; Security Awareness; De-perimeterisation
Dependent Variable: Information Security Professionals’ Perception of Risk Due to BYOD
Importance-Performance Analysis
• Technique to measure importance and performance of attributes
• Developed originally by Myers and Alpert (1968)
• Successfully extended to other domains
• Output recognizable as the familiar four quadrant graph
Based in part on “Importance-Performance Analysis” by Martilla and James, 1977, as featured in “A critical evaluation of importance-performance analysis” by Azzopardi and Nash, 2013.
Importance Performance Analysis Applied to Risk Analysis
Figure: four-quadrant plot (quadrants I to IV) with Likelihood on the vertical axis and Impact on the horizontal axis, each running Low to High. Quadrant labels: High Risk (Sustain Risk Mitigation); Medium Risk (Risk Mitigation Required); Low Risk (No change in Risk Mitigation); Medium Risk (Curtail Risk Mitigation).
Likelihood scale:
1 Extremely unlikely
2 Unlikely
3 Neutral
4 Likely
5 Extremely likely
Impact scale:
1 No consequence
2 Minor consequence
3 Moderate consequence
4 Major consequence
5 Critical consequence
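To show how the likelihood and impact scales above turn into the per-attribute risk figures, σ and rank reported later in the deck, here is an added Python example; it is not the dissertation's analysis code. It assumes risk is the mean over respondents of likelihood × impact, that σ is the population standard deviation of those products, that the high/low split of the quadrant plot is the scale midpoint, and a particular assignment of the slide's four labels to quadrants I to IV; the survey ratings are constructed.

```python
# Added example (not the dissertation's own analysis code): scoring BYOD threat
# attributes from constructed survey ratings on the talk's 1-5 likelihood and
# impact scales. Assumptions: risk = likelihood x impact per respondent, the
# reported figure is the mean of those products, and the high/low split of the
# four-quadrant plot is the scale midpoint (3).
from statistics import mean, pstdev

SCALE = range(1, 6)  # 1 Extremely unlikely / No consequence ... 5 Extremely likely / Critical
MIDPOINT = 3.0
# Quadrant labels as on the slide; which quadrant carries which label is assumed
# (likelihood on the vertical axis, impact on the horizontal).
QUADRANTS = {
    (True, True): ("I", "High Risk (Sustain Risk Mitigation)"),
    (False, True): ("II", "Medium Risk (Risk Mitigation Required)"),
    (False, False): ("III", "Low Risk (No change in Risk Mitigation)"),
    (True, False): ("IV", "Medium Risk (Curtail Risk Mitigation)"),
}

def score(ratings):
    """ratings: (likelihood, impact) pairs, one per valid respondent.
    Returns (mean risk, population std dev, mean likelihood, mean impact)."""
    if any(lk not in SCALE or im not in SCALE for lk, im in ratings):
        raise ValueError("a rating is outside the 1-5 scale")
    products = [lk * im for lk, im in ratings]
    return (round(mean(products), 1), round(pstdev(products), 1),
            mean(lk for lk, _ in ratings), mean(im for _, im in ratings))

def quadrant(mean_likelihood, mean_impact):
    """Place an attribute on the likelihood-vs-impact quadrant plot."""
    return QUADRANTS[(mean_likelihood > MIDPOINT, mean_impact > MIDPOINT)]

def analyse(sample):
    """sample: {attribute: ratings}. Returns {attribute: (risk, sigma, quadrant, rank)},
    rank 1 being the highest mean risk, as in the talk's results table."""
    scored = {attr: score(r) for attr, r in sample.items()}
    order = sorted(scored, key=lambda a: scored[a][0], reverse=True)
    return {attr: (s[0], s[1], quadrant(s[2], s[3])[0], order.index(attr) + 1)
            for attr, s in scored.items()}

# Constructed ratings for three of the talk's attributes (not the survey data).
SAMPLE = {
    "12 Data on the device may not be encrypted": [(4, 5), (5, 4), (4, 4), (4, 5)],
    "7 Copy of data may only exist on the device": [(3, 4), (2, 5), (3, 4), (2, 4)],
    "2 Loss of policy enforcement points": [(4, 2), (5, 2), (4, 3), (4, 2)],
}
```

Calling `analyse(SAMPLE)` yields one row per attribute in the shape of the results table, with the quadrant telling a risk owner whether mitigation should be sustained, added, curtailed or left alone.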
Data Collection
• Research Site:
– Cyber Security Forum of the IT Association of Canada
• Approximately 750 information security professionals across multiple industries and domains
• Research instrument:
– 15 threat attributes
– 7 demographic questions
– 84 responses received, 64 deemed to be valid
BYOD Threat Attribute Ratings
Number  Attribute Description
1  Owner of the device controls the context of use, not the organization.
2  Loss of policy enforcement points.
3  Device handling personal and work data simultaneously.
4  Device will be used to access networks which the organization cannot control access.
5  Security perimeter now at data level.
6  Verification of the implementation of security controls may not be possible.
7  A copy of data of interest to the organization may only exist on the device and not within the organizational network.
8  Security policy on device is not in the control of the organization.
9  Lack of clear boundaries/areas of trust.
10  Organization administrators not controlling the configuration of the device connecting to the organization's network.
11  Cannot completely wipe the device because it contains personal data that may or may not be backed up.
12  Data on the device may not be encrypted.
13  Device may not have a password or a password of appropriate strength.
14  Lack of user understanding that the use of personal mobile device can expose organization to significant risks.
15  Lack of user understanding of where the device is used affects the risk to the organization's assets.
BYOD Risk Results
Number  Attribute Description  Risk  σ  Rank
1  Owner of the device controls the context of use, not the organization.  15.9  0.4  5
2  Loss of policy enforcement points.  14.3  0.4  9
3  Device handling personal and work data simultaneously.  15.7  0.3  6
4  Device will be used to access networks which the organization cannot control access.  16.1  0.2  4
5  Security perimeter now at data level.  15.2  0.3  7
6  Verification of the implementation of security controls may not be possible.  13.0  0.4  14
7  A copy of data of interest to the organization may only exist on the device and not within the organizational network.  12.6  0.5  15
8  Security policy on device is not in the control of the organization.  13.1  0.4  13
9  Lack of clear boundaries/areas of trust.  13.2  0.4  12
10  Organization administrators not controlling the configuration of the device connecting to the organization's network.  13.9  0.4  10
11  Cannot completely wipe the device because it contains personal data that may or may not be backed up.  13.5  0.3  11
12  Data on the device may not be encrypted.  17.5  0.3  2
13  Device may not have a password or a password of appropriate strength.  14.5  0.4  8
14  Lack of user understanding that the use of personal mobile device can expose organization to significant risks.  17.5  0.3  3
15  Lack of user understanding that where the device is used affects the risk to the organization's assets.  17.8  0.3  1
Risk Surfaces
Lawrence Dobranski, DSc, MBA, MSc (Eng), P.Eng.
[email protected] @ldobranski (306) 966-7177
Thank you!