The Truth about Wireless Security

The Truth about Wireless Security
David Lacey
Director, Information Security
Royal Mail Group
Trusted with the important business of everyday life since 1636
Wireless security today
• Earlier implementations not secure, requiring a raft of additional security measures:
- Tight policy and configuration standards
- Risk assessment for every implementation
- Add-on encryption for sensitive data
- Secure administration and key management
- Multiple access points for resilience
- Regular security audits of wireless networks
• Current technology much better but requires technology refresh of desktop (e.g. upgrade to XP)
• Future security models will be based on securing applications and data rather than infrastructure
Security issues with IP convergence
• Will VoIP protocols drive a coach and horses through our firewall security policies?
• Are voice technologies built with vulnerability management in mind?
• Will IP convergence substantially increase the number of attack points in our networks?
• How will we communicate if the converged network goes down?
• How do we develop new security architectures to manage the above risks?
Be prepared for a different future
We know only one thing about the future or, rather, the futures:
“It will not look like the present”
Jorge Luis Borges
Author
Some aspects of the future are predictable
• The potential impact of the information age has been extensively studied (by Toffler et al)
• We have lessons from other infrastructure changes (electricity, roads, railways, etc)
• Tools such as Technology Road Mapping and Scenario Planning can be used to explore the collective impact of key drivers, trends and events
• Products emerging in the next 5-10 years are likely to be in today’s research labs
Some trends are long lasting
• Increasing threats: from viruses, hackers, fraud, espionage
• Increasing expectations: from customers, partners, auditors, regulators
• Increasing exposure: greater dependence on IT, increasing connectivity
And may even dominate this Century
“The 21st Century will be dominated by information wars and increased economic and financial espionage”
Alvin Toffler
Futurist
But trends take longer to emerge than you think
“People often overestimate what will happen in the next two years and underestimate what will happen in ten. I’m guilty of this myself.”
Bill Gates
The Road Ahead, 1995
Networks change everything
“The business environment of the future is likely to be very different from today’s, where boundaries between personal and business computing will blur and everyone and everything will be linked to the Internet. In order to survive, firms must embrace the new risks this environment creates”
David Lacey
Risk Management Bulletin, June 2001
The political landscape is changing
“Disruption of both international security and trust in the marketplace highlight the importance of the role of the state”
Shell Global Scenarios 2025
“At no time since the formation of the Western Alliance system in 1949 have the shape and nature of international alignments been in such a state of flux”
US National Intelligence Council “Mapping the Global Future”
Organisations are changing
[Diagram: two axes, “External relationships” (Weak to Strong) and “Internal relationships” (‘Hard’ to ‘Soft’); the “Organism” sits at the strong-external end and the “Machine” at the weak-external end, with the trend arrow running between them]
Security emphasis is changing
[Timeline diagram: 1980s: glasshouse data centres, secure buildings; 1990s: managed networks, network firewalls; 21st Century (marked “?”): streetwise users, cyberspace road warriors]
Today’s solutions are not sustainable
[Diagram, repeated three times across the slide: an Intranet and Extranet connected to external parties labelled ASP, JV, Service provider, Partner and Outsource]
As we experience the 1st security paradigm shift of the 21st Century
What does it mean?
• Recognition of the “disappearing perimeter”
• De-coupling security from the infrastructure level and moving it to the application and data levels
• Understanding that securing your own backyard is no longer sufficient to protect your data
• Working with business partners to develop practical collaborative solutions
We can design our own future
“The best way to predict the future is to invent it”
Alan Kay
Using the power of our imagination
“Imagination is more important than knowledge.”
Einstein
De-Perimeterisation
“The act of applying organisational and technical design changes to enable collaboration and commerce beyond the constraints of existing perimeters, through cross-organisational processes, services, security standards and assurance.”
The Jericho Forum
Jericho Forum - Vision
Enable business confidence beyond the constraint of the corporate perimeter, through:
• Cross-organisational security process
• Shared security services
• Products that conform to Open security standards
• Assurance processes that when used in one organisation can be trusted by others
Jericho Forum - Mission
Act as a catalyst to accelerate the achievement of the vision by:
• Defining the problem space
• Communicating the collective Vision
• Challenging constraints and creating an environment for innovation
• Demonstrating the market
• Influencing future products and standards
Jericho Forum – Business Scenarios
1. Provide low-cost secure connectivity
- Access over wireless and public networks
- Domain inter-working via open networks
2. Support roaming personnel
- Phoning home from a hostile environment
- Enable portability of identities and data
3. Allow external access
- Application access by suppliers, distribution agents or business partners
- Outsourced help desk access to internal systems
4. Improve flexibility
- Connect organisations for EDI using secure XML messaging and Web Services
- Consolidate identity & access management systems for collaboration & commerce
- Automate policy for controlled information sharing with other organisations
- Harmonize identities and trust relationships with individuals
Jericho Forum – Working Groups
• Meta Architecture and Vision
• Requirements / Ontology
• Technology and Solutions (sees wireless as quick win)
• Trust Models
• Management and Monitoring
• Public relations (PR) Media and Lobbying
• Vendor Management
Technology will transform our world
• Exploding connectivity and complexity (embedded Internet, IP convergence)
• Machine-understandable information
• De-fragmentation of computers into networks of smaller devices
• From deterministic to probabilistic systems
• Wireless, wearable computing
• Ubiquitous digital rights management
• Biometrics and novel user interfaces
There are consequences for security
• Slow death of network perimeters
• Continuing blurring of business and personal lifestyles
• Security migrates to the data level
• New languages and tools needed to express, translate and negotiate security policies
• Intelligent monitoring systems needed to maintain control of complex, networked systems
• Uncertain security - no guarantees
• Manage incidents as opportunities
As we look ahead to the 2nd security paradigm shift of the 21st Century
A world of increasing openness & complexity
• Exploding surveillance opportunities
• Limited opportunities for privacy-enhancing technologies
• Proliferating data wakes and pervasive circumstantial data about personal behaviour
• Intelligent monitoring software can highlight unusual behaviour
• Data fusion, mining and visualisation software can extract intelligence out of noise
• Exploitable for business, security, fraud or espionage
Visibility & understanding will be key
• Understanding and interpreting data in context (Semantic Web)
• Data fusion, mining and neural networks to crunch through complexity
• Data visualisation technology to enhance human understanding
• Computational immunology to differentiate good transactions from bad ones
Thank you for listening
David Lacey
Director, Information Security
Royal Mail Group