Continuous Multilayer Protection: Operationalizing a Security Framework

Straw Program

- Topics that highlight Ericsson’s IP

expertise

- Leverage Ericsson’s strengths and

apply to new technology and issues to

resolve. (e.g, MBH)

- Focus on operator perspective and

pain points

- Cover emerging tech and tech we have

“on the truck”

- Include “friendly” partners to show not

working in a vacuum

- Industry thought leaders for keynotes to

highlight technical business drivers

- One track for non-technical business

related content*

- Possible Friday customer meetings

• 2-3 distinct parallel tracks.

• Could have side room for “Meet the Engineer” private sessions.

Continuous Multilayer Protection:- Operationalizing a Security Framework

Mats Nilsson

2015-05-25 | Page 2

Connectivity more and more part of our life

1875 20001975

10

30

50

15 years

50 billion connected devices

25 years

5 billion connected people

100 years

1 billion connected places

20

40

Con

ne

ctio

ns (

bill

ion

)

2020

2015-05-25 | Page 3

Connectivity integrated into our way of life

Collaboration

Innovation

Privacy

Competence

Trust

Socializing

Learning

Everything

PEOPLE do

Media

Commerce

Security

Government

Education

Transport

Healthcare

Utilities

In all parts of

SOCIETY &

BUSINESS

Will be done over a

NETWORK

2015-05-25 | Page 4

NEW OPPORTUNITIES– NEW CHALLENGES

Increased

network capacity

More commerce &

financial transactions

More cloud

storage & services

Open and capable

devices

An IP based unified

global network

New things

get connected

More services

get networked

More decisions

based on real-time data

Policy and regulation

› Status and drivers

– On top of political agendas

– The (global) Economic and

Social impact of the ICT

enabled society

– How to ensure core values

and security in Cyberspace

› Activities and consequences– Definition and scope of Critical

Information Infrastructures (e.g. Communications, Healthcare Energy, Transport

– Operational security requirements and audits

› Voluntary but required to avoid liabilities – US

› Law - EU

– Mitigation through recommended Standards, Best practices, implementation incentives or law/liabilities

› Examples of policy measures– US Executive Order 13636 and

“Cyber security Framework”

– EU› Cyber security strategy

› EU proposed NIS directive

› EU NIS platform

– India › Security requirements and

audits on operators.

› Mandatory local testing of equipment (from 1 April 2015) however alignment with global standards

– Many others….

2015-05-25 | Page 6

our perspective on Security in the networked society

• services should always be available

• security should require minimum effort from users

• communications should be protected

• all access to information and data should be authorized

• manipulation of data in the networks should be possible to detect

• the right to privacy should be protected

SECURITY IN THE NETWORKED SOCIETY

Operator Policies

& Directives

Secure

Operations

Secure

Network

Secure

Products

Laws &

RegulationStandards:

ISO 27001…

3GPP, ITU-T,

IETF…

3GPP SECAM,

ISO 15408…

2015-05-25 | Page 8

System scale

UsersThousands Millions Billions

Enterprise

Telecom Networks

Multiple Networks

Moderate

Large

Very large

Our Focus:Large scale security

2015-05-25 | Page 9

Point security

• Firewalls

• Malware detection

• Intrusion detection

• Content scrubbing

Network & Operational Security

• Software and data integrity verification

• Tamper protection

• Identity management

• Fraud prevention mechanisms

• ISO 27 000 certified operations

• Secure storage

Integrated SecurityCreating Large-scale system Security

• Integrity

• Robustness

• Scalability

• Efficiency

• Confidentiality

• Privacy

• Coordinated defense

• Fast response

Integrated security

Threat

Threat

Threat

2015-05-25 | Page 10

People &

Processes HW & SW Data

TransactionsConfigurationsIdentities

Devices

…and much more

What needs to be trusted

2015-05-25 | Page 11

NE

ED

S

THE ERICSSON TRUST STACK

TRUSTED BUSINESS

TRUSTED OPERATIONS

TRUSTED NETWORKS

TRUSTED PRODUCTS

EN

AB

LE

S

2015-05-25 | Page 12

NIST CS FW mapped to RESPONSIBILITIES

Identify

Protect

Detect

Respond

Recover

NIST CS FW

2015-05-25 | Page 13

integrated process for Product and service development

PRODUCT

SECURITY

FUNCTIONS

PRODUCT

SECURITY

ASSURANCE

PRODUCT

SECURITY

DOCUMENTATION

PRODUCT NEAR

SECURITY

SERVICES

Developing the

right security

functions for a

product or service

Assuring that the

security

functionality works

as expected

Documenting

security

functionality to

enable secure

operations

Provide services to

ensure that

security

functionality is

properly used

Security reliability model:

2015-05-25 | Page 14

FROM: PROTECT ONLY

100% protection is possible

Re-Invention of Cloud SecurityThe Shift to Cloud Requires a New Focus

Hardened end points, users not

devices

Illusion of liability protection:

third party audits,

certifications

Data is locked down

Perimeter-centric: access control,

encryption

Authenticate end points: trusted identity of

users AND devices

Data is portable, in compliance

with local regulations

Data - centric: every data asset is

tagged, tracked, located, verified

Onus for proof: independently

verifiable, mathematical

forensics

2015-05-25 | Page 15

Ericsson Wallet Platform overview of security controls

Approval of sensitive

operations

Traceability & accountability

Security

configuration

validation

Eavesdropping and

modification protection

Two factor authentication

Configurable access control

System and API

hardening

Financial crime controls

2015-05-25 | Page 16