Jericho - an alternative approach to Security

• 1. Jericho une approche alternative de la scurit Bjorn Gronquist (CSO Capgemini) Lyon 26 novembre 2009 XIVe Symposium de lArchitecturedu 16 au 26 novembre 2009

2. Introduction

• Why does traditional security guys sayNO ?

• • Because conventional security is wedded to an outdated industrial model of security.

• Jericho Forum:

• • User group that publicises de-perimeterisation and its consequences

• • NOT a standards body

• • Affiliated to the Open Group as a hosted forum

• • Capgemini has board level representation

3. PART I: Jericho versus Conventional Security 4. The Industrial Security Model

• Assets are held within aPerimeter .

• Users must enter the perimeter to access the assets.

• The perimeter is guarded by a gatehouse

• The gate house has a list of the people with access

• Employees are the good guys; everyone else must be kept out

• Changes to the perimeter, the gate house or the employees are rare

• The workers go into the factory once per day

5. Examples Mechanism Perimeter Asset Policy Lock Box Whats in the box Who has the key Guard house Fence The site within the fence Who is on the security guards list Firewall Perimeterised computernetwork Information and applications attached to the network The packet filtering configurations on the firewall 6. Modern Business Trends

• User Mobility

• • Users arent in a perimeter

• Business Agility

• • Physical and organisational perimeters arent stable

• • Business processes change constantly

• SaaS and Cloud Computing

• • Assets arent in a perimeter

De-perimeterisation 7. Perimeterised Security hypothesis versus real world Users need to access assetsfrom anywhere Users mustenter the perimeterto access the assets. Processes are complexand unique Processes are simpleand repeatable Many different partieshave a stake in an information asset Single business ownersets the access policy for its assets Workers access an assetonce a minute The workers go into the factoryonce per day Mergers, de-mergers, joint ventures, shared services are the norm; legislationchanges constantly Rare Changes to the perimeter , the gate house or the employees Suppliers and customersneed access; employees constitute a potential threat Employeesare the good guys; everyone else must be kept out Access policies arerich and complex The gate house has asimple list of the people with access Assets outside the perimeterarent protected by a gatehouse on the perimeter Assets inside the perimeteris guarded by a gatehouse 8. Perimeter based security is outdated

• What you forget when you think in terms of perimeter:

• • Laptops outside of the office, new devices (Iphone, USB keys etc)

• • Guests in you office

• • Social networking activities

• • Cooperation (IM, email)

• • Software as a service

• • Cloud computing

• The work condition evolves

• • The Intranet becomes theInternet

• • The work station becomes theWeb browser

• • Business process becomesCollaboration

9. Consequences of the Mismatch

• Security is costly

• • Security maintenance is work intensive

• • Business and technical change are complex

• • Difficult to take advantage of new opportunities like cloud computing

• • Difficult to provide access to customers, suppliers and contractors

• Assets arent properly protected

• • Security does not meet anymore social and legal requirements

• • Lack of partner confidence

• • Frequent security breaches (bypasses of security)

10. PART 2: Collaboration Oriented Architecture 11. The Collaboration Oriented Architecture (COA)

• Collaborations between different people & services based on

• • Trust

• • Reputation

• • Identity

• Examples

• • Surfing, Chatting, Shopping, etc..

• • Social networking, Emailing, Reporting, Purchasing, etc..

• Privacy

Right level of security 12. The Collaboration Oriented Architecture (COA)

• Principles:

• • Collaborationis thebasic unitof security

• • Securitybased onrisk managementand shall betransparent to users

• • Parties, Risks, Identities, Devices and Collaborations all have lifecycles that must be able to pass organisational boundaries transparently and securely

Change of paradigm 13. Trusted network Network Access Insiders theft Application vulnerabilities Compliance Residual risks Security Review Model.ppt PageFirewall Content filtering VPN Internet & Partners Perimeter style security IPS 14. End Point Protection Trust monitor Risk assessment Identity federation Encrypted data transmission Deperimeterized network PageService Protection Cloud Security Jericho Style Security 15. Collaborations

• The Collaboration generalises concepts ofcontractandorganisation

• It comprises

• • Parties that co-operate for a common goal (these can be people, devices or collaborations)

• • Rules governing their interaction (one or more contracts)

• • A redress mechanism to handle non-performance by any party

• A collaboration membership has a lifecycle

16. Trust

• Collaborations often have a relying party

• • I pay now for my CD and I rely upon Amazon to deliver the CD later

• Why are relying parties willing to rely?

• • Because they trust the counterparty

• • Because a redress mechanism is available

• Trust means

• • The trusted party has the necessary competence, skills and resources to collaborate

• • The trusted party is well disposed towards the relying party

• • It is in the trusted partys best interests to collaborate

17. Reputation

• Collaboration

• • Parties want to reduce the risk of their collaborations by choosing good counterparties

• • They need information about other parties before agreeing to collaborate with them

• This information is calledReputationand comprises

• • Certifications and Qualifications

• • Criminal Record and Credit History

• • Collaboration History

• • References and Testimonials

• Reputation

• • A partys reputation affects the collaborations it can enter into

18. The Trust Lifecycle Trust based security Security Activities 19. Identity

• A partysidentitycomprises

• • Reputation (used when agreeing collaborations)

• • Agreed collaborations (used when fulfilling collaborations)

• • These have different uses and different security requirements

• Important security decisions

• • Agreeing to collaborate in the basis of reputation

• • Handling resource access requests, or provisioning, on the basis of identity (collaborations + reputation)

• • Updating reputations on the basis of performance in collaborations

20. Examples

• Buy a CD from Amazon.com

• • A short term low risk collaboration

• • • Search phase Google or Amazon search

• • • Negotiate phase shopping card

• • • Fulfilment payment and delivery

• • Reputation amazon.com site certificate

• • Contract recorded internally by Amazon

• Employment

• • A long term medium risk collaboration

• • • Search phase monster.com, head-hunter

• • • Negotiate phase interviews

• • • Fulfilment A sequence of tasks directed by management, each of which is like a sub-collaboration