High Security Requirements Working in the security market
High Security Requirements
Working in the security market
High Security market• Customers:
• Intelligence agencies (NSA, CIA, USAF, WH)
• Finances (Banks)
• Governments (Justice system, education system)
• Chief Security Officer / CIO has power to decide
• Product features come after security features
ionGrid• Solve BYOD for
file access
• Secure container
• Integrates with current infrastructure
Data in movement
Data in movement (cont)• Provisioning
• Enables end-to-end encryption
• Improves security against “man in the middle attack”
• Secure channel in AMQP protocol
• Pro : AMQP instead of HTTPS gives stronger encryption
• Cons : very hard to work with…
• Real use case
• Pretty much everything…
Data at rest (cont)
Data Key
Password
Data at rest• Encrypt data
• Much harder to access the data against a dumping attack
• Server gives the key every time authentication is correct
• Multiple factor authentication (password, RSA SecureID, etc…)
• Offline authentication
• Encrypt master key using password
• User can retrieve its key with password
Security policies• Classic RWX (Read, Write, Execute)
• Pros: Access data, modify them, etc…
• Cons: Very hard to express the business needs
• “Can I … ?” policies (ie: can login)
• Pros: Much better for business needs
• Cons: Requires a lot of maintenance
• How can I handle a lot of business rules ?
• Access data only during the day / at a location
• Specify policies per file / folder / user
Security policies (cont)• Empower your customer with its own security
policies!
• Define “Can I … ?” policies in client
• Policy engine is defined in JavaScript
• Let the company code and define its own rules or use simple true/false checkboxes
• Code snippet can be defined per file / user
• Code is shipped to the device
• Works offline
• Works in the future
Device compromised• Simple cases:
• Device stolen or lost
• Employee quits or is fired
• Device exits location
• Active attacks
• Faraday bag
• Forensic attack
TIME-BOMB EVERYTHING!
Real use cases• JP Morgan
• Encryption and secure channel
• Coke
• Executive board members would loose their iPads…
• NBC universal
• TV Shows scripts should only be accessed with a specific set of rules
• Schweppes
• Secure video streaming
Real use cases (cont)• New York City Transit
• Offline use
• Application secure sandbox in HTML5
• “pg&e from the east coast”
• Got rid of “secure binders” during Sandy storm
• White House / CIA / USAF
• Overall security
• Supreme court of Australia
• Security ended up speeding trial time by 10%
And now…
• Which use case around secure messaging have you heard about ?
• What security problem should we try to solve ?