Dr Meng Chow Kang, CISSP, CISA
Director and CISO for Greater China and APJ, Cisco Systems
The Blurring of Everything Internet – implications on data protection for higher education
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 2
Agenda
• Trends, evolutions – what’s going on around us
• How are they impacting information security practices
• What should we do to address the challenges
• Focus on higher education
Traditional Organization Border
[Diagram: the corporate border encloses the corporate office, branch office, applications and data, and policy; attackers, customers and partners sit outside it.]
At the edges of the Internet …
• Increasing bandwidth, in particular on wireless and mobile networks
• Improving security capabilities
• Increasing reliability
Mobile network evolution (2G/+ → 3G/+ → 4G):
Bandwidth:    <10 kbps | <200 kbps | 300 kbps – 10 Mbps | <50 Mbps | 50 Mbps – 1 Gbps
Technologies: GSM | GPRS/EDGE | WCDMA, TD-SCDMA | HSPA, HSPA+, TD-HSPA, TD-HSPA+ | LTE FDD, LTE+, TD-LTE, TD-LTE+
Wireless LAN: IEEE 802.11n, IEEE 802.11r – client authentication; mutual authentication; strong encryption
Transforming the Individuals – Personal Mobility
• Consumerization of the corporate network
• Proliferation of devices and operating systems
• Social networking
• Mixed use of personal devices and corporate resources
• Proliferation of multimedia contents – videos, pictures, …
Transforming the Enterprise – the Borderless Network
• Open up new business models
• Maximize resources and productivity – any device, anywhere, anytime
• Reduce costs – operational efficiency
[Diagram: Access from Anywhere; Access with Any Device; Collaboration & Communications]
Mobility and Collaboration Is Dissolving the Internet Border
[Diagram: the same corporate border (branch office, corporate office, applications and data, policy), now with home office, coffee shop, airport and mobile users outside it alongside attackers, customers and partners.]
What hasn’t changed?
Need for Nimbleness, Scale, and a Lower Total Cost of Ownership (TCO)
What’re the responses?
Organizations, including higher education institutions, are responding by:
• Migrating applications into Data Center "islands"
• Adopting Hosted Services (PaaS/SaaS/IaaS)
• Virtualizing Clients and Servers
Hosted Services
[Diagram: IaaS, PaaS and SaaS, each with security and SLA support, offered as a seamless extension of Enterprise ITaaS into a Multi-Tenant SP Cloud.]
Organization Transformation: "Trusted" Internal → DMZ → Externalizing Trend
Services: Internal Service → Externalized Service → Service Dependencies
• Collaboration Platforms/WebEx/IWE
• Commoditized Computing
• SaaS/XaaS/PaaS/Cloud
• Internal/External Dependencies
Data: Corporate IP → Exported Data
• External Virtualized Storage
• Data Management/Monitoring
• Co-mingled Data/BCP Scenarios
• Increasing Export of Company’s IP
Users: Corporate User → "Non-corporate" Users → Contingent/"Unknown" User
• Converged Identity Sources
• External Personas of Internal Users
• Varying AuthC/Z Capabilities
• Non-integrated Provisioning Controls
Assets: Corporate Mobile/PC → Personal Mobile, Contingent/"Untrusted" Laptop → "Unknown" Mobile/PC
• "Any Device" w/ External Services
• Personal Mobile Strategy
• Contingent WF Platform Shift
• Increasingly "Untrusted" Clients
Cloud Computing Is Dissolving the Data Center Border
[Diagram: the borderless picture, with Platform, Infrastructure, Software and X as a Service now outside the corporate border alongside home office, coffee shop, airport, mobile users, attackers, customers and partners.]
Increasing complexity and sophistication of attacks; escalating concerns over data losses
• Web 2.0 & social networking
• Social engineering
• Vulnerability exploitations
• Mobility
• Beyond Windows
Example: "Just landed in Baghdad" – Rep. Peter Hoekstra, R-Mich, tweets; the secret delegation led by House Minority Leader John A. Boehner is not so secret…
How to collaborate without borders
[Diagram: the borderless picture – corporate border, branch and home offices, coffee shop, airport, mobile users, partners, customers, attackers, and Platform/Infrastructure/Software/X as a Service.]
Collaborate with Confidence
• Standards – Consistent baseline; interoperability; manageability
• Technology – "Baked-in" security in the architecture: endpoint, infrastructure, and backend; leverage; innovate
• Governance – Policy, ISMS, awareness, competency, operational readiness & excellence, visibility of risk, partner security
• Industry – Alliances; public-private sector partnerships
We need to rethink the traditional organizational perimeter and operating boundary, especially moving away from an over-reliance on Layer 2/3 control methodologies.
Governance
[Diagram: the governance wheel – Information Security Management System (ISMS); Awareness and Competence; Visibility of Risk; Operational Readiness and Excellence; Secure Partner Collaboration and Communications]
Information security risk management system
• Understand our risk profile through a management system approach, leveraging the ISO/IEC 27001 standards
• Determine & mitigate gaps between requirements and actual practice
Improve awareness and competence
• Regular security events and newsletter – focus on practices
• Mandatory security orientation for new hires
• Security training program for critical roles
Improve visibility of risks
• Establish security metrics aligned with the strategy map
• Rigorous monitoring and active discovery
• Regular reporting
• Regional security watch and analytics
Operational readiness and excellence
• Alignment of security operations with the risk management approach
• Establish and improve service levels
• Introduce formal security testing/drills for critical incident preparedness
Enable secure partner collaboration
• Understand the partners’ eco-systems and information flows
• Establish requirements and develop standards of best practice
Leveraging Standards
ISO/IEC JTC 1/SC 27 – Security Techniques
Secretariat: Krystyna Passia
Chair: Walter Fumy
Vice Chair: Marijke de Soete
• WG 1 Security Management – Convener: Ted Humphreys; Vice Convener: Angelika Plate
• WG 2 Cryptography and Security Mechanisms – Convener: Kenji Naemura
• WG 3 Security Assurance – Convener: Miguel Bañón
• WG 4 Security Controls and Services – Convener: Meng-Chow Kang
• WG 5 Identity Management and Privacy Technology – Convener: Kai Rannenberg
WG 1 Projects and Standards
• ISO/IEC 27001 – ISMS requirements
• ISO/IEC 27000 – Overview and vocabulary
• ISO/IEC 27002 – Code of practice for information security management
• ISO/IEC 27003 – ISMS implementation guidelines
• ISO/IEC 27004 – Information security measurements
• ISO/IEC 27005 – ISMS risk management
• ISO/IEC 27006 – Requirements for bodies providing audit and certification of ISMS
• ISO/IEC 27007 – Guidelines for ISMS auditors
• ISO/IEC 27008 – Guidelines for auditors on ISMS controls
• ISO/IEC 27010 – ISM for inter-sector communications
• ISO/IEC 27011 – ISMS for telecoms organizations based on ISO/IEC 27002
• ISO/IEC 27013 – Guidelines on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• ISO/IEC 27014 – Information security governance framework
• ISO/IEC 27015 – ISMS for the financial and insurance services sector
ISO/IEC 27001 – Information Security Management Systems (ISMS)
• Plan – Establish & design the ISMS
• Do – Implement & deploy the ISMS
• Check – Monitor & review the ISMS
• Act – Improve & maintain the ISMS
Risk management cycle:
• Risk assessment
• Risk treatment
• Management decision making
• Selection and implementation of risk controls
• Monitor, review, and re-assess the risks
• Make improvements to the risk controls, select more controls
WG 4 Projects & Study Periods
• ICT Readiness for Business Continuity (27031)
• Cybersecurity (27032)
• Information security incident management (27035)
• ICT Disaster Recovery Services (24762)
• Network Security (27033 Parts 1 to 7)
• Application Security (27034 Parts 1 to 5)
• Security Info-Objects for Access Control (TR 15816)
• Security of Outsourcing (27036)
• TTP Services Security (TR 14516; 15945)
• Time Stamping Services (TR 29149)
• Identification, collection and/or acquisition, and preservation of digital evidence (27037)
These span unknown or emerging information security issues, known information security issues, and information security breaches and compromises.
Architecture for Borderless Network Security
1. Borderless End Zones
2. Borderless Internet
3. Borderless Data Center
4. Policy (Access Control, Acceptable Use, Malware, Data Security)
[Diagram: the borderless picture – corporate border, branch office, corporate office, applications and data, home office, coffee shop, airport, mobile users, partners, customers, attackers, and Platform/Infrastructure/Software/X as a Service – with the four numbered pillars overlaid.]
Pillar 1: Borderless End Zone
Persistent Connectivity
• Always On, Location Aware
• Auto Head-end Discovery
• Intelligent End Point Traffic Routing
• IPsec, SSL VPN, DTLS
Advanced Security
• Strong Authentication
• Fast, Accurate Protection
• Consistent Enforcement
Broadest Coverage
• Most OSs and Protocols
• Windows Mobile
• Apple iPhone
Always On Security and Protection
[Diagram: with a Traditional VPN the endpoint alternates between Protected and Un-Protected; contrasted with Borderless Network Security, which is always on.]
Always On Security and Protection – Anytime, Anywhere, Any Device
• Sitting in a park – Cape Town, South Africa
• In the office – San Jose, California
• At a coffee shop – Sydney, Australia
Pillar 2: Borderless Security Array – Advanced Scanning and Enforcement Capabilities
Access Control | Acceptable Use | Data Security | Threat Protection
Integrated into the fabric of the network:
• Cisco IronPort Email Security Appliance
• Cisco IronPort Web Security Appliance
• Cisco Adaptive Security Appliance
• Cisco Integrated Services Routers
Form factors: VM, Software, Security Module, Hybrid Hosted, Appliance
HTTP Is the New TCP – Understanding Web Traffic
• Instant Messaging
• Peer to Peer
• File Transfer Protocol
Advanced Content Analysis
• SSN detection
• A rule matched multiple times increases the score
• Unique rule matches are met
• Matches are found in close proximity
• Proper name detection
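An added worked example (not from the slides and not Cisco IronPort's rule set) of the scoring heuristics listed above: constructed rules, weights and thresholds, and a scorer that rewards repeated matches of one rule, several distinct rules matching, and matches of different rules in close proximity. The sample messages and identifiers are constructed.

```python
import re

# Constructed DLP rules in the spirit of the slide; hypothetical, not Cisco's rule set.
# SSN: area not 000/666/9xx, group not 00, serial not 0000 (formatted NNN-NN-NNNN).
RULES = {
    "ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 40),
    # Two capitalised words; crude, so it carries little weight on its own.
    "proper_name": (re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"), 10),
    "dob": (re.compile(r"\b(?:DOB|date of birth)[: ]+\d{1,2}/\d{1,2}/\d{4}\b", re.I), 15),
}
REPEAT_CAP = 3         # repeated matches of one rule keep adding weight, up to this many
UNIQUE_BONUS = 20      # each additional distinct rule that matches adds this
PROXIMITY = 80         # chars; adjacent matches of different rules this close earn a bonus
PROXIMITY_BONUS = 25
THRESHOLD = 70         # a score at or above this flags the message


def score_text(text):
    """Score a message body with the three heuristics; returns (score, details)."""
    hits = []          # (rule name, match offset)
    counts = {}        # rule name -> number of matches
    for name, (pattern, _weight) in RULES.items():
        for m in pattern.finditer(text):
            hits.append((name, m.start()))
            counts[name] = counts.get(name, 0) + 1
    score = 0
    # 1. Rule matched multiple times: weight per match, capped at REPEAT_CAP.
    for name, n in counts.items():
        score += RULES[name][1] * min(n, REPEAT_CAP)
    # 2. Unique rule matches: bonus for every distinct rule beyond the first.
    score += UNIQUE_BONUS * max(0, len(counts) - 1)
    # 3. Close proximity: neighbouring hits from different rules within PROXIMITY chars.
    hits.sort(key=lambda h: h[1])
    near = sum(1 for (r1, p1), (r2, p2) in zip(hits, hits[1:])
               if r1 != r2 and p2 - p1 <= PROXIMITY)
    score += PROXIMITY_BONUS * near
    return score, {"counts": counts, "proximity_pairs": near}


def is_sensitive(text):
    """True when the combined score reaches THRESHOLD."""
    return score_text(text)[0] >= THRESHOLD


# Constructed sample messages (fictitious names and numbers).
SAMPLE_SENSITIVE = ("please update the record for John Smith, SSN 123-45-6789, "
                    "DOB: 04/12/1981, and for Mary Jones, SSN 587-65-4321.")
SAMPLE_BENIGN = "Meeting notes: the budget review is scheduled for 10/12/2010 in room 123-45."
```

A lone proper name scores only 10, so a name by itself never trips the threshold; it is the combination of an SSN, a date of birth and a name within a few dozen characters that pushes the score up.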
Advanced, Proactive Threat Protection – Cisco Security Intelligence Operations
Global threat telemetry feeds Cisco SensorBase, the Threat Operations Center and advanced algorithms:
• 8:00 GMT – Sensor detects new malware
• 8:03 GMT – Sensor detects hacker probing
• 8:07 GMT – Sensor detects new botnet
• 8:10 GMT – All Cisco customers protected
Sensor locations shown: bank branch in Chicago, ad agency HQ in London, ISP data center in Moscow.
Higher Threat Coverage, Greater Accuracy, Proactive Protection
Pillar 3: Secure Virtualized Data Center
1. Secure physical infrastructure
2. Connect physical security to virtual machines with Cisco’s SIA
3. Embed security in the virtual switch (virtual security; service chaining)
[Diagram: web, app and database servers – first behind a physical security device with virtual contexts, then running on a hypervisor behind the physical device, then on a hypervisor with security embedded in the virtual switch.]
Pillar 4: Enables Rich Policy for "Ubiquitous", Consistent Control
Who? What? When? Where? How?
1. Access Policy
2. Dynamic Containment Policy
3. Policy On and Off Premise
Industry Collaboration
Nature of Cybersecurity Issues
• Occurs on the Internet (Cyberspace)
• Global nature: multiple countries, different policies and regulations, different focus
• Multiple entities, from simple client systems to complex infrastructure
• Weakest link and lowest common denominator prevail
• Highly creative landscape – always changing
• Many overlapping and conflicting needs & issues
Industry Collaboration (cont.)
Two Questions
1. What are the "security things" that individuals, communities, and organizations need to do while using or leveraging Cyberspace? What are the desirable behaviors?
2. How do we evolve from our existing information security practices? What should be our security approach?
Industry Collaboration (cont.)
Examples of Desirable Cybersecurity Behavior
• ITU-T X.1207 – Guidelines for Telecommunication Service Providers for Addressing the Risk of Spyware and Potentially Unwanted Software
• ISO/IEC 29147 – Responsible Vulnerability Disclosure
• Developer Highway Code
Industry Collaboration (cont.)
Examples of Information Sharing Networks
• Forum of Incident Response and Security Teams (FIRST) – http://www.first.org/
• Research & Education Information Sharing and Analysis Center (REN-ISAC) – http://www.ren-isac.net
• Telecom ISAC – US, Japan, Korea
• Asia Pacific CERT (APCERT) – http://www.apcert.org/
• HK CERT – http://www.hkcert.org/
Final Remarks
• The borderless network transformation is driving changes to enterprises & users
• It is disrupting common information security approaches
• We need to rethink our approach in at least four areas – governance, standards, technology, and industry
• People are key to our response to these challenges; continuing education and awareness are therefore critical
• We need to pay particular attention to security information sharing and to organizational & individual responsibility in Cyberspace
"Progress, far from consisting in change, depends on retentiveness. Those who cannot remember the past are condemned to repeat it." – George Santayana