This is the second content post of my summary of the day’s events at the DGI Cyber Security Conference and Expo. Click here for the overview post of the conference.
The next speaker was Samuel Chun, who is the Director of Cyber Security Practice of EDS Government Solutions. Mr. Chun was, in my opinion, one of the best speakers at the conference. His speech had information that was interesting to me, and he didn’t put the crowd to sleep. He talked a little bit about EDS as a company. EDS, in his words, is truly a global company. They do work with governments on all the habitable continents in the world. This is pretty cool and very different from a lot of government defense contractors here in the U.S. that only do work with domestic clients.
Mr. Chun detailed the top five security challenges that EDS has been seeing as of late in global government. Before talking about the security challenges, he cleared up a few things, including definitions. There are many definitions for the term cyberspace. The one that was used for this presentation is “A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify and exchange data via networked systems and associated physical infrastructures.” He also spoke of the fact that the increase of globalization will lead to new threats and opportunities for the public and private sectors in cyberspace.
The first challenge is Perimeter Diffusion. In the past few years, we have seen an explosion of remote users and devices tapping into networks from outside the physical network. Devices like VPN’ed laptops, BlackBerries, iPhones, smartphones and other such technologies are constantly expanding the footprints of organizations. Mobile electronic devices require an additional span of control, especially since high-speed wireless broadband access is now widespread. The existing definitions of network perimeters have become useless and obsolete, and companies are having a difficult time catching up. Unfortunately, there also seems to be a lowered expectation that these expanding networks will be physically and virtually secure. The bottom line is that the more a company expands its network, the more opportunity there is for attack and exploit. Obviously encryption is incredibly important in this section. New encryption techniques are hardware and software based, and innovative hybrid techniques combine the two. Elliptic Curve Cryptography for asymmetric key exchanges will become the standard in the coming years due to the reliability and superiority of this new kind of crypto.
The second security trend is that of Cross Domain Collaboration. The internet has made many jobs easier, including collaboration over long distances. Even though it may seem as though working with coalitions and allies is a long-established tool, there seems to be an ever-increasing trend to exploit the same tool with the internet in parallel. Currently, the sharing of information between two different entities is difficult, even with advances in interoperability and related technologies. What scares a great many companies is that information may be passed into the wrong hands. This fear prohibits true, streamlined synergy and reduces confidence in using technology that can be used for good. Many EDS clients have an incredible need for flexible, peer-to-peer organizations and groups. This need can even allow competitors to turn into temporary allies. Although competitors turned allies seems like an uncomfortable proposition, it allows customers trusted, cross-domain information exchange.
Thirdly, Mr. Chun highlighted the challenge of Assurance of Identity. The need for better identity management by governments mitigates issues in the following sectors: terrorism, coalitions and federations, immigration and lastly, fraud and abuse. In the civilian and corporate worlds, programs are in place that focus on design and issuance. A smaller circle of organizations and corporations is taking these programs one step further to set up logical access and federation. Instead of IT staff having to set up a new user account when a new contractor comes on the job site, the worker can present a card which details key information. Permissions can be automatically set based on your relationship with organizations, companies and people. This cross-domain capability and flexibility is being looked at closely by tech vendors to key in on identity and access management. Mr. Chun summarized this section by saying that the “assurance of identity (authentication, authorization and non-repudiation) is a fundamental [and lasting] requirement for cybersecurity.” A program called Federal Identity Management (FIM) has the potential to be a major enabling technology for domestic and global collaborations. Most major tech security vendor companies are working on FIM solutions. Essentially, a federal identity can be used across multiple autonomous domains. Entitlements and access are based on identity attributes rather than intra-domain roles. This approach allows for the accommodation of orthogonal roles. Another great thing about this system is that it allows for multiple formats of authentication like Kerberos, X.509 and AD to be used interchangeably. A technology called SAML (versions 1.0 and 2.0) is becoming the de facto standard for cross-domain authentication and access. Big companies like Microsoft have built SAML into some of their products, but no current product has taken complete advantage of the flexible technology.
In looking at the fourth security trend of Perimeter Security vs. Core Security, we refer back to the first cyber security challenge in this presentation. Since we are seeing a trend of the ballooning of networks due to mobile devices, it is only natural to question our age-old practices of network defense. Instead of having a strong network perimeter by having the latest in firewall technology and packet scanning technology, you can take actions within the network to minimize risk. We can do this by placing emphasis on “inappropriate propagation and derivation, differentiating between admission and access, securing applications and services in addition to infrastructure.” It is easy to draw a parallel between what Mr. Chun is saying and what Mr. Gibbons said in the first presentation. They each stress individual application security and other core security capabilities rather than firewalls. Tools for strengthening app security are easy to find and implement. Black Box Testing is now the standard for testing software. The White Box Testing of yesteryear is still mandatory, but now involves manual code reviews and embedding application security code.
The final problem is Consolidation. In government IT (as well as corporate), members of the industry see a thirst for the consolidation of networks. The consolidation saves all kinds of things (money, the environment and computing resources, among other things) and it has easy-to-demonstrate citizen value. As I reported above, the fewer connections that you have, the fewer things you have to secure. (To see the Trusted Internet Connection government initiative, check out part six of this series.) Virtualization is the most effective and frequently used technical approach to consolidation. A major problem with virtualization is that when you consolidate servers (hardware and software), you are also consolidating identities. Even this has cybersecurity implications. We must balance the consolidation of servers and identity with availability and resiliency. This is especially true when keeping critical infrastructure apart from non-critical infrastructure. Another weird thing about virtualization is that you must have the governance processes, as the technology itself is extremely expensive, but it is very easy to implement.
Please give your comments on this fantastic presentation. I hope it was as interesting to read the summary as it was for me to actually view the presentation.