David Lacey
Director, Information Security Royal Mail Group
The Truth about Wireless Security
Royal Mail Group
Trusted with the important business of everyday life since 1636
Wireless security today
• Earlier implementations not secure, requiring a raft of additional security measures:
  - Tight policy and configuration standards
  - Risk assessment for every implementation
  - Add-on encryption for sensitive data
  - Secure administration and key management
  - Multiple access points for resilience
  - Regular security audits of wireless networks
• Current technology much better but requires technology refresh of desktop (e.g. upgrade to XP)
• Future security models will be based on securing applications and data rather than infrastructure
Security issues with IP convergence
• Will VoIP protocols drive a coach and horses through our firewall security policies?
• Are voice technologies built with vulnerability management in mind?
• Will IP convergence substantially increase the number of attack points in our networks?
• How will we communicate if the converged network goes down?
• How do we develop new security architectures to manage the above risks?
Be prepared for a different future
We know only one thing about the future or, rather, the futures:
“It will not look like the present”
Jorge Luis Borges, Author
Some aspects of the future are predictable
• The potential impact of the information age has been extensively studied (by Toffler et al.)
• We have lessons from other infrastructure changes (electricity, roads, railways, etc.)
• Tools such as Technology Road Mapping and Scenario Planning can be used to explore the collective impact of key drivers, trends and events
• Products emerging in the next 5-10 years are likely to be in today’s research labs
Some trends are long lasting
Increasing Threats: from viruses, hackers, fraud, espionage
Increasing Exposure: greater dependence on IT, increasing connectivity
Increasing Expectations: from customers, partners, auditors, regulators
And may even dominate this Century
“The 21st Century will be dominated by information wars and increased economic and financial espionage”
Alvin Toffler, Futurist
But trends take longer to emerge than you think
“People often overestimate what will happen in the next two years and underestimate what will happen in ten. I’m guilty of this myself.”
Bill Gates, The Road Ahead, 1995
Networks change everything
“The business environment of the future is likely to be very different from today’s, where boundaries between personal and business computing will blur and everyone and everything will be linked to the Internet. In order to survive, firms must embrace the new risks this environment creates”
David Lacey, Risk Management Bulletin, June 2001
The political landscape is changing
“Disruption of both international security and trust in the marketplace highlight the importance of the role of the state”
Shell Global Scenarios 2025
“At no time since the formation of the Western Alliance system in 1949 have the shape and nature of international alignments been in such a state of flux”
US National Intelligence Council “Mapping the Global Future”
Organisations are changing
[Diagram: organisations plotted by internal relationships and external relationships, on axes running from weak to strong and from ‘soft’ to ‘hard’, with the labels “Machine” and “Organism” and a trend arrow between them]
Security emphasis is changing
1980s: Secure buildings; glasshouse data centres
1990s: Managed networks; network firewalls
21st Century: Streetwise users (??); cyberspace road warriors
Today’s solutions are not sustainable
[Diagram, repeated across three successive panels: the Intranet surrounded by ASP, JV, Service provider, Extranet/Partner and Outsource connections]
As we experience the 1st security paradigm shift of the 21st Century
What does it mean?
• Recognition of the “disappearing perimeter”
• De-coupling security from the infrastructure level and moving it to the application and data levels
• Understanding that securing your own backyard is no longer sufficient to protect your data
• Working with business partners to develop practical collaborative solutions
We can design our own future
“The best way to predict the future is to invent it”
Alan Kay
Using the power of our imagination
“Imagination is more important than knowledge.”
Einstein
De-Perimeterisation
“The act of applying organisational and technical design changes to enable collaboration and commerce beyond the constraints of existing perimeters, through cross-organisational processes, services, security standards and assurance.”
The Jericho Forum
The Jericho Forum
Jericho Forum - Vision
Enable business confidence beyond the constraint of the corporate perimeter, through:
• Cross-organisational security process
• Shared security services
• Products that conform to Open security standards
• Assurance processes that when used in one organisation can be trusted by others
Jericho Forum - Mission
Act as a catalyst to accelerate the achievement of the vision by:
• Defining the problem space
• Communicating the collective Vision
• Challenging constraints and creating an environment for innovation
• Demonstrating the market
• Influencing future products and standards
Jericho Forum – Business Scenarios
1. Provide low-cost secure connectivity
  - Access over wireless and public networks
  - Domain inter-working via open networks
2. Support roaming personnel
  - Phoning home from a hostile environment
  - Enable portability of identities and data
3. Allow external access
  - Application access by suppliers, distribution agents or business partners
  - Outsourced help desk access to internal systems
4. Improve flexibility
  - Connect organisations for EDI using Secure XML Messaging and Web Services
  - Consolidate identity & access management systems for collaboration & commerce
  - Automate policy for controlled information sharing with other organisations
  - Harmonize identities and trust relationships with individuals
Jericho Forum – Working Groups
• Meta Architecture and Vision
• Requirements / Ontology
• Technology and Solutions (sees wireless as quick win)
• Trust Models
• Management and Monitoring
• Public Relations (PR), Media and Lobbying
• Vendor Management
Technology will transform our world
• Exploding connectivity and complexity (embedded Internet, IP convergence)
• Machine-understandable information
• De-fragmentation of computers into networks of smaller devices
• From deterministic to probabilistic systems
• Wireless, wearable computing
• Ubiquitous digital rights management
• Biometrics and novel user interfaces
There are consequences for security
• Slow death of network perimeters
• Continuing blurring of business and personal lifestyles
• Security migrates to the data level
• New languages and tools needed to express, translate and negotiate security policies
• Intelligent monitoring systems needed to maintain control of complex, networked systems
• Uncertain security - no guarantees
• Manage incidents as opportunities
As we look ahead to the 2nd security paradigm shift of the 21st Century
A world of increasing openness & complexity
• Exploding surveillance opportunities
• Limited opportunities for privacy-enhancing technologies
• Proliferating data wakes and pervasive circumstantial data about personal behaviour
• Intelligent monitoring software can highlight unusual behaviour
• Data fusion, mining and visualisation software can extract intelligence out of noise
• Exploitable for business, security, fraud or espionage
Visibility & understanding will be key
• Understanding and interpreting data in context (Semantic Web)
• Data fusion, mining and neural networks to crunch through complexity
• Data visualisation technology to enhance human understanding
• Computational immunology to differentiate good transactions from bad ones
Thank you for listening
David Lacey
Director, Information Security
Royal Mail Group