A Shift in the Data Security Paradigm
CAUBO 2015
Dr. Lawrence Dobranski, P.Eng.
Director, ICT Security, Access & Compliance
Professional Affiliate, Department of Computer Science
University of Saskatchewan
www.usask.ca/ict
Information Systems @ uSask
- Open, de-perimeterised environment
- 16,000 mobile users connecting daily via a ubiquitous wireless network
  - Most of them BYOD (Bring Your Own Device)
- Most services directly reachable by https://
- Ubiquitous single sign on
- Includes: private cloud, multiple data centers, high performance research computing, petabytes of storage, multi-gigabit connections to the Internet and international research networks
Mobile & Cloud @ U of S
- ~2.4K access points -> seeing the ‘Tragedy of the Commons’
- Cloud services include: Travel & Expense Management; Student Employment; Responsible Disclosure; Survey Tools; Crowd Funding
- iUsask: award-winning university service app for mobile devices (Sept. 2013)
The Post Enterprise
Personal Mobile Devices and Cloud Computing represent significant technology & societal disruptors and the arrival of the ‘Post Enterprise World’.
Personal Mobile Devices
- Represented by the convergence of mobile computing: laptop, netbook, palm top, tablet, phone -> “the endpoint”
  - A matter of size and battery life
  - Computing power no longer a limitation
  - Data storage -> in the cloud
- Stakeholders have multiplied:
  - Carriers (maybe more than one)
  - 3rd party content (multimedia, software, services, …)
  - Other relying parties (licensing parties too …)
  - Employer (maybe more than one)
  - School
  - Personal
Cloud Computing
- Service oriented:
  - Software as a Service
  - Platform as a Service
  - Applications as a Service
  - Security as a Service
- Business models:
  - Free: I can mine your data
  - Commercial: If I can mine your data
  - Corporate: A cloud for the enterprise
- Architectures: Personal, Private, Hybrid, Community, Public
- And yes: Malware as a Service
- Just “Who owns the computer?”
The number of stakeholders is multiplying; it is no longer just the employer and the employee.
- Carriers
- 3rd parties
- Apps
- Environments
BYOD & Cloud – A Multi-Dimensional Risk Challenge
- Not just a technology challenge; it is a business challenge.
- Risk involves:
  - Confidentiality, integrity, and availability of information & services
  - Personally-identifiable information (aka privacy)
  - Business survivability (disaster recovery & business continuity)
  - Multiple stakeholders (users, clients, 3rd parties, CxOs, …)
- Information is the asset – authorization is the key.
- Traditional IT approaches do not acknowledge ‘de-perimeterisation’ or ‘context of use’.
- Banning BYOD or cloud services usually just forces them underground.
  - Better to manage it rather than ban it
  - Need to support controlled, secure access to information and services
- Wholesale adoption of BYOD and/or cloud without risk management is just as bad.
  - Know where your data is, and how it is being accessed.
BYOD & Cloud – A disruptive technological, business, and sociological evolution
- Evolution to the mobile, social media, always-on society
- Elimination of boundaries
  - Traditionally used to define the enterprise and society
  - Separate trusted and untrusted domains are no longer clear.
  - Defense-in-depth: not going extinct, but evolving
- Context of use
  - How, why, where, what, and when regarding data and service access
De-Perimeterisation
- Concept originally championed by The Open Group’s Jericho Forum®
- Traditionally, organizations relied upon boundaries and perimeters to provide security: different areas of trust.
- BYOD and cloud services mean that the boundaries of the organization have changed or do not exist.
- Now not just who is accessing the data, but where, how, and with what device.
De-Perimeterisation
BYOD and Cloud as a disruptive revolution are represented by the eradication of boundaries.
Context of Use, aka Mobility
- A significant technology, business, and social driver by itself
- Users and institutions want to be agile, to be accessible, and to support collaboration:
  - No matter where they are
  - No matter what device they are using
  - Expanding to include however they are accessing data and services
- Focus on giving ubiquitous access to organizational data, networks, services, and applications, as well as personal data, networks, services, and applications
- To be agile, responsive, and value-providing, anywhere, at any time
Context of Use
- Where, Who, What, When, Why, How
- The context of the mobile device and the service provided must be reflected in the authorizations granted to the authenticated user.
- Information is the asset; authorization is the key.
Context of Use – No Longer Just Who
- Traditionally identity management only addresses ‘Who is accessing the data?’
  - We know who you are; we trust you.
- Now need to address:
  - Who owns the servers?
  - Who owns the applications?
  - Who owns the data? (Are you sure?)
Context of Use – Now need to ask
- How is the data being accessed?
- Who is delivering the data and service?
- Where is it being accessed from? Location and device are critical.
- What expectations exist for the data’s confidentiality, integrity, and availability?
- Who owns and controls the data?
- Who owns and controls the devices?
- Is the security policy/security compliance adaptable?
- Whom do you trust?
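The three "Context of Use" slides above say that who, what, where, how, when and why must all feed the authorization decision, not just the authenticated identity. As an added example (not from the presentation and not the University of Saskatchewan's access-control code), the Python below encodes those six dimensions as a request context and evaluates it against an ordered rule table, returning both the decision and the rule that produced it so the outcome can be audited. The data classifications, device labels, locations, hours and every rule in the table are assumptions chosen to illustrate the idea; a real policy would be derived from the data owner's expectations and the applicable jurisdiction.

```python
"""Context-of-use authorization: a constructed policy evaluator.
Added example, not from the presentation; all classifications, device
labels, locations and rules below are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    READ_ONLY = "allow read-only"
    STEP_UP = "require step-up authentication"
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """The who/what/where/how/when/why of one access request."""
    who: str        # authenticated principal, "" if anonymous
    what: str       # data classification: public | internal | confidential
    where: str      # network location: campus | off-campus | unknown
    how: str        # device: corporate | managed-byod | unmanaged-byod
    when_hour: int  # local hour (0-23) of the request
    why: str        # requested operation: read | write


Rule = Tuple[str, Callable[[AccessContext], bool], Decision]

# Ordered rule table (constructed): the first matching rule wins, so the
# cheapest decision (public data) and the hard denials come first.
POLICY: List[Rule] = [
    ("public-data",
     lambda c: c.what == "public", Decision.ALLOW),
    ("unauthenticated",
     lambda c: c.who == "", Decision.DENY),
    ("confidential-on-unmanaged-device",
     lambda c: c.what == "confidential" and c.how == "unmanaged-byod", Decision.DENY),
    ("confidential-from-unknown-location",
     lambda c: c.what == "confidential" and c.where == "unknown", Decision.DENY),
    ("confidential-off-campus-needs-step-up",
     lambda c: c.what == "confidential" and c.where == "off-campus", Decision.STEP_UP),
    ("no-writes-from-unmanaged-device",
     lambda c: c.how == "unmanaged-byod" and c.why == "write", Decision.READ_ONLY),
    ("writes-outside-hours-need-step-up",
     lambda c: c.why == "write" and not 7 <= c.when_hour <= 19, Decision.STEP_UP),
]
DEFAULT_RULE = "default-allow-authenticated"


def authorize(ctx: AccessContext) -> Tuple[Decision, str]:
    """Evaluate the context against POLICY in order; return (decision, rule name)."""
    for name, matches, decision in POLICY:
        if matches(ctx):
            return decision, name
    # Only reached by an authenticated principal that tripped no restriction.
    return Decision.ALLOW, DEFAULT_RULE


def audit_line(ctx: AccessContext) -> str:
    """One log line recording the full context and the rule that decided it."""
    decision, rule = authorize(ctx)
    return (f"who={ctx.who or 'anonymous'} what={ctx.what} where={ctx.where} "
            f"how={ctx.how} when={ctx.when_hour:02d}h why={ctx.why} "
            f"-> {decision.value} ({rule})")


if __name__ == "__main__":
    # Constructed sample requests covering each rule in the table.
    samples = [
        AccessContext("", "public", "unknown", "unmanaged-byod", 3, "read"),
        AccessContext("alice", "confidential", "off-campus", "unmanaged-byod", 14, "read"),
        AccessContext("alice", "confidential", "off-campus", "managed-byod", 14, "read"),
        AccessContext("alice", "confidential", "campus", "corporate", 14, "write"),
        AccessContext("bob", "internal", "off-campus", "unmanaged-byod", 14, "write"),
        AccessContext("bob", "internal", "campus", "corporate", 23, "write"),
    ]
    for sample in samples:
        print(audit_line(sample))
```

The point of returning the rule name alongside the decision is the "Is the security policy adaptable?" question: when the policy changes (a new jurisdiction, a new device class), the audit trail shows which rule granted or refused each past access, and a rule can be tightened or relaxed without touching the evaluator.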
Regulatory & Compliance in this New Model
- Most regulatory & compliance regimes:
  - Built for a traditional defense-in-depth model
  - Corporate-owned, or at least corporate-controlled, devices on a corporate-owned or managed network
  - No acknowledgement of BYOD or cloud-based services, multiple stakeholders, or multiple jurisdictions
- Who owns the data? Who controls the data? Are you sure? Whose jurisdiction?
BYOD and Cloud Risks
- Loss of the network perimeter
- Loss of directive control and audit
- Physical location of servers
- Multi-tenancy
- Risks from Internet availability, capability, and accessibility
- Effective records management
- Jurisdiction
- Human rights
- Data ownership
- Server ownership
Thank you!
Lawrence Dobranski, DSc, MBA, MSc (Eng), P.Eng.
lawrence.dobranski@usask.ca
@ldobranski
(306) 966-7177