Setting the Foundations  The Jericho Forum “Commandments”  Nick Bleech Rolls Royce & Jericho Forum Board.

Slides:



Advertisements
Similar presentations
Connected Health Framework
Advertisements

Potential Smart Grid standardisation work in ETSI Security and privacy aspects Carmine Rizzo on behalf of Scott CADZOW, C3L © ETSI All rights reserved.
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.
FIA Prague Preparation February 6, Scenario planning approach We cannot predict the future We cannot predict the future We do understand the drivers.
A Unified Approach to Combat Counterfeiting: Use of the Digital Object Architecture and ITU-T Recommendation X.1255 Robert E. Kahn President & CEO CNRI,
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
Sponsored by the U.S. Department of Defense © 2005 by Carnegie Mellon University 1 Pittsburgh, PA Dennis Smith, David Carney and Ed Morris DEAS.
Real world application  Protocols  Paul Simmonds ICI Plc. & Jericho Forum Board.
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
Collaboration Oriented Architecture COA Position Paper An Overview Adrian Seccombe Board of Management, Jericho Forum ® CISO & Snr Enterprise Information.
IT Audit & Identity Management Challenges in a De-perimeterisation Scenario Henry S. Teng, CISSP, CISM Enterprise Security Compliance Officer Philips International.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
CS 268: Future Internet Architectures Ion Stoica May 1, 2006.
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Stephen S. Yau CSE , Fall Security Strategies.
Information and communication technology (ICT) capability Australian Curriculum, F10.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
The disappearing perimeter and The need for secure collaboration Bob West Founder and CEO, Echelon One, & Jericho Forum ® Board Member Jericho Forum at.
Jericho Forum Achievements  Steve Whitlock Board of Management, Jericho Forum ®
Copyright © 2006 CyberRAVE LLC. All rights reserved. 1 Virtual Private Network Service Grid A Fixed-to-Mobile Secure Communications Framework Managed Security.
Jericho une approche alternative de la sécurité Bjorn Gronquist (CSO Capgemini) Lyon – 26 novembre 2009 XIVe Symposium de l’Architecture du 16 au 26 novembre.
1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.
TFTM Interim Trust Mark/Listing Approach Paper Analysis of Current Industry Trustmark Programs and GTRI PILOT Approach Discussion Deck TFTM Committee.
SAMANVITHA RAMAYANAM 18 TH FEBRUARY 2010 CPE 691 LAYERED APPLICATION.
© Synergetics Portfolio Security Aspecten.
Data Integrity Lesson 12. Skills Matrix Maintaining Data Integrity Maintaining data integrity is your most important responsibility. –Performing backups.
Cryptography, Authentication and Digital Signatures
The Jericho Forum’s Architecture for De-Perimeterised Security Presentation at CACS 2007 Auckland Prof. Clark Thomborson 10 th September 2007.
Jericho’s Architecture for De-Perimeterised Security Presentation at ISACA/IIA Wellington Prof. Clark Thomborson 27 th July 2007.
HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.
Virtual Private Ad Hoc Networking Jeroen Hoebeke, Gerry Holderbeke, Ingrid Moerman, Bard Dhoedt and Piet Demeester 2006 July 15, 2009.
John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Name Position Organisation Date. What is data integration? Dataset A Dataset B Integrated dataset Education data + EMPLOYMENT data = understanding education.
Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin
12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
Frankfurt (Germany), 6-9 June 2011 Iiro Rinta-Jouppi – Sweden – RT 3c – Paper 0210 COMMUNICATION & DATA SECURITY.
Distribution and components. 2 What is the problem? Enterprise computing is Large scale & complex: It supports large scale and complex organisations Spanning.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Lecture 24 Wireless Network Security
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
Jericho Commandments, Future Trends, & Positioning.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
COA Masterclass The introduction! Paul Simmonds Board of Management, Jericho Forum ® ex.CISO, ICI Plc.
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Key Management in AAA Russ Housley Incoming Security Area Director.
Slide 1 2/22/2016 Policy-Based Management With SNMP SNMPCONF Working Group - Interim Meeting May 2000 Jon Saperia.
Information Resource Stewardship A suggested approach for managing the critical information assets of the organization.
The NIST Special Publications for Security Management By: Waylon Coulter.
Securing Access to Data Using IPsec Josh Jones Cosc352.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 10 Network Security Management.
Records without boundaries? Penny Hill. Objectives of the session To identify the issues around managing record boundaries and how the CRDB is addressing.
Dr. Ir. Yeffry Handoko Putra
Outline Basic concepts in computer security
The disappearing perimeter and The need for secure collaboration
I have many checklists: how do I get started with cyber security?
Chapter 1: Introduction
IS4680 Security Auditing for Compliance
How to Mitigate the Consequences What are the Countermeasures?
SAMANVITHA RAMAYANAM 18TH FEBRUARY 2010 CPE 691
Collaboration Oriented Architecture COA Position Paper An Overview
PLANNING A SECURE BASELINE INSTALLATION
Presentation transcript:

Setting the Foundations  The Jericho Forum “Commandments”  Nick Bleech Rolls Royce & Jericho Forum Board

I have ten commandments. The first nine are, thou shalt not bore. The tenth is, thou shalt have right of final cut.

Rationale  Jericho Forum in a nutshell: “Your security perimeters are disappearing: what are you going to do about it?”  Need to express what / why / how to do it in high level terms (but allowing for detail)  Need to be able to draw distinctions between ‘good’ security (e.g. ‘principle of least privilege’) and ‘de-perimeterisation security’ (e.g. ‘end-to-end principle’)

Why should I care?  De-perimeterisation is a disruptive change  There is a huge variety of: –Starting points / business imperatives –Technology dependencies / evolution –Appetite for change / ability to mobilise –Extent of de-perimeterisation that makes business sense / ability to influence  So we need rules-of-thumb, not a ‘bible’ –“A benchmark by which concepts, solutions, standards and systems can be assessed and measured.” IT Strategy and Planning Portfolio Management Asset Management Resource Management Service Management Solution Delivery Business Strategy

Structure of the Commandments  Fundamentals (3)  Surviving in a hostile world (2)  The need for trust (2)  Identity, management and federation (1)  Access to data (3)

Fundamentals 1. The scope and level of protection must be specific and appropriate to the asset at risk.  Business demands that security enables business agility and is cost effective.  Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves.  In general, it’s easier to protect an asset the closer protection is provided.

Fundamentals 2. Security mechanisms must be pervasive, simple, scalable and easy to manage.  Unnecessary complexity is a threat to good security.  Coherent security principles are required which span all tiers of the architecture.  Security mechanisms must scale: –from small objects to large objects.  To be both simple and scalable, interoperable security “building blocks” need to be capable of being combined to provide the required security mechanisms.

Fundamentals 3. Assume context at your peril.  Security solutions designed for one environment may not be transferable to work in another: –thus it is important to understand the limitations of any security solution.  Problems, limitations and issues can come from a variety of sources, including: –Geographic –Legal –Technical –Acceptability of risk, etc.

Surviving in a hostile world 4. Devices and applications must communicate using open, secure protocols.  Security through obscurity is a flawed assumption –secure protocols demand open peer review to provide robust assessment and thus wide acceptance and use.  The security requirements of confidentiality, integrity and availability (reliability) should be assessed and built in to protocols as appropriate, not added on.  Encrypted encapsulation should only be used when appropriate and does not solve everything.

Surviving in a hostile world 5. All devices must be capable of maintaining their security policy on an untrusted network.  A “security policy” defines the rules with regard to the protection of the asset.  Rules must be complete with respect to an arbitrary context.  Any implementation must be capable of surviving on the raw Internet, e.g., will not break on any input.

The need for trust 6. All people, processes, technology must have declared and transparent levels of trust for any transaction to take place.  There must be clarity of expectation with all parties understanding the levels of trust.  Trust models must encompass people/organisations and devices/infrastructure.  Trust level may vary by location, transaction type, user role and transactional risk.

The need for trust 7. Mutual trust assurance levels must be determinable.  Devices and users must be capable of appropriate levels of (mutual) authentication for accessing systems and data.  Authentication and authorisation frameworks must support the trust model.

Identity, Management and Federation 8. Authentication, authorisation and accountability must interoperate/ exchange outside of your locus/ area of control.  People/systems must be able to manage permissions of resources they don't control.  There must be capability of trusting an organisation, which can authenticate individuals or groups, thus eliminating the need to create separate identities.  In principle, only one instance of person / system / identity may exist, but privacy necessitates the support for multiple instances, or once instance with multiple facets.  Systems must be able to pass on security credentials/assertions.  Multiple loci (areas) of control must be supported.

Finally, access to data 9. Access to data should be controlled by security attributes of the data itself.  Attributes can be held within the data (DRM/Metadata) or could be a separate system.  Access / security could be implemented by encryption.  Some data may have “public, non-confidential” attributes.  Access and access rights have a temporal component.

Finally, access to data 10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges  Permissions, keys, privileges etc. must ultimately fall under independent control –or there will always be a weakest link at the top of the chain of trust.  Administrator access must also be subject to these controls.

Finally, access to data 11. By default, data must be appropriately secured both in storage and in transit.  Removing the default must be a conscious act.  High security should not be enforced for everything: –“appropriate” implies varying levels with potentially some data not secured at all.

Consequences … is that it? Jericho Forum Standards Groups Vendors Customers Desired Future State Standards and Solutions ContinuumWork Types Needs Principles Strategy White Papers Patterns Use Cases Guidelines Standards Solutions

Consequences…is that it?  We may formulate (a few) further Commandments … and refine what we have … based on –Your feedback (greatly encouraged) –Position papers (next level of detail) –Taxonomy work –Experience  Today’s roadmap session will discuss where we go from here Cecil B. DeMille What I have crossed out I didn't like. What I haven't crossed out I'm dissatisfied with.

Paper available from the Jericho Forum  The Jericho Forum “Commandments” are freely available from the Jericho Forum Website

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.