super secure clouds
DESCRIPTION
Cloud Computing could be the biggest single opportunity for a significant improvement in our network and information security for decades. Multiple operators and suppliers offering multiple access points, services and applications that we can tap at the same time will give us a diversity of new protection mechanisms way beyond those we enjoy today. For sure we need to improve our log-on processes, firewalls and malware protection, but thin clients change the name of the game. A lack of memory and processing power leverage down any malware sophistication, whilst access and utilisation will be harder to compromise when we choose different devices and servers at random. If we also sign up for applications and services from multiple players, and disperse our information in parsed and scattered locations that are never connected in the same manner more than once, then infiltration will be orders of magnitude more difficult. All clouds are not the same, and their will be large numbers of them spanning corporates, governments, social and personal applications. Some will last, others will be sporadic and last for seconds. Connections too will be continually varying and sporadic. A moving target is harder to hit, and The Cloud might be the ultimate target!TRANSCRIPT
CLOUD
S U P E RSECURE
Peter Cochranecochrane.org.uk
Tuesday, 26 June 12
Security is always a cat and mouse game...
Tuesday, 26 June 12
And we are always trying to tilt the odds in our favour...
Tuesday, 26 June 12
But we cannot leave anything to chance, we cannot afford to gamble, the stakes are far too high..
Tuesday, 26 June 12
We have to think like the enemy, war game, test and probe, & constantly keep ahead technically and strategically...
Tuesday, 26 June 12
1) There is always a threat
2) It is always in a direction you’re not looking
3) Perceived risk/threat never equals reality
4) Nothing is 100% secure
5) People are always the primary risk
6) Resources are deployed inversely proportional to actual risk
Laws of security...
Tuesday, 26 June 12
Laws of security...
7) You need two security groups - defenders & attackers
8) Security & operational requirements are mutually exclusive
9) Legislation is always > X years behind
10) Security standards are an oxymoron
11) Security people are never their own customer
12) Cracking systems is far more fun than defending them
Tuesday, 26 June 12
Laws of security...
13) Hackers are smarter than you - they are younger!
14) Hackers are not the biggest threat - governments are!
15) As life becomes faster it becomes less secure
16) Connectivity and data half lives are getting shorter too
17) We are most at risk during a time of transition
18) The weakest link generally defines the outcome
Tuesday, 26 June 12
If we continue to do what we’ve always done our Cloud exposure will accelerate..
Tuesday, 26 June 12
In The Cloud - the attack surface is the entire planet...
Tuesday, 26 June 12
We w i l l n e e d more and smarter firewalls...
Tuesday, 26 June 12
All forms of malware protection will have to become evolutionary...
Tuesday, 26 June 12
Has to become far more sophisticated...
Tuesday, 26 June 12
Enhancing login vectors...Something you:
- Do- Are- Know- Posses- Deduce- Relate to- Recognise- Remember- Understand
A concatenation of weak vectors rapidly becomes very strong...
Tuesday, 26 June 12
Concatenating numerous low cost biometrics is a good example...
- Eye- Face- Hand- Voice- Typing- Habits- Devices- Locations- ++++
Tuesday, 26 June 12
Automated & stronger encryption...
...but only where needed !Tuesday, 26 June 12
More anonymity applications...
Tuesday, 26 June 12
More url hopping, identity, & location cloaking applications...
Tuesday, 26 June 12
What does The Cloud offer beyond all this ?
Tuesday, 26 June 12
So what are the extras The Cloud brings to the party ?
It will destroy dominant mono-cultures of:- Devices- Browsers- eMail clients- Application sets- Operating modes- Operating systems
Hackers love mono-cultures - it makes their lives so very
much easier...
Tuesday, 26 June 12
More variety, dynamism, and faster change...
Tuesday, 26 June 12
Clouds of all sizes will form and dissipate by demand . . .w i t h t h e clustering of people and devices +++
Tuesday, 26 June 12
Connectivity will be less static, comms between Clouds sporadic and far more varied...
Tuesday, 26 June 12
Moving targets are very hard to hit
Tuesday, 26 June 12
Thin clients offer very limited processing and memory, making it far harder for malware to be effective...
Tuesday, 26 June 12
Cloud services now a v a i l a b l e f r o m multiple suppliers...
- Infrastructure- Platform- Software
Tuesday, 26 June 12
Use multiple suppliers for connectivity, apps, storage, security et al and employ in a randomised fashion...
Tuesday, 26 June 12
...seamlessly flip between devices...Tuesday, 26 June 12
Why
Tuesday, 26 June 12
To make it incredibly difficult for the dark side:
- No single log-on device- No single log-on location- Variable log-on routine- Distributed applications- Distributed filing system- Parsed and distributed data- Multiple clouds and providers- Dynamic creation of clouds- Dynamic cloud interconnection- Inter-cloud encryption and coding- Corporate strength security for all
Tuesday, 26 June 12
App
App App
App
App Storage
Storage Corporate
Corporate
Corporate
Personal Personal Storage
One of manyConnection
Clouds
SurroundedBy
Clouds
Tuesday, 26 June 12
Parsed data flows to/frommultiple destinations...
...are incredibly difficult to intercept and decode...
Tuesday, 26 June 12
Parsed, encrypted & distributed folders over multiple global ser vers . . . i s even harder!
Tuesday, 26 June 12
Parsed, encrypted and distributed data folders over multiple global servers...is even worse!
The biggest threat is still people laxity and the insider...
Tuesday, 26 June 12
Behavioural monitoring and analysis will become an essential cloud service for SMEs, corporations & .gov...
Tuesday, 26 June 12
Half lives of connections, data, info and knowledge...are going to get much shorter!
Tuesday, 26 June 12
We have toreduce theopportunityand the time available forThe Dark Sideto infiltrate and take action...
Tuesday, 26 June 12
And should they break in we confront them with partial access and a very confusing picture...
Which door to choose, and to which cloud, for how long, with access to what ?
Tuesday, 26 June 12
How many layers, combinations,connections, locks,types ?
How long will they be open,
and what is in each of the many clouds ?
Tuesday, 26 June 12
The Dark S i d e w i l l thus have far less time to infiltrate a n d t a k e action...
The day of the lone hacker is coming to an end...
Tuesday, 26 June 12
The New Dark Side are gov agencies and criminal organisations with huge budgets, people & tech resources...
Tuesday, 26 June 12
The sophistication of StuxNet and Flame surprised industry and governments .. .and they mark the start of a new era...
Tuesday, 26 June 12
We may be transiting to‘Cyber Warfare’...
Tuesday, 26 June 12
Fending off such threats
demands more capability
than individual corps can
muster
Tuesday, 26 June 12
Global cooperation will be required, to develop military grade solutions ...
Tuesday, 26 June 12
To survive and prosper we have to think and act differently whilst leverag ing new technology, and techniques...
Tuesday, 26 June 12
The DIYcompanies
will not survive...
Tuesday, 26 June 12
Malware is now open code for free or a modest price f r o m m u l t i p l e sources...
...it is also breeding by the hand of man and by a digital life force we created...
Tuesday, 26 June 12
The Art of War by Sun Tzu, 600 BC
“Speed is the essence of war. Take advantage of the enemy's unpreparedness ; t rave l by unexpected routes and strike him where he has taken no precautions”
Tuesday, 26 June 12
Be prepared !Tuesday, 26 June 12
Thank You
ca-global.orgcochrane.org.uk
COCHRANE a s s o c i a t e s
Tuesday, 26 June 12