IP over IP
The impact of convergence on information value Clive Longbottom, Service Director, Quocirca Ltd
Context • Convergence provides cost savings – Via single management – Via single transport • Convergence provides greater capabilities – Greater integration – Better response times • But… • Convergence can lead to greater security risks
© 2007 Quocirca Ltd
The Lure of Convergence • One technology, one set of wires, one means of management • Brings together data, voice, video • Enables multi-channel businesses to act more coherently • But: – Everything is now accessible via a single transport – Everything is stored in a similar way – Information disruption and theft is more attractive
© 2007 Quocirca Ltd
The old days • Data security based on discrete approaches – Application security – Perimeter security – End Point security – VPN transport security • Encryption seen as a discrete, manual solution
© 2007 Quocirca Ltd
Issues • More deperimeterisation in the value chain – Mobile workers – Contractors/consultants – Suppliers and customers • More data at rest – Less of it fully secured – More of it duplicated • More data in movement – Can you count on it being secure?
© 2007 Quocirca Ltd
The Perception of Security • Our systems are protected by: – A firewall – Database security – Challenge/response access – VPNs – Anti-virus/spyware • Therefore, we must be secure
© 2007 Quocirca Ltd
The Reality • The Firewall is like Swiss Cheese – Ports have been opened all over the place • Database security only protects what’s in the database – That’s less than 20% of an organisation’s data • Challenge/response is no answer – Look for yellow sticky notes stuck to the screen of the laptop • VPNs are good.. – …but if breached, provide a secure tunnel back in to the organisation • Also – look at rogue WiFi access points, P2P software, rogue USB hardware, etc, etc… © 2007 Quocirca Ltd
What needs to be done? • Intellectual property is carried in documents – less so in application databases • Intellectual property should be secured at the point of creation • Intellectual property should be accessible by role and individual – But the rights should be capable of being immediately revoked – Need to be extended to suppliers, customers as well as contractors and consultants
© 2007 Quocirca Ltd
Encryption • Data encryption has been around for ever – But highly technically sold • Data encryption should be as transparent as possible to the user • The use of central policies driving automated encryption has to be utilised
© 2007 Quocirca Ltd
The Hybrid Approach • Remember that the majority of information thefts are still opportunistic – Being more secure than someone else may be enough • Worry that many information thefts are targeted – If your business is heavily based on intellectual property, you can’t risk it • Secure via: – Information security – Transport security – Application security – Database security – Device security – Biometrics © 2007 Quocirca Ltd
Other concerns • Do everything to stop accidental leakage – Limit routing • Use formal workflows to ensure specific flows – Stop email forwarding • Also saving of attachments – Prevent printing – Prevent cut and paste • Create solid guidance to stop purposeful leakage – Use of special screen-grab programs – Use of cameras – Manual copying of information
© 2007 Quocirca Ltd
Prevention and Cure • • • • •
Don’t let a problem get to the network If it gets to the network, don’t let it get to a device If it gets to a device, don’t let it do anything If its does anything, don’t let it get to the information If it gets to the information, make the information useless
• It’s the information that counts – Devices can be replaced – Time can be recouped to a degree – Lost information kills the business
© 2007 Quocirca Ltd
Conclusions • Intellectual property is the life blood of many organisations – Leaving important information at rest or on the move in the clear should not be tolerated • Encryption technologies have to be easy to use – Policy driven approaches can drive needs and hide technical complexity • Security has to be multi-layered – Although its not the device or the network that really matters, pragmatism, loss of time and need for specific skills dictates the need for multi-layered security
© 2007 Quocirca Ltd