Vous êtes sur la page 1sur 13

IP over IP

The impact of convergence on information value

Clive Longbottom,
Service Director, Quocirca Ltd
Context

• Convergence provides cost savings


– Via single management
– Via single transport
• Convergence provides greater capabilities
– Greater integration
– Better response times
• But…
• Convergence can lead to
greater security risks

© 2007 Quocirca Ltd


The Lure of Convergence

• One technology, one set of wires, one means of


management
• Brings together data, voice, video
• Enables multi-channel businesses to act more coherently

• But:
– Everything is now accessible via a single transport
– Everything is stored in a similar way
– Information disruption and theft is more attractive

© 2007 Quocirca Ltd


The old days

• Data security based on discrete approaches


– Application security
– Perimeter security
– End Point security
– VPN transport security
• Encryption seen as a discrete, manual solution

© 2007 Quocirca Ltd


Issues

• More deperimeterisation in the


value chain
– Mobile workers
– Contractors/consultants
– Suppliers and customers
• More data at rest
– Less of it fully secured
– More of it duplicated
• More data in movement
– Can you count on it being
secure?

© 2007 Quocirca Ltd


The Perception of Security

• Our systems are protected by:


– A firewall
– Database security
– Challenge/response access
– VPNs
– Anti-virus/spyware

• Therefore, we must be secure

© 2007 Quocirca Ltd


The Reality

• The Firewall is like Swiss Cheese


– Ports have been opened all over
the place
• Database security only protects
what’s in the database
– That’s less than 20% of an
organisation’s data
• Challenge/response is no answer
– Look for yellow sticky notes stuck to the
screen of the laptop
• VPNs are good..
– …but if breached, provide a secure tunnel
back in to the organisation
• Also – look at rogue WiFi access points, P2P
software, rogue USB hardware, etc, etc…
© 2007 Quocirca Ltd
What needs to be done?

• Intellectual property is carried in documents – less so in


application databases
• Intellectual property should be secured at the point of
creation
• Intellectual property should be accessible by role and
individual
– But the rights should be capable of being immediately
revoked
– Need to be extended to suppliers, customers as well
as contractors and consultants

© 2007 Quocirca Ltd


Encryption

• Data encryption has been around for ever


– But highly technically sold
• Data encryption should be as transparent as possible to
the user
• The use of central policies driving automated encryption
has to be utilised

© 2007 Quocirca Ltd


The Hybrid Approach

• Remember that the majority of information thefts are


still opportunistic
– Being more secure than someone else may be enough
• Worry that many information thefts are targeted
– If your business is heavily based on intellectual
property, you can’t risk it
• Secure via:
– Information security
– Transport security
– Application security
– Database security
– Device security
– Biometrics
© 2007 Quocirca Ltd
Other concerns

• Do everything to stop accidental leakage


– Limit routing
• Use formal workflows to ensure specific flows
– Stop email forwarding
• Also saving of attachments
– Prevent printing
– Prevent cut and paste
• Create solid guidance to stop purposeful leakage
– Use of special screen-grab programs
– Use of cameras
– Manual copying of information

© 2007 Quocirca Ltd


Prevention and Cure

• Don’t let a problem get to the network


• If it gets to the network, don’t let it get to a device
• If it gets to a device, don’t let it do anything
• If its does anything, don’t let it get to the information
• If it gets to the information, make the information
useless

• It’s the information that counts


– Devices can be replaced
– Time can be recouped to a degree
– Lost information kills the business

© 2007 Quocirca Ltd


Conclusions

• Intellectual property is the life blood of many


organisations
– Leaving important information at rest or on the move
in the clear should not be tolerated
• Encryption technologies have to be easy to use
– Policy driven approaches can drive needs and hide
technical complexity
• Security has to be multi-layered
– Although its not the device or the network that really
matters, pragmatism, loss of time and need for
specific skills dictates the need for multi-layered
security

© 2007 Quocirca Ltd

Vous aimerez peut-être aussi