Speakers: Jay Heiser; Tom Scholtz; Neil MacDonald.
Coming up later this week:
- Ross Anderson (professor of Security Engineering, University of Cambridge Computer Laboratory) speaks tomorrow; he is the author of the book "Security Engineering".
- Peter Hustinx, European Data Protection Supervisor: strategic issues for data protection in Europe.
- Best practice workshops: SANS; ISACA.
Adaptive Security Infrastructure: Neil MacDonald on how information security must become adaptive, both to changing threats and to changing business needs. At the moment information security is not keeping up: too many point products with too much complexity; products are too expensive and vendors are not investing enough. Network, endpoint, application and content security are all separate and don't talk to each other. We need to switch from "zero risk" to "managed risk".
Security implications as we virtualise hardware, operating systems and applications, and as application data is abstracted through web services. Then there are portable personalities, Amazon EC2 and the like.
The current model is flawed: there is no "us" and "them". Every device, every packet, all content and every user is a risk. The implication is that the notion of the "perimeter" is less important; security and trust are no longer binary, so we need to think about "relative trustability". Rather than just one "perimeter" there will be multiple. Look to survival of the system: protect workloads and information, not endpoints.
Three layers: at the bottom, firewalls and application control; in the middle, anti-virus, anti-spam and URL filtering; at the top, looking at behaviour. The layers communicate with each other.
Service Mark-up Language is going to be used to build security models (among other things) at the point that applications are written (to be announced by Microsoft at TechEd as project "Oslo"). It seems like the next generation of the Dynamic Systems Initiative. The model describes the role(s) that should be able to perform particular functions within the application.
1 comment:
I read a little about "Oslo" a while ago when Tech Ed 2008 (US) was running. It seemed to be the next step in Microsoft's SoA initiative, and was all about "making everyone a developer" (please don't take my job away Microsoft...).
It seems to be a platform for modelling domains / applications / processes (?), but rather than just creating high-level models for use at the design stage, these models can actually be stored in some kind of repository and incorporated at runtime, allowing true model-driven applications.
Those models presumably apply across traditional application boundaries in a more service-oriented fashion, though it'll be interesting to see how aspects such as security defined within those models integrate and co-exist with more traditional methods across underlying components.