Sometime last autumn I started researching the field of Micro-Segmentation, particularly as a consequence of attending a Unisys analyst event and, subsequently, VMworld Europe. Unisys talked a lot about their Stealth product, while at VMworld there was much talk about the VMware NSX product and its capabilities, including security by Micro-Segmentation.
The basic idea of Datacenter Micro-Segmentation, the most common approach to Micro-Segmentation, is to split the network into small (micro) segments for particular workloads, based on virtual networks with additional capabilities such as integrated firewalls, access control enforcement, etc.
Using Micro-Segmentation, there might even be multiple segments for a particular workload, such as the web tier, the application tier, and the database tier. This allows further strengthening security by different access and firewall policies that are applied to the various segments. In virtualized environments, such segments can be easily created and managed, far better than in physical environments with a multitude of disparate elements from switches to firewalls.
Obviously, by having small, well-protected segments with well-defined interfaces to other segments, security can be increased significantly. However, it is not only about datacenters.
The applications and services running in the datacenter are accessed by users. This might happen through fat-client applications or through web interfaces; furthermore, we see a massive uptake in the use of APIs by client-side apps, but also by backend applications consuming and processing data from other backend services. There is also a variety of services where, for example, data is stored or processed locally, starting with downloading documents from backend systems.
Admittedly, not everything can be protected perfectly well. Data accessed through browsers is out of control once it is at the client – unless the client can become a part of the secure environment as well.
Anyway, there are – particularly within organizations with good control of everything within the perimeter and at least some level of control around the devices – more options. Ideally, everything becomes protected across the entire business process, from the backend systems to the clients. Within that segmentation, other segments can exist, such as micro-segments at the backend. Such “Business Process Micro-Segmentation” stands not in contrast to Datacenter Micro-Segmentation, but extends that concept.
From my perspective, we will need two major extensions for moving beyond Datacenter Micro-Segmentation to Business Process Micro-Segmentation. One is encryption. While there is limited need for encryption within the datacenter (don’t consider your datacenter being 100% safe!) due to the technical approach on network virtualization, the client resides outside the datacenter. The minimal approach is protecting the transport by means like TLS. More advanced encryption is available in solutions such as Unisys Stealth.
The other area for extension is policy management. When looking at the entire business process – and not only the datacenter part – protecting the clients by integrating areas like endpoint security into the policy becomes mandatory.
Neither Business Process Micro-Segmentation nor Datacenter Micro-Segmentation will solve all of our Information Security challenges. Both are only building blocks within a comprehensive Information Security strategy. In my opinion, thinking beyond Datacenter Micro-Segmentation towards Business Process Micro-Segmentation is also a good example of the fact that there is not a “holy grail” for Information Security. Once organizations start sharing information with external parties beyond their perimeter, other technologies such as Information Rights Management – where documents are encrypted and distributed along with the access controls that are subsequently enforced by client-side applications – come into play.
While there is value in Datacenter Micro-Segmentation, it is clearly only a piece of a larger concept – in particular because the traditional perimeter no longer exists, which also makes it more difficult to define the segments within the datacenter. Once workloads are flexibly distributed between various datacenters in the Cloud and on-premises, pure Datacenter Micro-Segmentation reaches its limits anyway.
On April 18th 1906, an earthquake and fires destroyed nearly three quarters of San Francisco. Around 3000 people lost their lives. Right up to the present day, many other, less severe tremors have followed. The danger of another catastrophe can’t be ignored. In a city like San Francisco, however wonderful it might be to live there, people always have to be aware that their whole world can change in an instant. Now the Internet of Things (IoT) can help to make alarm systems better. People in this awesome city can at least be sure that the mayor and his office staff do their best to keep them safe and secure in all respects.
Not only that: with the help of the Internet of Things (IoT) they’re also looking for new ways to make the lives of the citizens more convenient. That became clear to me when I saw ForgeRock’s presentation about their IoT and Identity projects in San Francisco. I noticed with pleasure that Lasse Andresen, ForgeRock’s CTO and Founder, confirmed what I have been saying for quite some time: security and privacy must not be an afterthought. Designed in properly from the start, both do not hinder new, successful business models but actually enable them. In IoT, security and privacy are integral elements. They lead to more agility and less risk.
Andresen says in the presentation that Identity, Security and Privacy are core to IoT: “It’s kind of what makes IoT work or not work. Or making big data valuable or not valuable.” San Francisco is an absolutely great example of what that means in practice. Everything – “every thing” – in this huge city shall have its own unique identity, from the utility meter to the traffic lights and parking spaces to the police, firefighters and ambulances. This allows fast, secure and orderly action in case of emergencies. Because of their identities and with geolocation, the current position of each vehicle is always exactly known to the emergency coordinators. The firefighters identify themselves with digital key cards at the scene to show that they are authorized to be there. Thus everything and everyone becomes connected with each other – people, things and services – with identity as the glue.
Identity information enables business models that, e.g., improve life in the city. The ForgeRock demonstration shows promising examples such as optimizing the traffic flow and road planning with big data, street lights that reduce power consumption by turning on and off automatically, smart parking that allows the car driver to reserve a space online in advance, combined with demand-based pricing of parking spaces, and, last but not least, live optimization of service routes.
The ForgeRock solution matches the attributes and characteristics of human users to those of things, devices, and apps, collects all the notifications together in a big data repository and then flexibly manages the relationships between all entities – people and things – from this central authoritative source. Depending on her or his role, each user will be carefully provisioned with access to certain devices as well as certain rights and privileges. That is why identity is a prerequisite for secure relationships. Things are just another channel demanding access to the internet. It has to be clear what they are allowed to do, e.g. may item A send sensitive data to a certain server B? If so, does the information have to be encrypted? Without the concept of identities, their relations, and the management of their access, there are too many hindrances for successful change in business models and regulations.
Besides the questions about security and privacy, the lack of standards has long been the biggest challenge for a fully functioning IoT. Many platforms, various protocols and many different APIs made overall integration of IoT systems problematic. Yes, there are even many different “standards”. However, with User Managed Access (UMA) a new standard eventually evolved that takes care of the management of access rights. With UMA, millions of users can manage their own access rights and keep full control over their own data without handing it to the service provider. They alone decide which information they share with others. While the resources may be stored on several different servers, a central authorization server ensures that the rules laid down by the owner are reliably applied. Any enterprise that adopts UMA early now has the chance to build a new, strong and long-lasting relationship with customers, built on security and privacy by design.
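As an added illustration (not ForgeRock's code and not a spec-complete UMA implementation), the following Python model shows the separation described above: the owner's sharing rules live at one authorization server, while resources on separate resource servers only honour the tokens it issues. The authorization server, resource servers, owner, resources and requesting parties are all constructed.

```python
"""Simplified User-Managed Access (UMA) style flow: added illustration, not
ForgeRock's code and not a spec-complete UMA implementation.  The owner's
sharing rules live at one authorization server; resources live on separate
resource servers that only enforce the tokens it issues.  Data is constructed."""
import secrets

class AuthorizationServer:
    """Central authority: holds the owner's policies and issues tokens."""
    def __init__(self):
        self.resources = {}  # resource_id -> {"owner": str, "scopes": set}
        self.policies = {}   # (owner, resource_id) -> {requesting_party: set(scopes)}
        self.tickets = {}    # permission ticket -> (resource_id, scopes requested)
        self.rpts = {}       # requesting-party token (RPT) -> (resource_id, scopes granted)

    def register_resource(self, owner, resource_id, scopes):
        self.resources[resource_id] = {"owner": owner, "scopes": set(scopes)}

    def set_policy(self, owner, resource_id, requesting_party, scopes):
        # The owner, not the service provider, decides who may do what.
        if self.resources[resource_id]["owner"] != owner:
            raise PermissionError("only the owner may set policy")
        self.policies.setdefault((owner, resource_id), {})[requesting_party] = set(scopes)

    def create_ticket(self, resource_id, scopes):
        # Issued to the resource server when a request arrives without a usable RPT.
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (resource_id, set(scopes))
        return ticket

    def request_rpt(self, ticket, requesting_party):
        # The client exchanges the ticket plus its identity claim for an RPT.
        resource_id, wanted = self.tickets.pop(ticket)
        owner = self.resources[resource_id]["owner"]
        allowed = self.policies.get((owner, resource_id), {}).get(requesting_party, set())
        granted = wanted & allowed
        if not granted:
            return None  # the owner's policy denies: no token is issued
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = (resource_id, granted)
        return rpt

    def introspect(self, rpt):
        return self.rpts.get(rpt)

class ResourceServer:
    """Stores resources; never decides policy, only enforces introspection results."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.data = {}

    def add_resource(self, owner, resource_id, content, scopes):
        self.data[resource_id] = content
        self.auth.register_resource(owner, resource_id, scopes)

    def access(self, resource_id, scope, rpt=None):
        """Return ("ok", content) or ("need_token", permission_ticket)."""
        claim = self.auth.introspect(rpt) if rpt else None
        if claim and claim[0] == resource_id and scope in claim[1]:
            return ("ok", self.data[resource_id])
        return ("need_token", self.auth.create_ticket(resource_id, [scope]))

def run_flow(requesting_party, resource_id, scope, rs, auth):
    """Try the resource, fetch an RPT if the owner's policy allows, then retry."""
    status, payload = rs.access(resource_id, scope)
    if status == "ok":
        return ("ok", payload)
    rpt = auth.request_rpt(payload, requesting_party)
    if rpt is None:
        return ("denied", None)
    return rs.access(resource_id, scope, rpt)

def demo():
    auth = AuthorizationServer()
    meter_rs = ResourceServer(auth)    # constructed: utility-meter service
    parking_rs = ResourceServer(auth)  # constructed: parking service
    meter_rs.add_resource("alice", "meter-42", {"kwh": 318}, ["read"])
    parking_rs.add_resource("alice", "car-plate", "SF-1234", ["read", "share"])
    # Alice alone decides: grid analytics may read her meter, the parking
    # operator may read (but not share) her plate; nobody else gets anything.
    auth.set_policy("alice", "meter-42", "city-grid-analytics", ["read"])
    auth.set_policy("alice", "car-plate", "parking-operator", ["read"])
    return {
        "grid_reads_meter": run_flow("city-grid-analytics", "meter-42", "read", meter_rs, auth),
        "grid_reads_plate": run_flow("city-grid-analytics", "car-plate", "read", parking_rs, auth),
        "operator_shares_plate": run_flow("parking-operator", "car-plate", "share", parking_rs, auth),
    }
```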
There is a lot of talk about Blockchain and, more generally, Distributed Public Ledgers (DPLs) these days. Some try to position DPLs as a means for better identification and, in consequence, authentication. Unfortunately, this will not really work. We might see a few approaches for stronger or “better” identification and authentication, but no real solution. Not even by DPLs, which I see as the most disruptive innovation in Information Technology in a very, very long time.
Identification is the act of finding out whether someone (or something) is really the person (or thing) he (it) claims to be. It is about knowing whether the person claiming to be Martin Kuppinger is really Martin Kuppinger or in fact someone else.
Authentication, in contrast, is a proof that you have a proof such as a key, a password, a passport, or whatever. The quality of authentication depends on one hand on the quality of identification (to obtain the proof) and on the other hand on aspects such as protection against forgery and the ubiquitous authentication strength.
Identification is, basically, the challenge in the enrollment process of an authenticator. There are various ways of doing it. People might be identified by their DNA or fingerprints – which works as long as you know that the DNA or fingerprint belongs to someone. But even then, you might not have the real name of that person. People might be identified by showing their ID cards or passports – which works well unless they use faked ID cards or passports. People might be identified by linking profiles of social networks together – which doesn’t help much, to be honest. They might use fake profiles or they might use fake names in real profiles. There is no easy solution for identification.
In the end, it is about trust: do we trust the identification performed when rolling out authenticators enough to trust those authenticators?
Authentication can be performed with a variety of mechanisms. Again, this is about trust: How much do we trust a certain authenticator? However, authentication does not identify you. It proves that you know the username and password; that you possess a token; or that someone has access to your fingerprints. Some approaches are more trustworthy; others are less trustworthy.
So why don’t DPLs such as Blockchain solve the challenge of identification and authentication? For identification, this is obvious. They might provide a better proof that an ID is linked to various social media profiles (such as with Onename), but they don’t solve the underlying identification challenge.
DPLs also don’t solve the authentication issue. If you have such an ID, it either must be unlocked in some way (e.g. by password, in the worst case) or bound to something (e.g. a device ID). That is the same challenge as we have today.
DPLs can help to improve trust, e.g. by showing that the same social media profiles are still linked. They can support non-repudiation, which is an essential element. The trust level will increase with a growing number of parties participating in a DPL. But they can’t solve the underlying challenges of identification and authentication. Simply said, technology will never know exactly who someone is.
Currently, there is a lot of talk about new analytical approaches in the field of cyber security. Anomaly detection and behavioral analytics are some of the overarching trends along with RTSI (Real Time Security Intelligence), which combines advanced analytical approaches with established concepts such as SIEM (Security Information and Event Management).
Behind all these changes and other new concepts, we find a number of buzzwords such as pattern-matching algorithms, predictive analytics, or machine learning. Aside from the fact that such terms frequently aren’t used correctly and precisely, some of the concepts have limitations by design, e.g. machine learning.
Machine learning implies that the “machine” (a piece of software) is able to “learn”. In fact this means that the machine is able to improve its results over time by analyzing the effect of previous actions and then adjusting the future actions.
One of the challenges with cyber security is the fact that there are continuously new attack vectors. Some of them are just variants of established patterns; some of them are entirely new. In an ideal world, a system is able to recognize unknown vectors. Machine learning per se doesn’t – the concept is learning from things that have gone wrong.
This is different from anomaly detection which identifies unknown or changing patterns. Here, the new is something which is identified as an anomaly.
Interestingly, some of the technologies where marketing talks about “machine learning” in fact do a lot more than ex post facto machine learning. Frequently, it is not a matter of technology but of the wrong use of buzzwords in marketing. Anyway, customers should be careful about buzzwords: ask the vendor what is really meant by them. And ask yourself whether the information provided by the vendor really is valid and solves your challenge.
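As an added example that is not part of the original post, the following Python script runs a known-pattern (signature) rule and a baseline anomaly detector over the same constructed authentication log: the signature catches only the failure burst it was written for, while the anomaly detector also raises a new behaviour that produces no failures at all. Log format, users, countries and thresholds are invented.

```python
"""Known-pattern matching versus baseline anomaly detection over the same
constructed authentication log.  Added example, not code from the original
post.  The signature rule knows one previously seen bad pattern (a burst of
failed logins); the anomaly detector learns a per-user baseline from a
training window and flags deviations, so it can raise a never-catalogued
behaviour.  Log format, users, countries and thresholds are all invented."""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<hour>\d+) (?P<user>[\w-]+) (?P<result>OK|FAIL) (?P<country>[A-Z]{2})$")

def _mk(hour, user, result, country, n=1):
    """Build n constructed log lines: '<hour> <user> <OK|FAIL> <country>'."""
    return [f"{hour} {user} {result} {country}"] * n

# Training window (hours 0-5): alice 1 login/h, bob 2/h, svc-backup 1/h, all from DE.
TRAINING = []
for h in range(6):
    TRAINING += _mk(h, "alice", "OK", "DE") + _mk(h, "bob", "OK", "DE", 2) + _mk(h, "svc-backup", "OK", "DE")

# Evaluation window: a known pattern (bob, 6 failures in hour 6) and a new one
# (svc-backup suddenly succeeds 8 times from a new country in hour 7, no failures at all).
EVAL = (_mk(6, "alice", "OK", "DE") + _mk(6, "bob", "OK", "DE", 2) + _mk(6, "bob", "FAIL", "DE", 6)
        + _mk(7, "alice", "OK", "DE") + _mk(7, "svc-backup", "OK", "US", 8))

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["hour"]), m["user"], m["result"], m["country"]))
    return events

def signature_alerts(events, fail_threshold=5):
    """Known-bad pattern only: many failed logins for one user within one hour."""
    fails = defaultdict(int)
    for hour, user, result, _ in events:
        if result == "FAIL":
            fails[(hour, user)] += 1
    return sorted(f"{user}@h{hour}: {n} failures" for (hour, user), n in fails.items() if n >= fail_threshold)

def build_baseline(events):
    """Per user: mean and stdev of successful logins per hour, plus countries seen."""
    hours = sorted({e[0] for e in events})
    per_hour = defaultdict(lambda: defaultdict(int))
    countries = defaultdict(set)
    for hour, user, result, country in events:
        if result == "OK":
            per_hour[user][hour] += 1
            countries[user].add(country)
    baseline = {}
    for user, counts in per_hour.items():
        series = [counts.get(h, 0) for h in hours]
        baseline[user] = (statistics.mean(series), statistics.pstdev(series), countries[user])
    return baseline

def anomaly_alerts(events, baseline, z_limit=3.0):
    """Flag hours where a user's success volume or origin deviates from their baseline."""
    per_hour = defaultdict(lambda: defaultdict(int))
    alerts = set()
    for hour, user, result, country in events:
        if result != "OK":
            continue
        per_hour[user][hour] += 1
        _, _, seen = baseline.get(user, (0.0, 0.0, set()))
        if country not in seen:
            alerts.add(f"{user}@h{hour}: new country {country}")
    for user, counts in per_hour.items():
        mean, sd, _ = baseline.get(user, (0.0, 0.0, set()))
        for hour, n in counts.items():
            z = (n - mean) / max(sd, 1.0)  # floor the stdev so a flat baseline is not hypersensitive
            if z > z_limit:
                alerts.add(f"{user}@h{hour}: {n} logins, z={z:.1f}")
    return sorted(alerts)

def run():
    baseline = build_baseline(parse(TRAINING))
    return {"signature": signature_alerts(parse(EVAL)),
            "anomaly": anomaly_alerts(parse(EVAL), baseline)}
```

Neither detector replaces the other: the signature rule sees the failure burst the anomaly detector ignores, and the anomaly detector sees the silent volume and origin change the signature has no rule for.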
One of the lessons I have learned over the years is that it is far simpler “selling” things by focusing on the positive aspects, instead of just explaining that risk can be reduced. This is particularly true for Information Security. It also applies to privacy as a concept. A few days ago I had a conversation about the chances organizations have in better selling their software or services through supporting advanced privacy features. The argument was that organizations can achieve better competitive positioning by supporting high privacy requirements.
Unfortunately, this is only partially true. It is true in areas with strong compliance regulations. It is true for that part of the customer base that is privacy-sensitive. However, it might even become a negative inhibitor in other countries with different regulations and expectations.
There are three different groups of arguments for implementing more security and privacy in applications and services:
- Security and regulatory requirements – even while they must be met, these arguments are about something that must be done, with no business benefit.
- Competitive differentiation – an opportunity; however, as described above, that argument commonly is only relevant for certain areas and some of the potential customers. For these, it is either a must-have (regulations) or a positive argument, a differentiator (security/privacy sensitive people).
- Security and privacy as a means for becoming more agile in responding to business requirements. Here we are talking about positive aspects. Software and services that can be as secure as they need to be (depending on regulations or customer demand) or as open as the market requires allow organizations to react flexibly to demand amid changing requirements.
The third approach is obviously the most promising one when trying to sell your project internally as well as your product to customers.
With a recent announcement, Microsoft reacts to both the privacy and security concerns of customers and the continuing uncertainty regarding a still pending lawsuit in the U.S. The latter is about an order Microsoft had received to turn over a customer’s emails stored in Ireland to the U.S. government.
The new data centers will operate from two locations within Germany, Frankfurt/Main and Magdeburg. They will run under the control of T-Systems, a subsidiary of Deutsche Telekom. Thus, an independent German company is acting as the data trustee, as Microsoft has named that role. Microsoft itself will not be able to access the data without the permission of customers or the data trustee, and if permission is granted will do so only under its supervision.
Concretely, customers can access the Microsoft cloud services from a non-Microsoft datacenter which operates locally. They have access to the full functionality of the Microsoft cloud services, but do not work with Microsoft as a U.S.-based company.
Microsoft’s announcement is not the first of that sort. T-Systems, e.g., already operates Cisco cloud services, while the Microsoft cloud services are expected to be available in the second half of 2016. VMware also works with independent service providers for delivering its cloud services.
Basically, we observe a growing trend of U.S. cloud service providers providing delivery options together with partners from other countries, to serve customer requests for privacy, security, and independence from U.S. court decisions. On one hand, U.S. cloud providers going that path can address their customers’ needs better now. On the other hand, this provides a tremendous potential for locally operating enterprise-class cloud providers, which can act as the local partners by delivering services locally. They might even combine such services with value-add services and integrations, e.g. complete offerings for medium-sized businesses covering all major enterprise functionalities from email to ERP, CRM, and other areas.
There is no doubt that such offerings will come at a price – but I’m sure that many customers will be willing to pay that price, not only in Germany and other European countries but also in many other regions worldwide that prefer relying on locally delivered, well-segregated services.
IoT (Internet of Things) and Smart Manufacturing are part of the ongoing digital transformation of businesses. IoT is about connected things, from sensors to consumer goods such as wearables. Smart Manufacturing, also sometimes titled Industry 4.0, is about bridging the gap between the business processes and the production processes, i.e. manufacturing goods.
In both areas, security is a key concern. When connecting things, both things and the central systems receiving data back from things must be sufficiently secure. When connecting business IT and operational IT (OT for Operational Technology), frequently systems that formerly have been behind an “air gap” now become directly connected. The simple rule behind all this is: “Once a system is connected, it can be attacked” – via that connection. Connecting things and moving forward to Smart Manufacturing thus inevitably is about increasing the attack surface.
Traditionally, if there is a separate security (and not only a “safety”) organization in OT, this is segregated from the (business) IT department and the Information Security and IT Security organization. For the things, there commonly is no defined security department. The logical solution when connecting everything apparently is a central security department that oversees all security – in business IT, in OT, in things. However, this is only partially correct.
Things must be constructed following the principles of security by design and privacy by design from the very beginning. Security must not be an afterthought. Notably, this also increases agility. Thus, the people responsible for implementing security must reside in the departments creating the “things”. Security must become an integral part of the organization.
For OT, there is a common gap between the safety view in OT and the security perspective of IT. However, safety and security are not a dichotomy – we need to find ways of supporting both, in particular by modernizing the architecture of OT, well beyond security. Again, security has to be considered here at every stage. Thus, its execution should also be an integral part of, e.g., planning plants and production lines.
Notably, the same applies for IT. Security must not be an afterthought. It must move into the DNA of the entire organization. Software development, procurement, system management etc. all have to think about security as part of their daily work.
Simply said: Major parts of security must move into the line of business departments. There are some cross-functional areas e.g. around the underlying infrastructure that still need to be executed centrally (plus potentially service centers e.g. for software development etc.) – but particularly when it is about things, security must become an integral part of R&D.
On the other hand, the new organization also needs a strong central element. While the “executive” element will become increasingly decentralized, the “legislative” and “judicative” elements must be central – across all functions, i.e. business IT, OT, and IoT. In other words: governance, setting the guidelines and governing their correct execution, is a central task that must span and cover all areas of the connected enterprise.
Microsoft and Secure Islands today announced that Microsoft is to acquire Secure Islands. Secure Islands is a provider of automated classification for documents and further technologies for protecting information. The company already has tight integration into Microsoft’s Azure Rights Management Services (RMS), a leading-edge solution for Secure Information Sharing.
After completing the acquisition, Microsoft plans full integration of Secure Islands’ technology into Azure RMS, which will further enhance the capabilities of the Microsoft product, in particular by enabling interception of data transfer from various sources on-premises and in the cloud, and by automated and, if required, manual classification.
Today’s announcement confirms Microsoft's focus and investment into the Secure Information Sharing market, with protecting information at the information source (e.g. document) itself being one of the essential elements of any Information Security strategy. Protecting what really needs to be protected – the information – obviously (and if done right) is the best strategy for Information Security, in contrast to indirect approaches such as server security or network security.
By integrating Secure Islands' capabilities directly into Microsoft Azure RMS, Microsoft now can deliver an even more comprehensive solution to its customers. Furthermore, Microsoft continues working with its Azure RMS partner ecosystem in providing additional capabilities to its customers.
There is no doubt that organizations need both a plan for what happens in case of security incidents and a way to identify such incidents. For organizations that either have high security requirements or are sufficiently large, the standard way for identifying such incidents is setting up a Security Operations Center (SOC).
However, setting up a SOC is not that easy. There are a number of challenges. The three major ones (aside from funding) are:
- People
- Integration & Processes
- Technology
The list is, from our analysis, ordered according to the complexity of the challenges. Clearly the biggest challenge as of today is finding the right people. Security experts are rare, and they are expensive. Furthermore, for running a SOC you not only need subject matter experts for network security, SAP security, and other areas of security. In these days of a growing number of advanced attacks, you will need people who understand the correlation of events at various levels and in various systems. These are even more difficult to find.
The second challenge is integration. A SOC does not operate independently from the rest of your organization. There is a need for technical integration into Incident Management, IT GRC, and other systems such as Operations Management for automated reactions to known incidents. Incidents must be handled efficiently and in a defined way. Beyond the technical integration, there is a need for well thought-out processes for incident and crisis management or, as it is commonly named, Breach & Incident Response.
The third area is technology. Such technology must be adequate for today’s challenges. Traditional SIEM (Security Information and Event Management) isn’t sufficient anymore. SIEM solutions might complement other solutions, but there needs to be a strong focus on analytics and anomaly detection. From our perspective, the overarching trend goes towards what we call RTSI – Real Time Security Intelligence. RTSI is more than just a tool; it is a combination of advanced analytical capabilities and managed services.
We see a growing demand for these solutions – I’d rather say that customers are eagerly awaiting the vendors delivering mature RTSI solutions, including comprehensive managed services. There is more demand than delivery today. Time for the vendors to act. And time for customers to move to the next level of SOCs, well beyond SIEM.
Do you use mTANs (mobile transaction authentication numbers) for online banking? Have you checked your bank account balance lately? Well, what happened to Deutsche Telekom customers recently has happened to others before and is likely to happen again elsewhere if online banking customers and providers don't follow even the most basic rules of IT security.
IT protection measures are smart; unfortunately, the attackers are often smarter these days: several customers of Deutsche Telekom's mobile offering have become victims of a cunning fraud series while banking online. The German (online) newspaper "Süddeutsche Zeitung" reported about this in detail. What led to success for the criminals was their clever acting. The whole scam reminded me somehow of the old television series Mission Impossible, only that this time the protagonists were criminals: first, the robbers hacked the bank clients' computers and installed malware – supposedly via e-mail – that sent them the numbers of the online banking accounts and passwords through the net without any knowledge of the PC owners. But that wasn’t all: the hackers also went through their victims' e-mails looking for their online phone bills. Thus they were, according to an article in "Die Welt", also provided with customer IDs. Simultaneously, the thieves found – or spied – out the mobile phone numbers of their victims, clients of various banks who all happened to have mobile phone contracts with Deutsche Telekom at the same time.
With this information in hand the felons contacted Deutsche Telekom and pretended to be authorized dealers ("Telekom Shop") who needed to activate a substitute SIM card with the mobile number of "their" customer since the original one had been lost or stolen. They had more or less no problems with getting the new cards. Now they were able to receive every text message meant for the original customer. Bingo! The fraudsters could now enter their target's full bank account with all rights and privileges. Transfer in operation.
This sly method could lead to an amazed laugh if it weren't so seriously bad. In dozens of cases the crooks withdrew five-digit amounts, in one known case 30,000 Euro; the whole “take” is estimated to be more than a million Euro. There might still be other victims, but this hasn't been detected so far. Deutsche Telekom at least seems to be convinced that the method of the burglars won't work anymore in the future and that they have found safer ways to identify their retailers. But are they prepared for all the other hard-to-imagine-now methods of the future? I doubt it. After earlier mTAN hacks, providers had already made it generally more difficult to get a second SIM card. Customers have either to show their passports or give a password over the phone. But if it's not Deutsche Telekom, there are other telco providers who might be tricked in the future.
Fitting security concept necessary
Where security-relevant elements like SIM cards play a vital part, a fitting security concept is absolutely necessary. The whole process and supply chain from ordering to delivery has to be adapted accordingly. However, there are so far no easy solutions available for both secure and convenient online banking with mTANs. Risk-based authentication/authorization might help banks a bit to recognize unusual user behaviour and thus request further credentials, but this is also quite limited: where there are plenty of smaller transactions, unusual behaviour easily remains unrecognized.
The challenges start with digital certificates and the question of getting them securely from the Certificate Authority to the rightful addressee. Personal handover of, e.g., a smart card would be perfect. The same holds – on another level – for the Post Identity procedure, where one has to appear in person at the post office with an ID card before being able to use online banking. However, such processes require a bigger effort on the user side and they also take longer. This collides with the business models of the providers and the wishes and demands of their customers, like e.g. quickly and conveniently getting a substitute SIM. In the end, it all depends on balancing security needs with the demands of both customers and providers. Multi-layer security – identifying the SIM card plus the device on which the transaction is going to take place – makes mobile banking initially more inconvenient, but there is still the possibility of installing further controls to reduce the risks.
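As an added example, not code from the original post or from any bank, the following Python model shows both points made above: a per-transaction risk score lets a series of small transfers pass, while binding the mTAN channel to the SIM verified at enrolment (an assumption about what the bank records) and adding a cumulative daily limit closes that gap. Profiles, transactions and thresholds are constructed.

```python
"""Risk-based transaction authorization with device and SIM binding.

Added example, not code from the original post or from any bank.  It models the
two points made in the text: a per-transaction risk score lets many small
transfers slip under its threshold, while binding the mTAN channel to the SIM
the bank last verified, plus a cumulative daily limit, closes that gap.  The
assumption that the bank records a SIM identifier at enrolment, and all
profiles, transactions and thresholds, are constructed for this illustration."""
from dataclasses import dataclass

@dataclass
class Profile:
    known_devices: set
    known_sim: str            # SIM identifier verified at enrolment (assumed, constructed)
    usual_max_amount: float
    known_payees: set
    daily_total: float = 0.0  # approved outflow so far today

@dataclass
class Txn:
    amount: float
    payee: str
    device: str
    sim: str

def risk_score(p, t):
    """Naive per-transaction score: new payee, unusual amount, unknown device."""
    score = 0
    if t.payee not in p.known_payees:
        score += 2
    if t.amount > p.usual_max_amount:
        score += 3
    if t.device not in p.known_devices:
        score += 3
    return score

def decide(p, t, sim_check=True, daily_limit=None, step_up_at=5):
    """Return ("approve"|"step_up"|"block", reason); approvals add to the daily total."""
    if sim_check and t.sim != p.known_sim:
        # An SMS mTAN would now reach a SIM the bank never verified: do not rely on it.
        return ("block", "SIM changed since last verification; re-identify the customer")
    if daily_limit is not None and p.daily_total + t.amount > daily_limit:
        return ("step_up", "cumulative daily outflow exceeds limit")
    score = risk_score(p, t)
    if score >= step_up_at:
        return ("step_up", f"risk score {score}")
    p.daily_total += t.amount
    return ("approve", f"risk score {score}")

def make_profile():
    return Profile(known_devices={"pc-home", "phone-A"}, known_sim="sim-1",
                   usual_max_amount=500.0, known_payees={"landlord", "grocer"})

# Constructed: six transfers of 400 each to an unknown payee, sent from the customer's
# own (malware-infected) PC while the SIM on file no longer matches the one receiving SMS.
SMALL_SERIES = [Txn(400.0, "unknown-payee", "pc-home", "sim-2") for _ in range(6)]
NORMAL = Txn(120.0, "landlord", "phone-A", "sim-1")

def run_series(txns, **opts):
    p = make_profile()
    return [decide(p, t, **opts)[0] for t in txns]

def run_scenarios():
    return {
        "normal": run_series([NORMAL]),
        "score_only": run_series(SMALL_SERIES, sim_check=False),
        "with_daily_limit": run_series(SMALL_SERIES, sim_check=False, daily_limit=2000.0),
        "layered": run_series(SMALL_SERIES, daily_limit=2000.0),
    }
```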
Since it has become a lucrative global industry for criminals, they exert a lot of effort in breaking into the – up to the present day – seemingly most secure infrastructures. Potential victims – vendors of "things and services" as well as end-consumers – should do the same in trying to prevent this. At least everyone should ensure state-of-the-art malware protection as well as regular (automatic) software updates and patches. Keep yourself informed: several non-profit websites provide useful information about cyber threats like phishing, e.g. this one. It cannot be said often enough that there is no one hundred percent security – but for your own sake you had better try to come close. It's worth it.