Secure Identity Best Practice

Combined Session
Wednesday, May 15, 2019 14:30—15:30
Location: CHIEMSEE

Rethinking Trust in Cloud Platforms: Secure and Trusted Out-Of-Band Data Acquisition

The complexity and sophistication of modern malware are evolving rapidly. Malware today is able to exploit both hardware and software to infiltrate systems and tamper with the data used for management. The revelation of several attacks on host machines highlights that anything with shared resources can be attacked.
In a cloud environment, data management is done by a centralised server that maintains the state of each platform. However, this is not an easy task when a machine is compromised. When the data acquisition software runs in the same domain as the malware, there is no guarantee that this data will not be tampered with. In particular, malware behaves differently when it detects an observer effect. This raises a visibility problem: how can reliable data be securely acquired, and the state of the system inferred, without leaving an observer effect? There is a need to rethink how to decentralise trust in complex platforms such as the cloud and to use trusted methods to prevent tampering with the data acquired for management. We solve the trust and visibility problem by acquiring physical memory out-of-band using a device from a new category of commercial hardware (SmartNICs). Using this separate trust domain, we protect the acquired data from tampering.
To that end we have developed abstraction software that facilitates the acquisition of segments of physical memory. More importantly, it does so without the host software (e.g. malware) knowing when segments of physical memory are being acquired. An added benefit of our approach is that SmartNICs sit at the edge of the network, which makes this technology capable not only of detection but also of prevention, for instance blocking the network when signs of compromise are detected.

Presentation deck: available for download to event participants and subscribers.
Dr. Ahmad Atamli
Mellanox Technologies
Ahmad Atamli is the Chief Researcher and Architect of Security at Mellanox Technologies where he leads the security research and development of SmartNICs as a separate Trusted Domain for security...

Navigating NIST Sp-800-63-3 Thanks to Practical xAL Cheat Sheets

Trust. Trust is the most fundamental notion in every one of our business interactions, whatever our needs are: low or high assurance.

Do you know that, by June 2019, NIST SP 800-63-3 will celebrate its second birthday? It is a framework that improved many points over the previous LoA scale and gained a lot of maturity thanks to implementers, researchers, and comparisons with other trust frameworks.
Still, you may find it hard to find your way, whether you are trying to be an IAL2-compliant CSP, to assure a third party that your users are IAL3-proofed, or to authenticate them through an AAL2 authenticator, etc.

Surely you know that you enrolled this user on the strength of a photocopied electricity bill and authenticated him/her with an out-of-band single-factor device generating OATH-compliant OTP tokens. Those are real-life examples, but you will have to work out which xAL box each one fits into.
This specific situation was raised within IDPro, and we formalized some cheat sheets to help you navigate the inherent difficulties, such as:
• Main differences between levels of assurance;
• Differences and ways to categorize WEAK, LOW, STRONG, and SUPERIOR real-life identity evidence;
• Differences and ways to categorize real-life authenticators;
• Ways to map NIST xALs to the categories of other trust frameworks.

By attending this session you will get a clearer, simpler, and more actionable picture of NIST SP 800-63-3 that will ease your Vector of Trust journey.

Presentation deck: available for download to event participants and subscribers.
Jean-François Lombardo
EXFO
With 13 years [Wavestone (2005), Facilité Inc. (2013), then CGI (2018)] of field experience in Identity, Access, Authentication, and mostly Information Protection space; Jean-François...

Fight Cyber Risks with Risk Aware DevOps Engineers!

To keep a customer’s trust, risk and security are key for financial enterprises like ING. At the same time we want to work Agile in a BizDevOps format, because we know it gives us the increased velocity and quality of software we need. This way of working also leads to happier and therefore more productive employees. A separate security team that has to check all software before it goes into production would be a huge bottleneck, especially if you have some 150 teams building software. The only way we can maintain velocity without sacrificing our security demands is to have all DevOps teams take responsibility, not just for the software they build and maintain, but also for the security aspects of those applications.

This can be easier said than done, especially in an Agile way of working. In this kind of environment the requirements of Risk management can easily be perceived as old fashioned and unnecessarily restrictive – a thing of the past from when we still worked Waterfall. In addition, top-down orders don’t work anymore. All work should be planned via the Backlog, and the team and Product Owner have the last word in deciding what is done in which sprint. You can explain to the teams how important Risk and Security are, but if you can’t make it tangible, will they remember it amid the daily hectic?

To address these challenges we started our Risk Awareness Days program in 2017. During the year, 5 days are set aside for all teams to work on the same Risk items. The topic for the day varies, depending on which risks are highest on the agenda at that time. Regardless of the topic, a central theme is that if an engineer can engineer their way through a problem, he/she will understand and remember it better. Working on Risk and Security shouldn’t be a nuisance but rather a joy. After the first few days we arrived at a standard program that has the biggest positive effect, both on security awareness in the engineers’ mindset and on the number of concrete risks that were eliminated.

In this talk we discuss how we organise our Risk Awareness Days. We will take you through the standard program and why we chose this combination of increasing knowledge and practical engineering work. We discuss some of the topics we addressed, and some of the results that we can share.

Key takeaways:
• How to make IT Risk fun?
• How to challenge your engineers to stay ahead of cyber criminals?
• Can you be both Agile and in control of Risk and Security?
• How do you make Risk Management meaningful?
• Engineers should engineer – especially when dealing with Risk and Security

Presentation deck: available for download to event participants and subscribers.
Jan-Joost Bouwman
ING
Jan-Joost stumbled into IT almost 20 years ago, starting on a temp job for 5 days that lasted 7 years. During these 20 years he has been mostly on the functional and process side of things, having...
Leon Janson
ING
Léon Janson has been working within Risk management and IT at ING since the late nineties. He started at Credit Risk management where he developed and implemented a world-wide Credit Risk...