David Lacey

1
The Truth about Wireless Security

• David Lacey
• Director, Information Security Royal Mail Group

2
Royal Mail Group
Trusted with the important business of everyday
life since 1636
3
Wireless security today

• Earlier implementations not secure, requiring
  raft of additional security measures
• Tight policy and configuration standards
• Risk assessment for every implementation
• Add-on encryption for sensitive data
• Secure administration and key management
• Multiple access points for resilience
• Regular security audits of wireless networks
• Current technology much better but requires
  technology refresh of desktop (e.g. upgrade to
  XP)
• Future security models will be based on securing
  applications and data rather than infrastructure

4
Security issues with IP convergence

• Will VoIP protocols drive a coach and horses
  through our firewall security policies?
• Are voice technologies built with vulnerability
  management in mind?
• Will IP convergence substantially increase the
  number of attack points in our networks?
• How will we communicate if the converged network
  goes down?
• How do we develop new security architectures to
  manage the above risks?

5
Be prepared for a different future

• We know only one thing about the future or,
  rather, the futures
• It will not look like the present
• Jorge Luis BorgesAuthor

6
Some aspects of the future are predictable

• The potential impact of the information age has
  been extensively studied (by Toffler et al)
• We have lessons from other infrastructure changes
  (electricity, roads, railways, etc)
• Tools such as Technology Road Mapping and
  Scenario Planning can be used to explore the
  collective impact of key drivers, trends and
  events
• Products emerging in the next 5-10 years are
  likely to be in todays research labs

7
Some trends are long lasting
from viruses, hackers, fraud, espionage
greater dependence on IT, increasing connectivity
from customers, partners, auditors, regulators
8
And may even dominate this Century

• The 21st Century will be dominated by
  information wars and increased economic and
  financial espionage
• Alvin TofflerFuturist

9
But trends take longer to emerge than you think

• People often overestimate what will happen in
  the next two years and underestimate what will
  happen in ten. Im guilty of this myself.
• Bill GatesThe Road Ahead, 1995

10
Networks change everything

• The business environment of the future is
  likely to be very different from todays, where
  boundaries between personal and business
  computing will blur and everyone and everything
  will be linked to the Internet. In order to
  survive, firms must embrace the new risks this
  environment creates
• David LaceyRisk Management Bulletin, June 2001

11
The political landscape is changing

• Disruption of both international security and
  trust in the marketplace highlight the
  importance of the role of the stateShell
  Global Scenarios 2025
• At no time since the formation of the Western
  Alliance system in 1949 have the shape and nature
  of international alignments been in such a state
  of fluxUS National Intelligence Council
  Mapping the Global Future

12
Organisations are changing
Strong
Organism
External relationships
Trend
Weak
Internal relationships
Soft
Hard
13
Security emphasis is changing
14
Todays solutions are not sustainable
15
As we experience the 1st security paradigm shift
of the 21st Century
De-Perimeterisation
16
What does it mean?

• Recognition of the disappearing perimeter
• De-coupling security from the infrastructure
  level and moving it to the application and data
  levels
• Understanding that securing your own backyard is
  no longer sufficient to protect your data
• Working with business partners to develop
  practical collaborative solutions

De-Perimeterisation
17
We can design our own future

• The best way to predict the future is to invent
  it
• Alan Kay

18
Using the power of our imagination

• Imagination is more important than knowledge.
• Einstein

19
De-Perimeterisation

• The act of applying organisational and
  technical design changes to enable collaboration
  and commerce beyond the constraints of existing
  perimeters, through cross-organisational
  processes, services, security standards and
  assurance.
• The Jericho Forum

20
The Jericho Forum
21
Jericho Forum - Vision

• Enable business confidence beyond the constraint
  of the corporate perimeter, through
• Cross-organisational security process
• Shared security services
• Products that conform to Open security standards
• Assurance processes that when used in one
  organisation can be trusted by others

22
Jericho Forum - Mission

• Act as a catalyst to accelerate the achievement
  of the vision by
• Defining the problem space
• Communicating the collective Vision
• Challenging constraints and creating an
  environment for innovation
• Demonstrating the market
• Influencing future products and standards

23
Jericho Forum Business Scenarios
1. Provide low-cost secure connectivity -
Access over wireless and public networks -
Domain inter-working via open networks
2. Support roaming personnel - Phoning home
from a hostile environment - Enable
portability of identities and data
3. Allow external access - Application
access by suppliers, distribution agents or
business partners - Outsourced help desk
access to internal systems
4. Improve flexibility - Connect
Organisations for EDI Using Secure XML Messaging
and Web Services - Consolidate identity
access management systems for collaboration
commerce - Automate policy for controlled
information sharing with other organisations
- Harmonize identities and trust relationships
with individuals
24
Jericho Forum Working Groups

• Meta Architecture and Vision
• Requirements/ Ontology
• Technology and Solutions (sees wireless as quick
  win)
• Trust Models
• Management and Monitoring
• Public relations (PR) Media and Lobbying
• Vendor Management

25
Technology will transform our world

• Exploding connectivity and complexity (embedded
  Internet, IP convergence)
• Machine-understandable information
• De-fragmentation of computers into networks of
  smaller devices
• From deterministic to probabilistic systems
• Wireless, wearable computing
• Ubiquitous digital rights management
• Biometrics and novel user interfaces

26
There are consequences for security

• Slow death of network perimeters
• Continuing blurring of business and personal
  lifestyles
• Security migrates to the data level
• New languages and tools needed to express,
  translate and negotiate security policies
• Intelligent monitoring systems needed to maintain
  control of complex, networked systems
• Uncertain security - no guarantees
• Manage incidents as opportunities

27
As we look ahead to the 2nd security paradigm
shift of the 21st Century
Spy vs Spy
28
A world of increasing openness complexity

• Exploding surveillance opportunities
• Limited opportunities for privacy-enhancing
  technologies
• Proliferating data wakes and pervasive
  circumstantial data about personal behaviour
• Intelligent monitoring software can highlight
  unusual behaviour
• Data fusion, mining and visualisation software
  can extract intelligence out of noise
• Exploitable for business, security, fraud or
  espionage

29
Visibility understanding will be key

• Understanding and interpreting data in context
  (Semantic Web)
• Data fusion, mining and neural networks to crunch
  through complexity
• Data visualisation technology to enhance human
  understanding
• Computational immunology to differentiate good
  transactions from bad ones

30
Thank you for listening

• David Lacey
• Director, Information Security
• Royal Mail Group