Prof. Dr. Eberhard von Faber, Security Strategy and Executive Consulting, T-Systems
April 18, 2012 18:20
The next keynote presentation is from Prof. Dr. Eberhard von Faber, Security Strategy and Executive Consulting at T-Systems. Thank you very much. Thank you, 20 minutes, and I'll give you a call.
Yeah, I need three or four minutes. This one or the other one? Is this yours? That's his. Okay. Welcome, ladies and gentlemen. In the next couple of minutes I want to address some hot topics, some real challenging things. Only a couple of things. The talk is entitled "Top challenges and threats for security managers", and I selected the ones I find are hot. So this is number one. Can you see it? You can't, because that's the nature of this challenge. I call it dark matter, or dark data, or dark information.
The term is borrowed from cosmology, where in the universe we have galaxies and stars and planets, and all this matter is emitting light or reflecting light, or it is visible for some reason. This matter is not dark; it is real, we can see it. The same with information: most of the information we can see as documents, it is something we can look at. But also in the universe, we can't explain the rotation of the galaxies and some dynamics in the universe without accepting that there is some other kind of matter, which is called dark matter.
And the same happens to information, I guess: dark matter. We have some information we look at.
So here are some examples, and this is one constructed example of information which is available. For instance, this is some very non-critical information: that some hotel is nice, that two people know each other, that some technology is interesting, or that for somebody the week was great.
And this information can be obtained from the internet: maybe a review on the internet, or a LinkedIn announcement that two people are now sharing their contacts in some network, which you get as information via email if you are in the same group; some information about a technology which is provided in a blog; or some other information which is twittered. The problem is that if you bring this information together, by combining this non-critical information, you can learn very much about that.
This is a constructed one, but if you know where something happens, it is very straightforward to find out that there is a subsidiary or a factory of an enterprise next to that hotel, or that the hotel is recommended by that factory. So you know that this guy was in the factory and did some business there, presumably. And if you know that two people A and B know each other, because you have this LinkedIn message, then you know that it is the same time, and most probably A and B were in this hotel, meeting in the factory, doing some business with each other.
And if you read in the blog that this guy is interested in some specific technology, then you presumably know what they were talking about, and you may also get some information about the result of it. This is a constructed example, but it happens, because you can get much information from this context information which is publicly available. The problem with that is that this context information is widespread.
It's exploding. The amount of this context information is exploding, and half of the internet, I would say, is full of this context information. And if you take this context information and put it together with some information you get, then you can learn much about that. Okay? What are the real secrets enterprises need to protect? That's the question behind that. Lack of transparency, that's the second problem: are you cheated? So in today's world we have complex value chains. We have multiple suppliers.
If you have a cloud service and you have a cloud provider, you have networking providers; then there is some software running on it which was developed by some other supplier; there is hardware, there is other hardware, and there are people or service companies which manage these services. That's a complex world. We have a very high degree of division of labor internationally, and therefore there are multiple countries, different laws and different cultures, and it is hard to manage these complex value chains.
The problems behind that are questions like: are there backdoors in products, and in which ones? For enterprises it is a question: are these backdoors critical, and who is the origin of these backdoors? So who built these backdoors in? Because it's interesting: are these guys your friends or your enemies, or what country is behind that? Because you want to know, are you simply the target, or is it built for other people? Another question is: is the provider on your side?
So you outsource things to the cloud, and you can be cheated by the provider and by all the suppliers back in the chain. So the key question here again is: does your provider control all the suppliers in the chain? Is he able to do so? Is he willing to do so? Can he really do it? Yeah. And then I wrote here: the insider comes from outside. So these are all privileged people in these supply chains, because it's all part of suppliers. They can do things, and therefore they have the privileges to do that.
And it is not easy to understand if they do so. Information warfare and espionage: it's all in the newspapers that there is information warfare and espionage, and the question is, can you prevent your Waterloo? The problem is that you don't know what's boiling up behind, because you can't see it. You can't track it, or it's even hard to track it. You see it when it's too late. Often you see normal hacks. You may notice or know that there is social engineering, and that there are insider attacks or security violations by insiders, at least.
And you may see denial of service attacks, or something which is called advanced persistent threats. And it's too late, most probably. But how to prevent these things? First of all, you need to have management attention. It's not easy to explain what's behind that
and what the risks are. It is not easy to understand the correct countermeasures against these and select them, but more important: it is very hard to create a business case for the appropriate countermeasures, because for a business case you need to know the costs.
That's maybe the easiest part, but you need to know the probability and the business impact. For the business impact you need to know who is attacking you, because then you know the business impact, because you know what he is trying to do. And for the probability, you don't have any clear information whether or not you are a target; that's for standard industry. And the last question is, how do you know if it's enough? Because you don't have any experience.
Normally there are very seldom events, hopefully, of this kind of espionage, and it's very hard to rate when it's enough. That's the third one. And I guess I'm painting a little bit black and white here, but it's not, because there is something on this white sheet: there are devices. It needs devices, and we have old-fashioned ones, we have very advanced ones, and we have to manage these things, which may come up tomorrow or the day after tomorrow.
This trend around these devices is nowadays called bring your own device, because all these devices are not totally controlled by the enterprise, but the employees bring their own device. But it's not the full truth, because bring your own device should often be read as bring your own vulnerability, because if you cannot control it, then it is often vulnerable behind. Oops. The trend behind is consumerization, or I would say, take it or leave it.
That's a very heavy load on the way to securing an enterprise, because we have these mobile consumer devices, which need to be, or should be, or shall be, or want to be connected to the enterprise infrastructure. We have mobile, public, untrusted cloud services which need to be consumed, or which are used by employees to store data or do something on it. And that's also consumerization. We have the employees' attitude: don't use your brain, you may need it later, and meanwhile it's all on the internet.
The questions behind that are related to consumerization. The problem is that the enterprises lost power against the consumers, because there's a huge amount of consumers, and they decide what many vendors provide and develop as devices. The way out is not easy. You can try to integrate these things and add some security measures, but another way is to centralize the data. Don't store it on the mobile devices; store it elsewhere, in some cloud, for instance.
So strike back with the cloud, but use the right cloud, an enterprise cloud which is secure enough. That doesn't solve all problems, but it is some strategy to deal with the situation that employees like to use their mobile consumer devices. Skill and will. Yeah, it's not all about technology. It's also people. People are working for you, people are working in an enterprise or in a public authority, and many of us know that it is not easy to work with these and to make enterprises or authorities secure.
So the question is how to survive with human beings, because it's not all technology. On the one hand, we have the experts, the security experts. They are attentive, and they help you to identify the real issues, to find the problems and to find some solutions. They are smart and produce real results; you can rely on it. It's all best, but they are rare. You don't have much of these experts, and often they are very busy. So the time which you can use is limited.
And if these rare security experts are tackling some issues, they often get killed. And if they are not killed, then they are made responsible for solving the problem: oh yes, you identified the problem, you are most familiar with the problem, therefore it's best that you find a solution for that problem. We know that you have much to do, but this is another task you have to do. And often they are also abused for troubleshooting. So it's not easy. They are rare, and they are very, very busy. That's on the one hand.
On the other side, there are not only experts. You have all the others in an enterprise. They are the majority. Of course, they're not very skilled, they are not very trained, and they may accidentally make a mess. They may also steal data or attack systems, accidentally or deliberately. The problem here is that it's a majority, but it doesn't matter, because one person can destroy it all. If you have one person who steals the data, security is compromised. If you have one person who does it in a wrong way, you have a real security problem.
The problem is that you don't know who it is. You have a large amount of these people, but you don't know who's stealing your data, who's causing the problem. The way is that you have to train and educate them all. And secondly, you have to restrict their capabilities and their abilities; you have to restrict and confine all these things. And of course, you have to monitor what they are doing, to prevent the worst scenarios, let's say. And that's all you can do.
So not a good situation, but this is, I would say, a standard in most of the larger enterprises: you have two sorts of people, and the situation is not the best. Yeah. The last advice: it's us being the problem. A little bit provocative, but even in large enterprises we are consuming and reading all these ISO standards, 27k, and we have an information security management system, have the process with plan, do, check, act, and real architecture, and all the things in place which are required to manage the information security.
And behind that, of course, we also have a security organization, which is responsible for the ICT security in our enterprise. And usually this security organization and the guys working for it have four tasks to do. First, they set the requirements.
Second, they care for the implementation. Third, they drive the enforcement. And fourth, they monitor the result, because that's PDCA in different words. The problem with that, or the risk, is that if they do it, nobody else cares about that. And so your IT staff don't care about security, because it's up to the security organization to do all the things. So ICT people, let's say, ignore security; that's very last in the chain of their activities. The result is you have bad security, much work and pain.
Simply, what you need to do is: your security organization should only set the requirements and monitor results, but not be responsible for the implementation and for the enforcement. That should be done by others. This is line management; this is a task of line management.
If so, then the security part, or the implementation and the enforcement part, must be part of the standard IT processes. And these are described in IT; companies work on that, for instance. So the implementation of security issues and the control and enforcement is integrated into the standard IT processes. So that's the best world, and this gives you secure by design.
Let's say this is the best way to deal with security. If so, then you have a good result, because for a large enterprise this means that if you manage to integrate the security into the standard processes of your enterprise, you now have 50,000 security experts, and it runs perfectly. They have the necessary skill and will, because they're all trained, because it's all under standard processes. They responsibly use consumer devices. They are resistant to social engineering. They discover the problems like espionage, and other enterprises do the same.
So you don't have any problem in the supply chain, and dark matter is not critical. So you have a perfect world. Thank you.