gccs-unplugged secure and private communication and collaboration
TRANSCRIPT
Secure and private communication and collaboration
OpenNovations & Kolab Systems AG
About OpenNovations
● More than 13 years of experience in open source, open standards and security.
● Clients in (international) Government, SME, startups.
● Project lead for openSUSE Conference and Kolab Summit (1-4 May 2015)
About Kolab Systems AG
● Patron of the Kolab collaboration suite
● Based in Zurich
● Offers scalable and secure collaboration software.
● 100% open source and open standards
Topics
● Platforms
● Technical aspects
– Standards
● What is missing?
● How to organize?
Communication and collaboration software needs external exposure
● Cross network communication
● Authentication (identity management)
● Spam, security issues.
● Old developments
– PGP, S/MIME
● Adoption still not very widespread.
● New developments
– DKIM, DMARC, DANE
Current offerings focus on availability and price
● Competition on file storage size
● Cross device information access
● Hosted by cloud vendors
– Integration with existing infrastructure minimal
● SLAs only focused on uptime and availability
– No security, privacy, etc.
● Especially when personal accounts are used.
● Data ownership? Copyright?
What solutions that cover both do exist?
● What open source groupware and collaboration solutions work?
– Kolab?
– Zimbra?
● Not fully open source
● Why does open source matter?
– Transparency
– Vendor lock-in
– Exit strategy / sustainable data
Security === open source
● Only way to validate fit-for-purpose and implementation
● Maximum exchange of knowledge
– Learn from others' mistakes
● Would you trust a proprietary, fully closed-source medical operation?
– Or rather, would a doctor trust another doctor to operate on him/her without knowing exactly what that doctor was doing?
Functional areas
● Secure collaboration covers several functional areas
– Calendar
– Todo lists
– File storage
– VoIP, chat
● What's missing?
Document collaboration
● ODF is the standard
– LibreOffice
– WebODF
● Both cover different use cases.
– But are equally important
● Use cases for both?
Secure storage
● Server side encryption?
– Trust the admin?
● End to end encryption?
– Key management?
– Web access?
● Browser security model weak.
● Host your own?
– VPS? Do you also control the platform?
● Any ideas?
Secure exchange
● PGP? S/MIME?
– Hard to implement?
● SSL / TLS / STARTTLS?
– Transport protection only; it helps, but SMTP STARTTLS is usually opportunistic, so the peer's identity is not validated
● Do you use it? Or something else?
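The STARTTLS bullet above leaves the identity problem open, and DANE, listed later among the new standards, is the mechanism that closes it: the receiving domain publishes a TLSA record under DNSSEC that binds the TLS certificate or public key of its mail host, so a sending server can check the presented certificate without any CA. The Go program below is an added example written for this page, not code from the talk, from OpenNovations or from Kolab. It generates a self-signed certificate for the hypothetical host mx.example.com, shows that ordinary PKIX validation rejects it, derives the association data a zone operator would publish at _25._tcp.mx.example.com, and matches a presented certificate against that record. The DNSSEC-validated fetch of the record is assumed to have happened already and is not implemented.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RFC 6698 fields: usage (0-3), selector (0 = whole certificate,
// 1 = SubjectPublicKeyInfo), matching type (0 = exact, 1 = SHA-256) and data.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// newSelfSignedCert builds the kind of certificate a mail host without a CA
// presents. The host name is hypothetical and nothing here touches the network.
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PKIXVerifies reports whether cert chains to a trusted root for host. The pool
// is empty: the position an SMTP client is in when the peer is self-signed.
func PKIXVerifies(cert *x509.Certificate, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host})
	return err == nil
}

// Association derives the certificate association data for a selector and
// matching type: what the zone publishes, and what the client recomputes from
// the certificate it was actually presented.
func Association(cert *x509.Certificate, selector, mt uint8) ([]byte, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch mt {
	case 0:
		return data, nil
	case 1:
		h := sha256.Sum256(data)
		return h[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", mt)
}

// MatchesDANEEE checks a presented certificate against one usage-3 (DANE-EE)
// record. Per RFC 7672 DANE-EE binds the key itself, so names, expiry and issuer
// are not consulted. Usages 0-2 need chain processing and are refused here.
func MatchesDANEEE(cert *x509.Certificate, rec TLSA) bool {
	if rec.Usage != 3 {
		return false
	}
	got, err := Association(cert, rec.Selector, rec.MatchingType)
	return err == nil && bytes.Equal(got, rec.Data)
}

func main() {
	cert, _ := newSelfSignedCert("mx.example.com")
	fmt.Println("PKIX verification succeeds:", PKIXVerifies(cert, "mx.example.com")) // false

	// "3 1 1" = DANE-EE, SPKI, SHA-256: the record the receiving domain publishes
	// for its MX host; the client fetches it with DNSSEC validation (not shown).
	data, _ := Association(cert, 1, 1)
	rec := TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: data}
	fmt.Printf("_25._tcp.mx.example.com. IN TLSA %d %d %d %x\n", rec.Usage, rec.Selector, rec.MatchingType, rec.Data)
	fmt.Println("presented certificate matches:", MatchesDANEEE(cert, rec)) // true

	// Same host name, different key: an impostor does not match the record.
	impostor, _ := newSelfSignedCert("mx.example.com")
	fmt.Println("impostor matches:", MatchesDANEEE(impostor, rec)) // false
}
```

The impostor check at the end is the point: a certificate carrying the same host name but a different key fails the match, which is exactly what opportunistic STARTTLS on its own cannot detect. Only DANE-EE (usage 3) is matched here, because usages 0 and 1 are not applicable to SMTP under RFC 7672 and usage 2 requires chain building up to the trust anchor named in the record.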
Secure documents
● Storage is one thing, access another.
– WebDAV as secure as HTTP(S)?
● Large file support not ideal
– CMIS?
● Syncing?
– Only for small sets of files
● Otherwise you create your own network DDoS
● Security of the reader/writer apps?
– Temporary storage?
● Use cases?
Chat and voice
● Unified communications
● Carriers also not focused on security
● Most chat apps use centralized servers
– Some even store chat sessions
● End to end encryption
– Mostly PR.
How to improve this?
● New standards?
● New technologies?
● Legislation?
– US / EU privacy legislation?
● Security versus privacy?
– This has been the point of view of the Dutch government
(New) standards
● DMARC, DKIM, SPF, DANE?
– All focused on the transport: SPF, DKIM and DMARC authenticate the sending domain and DANE pins the mail host's TLS certificate; none of them encrypts the message itself
● PGP, S/MIME
– Message confidentiality and integrity
● How come adoption is still very low?
New technologies?
● Quite a lot of crowdfunding campaigns for
– Secure email storage
– End to end encrypted file storage
● Is this really new?
● Are they proven technology?
– "Old" technologies are battle-tested.
● Perhaps the focus should be more on improving existing (and quite widespread) technologies.
Legislation
● New EU privacy directive
● ENISA guidelines
● In Dutch government
– ARBIT
– Parliamentary inquiry (Elias committee)
● Trends are strongly towards open source software
– Netherlands: Motion Vendrik (2002), yesterday motion Oosenbrug & Gesthuizen
– International adoption (UK, Sweden, etc.)
● International treaties?
– TTIP? DMCA?
Security versus privacy
● There appears to be some tension between security and privacy
– Not from an individual person's point of view
● The more private, the more secure
– From a government point of view
● Issues with wiretapping
● Lawful interception?
Which areas are still missing?
● Secure one-time data/document sharing
● Improved crypto for webmail
● PKI integration into all the different apps
● Two-factor authentication across applications
● Other ideas?
How to organize secure collaboration platforms for individuals?
Host it yourself
● Feels good
– Your data under your own control
● But is it really?
– How technically skilled are you really?
– How much time do you spend on maintenance?
– Is your server platform really secure?
Hire a hosting company?
● Outsourcing security and availability
– Professionals working on the platform
● But do you really trust them?
Community hosting!
● Organize in communities!
– Pay someone (or two) to actually do maintenance
– Get enterprise-grade support for your platform
– Host your own hardware (colocated?), know your platform
● But still, keep it between a (small) known group of people
– Stay in control of your data!
Contact!
Hans de Raad
www.opennovations.nl
Kolab Systems AG
www.kolabsys.com