Secure Business Collaboration Do It Now! Collaboration Oriented Architecture as it pertains to FIPNet Adrian Seccombe CISO, Eli Lilly

Upload: julie-ashlyn-marsh

Post on 19-Jan-2016


Page 1:

Secure Business Collaboration Do It Now!

Collaboration Oriented Architecture as it pertains to FIPNet

Adrian Seccombe, CISO, Eli Lilly

Page 2:

Why Worry: Security Environment 2005 > 2008

[Figure: four charts]

• Changing Threats (axes: Targeted / Untargeted, Overt / Covert): 2005 Worms < Created Noise; Phishing, Targeted Attacks < Creates Loss
• Changing Perpetrators (axes: High Impact / Low Impact, Unlikely / Likely): Teenage Hackers, Criminals, Foreign States, Individuals, Activists
• Target Industries (axes: High Profit / Low Profit, Low IT Use / High IT Use): Banks, Pharma, Farming, Retail
• Changing Means (axes: High Impact / Low Impact, Unlikely / Likely): Denial, Extrusion: Mobile Devices, Intrusion, Extrusion: Physical, Extrusion: Logical

Defence

Author: Adrian Seccombe

Potentially Vulnerable Devices at a Prior Conference

Phones: SCH-A950, BlackBerry 8800, BlackBerry 8310, Motorola Q, James Phone, K800i, P910i, T630, BlackBerry 7290, SGH-A707, Nokia 6230, BlackBerry 7250, SAMSUNG SGH-D600

Computers: Elvis, T61WIDE, Z9302319, Please Change my ID, NOTEBOOK20, W2MZXLH203, LAPTOP, N155021, ACNCND732025K, IBM-5B6F900A4BA, JimPhelps GoLeft, YAXXX

My last conference check: 5 Phones, 2 Computers (Breakfast at SC World)

In the conference today: I will gather these stats and update this slide on the day

Looks like we are learning !!! ;-) You’re the best to date!

Only 6% of delegates… …are promiscuous on Bluetooth

Latest UK Cash Card cloned before it hit the streets!

iPod Touch “Jail Broken” within a month of launch

Page 3:

Remember De-Perimeterisation! A pointer from HISTORY!

Page 4:

Backgrounder

• The journey so far…
• Defined the issue, and created noise around …
  – We don’t apologise for the controversy!
• Created the Commandments, there are 11!
• Created a generic Roadmap
• Trademarked: Jericho Forum
• Created Inherently Secure Communications Paper
• Published the COA Position Paper: Collaboration Oriented Architectures

Page 5:

We need to shift our mindset!

A fundamental shift in thinking is required, moving from the thinking of a Hedgehog, an animal that rolls into a tight ball at any sign of threat, to that of a…

Strawberry Plant, which puts all its key genetic material securely on its outside, as well as sending out suckers to extend the plant’s domain.

Page 6:

The Lilly Frame…

• We are changing from a FIPCo to a FIPNet.
  – Fully Integrated Pharmaceutical Company
  – Fully Integrated Pharmaceutical Network

• Collaboration will be a core capability.

The moral: “Virtual Size” does matter!

Goals: Lower Cost, More Flexibility, Managed Risk!

Page 7:

Properties of “2.0” Enterprises

• Low-Barrier, Self Service
• Networked, Cost Effective
• Open, Decentralised
• Customer Centric

[Figure labels]

• Workforce | Enterprise 2.0 | Intranet
• Customers | Web 2.0 | Web
• 2-way flow of content
• Cloud Computing
• Internal Network Effects
• External Network Effects

Page 8:

Enterprise 2.0 Capabilities

According to Professor Andrew McAfee:

• SEARCH
• LINKS
• AUTHORSHIP
• TAGS
• EXTENSIONS
• SIGNALLING

The trick is designing each of these capabilities as Securely Collaboration Oriented

Page 9: Secure Business Collaboration Do It Now! Collaboration Oriented Architecture as it pertains to FIPNet Adrian Seccombe CISO, Eli Lilly

SEARCH

LINKS

AUTHORSHIP

TAGS

EXTENSIONS

SIGNALLING

Discoverability of information drives reuse, leverage

and ROI

Enterprise 2.0Capabilities

Page 10:

Enterprise 2.0 Capabilities: SEARCH, LINKS, AUTHORSHIP, TAGS, EXTENSIONS, SIGNALLING

LINKS: Using URIs to forge thousands of deep interconnections between enterprise and external content

Page 11:

Enterprise 2.0 Capabilities: SEARCH, LINKS, AUTHORSHIP, TAGS, EXTENSIONS, SIGNALLING

AUTHORSHIP: Ensuring that every worker has easy access to, and knowledge of, content tools

Page 12:

Enterprise 2.0 Capabilities: SEARCH, LINKS, AUTHORSHIP, TAGS, EXTENSIONS, SIGNALLING

TAGS: Allowing natural, organic, on-the-fly organisation of data from every point of view

Page 13:

Enterprise 2.0 Capabilities: SEARCH, LINKS, AUTHORSHIP, TAGS, EXTENSIONS, SIGNALLING

EXTENSIONS: Extend knowledge by mining patterns and user activity

Page 14:

Enterprise 2.0 Capabilities: SEARCH, LINKS, AUTHORSHIP, TAGS, EXTENSIONS, SIGNALLING

SIGNALLING: Make information consumption easy by pushing changes

Page 15:

Collaboration Oriented Architectures Why?

• We had defined the Problem…

• We had developed a set of “Principles” in the Commandments…

• We had created a roadmap in 2007 (Though not rich with content)

• We realised we needed to provide more details around the Solution….

Page 16:

COA: The Papers Framework

• Introduction

• Problem

• Why Should I Care?

• Components of COA

• Recommended Solution/Response

• Conclusion

• The Way Forward

Page 17:

Why Should I care?

• De-Perimeterisation is happening NOW!

• COA is the framework that will allow appropriately architected business-driven solutions to be developed and delivered.

• Adopting COA allows the added value of externalisation while mitigating the additional risks to your organizations.

Page 18:

Components of COA: An Architects’ View

Principles
- Known parties
- Assurance
- Trust
- Risk
- Compliance
- Legal, Regulatory, Contractual
- Privacy

Processes
- People
- Risk
- Information
- Devices
- Enterprise

Services
- Federated Identity
- Policy Management
- Data/Information Management
- Classification
- Audit

Technologies
- End Point Security/Assurance
- Secure Communications
- Secure Protocols
- Secure Data/Information
- Content Monitoring
- Content Protection

Solution Attributes
- Usability/Manageability
- Availability
- Efficiency/Performance
- Effectiveness
- Agility

Secure! Reliable! Trustworthy!

Page 19:

More on the PRIDE Control Processes

P: People
R: Risk Management
I: Information Asset (Data and Records)
D: Device
E: Enterprises

Page 20:

More on the PRIDE Control Processes

P R I D E

People processes that enable the life cycle management of the new externalised workforce and empowered customers, including on-boarding, role management and off-boarding.

Page 21:

More on the PRIDE Control Processes

P R I D E

Risk Management Processes that can enable the management of Information Risk across multiple partners and collaborators.

Page 22:

More on the PRIDE Control Processes

P R I D E

Information Asset (Data and Records) life cycle management processes that ensure the Identity, Confidentiality, Integrity, Availability of Data, including Data and Record Retention in Collaborations.

Page 23:

More on the PRIDE Control Processes

P R I D E

Device life cycle management processes that ensure the appropriate trust state and identity of technical entities (Clients, Servers, and Services) accessing the information assets.

Page 24:

More on the PRIDE Control Processes

P R I D E

The life cycle that manages the on-boarding, role management and off-boarding of Enterprises (Suppliers, Partners and Collaborators).

Page 25:

Conclusion

• Implementing COA builds upon existing standards and practices to enable effective and secure collaboration.

• COA recognises that the SOA pattern enables collaboration and allows legacy applications to be re-architected.

• It will take a different “Web 2.0” and “Externalising” Mindset, and new services, both “in clouds” and around the data.

Page 26:

The way forward

• Read and “Internalize” the Jericho Forum Commandments so you can “Externalize”

• Read and Understand the Collaboration Oriented Architectures Papers

• Get ready for the Cloud and Web 2.0 waves; they will REALLY help you understand the De-Perimeterisation Problem… …hopefully not too late!!!

• Papers available at :

https://www.opengroup.org/jericho/publications.htm

Page 27:

Pointers from Nature

[Figure labels]

• Macro-Perimeterisation (Security Services in the cloud)
• Compartmentalisation
• Micro-Perimeterisation (Information Centric Security)
• Segmentation
• An Enterprise
• Genetic
• Verification

Page 28:

Questions…. Please!

Page 29:

Enterprise 2.0 some links

• http://blogs.zdnet.com/Hinchcliffe/

• http://dealarchitect.typepad.com/deal_architect/2006/08/the_bionic_ente.html

• Are you Jericho Forum Members yet?

Page 30:

…and the Jericho Forum 2009 Focus: Securely Collaborating in Clouds

[Figure: Cloud Types; axes: Insourced / Outsourced, Proprietary / Open, Internal / External]

Watch out for communications about the 2009 launch on the Jericho Forum Website

Page 31:

Cloud Layers

[Figure: stacked layers with side labels]

• Outcome / Value
• Process
• Software
• Platform
• Infrastructure

Labels: Abstraction occurs here!; 1st, 2nd, 3rd, Last!; Orchestration; Security and IdAM