Post on 20-Sep-2020


Page 1: ClearPath Forward and Security - Unisys · 2019. 10. 4. · biometric SME, security architect, security consultant, ... •This also goes for the latest MDS vulnerabilities (speculative

Today’s Security Challenges

ClearPath Forward and Security

Ronald Huijgens

Page 2:

© 2019 Unisys Corporation. All rights reserved.

Agenda

• Introduction

• Security models today

• Digital transformation changes everything

• Zero Trust Model

• Open Systems

• ClearPath intrinsic security

• Conclusion

Page 3:

Introduction

• Ronald Huijgens - Consulting Sr. Manager

[email protected]

• Phone: +31 610 001 543

• www.linkedin.com/in/ronald-huijgens-5212a3

Specialist in

⁃ Biometrics

⁃ Unisys Stealth(identity) and Stealth(core)

At Unisys today:

⁃ Security consultancy and advisory

⁃ Secure systems analysis and design

⁃ Implementations

Page 4:

Professional Journey

AT&T • 1987 – 1992
• Roles: hardware & software developer
• Clients: telecom operators
• Results: PDH cross-connect system, multiplexers, line system, SDH/SONET multiplexers, Generic Fault Management software (embedded SIEM)

CMG/LogicaCMG • 1992 – 2005
• Roles: SW engineer, lead architect, biometric SME, security architect, security consultant, IT project manager, logistics manager
• Clients: Public, Aviation, Finance, Mobile Telecom
• Results: NMT KMS, SMSC, Privium, Dutch biometric passport, Saudi National ID card, Y2K compliance

Unisys Corporation • 2005 – now
• Roles: biometric SME, security architect, lead architect, security consultant/trusted advisor, biometric consultant
• Clients: Public, Aviation, Finance, Healthcare
• Results: integrated physical & logical access control systems, biometric identity management systems, security architectures, large-scale biometric systems

Page 5:

Security Model - Physical Perimeter

Page 6:

Logical perimeter

Source: https://techcommunity.microsoft.com

Page 7:

Analyst Quote

"The idea of a secure network perimeter is dead. As organizations embrace digital transformation they become substantially more vulnerable to cyberattacks. Zero Trust affords digital businesses operational agility while containing risk."

Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018

Page 8:

Digital transformation forcing a new approach to security

Digital transformation is everywhere... Cyber attackers are exploiting new vulnerabilities... There is a path forward...

• 100% of businesses have a digital transformation strategy [1]
• 84% agree digital transformation requires adjustments to traditional perimeter-based security strategies [2]
• 80% agree digital transformation expands the attack surface [3]
• 81% of data breaches are caused by stolen credentials [4]
• $7 million is the average worldwide company cost of a breach [5]
• 92% of businesses do not have information security functions that fully meet their needs [6]
• 84% practice or want to adopt a new Zero Trust security model [7]
• 75% agree digital transformation requires microsegment-level protection [8]
• 98% see benefits associated with microsegmentation [9]

1. Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018

2. Ibid

3. Ibid

4. Verizon: 2018 Data Breach Investigations Report

5. Ponemon Institute: The 2018 State of Endpoint Security Risk

6. EY Global Information Security Survey 2018-19

7. Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018

8. Ibid

9. Ibid

Page 9:

Traditional security measures can't meet digital transformation security needs

• Lack of visibility
• Large and dynamic threat landscape
• Ever-evolving sophisticated threats
• Sluggish detection and response
• Wider breach impact and downtime

Where to start? How to protect what matters the most? How to stay ahead of hackers? How to stop cyberattacks at the first sign of compromise? How to minimize the business impact?

Page 10:

Unisys is Zero Trust: Implemented

Architect | Build | Maintain

• Prioritize: prioritize investments based on business impact
• Protect: protect the most vulnerable people, devices and networks
• Predict: strengthen your risk posture with AI-powered predictive threat prevention
• Isolate: quickly isolate critical data and systems from rogue users in minutes, not hours, while business continues
• Remediate: minimize the operational impact of attacks by reducing your response time

Page 11:

Unisys Security Solutions

• TrustCheck™ Cyber Risk Management

⁃ Bridge the gap between the CISO and the board

• Stealth™ Products and Services

⁃ Zero Trust security built on identity-based, encrypted microsegmentation and cloaking

• Incident Response Ecosystem

⁃ Accurate and faster response for minimal business impact

• Managed Security Services

⁃ Proactive cyber defense to detect and respond to advanced cyberattacks

• Security Consulting Services

⁃ Trusted partners for managing your global security risk

Page 12:

Goal of information security: The basics

Page 13:

Information security – Core Pillars

• Confidentiality

⁃ Information may only be created, accessed, updated or removed by authorized actors

• Integrity

⁃ Information must be correct, complete, accurate and protected against unintended and unauthorized modification

• Availability

⁃ The ability of an actor to access information or resources at the specified location in the correct format

Page 14:

Security Principles

A security principle is a fundamental and seldom changing qualitative statement of intent that guides and directs secure development and design

• Focus on Business Continuity
• Security in-depth
• Security by Design
• Regulatory Compliance
• Failing Securely
• Policy Driven Security
• Accountability

Page 15:

What is the Zero Trust security model?

"A Zero Trust (ZT) security model — a more identity- and data-centric approach based on network segmentation, data obfuscation, security analytics, and automation that never assumes trust. ZT allows security and privacy protections to travel with the data itself — across hosting models, locations, devices, and third parties. It also applies the appropriate access rights based on the user's identity."

Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018

Page 16:

Utility vs. Security

• Strict security may reduce ease of use
• Easy access may increase the risk of unauthorized access
• Segregation of duties requires more coordination
• Enforcing least privilege may restrict people's freedom
• Zero Trust helps find the optimal balance

[Figure: Utility vs. Security]

Finding the right balance is key!

Page 17:

Open systems: An analysis

Page 18:

Architecture - Usage quadrant: Perception

[Quadrant chart: horizontal axis Proprietary to Open Architecture, vertical axis Intended Use from Special to Generic. Systems placed: Unisys OS2200, Unisys MCP, IBM iSeries, IBM z Series, OpenVMS, HP-UX, AIX, UNIX, Solaris, Linux, Windows.]

Page 19:

What defines an ‘open system’?

• Ensures interoperability
• Provides portability
• Based on 'open software standards' (e.g. ISO, IEC, ITU-T, IETF)

Open standards:
⁃ Publicly available
⁃ Can be implemented on a royalty-free basis
⁃ "reasonable and non-discriminatory" patent licensing requirements (commercial)
⁃ "can be freely adopted, implemented and extended" (open source)

Page 20:

ClearPath is an OPEN system: ClearPath has all the popular industry-standard integration technologies.

Heterogeneous external environments:
• Applications
• Mobile applications
• Databases
• Systems

ClearPath Middleware Portfolio (connecting the external environments to ClearPath applications, databases and transactions):
• .NET, XML
• J2EE, JCA, Resource Adapters, Web Services, Web
• BEA Tuxedo, X/Open, Mobile access
• JBoss, BEA WLS, WebSphere, SOA
• IBM WebSphere MQ, MSMQ, JDBC, ODBC, OLE DB, SQL

ClearPath:
• Applications
• Databases
• Transactions

Page 21:

Architecture - Usage quadrant: Reality

[Quadrant chart: horizontal axis Proprietary to Open Architecture, vertical axis Intended Use from Special to Generic. Systems placed: Unisys OS2200, Unisys MCP, IBM i Series, IBM z Series, HP-UX, AIX, UNIX, Solaris, Linux, Windows, OpenVMS.]

Page 22:

ClearPath and security: Security features explained

Page 23:

ClearPath Intrinsic Security Highlights

Security Principles:
• Least Privilege
• Security by design
• Accountability
• Policy driven security
• Failing securely

Security Controls:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Strict segregation of duties
• Secure memory management
• Management of System Resources
• Powerful security management

Page 24:

ClearPath was resistant to these vulnerabilities

• Meltdown: allows a rogue process to read all memory
⁃ ClearPath was not vulnerable because:
  • Memory management: no direct access to memory
  • External programs have no access to system resources, and thus cannot read all data (MAC)
  • Strict separation of memory types (stack/data/program code)

• Spectre: private data may be revealed by branch misprediction
⁃ ClearPath was not vulnerable because:
  • Memory management: no direct access to memory
  • External programs have no access to system resources, and thus cannot read all data (MAC)
  • Strict separation of memory types (stack/data/program code)

• This also goes for the latest MDS vulnerabilities (speculative execution side-channel vulnerabilities) announced by Intel

Page 25:

Operating System | Number of Vulnerabilities | Date of Last Vulnerability | Compromised User Data
--- | --- | --- | ---
Unisys ClearPath OS 2200 | 0 | - | No
Unisys ClearPath MCP | 3 | 02/26/2018 | No
IBM System z (zSeries) | 24 | 02/13/2015 | Yes
IBM System i (iSeries) | 26 | 06/14/2019 | Yes
OpenVMS | 38 | 05/01/2018 | Yes
HP-UX | 368 | 07/22/2019 | Yes
AIX | 396 | 04/08/2019 | Yes
Unix | 873 | 07/30/2019 | Yes
Solaris | 1,104 | 07/23/2019 | Yes
Windows | 7,477 | 07/30/2019 | Yes
Linux | 7,517 | 07/30/2019 | Yes

Data taken 08/05/19

This chart was developed by Unisys and represents Unisys’ interpretation of publicly available NIST data in the National Vulnerability Database, which has compiled vulnerabilities since 1997.
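As an added example (not the deck's own tooling), the Python below shows how a per-OS tally like the one in this table falls out of CVE records: it parses CPE 2.3 strings from NVD-API-2.0-shaped records (that record layout is an assumption here), counts each CVE once per product and keeps the latest publication date. The records, CVE ids, the `_record` helper and the Unisys vendor/product pair are constructed placeholders. One caveat a practitioner would add: a raw count like this reflects install base, CPE naming and reporting practice at least as much as platform security, and the table's "Compromised User Data" column is a per-CVE judgment the script does not attempt.

```python
"""Tally vulnerabilities per operating system from NVD-style CVE records
(added example, not from the Unisys deck).

The records below are CONSTRUCTED (placeholder CVE ids, made-up vendor and
product names). Their shape follows the NVD CVE API 2.0 JSON layout
(cve.id, cve.published, cve.configurations[].nodes[].cpeMatch[].criteria)
as an assumption about that format.
"""
from datetime import date


def _record(cve_id, published, *cpes):
    """Build one constructed record; cpes are (criteria, vulnerable) pairs."""
    return {"cve": {"id": cve_id, "published": published,
                    "configurations": [{"nodes": [{"cpeMatch": [
                        {"vulnerable": vuln, "criteria": crit} for crit, vuln in cpes]}]}]}}


SAMPLE_RECORDS = [
    _record("CVE-0000-0001", "2019-07-30T12:00:00.000",
            ("cpe:2.3:o:linux:linux_kernel:4.19:*:*:*:*:*:*:*", True)),
    # two version entries for the same product: the CVE still counts once
    _record("CVE-0000-0002", "2018-01-15T08:30:00.000",
            ("cpe:2.3:o:linux:linux_kernel:4.19:*:*:*:*:*:*:*", True),
            ("cpe:2.3:o:linux:linux_kernel:4.20:*:*:*:*:*:*:*", True)),
    # one CVE affecting two operating systems counts once for each
    _record("CVE-0000-0003", "2019-03-01T00:00:00.000",
            ("cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", True),
            ("cpe:2.3:o:linux:linux_kernel:5.0:*:*:*:*:*:*:*", True)),
    # a non-vulnerable match (e.g. a 'running on' platform) must not be counted
    _record("CVE-0000-0004", "2019-07-23T00:00:00.000",
            ("cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*", True),
            ("cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", False)),
    # a product outside the table is ignored
    _record("CVE-0000-0005", "2017-05-05T00:00:00.000",
            ("cpe:2.3:a:example_vendor:example_app:1.0:*:*:*:*:*:*:*", True)),
]

# (vendor, product) from the CPE string -> row label in the table.
# The Unisys pair is a constructed placeholder, not a real CPE name.
PRODUCT_LABELS = {
    ("linux", "linux_kernel"): "Linux",
    ("microsoft", "windows_10"): "Windows",
    ("oracle", "solaris"): "Solaris",
    ("unisys", "clearpath_os_2200"): "Unisys ClearPath OS 2200",
}


def parse_cpe(criteria):
    """Return (part, vendor, product) from a CPE 2.3 formatted string.
    Escaped colons inside a field are not handled; the sample has none."""
    fields = criteria.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return fields[2], fields[3], fields[4]


def affected_labels(record, labels):
    """Set of table labels this CVE counts against (deduplicated per CVE)."""
    hit = set()
    for config in record["cve"].get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", False):
                    continue
                _part, vendor, product = parse_cpe(match["criteria"])
                label = labels.get((vendor, product))
                if label is not None:
                    hit.add(label)
    return hit


def tally(records, labels):
    """Return ({label: count}, {label: date of most recent CVE or None})."""
    counts = {label: 0 for label in labels.values()}
    last = {label: None for label in labels.values()}
    for rec in records:
        published = date.fromisoformat(rec["cve"]["published"][:10])
        for label in affected_labels(rec, labels):
            counts[label] += 1
            if last[label] is None or published > last[label]:
                last[label] = published
    return counts, last


def table_rows(records, labels):
    """Rows of (label, count, last date or '-') ordered by count like the slide."""
    counts, last = tally(records, labels)
    return [(label, counts[label], last[label].isoformat() if last[label] else "-")
            for label in sorted(counts, key=lambda lab: (counts[lab], lab))]


if __name__ == "__main__":
    for label, count, last_seen in table_rows(SAMPLE_RECORDS, PRODUCT_LABELS):
        print(f"{label:<26} {count:>5} {last_seen}")
```

Run it as a script to print the constructed table; swap `SAMPLE_RECORDS` for the `vulnerabilities` array of a real NVD API response to reproduce the tally on live data.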

Page 26:

Conclusion

• Digital transformation of businesses and the wide adoption of cloud computing require better protection against cyber threats
• Infrastructures with generic, commodity servers can be protected by implementing Zero Trust and state-of-the-art tools for monitoring, detection, isolation and remediation
• ClearPath is an open system that can be part of Zero Trust infrastructures
• ClearPath systems are intrinsically more secure than generic systems, and provide a modern integrated technology stack that supports digital transformation and delivers GDPR compliance
• ClearPath has proven its value in the past, but it is absolutely the cloud platform of choice for the future

Page 27:

Thank You

Email: [email protected]

Page 28:

Security Models: Enforcing Confidentiality and Integrity

Page 30:

Biba Integrity model (1975)

• Ruleset to ensure data integrity
• Data and subjects are grouped into ordered levels of integrity
• Prevents corruption/contamination of data

Rules:
• Simple integrity property: read up (a subject may read only data at its own or a higher integrity level)
• Integrity star (*) property: write down (a subject may write only data at its own or a lower integrity level)
• Invocation property: no access up (a subject may invoke only subjects at its own or a lower integrity level)

[Diagram: a layer of lower integrity and a layer of higher integrity; arrows labelled Read (Simple Integrity Property), Invoke (Invocation Property) and Write (Integrity Star (*) Property), with "contamination" and "get contaminated" marking the disallowed directions.]
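The three Biba rules above, implemented as a small reference monitor in Python. This is an added example, not code from the deck or from any ClearPath component; the integrity level names, the subjects and objects, and the sample requests are constructed for illustration.

```python
"""Biba integrity model as a small reference monitor (added example).

Integrity levels are modelled as integers, higher = more trusted. The level
names, subjects and objects below are constructed for illustration and are
not taken from any real system.
"""
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    UNTRUSTED = 0   # e.g. data fetched from the public internet
    USER = 1        # ordinary user-supplied data and user processes
    SYSTEM = 2      # system configuration and trusted system processes


@dataclass(frozen=True)
class Entity:
    """A subject (process) or object (data item) carrying an integrity label."""
    name: str
    level: Integrity


def can_read(subject: Entity, obj: Entity) -> bool:
    """Simple integrity property ('read up'): a subject may read only objects
    at its own or a higher integrity level, so lower-integrity data cannot
    contaminate it."""
    return obj.level >= subject.level


def can_write(subject: Entity, obj: Entity) -> bool:
    """Integrity *-property ('write down'): a subject may write only objects
    at its own or a lower level, so it cannot contaminate higher-integrity data."""
    return obj.level <= subject.level


def can_invoke(caller: Entity, callee: Entity) -> bool:
    """Invocation property ('no access up'): a subject may invoke only
    subjects at its own or a lower integrity level."""
    return callee.level <= caller.level


RULES = {"read": can_read, "write": can_write, "invoke": can_invoke}


def decide(action: str, subject: Entity, target: Entity) -> str:
    """Mediate one access request; unknown actions are denied (fail securely)."""
    rule = RULES.get(action)
    if rule is None:
        return "DENY"
    return "ALLOW" if rule(subject, target) else "DENY"


def evaluate(requests):
    """Mediate a batch of (action, subject, target) requests and return an
    audit trail of (action, subject name, target name, decision) tuples."""
    return [(action, s.name, t.name, decide(action, s, t)) for action, s, t in requests]


# Constructed sample subjects and objects.
WEB_PARSER = Entity("web_parser", Integrity.USER)
UPDATER = Entity("system_updater", Integrity.SYSTEM)
DOWNLOAD = Entity("internet_download", Integrity.UNTRUSTED)
SYS_CONFIG = Entity("system_config", Integrity.SYSTEM)
USER_DOC = Entity("user_document", Integrity.USER)

SAMPLE_REQUESTS = [
    ("read", WEB_PARSER, DOWNLOAD),     # read-down: untrusted input would contaminate the parser
    ("read", WEB_PARSER, SYS_CONFIG),   # read-up is fine
    ("write", WEB_PARSER, SYS_CONFIG),  # write-up: a user-level process must not alter system config
    ("write", UPDATER, SYS_CONFIG),     # same level
    ("write", UPDATER, USER_DOC),       # write-down is fine
    ("invoke", WEB_PARSER, UPDATER),    # invoking a higher-integrity subject is blocked
    ("invoke", UPDATER, WEB_PARSER),    # invoking down is fine
    ("format", UPDATER, SYS_CONFIG),    # unknown action: denied by default
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print("%-7s %-16s -> %-18s %s" % row)
```

The monitor returns a decision per request rather than raising, so the audit trail doubles as the accountability record the deck lists among its security principles; the `format` request shows the fail-securely default for an action no rule covers.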

Page 31:

Clark-Wilson model (1987)

• Three-part relationship of subject/program/object
• Subjects do not have direct access to objects
• Objects can only be accessed through programs

Based on:
• Well-formed transactions to change the state
• Integrity of transactions protected by integrity policy
• Separation of duty
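The Clark-Wilson relationship described above, as an added example in Python (not code from the deck or from ClearPath): subjects never hold the constrained data items, every change runs through a certified transformation procedure on a working copy, access is checked against (user, TP, CDI) triples, an integrity verification procedure must pass before the change is committed, and separation of duty stops the certifier of a TP from executing it. The accounts, users, amounts and the `transfer` procedure are constructed for illustration.

```python
"""Clark-Wilson style access mediation (added example, constructed data)."""
from copy import deepcopy
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


class IntegrityViolation(Exception):
    pass


@dataclass(frozen=True)
class TP:
    """A certified transformation procedure and who certified it."""
    name: str
    func: object
    certified_by: str


class ClarkWilsonMonitor:
    def __init__(self, cdis, ivp):
        if not ivp(cdis):
            raise IntegrityViolation("initial state fails the IVP")
        self._cdis = cdis        # only the monitor holds the constrained data items
        self._ivp = ivp          # integrity verification procedure
        self._tps = {}
        self._triples = set()    # allowed (user, tp_name, cdi_name)
        self.log = []            # accountability: every attempt is recorded

    def certify_tp(self, name, func, certifier):
        self._tps[name] = TP(name, func, certifier)

    def grant(self, user, tp_name, cdi_name):
        self._triples.add((user, tp_name, cdi_name))

    def view(self, cdi_name):
        return self._cdis[cdi_name]

    def execute(self, user, tp_name, cdi_names, *args):
        tp = self._tps.get(tp_name)
        if tp is None:
            self.log.append((user, tp_name, "DENIED", "uncertified TP"))
            raise AccessDenied(f"{tp_name} is not a certified TP")
        if tp.certified_by == user:  # separation of duty
            self.log.append((user, tp_name, "DENIED", "separation of duty"))
            raise AccessDenied(f"{user} certified {tp_name} and may not execute it")
        for cdi in cdi_names:
            if (user, tp_name, cdi) not in self._triples:
                self.log.append((user, tp_name, "DENIED", f"no triple for {cdi}"))
                raise AccessDenied(f"{user} may not run {tp_name} on {cdi}")
        working = deepcopy(self._cdis)   # well-formed transaction: all or nothing
        try:
            result = tp.func(working, *cdi_names, *args)
        except Exception as exc:
            self.log.append((user, tp_name, "FAILED", str(exc)))
            raise
        if not self._ivp(working):
            self.log.append((user, tp_name, "REJECTED", "IVP failed"))
            raise IntegrityViolation(f"{tp_name} would leave the CDIs in an invalid state")
        self._cdis = working             # commit only after the IVP passes
        self.log.append((user, tp_name, "OK", tuple(cdi_names)))
        return result


# ---- constructed sample: two accounts whose total must stay constant ----
TOTAL = 150


def balances_consistent(cdis):
    """IVP: no negative balances and money is neither created nor destroyed."""
    return all(v >= 0 for v in cdis.values()) and sum(cdis.values()) == TOTAL


def transfer(cdis, src, dst, amount):
    """TP: move funds between two accounts; the monitor runs it on a copy."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    cdis[src] -= amount
    cdis[dst] += amount
    return cdis[src], cdis[dst]


def build_demo_monitor():
    m = ClarkWilsonMonitor({"acct_a": 100, "acct_b": 50}, balances_consistent)
    m.certify_tp("transfer", transfer, certifier="auditor")
    m.grant("teller", "transfer", "acct_a")
    m.grant("teller", "transfer", "acct_b")
    return m


def try_execute(m, user, tp_name, cdi_names, *args):
    """Run one request and report the outcome by name (for the demo and tests)."""
    try:
        m.execute(user, tp_name, cdi_names, *args)
        return "OK"
    except (AccessDenied, IntegrityViolation, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    m = build_demo_monitor()
    print(try_execute(m, "teller", "transfer", ["acct_a", "acct_b"], 30))   # OK
    print(try_execute(m, "teller", "transfer", ["acct_a", "acct_b"], 500))  # IntegrityViolation
    print(try_execute(m, "auditor", "transfer", ["acct_a", "acct_b"], 5))   # AccessDenied
    print(m.view("acct_a"), m.view("acct_b"))                                # 70 80
```

The overdraw case is the one worth noticing: the TP itself does not check funds, yet the state stays consistent because the IVP rejects the working copy before it is committed, which is exactly the "integrity of transactions protected by integrity policy" point on the slide.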

Page 32:

TrustCheck™ Cyber Risk Management: Bridge the gap between the CISO and the board

• Assess cybersecurity and cyber risk posture in economic terms.
• Understand where the risk transfer zone is for all cyber perils.
• Easily communicate risk reduction initiatives to the board.
• Prioritize risk mitigation strategies.
• Analyze the return on investment of cybersecurity investments.
• Determine the likelihood of a cyber-related financial loss.

Typical use cases: Strategic Risk Mitigation; Board Ready Business Case; Compliance Audits; Expected Loss Analysis; Return on Investment Insight

Page 33:

Stealth™ Products and Services: Zero Trust security built on identity-based, encrypted microsegmentation

• Identity-based microsegmentation, encryption and cloaking.
• Visibility into unsafe ecosystem communication.
• Securely extend datacenters to public, private or hybrid clouds (AWS/Azure).
• Risk-based multi-factor authentication.
• Secure remote and BYOD users.

Product family:
⁃ Stealth(core): Reduce attack surface
⁃ Stealth(aware): Know your environment
⁃ Stealth(cloud): Extend datacenters to Cloud
⁃ Stealth(identity): Irrefutable identity
⁃ Stealth(mobile): Security on the go

Typical use cases: Zero Day Protection; Internal Threat Protection; Legacy Protection; Data Center Consolidation; Compliance Certification; IPv4 IoT Devices; Operational Technology

Page 34:

Incident Response Ecosystem: Accurate and faster response for minimal business impact

Typical use cases: Potential Malicious Activity Detection; Scenario-driven Exercise; IR Maturity and Capability Score; Comparison Against Industry Best Practices; Benchmark Simulation; Unknown Threat Activity Identification

Service descriptions:
• Detect suspicious or potentially malicious activity within your environment.
• On-site, scenario-driven exercise to improve cyberattack preparedness and resilience.
• Delivers a maturity and capability score based on a customized evaluation of the existing security program.
• Comparison against industry best practices to identify gaps and provide recommendations to mitigate issues.
• Assess the present environment, identify unknown threat activity, and suggest remediation.
• Assessment of operational readiness to detect and respond to modern cybersecurity threats.

Page 35:

Managed Security Services: Proactive cyber defense to detect and respond to advanced cyberattacks

• Powerful arsenal of high-performance tools for correlating and simplifying security, compliance and operations. Leverages best-in-class LogRhythm® SIEM technology.
• Detect and prevent malware that signature- and hash-based protection solutions can't. Powered by CylancePROTECT®, an industry-leading endpoint protection solution.
• Manage and optimize your security technology infrastructure.
• Enable frictionless access to sensitive data.

Typical use cases: Managed Security Information and Event Management; Advanced Endpoint Protection; Security Device Management; Security Automation; Security Analytics; Event Monitoring; Incident Investigation; Compromise Assessment; Migration from legacy anti-virus; Security Infra ITSM; Managed PKI Services; Safe Comms

Page 36:

Security Consulting Services: Trusted partners for managing your global security risk

• Industry-specific expertise.
• Secure data today while moving your organization to a more efficient security program.
• Executive advisory services on security, compliance, strategic planning, and mobile device security strategies.
• Vulnerability and threat assessments along with eDiscovery forensic data analysis, for both incident and non-incident related security.

Typical use cases: Technical Consulting; Strategic Consulting; Systems Integration; Incident Response; Obligatory breach notification program; Litigation Preparation; Incident response plans; Regulatory Compliance

Page 37:

Significant Industry Recognition & Awards for Unisys Security Transformation Capabilities

• NelsonHall: 'Leader' - NEAT vendor evaluation for Managed Security Services, 2018, 2017
• Frost & Sullivan: Customer Value Leadership Award for Encrypted Network Security Solutions, 2017
• HfS Research: As-a-Service Winner's Circle - Managed Security Services, 2017
• NIAP Certification: To meet internationally accepted standards for trusted security products and solutions.
• NSA: Approved by the U.S. National Security Agency's (NSA) Commercial Solutions for Classified (CSfC)
• Philadelphia Business Journal: 2018 Healthcare Innovator of the Year
• Minnesota High Tech Association (MHTA): 2018 Tekne Award for Cybersecurity