ClearPath Forward and Security - Unisys · 2019. 10. 4.
Today’s Security Challenges
ClearPath Forward and Security
Ronald Huijgens
© 2019 Unisys Corporation. All rights reserved.
Agenda
• Introduction
• Security models today
• Digital transformation changes everything
• Zero Trust Model
• Open Systems
• ClearPath intrinsic security
• Conclusion
Introduction
• Ronald Huijgens - Consulting Sr. Manager
• Phone: +31 610 001 543
• www.linkedin.com/in/ronald-huijgens-5212a3
Specialist in
⁃ Biometrics
⁃ Unisys Stealth(identity) and Stealth(core)
At Unisys today:
⁃ Security consultancy and advisory
⁃ Secure systems analysis and design
⁃ Implementations
Professional Journey
AT&T • 1987 – 1992
• Roles: Hardware & software developer
• Clients: telecom operators
• Results: PDH Cross connect system, multiplexers, line system, SDH/Sonet multiplexers, Generic Fault Management software (embedded SIEM)
CMG/LogicaCMG • 1992 – 2005
• Roles: SW engineer, lead architect, biometric SME, security architect, security consultant, IT project manager, Logistics manager
• Clients: Public, Aviation, Finance, Mobile Telecom
• Results: NMT KMS, SMSC, Privium, Dutch biometric Passport, Saudi National ID card, Y2K compliance
Unisys Corporation • 2005 – now
• Roles: Biometric SME, security architect, lead architect, security consultant/trusted advisor, biometric consultant
• Clients: Public, Aviation, Finance, Healthcare
• Results: Integrated Physical & Logical Access control systems, Biometric Identity Management systems, Security Architectures, Large Scale Biometric Systems
Security Model - Physical Perimeter
Logical perimeter
Source: https://techcommunity.microsoft.com
Analysts Quote
“The idea of a secure network perimeter is dead. As organizations embrace digital transformation they become substantially more vulnerable to cyberattacks. Zero Trust affords digital businesses operational agility while containing risk.”
Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018
Digital transformation forcing a new approach to security
Digital transformation is everywhere...
• 100% of businesses have a digital transformation strategy [1]
• 84% agree digital transformation requires adjustments to traditional perimeter-based security strategies [2]
• 80% agree digital transformation expands attack surface [3]
Cyber attackers are exploiting new vulnerabilities...
• 81% of data breaches are caused by stolen credentials [4]
• $7 million is the average worldwide company cost of a breach [5]
• 92% of businesses do not have information security functions that fully meet their needs [6]
There is a path forward...
• 84% practice or want to adopt new Zero Trust security model [7]
• 75% agree digital transformation requires microsegment-level protection [8]
• 98% see benefits associated with microsegmentation [9]
1. Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018
2. Ibid
3. Ibid
4. Verizon: 2018 Data Breach Investigations Report
5. Ponemon Institute: The 2018 State of Endpoint Security Risk
6. EY Global Information Security Survey 2018-19
7. Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018
8. Ibid
9. Ibid
Traditional security measures can’t meet digital transformation security needs
• Lack of visibility
• Large and dynamic threat landscape
• Ever-evolving sophisticated threats
• Sluggish detection and response
• Wider breach impact and downtime
Where to start? How to protect what matters the most? How to stay ahead of hackers? How to stop cyberattacks at the first sign of compromise? How to minimize the business impact?
Unisys is Zero Trust: Implemented
Architect | Build | Maintain
• Prioritize: prioritize investments based on business impact
• Protect: protect the most vulnerable people, devices and networks
• Predict: strengthen your risk posture with AI-powered predictive threat prevention
• Isolate: quickly isolate critical data and systems from rogue users in minutes – not hours – while business continues
• Remediate: minimize the operational impact of attacks by reducing your response time
Unisys Security Solutions
• TrustCheck™ Cyber Risk Management
⁃ Bridge the gap between the CISO and the board
• Stealth™ Products and Services
⁃ Zero trust security built on identity based, encrypted micro segmentation, cloaking
• Incident Response Ecosystem
⁃ Accurate and faster response for minimal business impact
• Managed Security Services
⁃ Proactive cyber defense to detect and respond to advanced cyberattacks
• Security Consulting Services
⁃ Trusted partners for managing your global security risk
Goal of information security – The basics
Information security – Core Pillars
• Confidentiality
⁃ Information may only be created, accessed, updated or removed by authorized actors
• Integrity
⁃ Information must be correct, complete, accurate and protected against unintended and unauthorized modification
• Availability
⁃ The ability of an actor to access information or resources at the specified location in the correct format
Security Principles
A security principle is a fundamental and seldom changing qualitative statement of intent that guides and directs secure development and design
• Focus on Business Continuity
• Security in-depth
• Security by Design
• Regulatory Compliance
• Failing Securely
• Policy Driven Security
• Accountability
What is the Zero Trust security model?
“A Zero Trust (ZT) security model — a more identity- and data-centric approach based on network segmentation, data obfuscation, security analytics, and automation that never assumes trust. ZT allows security and privacy protections to travel with the data itself — across hosting models, locations, devices, and third parties. It also applies the appropriate access rights based on the user’s identity.”
Forrester Opportunity Snapshot: A Custom Study Commissioned By Unisys | September 2018
Utility vs. Security
• Strict security may reduce ease of use
• Easy access may increase risk of unauthorized access
• Segregation of duties requires more coordination
• Enforcing least privilege may restrict people’s freedom
• Zero-trust helps find the optimal balance
Finding the right balance between utility and security is key!
Open systems – An analysis
Architecture - Usage quadrant: Perception
[Quadrant chart; vertical axis: Intended Use (Special / Generic), horizontal axis: Architecture (Proprietary / Open). Systems plotted: Unisys OS2200, Unisys MCP, IBM iSeries, IBM z Series, OpenVMS, HP UX, AIX, UNIX, Solaris, Linux, Windows]
What defines an ‘open system’?
• Ensures interoperability
• Provides portability
• Based on ‘open software standards’ (e.g. ISO, IEC, ITU-T, IETF)
Open standards
⁃ Publicly available
⁃ Can be Implemented on royalty-free basis
⁃ “reasonable and non-discriminatory” patent licensing requirements (commercial)
⁃ “can be freely adopted, implemented and extended” (open source)
ClearPath is an OPEN System
ClearPath has all the popular industry standard integration technologies
Heterogeneous external environments:
• Applications
• Mobile applications
• Databases
• Systems
ClearPath Middleware Portfolio (connecting the external environments to ClearPath applications, databases and transactions):
• .NET, XML
• J2EE, JCA, Resource Adapters, WEB Services, WEB
• BEA Tuxedo, X/Open, Mobile access
• JBoss, BEA WLS, WebSphere, SOA
• IBM WebSphere MQ, MSMQ, JDBC, ODBC, OLE DB, SQL
Architecture – Usage quadrant: Reality
[Quadrant chart; vertical axis: Intended Use (Special / Generic), horizontal axis: Architecture (Proprietary / Open). Systems plotted: Unisys OS2200, Unisys MCP, IBM i Series, IBM z Series, HP UX, AIX, UNIX, Solaris, Linux, Windows, OpenVMS]
ClearPath and security – Security features explained
ClearPath Intrinsic Security Highlights
Security Principles:
• Least Privilege
• Security by design
• Accountability
• Policy driven security
• Failing securely
Security Controls:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Strict segregation of duties
• Secure memory management
• Management of System Resources
• Powerful security management
ClearPath was resistant to these vulnerabilities
• Meltdown: allows a rogue process to read all memory
⁃ ClearPath was not vulnerable because:
• Memory management: no direct access to memory
• External programs have no access to system resources, and thus cannot read all data (MAC)
• Strict separation of memory types (stack/data/program code)
• Spectre: private data may be revealed by branch misprediction
⁃ ClearPath was not vulnerable because:
• Memory management: no direct access to memory
• External programs have no access to system resources, and thus cannot read all data (MAC)
• Strict separation of memory types (stack/data/program code)
• This also goes for the latest MDS vulnerabilities (speculative execution side channel vulnerabilities) announced by Intel
Operating System           Number of Vulnerabilities   Date of Last Vulnerability   Compromised User Data
Unisys ClearPath OS 2200   0                           -                            No
Unisys ClearPath MCP       3                           02/26/2018                   No
IBM System z (zSeries)     24                          02/13/2015                   Yes
IBM System i (iSeries)     26                          06/14/2019                   Yes
OpenVMS                    38                          05/01/2018                   Yes
HP-UX                      368                         07/22/2019                   Yes
AIX                        396                         04/08/2019                   Yes
Unix                       873                         07/30/2019                   Yes
Solaris                    1,104                       07/23/2019                   Yes
Windows                    7,477                       07/30/2019                   Yes
Linux                      7,517                       07/30/2019                   Yes
Data taken 08/05/19
This chart was developed by Unisys and represents Unisys’ interpretation of publicly available NIST data in the National Vulnerability Database, which has compiled vulnerabilities since 1997.
Conclusion
• Digital transformation of businesses and the wide adoption of Cloud computing require better protection against cyber threats
• Infrastructures with generic, commodity servers can be protected by implementing Zero Trust and state-of-the-art tools for monitoring, detection, isolation and remediation
• ClearPath is an open system that can be part of Zero Trust infrastructures
• ClearPath systems are intrinsically more secure than generic systems, and provide a modern integrated technology stack that supports digital transformation and delivers GDPR compliance
• ClearPath has proven its value in the past, but it is absolutely the cloud platform of choice for the future
Thank You
Email: [email protected]
Security Models – Enforcing Confidentiality and Integrity
Bell-LaPadula Confidentiality model (1973)
• Multilevel security policy
• Developed for the military
• Implements MAC and DAC
Rules:
• Simple Security Principle: no read-up
• Star (*) Property: no write-down
• Strong Star (*) Property: read/write only within the subject’s own layer
[Figure: two layers, lower secrecy and higher secrecy. The Simple Security Principle blocks reading from the higher layer (reading secrets); the Star (*) Property blocks writing to the lower layer (divulging secrets); the Strong Star (*) Property confines read/write to the subject’s own layer]
Biba Integrity model (1975)
• Ruleset to ensure data integrity
• Data and subjects are grouped into ordered levels of integrity
• Prevents corruption/contamination of data
Rules:
• Simple Integrity Principle: read-up
• Integrity Star (*) Property: write-down
• Invocation Property: no access up
[Figure: two layers, lower integrity and higher integrity. Reading from the lower layer is shown as contamination (Simple Integrity Principle); writing into the higher layer is shown as the higher layer getting contaminated (Integrity Star (*) Property); invoking upward is blocked (Invocation Property)]
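The Bell-LaPadula and Biba rules on the two preceding slides are mirror images of each other, which is easiest to see when both are written as checks over one ordered set of levels. The following Python is an added illustration, not code from the deck or from ClearPath: the level list and the sample requests are constructed, compartments and DAC are left out so the mandatory rules stay visible, and `both_allow` shows why a system that applied both models on one shared lattice would be reduced to same-level access only.

```python
"""Reference-monitor checks for the Bell-LaPadula and Biba rules.

Added illustration for the two lattice models on the slides; this is not
ClearPath code. LEVELS is a constructed, totally ordered list (lowest first)
that serves as the confidentiality lattice for Bell-LaPadula and as the
integrity lattice for Biba.
"""
from enum import Enum

# Constructed sample lattice, lowest level first.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


class Op(Enum):
    READ = "read"
    WRITE = "write"
    INVOKE = "invoke"


def rank(level):
    """Position of a level in the lattice; a higher index means more secret
    (Bell-LaPadula) or more trustworthy (Biba)."""
    return LEVELS.index(level)


def blp_allows(subject, obj, op, strong_star=False):
    """Bell-LaPadula (confidentiality).

    Simple Security Property: no read-up   (object level <= subject level).
    Star (*) Property:        no write-down (object level >= subject level).
    Strong Star (*) Property: read and write only at the subject's own level.
    """
    s, o = rank(subject), rank(obj)
    if op is Op.INVOKE:
        return False          # Bell-LaPadula defines no invocation rule
    if strong_star:
        return s == o
    if op is Op.READ:
        return o <= s
    return o >= s             # Op.WRITE


def biba_allows(subject, obj, op):
    """Biba (integrity), the dual of Bell-LaPadula.

    Simple Integrity Property:   no read-down (lower-integrity data would
                                 contaminate the reader).
    Integrity Star (*) Property: no write-up  (lower-integrity data must not
                                 flow into a higher layer).
    Invocation Property:         no invoking a subject of higher integrity.
    """
    s, o = rank(subject), rank(obj)
    if op is Op.READ:
        return o >= s
    return o <= s             # Op.WRITE and Op.INVOKE


def both_allow(subject, obj, op):
    """Enforce BLP and Biba on the same lattice: only same-level access
    survives, which is why systems that need both keep separate lattices."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def audit(requests, policy):
    """Apply a policy to (subject_level, object_level, op) requests and return
    one decision string per request."""
    return [f"{s} {op.value} {o}: {'ALLOW' if policy(s, o, op) else 'DENY'}"
            for s, o, op in requests]


if __name__ == "__main__":
    # Constructed sample requests covering read/write in both directions.
    sample = [("secret", "confidential", Op.READ),    # read-down
              ("confidential", "secret", Op.READ),    # read-up
              ("secret", "confidential", Op.WRITE),   # write-down
              ("confidential", "secret", Op.WRITE)]   # write-up
    print("Bell-LaPadula:", *audit(sample, blp_allows), sep="\n  ")
    print("Biba:", *audit(sample, biba_allows), sep="\n  ")
```

Running the block prints the four sample requests under each policy; every decision Bell-LaPadula allows, Biba denies, and vice versa, which is the duality the two slides describe.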
Clarke-Wilson model (1987)
• Three-part relationship of subject/program/object
• Subjects do not have direct access to objects
• Objects can only be accessed through programs
Based on:
• Well-formed transactions to change the state
• Integrity of transactions protected by integrity policy
• Separation of duty
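The Clarke-Wilson slide above describes the model in terms of its three parts; the following Python is an added example, not code from the deck or from ClearPath, that makes those parts concrete. The ledger of account balances is a constructed sample of constrained data items, `transfer` is the only well-formed transaction, the integrity verification procedure checks that money is neither created nor destroyed, subjects reach the ledger only through access triples (user, program, object), and the user who certified a program is refused execute rights on it as the separation-of-duty rule.

```python
"""Clarke-Wilson style access mediation over a constructed ledger.

Added example for the subject/program/object relationship on the slide;
not ClearPath code. Balances, users and the 'transfer' program are all
constructed for illustration.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


class IntegrityViolation(Exception):
    pass


@dataclass
class Ledger:
    """Constrained data items (CDIs): account balances (constructed sample)."""
    balances: dict

    def ivp(self, expected_total):
        """Integrity verification procedure: total conserved, no negative balance."""
        return (sum(self.balances.values()) == expected_total
                and all(b >= 0 for b in self.balances.values()))


@dataclass
class Monitor:
    """Mediates every access: subjects never touch CDIs except through a
    certified program named in an access triple."""
    ledger: Ledger
    expected_total: int
    programs: dict = field(default_factory=dict)   # name -> (function, certifier)
    triples: set = field(default_factory=set)      # (user, program, cdi)
    log: list = field(default_factory=list)        # audit trail of transactions

    def certify(self, certifier, name, func):
        self.programs[name] = (func, certifier)

    def grant(self, user, program, cdi):
        if program not in self.programs:
            raise AccessDenied(f"{program} is not a certified program")
        # Separation of duty: whoever certified a program may not execute it.
        if self.programs[program][1] == user:
            raise AccessDenied(f"{user} certified {program} and may not run it")
        self.triples.add((user, program, cdi))

    def execute(self, user, program, src, dst, amount):
        for cdi in (src, dst):
            if (user, program, cdi) not in self.triples:
                raise AccessDenied(f"no triple ({user}, {program}, {cdi})")
        func, _ = self.programs[program]
        snapshot = dict(self.ledger.balances)
        try:
            func(self.ledger, src, dst, amount)
            if not self.ledger.ivp(self.expected_total):
                raise IntegrityViolation("ledger left in an invalid state")
        except Exception:
            # Roll back so the CDIs only ever move from valid state to valid state.
            self.ledger.balances = snapshot
            self.log.append((user, program, src, dst, amount, "rejected"))
            raise
        self.log.append((user, program, src, dst, amount, "committed"))
        return True


def transfer(ledger, src, dst, amount):
    """The well-formed transaction: moves money without creating or destroying it."""
    if amount <= 0 or ledger.balances[src] < amount:
        raise IntegrityViolation("insufficient funds")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


def demo():
    """Constructed scenario; returns the outcome of each mediated request."""
    ledger = Ledger({"alice": 100, "bob": 50})
    m = Monitor(ledger, expected_total=150)
    m.certify("auditor", "transfer", transfer)
    m.grant("clerk", "transfer", "alice")
    m.grant("clerk", "transfer", "bob")
    results = {"ok": m.execute("clerk", "transfer", "alice", "bob", 30)}
    for key, call in (
        ("overdraft", lambda: m.execute("clerk", "transfer", "alice", "bob", 500)),
        ("sod", lambda: m.grant("auditor", "transfer", "alice")),
        ("no_triple", lambda: m.execute("intruder", "transfer", "alice", "bob", 1)),
    ):
        try:
            call()
            results[key] = "allowed"
        except (AccessDenied, IntegrityViolation):
            results[key] = "rejected"
    results["balances"] = dict(ledger.balances)
    results["log_entries"] = len(m.log)
    return results


if __name__ == "__main__":
    print(demo())
```

The overdraft attempt is rejected by the transaction itself and rolled back, so the ledger stays at its valid post-transfer state; the auditor who certified `transfer` cannot be granted the right to run it; and a user without an access triple is stopped before the program is ever invoked.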
TrustCheck™ Cyber Risk Management
Bridge the gap between the CISO and the board
• Assess cybersecurity and cyber risk posture in economic terms.
• Understand where the risk transfer zone is for all cyber perils.
• Easily communicate risk reduction initiatives to the board.
• Prioritize risk mitigation strategies.
• Analyze the return on investment of cybersecurity investments.
• Determine the likelihood of a cyber-related financial loss.
Typical use cases: Strategic Risk Mitigation; Board Ready Business Case; Compliance Audits; Expected Loss Analysis; Return on Investment Insight
Stealth™ Products and Services
Zero trust security built on identity based, encrypted microsegmentation
• Identity-based microsegmentation, encryption and cloaking.
• Visibility into unsafe ecosystem communication.
• Securely extend datacenters to public, private or hybrid clouds (AWS/Azure).
• Risk-based multi-factor authentication.
• Secure remote and BYOD users.
Product family:
⁃ Stealth(core) – Reduce attack surface
⁃ Stealth(aware) – Know your environment
⁃ Stealth(cloud) – Extend datacenters to Cloud
⁃ Stealth(identity) – Irrefutable identity
⁃ Stealth(mobile) – Security on the go
Typical use cases: Zero Day Protection; Internal Threat Protection; Legacy Protection; Data Center Consolidation; Compliance Certification; IPv4 IoT Devices; Operational Technology
Incident Response Ecosystem
Accurate and faster response for minimal business impact
• IR maturity and Capability Score: delivers a maturity and capability score based on a customized evaluation of the existing security program.
• Comparison Against Industry Best Practices: comparison against industry best practices to identify gaps and provide recommendations to mitigate issues.
• Scenario-driven Exercise: on-site, scenario-driven exercise to improve cyberattack preparedness and resilience.
• Potential Malicious Activity Detection: detect suspicious or potentially malicious activity within your environment.
• Unknown Threat Activity Identification: assess the present environment, identify unknown threat activity, and suggest remediation.
• Benchmark Simulation: assessment of operational readiness to detect and respond to modern cybersecurity threats.
Typical use cases: Potential Malicious Activity Detection; Scenario-driven Exercise; IR maturity and Capability Score; Comparison Against Industry Best Practices; Benchmark Simulation; Unknown Threat Activity Identification
Managed Security Services
Proactive cyber defense to detect and respond to advanced cyberattacks
• Powerful arsenal of high-performance tools for correlating and simplifying security, compliance and operations. Leverages best-in-class LogRhythm® SIEM technology.
• Detect and prevent malware that signature- and hash-based protection solutions can’t. Powered by CylancePROTECT®, an industry leading endpoint protection solution.
• Manage and optimize your security technology infrastructure.
• Enable frictionless access to sensitive data.
Service lines: Managed Security Information and Event Management; Advanced Endpoint Protection; Security Device Management; Security Automation; Security Analytics
Typical use cases: Event Monitoring; Incident Investigation; Compromise assessment; Migration from legacy anti-virus; Security Infra ITSM; Managed PKI Services; Safe Comms
Security Consulting Services
Trusted partners for managing your global security risk
• Industry-specific expertise.
• Secure data today while moving your organization to a more efficient security program.
• Executive advisory services on security, compliance, strategic planning, and mobile device security strategies.
• Vulnerability and threat assessments along with eDiscovery forensic data analysis – for both incident and non-incident related security.
Service lines: Technical Consulting; Strategic Consulting; Systems Integration; Incident Response
Typical use cases: Obligatory breach notification program; Litigation Preparation; Incident response plans; Regulatory Compliance
Significant Industry Recognition & Awards for Unisys Security Transformation Capabilities
NelsonHall
‘Leader’ - NEAT vendor evaluation for Managed Security Services, 2018, 2017
Frost & Sullivan
Customer Value Leadership Award for Encrypted Network Security Solutions, 2017
HfS Research
As-a-Service Winner’s Circle - Managed Security Services, 2017
NIAP Certification
To meet internationally accepted standards for trusted security products and solutions.
NSA
Approved by the U.S. National Security Agency’s (NSA) Commercial Solutions for Classified (CSfC)
Philadelphia Business Journal
2018 Healthcare Innovator of the Year
Minnesota High Tech Association (MHTA)
2018 Tekne Award for Cybersecurity