High Security Requirements

Working in the security market

High Security market• Customers:

• Intelligence agencies (NSA, CIA, USAF, WH)

• Finances (Banks)

• Governments (Justice system, education system)

• Chief Security Officer / CIO has power to decide

• Product features come after security features

ionGrid• Solve BYOD for

file access

• Secure container

• Integrates with current infrastructure

Data in movement

Data in movement (cont)• Provisioning

• Enables end-to-end encryption

• Improves security against “man in the middle attack”

• Secure channel in AMQP protocol

• Pro : AMQP instead of HTTPS gives stronger encryption

• Cons : very hard to work with…

• Real use case

• Pretty much everything…

Data at rest (cont)

Data Key

Password

Data at rest• Encrypt data

• Much harder to access the data against a dumping attack

• Server gives the key every time authentication is correct

• Multiple factor authentication (password, RSA SecureID, etc…)

• Offline authentication

• Encrypt master key using password

• User can retrieve its key with password

Security policies• Classic RWX (Read, Write, Execute)

• Pros: Access data, modify them, etc…

• Cons: Very hard to express the business needs

• “Can I … ?” policies (ie: can login)

• Pros: Much better for business needs

• Cons: Requires a lot of maintenance

• How can I handle a lot of business rules ?

• Access data only during the day / at a location

• Specify policies per file / folder / user

Security policies (cont)• Empower your customer with its own security

policies!

• Define “Can I … ?” policies in client

• Policy engine is defined in JavaScript

• Let the company code and define its own rules or use simple true/false checkboxes

• Code snippet can be defined per file / user

• Code is shipped to the device

• Works offline

• Works in the future

Device compromised• Simple cases:

• Device stolen or lost

• Employee quits or is fired

• Device exits location

• Active attacks

• Faraday bag

• Forensic attack

TIME-BOMB EVERYTHING!

Real use cases• JP Morgan

• Encryption and secure channel

• Coke

• Executive board members would loose their iPads…

• NBC universal

• TV Shows scripts should only be accessed with a specific set of rules

• Schweppes

• Secure video streaming

Real use cases (cont)• New York City Transit

• Offline use

• Application secure sandbox in HTML5

• “pg&e from the east coast”

• Got rid of “secure binders” during Sandy storm

• White House / CIA / USAF

• Overall security

• Supreme court of Australia

• Security ended up speeding trial time by 10%

And now…

• Which use case around secure messaging have you heard about ?

• What security problem should we try to solve ?