
Information Security Challenges in the 21st Century

Dr Jamalul-lail Ab Manan
Information Security Cluster

Presentation at Universiti Sains Islam Malaysia (USIM)
on 3rd March 2010


www.mimos.my © 2010 MIMOS Berhad. All Rights Reserved. 1


Discussion Points

• Introduction – The Good and The Bad
  – Today’s Optimized Technology
  – Today’s Business Opportunities
  – Today’s Security & Privacy Issues
  – Tomorrow’s World will be…
• What is Security?
  – What is Information Security?
  – How does Information Security Affect You?
  – Fraud, Forgery, Secure Collaboration
• Defence in Depth
  – Traditional Defense In Depth
  – Trusted Computing
  – Holistic Approach
  – Tomorrow’s Defense In Depth
• 21st Century Security Challenges
• Building Trusted Infrastructure
• Conclusion



Allah SWT - Created a Balanced Earth

God created nature with different functions, carefully measured and meticulously balanced by God:
“Everything with Him is measured”
“And the firmament he has raised high, and he has set up the balance of everything in order that you (humanity) may not transgress due balance. So maintain the balance with equity and not fall short of it”

One of the functions of the natural environment is to serve humanity:
“He it is who hath made the earth subservient unto you, so walk in the paths thereof and eat of His providence”
“O people! Worship your lord. Who has created you and those before you, so that you may ward off evil. Who hath appointed the earth a resting place for you and the sky a canopy and causeth water to pour down from the sky, thereby producing fruits as food for you. And do not set up rivals to Allah when ye know better.”

Osman Bakar (2007) Environmental Wisdom for Planet Earth: The Islamic Heritage. Centre for Civilisational Dialogue, University Malaya
Introduction – Today’s Optimized Technology
Usage & Platform



Introduction – Today’s Business Opportunities
Mobile Commerce



Tomorrow’s World will be …..



What We Predict May be Inaccurate



What is Security?



What is Information Security?

Security From Users’ Perspective

Security From Designers’ Perspective


The Security Challenges in 21st Century
Example: Mobile Commerce Network

[Diagram: layers of the mobile commerce network – Client, Server, Application, Data]


Fraud



Forgery



Secure Collaboration Space

What it is NOT



Defense in Depth

“Defense in depth” is to design solutions that consist of several independent security layers, all of which have the purpose of protecting your assets.

In order for an attacker to gain access to the assets we are trying to protect, the attacker has to circumvent each of the defensive measures we have implemented at each layer, including the human layer.


Today’s Defense In Depth

[Diagram: Client and Server protection stacks across the Network, Application and Data layers]

Client stack:
– Passwords, anti virus & user authentication
– Operating System patches, configuration and policy control
– Hardware (unprotected)

Server stack:
– Multi factor user authentication
– Intrusion detection, firewalls, anti virus
– Network Segmentation, encrypted data, real time monitoring, audit & analysis
– Patch, configuration and policy control, configuration monitors
– Highly regulated HW & SW configuration, controlled physical access

Network stack:
– Encryption (IPSec, SSL) & Authentication
– VPN & Layered Firewalls
– Intrusion Detection & prevention & 24hrs monitoring
– Multi factor Authentication, Network Access Control, Network Segmentation, RADIUS & access control
– Domain Controllers, Configuration monitors, policy management

Issue: Weak Client Platforms cause issues in Security implementations


Traditional Defense In Depth : Multi-layer Security



Among the common Threats at each layer…

What is lacking is “Trust”…..


Trusted Computing Introduction
TPM As a Foundation For Enterprise Security

Architecture of A Trusted Client



Holistic Approach to Information Security

Our approach to countering these threats is to manage the risks at multiple layers of security protection and integrity.

[Diagram: Security Model, Trust Model, Architecture Design Consideration, Desired Platform]


Tomorrow’s Defense In-depth

[Diagram: Client and Server protection stacks across the Network, Application and Data layers, with TPM-based layers added]

Client stack:
– Passwords, anti virus & TPM-based user authentication
– Operating System patches, configuration and policy control
– Security Kernel – TPM based trusted software layer (storage, GUI, etc)
– Virtualization (Management of Resource, Memory, IO, etc)
– Hardware Independent

Server stack:
– Multi factor, Certificates & TPM-based Server authentication
– Intrusion detection, firewalls, anti virus
– Network Segmentation, encrypted data, real time monitoring, audit & analysis
– Security Kernel – TPM based trusted software layer (storage, GUI, etc)
– Virtualization (Management of VM Instances, Resource, Memory, IO, etc)
– Patch, configuration and policy control, configuration monitors
– Highly regulated HW & SW configuration, controlled physical access

Network stack:
– Encryption (IPSec, SSL, M’sian Crypto) & TPM-based Authentication
– TPM-based VPN & Layered Firewalls
– Intrusion Detection & prevention & 24hrs monitoring
– Multi factor Authentication, TPM-based Network Access Control, Network Segmentation, RADIUS & access control
– Domain Controllers, Configuration monitors, policy management

Strength: Strong Client Platforms help the Defense In-depth Security Strategy


Building Trust in Document Security

Existing Document Security
[Diagram: client sends a Request with Certificate to the Security Manager; the Domain CA issues the Certificate; Policy governs the request; the encrypted document is retrieved from the Archive]

Future Document Security
[Diagram: client TPM attests to and requests from the Trust Manager (TPM-equipped); the Domain CA attests and issues the Certificate; Policy governs the request; the trusted document is sealed to the TPM and retrieved from the Archive]


Building Trust in Banking Security

Existing Banking Security
[Diagram: client sends a Request with Certificate to the Security Manager; the Domain CA issues the Certificate; Policy governs the request; the Transaction is carried out with the Banks using the encrypted document]

Future Banking Security
[Diagram: client TPM attests to and requests from the Trust Manager (TPM-equipped); the Domain CA attests and issues the Certificate; Policy governs the request; the trusted document is sealed to the TPM and the Transaction is carried out with the Banks]


Building Trust in Mobile Security

Existing Mobile Security
[Diagram: client sends a Request with SIM to the Mobile Manager; Policy governs the request; Services are delivered by the Mobile Service Provider]

Future Mobile Security
[Diagram: client MTM attests to and requests from the Mobile Trust Manager (MTM-equipped); Policy governs the request; Services are encrypted and delivered by the Mobile Service Provider]
Building Trust In Cloud Computing Security

Existing Cloud Computing Security
[Diagram: Applications send a Request with Certificate to the Cloud Manager; Policy governs the request; the Services task runs in Cloud Computing]

Future Cloud Computing Security
[Diagram: Applications in a Trusted Compartment with a TPM attest to and request from the Cloud Trust Manager (TPM-equipped); Policy governs the request; the Services task is sealed and runs in Cloud Computing]
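The attest/seal exchange that the Future Document, Banking and Cloud Security diagrams sketch (the client TPM attests its platform state to a Trust Manager; the document key is sealed to the TPM and is only released on the measured platform state), written out as an added Python simulation. This is not code from the slides or from MIMOS: the TPM is simulated in software, PCR extend is modelled with SHA-256, sealing with an HMAC-derived wrapping key and a toy one-time pad, and the attestation quote with an HMAC in place of a real AIK signature (so the verifier holds the same key here, which a real deployment would not). The boot component names, `GOLDEN_BOOT`, `SimTPM`, `TrustManager` and the document key are constructed sample values and names.

```python
import hashlib
import hmac
import os

# Constructed sample measurements for a "golden" boot chain (not from the slides).
GOLDEN_BOOT = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = SHA-256(PCR || SHA-256(measurement)).
    The result depends on every earlier measurement and on their order."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components) -> bytes:
    """Start from the power-on value (all zeros) and extend once per boot component."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class SimTPM:
    """Software stand-in for a TPM; its two secrets never leave the object."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)  # assumed platform-bound storage root key
        self._aik = os.urandom(32)  # assumed attestation identity key

    def _wrap_key(self, pcr: bytes) -> bytes:
        # The wrapping key depends on the platform secret AND the PCR value.
        return hmac.new(self._srk, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> tuple:
        """Seal up to 32 bytes to the given PCR value (toy one-time pad + MAC)."""
        if len(secret) > 32:
            raise ValueError("toy seal handles secrets of at most 32 bytes")
        key = self._wrap_key(pcr)
        pad = hashlib.sha256(b"pad|" + key).digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, pad))
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        return ciphertext, tag

    def unseal(self, blob: tuple, current_pcr: bytes):
        """Unseal with the CURRENT PCR: a different boot state gives a different
        key, the MAC check fails and nothing is released (None)."""
        ciphertext, tag = blob
        key = self._wrap_key(current_pcr)
        expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        pad = hashlib.sha256(b"pad|" + key).digest()
        return bytes(a ^ b for a, b in zip(ciphertext, pad))

    def quote(self, nonce: bytes, pcr: bytes) -> bytes:
        """Attestation quote over the verifier's nonce and the PCR value
        (HMAC stands in for the AIK signature a real TPM would produce)."""
        return hmac.new(self._aik, nonce + pcr, hashlib.sha256).digest()

    def enrol(self) -> bytes:
        """Toy enrolment: hands the verifier the AIK itself; a real TPM exposes only the public half."""
        return self._aik


class TrustManager:
    """Verifier side: knows the enrolled AIK and the golden PCR value."""

    def __init__(self, enrolled_aik: bytes, golden_pcr: bytes) -> None:
        self._aik = enrolled_aik
        self._golden = golden_pcr

    def check_attestation(self, nonce: bytes, quote: bytes, reported_pcr: bytes) -> bool:
        """Accept only a fresh quote (our nonce) over a PCR equal to the golden value."""
        expected = hmac.new(self._aik, nonce + reported_pcr, hashlib.sha256).digest()
        if not hmac.compare_digest(quote, expected):
            return False  # forged, replayed, or the reported PCR is not what was quoted
        return hmac.compare_digest(reported_pcr, self._golden)


def run_scenarios() -> dict:
    """Run the flow on a golden boot and on a boot with a modified bootloader."""
    tpm = SimTPM()
    golden_pcr = measured_boot(GOLDEN_BOOT)
    tampered_pcr = measured_boot([b"firmware-v1", b"bootloader-modified", b"kernel-v1"])
    manager = TrustManager(tpm.enrol(), golden_pcr)
    doc_key = os.urandom(16)  # constructed document encryption key
    blob = tpm.seal(doc_key, golden_pcr)
    nonce = os.urandom(16)
    return {
        "unseal_golden": tpm.unseal(blob, golden_pcr) == doc_key,
        "unseal_tampered": tpm.unseal(blob, tampered_pcr),  # None: key not released
        "attest_golden": manager.check_attestation(nonce, tpm.quote(nonce, golden_pcr), golden_pcr),
        "attest_tampered": manager.check_attestation(nonce, tpm.quote(nonce, tampered_pcr), tampered_pcr),
        # Client claims the golden PCR, but its TPM quoted the real (tampered) one.
        "attest_lying_client": manager.check_attestation(nonce, tpm.quote(nonce, tampered_pcr), golden_pcr),
        # An old quote presented against a fresh nonce.
        "attest_replay": manager.check_attestation(os.urandom(16), tpm.quote(nonce, golden_pcr), golden_pcr),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The two checks correspond to the two arrows on the slides: `unseal` is the "Sealing/retrieve" step, where a changed boot chain silently yields no key rather than a wrong one, and `check_attestation` is the "Attest/request" step, where the Trust Manager's nonce defeats replay and the PCR comparison defeats a client that reports a state its TPM did not quote.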
21st Information Security - Introduction



21st Information Security - Challenges

[Diagram with three headings: Trust Models, Security Goals, Threats]


21st Information Security - Enforcement



Conclusions

• Our complex future environment is too important to be left to others to dictate for us.
• We need Sound Theoretical Foundations and Sound Research Methodologies
  – We should be able to predict our future
  – Security Research needs a paradigm shift
  – True Experimentation is needed
  – Shared Experimental Infrastructure, collaboration, implementation and deployment for the future
• We need to collaborate – RIs, Industry and Academia


THANK YOU



Biodata

• Education Background
– B Eng (Electrical Engineering) 1981
– M Sc (Microprocessor Engineering) 1987
– PhD (Electronics & Communications Engg) 1995
• Work Experience (29 years)
– Academic (17.5 years)
– Industry (11.5 years)
• Work in Information Security
– Network Security (8 years)
– Trusted Computing (3 years)
– Privacy Enhancing Technologies (6 months)



How do you Manage Security?
An ISMS Model

