Two weeks ago was held in Marseille the first edition of the Secutic Day PACA, a conference dediacted to IT managers focusing on protection of digital economy. A first post reported the legal aspects behind the risk of having weak security in IT systems, together with means for IT managers to understand and implement the primary security measures. This new post is detailing the views of the different invited experts on the recent threats that IT managers should face. Warning, this post includes all attractive buzz words, such as BYOD, cloud and social media …
Which environment are we trying to control ?
Thanks to the diversity of the speakers, different IT framework have been discussed, relying on different population and services :
- Employees : big companies offering IT services to several hundreds of employees, a.k.a. corporate;
- Citizen : government environment, where services are offered to citizen to pay tax or declare revenues, a.k.a e-government;
- Machines : distributed industrial environment, where cars or vending machines are accessing central services, a.k.a M2M;
- Mixing human : partnering environment, meaning environment such as Marseille Innovation , a place where start up are sharing a same physical space and IT systems, where new business models are designed, in a collaborative but protected environment. People are ready to share crazy ideas in front of the coffee machine, but do not want to disclose their business cases and make sure their innovations stay theirs.
Whatever was the human or machine to connect, the key point for getting access to the system was the access control. While a large number of technology could support access control (smart card, one time password, token, identity card…) it was reminded that access control only works if it is used, and this makes the elected solutions required to be simple, cost effective and user friendly. It was mentioned that human science could be of great help for technologist to find suitable solutions matching those criteria. The possible innovations for designing new access control could also rely on structure such as the worlwide center “Solutions Communicantes Sécurisées” (Communicating and Secured Solutions) , an industrial collaborative structure In Provence. This structure gathering 280 companies among them 70% of SMB – which are well known to feed the big players with interesting use cases.
Is Bring Your Own Device a good thing ?
An interesting approach was made by Nicolas Grégoire @Agarri_FR, CEO of a security company . He simply compared the well defined ‘on site and local’ security with BYOD situation. In on site and local situation, users are known and tagged (they are employees, or visitors), the material is known (all computers are registered), rights are managed (thanks to a system like Active Directory). Data produced may be duplicated to be protected, to get a reference, a back up, in controlled manner.
Now imagine the situation where a person is accessing IT system with an unknown device. In addition to have a big question mark about the type of material accessing the system, it is not even proven that an identified and trustable person is behind the device. In that case reaching a good level of security is just close to magic. Identity and material are not any more reliable assets in the system. From this description of the situation, Nicolas gave two recommendations : (1) avoid the BYOD – and if happening, control it carefully, (2) always think as if the data would be lost – meaning always use encrypted set of data and stored in protected location. To the traditional question if rooted BYO devices were more dangerous then other devices, the answer was that in case of android based device, the rooted devices would not be more compromised then others, while in the case of iPhone, the jailbreak would challenge the basic of the iPhone system, and thus expose increased risks.
Is cloud evil ?
While we were reviewing the main disruptive IT usage, the cloud obviously came into the discussion. What do security experts think about cloud ? First a basic reminder was made by Luc d’Urso from Wooxo on the fact that signing a contract for consuming cloud services was signing a delegation of operations. Meaning that it was necessary to analyse the contract and its security aspects carefully to identify where the liability would be in case of problem. As such the first conditions to look at in the Terms and Condition were :
- availability of service (SLA),
- jurisdiction mismatch (same as the consumer or under different laws),
- confidentiality insurance (as per privacy aspects, customers data should laways be protected),
- data exploitation (in case the cloud service is free, it may happen that the data have a value and are exploited, and this requires some authorization from customers, employees…),
- interoperability and churn conditions (how to bring back the data pushed to the cloud in case a new service is more attractive on another cloud platform)
- exact forecast of the cost for consuming this service (and thus an exact ROI calculation)
Philippe Conchonnet @PConchonnet from Orange Business Services made some advertising about cloud Orange offer. He reminded that OBS provides security by design, leveraging on telecom experiences such as complex system and disaster management, together with transparency for the lawmakers that telecommunication business imposes. On this last point Nicolas Grégoire @Agarri_FR highlighted that one of the brainteaser for security experts in the usage of cloud was the security audit. How to make intrusion test on a system that do not belong to you ? To his knowledge, only two companies were providing this audit capability for cloud services : Amazon and Orange.
Finally what about data destruction ?
It was repeated during the day that there was a need to control data. But what about destruction of data ? Several voices were made about the fact that in case of BYOD, the destruction of data would not be not possible either due to technical aspects (no external slot is available on tablets to trigger the wiping of data) or due to social aspects (killing an iPhone may not be acceptable with respect to its value). Nevertheless, BYOD apart, it was reminded by Gilbert Derderian, owner of Beaver company, that the destruction of digital content was now a possible, specially with hard disk or any device allowing data storage – provided that the owner agrees with it.
Is Social Media a real risk ?
The Social Media buzz was also discussed, but it was associated with the risk of branding reputation. Nicolas Chabert @nicolas_chabert , founder of Perfeo, a web agency, mentionned that yes social media could be a mean to have leak of data, but just like any other application allowing interface with external world. The major risk to highlight with Social Media was the e-reputation one. The case were a company would not control anymore its image and thus would suffer uncontrolled marketing message. After having a look at the cloud and the BYOD, social media were considered as a low risk technology.
This Secutic Day Paca was particularly interesting and it gave me a chance to approach the event organizers, Philippe Biton @proxia (working for gemalto like me), Ely de Travieso @ElydeTravieso and Cédric Messeguie . An interview of those guys might land soon around. Visit this blog in 2013 !