SlideShare a Scribd company logo

Security best practices.

Cotap Engineering, profile picture
Cotap Engineering

The document outlines high security requirements in the security market, targeting key customers such as intelligence agencies, banks, and government systems. It discusses features like end-to-end encryption, secure channels, and customizable security policies that empower customers to enforce their own rules. Real use cases from various organizations demonstrate the effectiveness of these security solutions in protecting sensitive data and maintaining operational integrity.

Engineering
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
High Security Requirements Working in the security market
High Security market • Customers: • Intelligence agencies (NSA, CIA, USAF, WH) • Finances (Banks) • Governments (Justice system, education system) • Chief Security Officer / CIO has power to decide • Product features come after security features
ionGrid • Solve BYOD for file access • Secure container • Integrates with current infrastructure
Data in movement
Data in movement (cont) • Provisioning • Enables end-to-end encryption • Improves security against “man in the middle attack” • Secure channel in AMQP protocol • Pro : AMQP instead of HTTPS gives stronger encryption • Cons : very hard to work with… • Real use case • Pretty much everything…
Data at rest (cont) Data Key Password
Data at rest • Encrypt data • Much harder to access the data against a dumping attack • Server gives the key every time authentication is correct • Multiple factor authentication (password, RSA SecureID, etc…) • Offline authentication • Encrypt master key using password • User can retrieve its key with password
Security policies • Classic RWX (Read, Write, Execute) • Pros: Access data, modify them, etc… • Cons: Very hard to express the business needs • “Can I … ?” policies (ie: can login) • Pros: Much better for business needs • Cons: Requires a lot of maintenance • How can I handle a lot of business rules ? • Access data only during the day / at a location • Specify policies per file / folder / user
Security policies (cont) • Empower your customer with its own security policies! • Define “Can I … ?” policies in client • Policy engine is defined in JavaScript • Let the company code and define its own rules or use simple true/false checkboxes • Code snippet can be defined per file / user • Code is shipped to the device • Works offline • Works in the future
Device compromised • Simple cases: • Device stolen or lost • Employee quits or is fired • Device exits location • Active attacks • Faraday bag • Forensic attack TIME-BOMB EVERYTHING!
Real use cases • JP Morgan • Encryption and secure channel • Coke • Executive board members would loose their iPads… • NBC universal • TV Shows scripts should only be accessed with a specific set of rules • Schweppes • Secure video streaming
Real use cases (cont) • New York City Transit • Offline use • Application secure sandbox in HTML5 • “pg&e from the east coast” • Got rid of “secure binders” during Sandy storm • White House / CIA / USAF • Overall security • Supreme court of Australia • Security ended up speeding trial time by 10%
And now… • Which use case around secure messaging have you heard about ? • What security problem should we try to solve ?

More Related Content

PPTX
Building a Hacker Resistant Network
Sentry Global Technologies, LLC
 
PDF
Efficient data transfer in Android
Cotap Engineering
 
PDF
Startup survival lessons
Cotap Engineering
 
PDF
MQTT
Cotap Engineering
 
PDF
Model S Cover - LCT Oct 2013
Robert Aguirre
 
PDF
How to video.
Cotap Engineering
 
PDF
Proterra TearSheet
Robert Aguirre
 
PDF
Architecting for the Cloud: Hoping for the best, prepared for the worst
Cotap Engineering
 
Building a Hacker Resistant Network
Sentry Global Technologies, LLC
 
Efficient data transfer in Android
Cotap Engineering
 
Startup survival lessons
Cotap Engineering
 
MQTT
Cotap Engineering
 
Model S Cover - LCT Oct 2013
Robert Aguirre
 
How to video.
Cotap Engineering
 
Proterra TearSheet
Robert Aguirre
 
Architecting for the Cloud: Hoping for the best, prepared for the worst
Cotap Engineering
 

Viewers also liked (10)

PPTX
Laporan hasil pratikum indikator asam basa alami
Nita Kurniasih
 
PPT
Rennes
leireagirregabiria
 
PDF
Natural language processing in iOS / OSX
Cotap Engineering
 
PPTX
Indeks harga dan inflasi, permintaan dan penawaran uang
Nita Kurniasih
 
PPTX
Agama qada dan qadar
Nita Kurniasih
 
PPTX
Sejarah peradaban Yunani Kuno
Nita Kurniasih
 
PPTX
Notes on Debugging
Cotap Engineering
 
PPTX
Sejarah Perang Aceh
Nita Kurniasih
 
PPTX
Laporan Hasil Praktikum Koloid
Nita Kurniasih
 
PPTX
Pancasila sebagai ideologi
Nita Kurniasih
 
Laporan hasil pratikum indikator asam basa alami
Nita Kurniasih
 
Rennes
leireagirregabiria
 
Natural language processing in iOS / OSX
Cotap Engineering
 
Indeks harga dan inflasi, permintaan dan penawaran uang
Nita Kurniasih
 
Agama qada dan qadar
Nita Kurniasih
 
Sejarah peradaban Yunani Kuno
Nita Kurniasih
 
Notes on Debugging
Cotap Engineering
 
Sejarah Perang Aceh
Nita Kurniasih
 
Laporan Hasil Praktikum Koloid
Nita Kurniasih
 
Pancasila sebagai ideologi
Nita Kurniasih
 
Ad

Similar to Security best practices. (20)

PPTX
3433 IBM messaging security why securing your environment is important-feb2...
Robert Parker
 
PPTX
IBM Messaging Security - Why securing your environment is important : IBM Int...
Leif Davidsen
 
PDF
Making Security Approachable for Developers and Operators
ArmonDadgar
 
PPTX
ASDF WSS 2014 Paper 003
Association of Scientists, Developers and Faculties
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PPTX
How to write secure code
Flaskdata.io
 
PDF
Module 6.pdf
Sitamarhi Institute of Technology
 
PDF
Module 6.Security in Evolving Technology
Sitamarhi Institute of Technology
 
PPT
The bits bytes and business benefits of securing your mq environment and mess...
Leif Davidsen
 
PDF
Middleware Audits And Remediation For Pci Compliance
mjschreck
 
KEY
ONE Conference: Vulnerabilities in Web Applications
Netcetera
 
PDF
What I learned from RSAC 2019
Ulf Mattsson
 
PDF
Computer & Data Security
Frederik Questier
 
PDF
The Future of Software Security Assurance
Rafal Los
 
PPTX
02-overview.pptx
EmanAzam
 
DOCX
Wireless Information Security System via Role based Access Control Pattern Us...
ijcnes
 
PPT
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
PDF
Securing your mobile business with ibm worklight
bupbechanhgmail
 
3433 IBM messaging security why securing your environment is important-feb2...
Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
Leif Davidsen
 
Making Security Approachable for Developers and Operators
ArmonDadgar
 
ASDF WSS 2014 Paper 003
Association of Scientists, Developers and Faculties
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
How to write secure code
Flaskdata.io
 
Module 6.pdf
Sitamarhi Institute of Technology
 
Module 6.Security in Evolving Technology
Sitamarhi Institute of Technology
 
The bits bytes and business benefits of securing your mq environment and mess...
Leif Davidsen
 
Middleware Audits And Remediation For Pci Compliance
mjschreck
 
ONE Conference: Vulnerabilities in Web Applications
Netcetera
 
What I learned from RSAC 2019
Ulf Mattsson
 
Computer & Data Security
Frederik Questier
 
The Future of Software Security Assurance
Rafal Los
 
02-overview.pptx
EmanAzam
 
Wireless Information Security System via Role based Access Control Pattern Us...
ijcnes
 
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
Securing your mobile business with ibm worklight
bupbechanhgmail
 
Ad

Recently uploaded (20)

PDF
Exploratory_Data_Analysis_Fundamentals.pdf
Ashutosh Satapathy
 
PPTX
Artificial Intelligence
dikshendrasarpate2
 
PPT
INTRODUCTION -Data Warehousing and Mining-M.Tech- VTU.ppt
Subramanyam Natarajan
 
PDF
EXPLORING LEARNING ENGAGEMENT FACTORS INFLUENCING BEHAVIORAL, COGNITIVE, AND ...
johnmathew9417
 
PDF
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
PPTX
Sorting and Hashing in Data Structures with Algorithms, Techniques, Implement...
usham61
 
PDF
Design Guidelines and solutions for Plastics parts
ferdinand937933
 
PDF
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
PDF
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
PDF
Soil Improvement Techniques Note - Rabbi
rahmatideal000
 
PDF
COURSE DESCRIPTOR OF SURVEYING R24 SYLLABUS
MNANDITHACIVILSTAFF
 
PPTX
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
PPTX
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
PDF
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
Ramez Hosny
 
PDF
BIO-INSPIRED HORMONAL MODULATION AND ADAPTIVE ORCHESTRATION IN S-AI-GPT
ijaia
 
PDF
22EC502-MICROCONTROLLER AND INTERFACING-8051 MICROCONTROLLER.pdf
RajalakshmiSermadura
 
PDF
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
PDF
Abrasive, erosive and cavitation wear.pdf
nfandraden
 
PDF
Influence of Green Infrastructure on Residents’ Endorsement of the New Ecolog...
Journal of Contemporary Urban Affairs
 
PDF
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
Exploratory_Data_Analysis_Fundamentals.pdf
Ashutosh Satapathy
 
Artificial Intelligence
dikshendrasarpate2
 
INTRODUCTION -Data Warehousing and Mining-M.Tech- VTU.ppt
Subramanyam Natarajan
 
EXPLORING LEARNING ENGAGEMENT FACTORS INFLUENCING BEHAVIORAL, COGNITIVE, AND ...
johnmathew9417
 
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
Sorting and Hashing in Data Structures with Algorithms, Techniques, Implement...
usham61
 
Design Guidelines and solutions for Plastics parts
ferdinand937933
 
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
Soil Improvement Techniques Note - Rabbi
rahmatideal000
 
COURSE DESCRIPTOR OF SURVEYING R24 SYLLABUS
MNANDITHACIVILSTAFF
 
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
Ramez Hosny
 
BIO-INSPIRED HORMONAL MODULATION AND ADAPTIVE ORCHESTRATION IN S-AI-GPT
ijaia
 
22EC502-MICROCONTROLLER AND INTERFACING-8051 MICROCONTROLLER.pdf
RajalakshmiSermadura
 
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
Abrasive, erosive and cavitation wear.pdf
nfandraden
 
Influence of Green Infrastructure on Residents’ Endorsement of the New Ecolog...
Journal of Contemporary Urban Affairs
 
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 

Security best practices.

  • 2. High Security market • Customers: • Intelligence agencies (NSA, CIA, USAF, WH) • Finances (Banks) • Governments (Justice system, education system) • Chief Security Officer / CIO has power to decide • Product features come after security features
  • 3. ionGrid • Solve BYOD for file access • Secure container • Integrates with current infrastructure
  • 5. Data in movement (cont) • Provisioning • Enables end-to-end encryption • Improves security against “man in the middle attack” • Secure channel in AMQP protocol • Pro : AMQP instead of HTTPS gives stronger encryption • Cons : very hard to work with… • Real use case • Pretty much everything…
  • 6. Data at rest (cont) Data Key Password
  • 7. Data at rest • Encrypt data • Much harder to access the data against a dumping attack • Server gives the key every time authentication is correct • Multiple factor authentication (password, RSA SecureID, etc…) • Offline authentication • Encrypt master key using password • User can retrieve its key with password
  • 8. Security policies • Classic RWX (Read, Write, Execute) • Pros: Access data, modify them, etc… • Cons: Very hard to express the business needs • “Can I … ?” policies (ie: can login) • Pros: Much better for business needs • Cons: Requires a lot of maintenance • How can I handle a lot of business rules ? • Access data only during the day / at a location • Specify policies per file / folder / user
  • 9. Security policies (cont) • Empower your customer with its own security policies! • Define “Can I … ?” policies in client • Policy engine is defined in JavaScript • Let the company code and define its own rules or use simple true/false checkboxes • Code snippet can be defined per file / user • Code is shipped to the device • Works offline • Works in the future
  • 10. Device compromised • Simple cases: • Device stolen or lost • Employee quits or is fired • Device exits location • Active attacks • Faraday bag • Forensic attack TIME-BOMB EVERYTHING!
  • 11. Real use cases • JP Morgan • Encryption and secure channel • Coke • Executive board members would loose their iPads… • NBC universal • TV Shows scripts should only be accessed with a specific set of rules • Schweppes • Secure video streaming
  • 12. Real use cases (cont) • New York City Transit • Offline use • Application secure sandbox in HTML5 • “pg&e from the east coast” • Got rid of “secure binders” during Sandy storm • White House / CIA / USAF • Overall security • Supreme court of Australia • Security ended up speeding trial time by 10%
  • 13. And now… • Which use case around secure messaging have you heard about ? • What security problem should we try to solve ?