2017-07-28#

There appears to be increased interest in two divergent ideas regarding privacy.

The Five Eyes governments are exploring back doors into encryption, while at the same time interest in privacy itself appears to be growing.

Ran Across Today#

  • LIGHTest
  • STORK - a platform which allows people to use their national electronic ID to establish new e-relations with foreign electronic services

STORK #

The STORK project's aim is to establish a European Union eID Interoperability Platform that will allow citizens to establish new e-relations across borders just by presenting their national identity card eID.

Cross-border user authentication for such e-relations will be applied and tested by the project by means of five pilot projects that will use existing government services in European Union Member States. In time however, additional service providers will also become connected to the platform thereby increasing the number of cross-border services available to European users.

Thus in the future, you should be able to start a company, get your tax refund, or obtain your university papers without physical presence; all you will need to access these services is to enter your personal data using your national eID, and the STORK platform will obtain the required guarantee (authentication) from your government.

User centric Approach = Privacy Guarantee

The role of the STORK platform is to identify a user who is in a session with a service provider, and to send his data to this service. Whilst the service provider may request various data items, the user always controls the data to be sent. The explicit consent of the owner of the data, the user, is always required before his data can be sent to the service provider.
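The consent rule above (the service provider asks, the user decides, the platform forwards only what was consented and vouches for it) is small enough to show end to end. The following is an added example and not STORK code: the eID record, the attribute names, the mandatory/optional flag on the provider's request and the HMAC standing in for a signed assertion are all assumptions made for the example.

```python
"""Consent-gated attribute release, modelled on the STORK description above.

Added example, not STORK code: the eID record, the attribute names, the
mandatory/optional flag on the service provider's request and the HMAC used
to stand in for a signed assertion are all assumptions made for the example.
"""
import hashlib
import hmac
import json

# Constructed record held by the citizen's national eID provider.
IDENTITY_STORE = {
    "ES/12345678A": {
        "eIdentifier": "ES/12345678A",
        "givenName": "Ana",
        "surname": "Garcia",
        "dateOfBirth": "1985-03-12",
        "fiscalNumber": "12345678A",
        "eMail": "ana@example.org",
    }
}

# Constructed key shared by the platform and the service provider. A real
# deployment signs assertions with a key pair; HMAC keeps the example short.
ASSERTION_KEY = b"demo-only-assertion-key"


def release_attributes(user_id, requested, consented):
    """Decide what the platform may forward to the service provider.

    requested: {attribute: mandatory?} as sent by the service provider.
    consented: attribute names the user explicitly agreed to release.
    Returns (ok, payload). ok is False when a mandatory attribute was
    withheld, in which case payload only carries the refusal reason.
    """
    record = IDENTITY_STORE[user_id]
    released = {}
    for attr, mandatory in requested.items():
        if attr not in consented:
            if mandatory:
                return False, {"error": "consent withheld for mandatory attribute " + attr}
            continue  # an optional attribute the user declined is simply omitted
        if attr in record:
            released[attr] = record[attr]
    # Attributes the provider never asked for are not sent even if consented.
    return True, released


def sign_assertion(payload):
    """Wrap the released data so the service provider can check it came
    from the platform unchanged (the "guarantee" in the text above)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_assertion(assertion):
    """Return the released data, or None if the assertion was tampered with."""
    expected = hmac.new(ASSERTION_KEY, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return None
    return json.loads(assertion["body"])


if __name__ == "__main__":
    ok, data = release_attributes(
        "ES/12345678A",
        {"eIdentifier": True, "givenName": True, "eMail": False},
        {"eIdentifier", "givenName", "surname"},
    )
    print(ok, data)
    print(verify_assertion(sign_assertion(data)))
```

Two behaviours are worth noting: a declined optional attribute is dropped silently and the service provider has to cope without it, whereas a declined mandatory attribute ends the exchange, because the platform never substitutes data the user did not agree to send.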

The website states "STORK project has been completed!" and refers to a STORK 2, but the STORK 2 website could not be found.

Zero Trust#

Zero Trust is a data-centric network design that puts micro-perimeters around specific data or resources so that more-granular rules can be enforced and implemented.

BeyondCorp is an implementation by Google for a Zero Trust Model.

The Zero Trust Model is simple: cybersecurity professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted.

Forrester’s Zero Trust Model has three key concepts:#

  • Ensure all resources are accessed securely regardless of location. Assume that all traffic is threat traffic until your team verifies that the traffic is authorized, inspected, and secured. In real-world situations, this will often necessitate using encrypted tunnels for accessing data on both internal and external networks. Cybercriminals can easily read unencrypted data; thus, Zero Trust demands that security professionals protect internal data from insider abuse in the same manner as they protect external data on the public Internet.
  • Adopt a Principle of least privilege strategy and strictly enforce Access Control. Properly implemented and enforced Access Control removes the temptation for people to access Protected Resources they have no need for. Today, Role Based Access Control (RBAC) is a standard technology supported by network Access Control and infrastructure software, Identity and Access Management systems, and many applications. Zero Trust does not define RBAC as the preferred access control methodology; other technologies and methodologies will evolve over time. What matters is the Principle of least privilege and strict Access Control.
  • Inspect and log all traffic. In Zero Trust, someone will assert their identity and then we will allow them access to a particular resource based upon that assertion. We will restrict users only to the resources they need to perform their job, and instead of trusting users to do the right thing, we verify that they are doing the right thing.

In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust." Zero Trust advocates two methods of gaining network traffic visibility: monitoring and logging. Many security professionals do log internal network traffic, but that approach is passive and does not provide the real-time protection capabilities necessary in this new threat environment.

Zero Trust promotes the idea that you must inspect traffic as well as log it. In order to do so, network analysis and visibility (NAV) tools are required to provide scalable and non-disruptive situational awareness. NAV is not a single tool, but a collection of tools that have similar functionality. These NAV tools include network discovery tools for finding and tracking assets, flow data analysis tools to analyze traffic patterns and user behavior, packet capture and analysis tools that function like a network DVR, network metadata analysis tools to provide streamlined packet analysis, and network forensics tools to assist with incident response and criminal investigations.
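The three concepts above (secure access regardless of location, least privilege with strict access control, and logging of every decision) come together in a per-request policy enforcement point. The following is an added example, not BeyondCorp or any vendor's code; the resource names, roles, device-posture fields and audit record layout are assumptions made for the example.

```python
"""Per-request policy enforcement for a Zero Trust micro-perimeter.

Added example illustrating the three Forrester concepts above; it is not
BeyondCorp or any vendor's code. The resource names, roles, device-posture
fields and audit record layout are assumptions made for the example.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed micro-perimeter policy: each protected resource lists exactly
# which roles may reach it and what posture is required. A resource with no
# entry is unreachable (default deny).
POLICY = {
    "payroll-db": {"roles": {"payroll-admin"}, "managed_device": True, "mfa": True},
    "wiki": {"roles": {"employee", "contractor"}, "managed_device": False, "mfa": False},
}

AUDIT_LOG = []  # one JSON line per decision, allow or deny


@dataclass
class Request:
    user: Optional[str]  # authenticated identity; None if the session is anonymous
    roles: set
    resource: str
    src_ip: str          # recorded for the log, never consulted by the policy
    tls: bool            # is the transport encrypted end to end?
    managed_device: bool
    mfa: bool


def decide(req):
    """Evaluate one request against the micro-perimeter and log the outcome.

    Returns (allowed, reasons). Every check is applied to every request:
    there is no shortcut for traffic that happens to come from an internal
    address, which is the point of "never trust".
    """
    reasons = []
    rule = POLICY.get(req.resource)
    if rule is None:
        reasons.append("no policy for resource")
    else:
        if req.user is None:
            reasons.append("unauthenticated")
        if not req.tls:
            reasons.append("unencrypted transport")
        if not (req.roles & rule["roles"]):
            reasons.append("role not permitted")
        if rule["managed_device"] and not req.managed_device:
            reasons.append("unmanaged device")
        if rule["mfa"] and not req.mfa:
            reasons.append("mfa required")
    allowed = not reasons
    AUDIT_LOG.append(json.dumps({
        "user": req.user,
        "resource": req.resource,
        "src_ip": req.src_ip,
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    }, sort_keys=True))
    return allowed, reasons


def demo():
    """Constructed requests: an insider on the LAN is judged the same way as
    a remote user; only identity, role, transport and posture count."""
    insider = Request("bob", {"employee"}, "payroll-db", "10.0.0.5", True, True, False)
    remote_admin = Request("alice", {"payroll-admin"}, "payroll-db", "203.0.113.7", True, True, True)
    cleartext = Request("alice", {"payroll-admin"}, "payroll-db", "10.0.0.9", False, True, True)
    unknown = Request("alice", {"payroll-admin"}, "hr-share", "10.0.0.9", True, True, True)
    return [decide(r)[0] for r in (insider, remote_admin, cleartext, unknown)]


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

Note that `src_ip` appears in the audit record but nowhere in the decision: the internal employee is refused the payroll database on role and MFA grounds, while the administrator on an external address is admitted once identity, transport and device posture check out. Denials are logged with the same detail as allows, which is what makes the log usable for the inspection step rather than only for after-the-fact forensics.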

There are only two Data Classifications that exist in your organization:

  • Data that Someone Wants to Steal
  • Everything Else

The first type is sensitive or toxic data, which can be identified with the equation 3P + IP = TD.

The three P's stand for Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry (PCI) data; IP is intellectual property; and TD is toxic data.

Forrester breaks the problem of securing and controlling data down into three areas:

  • Defining the data. This involves data discovery and data classification. Security and risk professionals, together with their counterparts in legal and privacy, should define data classification levels based on toxicity. This allows security to properly protect data based on its classification once it knows where that data is located in the enterprise.
  • Dissecting and analyzing the data. This involves data intelligence (extracting information about the data from the data, and using that information to protect the data) and data analytics (analyzing data in near real time to proactively protect toxic data). Look for security information management (SIM) and network analysis and visibility (NAV) solutions to intersect with big data to enhance security decision-making.
  • Defending and protecting the data. Data defense is the fundamental purpose of cybersecurity, and is the area where organizations focus most today. To defend your data, there are only four levers you can pull — controlling access, inspecting data usage patterns for abuse, disposing of data when the organization no longer needs it, or “killing” data via encryption to devalue it in the event that it is stolen.
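The 3P + IP = TD rule and the "defining the data" step above both come down to discovery followed by a toxicity label. The following is an added example of that step, not Forrester's method or any product's detector: the patterns, keyword lists and sample records are constructed for the example, and a production scanner would need far more signals and validation.

```python
"""Toxic-data discovery and classification using 3P + IP = TD.

Added example, not Forrester's method or any product's detector. The
patterns, keyword lists and sample records below are constructed for the
example; production discovery needs many more signals and validation.
"""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PHI_RE = re.compile(r"\b(diagnosis|prescription|patient)\b", re.IGNORECASE)
IP_MARKERS = ("TRADE SECRET", "PROPRIETARY", "PATENT PENDING")  # assumed labels


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from random digits."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d *= 2
            if d > 9:
                d -= 9
        total += d
        double = not double
    return total % 10 == 0


def find_pans(text):
    """Card-number candidates that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text):
    """Return the toxic categories present: any of PII, PHI, PCI, IP.

    An empty set means "everything else" in the two-class scheme above.
    """
    cats = set()
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        cats.add("PII")
    if PHI_RE.search(text):
        cats.add("PHI")
    if find_pans(text):
        cats.add("PCI")
    if any(marker in text.upper() for marker in IP_MARKERS):
        cats.add("IP")
    return cats


def scan(records):
    """Discover toxic data across a set of records: {record_id: categories}."""
    return {rid: classify(text) for rid, text in records.items()}


# Constructed sample records standing in for a file share or database dump.
SAMPLE_RECORDS = {
    "ticket-101": "Refund to card 4111 1111 1111 1111, contact ana@example.org",
    "chart-202": "Patient 5521: diagnosis E11.9, prescription renewed",
    "deck-303": "Q3 roadmap - PROPRIETARY - new cell chemistry, do not forward",
    "memo-404": "Lunch on Tuesday, reference number 1234 5678 9012 3456",
    "hr-505": "New hire SSN 123-45-6789 for payroll setup",
}


def toxic_records(records=SAMPLE_RECORDS):
    """The subset that needs the four levers (access control, usage
    inspection, disposal, encryption); the rest is 'everything else'."""
    return {rid for rid, cats in scan(records).items() if cats}


if __name__ == "__main__":
    for rid, cats in scan(SAMPLE_RECORDS).items():
        print(rid, sorted(cats) or "everything else")
```

The Luhn check is what keeps "memo-404" out of the toxic set: its sixteen-digit reference number looks like a card number to the pattern but fails the checksum, while the test card number in "ticket-101" passes. Classifying by toxicity rather than by source system is the point of the "defining the data" step: once a record is labelled, the four levers in the last bullet can be applied to it wherever it lives.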

Zero Trust is:

  • applicable across all industries and organizations – it is a way to improve security that any organization can implement.
  • not dependent on a specific technology or vendor – Zero Trust is a vendor-neutral design philosophy that allows maximum flexibility to create architectures that meet specific demands.
  • scalable – vital information is protected while public-facing data travels freely.
  • focused on keeping internal data safe – it would not result in any foreseeable encroachment on Civil Liberties.

In short, Zero Trust puts a micro-perimeter around each resource rather than a single perimeter around the network.


« This page (revision-14) was last changed on 28-Jul-2017 20:20 by jim