IBM Secure Enterprise Desktop –
An enterprise application of the IBM ZTIC

Dr. Michael Baentsch, Dr. Paolo Scotton, IBM Research – Zurich




IBM Secure Enterprise Desktop                                    © 2012 IBM Corporation
Secure Enterprise Desktop: Core problem addressed


           All Internet connected devices are (and will remain) under attack …
                   – Attack vectors (selection)
                          •     Spam (mail): “Click-and-be-doomed”
                          •     Some “free helper tools”
                          •     “popular” websites (porn, warez, etc.): “Drive-by infection”
                          •     Google-found websites

                   – Sample attack method (beyond traditional vulnerability + standard API exploits)
                          • APEG (Automatic Patch-based exploit generation)

                   – Attack goals (selection)
                          • Get at company secrets (SpearPhishing, Advanced Persistent Threats and beyond)
                          • Log company communication in real-time
                          • Find out about customer’s customers

                   – Attack professionalism
                          • Very high and rising (task “outsourcing”, physical “enforcement” the norm)
                          • By some accounts, e-crime is already more profitable than drug trafficking




Authentication: Main Attack classes


    [Diagram: attack paths between client and server]
           – Spoofed email (phishing): link leads to a fake server that collects the login credentials
                  • Impersonation at any time
           – Man-in-the-middle (MITM): fake server and fake client sit between client and server
                  • Impersonation while genuine client connects
           – Trojan horse virus / malicious software (MSW): credentials taken on the client; Man-in-the-browser (MITB)
                  • Impersonation at any time / during genuine transaction



Secure Enterprise Desktop: So what?




    You cannot trust the PC (tablet, smart phone, etc.) display – nor any SW.


              You need separate protection – crypto & I/O HW outside the PC.


                           Based on some “trust anchor” – ideally a mobile one.




classicZTIC concept: How it works (high-level)



     1: User approaches any appliance with USB port and inserts ZTIC

     2: ZTIC initiates connection to server
        (automatically via auto-run or after user clicks on ZTIC icon)

     3: ZTIC establishes TLS connection to server
        (incl. automatic certificate check and possibly using client authentication)

     4: Server validates authenticity
        (using existing authentication protocols like EMV CAP or via PKI/SSL client authentication)

     [Diagram labels: TLS Proxy; TLS Server Connection]
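
Added example (not part of the original slides and not IBM's code): a simplified Python model of step 3, showing why ending the secure session on the device instead of on the PC stops the fake-server and man-in-the-browser attack classes from the earlier slide. The HMAC record layer stands in for TLS (integrity and ordering only, no encryption); the certificate bytes, the session key and every class and function name are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag

# Constructed sample values (assumptions, not real certificates or keys).
GENUINE_CERT = b"constructed-DER-bytes-of-genuine-server-cert"
FAKE_CERT = b"constructed-DER-bytes-of-fake-server-cert"
SESSION_KEY = bytes(range(32))  # stands in for a key agreed in the TLS handshake


class IntegrityError(Exception):
    """Raised when a relayed record fails authentication or ordering checks."""


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


class Session:
    """Authenticated record layer; a stand-in for an established TLS session."""

    def __init__(self, key: bytes):
        self.key = key
        self.tx_seq = 0
        self.rx_seq = 0

    def seal(self, payload: bytes) -> bytes:
        header = struct.pack(">Q", self.tx_seq)
        self.tx_seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def open(self, record: bytes) -> bytes:
        if len(record) < 8 + TAG_LEN:
            raise IntegrityError("record too short")
        header, payload, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
        good = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise IntegrityError("MAC mismatch")
        if struct.unpack(">Q", header)[0] != self.rx_seq:
            raise IntegrityError("unexpected sequence number")
        self.rx_seq += 1
        return payload


class Device:
    """Models the token: pinned server certificate, session keys, own display."""

    def __init__(self, pinned_fp: str):
        self.pinned_fp = pinned_fp
        self.session = None
        self.display = []  # what the user sees on the device, not on the PC

    def connect(self, presented_cert: bytes, session_key: bytes) -> bool:
        # Automatic certificate check: refuse any server but the pinned one.
        if not hmac.compare_digest(fingerprint(presented_cert), self.pinned_fp):
            return False
        self.session = Session(session_key)
        return True

    def receive(self, record: bytes) -> bool:
        try:
            text = self.session.open(record).decode()
        except IntegrityError as exc:
            self.display.append(f"REJECTED: {exc}")
            return False
        self.display.append(text)
        return True


def tampering_host(record: bytes) -> bytes:
    """Models malware on the PC rewriting the payload of a relayed record."""
    body = record[8:-TAG_LEN].replace(b"ACME", b"EVIL")
    return record[:8] + body + record[-TAG_LEN:]


def run_demo() -> dict:
    server = Session(SESSION_KEY)
    device = Device(fingerprint(GENUINE_CERT))
    results = {"fake_server": device.connect(FAKE_CERT, SESSION_KEY)}
    results["genuine_server"] = device.connect(GENUINE_CERT, SESSION_KEY)
    first = server.seal(b"Pay 100 EUR to ACME")
    results["honest_relay"] = device.receive(first)  # PC forwards bytes unchanged
    second = server.seal(b"Pay 250 EUR to ACME")
    results["tampered"] = device.receive(tampering_host(second))
    results["replayed"] = device.receive(first)  # PC resends an old record
    results["display"] = list(device.display)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The PC only ever handles sealed records, so anything it changes or resends is rejected on the device and the device display shows the rejection instead of altered data.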



Approaches to Desktop Security

    Corporate-issue PCs: Machines are custom-installed and centrally managed.

       Challenges: limited choice of machines; cost for dedicated hardware; zero-day exploits; mobility

    Trusted Platform Modules, Smart Cards, etc: Security hardware protecting system software

       Challenges: Without I/O, user cannot ascertain what’s happening; mobility

    Secure Execution Environments: Software controlling applications executing

       Challenges: Size & origin of software; can software be protected by software?

    Secure boot stick: user carries a secure OS to boot from on a USB stick

       Challenges: maintenance of OS; no central control; no user credential control

    Virtualization: adding an access & security control layer for all resources

       Challenges: host-OS security; installation; performance/scalability




IBM Secure Enterprise Desktop: Design Goals

               Protect against “State of the Art” Attacks (esp. Malware & Man-in-the-Middle)
                – Do not rely on PC or smart phone for input or output of critical data
               Do not require the installation of additional software
                – No device drivers (no new user/support center hassles)
                – Work on as many platforms as possible
               Do not interfere with existing protection technologies
                – VPNs, Firewalls, Virus scanners, etc.
               Be easy-to-use
                – Do not create performance penalties
                – Use “familiar” device/interaction pattern → mobility
               Be easy-to-administrate & integrate
                – Require minimal server changes
                    • Re-use existing authentication protocols, e.g., CAP, PKI/SSL client-authentication
                – Allow for “fool-proof” device maintenance




Secure Enterprise Desktop: Goal




Secure Enterprise Desktop: Basic Concept ‘Bring-Your-Own’




Secure Enterprise Desktop: Core technologies

    [Diagram: three technology areas combined in the Secure Enterprise Desktop]

    Image Management
           • Image backup
           • Image composition
           • Image maintenance

    ZTIC
           • Security
           • Authentication
           • Key storage

    Provisioning
           • Streaming technology
           • Significant OS experience



Secure Enterprise Desktop: Architecture




  Hypervisor allows SED…
           …to be hardware agnostic: hardware support delegated to the hypervisor
           …to implement specialized drivers without changing the user image
           …to run multiple images on the same client

Secure Enterprise Desktop: Usage view




Secure Enterprise Desktop: Key Differentiators


             VM + OS provisioning is server-controlled via trusted channel
                – ZTIC establishes basic trust level and pulls disk-keys & software via SSL
                – Future extension: Build VPN support into low-level drivers + ZTIC


             No need for or reliance on pre-installed software
                – ZTIC possession is sufficient to get started → boot off empty/’bare metal’ machines
                – All OS & user data is streamed as needed → fast start-up time on empty machines
                – Local machine used as ‘cache’ → scalability from overall system perspective


             Constant ‘backup’ when online
                – Offline operation also possible (e.g., when traveling)
                – All local data encrypted via ZTIC and mirrored back when online again


             User credentials handled outside of PC
                – Protection even against hacked BIOS’
                – Smart card support without need for drivers




Secure Enterprise Desktop: Next steps for 2012


             IBM internal pilot operation
             Introduction of standard/’out-of-the-box’ usage scenarios
             Pilot deployment at lead customers
             Integration with IBM standard offerings




Questions?


    http://www.zurich.ibm.com/secure-ed
    eztic@zurich.ibm.com
    YouTube: http://www.youtube.com/watch?v=mPZrkeHMDJ8


    Michael Baentsch (mib@zurich.ibm.com; +41 44 724 8620)
    Paolo Scotton (psc@zurich.ibm.com; +41 44 724 8948)




CeBIT 2012: IBM Secure Enterprise Desktop
