Continuous Multilayer Protection: Operationalizing a Security Framework
1. Straw Program
- Topics that highlight Ericsson’s IP expertise
- Leverage Ericsson’s strengths and apply them to new technology and issues to resolve (e.g., MBH)
- Focus on operator perspective and pain points
- Cover emerging tech and tech we have “on the truck”
- Include “friendly” partners to show we are not working in a vacuum
- Industry thought leaders for keynotes to highlight technical business drivers
- One track for non-technical, business-related content*
- Possible Friday customer meetings
• 2-3 distinct parallel tracks.
• Could have side room for “Meet the Engineer” private sessions.
Continuous Multilayer Protection: Operationalizing a Security Framework
Mats Nilsson
2. 2015-05-25 | Page 2
Connectivity more and more part of our life
[Chart: Connections (billion) over time, 1875 to 2020]
- 100 years: 1 billion connected places
- 25 years: 5 billion connected people
- 15 years: 50 billion connected devices
3. Connectivity integrated into our way of life
Everything PEOPLE do: collaboration, innovation, privacy, competence, trust, socializing, learning
In all parts of SOCIETY & BUSINESS: media, commerce, security, government, education, transport, healthcare, utilities
Will be done over a NETWORK
4. NEW OPPORTUNITIES – NEW CHALLENGES
- Increased network capacity
- More commerce & financial transactions
- More cloud storage & services
- Open and capable devices
- An IP based unified global network
- New things get connected
- More services get networked
- More decisions based on real-time data
5. Policy and regulation
› Status and drivers
– On top of political agendas
– The (global) economic and social impact of the ICT-enabled society
– How to ensure core values and security in cyberspace
› Activities and consequences
– Definition and scope of Critical Information Infrastructures (e.g. communications, healthcare, energy, transport)
– Operational security requirements and audits
› Voluntary but required to avoid liabilities – US
› Law – EU
– Mitigation through recommended standards, best practices, implementation incentives or law/liabilities
› Examples of policy measures
– US Executive Order 13636 and “Cyber security Framework”
– EU
› Cyber security strategy
› EU proposed NIS directive
› EU NIS platform
– India
› Security requirements and audits on operators
› Mandatory local testing of equipment (from 1 April 2015), however aligned with global standards
– Many others…
6. Our perspective on security in the networked society
• services should always be available
• security should require minimum effort from users
• communications should be protected
• all access to information and data should be authorized
• manipulation of data in the networks should be possible to detect
• the right to privacy should be protected
7. SECURITY IN THE NETWORKED SOCIETY
Layers and the standards that govern them:
- Laws & Regulation
- Operator Policies & Directives
- Secure Operations – standards: ISO 27001…
- Secure Network – standards: 3GPP, ITU-T, IETF…
- Secure Products – standards: 3GPP SECAM, ISO 15408…
8. System scale
- Enterprise: thousands of users – moderate scale
- Telecom Networks: millions of users – large scale
- Multiple Networks: billions of users – very large scale
Our Focus: Large scale security
13. Integrated process for product and service development
- PRODUCT SECURITY FUNCTIONS: developing the right security functions for a product or service
- PRODUCT SECURITY ASSURANCE: assuring that the security functionality works as expected
- PRODUCT SECURITY DOCUMENTATION: documenting security functionality to enable secure operations
- PRODUCT NEAR SECURITY SERVICES: providing services to ensure that security functionality is properly used
Security reliability model:
14. Re-Invention of Cloud Security: The Shift to Cloud Requires a New Focus
FROM: PROTECT ONLY (100% protection is possible)
- Hardened end points, users not devices
- Illusion of liability protection: third party audits, certifications
- Data is locked down
- Perimeter-centric: access control, encryption
TO:
- Authenticate end points: trusted identity of users AND devices
- Data is portable, in compliance with local regulations
- Data-centric: every data asset is tagged, tracked, located, verified
- Onus for proof: independently verifiable, mathematical forensics
15. Ericsson Wallet Platform overview of security controls
- Approval of sensitive operations
- Traceability & accountability
- Security configuration validation
- Eavesdropping and modification protection
- Two factor authentication
- Configurable access control
- System and API hardening
- Financial crime controls