Abstract
In today's business environment, disruptive technologies such as cloud computing, social computing, and next-generation mobile computing are fundamentally changing how organizations use information technology to share information and conduct commerce online. This wave of technology innovation, often driven by consumer trends that are being rapidly adopted across the enterprise, has created unparalleled levels of access and connectivity across people, information, systems and assets worldwide, and has transformed today's network-delivered society. In the CyberSecurity arena, the increasing sophistication, frequency and scale of cyber-crime, a direct result of this open and network-oriented society, coupled with the recent explosion in the use of edge devices and cloud-based applications and with growing regulatory and compliance requirements, has created an urgent need for organizations to rapidly advance their security counter-measures and re-think traditional approaches. On a more global level, given the compelling and pressing nature of the issues involved, many countries have elevated CyberSecurity to a top-tier priority within their national security strategies.
For businesses and governments alike, getting the CyberSecurity posture right across all its elements will be vital for future growth, innovation and competitive advantage, in order to truly exploit the business and economic opportunities provided by technologies such as cloud, mobile and social computing as well as smart computing and IT appliances. A CyberSecurity-related mis-step in any of these rapidly emerging areas can lead to lost productivity and potentially serious damage to brand reputation. There is no single answer for success, but by working across public and private sector partnerships, and by advancing security measures particularly for mission-critical systems, processes and applications that are connected into cyberspace, businesses will be able to work towards a future environment that is open, secure and prosperous.
One of the key implications of this definition of CyberSecurity is that we now have a society dependent on network-delivered services. Protecting this new dependency is what we call CyberSecurity. It spans both the logical world of IT (bits, bytes and computers) and the real world of going about our business as usual in CyberSpace. Everything we do is network-delivered, even crime. One of the imperatives for any CyberSecurity strategy is therefore to take a more holistic approach to how we defend and protect our organizations, and even our society, and to help recover when things go wrong.
Cloud Computing
As organizations move towards cloud computing for the agility and economic benefits this IT delivery model entails, they are increasingly moving towards hybrid enterprise environments that consist of a mix of cloud, non-cloud, internal and external IT service delivery models. This is because not all application workloads, whether they are business-as-usual, mission-critical or highly innovative, are suited to cloud deployment; some may need to remain within a more traditional footprint for reasons as varied as architecture, regulatory compliance, and the location where data is stored. This hybrid enterprise environment is more than a hybrid cloud model consisting of two or more cloud-based entities: it is a composition of cloud, non-cloud, internal and external IT service delivery models that remain unique entities but are bound together by an integrated management environment and common technology, processes and policies. The CyberSecurity challenge for cloud computing is therefore not only to protect data within public clouds and hosted private clouds, but to ensure that governance, risk and compliance are addressed across this full, integrated environment, where applications and data may be highly virtualized across the end-to-end infrastructure.
[Figure 2 (after ISO/IEC 27037 (Cybersecurity), Section 5.3, Figure 1, UK contribution): relationship between Cybersecurity and other security domains. Labels shown: Information Governance; Information Assurance; IA Risk Management; Business Continuity Management; Resilience, Diversity, Redundancy; Adequacy of Controls; Information Recovery; Investigations, incl. Forensics; Document Security; INFOSEC; RADSEC (TEMPEST + EMI, ELSEC, RFSEC); COMPUSEC; Secure Development; Certification & Accreditation; Security; COMSEC and TRANSEC; EMIP (EM Interference Protection: EMC, HEMP/HERF); Computer Network Attack; Computer Network Defense; Analysis; Network Monitoring & Protection; Physical Security; CND Risk Management; Personnel Security; Systems Recovery; Computer Network Operations; Computer Network Exploitation; eCNI Protection; Cyber-Security.]
Figure 2 - UK contribution for the relationship between CyberSecurity and other security domains.
[Figure (caption not preserved): cyber security domain model. Labels shown: Data; Identity & Access Management; Applications; Sensitive Data Protection; Application Security Modernization; Infrastructure; Secure Infrastructure Engineering; Assets; Cyber Supply Chain.]
Identity Assurance
Given the almost universal access to enterprise systems and data through mobile devices, it is more important than ever to manage user identities and entitlements in a comprehensive, integrated approach that reflects the unique cyber security challenges.
Centralized Identity and Access Management applications that integrate user system access with user device management are the key to protecting cyber assets in a mobile environment. For example, when an employee leaves the organization, the access de-provisioning process should include the purging of organizational data from the mobile devices.
This assumes that all mobile devices, whether organization- or employee-owned, and the associated organizational applications are part of an overall managed process that links devices to an individual user identity which can be verified through multi-factor authentication techniques. The authentication techniques may include biometrics and PKI. The same multi-factor authentication techniques can be leveraged in case a mobile device is lost or stolen, to prevent opportunistic cyber access to organizational data whether stored on the device or in the cloud.
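As an added example, not code from the paper: a small Go model of the integrated identity-and-device de-provisioning the section describes. The type and function names (User, Device, Offboard, OrphanedDevices) and the sample identity are constructed for illustration, and the wipe-scope rule (full wipe for an organization-owned device, selective wipe of organizational data for an employee-owned one) is an assumption about how such a policy would be configured.

```go
package main

import (
	"errors"
	"fmt"
)

// Device is one entry in the device-management inventory, linked to a user.
// Corporate decides the wipe scope (assumed policy): a corporate device is
// wiped in full, an employee-owned (BYOD) device only loses organizational data.
type Device struct {
	ID        string
	Corporate bool
	HoldsData bool // organizational data or apps still present on the device
}

// User is the identity record; Devices is the link between identity
// management and device management that the text calls for.
type User struct {
	ID           string
	Active       bool
	Entitlements map[string]bool // system and application access grants
	MFAFactors   []string        // registered factors, e.g. PKI certificate, biometric
	Sessions     []string        // live session or token identifiers
	Devices      []*Device
}

// WipeOrder is the command handed to device management.
type WipeOrder struct {
	DeviceID string
	Full     bool // true: factory wipe; false: selective wipe of org data only
}

// Offboard de-provisions an identity: entitlements, sessions and MFA factors
// are revoked first so the account cannot reach cloud-held data, then a wipe
// order is issued for every linked device that still holds organizational
// data. A device is not marked clean until it acknowledges (ConfirmWipe).
func Offboard(u *User) ([]WipeOrder, error) {
	if !u.Active {
		return nil, errors.New("user already de-provisioned")
	}
	u.Active = false
	u.Entitlements = map[string]bool{}
	u.Sessions = nil
	u.MFAFactors = nil
	var orders []WipeOrder
	for _, d := range u.Devices {
		if d.HoldsData {
			orders = append(orders, WipeOrder{DeviceID: d.ID, Full: d.Corporate})
		}
	}
	return orders, nil
}

// ConfirmWipe records the device's acknowledgement that the wipe completed.
func ConfirmWipe(d *Device) { d.HoldsData = false }

// OrphanedDevices is the reconciliation check: devices that still hold
// organizational data although their linked identity is inactive. A non-empty
// result means identity de-provisioning and device management have drifted.
func OrphanedDevices(users []*User) []string {
	var out []string
	for _, u := range users {
		if u.Active {
			continue
		}
		for _, d := range u.Devices {
			if d.HoldsData {
				out = append(out, d.ID)
			}
		}
	}
	return out
}

// SampleUser builds a constructed identity with two linked devices.
func SampleUser() *User {
	return &User{
		ID:           "jdoe",
		Active:       true,
		Entitlements: map[string]bool{"crm": true, "mail": true, "vpn": true},
		MFAFactors:   []string{"pki-cert", "fingerprint"},
		Sessions:     []string{"sess-1", "sess-2"},
		Devices: []*Device{
			{ID: "corp-laptop-7", Corporate: true, HoldsData: true},
			{ID: "byod-phone-42", Corporate: false, HoldsData: true},
		},
	}
}

func main() {
	u := SampleUser()
	orders, err := Offboard(u)
	if err != nil {
		panic(err)
	}
	fmt.Println("wipe orders:", orders)
	fmt.Println("orphaned before acknowledgement:", OrphanedDevices([]*User{u}))
	ConfirmWipe(u.Devices[0]) // the laptop reports back, the phone does not
	fmt.Println("orphaned after laptop wipe:", OrphanedDevices([]*User{u}))
}
```

OrphanedDevices is the control that makes the identity-to-device linkage auditable: after an offboarding run it should be empty once every device has acknowledged its wipe, and anything it still lists is a device holding organizational data whose owner no longer has a valid identity.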
routers. Just as supply chains such as those in the pharmaceutical industry need to protect against counterfeits and ensure the integrity of their operations, the same is true of the cyber supply chain. This is a particularly important issue for government and the financial services industry, where any compromise of software or hardware within their IT supply chains can potentially lead to theft of confidential information, financial crimes, or even cyber-terrorism. Recent real-world incidents have included counterfeit hardware such as routers with malware built in, and brand-name manufacturers who have inadvertently shipped pre-owned laptops, hard drives and other devices with viruses, worms and Trojans on them [9]. The problem can also occur at the chip level, where it is very difficult to tell the difference between a compromised chip and a genuine one. To address this issue, enterprises need to build a trusted relationship with their suppliers at all levels of the supply chain and additionally adopt best practices across their systems and processes. Guidelines from the U.S. National Institute of Standards and Technology (NIST) state that this may include the use of trusted suppliers, service-level agreements covering quality and security during the manufacturing stage, vetting of software updates, use of secure distribution channels, and secure destruction of media after use.
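As an added example, not from the paper or from NIST: a Go implementation of the "vetting of software updates" practice listed above, in which an update artifact is accepted only after a vendor-signed release manifest has been verified against a pinned release key and the artifact's digest matches the manifest. The manifest layout, the Ed25519 release key and the firmware image are constructed assumptions for illustration, not any vendor's real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest lists the artifacts of one release with their SHA-256 digests; the
// vendor signs its canonical encoding with a release key. The layout is an
// assumption for this example, not a standard format.
type Manifest struct {
	Product string
	Version string
	Files   map[string]string // file name -> hex SHA-256
}

// NewManifest digests the given artifacts (vendor side).
func NewManifest(product, version string, files map[string][]byte) Manifest {
	m := Manifest{Product: product, Version: version, Files: map[string]string{}}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Canonical is a deterministic encoding, so signer and verifier sign/check
// exactly the same bytes regardless of map iteration order.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m.Files))
	for n := range m.Files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "product=%s\nversion=%s\n", m.Product, m.Version)
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, m.Files[n])
	}
	return []byte(b.String())
}

// Sign produces the vendor's detached signature over the manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

var (
	ErrUntrustedSigner = errors.New("manifest not signed by a pinned release key")
	ErrUnlistedFile    = errors.New("artifact not listed in manifest")
	ErrDigestMismatch  = errors.New("artifact digest does not match manifest")
)

// Verify is the receiving side: the signature is checked against the pinned
// keys before anything in the manifest is trusted; only then is the artifact's
// digest compared (constant-time) with the listed value.
func Verify(trusted []ed25519.PublicKey, m Manifest, sig []byte, name string, artifact []byte) error {
	msg := m.Canonical()
	signed := false
	for _, pk := range trusted {
		if ed25519.Verify(pk, msg, sig) {
			signed = true
			break
		}
	}
	if !signed {
		return ErrUntrustedSigner
	}
	want, listed := m.Files[name]
	if !listed {
		return ErrUnlistedFile
	}
	sum := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(want)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed scenario: a vendor release key and one firmware artifact.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image for an edge router, v2.1")
	m := NewManifest("edge-router", "2.1", map[string][]byte{"router.bin": image})
	sig := Sign(priv, m)
	trusted := []ed25519.PublicKey{pub}
	fmt.Println("genuine image:", Verify(trusted, m, sig, "router.bin", image))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // one flipped bit is enough to be rejected
	fmt.Println("tampered image:", Verify(trusted, m, sig, "router.bin", tampered))
}
```

The order of checks matters: a digest taken from an unsigned or re-signed manifest proves nothing, so the signature is verified first, and an artifact that the signed manifest does not list is rejected rather than silently skipped. Pinning the release keys on the receiving side is what turns the download channel from a trusted one into merely a transport.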
References
1. A Strong Britain in an Age of Uncertainty: The National Security Strategy, October 2010, http://www.cabinetoffice.gov.uk/sites/default/files/resources/national-security-strategy.pdf
2. Ditto
3. Ditto
05/11
11-0116