Client Security in a Deperimeterized World

1
Client Security in a Deperimeterized World

• September 21st, 2006
• Jericho Forum Open Meeting
• Seattle, Washington, USA

2
Agenda

• What is a client? Everything
• Requirements What we need to do
• Capabilities What we can do
• Gaps What we cant do (yet)
• Progress What were doing about it

3
What is a client?Everything

• Data leaks into every corner of every little
  place we keep electrons

• Personally-owned computers
• Shared Workstations
• Services (Google Office/Gmail)
• iPods

• Workstations
• Laptops
• Mobile Phones
• PDAs
• Kiosks
• Flash Drives

4
RequirementsWhat we need to do

• Extend the Enterprise
• Beyond the office walls
• Beyond company-owned devices
• Access Applications and Information
• Email
• Documents/Presentations/Spreadsheets
• Internal Web sites
• Instant Messaging
• Telephony
• Protect Information at-rest
• Full-Disk Encryption
• Rights Management
• Files Email encryption (Public Key
  Cryptography)
• Protect Hosts
• Anti-Virus/Anti-Malware
• Firewall
• Patch automation management

5
CapabilitiesWhat we can do

• Extend the Enterprise
• Beyond the office walls
• Laptops (Traditional clients)
• IPSEC SSL VPN
• Beyond Company-owned devices
• SSL VPNs
• Smartphones and Thin clients
• Transient (display-only) access
• Access Applications and Information
• Web Access to Email
• Portal-izing/Proxying applications
• Protect Information at-rest
• Full-Disk Encryption
• Email File Encryption (Public Key Cryptography)
• Protect the Host
• Anti-Virus, Anti-Spyware
• Personal Firewalls

6
GapsWhat we cant do (yet)

• Extend the Enterprise
• Focus on the data, make the device irrelevant
• Support Microsoft-y protocols
• Too many ports, too little control, too much bad
  history
• Even Microsoft admits this problem is still
  unsolved
• Easy Strong Authentication
• Especially on Mobile Devices
• Protect Information at Rest
• Rights Management
• Provide rights management for arbitrary file
  types
• Support ad-hoc protection (This will come as the
  tools mature)
• Protect the Host
• Host protection often still requires users to
  lose control
• Ensure patching and configuration management

7
ProgressWhat were doing about it

• Extend the Enterprise
• Data-Centric Protection
• Focus on defending the data, make the device
  network location irrelevant
• Transient/Display-only access
• Thin Client Portal
• Application proxying, screen scraping
• SSL VPN
• Limited access, non-Domain member access
• Protect Information at Rest
• Rights Management
• Control what authorized users do with information
• Trusted Computing
• Already exists in phones but is frequently
  cracked
• Prospects for the PC are probably worse
• Protect the Host
• Trusted Computing
• Time will tell, but its not doing well thus far

8
Thank You

• Questions and Discussion
• Contact Chandler Howell