PMO - PowerPoint PPT Presentation

Loading...

PPT – PMO PowerPoint presentation | free to view - id: 181622-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

PMO

Description:

VoIP enables convergence of data, voice, and video onto single ... Other codecs: G.729, G.726, ... -28 - RTP. Realtime Transport Protocol (RFC 3550, July 2003) ... – PowerPoint PPT presentation

Number of Views:450
Avg rating:3.0/5.0
Slides: 120
Provided by: tyronne
Category:
Tags: pmo | codecs | hijacking

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: PMO


1
Adrian Garrity Managing Director
  • Introduction
  • PMO
  • MRS
  • Independent ICT Consultancy
  • Practical Considerations when deploying
  • VoIP and Mobile Data

2
Practical Considerations when deploying VoIP and
Mobile Data
  • Presented by
  • Tyronne Mexson of

For
3
Introduction - VoIP
4
Introduction - VoIP
  • VoIP enables convergence of data, voice, and
    video onto single network.
  • Attractive opportunities
  • Reducing costs
  • Reducing complexities
  • Enabling progressive business gains
  • Biggest concern with VoIP is security - steps
    being taken to secure internet
  • Other concerns include Quality of Service

5
Introduction - VoIP
  • Numerous threats
  • Device failures
  • Malicious attacks
  • Need to guarantee calls as well as data over
    networks
  • Need to guarantee services
  • 999 emergency services
  • 101 SNEN

6
Introduction - VoIP
  • This presentation will cover the following
  • What is VoIP?
  • Security Risks
  • Security Solutions
  • Future of VoIP

7
What is VoIP?
8
What is VoIP?
  • Voice over IP
  • Making phone calls using a computer network by
    transmitting voice signals over an IP network
  • Analog signal converted to digital, compressed,
    broken into packets, sent across network, and
    converted back to analog at destination
  • Packet switched network
  • Less cost and more scalability
  • No dedicated bandwidth
  • Uses standard networking components (routers and
    switches)

9
What is VoIP?
  • Voice over IP
  • IP phones have Ethernet network interface cards
    included for internet access
  • Dedicated phone line or telephone set not needed
    any longer
  • Need high speed internet connection
  • Telephone calls can be made from PC using
    microphone and speakers

10
Network Components
  • Four main network components needed
  • IP telephony device
  • Call processing manager
  • Voice mail system
  • Voice gateway

11
Network Components
  • 1) IP telephony device
  • Any device that supports placing calls in an IP
    telephony network
  • IP phones
  • System applications using microphones and speakers

12
Network Components
  • 2) Call Processing Manager
  • A.K.A. IP PBX
  • Server that provides call control and
    configuration management for IP telephony devices
  • Functions include call setup and routing calls

13
Network Components
  • 3) Voice Mail System
  • IP voice mail storage
  • Provides user directory lookup
  • Provides call forwarding

14
Network Components
  • 4) Voice Gateway
  • IP packet routing
  • Backup call processing
  • Provides access to legacy voice systems for local
    calls, toll bypass, and WAN backup in case of
    failures

15
Benefits of VoIP
  • Ability to combine voice, video, data on same
    network
  • Use existing internet connection for phone calls
  • Call anyone, anywhere, at any length
  • Same or lower cost
  • Increased employee productivity
  • Combination of communication channels (telephone,
    voice mail, fax, e-mail, pagers, mobile phones,
    PDAs)
  • Listen to emails Check voice mails from
    internet

16
Capabilities
  • By using XML capabilities, new IP phones have
    enhanced user interfaces
  • Access to any web-based content
  • Access to employee extension numbers
  • Administrative and attendance solutions for
    school districts and universities
  • Inventory tracking
  • Restaurant listings and reservations
  • Emergency notification and audio streaming
    systems for government and public safety
    personnel
  • Enterprise applications email, unified
    messaging, corporate directories, conference room
    booking, and expense reporting
  • Easily accessible for employees anytime, anywhere

17
Reliability
  • Traditional PBX highly reliable
  • 99.999 reliability (5 minutes of outage per
    year)
  • Highly reliable components and built in
    redundancy
  • VoIP
  • Relies on gateways and phones that can register
    on multiple servers
  • Uses IP networks multiple paths

18
VoIP QoS
  • Voice signals more demanding than data
    communications
  • To ensure quality, attributes must be managed
    properly
  • Bandwidth
  • Number of packets lost
  • Round trip delay
  • Jitter / variability in delay
  • Establish QOS needed for expected traffic

19
VoIP QoS - Bandwidth
  • Bandwidth
  • Generally modest (64 kbps or less)
  • Depends on codec and use of silence suppression

Codec Rate (kbps)
G.711 64
G.722 48-64
G.729 (A/B) 8
  • Packet loss
  • Should be less then 5

20
VoIP QoS - Latency
  • Voice quality characteristics
  • Clarity fidelity, clearness, and intelligibility
    of signal
  • Delay effect on interactivity
  • Echo distracting and confusing
  • Latency
  • Components Encoding, Packetisation, Network
    delay, Receiver buffering, Decoding
  • ITU-TG.114 recommends 150ms

One-way Delay Effect on perceived Quality
lt100 -150ms Delay not detectable
150 - 200ms Acceptable quality slight delay or hesitation noticeable
Over 200 - 300ms Unacceptable delay normal conversation impossible
21
VoIP QoS - Jitter
  • Jitter
  • Smoothed by playback buffers
  • Receivers adapt the depth of these buffers
  • Sudden changes in jitter may cause loss

22
Convergence mediation
23
H.323 and SIP
24
H.323
  • Recommendation published by ITU
  • Ties together a number of protocols to allow
    multimedia transmission through an unreliable
    packet-based network
  • 1996 approved by ITU
  • 2003 Version 5

25
H.323 Architecture
  • H.323 Terminal
  • Gateway
  • Gatekeeper
  • Multipoint Control Units (MCU)

26
H.323 Protocol Stack for VoIP
27
G.7xx Speech (De)Coding
  • H.323 systems must support G.711 PCM, 64kbps
  • Other codecs G.729, G.726,

28
RTP
  • Realtime Transport Protocol (RFC 3550, July 2003)
  • Application layer protocol for transmitting
    realtime data (audio, video, ...)
  • Includes payload type identification, sequence
    numbering, timestamping, delivery monitoring
  • Mostly over UDP
  • Supports multicast unicast

29
Control Protocol - RTCP
  • RTP Control Protocol (RFC 3550, July 2003)
  • Periodic transmission of control packets to all
    participants in the session
  • Main functions
  • provide feedback on quality of data distribution
  • carries a persistent transport-level identifier
    for an RTP source (CNAME)
  • each participant sends control packets to all
    others which independently observe the number of
    participants

30
More Control Protocols in H.323
  • H.225 (RAS)
  • protocol between terminal and gatekeeper (if
    present)
  • allows terminals to join/leave zone,
    request/return bandwidth, provide status updates,
  • H.245 (Call Control)
  • Media Control Protocol
  • Allows terminals to negotiate connection
    parameters (codec, bit rate, ..)
  • Q.931 (Call Signaling)
  • Manages call setup and termination

31
SIP Session Initiation Protocol
  • Developed by IETF since 1999
  • RFC 2543, March 1999 (obsolete)
  • RFC 3261, June 2002
  • Target develop simpler and more modular protocol
    for VoIP than the large and complex H.323 by ITU

32
SIP Session Initiation Protocol
  • SIP is a text-based protocol similar to HTTP and
    SMTP, for initiating interactive communication
    sessions between users
  • SIP is an application-layer control (signaling)
    protocol for creating, modifying and terminating
    sessions with one or more participants
  • Sessions include Internet Multimedia conferences,
    Internet Telephone calls and Multimedia
    distribution

33
SIP Session Initiation Protocol
  • SIP can be used with different transport
    protocols, it doesn't even require reliable
    transport protocols
  • A simple SIP client can be implemented using only
    UDP

34
SIP components
35
SIP components
UAC (user agent client) Caller application that initiates and sends SIP requests.
UAS (user agent server) Receives and responds to SIP requests on behalf of clients accepts, redirects or refuses calls.
SIP Terminal Supports real-time, 2-way communication with another SIP entity. Supports both signalling and media, similar to H.323 terminal. Contains UAC.
Proxy Server Contacts one or more clients or next-hop servers and passes the call requests further. Contains UAC and UAS.
Redirect Server Accepts SIP requests, maps the address into zero or more new addresses and returns those addresses to the client. Does not initiate SIP requests or accept calls.
Location Server Provides information about a callers possible locations to redirect and proxy servers. May be co-located with a SIP server.
36
Comparison of H.323 and SIP
Item H.323 SIP
Designed by ITU IETF
Compatibility with PSTN Yes Largely
Compatibility with Internet No Yes
Architecture Monolithic Modular
Completeness Full Protocol Stack SIP just handles set-up
Parameter negotiation Yes Yes
Call signaling Q.931 over TCP SIP over TCP or UDP
Message format Binary ASCII
Media Transport RTP/RTCP RTP/RTCP
Multiparty calls Yes Yes
Multimedia conferences Yes No
Addressing Host or Tel Number URL
Call termination Explicit or TCP Release Explicit or timeout
Instant messaging No Yes
Encryption Yes Yes
Size of standards 1400 Pages 250 pages
Implementation Large and Complex Moderate
Status Widely deployed Up and coming
37
Disadvantages to VoIP
  • Some internet voice services do not work during
    power outages and do not provide backup power
  • Some services difficult to connect with 999
    dispatcher
  • Some providers do not provide white pages
  • SECURITY

38
Security Risks
39
DoS Attack
?
call
40
Toll Fraud
Hacker sells your company calling information
Your company gets the bill
41
Call Manager OS
42
Call Manager OS
?
43
Eavesdropping
call
44
Recording
call
45
Hijacking/Injection Attack
call
46
Call Forwarding/Spoofing
call
47
Call Forwarding/Spoofing
call
48
Call Forwarding/Spoofing
?
call
49
Expose private conversations
!
call
50
Block certain calls
?
555-1212
999-1213
987-6543
51
Log call activity
call
52
VoIP Security Concerns
53
VoIP Security Concerns
  • What is the greatest risk to your organisation
    when implementing Voice over IP?

54
VoIP Security Concerns
  • What is the greatest risk to your organisation
    when implementing Voice over IP?

Loss of use and resulting loss of business,
whether a result of a DoS attack, power failure,
or poor management/maintenance of the VoIP
systems.
55
VoIP Security Concerns
  • What are the security risks you are exposing your
    organisation to when considering Voice over IP
    (VoIP)?

56
VoIP Security Concerns
  • What are the security risks you are exposing your
    organisation to when considering Voice over IP
    (VoIP)?

Denial of Service, Toll Fraud, O/S
Vulnerabilities, Hacking, Recording,
Eavesdropping, Hijacking, Spoofing, Call
Forwarding, Call Blocking, Call Logging
57
Security Solutions
58
Network Solutions Security Policy
  • Establish a corporate security policy
  • Acceptable Use Policy
  • Analog/Dial-in/ISDN Line Policy
  • Anti-Virus Process
  • E-mail Policy
  • Automatic Forwarding
  • Usage
  • Retention
  • Ethics Policy
  • Password Protection Policy
  • Patch Management Process
  • Router Security Policy
  • Server Security Policy
  • Risk Assessment Policy
  • VPN Security Policy
  • Wireless Security Policy

59
Security Solutions Network
Network Design by Cisco Systems
60
Security Solutions DoS
  • Provide redundancy through
  • Mesh Corporate WAN design
  • Utilising multiple ISPs
  • Fallback PSTN Gateway(s)
  • Uninterruptible Power Supplies
  • Negotiate QoS agreements

61
Security Solutions Hacking
  • Segment networks into separate VLANs
  • Voice network
  • Data network
  • Monitoring and control network

62
Security Solutions Hacking
  • Maintain VoIP application server updates
  • Call manager server(s)
  • Voicemail server(s)
  • Gateway server(s)
  • Install current Operating System patches
  • Install current application software patches

63
Security Solutions Spoofing
  • Eliminate unknown devices
  • DHCP Snooping
  • DAI Dynamic Address Resolution Protocol
    Inspection
  • IP Source Guard
  • Eliminate unknown software
  • Digital Signatures

64
Security Solutions Threats
  • Manage and prevent threats via
  • Stateful Firewalls
  • Virus Filters
  • Intrusion Detection (NIDS)
  • Intrusion Prevention (HIPS)
  • Filter unnecessary ports on
  • Routers
  • Switches
  • PCs
  • IP Telephones
  • Firewalls

65
Security Solutions Complete
66
FUTURE OF VoIP
67
Wireless VoIP
  • 802.11b (WiFi), the current standard, supports
    raw data rates up to 11Mbps.
  • 802.11a 802.11g standards support 54 Mbps

68
Differences between A G
  • Major difference is operating spectrum frequency.
  • G standard utilises 2.4GHz ISM band (same as
    B standard)
  • A standard utilises 5.2GHz band

69
Advantages
  • A standard
  • No interference because it utilises the 5.2GHz
    band
  • Meets the need for future high-bandwidth
    applications for wireless video and the like.
  • G standard
  • Extended capability of supporting B devices.
  • Older B mobile units can continue to be used
    along with any new G mobile devices.
  • Meets the need for future high-bandwidth
    applications for wireless video and the like.

70
Disadvantages
  • A standard
  • 802.11a wireless voice devices are not readily
    available on the market.
  • Few vendors have announced support of A for a
    wireless VoIP application.
  • G standard
  • ISM band may become too crowded and introduces a
    possibility of interference problems (e.g.,
    Bluetooth, cordless phones, etc.).

71
Conclusion
72
Conclusion
  • The challenge of VoIP security is not new.
    History has shown that advances and trends in
    information technology typically outpace the
    corresponding realistic security requirements.
    Such requirements are often tackled only after
    these technologies have been widely adopted and
    deployed Cable Datacom News

73
Major Concern
  • With VoIP the Internet becomes the backbone of a
    company's phone network.
  • Hackers
  • Worms
  • Viruses
  • DoS attacks

74
Advantages
  • Convergence of voice and data into a common
    infrastructure for wiring, routers, network
    connectivity.
  • Companies will be able to deploy, manage and
    maintain one network to serve all communication
    needs, saving on infrastructure costs and
    resources.

75
Introduction Mobile Data
76
Introduction Mobile Data
  • This presentation will cover the following
  • The Need For Remote Access
  • Internet IPVPNs
  • Key Customer Wireless Issues
  • Considerations for Personal Trusted Devices

77
The Need For Remote Access
78
Is there a need for Remote access?
  • Save money on office facilities
  • Use of smaller workforce effectively and
    strategically
  • Reach and service more customers
  • Flexibility to work force - flexihours

Space to Workforce lower than 13 in many
offices
MOBILITY is MONEY
79
Needs of Mobile Workforce
  • Corporate Email
  • Allows mobile workforce to be in touch
  • Access to corporate intranets.
  • Marketing/sales collaterals, access KM sites,
    download forms, generate quotations.
  • Access to resources.
  • Source code, documents, lab infrastructure,
    calendaring system, booking meeting rooms.
  • Access to enterprise applications
  • SAP, Oracle, Lotus notes or other suites for
    purposes like order processing, tracking,
    inventory management etc.
  • Video and Tele Conferencing
  • 24X7 Availability and Support

80
Challenges for Enterprises
  • Authenticating of the user
  • Encrypting data that is sent over the public
    network
  • Tracking the usage of devices
  • Protection from Spoofing and Sniffing
  • Support for growing list of devices

81
Technology Choices available today
  • Technology
  • IPSec VPN
  • Allows complete access to enterprise resources
  • Heavy weight protocol, but complete control to
    user
  • Needs software on clients
  • Email access
  • Accessible through https (secure HTTP)
  • Connectivity options
  • Ethernet
  • GPRS
  • WiFi

82
Technology trends
  • Encrypted Disk drives
  • Data is stored in encrypted form
  • External security keys
  • Stored as USB Dongle or Serial port device
  • Used as a key to access enterprise data
  • Allows authentication and tracking
  • SSL VPN
  • Allows any web browser to access enterprise data
  • Light weight solution, deployment cost is low
  • Access restricted to Web based resources only
  • Biometric identification
  • Eye (iris) or finger print based identification

83
Gaps remaining
  • Access of enterprise data at public kiosks
  • Caching of information
  • Saving of downloaded information
  • Theft
  • The disks can be read by another device
  • Pictures and Messages stored in PDAs/Cell Phones
  • Secured Access guarantee by ISPs
  • Remote Patch Management
  • Enterprise Policy for Remote Work Force

84
Suggestions for Enterprises
  • Formulate a Policy for Remote Connectivity
  • Centralise the maintenance and control of
    Security Settings
  • Standardisation of devices
  • Employees should not be allowed to choose devices
  • Enforce anti-virus and patch management policy
  • Have an approved list of applications to be used
    remotely
  • Encryption of data is a must

85
IPVPNs
86
Internet VPN
  • An Internet VPN is configured on the customers
    own equipment e.g. a router. A tunnel is created
    between two customer sites normally using IP Sec
    (IP Security) on the customer router and the
    traffic is routed over the Internet.It is a
    very low-cost way of establishing a VPN between
    two locations.However, there is no commitment
    with regard to speed of delivery of the data and
    at times when the Internet is busy it may not be
    possible to establish a connection at all or to
    transmit data with any reasonable speed.Many
    corporate customers will not use this type of VPN
    as it can route over many different service
    providers' networks and is subject to the same
    security risks as the www.

87
Internet VPN
  • Sole traders and companies who only need to
    exchange email and perhaps a small amount of data
    are the major users of Internet VPNs.If a
    customer is comparing the price of an Internet
    VPN to that of an internet IPVPN it is important
    not to focus too much on the price of the IPVPN
    as two totally different services are being
    compared.

88
Internet IPVPN (Tunnelling) Technologies
  • VPN technology
  • GRE
  • IP sec
  • IP sec standards
  • AH
  • ESP
  • IKE
  • DES
  • Triple DES
  • RC4
  • X.509 digital certificates

89
VPN using GRE Tunnel
  • GRE (Generic Route Encapsulation) is another
    method of creating a tunnel which can then form a
    VPN between two sites.The most common use of
    GRE tunnels is to transport legacy i.e. protocols
    other than IP across MPLS networks.For example
    a customer with a fully meshed IPVPN over an MPLS
    core network could connect two sites using a GRE
    tunnel and send SNA traffic (i.e. non IP traffic)
    between the two sites without having to convert
    the SNA to IP before it entered the IPVPN.
  • It can also be used as an unsecured internet VPN
    for non-sensitive traffic.

90
VPN using IP sec tunnelling
  • IP Sec (IP Security) based VPNs use
    authentication mechanisms to ensure that only
    valid clients can connect across the tunnel. In
    addition there are different encryption
    algorithms that can be applied to IP Sec tunnels
    to ensure that the data passing through the VPN
    is not compromised.An IP Sec VPN is a point to
    point tunnel that can also be established between
    two sites that are connected into a multi-site
    IPVPN with MPLS.This would be used for example
    to connect two bank computer sites together where
    security of data transfer between mainframes is
    vital.The two sites would send email over the
    normal MPLS IPVPN fully meshed VPN and just use
    the IP Sec tunnel for special data between the
    two computers.

91
IP sec Key features

92
IP sec VPN

93
Key Customer Wireless Issues
94
Key Customer Wireless Issues
95
Considerations for Personal Trusted Devices
96
The big picture Convergence of Internet and
digital telecom networks
PC

Mobile terminal
TV set
IP Backbone Network
Mobile NW Operator sphere
E-commerce server
CA server
Service provider Server (e.g. GIS)
Community server
97
The big picture Access Network technologies
98
Some measures for the big picture
  • Global wireless infrastructure based on GSM
    technology is truly global with its roaming
    capability and coverage.
  • At the end of 2002, there were 454 GSM operators
    worldwide in 182 countries, and they served over
    730 million users.
  • In 2002, 75 percent of the new mobile customers
    started to use GSM terminals and services
    offered by the GSM networks Nok2003.
  • The number of digital telecom handsets has
    exceeded 1 billion (in 2002, ca. 400 million
    handsets were sold) and by 2006 perhaps 2
    billions.

99
Some measures for the big picture
  • Of these handsets hundreds of millions are
    Internet-enabled (WWW, WAP- or I-mode -enabled).
  • There are over a hundred million of servers at
    the server side (in Internet 1) and many in
    private networks

100
What is a Personal Trusted Device?
  • When the wireless terminals in the above big
    picture are capable of supporting seamless
    communication, authentication and authorisation
    of users, various kind of contents - including
    text, voice and video streams, geocoded contents,
    etc. and practically any conceivable
    application or service, one can begin to talk
    about a Personal Trusted Device (PTD)
  • A device where M-commerce transactions can be
    launched, credit card information stored, access
    to corporate resources allowed through PTDs now
  • A multimedia mobile phone or PDA
  • A Laptop with GPRS / WiFi / 3G card

101
Functionality of a PTD
102
Security and privacy problems of PTDs
  • The PTDs are able to host larger and larger
    amount of data as memories get bigger
  • This data is a security risk, because the device
    could be stolen or lost. So should we minimise
    the amount of critical data kept at the PTD?
  • On the other hand, for guarding against privacy
    violations it might be wise to store large
    amounts of data at the PTD
  • What is an optimal approach and on what does the
    optimality depend?

103
Security and privacy risks
  • Evidently, if there is no risk of losing the
    device and data then it makes sense to keep as
    much as possible data, also critical, at the
    device
  • However, on the contrary, if the risk of losing
    the device to a thief, or if losing the data
    because of a device crash or any other technical
    problem is high, it is advisable to minimise the
    amount of critical data kept at the device

104
Assets, risks, threats
  • Assets
  • Any data stored at the PTD
  • Risks 
  • PTD data lost
  • The data stored at PTD is lost for the data
    owner. There are many threats that result in
    this, as discussed below. 
  • PTD data misused
  • The data stored at PTD and subsequently extracted
    is misused by malicious persons.

105
Assets, risks, threats
  • Threats
  • PTD is destroyed
  • In this case no one can use the data any more
  • PTD is lost for the owner
  • In this case the owner does not get the device or
    data back he or she is unsure, whether the data
    will be misused or not
  • PTD is stolen from the owner
  • The owner knows that the device is stolen and
    certainly all the data is lost, and perhaps some
    or all the data is misused

106
Assets, risks, threats
  • Threats (Cont)
  • PTD data misused unnoticed
  • In this case the data stored at the PTD is
    extracted and/or altered in a way that the owner
    does not notice it
  • The PTD and the data remains at the disposal of
    the owner (perhaps, however, altered in some way)
  • This case can lead to considerable security
    threats and damages from the owners point of view
    (misuse of cyber-identity, passwords, credit
    card, access to company infrastructure etc.)
  • The privacy violation also belongs to this
    category, if the data provided by or stored at
    the terminal is misused

107
Assets, risks, threats
  • Threats (Cont)
  • PTD data misused but detected
  • This case can result from theft, losing the
    device and subsequent theft, or disclosure of a
    misuse attempt from logs or physical traces (cf.
    Bluetooth/Ir-connection).
  • In this case the device owner detects the misuse
    either when it is evident from the context
    (theft) or sometimes afterward
  • The difference to the previous case is that the
    device owner can take deliberate countermeasures

108
Countermeasures against losing data
  • Minimising the amount of critical data stored at
    PTD
  • Full (or partial) data replication at a safe
    network component,
  • Provision of safe backdoors to the data for
    which the legitimate owner has lost access for
    some reason (encrypted data, lost access to the
    entire device or to decryption keys, etc.)

109
Countermeasures against PTD misuse
  • Minimising the amount of critical data stored at
    the device
  • As good as possible physical protection of the
    PTD
  • Reliable access control to the PTD and the data
    stored at it
  • Encryption of the data stored at the device
  • Partition of the data and storing it at the
    device and at another safe location (server,
    memory card, etc.)

110
Countermeasures against PTD misuse
  • Self-destruction of the data if misuse attempt is
    detected by the device
  • Privacy related data and algorithms that monitor
    what combinations of data handed out from the
    device while using various external services
    could lead to privacy violations or threats
  • Refraining from accessing networked services
  • Rroviding full security for communications over
    the air interface (end-to-end message encryption,
    end to authentication, authorisation)

111
Technical support for the countermeasures at PTD
  • Reliable access control and authorisation
  • This is a prerequisite for any security and
    privacy scheme if a malicious person gets access
    to the data at the device just by getting hold of
    it physically, nothing much can be done anymore
    Physical security of the PTD is thus a key
    ingredient in the security field
  • The second security sphere is a proper
    authentication (PIN, biometric authentication,
    etc.)
  • Third sphere is a proper authorisation of data
    access stored at the device
  • Fourth sphere is protecting the device against
    malicious programs that are run there

112
Technical support for the countermeasures
  • Categorisation of the data
  • Assess risk level of particular piece of data and
    tell this to the system software (e.g. high,
    medium, low)
  • Minimising the amount of vulnerable data at the
    PTD
  • This can be semiautomatic, based on the risk
    level and the above categorisation
  • If the risk level exceeds a threshold (e.g. due
    to movement to a high risk area), the vulnerable
    data is moved away from the device or encrypted
    in a suitable way

113
Technical support for the countermeasures
  • Data partitioning
  • The idea here is to store only a portion of a
    particular data half-granule at the PTD and
    another granule at a network component/other
    device so that both granules are useless alone,
    I.e. cannot be used unless first combined thus
    grabbing the device or the other half-granule at
    the network would not yet grant access to the
    other half-granule
  • The problem with the scheme is that if there is
    no network connection, the legal user can neither
    use the data, because the half-granules cannot be
    recombined
  • Another problem is the need for wireless capacity

114
Technical support for the countermeasures
  • Data replication
  • This scheme is solely against losing the data for
    whatever reason (device crash, loss or theft)
  • The data granules stored outside the device (at
    other devices, network components, etc.) function
    basically as back-up copies that must be
    refreshed from time to time
  • The draw-back of the scheme is that it increases
    risk of misuse of the data, because the same data
    is stored in perhaps many places outside the
    device
  • Another drawback is storage and wireless network
    cost

115
Technical support for the countermeasures
  • Encryption of data
  • Encryption means that even if a malicious person
    has got hold of the device, he or she should be
    able do decrypt the data in order to misuse it
  • This can be only be done by passing authorisation
    as a necessary step while accessing the data (PIN
    or authorising the action by other means)

116
Technical support for the countermeasures
  • Destruction of the data
  • This is an ultimate measure that the device
    should launch automatically, if it detects a
    rather clear misuse attempt
  • By destruction the misuse is prohibited, but so
    is the legal use, unless the data is replicated
  • How the decision can be done automatically, is by
    no means clear at the moment

117
Conclusions and further research
  • Added security and privacy protection tend to
    decrease the usability of the device and increase
    power consumption and network capacity
    requirements
  • It is therefore vital that the security and
    privacy protection policies and methods used in
    PTDs are in the right proportion to the threats
  • Support from the network side is needed in almost
    all schemes thus, there must be an integrated
    overall security and privacy scheme

118
Conclusions and further research
  • Many problems remain open, such as
  • The measures for the threat and for the
    similarity of the copies.
  • A comprehensive analytical model with the help
    of which one could better assess the impact of
    the chosen policies and methods to the usability,
    security and privacy of the PTDs
  • These are for further study

119
Contact Details
  • WWW.HiTexConsulting.Co.UK
  • WebInfo_at_HiTexConsulting.Co.UK
  • Tel. 0845 408 2412
  • Fax. 0845 223 5158
  • Presenters
  • Adrian.Garrity_at_HiTexConsulting.Co.UK
  • Tyronne.Mexson_at_HiTexConsulting.Co.UK
About PowerShow.com