Annual Computer Security Applications Conference (ACSAC) 2022


Case Studies I

Wednesday, 7 December 2022
13:30 - 15:00

Classroom 203

Chair: Dennis Moreau, Intel

Top-Down Continuous Policy Compliance, Sergio Pozo-Hidalgo, VMware (slides)
Abstract: Nowadays most enterprises have a multi-cloud stack with a combination of owned, leased, and pay-as-you-go infrastructure (compute, storage, and network) in both on-prem and cloud models, consumed from different cloud providers, and where applications run and are accessed by users from anywhere and from any device. Many enterprises are also moving towards a de-centralization of workloads, where a single complex composite application can run across several of these cloud silos (that is, the Edge model).

Strict compliance regulations and requirements exist today that govern how security should be applied based on many factors (such as data sensitivity); these helped formalize security controls and spawned massive industries. Yet conventional approaches to security are failing in the current highly heterogeneous and distributed model, where cybersecurity professionals still struggle to balance implementing the standards to avoid liability against a never-ending list of new defense-in-depth tools to add.

Based on both customer and industry input (such as the NIST Zero Trust Architecture), it is clear that managing and troubleshooting security policies, and achieving compliance across silos, is a disruptive challenge that requires a full re-thinking. To this end, we present a top-down architecture for continuous compliance, where risk is no longer binary or static, and where mitigations are risk-adaptive. This model provides just-in-time decisions about the conditions required to permit an access between resources, whether those are users, devices, applications, or data. The architecture shifts from the one-time "perfect" macro-security decision toward a context-dependent set of micro-decisions, constantly evaluating the ever-changing risk of the resources and of the transaction itself, in order to adjust the mitigations required to continue permitting the access over time rather than blocking it. We conclude the proposal with a demonstration and examples of implemented policy, and a comparison of how the proposed approach captures risks that are missed by conventional approaches.
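The abstract describes the shift from one binary allow/deny decision to continuously re-evaluated micro-decisions whose mitigations scale with risk. The following is an added illustration of that idea, not code from the talk or from VMware: the context fields, the scoring weights, the mitigation names and the threshold are all assumptions chosen for this example. It shows a decision that starts as "permit", becomes "permit with step-up MFA" as the last authentication ages, and only falls to "deny" when no available mitigation brings the residual risk under the threshold.

```python
"""Risk-adaptive access micro-decisions (added example; weights and fields are
assumptions, not the speaker's or VMware's policy model)."""
from dataclasses import dataclass, replace

# Assumed contribution of the data classification to the risk score.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}


@dataclass(frozen=True)
class AccessContext:
    """Snapshot of one transaction at one evaluation point (constructed fields)."""
    resource_sensitivity: str   # classification of the data being accessed
    device_managed: bool        # endpoint enrolled in management, posture known
    minutes_since_mfa: int      # freshness of the last strong authentication
    anomalous_location: bool    # e.g. an impossible-travel signal from the IdP


def risk_score(ctx: AccessContext) -> int:
    """Additive risk score; each factor contributes independently."""
    score = SENSITIVITY_WEIGHT[ctx.resource_sensitivity]
    if not ctx.device_managed:
        score += 3
    if ctx.minutes_since_mfa > 60:
        score += 2
    if ctx.anomalous_location:
        score += 4
    return score


# (name, applicability predicate, risk reduction), least intrusive first.
# A mitigation may cancel a factor entirely (step-up MFA removes the stale-auth
# factor) or only compensate for it (session recording does not undo an anomaly).
MITIGATIONS = [
    ("step-up-mfa", lambda c: c.minutes_since_mfa > 60, 2),
    ("session-recording", lambda c: c.anomalous_location, 1),
    ("browser-isolation", lambda c: not c.device_managed, 3),
]


def decide(ctx: AccessContext, threshold: int = 4) -> dict:
    """One micro-decision: add applicable mitigations, least intrusive first,
    until residual risk is at or below the threshold; deny only if that fails.
    On deny, 'mitigations' lists what was tried so the reason is auditable."""
    score = risk_score(ctx)
    applied, residual = [], score
    for name, applies, reduction in MITIGATIONS:
        if residual <= threshold:
            break
        if applies(ctx):
            applied.append(name)
            residual -= reduction
    if residual > threshold:
        decision = "deny"
    elif applied:
        decision = "permit-with-mitigations"
    else:
        decision = "permit"
    return {"decision": decision, "risk": score, "residual": residual, "mitigations": applied}


def evaluate_timeline(initial: AccessContext, changes: list) -> list:
    """Continuous evaluation: re-run the micro-decision after every context change
    (each change is a dict of AccessContext fields) and return all decisions."""
    ctx, decisions = initial, [decide(initial)]
    for change in changes:
        ctx = replace(ctx, **change)
        decisions.append(decide(ctx))
    return decisions


if __name__ == "__main__":
    # Constructed session: managed device opens a confidential resource, the MFA
    # ages past an hour, then the identity provider flags an anomalous location.
    session = AccessContext("confidential", True, 5, False)
    for step in evaluate_timeline(session, [{"minutes_since_mfa": 75},
                                            {"anomalous_location": True}]):
        print(step)
```

The point of the loop in `decide` is that the policy engine's first answer to rising risk is an extra condition on the same access, not a revoked session; the `residual` field makes the reason for a final deny reviewable.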

Bio: Sergio has over 20 years of experience in IT Security and Networking, leading the research, ideation, design, and execution of innovative security products. As part of the Network and Security CTO Office R&D team, Sergio is involved in designing, executing, and introducing new security products to the market at the intersection of Multi-cloud, Zero Trust Architectures, SASE, and Service Mesh. Sergio collaborates with the Zero Trust Architecture and Multi-Cloud Security initiatives at NIST and the NCCoE.

Prior to VMware, Sergio founded Intelliment Security, where he built an intent-based vendor-neutral network security policy automation product, accelerating application time to value with increased network operations efficiency, reliability, visibility, and security in large enterprises.

Sergio received a Summa Cum Laude PhD from the University of Sevilla in Spain, where he spent over 12 years researching security policy modelling, automated risk and compliance assessment, and automatic code generation. He has published over 30 peer-reviewed papers in books, journals, and conferences, and has volunteered on the scientific committees of over 20 scientific conferences.

Gaining Assurance in Commodities within Trustworthy Systems, Ian Bryant, University of Warwick (slides)
Abstract: Virtually any Trustworthy System is an assemblage of multiple smaller Elements, and it is a fact universally acknowledged that in the modern era, a proportion of such elements are likely to be Commodity Products and Services. A challenge with Commodity Elements is that although a variety of Assurance Schemes have been created over the years, these tend to be short-lived and not directly compatible. This Case Study examines an approach, called Commodity Usage Principles and Assurance (CUPA), that is intended to enable confidence in the consumption of Commodity Elements from a variety of sources and provenances, through the establishment of an enabling Normalisation process.

Bio: Ian Bryant is an Adjunct Professor, and Principal Investigator for Understanding Cyber Risk (UCR), in the Cyber Security Centre (CSC) of the University of Warwick. In his other roles he is a Professional Engineer focusing on Information and Info-Cyber Systems (ICyS) protection, is heavily involved with various Standards Development Organisations (SDOs), predominantly as a Principal UK Expert for the British Standards Institution (BSI) across a number of Committees, where he acts as UK Head of Delegation to both ISO/IEC and CEN/CENELEC, and is the Honorary Secretary, and Standards Development Advisor, for the UK’s Advisory Committee on Trustworthy Systems (ACTS).

 


