With an impressive list of distinguished speakers, this year’s keynotes and debates offer insights on the industry’s hot topics.
The entire information security industry will gather at London’s Olympia for Infosecurity Europe this month. More than 11,000 visitors are expected to attend, taking advantage of the free education programme that addresses both strategic and technical issues and draws on the skills and experience of senior end users. This year’s show will be busier than ever, with 300-plus exhibitors, including 100 vendors launching new solutions.
The keynote sessions are the highlight of the education programme. They bring together the industry’s leading independent experts, government officials and end users from high-profile corporations and take an in-depth look at some of the big ideas of the moment.
The opening keynote speech by Lord Broers, the chairman of the House of Lords science and technology committee, explores some of the lessons from other countries that the committee has gathered in the course of its inquiry into internet security.
In his special address, Derek Wyatt MP, chair of the all-party internet group, highlights some of the key measures that will be put in place to assure the security of the 2012 Olympic Games.
Phil Cracknell, UK president of the Information Systems Security Association, leads a panel on wireless security with Andy Yeomans, vice-president of global information security at Dresdner Kleinwort, and John Meakin, group head of information security at Standard Chartered Bank.
“With recent surveys showing more than 80 per cent of UK businesses now having a ‘wireless policy’, you would think it would be a case of ‘job done’,” says Phil Cracknell. “However, on closer scrutiny, it would appear that corporate wireless users have only scratched the surface. Little, if any, provision is present for the increasingly important issues of wireless scanning, rogue hotspots, evil twins and drifting clients.”
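As an added illustration of the wireless-scanning gap Cracknell describes (this is example code written for this page, not material from the panel or the article), the Python below sorts the access points seen in a site survey into the categories a sweep should report: evil twins that copy the corporate SSID from an unknown radio, lookalike SSIDs, open rogue hotspots, and inventoried radios whose configuration has drifted. The corporate SSID, the BSSID inventory and the scan results are all constructed for the example.

```python
# Added example: classify wireless survey results against an AP inventory.
# All names, BSSIDs and scan results below are constructed for illustration.
from dataclasses import dataclass
import re

# Assumptions for the example: the managed corporate SSID, the BSSIDs (radio
# MAC addresses) the network team actually deployed, and the security they run.
CORPORATE_SSID = "corp-wifi"
KNOWN_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
EXPECTED_SECURITY = "WPA2"


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str  # "WPA2", "WPA", "WEP" or "OPEN"
    channel: int


def _normalise(ssid):
    """Collapse case and punctuation so 'Corp_WiFi' and 'corp-wifi' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def classify_scan(scan, corporate_ssid=CORPORATE_SSID, known_bssids=KNOWN_BSSIDS,
                  expected_security=EXPECTED_SECURITY):
    """Sort scan results into the findings a wireless sweep should raise.

    evil_twin          - advertises the corporate SSID from a BSSID not in
                         inventory; clients that remember the SSID auto-join it.
    lookalike          - not in inventory; SSID differs only in case/punctuation.
    open_rogue         - not in inventory; open network on the premises that
                         staff may use instead of the corporate WLAN.
    inventory_mismatch - inventoried BSSID whose SSID or security differs from
                         what was deployed (misconfiguration, or a spoofed BSSID).
    managed            - inventoried BSSID with the expected SSID and security.
    Anything else (e.g. a neighbour's encrypted network) is not reported.
    """
    known = {b.lower() for b in known_bssids}
    target = _normalise(corporate_ssid)
    report = {"evil_twin": [], "lookalike": [], "open_rogue": [],
              "inventory_mismatch": [], "managed": []}
    for ap in scan:
        if ap.bssid.lower() in known:
            if ap.ssid == corporate_ssid and ap.security == expected_security:
                report["managed"].append(ap)
            else:
                report["inventory_mismatch"].append(ap)
        elif ap.ssid == corporate_ssid:
            report["evil_twin"].append(ap)
        elif _normalise(ap.ssid) == target:
            report["lookalike"].append(ap)
        elif ap.security == "OPEN":
            report["open_rogue"].append(ap)
    return report


# Constructed survey results for the example (not real captures).
SAMPLE_SCAN = [
    AccessPoint("corp-wifi", "00:11:22:33:44:01", "WPA2", 6),
    AccessPoint("corp-wifi", "00:11:22:33:44:02", "WPA", 11),      # deployed AP running WPA, not WPA2
    AccessPoint("corp-wifi", "de:ad:be:ef:00:01", "OPEN", 6),      # evil twin on the same channel as AP 1
    AccessPoint("Corp_WiFi", "de:ad:be:ef:00:02", "WPA2", 1),      # lookalike SSID
    AccessPoint("FreeCoffeeWiFi", "ca:fe:00:00:00:01", "OPEN", 1), # open rogue hotspot
    AccessPoint("neighbour-net", "ba:ad:f0:0d:00:01", "WPA2", 36), # unrelated, not reported
]

if __name__ == "__main__":
    for category, aps in classify_scan(SAMPLE_SCAN).items():
        for ap in aps:
            print(f"{category:19} {ap.bssid}  ssid={ap.ssid!r}  {ap.security}  ch{ap.channel}")
```

Matching on BSSID is only a first pass: an attacker can clone a known BSSID as easily as an SSID, which is why the inventory check is paired with the security and channel fields and, in practice, with a periodic rescan so that a radio appearing where none was deployed stands out.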
Lord Erroll will lead a panel debate on identity management, examining how to pick the right tools for the job. The panellists will include Toby Stevens, vice-chairman, BCS Security Forum; Andy Kellett, senior research analyst, Butler Group; and Maury Shenk, partner, Steptoe and Johnson LLP.
“Identity management is one of the most misused expressions in modern computing,” says Stevens. “The vested interests behind identity cards, biometric technologies and single sign-on systems have created an environment where it is almost impossible to distinguish between technology fact, science fiction and commercial propaganda. The heated debate around these issues is eroding public confidence in the industry’s trustworthiness, and it is high time that we adopt a more transparent dialogue about system capabilities – and shortcomings – so that we can create identity assurance systems that serve providers and users alike.”
“There is increasing recognition that different identity management solutions, ranging from strong password policies to multi-factor authentication to biometrics, are appropriate to different applications, in order to deal with the commercial and legal risks of particular situations,” adds Shenk. “This is a significant contrast to the tendency to propose global ‘one size fits all’ solutions that one saw during the dotcom boom.”
Paul Simmonds, global information security director, ICI; Jason Creasey, head of research, ISF; Stuart Okin, senior executive, Accenture; and John Reece, CEO, John C Reece & Associates LLP, make up the panel that will discuss whether network security is dead, led by John Riley, managing editor of Computer Weekly.
“If you think about it, the idea of application and data security at the network level is not a viable solution. Try asking a firewall salesperson praising the merits of deep-packet inspection how they handle HTTPS,” suggests Simmonds. “So I’m as interested in the counter-arguments as I am looking forward to the debate.”
As applications move towards architectures with components running on multiple hosts and local units, the edges of systems are blurring, according to Okin. “Essentially, applications are becoming a cloud that end users interface with, rather than a controlled black box – and IT staff may not control all of the elements of the system, especially with an internet backbone,” he says. “With the additional corporate trends towards sharing and outsourcing services, these clouds of applications are also found within a traditional enterprise environment. As a result, the perimeter is no longer well defined. The challenge for organisations is to identify who is connecting with these application clouds and establish their intent.”
Qualifications and working practices
With a myriad of qualifications available, the biggest question for information security directors remains: how can appropriate qualification be recognised, and what are the right educational tools for the job that your staff are doing? This issue will be evaluated in a seminar chaired by Nick Coleman, CEO of the IISP, on “Professionalism: Where are we in 2007?”. Panellists include Jeremy Beale, head of the CBI’s e-business group; Chris Ensor, head of profession at CESG; and Robert Coles, director EMEA, head of information security and privacy, Merrill Lynch.
The keynote presentation “Are You Even Remotely Secure?” will examine new threats in the wake of changes in working habits, and explore ways in which organisations can mitigate them. Chair Brian McKenna, security journalist, is joined by Steven Furnell, professor of information systems security, University of Plymouth; Steve Robinson, head of IT security Europe, Lehman Brothers; and David Perry, principal analyst, Freeform Dynamics.
The danger with mobile devices is that data is being stored in an inherently more vulnerable location, with less protection than it would receive in the workplace. “If we specifically consider devices such as smartphones and PDAs, then not only does the size and mobility of the devices render them far more susceptible to loss and theft, but they are also more limited in the security options that are available,” says Furnell. “Also, while we might be happy enough entering a ten-character password to access a laptop, this would be less acceptable on a PDA. Indeed, such devices are often left entirely unprotected against unauthorised access.”
“The pressure to ‘get me the data, now’ from a senior level can lead to rapid deployment of mobile data, without a sufficient security framework,” adds Perry. “Deployment of mobile applications is one of the key areas of future competitive advantage, but this opportunity must be developed alongside a comprehensive security strategy.”
Keeping up with telecoms technology
Marika Konings, director of European affairs at the Cyber Security Industry Alliance, leads a panel on how to secure the latest telecoms technologies with Cate McGregor, DFN, director OGDS and agencies, Defence Communications Services Agency; and Roger Cumming, head of advice and delivery, Centre for the Protection of National Infrastructure.
The convergence of communications networks, devices and content has enabled service providers to deliver newer, faster and more advanced services including voice, data, video and applications, all over a single IP network. “While these rapid technology advancements have tremendous benefits, they have raised questions from policy-makers about whether security can keep up,” says Konings. “It is vital for the information security industry to stay engaged with our policy-makers as they evaluate the impact of these new technologies.”
Every business is subject to crime every day, but at what point does it become sensible for you to report it? The keynote presentation entitled “Should You Always Report Crime?” is chaired by Geoff Smith, head of information security policy, Department of Trade and Industry. He is joined by Tony Neate, managing director, GetSafeOnline; Philip Virgo, secretary-general, EURIM; and Jonathan Coad, partner, Swan Turton.
To confess or not to confess, that is the question: whether it is smarter to suffer the slings and arrows of outrageous media coverage by reporting a crime, or to hope to avoid the repercussions, while risking even more of them, by staying quiet. Coad says: “From my experience as a media lawyer, reporting crime to the police is a double-edged sword, as invariably the press have found out about it, with my client hitting the headlines within 24 hours as a result.”
And we must stop patronising small firms and consumers if we want them to do serious business online, argues Virgo. “How do they find out whether their system has been recruited into a botnet? The time has come to respond to the needs of the customer for security tools they can understand, realistic advice, guidance and support on how to use them,” he says. “We also need reporting systems that will route their enquiry to someone who will respond – be it law enforcement or technical support.”
To round up events, author Bruce Schneier will debate the psychology of security in his keynote session and Bob Ayers, associate fellow, Chatham House Information Security Programme, will lead a panel discussion on the increasingly important issue of insider threats. Finally, Jon Fell, partner at Pinsent Masons, will chair the hackers’ panel, which returns in the wake of a year of legislative change. Expect a lively discussion from a range of “experts” in hacking practice and legislation.
WHERE AND WHEN
Dates: 24-26 April 2007
Venue: Grand Hall, Olympia, London
More information www.infosec.co.uk