Security in a Web 2.0+ World: A Standards-Based Approach

Discover how technology is affecting your business, and why typical security mechanisms are failing to address the issue of risk and trust. Security for a Web 2.0+ World looks at the perplexing issues of cyber security, and will be of interest to those who need to know how to make effective security policy decisions to engineers who design ICT systems – a guide to information security and standards in the Web 2.0+ era. It provides an understanding of IT security in the converged world of communications technology based on the Internet Protocol. Many companies are currently applying security models following legacy policies or ad-hoc solutions. A series of new security standards (ISO/ITU) allow security professionals to talk a common language. By applying a common standard, security vendors are able to create products and services that meet the challenging security demands of technology further diffused from the central control of the local area network. Companies are able to prove and show the level of maturity of their security solutions based on their proven compliance of the recommendations defined by the standard. Carlos Solari and his team present much needed information and a broader view on why and how to use and deploy standards. They set the stage for a standards-based approach to design in security, driven by various factors that include securing complex information-communications systems, the need to drive security in product development, the need to better apply security funds to get a better return on investment. Security applied after complex systems are deployed is at best a patchwork fix. Concerned with what can be done now using the technologies and methods at our disposal, the authors set in place the idea that security can be designed in to the complex networks that exist now and for those in the near future. Web 2.0 is the next great promise of ICT – we still have the chance to design in a more secure path. Time is of the essence – prevent-detect-respond!

Table of Contents:
FOREWORD xi seasoned and influential security professional puts the chapters of this book into context by discussing the challenges of cyber security in the Web 2.0+ world. PROLOGUE xv 1 The World of Cyber Security in 2019 1 It is 2019, Web 3.0 has arrived, but it is a destination fraught with the problems of cyber security. With the benefit of hindsight, what went wrong in the development of Web 2.0 is obvious, how to fix it is not so – the challenges abound. This chapter explores the road we travel and why uncorrected it will lead directly to the destination of an uncertain Web. 2 The Costs and Impact of Cyber Security 15 An increasing number of reporting and regulatory requirements are being placed on businesses, which is resulting in rising compliance costs while yielding poor results in the actual protection against cyber threats. This chapter discusses cyber security from an economic (cost) and risk management perspective, the methods of quantifying po- tential losses, enhancing business process, and reaping value from enhanced security standards. 3 Protecting Web 2.0: What Makes it so Challenging? 39 Web 2.0 has begun to impact almost every aspect of everyday life, but comprehensive controls to protect assets, wireless, and content in all of its forms, has yet to be implemented. The lack of security standards could be potentially devastating as virtual life and the physical world begin to meld without the recognition that both need to be protected with the same vigilance. 4 Limitations of the Present Models 63 This chapter names the problem – a practiced model of security that is bolted on – and why the current models of cyber security are inef- fective in transitioning to Web 2.0. Patching, over-reliance on de- tection and response, and the omnipresence of data in the cloud require a model of greater discipline where security is part of the design, not the afterthought. 5 Defining the Solution – ITU-T X.805 Standard Explained 79 Bell Labs introduced a security framework that became Recommen- dation ITU- T X.805 in 2003. The efficacy of this model for present and Web 2.0 systems is discussed in terms of its overall framework components. As a model it offers a way to apply a disciplined approach to security designed-in, not bolted on. In a security value life cycle, it forms the links in the trust chain from the point of technology creation through technology implemented in security-integrated operational environments. 6 Building the Security Foundation Using the ITU-T X.805 Standard: The ITU-T X.805 Standard Made Operational 101 By using the ITU-T X.805 standard as a framework, this chapter explores how to implement the X.805 framework as a model for trust concepts in applied computing. 7 The Benefits of a Security Framework Approach 113 Transparency is the primary benefit and one of the key attributes to transform from the present model of aftermarket security to protecting the evolution of Web 2.0. It allows for the proper implementation of security from the beginning stages of product development to the point of delivery while creating a basis for trust, developing a common language, and reducing costs. 8 Correcting Our Path – What Will it Take? 137 The challenges of protecting Web 2.0 and the solutions toward a more efficient paradigm have been presented, but who will im-plement these sorely needed changes in the system? Leadership from business, academia, and government is paramount to re-shaping the process of how products and solutions are made secure up front in the development life cycle. It will take more than the logic of why it should be done – it will take an active role in these three domains. It starts with the buyers of technology applying the leverage of purchasing in large numbers to change a behaviour already ingrained. APPENDIX A 151 APPENDIX B 181 APPENDIX C 207 GLOSSARY 217 INDEX 229  

About the Author :
Carlos Curtis Solari (lead author) is VP, Security Strategy and Solutions, Alcatel-Lucent. Carlos joined Alcatel-Lucent as Bell Labs Security Solutions Vice President in April 2006. In this role, Carlos heads a team defining and implementing the security strategy positioning Alcatel-Lucent as the vendor of choice for secure, reliable networks, services and applications. Carlos has extensive experience in the field of information systems security as applied in the areas of homeland security, law enforcement, public safety and defence; with over 25 years in various government and private industry positions, including more than 6 years as a senior executive with the Federal Bureau of Investigation. From 2002 to 2005 he served as Chief Information Officer for the Executive Office of the President - the White House.

Review :
"Hard-hitting stuff -- and undeniable too." (CIO, June 2009)