Can you make data invisible to intruders? Unisys Stealth system creates a community around sensitive data and encrypts communications between all users.
At last week's Interop 2014 in Las Vegas, Unisys renamed its Unisys Secure Private Cloud to Choreographer. The new name is a nod to the fact that the platform is now about marshaling a secure exchange between many different types of devices on the network rather than securing a fixed set of hardware assets.
Unisys chief information security officer Dave Frymier announced the change in a presentation titled "Don't Sweat The Small Stuff: Protect What Matters Most." To some extent, Frymier seemed bent on turning the usual approach to enterprise security on its head.
"Discovering what systems are there is what malware does," he said in a follow-up interview after the show. Enterprise security has primarily concentrated on keeping malware out with firewalls at the perimeter or on detecting its activity through server log analysis, but neither technique is guaranteed to keep skilled intruders from lifting identity and credit card information. On the contrary, recent breaches at universities, Target, and elsewhere suggest that intruders all too often find what they want by getting inside before countermeasures are in place.
That's why Unisys recommends a new approach: creating a community of interest around important software systems, then protecting them by applying encryption automatically on communications between all users. For example, instead of worrying about everyone's email, how about creating a community of interest around the users of the enterprise financial system and encrypting all communications concerning it?
Choreographer builds on another Unisys product, Stealth, which is essentially an encryption system: end users carry an encryption key on laptops or other mobile devices and use it to send and receive encrypted traffic. Malware that is phishing for information or sniffing for passwords and keys can probe the protected system or attempt to break in, but a system that does not hold the community key simply ignores those attempts, and the intruder is kept out. To the attacker, it is as if the financial system no longer exists.
"The network of a community of interest goes dark on the corporate network," Frymier said. "It won't respond to unencrypted communication. Any user outside the community doesn't know it's there."
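The behaviour described above, a host that answers only traffic sealed under its community-of-interest key and stays silent to everything else, can be illustrated with a short simulation. This is an added example and not Unisys code; Stealth's actual packet format, cipher and key handling are not published here, so the construction below (an HMAC-SHA256 keystream for confidentiality, HMAC-SHA256 for authentication, both derived from one shared community key) is an assumed stand-in for whatever authenticated encryption a real product uses. The point it demonstrates is the gating policy: a plaintext probe, a packet sealed under a different community's key, a tampered packet and a replayed packet all get the same response, which is none at all.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

NONCE_LEN = 12   # per-packet random nonce
TAG_LEN = 32     # HMAC-SHA256 tag


def derive_subkeys(community_key: bytes) -> Tuple[bytes, bytes]:
    """Split the single community-of-interest key into independent encryption and MAC keys."""
    enc = hmac.new(community_key, b"coi-enc", hashlib.sha256).digest()
    mac = hmac.new(community_key, b"coi-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC; stands in for a real AEAD such as AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(community_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one packet under the community key: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_subkeys(community_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(community_key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the plaintext if the packet authenticates under the community key, else None."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_subkeys(community_key)
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CommunityHost:
    """A protected system that is 'dark' to anyone outside its community of interest."""

    def __init__(self, community_key: bytes) -> None:
        self.key = community_key
        self.seen_nonces = set()   # replay cache; a replayed member packet must not elicit a reply

    def handle(self, packet: bytes) -> Optional[bytes]:
        """Sealed reply for valid, fresh community traffic; None (silence) for everything else."""
        request = unseal(self.key, packet)
        if request is None:
            return None               # unauthenticated or malformed: no error, no reply
        nonce = packet[:NONCE_LEN]
        if nonce in self.seen_nonces:
            return None               # replay: same silence, so the host stays dark
        self.seen_nonces.add(nonce)
        return seal(self.key, b"ACK:" + request)


def run_scenario() -> dict:
    """Constructed scenario: one member request and four kinds of outsider probe."""
    coi_key = secrets.token_bytes(32)            # hypothetical finance-system community key
    host = CommunityHost(coi_key)
    member_packet = seal(coi_key, b"GET /ledger")
    member_reply = host.handle(member_packet)
    tampered = member_packet[:-1] + bytes([member_packet[-1] ^ 0x01])
    return {
        "member": unseal(coi_key, member_reply) if member_reply else None,
        "plaintext_probe": host.handle(b"GET / HTTP/1.0\r\n\r\n"),           # scanner outside the community
        "wrong_key_probe": host.handle(seal(secrets.token_bytes(32), b"GET /ledger")),
        "tampered": host.handle(tampered),
        "replay": host.handle(member_packet),                                   # captured and resent
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:16s} -> {'reply ' + outcome.decode() if outcome else 'silence'}")
```

Two design choices carry the security property. First, every failure path returns the same thing, silence, rather than a distinguishable error, so an outsider cannot tell a protected host from an unused address. Second, the replay cache matters: without it, an attacker who captures a member's packet could resend it and use the reply as an existence oracle, even without being able to read it. In this model whoever holds the community key is a member, which is exactly why the handling of that key on end-user devices, discussed next, is the crux of the design.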
But aren't such keys on mobile devices a security exposure in themselves? What if a laptop is stolen? Frymier explained that the key is enclosed in a software wrapper and installed according to the ISO standard for end-user key protection, and that it cannot be retrieved by a thief who gains control of the device.
According to Frymier, this approach is simpler and more effective in a BYOD world than attempting to track and monitor activity on many different kinds of devices. It won't protect everything, but it will protect any system and set of sensitive data deemed worthy of having its own community of interest. For a financial system at a large company, the community might include 1,000 or more end users and would remain dark to any user who is not part of the community.
Unisys, which produced Stealth two years ago, announced a way to apply it to BYOD mobile systems last fall. Frymier admitted that Stealth had few adopters at first, but he said the growing use of smart phones and tablets in the enterprise has since turned the tables. Since its BYOD announcement, Unisys has been peppered with requests for guidance on how to establish a pilot project.
"Right now a lot of information security is focused on log file management, generating alerts, [and] detecting an intrusive presence. This isn't doing any of that," Frymier noted. Instead, it walls off data and applications that are rich targets for intruders.
Last June, Unisys announced Stealth for Amazon Web Services, which encrypts all communications between enterprise users and business-critical systems running on Amazon. Unlike other such systems, the Stealth key is kept on a secure server inside the enterprise and deeply embedded in end-user devices. Many other encryption protection systems require the key to be stored inside the cloud service and accessed over the public Internet to work with mobile users, Frymier explained, which can create problems.
The Stealth name is borrowed from the US Air Force's stealth aircraft, which absorb or deflect searching radar waves rather than reflecting an echo back to the receiver. Similarly, Unisys Stealth absorbs intruders' communications but offers nothing back.
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...