I'm just returning from SOFIC 2010 (Special Operations Forces Industry Conference 2010) in sunny, hot Tampa, Florida. Oculis Labs was featured in Klas Telecom's booth at the show, where we demonstrated a new small version of Chameleon running on the Klas Telecom GRRIP secure mobile platform.
You can see the whole kit in this picture. You're seeing a complete computer and TS/SCI communications package that fits in a 28lb "fly-away" case. The GRRIP is sitting on its case in this picture, and the new small-form Chameleon sensor is sitting on top just under the monitor. This Klas product is quite a serious achievement. Special Operations uses them extensively in the most rugged field conditions to reach back and access SIPRNET and JWICS via the BGAN network. In civilian-speak, this means the guys in the field can access highly classified networks from the mountains in Afghanistan. Klas Telecom has been very successful in delivering thousands of these essential tools for remote computing.
The obvious extension of the platform is to put Chameleon on it to protect the display against prying eyes. There is a really great fit between Klas and Oculis Labs in this respect. The customer goes to great lengths to ensure the security of their classified networks, but until now has not had the ability to protect the display from some pretty serious risks (think: translators, local liaisons, even coalition forces).
We had great interest at the show. The first day was busy, the second a bit slower, and on the third day we got a lot of attention. As is typical with Chameleon, people who had seen it earlier started bringing over their colleagues and management to take a look. We're looking forward to working with Klas to see where this goes.
Sunday, June 20, 2010
Monday, June 7, 2010
Weakness at the seam: electronic vs physical security
I noticed recently that government security blogger Bob Gourley is updating an article he originally published in 2003 titled “Cyber and Physical Security Unite”. The article clearly remains relevant today. In fact we have more to be concerned with today than before, particularly at the seam where electronic data meets the real world.
We need to be more intelligent about protecting electronic assets from physical threats, and not treat the two as separate issues. Today the practitioners in these two security spheres are usually independent. As a result, some of the most vulnerable spots are to be found along the seam where the two intersect.
Computer IT experts focus on protecting data "on the wire" with firewalls, encryption, VPNs, IPS, etc. This is all good. Physical experts tend to look at perimeters. Also good.
The under-rated risk is where that electronic information enters the real world at the computer monitor. The logical data protection control ends as the data is handed off to the physical world, where it can be viewed by anyone who happens to have physical access. The rules associated with who can view what in the electronic world are rarely matched with who has access in the physical world.
Think about your own work environment. You have an access card to get into the building, and a password to access the company financials you use to do your job. However, there is nothing to stop other employees from looking at your computer screen. They have physical access to get into the building, but they don't have a need to see those sensitive financials. It's a simple example of how physical and electronic protections are not working together.
We put more and more of our lives into electronic assets every day. The value of protecting our data increases constantly, but social engineering and shoulder surfing are more serious today than ever. Security practitioners need to admit the risks go beyond just electronic or just physical, and make sure they protect information at all points along the way. If you are a security manager looking to protect computer screens against eavesdroppers, I urge you to look at Oculis Labs PrivateEye and Chameleon products.