Geeks With Blogs
Robert's Sysadmin Blog Unraveling the datacenter one fibre at a time

Update 12/05: Steve Lamb notices that Rafal is doing the same seminar in the UK soon.


Attended a Microsoft Expert Conference today, the topic was Holistic Security and Digital Trust, and the speaker was the very excellent Rafal Lukawiecki.

Sessions included:

A Holistic View of Enterprise Security, Rafal Lukawiecki
The tough realities of today make security of enterprise systems one of the highest priorities on most IT Professionals’ agenda. This conceptual, rather than technical, session will overview security from a holistic, process-oriented perspective. While still uncommon, this approach seems to best model the threats that affect our installations. This way of looking at security is based on risk assessment and worries about all aspects of the system equally: we do not want to be building bullet-proof steel doors in a house made of paper walls. After discussing the main challenges that make achieving optimal security difficult, we will concentrate on three process-based holistic approaches: OCTAVE, Simplified Security Risk Analysis, and Threat Modeling. Also in this session we will attempt to categorize all security technologies into active and passive approaches, thus providing a structure to the remainder of the seminar.

Active Security Common Practices, Rafal Lukawiecki
Starting with the concept of Defense-in-Depth we will look at all of the main aspects of the operational environment that need to be secured using active technologies. We will look at the techniques and guidance available for securing applications, hosts and the network itself. Specifically, we will debate some of the challenges posed by in-house enterprise applications, as well as those provided by vendors such as Microsoft. While discussing the available security technologies, we will attempt to provide a fairly complete list of those that you should consider employing, including: Windows XP SP2, Patch Management and WU/SUS/SMS, ISA, Server Hardening Guides, IPSec, MOM, 802.1x/WPA, and Identity Integration. We will close this session with a brief discussion of the checklists of the ‘Top 10’ suggestions for securing the primary Microsoft server systems.

Cryptography and PKI for Passive Security, Rafal Lukawiecki
Holistic security uses both active and passive technologies. Cryptography is the mainstay of passive approaches, primarily used to protect the data layer in the defense-in-depth view. This session aims to provide a good technical overview of all of the foundational concepts of cryptography in order to enable an IT security professional to make better decisions regarding the technologies used for protection. We will first explain the concepts of hybrid, symmetric and asymmetric cryptography before moving on to the subject of hash and digest functions in order to explain the problems found with today’s digital signatures. With that introduced, we will look at the X.509 certificate standard, SSL and smartcards, move on to a rapid discussion of all of the current encryption algorithms such as AES, TripleDES, IDEA, RC2, RC4, RSA, ElGamal and ECC, and briefly touch on quantum cryptography. We are not going to discuss each of them in detail – instead we hope to provide enough information to allow you to make better choices when deciding on the technologies to use.

Digital Trust: Goals and Obstacles, Rafal Lukawiecki
Trustworthiness is as important as the security of the system, according to its users, such as clients, employees and partners. Traditional paper-based trust increasingly has to be replaced with digital signatures and other legally-binding electronic forms of interaction between parties. PKI, Identity Management and Digital Signatures form the basis of Digital Trust. In addition, Time Stamp Authorities, Trusted Document Repositories and e-Notary Services are also vitally needed to build a usable infrastructure of digital trust. We will look at the standards and technologies that enable this concept, and, in keeping with reality, we will point out a number of outstanding legal and social issues that may prevent your organization from successfully adopting some principles of digital trust. We will also briefly touch on Digital Rights Management as an aspect of digital trust and its relationship to privacy protection. This session is likely to be of more interest to those working in the public sector, governments, and bigger enterprises interacting with a large consumer base, and consultants working with them.
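The cryptography session above lists hybrid, symmetric and asymmetric cryptography, digest functions and digital signatures as separate building blocks. The Go program below is an added example, not material from the seminar or from this blog, showing how those blocks combine in a single message: a fresh AES-256-GCM key protects the data (symmetric), RSA-OAEP wraps that key for the recipient (asymmetric, together making the scheme hybrid), and an RSA-PSS signature over the SHA-256 digest of the envelope binds it to the sender (hash-then-sign). The type and function names (Envelope, NewKeyPair, Seal, Open) and the sample message are the example's own assumptions; everything else is the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Envelope is the hybrid-encrypted message as it would travel between parties.
type Envelope struct {
	WrappedKey []byte // AES data key encrypted to the recipient (RSA-OAEP, SHA-256)
	Nonce      []byte // GCM nonce, random and never reused with the same data key
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
	Signature  []byte // RSA-PSS over the SHA-256 digest of the three fields above
}

// NewKeyPair makes a 2048-bit RSA key; sender and recipient each need one.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// digest hashes the signed fields with length prefixes so field boundaries are
// unambiguous; plain concatenation would let bytes shift between fields
// without changing the hash.
func digest(e *Envelope) []byte {
	h := sha256.New()
	for _, f := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// Seal encrypts plaintext for recipient and signs the result as sender.
func Seal(plaintext []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 data key, used for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// Asymmetric step: only the recipient's private key can unwrap the data key.
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil); err != nil {
		return nil, err
	}
	// Hash-then-sign: the signature is computed over the digest, not the raw data.
	if env.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(env), nil); err != nil {
		return nil, err
	}
	return env, nil
}

// Open verifies the sender's signature first; a forged or tampered envelope is
// rejected before any key unwrapping or decryption takes place.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(env), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // GCM tag is checked here too
}

func main() {
	alice, _ := NewKeyPair() // sender
	bob, _ := NewKeyPair()   // recipient
	env, err := Seal([]byte("constructed sample message"), &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("opened: %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // one flipped bit: signature fails, nothing is decrypted
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Open checks the signature before it touches the recipient's private key, so an attacker who can only forge ciphertext never gets a decryption oracle; the GCM tag then catches any corruption the signature check did not. In a real deployment the sender's public key would come from an X.509 certificate chained to a trusted CA rather than being passed in directly, which is exactly where the PKI material of the same session comes in.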

Really interesting material, and Rafal is a really excellent speaker!

In the Q&A I asked him about his view on the current standards in identity federation, and where the field was going. He said he was putting his money on the WS-series of standards being developed by IBM and MS.


Posted on Friday, April 22, 2005 10:53 AM | Security, Tech

Comments on this post: A Holistic View of Enterprise Security, Rafal Lukawiecki

# re: A Holistic View of Enterprise Security, Rafal Lukawiecki
I have also attended two of Rafal's sessions at Microsoft PDC in my home country. Those are already mentioned above.

- A Holistic View of Enterprise Security
- Cryptography and PKI for Passive Security

Although I am a J2EE developer and have never worked with Microsoft .NET, the session was quite general, not platform specific, and worth it.

Moreover, Rafal is the best speaker I have ever seen.
Left by Adeel Ansari on Jun 16, 2005 7:53 AM

# re: A Holistic View of Enterprise Security, Rafal Lukawiecki
Holistic security is the most powerful security of all.
Left by asif on Sep 30, 2009 8:05 AM


Copyright © Robert Kloosterhuis