Post on 07-Aug-2020
Security in the Digital Age
Understand, mitigate and manage security risks
Maneesh Tripathi
Service Product Line Executive, Security and Privacy Services – IBM Global Technology Services Asia Pacific
Global Technology Services
Introduction and the Security Industry
It's interesting to note that security threats are getting personal and commercial
• The incidents reported to CERT.ORG are growing exponentially year after year
• The sophistication of these attacks has reached unprecedented levels
• The weaker point of the chain is often the target. Today: the end user and wireless networks
IBM Security Index
• 237 million security attacks during 1st half 05
• Resurgence of targeted phishing attacks for money laundering and identity fraud purposes
• More and more astute in the creation and delivery of such attacks
• Hackers have turned toward more criminal and lucrative areas of directing attacks to specific individuals or organizations
• During 1st quarter, 35 million attacks specifically designed to steal critical data and personal information for financial gains
• The government was the most targeted industry with more than 54 million targeted attacks, manufacturing ranked second with almost 36 million attacks recorded, and financial services was third with a little over 34 million (Message Labs contributed to this item)
• Increased critical security events are seen on Fridays and Sundays
“Security, compliance and data protection” is the #1 challenge facing IT organizations.
Source: IBM Market Intel, Market Needs in ITSM Workshop Summary March 2006, n=1089
When customers were asked to rate the challenges facing IT organizations today…
• Security, Compliance and Data Protection
#1 Challenge
64% rated a 7 or higher (out of 10)
18% rated it the “most challenging issue”
When asked to rate the different Security, Compliance and Data Protection Issues, our customers said . . .
Issues (Rated >= 7 / Rated Top Challenge):
• Backing up data: 59% / 21%
• Complying with government regulations: 63% / 18%
• Reducing data loss in the event of a disaster: 67% / 19%
• Detecting security attacks or breaches: 70% / 20%
According to IBM client research, of the infrastructure solutions, IT Security has the broadest strategic appeal across all industries and companies of all sizes
Source: IGS Market Assessment Panel, 4Q05
Challenges Facing IT Organizations
Q1. I’d like to turn your attention to some of the challenges facing IT organizations today. Please use a scale of 0 to 10 where 10 means it is “the top challenge” and 0 means that it is “not currently a challenge.” N=1089
Chart values (Rated 7, 8, 9 or 10 / Rated 10 (The Top Challenge)):
• Security, Compliance and Data Protection: 64% / 18%
• Optimizing Cost and Efficiency: 55% / 10%
• Alignment of IT and Business Objectives: 47% / 8%
• Complexity of Infrastructure Management: 44% / 6%
• IT Process Implementation and Integration: 42% / 4%
• Change and Release Management: 36% / 3%
The top challenges are related to the traditional issues facing the IT organization. While between 40% and 50% have begun to address the challenge of maturing their organization through aligning IT with Business needs and formalizing processes and implementation, the top challenges remain addressing the fundamentals of data protection and cost reduction.
The most significant challenge facing IT organizations is Security, Compliance and Data Protection, with almost two-thirds (64%) giving this a rating of ‘7’ or higher, and close to one in five (18%) rating it a most challenging issue.
Optimizing Cost and Efficiency is the second most challenging, with 55% rating it higher than a ‘7.’
Source: IBM Market Intel, Market Needs in ITSM Workshop Summary Mar 2006
Security, Compliance, Data Protection Challenges
Chart values (Rated 7, 8, 9 or 10 / Rated 10 (The Top Challenge)):
• Detect/identify security breaches: 70% / 20%
• Reduce data loss in event of major disaster: 67% / 19%
• Improving IT security management: 66% / 10%
• Complying w/ government regulations: 63% / 18%
• Enforcing policies for protection: 63% / 13%
• Securing/controlling access to IT resources: 60% / 12%
• Backing up/protecting data: 59% / 21%
• Ensuring compliance against external controls: 52% / 12%
• Ensuring compliance with internal audit controls: 48% / 7%
• Improving granularity in point-in-time recovery: 48% / 8%
• Managing user accounts, etc.: 46% / 8%
• Increase spending to meet compliance targets: 45% / 10%
• Remove access/IDs from system when employee leaves the company: 44% / 11%
• Reducing manual effort to respond to requests for audits: 41% / 4%
Q2A. Using the same scale where 10 means “the top challenge” and 0 means “not currently a challenge”, rate the challenge level of the following SECURITY, COMPLIANCE AND DATA PROTECTION issues. N=530
Detecting security attacks or breaches (70%, ‘7’ or higher; 20%, highest) and reducing data loss in the event of a major disaster (67%; 19%) are the highest rated security challenges.
Although fewer rate backing up data as a challenge (59%), 21% see this as a top challenge (rated a ‘10’).
Complying with government regulations is also a key challenge (63%), with 18% indicating a top challenge (rated a ‘10’).
Source: IBM Market Intel, Market Needs in ITSM Workshop Summary Mar 2006
Clients experience challenges in developing a comprehensive security plan
• Understanding required Security Governance and Organization capability
• Identifying where security exposures lie
• Understanding which security capabilities meet business requirements
• Prioritizing which activities to focus on first
• Need for a closed-loop process to enable improvement
• Skilled/trained resources
• Time constraints
We work with clients to assess their entire security landscape
[Diagram: Reference library; 1. Assessment tool; 2. Roadmap: create roadmap for security enhancement program]
The IBM Value Model
Our approach to Security helps clients understand, mitigate, and manage security
• Security Health Check
• Assessments:
– Site
– Process
– System
– Network
– Internet
– Application
– Wireless
• Ethical Hacking
• Enterprise Architecture
• Internet Architecture
• Secure Solution Design
• Secure Wireless Solution Design
• Product Selection
• PKI enabled VPN
• Systems Management Services for Security
• Secure Networks
• Digital Video Surveillance
• Other IBM and OEM Product Implementation
• Managed Security Services
– Intrusion Detection
– Vulnerability Scanning
– Firewall Management
– Incident Management
– Anti-virus Management
– email Security
– Security Intelligence
• Workshops
– Security
– Privacy
– PKI
– Wireless
• Policy Definition
• Standards Definition
• Process Development
• Information Asset Profile
• Privacy Strategy and Implementation
• PKI Planning and Design
Assess: Help me understand my current security posture
Plan & Build: Help me do it
Manage: Manage it for me
IT Security offerings leverage key service products within the IBM Information Security framework
• Identity management: Processes for recognizing and monitoring users, and granting or restricting their access to business assets or resources
• Digital video surveillance: Includes consulting, design, & integration of the components, including storage, networks, cameras, smart surveillance applications
• Network security: Processes for managing access and threats to networking capabilities, including wireless networks
• Data security: Processes for data/backup encryption, content security, as well as protecting the security of information about the business and its customers, employees and partners
IBM Information Security Framework
We have eight themes that are described through a number of capabilities.
Application security
• Application development environment: Secure coding practices; Operational application support environment; Design patterns
• Systems development lifecycle (SDLC): Security in the SDLC process
Personnel security
• Workforce security: Employment lifecycle management; Awareness and training; Code of conduct
Privacy
• Data, rules and objects: Privacy data taxonomy and classification; Privacy business process model; Data usage compliance process
• Policy, practices and controls: Policy taxonomy and glossary; Policy rules definitions; Privacy impact assessment (proactive); Privacy audit (reactive); Awareness and training
• Privacy and information management strategy: Define privacy information strategy; Requirements and compliance process; Incident response
Transaction and data integrity
• Secure storage: Data retrieval; Data storage protection; Data destruction; Archiving
• Systems integrity: Security in systems management; Security in business continuity planning
• Business process transaction security: Fraud detection; Data transaction security
• Database security: Database configuration; Master data control
• Message protection: Public key infrastructure; Message protection security
Threat mitigation
• Vulnerability management: Standard operating environment; Patch management; Vulnerability scanning and assessment
• Incident management: Incident management; Event correlation; Forensics
• Network segmentation and boundary protection: Network zone management and boundary security infrastructure; Remote access infrastructure; Intrusion defense; Network security infrastructure
• Content checking: Virus protection; Content filtering
Governance
• Compliance program: Regulatory compliance; Technical, policy and standards compliance; Health checking; Internal audit and response
• Security risk management framework: Threat risk assessment; Information asset profile; Project risk assessment; Security risk management
• Strategy: Information security policy; Enterprise security architecture
• Governance framework: Governance structure
• Information security advisory: Consulting and advisory services
Identity and access management
• Identity lifecycle management: User provisioning; Other entity provisioning; Identity credential management
• Identity proofing: Background screening; Identity establishment
• Access management: Single sign-on; Authentication services; Access control services
Physical security
• Physical asset management: Asset management; Document management
• Site security: Site planning; Site management
A quick snapshot into Security Solutions
These areas sound simple – but processes can be complex and generate a great deal of customer pain and cost! (Identity management)
All security auditing must be performed manually across every machine – IT must spend weeks auditing security configurations across every resource
Up to 40% of user access is invalid – IT must spend weeks manually auditing user access provisioned to business systems
Up to 30% of application development expenses are to implement secure access – IT is not able to add new services quickly and efficiently
Up to 80% of help desk calls are for password resets – Every call incurs $20 in IT costs
Consider Typical inefficiencies in provisioning a new user…
• New user
• Request for access generated: Who do I call? Where’s the right form?
• Policy and role examined: Multiple user data sources
• Approval routing: Inconsistent, audit-exposed
• IT inbox: Manual processes mean inconsistent handling
• User with accounts: 3 weeks later
Elapsed activation time: up to 3 weeks per user
• Administrators create accounts: Can’t scale to meet enterprise requirements
Each administrator only handles 300-500 users.
Organizations use slow and inconsistent processes to create user accounts and provision user access rights.
Or, inefficiencies and costs to deploying a new initiative
• New business initiative approved
• Application requirements identified
• Custom security access model planned and coded
• User preferences and data privacy rules identified, planned and coded
• New accounts created for each user of this application
• New initiative deployed: Late and over budget
• Application with custom security and privacy rules tested
Users now have yet another unique security login.
Application and data security is custom-written into each business initiative.
Custom security can cost US$40K-$80K to develop per application, and take up to 30% of development time.
Now, compare that with a best-of-breed process to provision a new user…and look at the real value!
New user
Online request for access
• For new employees, may be fed by automated HR processes
Policy and role verified
• Pre-established access and authorization policy, based on user role
• Integrated user identity directory
Approval routing
• Policy and role-based approval
• Workflow engine routes to approvers and tracks response, per set criteria
User with accounts
Hours, not weeks!
Elapsed activation time: hours, not weeks
System creates accounts
• Single sign-on user ID and password generated automatically, based on established policies
Scalability not constrained by administrative staffing
• Automated process based on user role authorization and predefined policies
• Established workflow and response/ escalation criteria when human intervention required
• Consistent policy administration and enforcement
New initiatives define access policies, leverage established process
A solution set for Data Security is Information Asset Profile. (Asset Management)
• Identifies information that requires protection, from a business perspective and a technology perspective.
• Identifies specific sets of information, who has responsibility in several categories, and how and where the information is primarily used.
Opportunity Trigger for Information Asset Profile
Organization is complex, but has not yet identified sources of information needing protection.
Customer Success Story – Freddie Mac:
IBM GTS performed an Information Asset Profile along with a security architecture strategy.
Enabled Freddie Mac to implement policies enterprise-wide, and led to a long-term strategic relationship with IBM.
[Diagram labels: Information Security Investment; Business Impact; Risk Mitigation; Risk to Business; Residual Risk to Manage]
Physical Security is now becoming an issue that the entire enterprise, all sectors and industries, must address.
• Unprecedented and monumental events of the last 10 years have accumulated, heightening the receptivity to physical security measures
– Unimaginable before the calamities.
– Revised perception of the two key dimensions of danger and risk: Threat and Vulnerability
• Beyond public safety and security, video systems are useful in gathering information as a form of documentation, even in private commercial situations with no real sense of threat or danger
– Retail Shrink
– Logistics and Billing
– Risk Management
• Emphasis on having the means to use video and access information as information in a more proactive way.
– Prevention
– Proactive incident management
– Coordination and Control
• Major leverage for digital information in ability to retrieve, to distribute, to retain, to not retain, and to analyze through advanced technologies.
Technology is transitioning from pure analog systems…
Analog “Legacy” Architecture
– Analog Cameras
– Coax from Camera to Video Switch
– Video Matrix Switch to Support Cameras
– Analog/Digital Recorder
– Typically less than one frame per second
– Video Viewed from Single Location
– Typically unable to view and tape simultaneously
[Diagram: Analog Cameras, PTZ, Video Matrix Switch, VTR, Analog Monitor]
• Video Surveillance vocabulary
– “Digital Video Surveillance” – Using digitally encoded video
– “Analog Video Surveillance” or CCTV – Using TV-encoded video
– Digital or Analog Sources versus End-to-End Digital or Analog
– Typical Components: Cameras, Cabling, Encoding, Servers, Storage
• Physical Security versus Information or Logical Security
…moving to a pure IP architecture with IP cameras feeding directly into an IP network enabling remote access…
(Digital Video Surveillance)
IP Architecture
– Digital Camera (integrated Codec)
– 10/100 Ethernet Camera
– Digital Recorder
– Variety of codec formats
– Flexible Video Viewing/Monitor
– PC or PDA
– Hardwired 10/100 Ethernet, VPN, Wireless
– Retrieval (Event/Time Based Non-Linear)
– Support for Wireless Viewing
– Centralized Storage
[Diagram: PTZ, DVR, Storage Server, Wireless Transmitter, Wireless Receiver, Analog Monitor, Digital Workstation, Remote Access, Internet]
Benefits: reduced cost, improved efficiency
IBM Security Digest / Intelligence services
• E-mail notification of security vulnerabilities and threats
• Daily reports outlining pervasive IT threats and attacks
• Emergency paging for high-risk security events
• Monthly summaries of the IT threat environment
• Self-management of mailing list subscriptions
• Web management portal
Summary and Conclusion
Security should become the fabric of an organization
Security
Do you have these check points?
• Strategy Layer: Is your security strategy complete? Does it address your business issues?
• People Layer: Roles and Responsibilities?
• Process Layer: Ensure that your security processes function and produce intended results.
• Data/App. Layer: Sensitive and critical data must be available, managed, and utilized in a secure fashion.
• Technology Layer: IT is the foundation for data management and process execution… maximize uptime and security
• Facilities Layer: The best strategies and processes will be undermined if availability and security of physical assets is not ensured.
Back up
Client Demographics
• Finance Industry
• One of the top 5 banks in China
• Prominent brand
• Growing IT infrastructure due to increasing client base
Infrastructure Risk management and security product implementation
Challenges
• IT security investments were phenomenal but security lapses were very high.
• Business was driving security investments and initiatives; however, loss of information to competition and lapses of client privacy information were causing tremendous churn in the client base
• Phishing of client data was not being noticed
• Management of security components was a nightmare
• Choking of network links was a normal activity due to worms and viruses
Actions
• Detailed Risk Assessment of Infrastructure supporting business – and developing a Risk Management framework
• Security policy assessment and procedure planning.
• Definition of an Information security framework from an architecture perspective providing a 4 year investment road map
• Project lasted 8 months and cost USD $ 1.5 M including product supply
Benefits
• Security lapses estimated to reduce by 93%
• Client churn was reduced (Cannot confirm whether this was attributable only to this) by more than 28%
• Phishing was detected and network bandwidth was optimized for usage. (improvement was noticed - A 30% reduction in utilization)
• Information loss was tracked and processes were put in place to cater to the same.
• 35%