ERP in the Time of Breaches - Best Practices for Data Security

ERP in the Time of Breaches Protect Yourself with the Right Governance, Risk and Compliance

Transcript of ERP in the Time of Breaches - Best Practices for Data Security

ERP in the Time of Breaches: Protect Yourself with the Right Governance, Risk and Compliance

• The Role of Information Security

• IT Security Conundrums

• Best Practices for Security

• How Providers can Alleviate Concerns

• Q&A

Today’s Presenter

Greg Pierce

• Chief Cloud Officer, Concerto Cloud Services

• Pioneer in Enterprise Cloud Computing

• Veteran business leader and entrepreneur with over 20 years’ experience

• Helps businesses transform through the use of disruptive technologies

The Role of Information Security

Goal of Information Security

Administrative, Technical and Physical Controls work together to ensure the confidentiality, integrity and availability (CIA) of critical systems and confidential information.

Information Security is a goal - we must continually strive for it with no guarantee of achievement.

IT Security Conundrum One

Regulatory compliance and/or certification ONLY serves as a guideline.

IT Security Conundrum Two

IT Security Conundrum Three

Spending more (without other security processes) can deliver a false sense of security.

IT Security Conundrum Four

YOU are the target, regardless of your industry vertical or company size.

IT Security Conundrum Five

It is easy to drive the wrong behavior from your users.

Education is key, and policies must not be so restrictive that they drive users to work around them.

Information Security Domains

1. Access Control
2. Application Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security and Risk Management
6. Legal, Regulations, Compliance and Investigations
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security

Security – A Year In Review

Security Has Everyone’s Attention

[Timeline chart, Apr 2013 – Sept 2014, of major breaches: 70MM records stolen and 40MM credit & debit cards (Nov 15 – Dec 15, 2013); 56MM credit & debit cards (labeled Apr – Sept, 2013); 76MM of 83MM accounts stolen (July 14 – Sept 2014); 9000 credit & debit cards]

The Target Breach – How did they do it?

• Compromised HVAC contractor, likely via a phishing email

– Used free version of anti-malware that lacked real-time protection

– Malware stole credentials to Target supplier portal

• Portal

– Not properly segmented on the network from other critical systems

– Lacked two-factor authentication

– Supplier/Vendor info was public, so attackers used this info for a social engineering attack (HVAC contractor)

– Supplier/Vendor ecosystem lacked security awareness training (best practice, etc.)

• Took advantage of monitoring system’s default username and password

– Installed “RAM scraping” malware on POS systems

– Disguised communications as legitimate monitoring traffic

– Exfiltrated data was sent to an FTP server in Russia over the course of two days

Target Breach - By the numbers

• 70 million – # of records stolen

• 40 million – # of credit/debit cards stolen

• $100 million – amount Target will spend upgrading payment terminals

• 46% – percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before

• $53.7 million – income the hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85

• ZERO – Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target

The Target Breach – Why they got away

“Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security”

Gregg Steinhafel, CEO

The Target Breach – Why they got away

• Failure or lack of established process and procedure

– Security systems rapidly detected the security event, but there was no response by IT

• Weakness in the architecture of the Supplier portal

– Insufficient oversight during the planning and implementation phase allowed logical connectivity to sensitive systems and data – Architectural review board?

– Infrequent assessment of systems to understand their impact on Information Security?

• Lack of security awareness training
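The two architectural failures above (a vendor portal with logical connectivity to sensitive systems, and POS data leaving the environment over FTP) both show up in ordinary firewall flow logs if someone is looking. The following is an added example, not code from the presentation or from Concerto: it runs a zone allow-list over constructed flow-log lines and flags cross-segment flows that policy does not permit, outbound FTP, and bulk transfers to a single external host. The zone names, CIDRs, allow-list, log format and log lines are all hypothetical and constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed segment map (hypothetical CIDRs, not any real environment's addressing).
SEGMENTS = {
    "pos": ipaddress.ip_network("10.10.0.0/16"),
    "vendor_portal": ipaddress.ip_network("10.50.0.0/24"),
    "monitoring": ipaddress.ip_network("10.60.0.0/24"),
    "payment_gw": ipaddress.ip_network("10.70.0.0/24"),
}

# Constructed allow-list of cross-zone flows as (src_zone, dst_zone, dst_port).
# Any other flow that crosses a zone boundary is treated as a segmentation violation.
ALLOWED_CROSS_ZONE = {
    ("pos", "payment_gw", 443),
    ("monitoring", "pos", 5666),
    ("vendor_portal", "external", 443),
}

FTP_PORTS = {20, 21}                      # plaintext bulk-transfer channel
BULK_THRESHOLD_BYTES = 10 * 1024 * 1024   # per (source zone, external host)

# Constructed flow-log format, loosely modelled on iptables-style syslog lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) flow: ACCEPT SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+) BYTES=(?P<bytes>\d+)$"
)

# Constructed sample log: one allowed POS->gateway flow, one allowed monitoring poll,
# a vendor-portal host reaching a POS host over SMB, and a POS host pushing a large
# transfer to an external FTP server.
SAMPLE_LOG = """\
2014-01-01T02:14:05Z fw1 flow: ACCEPT SRC=10.10.4.21 DST=10.70.0.5 PROTO=TCP DPT=443 BYTES=1820
2014-01-01T02:15:11Z fw1 flow: ACCEPT SRC=10.60.0.9 DST=10.10.4.21 PROTO=TCP DPT=5666 BYTES=512
2014-01-01T02:16:40Z fw1 flow: ACCEPT SRC=10.50.0.12 DST=10.10.4.21 PROTO=TCP DPT=445 BYTES=90311
2014-01-01T02:20:03Z fw1 flow: ACCEPT SRC=10.10.4.21 DST=198.51.100.7 PROTO=TCP DPT=21 BYTES=4096
2014-01-01T02:20:09Z fw1 flow: ACCEPT SRC=10.10.4.21 DST=198.51.100.7 PROTO=TCP DPT=20 BYTES=52428800
2014-01-01T02:21:00Z fw1 flow: ACCEPT SRC=10.60.0.9 DST=10.70.0.5 PROTO=TCP DPT=22 BYTES=700
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known segments is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_line(line: str):
    """Parse one flow-log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    rec["bytes"] = int(rec["bytes"])
    rec["src_zone"] = zone_of(rec["src"])
    rec["dst_zone"] = zone_of(rec["dst"])
    return rec


def analyze(lines):
    """Return a list of findings; each is a dict with a 'kind' plus the offending flow."""
    findings = []
    outbound = defaultdict(int)   # (src_zone, external dst ip) -> bytes sent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flow = {"src": rec["src"], "dst": rec["dst"], "port": rec["dpt"]}
        crosses = rec["src_zone"] != rec["dst_zone"]
        if crosses and (rec["src_zone"], rec["dst_zone"], rec["dpt"]) not in ALLOWED_CROSS_ZONE:
            findings.append({"kind": "segmentation_violation", **flow,
                             "zones": f"{rec['src_zone']}->{rec['dst_zone']}"})
        if rec["dst_zone"] == "external":
            if rec["dpt"] in FTP_PORTS:
                findings.append({"kind": "plaintext_exfil_channel", **flow})
            outbound[(rec["src_zone"], rec["dst"])] += rec["bytes"]
    for (zone, dst), total in outbound.items():
        if total > BULK_THRESHOLD_BYTES:
            findings.append({"kind": "bulk_outbound", "src_zone": zone, "dst": dst, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The point of the allow-list shape is that the policy is the small, reviewable object: a vendor portal that can reach POS hosts over SMB, or a monitoring host that can reach the payment gateway, is wrong by construction rather than something an analyst has to recognise. The bulk-outbound aggregate is what a "disguised as monitoring traffic" exfiltration still cannot hide, because the byte count per external destination is unaffected by how the connection is labelled.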

Users are the Common Link

• Trojans – software downloads (e.g. Kazaa)

• Viruses – email

• Zombies or Botnets

• Phishing (Identity Theft)

• Spyware

Source: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html

“Application users are most often the determining factor in whether or not a security breach occurs”

What can we learn?

A breach can happen to any company of any size and any industry – learning from others is critical.

Best Practices to Secure Your ERP Solution and Organization

Best Practice One: Holistic Planning

Security is a Holistic Program

– Process (not a project): never 100%

– Risk Management: improve security posture

– Changing Security Landscape: threats (motives) and countermeasures

Best Practice Two: Building Awareness

• Security awareness is the knowledge, skill and attitude an individual possesses regarding the protection of information assets.

• Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse your account, computer or the data stored on your computer.

• Awareness of the risks and available safeguards is the first line of defense for the security of information, systems and networks.

“Application users are most often the determining factor in whether or not a security breach occurs” – source: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html

Security Awareness Includes

• Information about how to: Protect, Detect, React

• Knowledge, Skill and Attitude: the What, the How, the Why

• Culture Change

Best Practice Three: Encryption

Data in Use, Data in Motion, and Data at Rest - ensure encryption for ALL classes of data

Best Practice Four: Layered Structure

A high-level summary of the security layers includes:

• Centralized and automated anti-malware and OS patching

• Identity management

• True network segmentation and isolation from ingress to egress at layer 2 and 3

• Data in-motion encryption by default

• Multiple firewall segments operating at layer 1-7 of the OSI stack

• State-of-the-art IDPS solution monitored and managed 24x7 by a dedicated security operations center (SOC)

• Reverse Proxy services

• “Other” confidential and proprietary security mechanisms and practices

• Intelligent, multi-point syslog solution

Best Practice Five: Triangulate

Process, Process, Process

Best Practice Six: Compliance Blueprint

FIPS

How Providers Can Alleviate Concerns

The Market Has Gone to the Clouds

• 45% of companies plan to move ERP to the cloud in the next 5 years

• Other studies state that the market is moving even faster than predicted here

The Cloud Changes Everything …Except Security

Ensure your hosting/cloud solution is subject to IT audit with your IT security team.

Is your hosting/cloud solution subject to internal IT audit with your IT security team?

Not All Clouds Are Equal

• ISC2 and CSA have partnered to offer a new Cloud Security Certification – SecurityWeek: ISC and CSA Partner for Certification Offering

• Amazon S3 poor configuration puts sensitive data at risk – SecurityWeek: Amazon Puts S3 Data At Risk

• Web application attacks challenge cloud and on-premise infrastructures – SecurityWeek: Web Application Attacks Increase

• Trust in the Cloud? – SecurityWeek: Lieberman: IT Doesn't Trust the Cloud

What’s So Troubling About Cloud Security?

How Cloud Providers Can Address Concerns

• Transparency/Control Over Datacenter/Data Locality/Security Auditability

• Verifiable End-to-end Encryption – Data in Transit

• Industry/Government Regulation Compliance

• Proven Tools and Control with Restricted Access

• Control Over Security/Encryption

• Dedicated Resources/Data Isolation

• Provide Proven References

• Industry Standards for Data Privacy and Security

• Explicit Contractual Responsibilities for Service Levels/Security

• Provider Certification Standards

• Region/Country Specific Datacenter Locations

Things to Remember

Ensure the security and privacy of your Cloud application with:

• The Right Cloud for the Right Application

• Compliance

• IDS/IPS

• Protection for Data at Rest

• Simplicity for Complex Applications. Concerto was designed to meet the toughest regulatory challenges and the most complex demands – and has earned an industry leading customer retention rate as a result.

• Comprehensive Channel Enablement Services. Innovative private and hybrid cloud and business transformation services help channel partners go to market quickly.

• Recognized Cloud Provider for Microsoft Applications. Concerto Cloud is the go-to cloud provider for Microsoft applications and is recognized as Microsoft’s ISV of the Year for Cloud Services.

The Cloud That’s Up to Your Challenge

Cloud Services Quick Facts

FOR MORE INFORMATION: (844) 760-1842

www.concertocloud.com

[email protected]