Security in the Digital Age - IBM · 2006-10-30 · • Systems Management Services for Security...


Security in the Digital Age

Understand, mitigate and manage security risks


Maneesh Tripathi

Service Product Line Executive, Security and Privacy Services – IBM Global Technology Services Asia Pacific

Global Technology Services

Introduction and the Security Industry


It's interesting to note that security threats are getting personal and commercial

• The incidents reported to CERT.ORG are growing exponentially year after year

• The sophistication of these attacks has reached unprecedented levels

• The weaker point of the chain is often the target. Today: the end user and wireless networks

IBM Security Index

• 237 million security attacks during 1st half 05

• Resurgence of targeted phishing attacks for money laundering and identity fraud purposes

• More and more astute in the creation and delivery of such attacks

• Hackers have turned toward more criminal and lucrative areas of directing attacks to specific individuals or organizations

• During 1st quarter, 35 million attacks specifically designed to steal critical data and personal information for financial gains

• The government was the most targeted industry with more than 54 million targeted attacks, manufacturing ranked second with almost 36 million attacks recorded, and financial services was third with a little over 34 million (Message Labs contributed to this item)

• Increased critical security events are seen on Fridays and Sundays


“Security, compliance and data protection” is the #1 challenge facing IT organizations.

Source: IBM Market Intel, Market Needs in ITSM Workshop Summary March 2006, n=1089

When customers were asked to rate the challenges facing IT organizations today…

• Security, Compliance and Data Protection

#1 Challenge: 64% rated a 7 or higher (out of 10); 18% rated it the “most challenging issue”

When asked to rate the different Security, Compliance and Data Protection Issues, our customers said . . .

• Backing up data: 59% rated >= 7; 21% rated top challenge

• Complying with government regulations: 63% rated >= 7; 18% rated top challenge

• Reducing data loss in the event of a disaster: 67% rated >= 7; 19% rated top challenge

• Detecting security attacks or breaches: 70% rated >= 7; 20% rated top challenge

According to IBM client research, of the infrastructure solutions, IT Security has the broadest strategic appeal across all industries and companies of all sizes.

Source: IGS Market Assessment Panel, 4Q05


Challenges Facing IT Organizations

Share rated 7, 8, 9 or 10 / share rated 10 (The Top Challenge):

• Security, Compliance and Data Protection: 64% / 18%

• Optimizing Cost and Efficiency: 55% / 10%

• Alignment of IT and Business Objectives: 47% / 8%

• Complexity of Infrastructure Management: 44% / 6%

• IT Process Implementation and Integration: 42% / 4%

• Change and Release Management: 36% / 3%

Q1. I’d like to turn your attention to some of the challenges facing IT organizations today. Please use a scale of 0 to 10 where 10 means it is “the top challenge” and 0 means that it is “not currently a challenge.” N=1089

The top challenges are related to the traditional issues facing the IT organization. While between 40% and 50% have begun to address the challenge of maturing their organization through aligning IT with Business needs and formalizing processes and implementation, the top challenges remain addressing the fundamentals of data protection and cost reduction.

The most significant challenge facing IT organizations is Security, Compliance and Data Protection, with almost two-thirds (64%) giving this a rating of ‘7’ or higher, and close to one in five (18%) rating it a most challenging issue.

Optimizing Cost and Efficiency is the second most challenging, with 55% rating it higher than a ‘7.’

Source: IBM Market Intel, Market Needs in ITSM Workshop Summary Mar 2006


Security, Compliance, Data Protection Challenges

Share rated 7, 8, 9 or 10 / share rated 10 (The Top Challenge):

• Detect/identify security breaches: 70% / 20%

• Reduce data loss in event of major disaster: 67% / 19%

• Improving IT security management: 66% / 10%

• Complying w/ government regulations: 63% / 18%

• Enforcing policies for protection: 63% / 13%

• Securing/controlling access to IT resources: 60% / 12%

• Backing up/protecting data: 59% / 21%

• Ensuring compliance against external controls: 52% / 12%

• Ensuring compliance with internal audit controls: 48% / 7%

• Improving granularity in point-in-time recovery: 48% / 8%

• Managing user accounts, etc.: 46% / 8%

• Increase spending to meet compliance targets: 45% / 10%

• Remove access/IDs from system when employee leaves the company: 44% / 11%

• Reducing manual effort to respond to requests for audits: 41% / 4%

Q2A. Using the same scale where 10 means “the top challenge” and 0 means “not currently a challenge”, rate the challenge level of the following SECURITY, COMPLIANCE AND DATA PROTECTION issues. N=530

Detecting security attacks or breaches (70%, ‘7’ or higher; 20%, highest) and reducing data loss in the event of a major disaster (67%; 19%) are the highest rated security challenges.

Although fewer rate backing up data as a challenge (59%), 21% see this as a top challenge (rated a ‘10’).

Complying with government regulations is also a key challenge (63%), with 18% indicating a top challenge (rated a ‘10’).

Source: IBM Market Intel, Market Needs in ITSM Workshop Summary Mar 2006


Clients experience challenges in developing a comprehensive security plan

• Understanding required Security Governance and Organization capability

• Identifying where security exposures lie

• Understanding which security capabilities meet business requirements

• Prioritizing which activities to focus on first

• Need for a closed-loop process to enable improvement

• Skilled/trained resources

• Time constraints


We work with clients to assess their entire security landscape

[Diagram: reference library, assessment tool and roadmap (create roadmap for security enhancement program)]


The IBM Value Model


Our approach to Security helps clients understand, mitigate, and manage security

• Security Health Check
• Assessments:
– Site
– Process
– System
– Network
– Internet
– Application
– Wireless
• Ethical Hacking

• Enterprise Architecture
• Internet Architecture
• Secure Solution Design
• Secure Wireless Solution Design
• Product Selection
• PKI enabled VPN
• Systems Management Services for Security
• Secure Networks
• Digital Video Surveillance
• Other IBM and OEM Product Implementation

• Managed Security Services
– Intrusion Detection
– Vulnerability Scanning
– Firewall Management
– Incident Management
– Anti-virus Management
– email Security
– Security Intelligence

• Workshops
– Security
– Privacy
– PKI
– Wireless

• Policy Definition
• Standards Definition
• Process Development
• Information Asset Profile
• Privacy Strategy and Implementation
• PKI Planning and Design

Assess: Help me understand my current security posture

Plan & Build: Help me do it

Manage: Manage it for me


IT Security offerings leverage key service products within the IBM Information Security framework

• Identity management: Processes for recognizing and monitoring users, and granting or restricting their access to business assets or resources

• Digital video surveillance: Includes consulting, design, & integration of the components, including storage, networks, cameras, smart surveillance applications

• Network security: Processes for managing access and threats to networking capabilities, including wireless networks

• Data security: Processes for data/backup encryption, content security, as well as protecting the security of information about the business and its customers, employees and partners


IBM Information Security Framework

We have eight themes that are described through a number of capabilities.

Governance
• Strategy
– Information security policy
– Enterprise security architecture
• Governance framework
– Governance structure
• Information security advisory
– Consulting and advisory services
• Security risk management framework
– Threat risk assessment
– Information asset profile
– Project risk assessment
– Security risk management
• Compliance program
– Regulatory compliance
– Technical, policy and standards compliance
– Health checking
– Internal audit and response

Privacy
• Privacy and information management strategy
– Define privacy information strategy
– Requirements and compliance process
– Incident response
• Policy, practices and controls
– Policy taxonomy and glossary
– Policy rules definitions
– Privacy impact assessment (proactive)
– Privacy audit (reactive)
– Awareness and training
• Data, rules and objects
– Privacy data taxonomy and classification
– Privacy business process model
– Data usage compliance process

Threat mitigation
• Vulnerability management
– Standard operating environment
– Patch management
– Vulnerability scanning and assessment
• Incident management
– Incident management
– Event correlation
– Forensics
• Network segmentation and boundary protection
– Network zone management and boundary security infrastructure
– Remote access infrastructure
– Intrusion defense
– Network security infrastructure
• Content checking
– Virus protection
– Content filtering

Transaction and data integrity
• Secure storage
– Data retrieval
– Data storage protection
– Data destruction
– Archiving
• Systems integrity
– Security in systems management
– Security in business continuity planning
• Business process transaction security
– Fraud detection
– Data transaction security
• Database security
– Database configuration
– Master data control
• Message protection
– Public key infrastructure
– Message protection security

Identity and access management
• Identity lifecycle management
– User provisioning
– Other entity provisioning
– Identity credential management
• Identity proofing
– Background screening
– Identity establishment
• Access management
– Single sign-on
– Authentication services
– Access control services

Application security
• Application development environment
– Secure coding practices
– Operational application support environment
– Design patterns
• Systems development lifecycle (SDLC)
– Security in the SDLC process

Physical security
• Physical asset management
– Asset management
– Document management
• Site security
– Site planning
– Site management

Personnel security
• Workforce security
– Employment lifecycle management
– Awareness and training
– Code of conduct


A quick snapshot into Security Solutions


These areas sound simple – but processes can be complex and generate a great deal of customer pain and cost! (Identity management)

• All security auditing must be performed manually across every machine – IT must spend weeks auditing security configurations across every resource

• Up to 40% of user access is invalid – IT must spend weeks manually auditing user access provisioned to business systems

• Up to 30% of application development expenses are to implement secure access – IT is not able to add new services quickly and efficiently

• Up to 80% of help desk calls are for password resets – Every call incurs $20 in IT costs


Consider typical inefficiencies in provisioning a new user…

• New user

• Request for access generated: Who do I call? Where’s the right form?

• Policy and role examined: Multiple user data sources

• Approval routing: Inconsistent, audit-exposed

• IT inbox: Manual processes mean inconsistent handling

• User with accounts: 3 weeks later

Elapsed activation time: up to 3 weeks per user

• Administrators create accounts: Can’t scale to meet enterprise requirements

Each administrator only handles 300-500 users.

Organizations use slow and inconsistent processes to create user accounts and provision user access rights.


Or, inefficiencies and costs to deploying a new initiative

• New business initiative approved

• Application requirements identified

• Custom security access model planned and coded

• User preferences and data privacy rules identified, planned and coded

• New accounts created for each user of this application

• New initiative deployed: Late and over budget

• Application with custom security and privacy rules tested

Users now have yet another unique security login.

Application and data security is custom-written into each business initiative.

Custom security can cost US$40K-$80K to develop per application, and take up to 30% of development time.


Now, compare that with a best-of-breed process to provision a new user…and look at the real value!

New user

Online request for access

• For new employees, may be fed by automated HR processes

Policy and role verified

• Pre-established access and authorization policy, based on user role

• Integrated user identity directory

Approval routing

• Policy and role-based approval

• Workflow engine routes to approvers and tracks response, per set criteria

User with accounts

Hours, not weeks!

Elapsed activation time: hours, not weeks

System creates accounts

• Single sign-on user ID and password generated automatically, based on established policies

Scalability not constrained by administrative staffing

• Automated process based on user role authorization and predefined policies

• Established workflow and response/ escalation criteria when human intervention required

• Consistent policy administration and enforcement

New initiatives define access policies, leverage established process


A solution set for Data Security is Information Asset Profile. (Asset Management)

• Identifies information that requires protection, from a business perspective and a technology perspective.

• Identifies specific sets of information, who has responsibility in several categories, and how and where the information is primarily used.

Opportunity Trigger for Information Asset Profile

Organization is complex, but has not yet identified sources of information needing protection.

Customer Success Story – Freddie Mac:

IBM GTS performed an Information Asset Profile along with a security architecture strategy.

Enabled Freddie Mac to implement policies enterprise-wide, and led to a long-term strategic relationship with IBM.

[Diagram: Information Security Investment; Business Impact; Risk Mitigation; Risk to Business; Residual Risk to Manage]


Physical Security is now becoming an issue that the entire enterprise, all sectors and industries, must address.

• Unprecedented and monumental events of the last 10 years have accumulated, heightening the receptivity to physical security measures

– Unimaginable before the calamities.

– Revised perception of the two key dimensions of danger and risk: Threat and Vulnerability

• Beyond public safety and security, video systems are useful in gathering information as a form of documentation, even in private commercial situations with no real sense of threat or danger

– Retail Shrink

– Logistics and Billing

– Risk Management

• Emphasis on having the means to use video and access information as information in a more proactive way.

– Prevention

– Proactive incident management

– Coordination and Control

• Major leverage for digital information in ability to retrieve, to distribute, to retain, to not retain, and to analyze through advanced technologies.


Technology is transitioning from pure analog systems….

Analog “Legacy” Architecture

– Analog Cameras
– Coax from Camera to Video Switch
– Video Matrix Switch to Support Cameras
– Analog/Digital Recorder
– Typically less than one frame per second
– Video Viewed from Single Location
– Typically unable to view and tape simultaneously

[Diagram: Analog Cameras, PTZ, Video Matrix Switch, VTR, Analog Monitor]

• Video Surveillance vocabulary

– “Digital Video Surveillance” – Using digitally encoded video
– “Analog Video Surveillance” or CCTV – Using TV-encoded video
– Digital or Analog Sources versus End-to-End Digital or Analog
– Typical Components: Cameras, Cabling, Encoding, Servers, Storage

• Physical Security versus Information or Logical Security


….moving to a pure IP architecture with IP cameras feeding directly into an IP network enabling remote access. …

(Digital Video Surveillance)

IP Architecture

– Digital Camera (integrated Codec)
– 10/100 Ethernet Camera
– Digital Recorder
– Variety of codec formats
– Flexible Video Viewing/Monitor
– PC or PDA
– Hardwired 10/100 Ethernet, VPN, Wireless
– Retrieval (Event/Time Based Non-Linear)
– Support for Wireless Viewing
– Centralized Storage

[Diagram: PTZ, Wireless Transmitter, Wireless Receiver, DVR, Storage Server, Digital Workstation, Analog Monitor, Remote Access, Internet]

Benefits: reduced cost, improved efficiency


IBM Security Digest / Intelligence services

• E-mail notification of security vulnerabilities and threats

• Daily reports outlining pervasive IT threats and attacks

• Emergency paging for high-risk security events

• Monthly summaries of the IT threat environment

• Self-management of mailing list subscriptions

• Web management portal


Summary and Conclusion


Security should become the fabric of an organization

Security: Do you have these check points?

• Strategy Layer: Is your security strategy complete? Does it address your business issues?

• People Layer: Roles and Responsibilities?

• Process Layer: Ensure that your security processes function and produce intended results.

• Data/App. Layer: Sensitive and critical data must be available, managed, and utilized in a secure fashion.

• Technology Layer: IT is the foundation for data management and process execution… maximize uptime and security

• Facilities Layer: The best strategies and processes will be undermined if availability and security of physical assets is not ensured.


Back up


Client Demographics

• Finance Industry

• One of the top 5 banks in China

• Prominent brand

• Growing IT infrastructure due to increasing client base

Infrastructure Risk management and security product implementation

Challenges

• IT security investments were phenomenal but security lapses were very high.

• Business was driving security investments and initiatives; however, loss of information to competition and lapses of client privacy information were causing tremendous churn in the client base

• Phishing of client data was not being noticed

• Management of security components was a nightmare

• Choking of network links was a normal activity due to worms and viruses

Actions

• Detailed Risk Assessment of Infrastructure supporting business – and developing a Risk Management framework

• Security policy assessment and procedure planning.

• Definition of an Information security framework from an architecture perspective providing a 4 year investment road map

• Project lasted 8 months and cost USD $ 1.5 M including product supply

Benefits

• Security lapses estimated to reduce by 93%

• Client churn was reduced (Cannot confirm whether this was attributable only to this) by more than 28%

• Phishing was detected and network bandwidth was optimized for usage. (improvement was noticed - A 30% reduction in utilization)

• Information loss was tracked and processes were put in place to cater to the same.

• 35%