
Security Trends in the Commercial World

By Christopher Ray (cray@aflac.com)


Presentation Transcript


  1. Security Trends in the Commercial World
     By Christopher Ray (cray@aflac.com)

  2. Agenda
     1. Goals of Business
     2. Security Models
     3. Where to Begin
     4. Closing
     Encourage open dialogue – seeking input

  3. Goals of the Business
     • Why are companies in existence?
     • Why is security needed?
     • How is security like any other job?
     • Scope of discussion focuses on:
       - Commercial service-based business (healthcare, banking, etc.)
       - Regulatory environment
       - Security alignment within IT or the COO/CFO
       - Reasonable amount of staffing (not a one-man show)
       - Reasonable amount of budget (4+%)

  4. Security Models: Yesterday, Today, Tomorrow

  5. Traditional Security Model
     • Isolationist Perspective
       - Draw a perimeter around your sandbox
       - Do not allow outsiders
       - Trust your employees
     • Typical Setup
       - Firewall
       - DMZ environment
       - Segmented LANs
       - Antivirus
       - Perimeter IDS

  6. Today’s Security Model
     • No Boundaries Perspective
       - Complex systems with a much bigger sandbox
       - Try to determine who the outsiders are
       - Trust (but verify) your employees
       - Deliver more, faster, cheaper, and to smaller devices
     • Typical Setup
       - Varies per company depending on architecture, industry, and budget

  7. Today’s Security Model – cont’d
     Solutions found today in many corporate security programs:
     • Firewall
     • IDS/IPS
     • Spam/Email virus filtering
     • Layered switching
     • VPN (IPsec/SSL)
     • URL filtering
     • Host-based antivirus
     • Host-based firewall
     • Patching (system/application)
     • Configuration management
     • Access controls
     • File transmission security (SSL)
     • Remote access controls (VPN, ACLs)
     • Disaster Recovery
     • Education and awareness training

  8. Today’s Security Model – cont’d
     More developed programs may include:
     • Malware / Botnet detection
     • Database encryption
     • Tape encryption (mainframe / backup)
     • Application layer firewalls
     • Network access controls
     • Security event management
     • Secure code development validation
     • Data Leakage Prevention (DLP)
     • Internet virus filtering
     • Configuration management
     • Host-based forensics
     • Network-based forensics
     • Mobile device encryption
       - Notebooks
       - PDAs or smart phones
       - USB or other external storage devices
     • Wireless Security
     • Data masking
     • Email encryption
     • Virtualization to segment off environment
     • Fraud detection
     • Advanced access management using strong authentication (e.g. biometrics, retina scans, etc.)
     • Identity management
       - Role-based access controls
       - User provisioning
     • E-discovery
     • Data Labeling

  9. Today’s Security Model – cont’d
     What’s needed today:
     • Tools and automation
     • Layered security solutions – there is no magic “snake oil”
     • Example of mobile device security:
       - Access controls
       - Two-factor authentication for remote access
       - Device encryption
       - Database encryption
       - Periodic purging of data
       - Antivirus software
       - Host-based firewall technology
       - Theft recovery software (with LoJack capability)
     • Talented professionals who can keep up with technology

  10. Tomorrow’s CISO
     • Roles are changing for infosec leaders, with more focus on:
       - Legal issues (e-discovery, employee relations, contracts)
       - Compliance (regulatory, PCI, privacy laws)
       - Policy/Procedures (have always been needed)
       - Formalized risk management with better business alignment
     • Future trends (opinion only):
       - Federated identity and other ways to implement SSO
       - Tighter network access controls (i.e. device authentication)
       - Application Level Security
       - Digital rights management
       - Managed Services
       - Social Networking (LinkedIn, Second Life, Facebook)

  11. Where to Begin
     • With all of the technologies and gaps that may exist, you have to be able to:
       - Prioritize
       - Sell the ideas
       - Plan
       - Implement methodically
       - Sell some more
       - Leverage relationships within other departments
     • So where would you begin?
     • What challenges do you see facing security?

  12. Ongoing Challenges
     • Shift in the threat
       - Moved from individuals hacking for fun to organized crime
       - Thoughts on cyber warfare?
     • Amount of change
       - Increasing volumes of data
       - Mobile device management (more, smaller, cheaper)
       - Complexity of applications / systems
       - Speed of delivery in an Internet world

  13. Questions?
