Security in Today’s Business Environment

Jim Tiller, CSO & Managing Vice President of Security Services
Tuesday, June 7, 2005

Overview
  • Today’s Business Climate
  • Threats and Vulnerabilities
  • Regulatory Landscape
  • Simplifying the Business of Security
  • Controlling Access
  • Managing People, Process & Technology
  • Aligning Security to Business Objectives
Today’s Business Climate
  • Running a business in the 21st Century isn’t easy!
  • Security regulations abound
    • 62% of companies spend more on compliance than protection*
  • Evolution of technology and business demands has resulted in highly diverse environments
  • Managing increasing number of vulnerabilities in the face of sophisticated threats
  • Difficulties in aligning People, Process and Technology
  • Challenges in leveraging security knowledge and business process

*Source: RedSiren

Three Simple Security Perspectives
  • The Unlawful (Vulnerability Sensitive)
    • Increasing sophistication
    • Unprecedented collaboration
    • Growing aggressiveness
    • Harmful impacts
  • The Law (Compliance Driven)
    • Increasing number of regulations
    • International impacts
    • Operational challenges
    • Lack of investment predictability
  • Security Posture (Risk Averse)
    • Segmentation of people, process, and technology
    • Poor visibility
    • Inability to determine effectiveness
    • Inability to align to business objectives
Security and Business Infrastructure

(Timeline diagram; only the labels survive extraction, listed here oldest to newest)
  • Pre 1980’s: Business security incorporated into the system. If SAP didn’t do it, the company didn’t do it.
  • Client / Server: Security begins to diverge as systems become more distributed. Processes became departmental.
  • Application Specific / Multi-Tier Application Architecture: Traditional application development complicates security visibility.
  • Diversity of IT and Security: Business demands strain IT and Security in light of diversity. Complex data value chain.
Diversity is a Double-Edged Blade
  • Value to the business
    • Provides foundation for best of breed solutions
    • Supports business initiatives
    • Allows for evolutionary investment strategies
    • Allows organizations to respond to market changes
  • But what does this mean to security?
    • Increased technical gaps
    • Leads to fragmented processes
    • Difficulty in gaining visibility
    • Complicates command and control
  • Security Nemeses
    • Inconsistency and Complexity
    • Result – Vulnerable Security Posture
A Regulated Environment

“Organizations face an increasing amount of liability and regulations, like HIPAA, Gramm-Leach-Bliley and SB 1386. Even in the case of Sarbanes-Oxley, you've got disclosure requirements. They all have pretty harsh penalties, and your liabilities don't stop when you outsource. They only grow.”

– Michael Rasmussen, principal analyst, Forrester
  • Security regulations abound
    • HIPAA for HealthCare
    • GLBA & FFIEC for Financial
    • Sarbanes-Oxley for US public companies
    • CyberSecurity for Utilities
    • SB-1386 (AB-700)
      • Notification of Risk to Personal Data Act (NORPDA)
    • Multiple Privacy regulations
      • US, Canada, Japan, EU, and others
  • Industry reports suggest $80B over the next 5 years in compliance expenditures*

*Source: AMR Research

Current Status
  • Security’s omnipresence challenges meaningful management in light of business objectives
  • Security is segmented: process, risk, policy, technology
    • Focus is applied when demands surface, examples:
      • Firewalls & IDS were significant during the network attacks of the 90s
      • Today, regulations demand more emphasis on process and documentation
    • Meanwhile… Increased sophistication and number of threats continue to challenge the IT environment
  • Result: regardless of vulnerability or regulation…
    • Security has become complex and painful
    • Misalignment between process and technology
    • Inability to bind security investments to larger business imperatives
CIO Worries
  • I worry about a hacker gaining access to our Oracle database and copying social security numbers
  • I worry about a converged network: if the network goes down you lose both voice and data, increasing the risk and worry
  • I worry about staff; I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
  • I worry about new computers being plugged into the network after they have been off net
  • I worry about the new wide range of handheld IP devices which people plug in at will from near and far flung locations
  • I worry about employees working at home bridging networks via WLANs opening up access to our network

Source: Nick Lippis, Trusted Networks Symposium

Cycle of Security Pain
  • Security investments based on “FUD”
  • Executives growing weary
    • Less talk, more revenue
  • Diminishing expectations of security investments
    • “More money? What did you do with the last check?”
  • Constant deluge of “new” security problems
  • Regulatory compliance challenges
  • Cultural challenges inside and outside IT
Information Security in Business Terms
  • What organizations really want from security
    • Simplicity – Simplified management and focus
    • Predictability – In systems and investments
    • Effectiveness – Does what is supposed to for the business
  • Enablers
    • Visibility – In controls, industry, compliance, activity, events, and threat status
    • Alignment – People, process, and technology focused in the same direction
  • Results
    • Confidence – Make changes with a clear understanding of the impact to business operations, risk, and compliance
    • Efficiency – Leverage proven business processes and automation
Getting There
  • Technical / Tactical: “Build Success Early”
    • Establish meaningful, early-win technical solutions
    • Vulnerability Management
    • Identity Management
  • Management: “Organize and Architect”
    • Align People & Process to meet multiple Regulations
    • Information Security Management Framework
  • Technical / Strategic: “Actionable Foundation”
    • Increase technical visibility, command and control
    • Integrated Security Operations Capability
    • Network Access Control
  • Business Management: “Balanced Approach to the Business”
    • Employ metrics to measure against the business goals
    • Security Services Management
Vulnerability Management
  • Information driven
    • Internal status
    • Industry status
      • Events, warnings, etc.
  • Based on Data Acquisition and Employment
  • Collaboration & Tools
    • Testing, validation, deployment
  • Comprehensive Reporting
  • Basic concept:
    • Apply flexible business process to dynamics in technology
    • Integrate with multiple systems to drive automation
    • Support meaningful communication and collaboration
Vulnerability Mgt. Architecture

(Architecture diagram; only the component labels survive extraction)
  • System Inputs: Vulnerability Data Service (CVE), Asset Database, Policy & Profile Server, System Owners
  • Abstraction Layer, Web Services, Systems & Applications
  • Service Driven Provisioning, System Service Support, Business Processes
  • IDS / IPS, Virus, Patches & Service Packs
  • Service Reporting, Activity Reporting & Metrics
Identity Management
  • Combination of Technology and Processes
  • Comprehensive control over who has access to IT resources
  • Controls authorization and entitlement of resource use
  • A business solution, not simply a technical solution
  • Highly pervasive, highly effective
Business Enablement

(Identity management diagram; only the labels survive extraction)
  • Threats
  • Communities: Access Policies & Profiles; Process & Business Management
  • Services: Smart Cards, SSO; Web Services
  • Resources: Distributed Resources; Partner Resources
Elements of Identity Management
  • Identity Consolidation and Synchronization
  • Credential Provisioning and Management
  • Delegation of Administration
  • Authentication and Access Management
  • Profile Management
  • Auditing and Monitoring
  • Single Sign-on
  • User self-service
Positive Business Impacts
  • Increased IT Operational Costs
    • Roughly 48% of help desk calls are password resets
    • User management consumes 5.25% of all IT productivity
    • Most user admin tasks (moves, adds, changes) take 10x longer than necessary
  • Additional security risks
    • Only 70% of users deleted on departure
    • New users provisioned to 16 apps, on departure deleted from 10

Source: Metagroup/PwC Survey
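The deprovisioning gap above (users provisioned to many applications but removed from only some on departure) is found in practice by reconciling each application’s account store against the authoritative HR roster. The following is an added example, not part of the original presentation; the roster, the three application account lists and the reconciliation date are constructed sample data.

```python
"""Reconcile application accounts against the HR roster to find orphaned access.

Added example, not part of the original presentation. All data below is
constructed: a small HR roster (authoritative identity source) and three
per-application account stores keyed by login name.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str                # "active" or "terminated"
    end_date: Optional[date]   # last working day for terminated staff


# Constructed HR roster: employee_id -> Person
HR_ROSTER: Dict[str, Person] = {
    "e100": Person("e100", "active", None),
    "e101": Person("e101", "terminated", date(2005, 5, 31)),
    "e102": Person("e102", "active", None),
    "e103": Person("e103", "terminated", date(2005, 6, 30)),  # leaving, not yet gone
}

# Constructed application account stores: app -> {login: employee_id}
APP_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "sap":    {"jdoe": "e100", "asmith": "e101", "bwong": "e102", "clee": "e103"},
    "oracle": {"jdoe": "e100", "asmith": "e101"},
    "vpn":    {"jdoe": "e100", "bwong": "e102", "contractor7": "e999"},
}

AS_OF = date(2005, 6, 7)   # reconciliation date (constructed)


def _has_left(person: Person, as_of: date) -> bool:
    """True once a terminated employee's last working day has passed."""
    return (person.status == "terminated"
            and person.end_date is not None
            and person.end_date <= as_of)


def find_orphans(roster, app_accounts, as_of) -> Dict[str, List[Tuple[str, str]]]:
    """Return {app: [(login, reason), ...]} for accounts that should not exist.

    reason is 'terminated' when the owner has left, or 'unknown' when the
    account maps to no HR record at all (the harder case: nobody owns it).
    """
    orphans: Dict[str, List[Tuple[str, str]]] = {}
    for app, accounts in app_accounts.items():
        for login, emp in accounts.items():
            person = roster.get(emp)
            if person is None:
                orphans.setdefault(app, []).append((login, "unknown"))
            elif _has_left(person, as_of):
                orphans.setdefault(app, []).append((login, "terminated"))
    return orphans


def leaver_exposure(roster, app_accounts, as_of) -> Dict[str, List[str]]:
    """For each employee who has left, the applications where access survives.

    An empty list means deprovisioning completed; a non-empty one is the
    'provisioned to 16, deleted from 10' gap for that individual.
    """
    exposure: Dict[str, List[str]] = {}
    for emp, person in roster.items():
        if _has_left(person, as_of):
            exposure[emp] = sorted(app for app, accts in app_accounts.items()
                                   if emp in accts.values())
    return exposure


if __name__ == "__main__":
    for app, entries in find_orphans(HR_ROSTER, APP_ACCOUNTS, AS_OF).items():
        for login, reason in entries:
            print(f"{app}: remove {login} ({reason})")
    print(leaver_exposure(HR_ROSTER, APP_ACCOUNTS, AS_OF))
```

The “unknown” case is reported separately from “terminated” on purpose: an account with no HR record at all (a contractor, a shared login, a test account) has no leaver event that will ever trigger its removal, so it only ever surfaces through a reconciliation like this one.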

Security Policy Challenges
  • Security Policies
    • Controls
      • People, Process, and Technology security requirements
    • Management
      • The on-going capability to organize, maintain, and distribute
    • Enforcement
      • The ability to ensure policies are being followed by people and technology
    • Feedback Loop
      • Learning from the application of the policies
  • Challenges in Policy
    • Misalignment of policy to technology
    • Diversity complicates comprehensive security management
    • Difficult to manage people and processes consistently
Information Security Management Gap

(Diagram; only the labels survive extraction)
  • ISMS Framework: Process & Documentation; People (Roles & Responsibilities)
  • Gaps: Enforcement Gaps, Alignment Gaps, Feedback Gaps
Information Security Management Framework
  • Information Security Management System
    • Supports the Information Security Program by the identification, selection, and deployment of controls in order to mitigate information security risk
  • Security Service Orientation
  • Controls Optimization
    • Logical Controls
    • Organizational Controls
    • Technical Controls
  • Process Management
  • Governance Processes
  • Reporting and Validation
Framework Characteristics
  • Policy
    • A high level, implementation neutral, conceptual goal that addresses who and what
  • Program
    • Supports policy by managing multiple plans
  • Plan
    • Supports program by defining activities or projects
  • Standard
    • Supports policy goals, AND implements procedural vision by defining requirements that can be implemented and measured. Standards offer implementation detail and therefore should be protected
  • Process
    • Supports standards by presenting methodology to meet requirements
  • Procedure
    • Supports process by offering reliable, repeatable technique for predictable outcome
  • Specifications
    • Supports standards by defining specific criteria that control devices must meet in order to be considered for use
  • Guidelines
    • Supports standards by “best practice” advice on how to meet requirements
Deeper Look
  • Define control areas horizontally
  • Define security services vertically
  • Intersection is:
    • Roles & Responsibilities
    • Policies and processes
    • Standards
    • Metrics
Driving Relationships
  • Quality and Reporting will expose operational efficiencies and actionable patterns
    • This is especially true for Incident Management
Obscurity to Operational
  • The framework provides the policy structure
    • Defines security goals
    • Defines controls
    • Defines management
  • Framework’s Achilles’ Heel
    • Technical enforcement
    • Comprehensive feedback loop
  • Information systems need alignment
    • Systems do not speak “security” natively to one another
    • People & Security managers cannot effectively access information
  • Options
    • Integrated Security Operations
    • Network Access Control
Integrated Security Operations Center
  • Currently seeing significant trends in this area
    • Companies are leveraging their NOC investment to support security objectives
  • There are several definitions for “integration”
    • Should practice separation of duties
    • Leverage existing infrastructure
    • Alignment of tools, i.e….
      • Ticketing systems linked to incident response
      • Asset and change control linked to patch management
  • Challenge areas
    • Culture
      • “Whose problem?”, “Who fixes it”, “Who pays for it?”
    • Process
      • When does security take the initiative?
    • Technology
      • What tools do I have that I can leverage? How can I work security into my product management lifecycle?
ISOC Business Value
  • Proactive problem identification and response, reducing the cost and impact of threats
    • Faster response
    • Faster recovery
  • Potentially a cost-effective alternative to outsourcing
  • Opportunities for efficiencies through automation, work flow improvement, centralized enterprise intelligence
  • Significant security advantages
    • Visibility
    • Command and Control
  • Potential problems
    • Do you have the skills necessary?
    • What “phase” is your NOC in?
Network Access/Admission Control (NAC)
  • Cisco started the flood
    • 48 vendors participating in the group
  • Represents a rebirth of the network’s role in security
  • Leverages the network for what it can really accomplish
    • Network touches everything
    • Enabler for threats, Enabler for business defense
  • Intelligent networking
    • Provides conduit for upper-layer security services
    • Binds security policy to network capability
    • Investigates systems, services, applications, and users prior to association
    • Isolates potential threats
    • Establishes an “Expectation Envelope”
Next Big Step
  • Vulnerability management reduces exposure
  • Identity management offers flexibility and security
  • ISOC increases visibility, command and control
  • Advances in network security offer proactive controls
  • Result
    • Proactive, Focused, Compliant…. Measurable
  • Utilizing metrics for Long-Term security Management
    • It’s Here, Start now
    • NIST SP 800-55
    • Security Working Group (Government Reform Committee, US House of Representatives, January 2005), 43 pages of security metrics
      • Report of the Best Practices and Metrics Team
Security Services Management
  • Service Measurement & alignment to the business
  • Metrics Strategy
    • Defines the layer between business initiatives and services
    • Defines optimal level
      • Too much or too little can be a bad thing
    • Reporting
  • Metrics Alignment
    • Business owners and industry specifics
    • Governance and approval
  • Key Performance Indicators
    • What’s being measured
Metrics Example
  • Vulnerability to System Ratio (Tech)
    • Understanding the pervasiveness of known vulnerabilities
      • Number of Vulnerabilities
      • Criticality level
      • Affected system/data classification and role
  • Patch Rate (Tech & Proc)
    • Managing the window of vulnerability, test, deployment, verify
      • Number of patches available, pipeline, tested
      • Percentage of deployment
      • Percentage validated
  • People & Process CMM (P&P)
    • Understanding the level of maturity and effectiveness of management practices
      • Localized control management
      • Completeness of control processes & documentation
      • Process interaction
  • Compliance Rate (Tech)
    • Feedback from the technical infrastructure on the adoption of policies
      • Percentage of policies obtained
      • Percentage in compliance
      • Percentage validated
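The four metrics above are only useful if their definitions are fixed and computable from the same inventory, scanner and patch data every reporting period. The block below is an added example, not part of the original presentation, that computes the Vulnerability to System Ratio, Patch Rate and Compliance Rate over constructed sample data. The criticality and data-classification weights are assumptions chosen for illustration, and the finding and patch identifiers (V-1, P-1, …) are placeholders, not real advisories.

```python
"""Compute the slide's security metrics over constructed sample data.

Added example, not part of the original presentation. Asset inventory,
findings, patch pipeline, policy checks and the two weight tables are all
constructed/assumed for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed asset inventory: asset -> data classification
ASSETS: Dict[str, str] = {
    "web01": "public", "db01": "restricted", "hr01": "restricted", "ws-42": "internal",
}

# Constructed open findings: (asset, finding id, criticality). Ids are placeholders.
FINDINGS: List[Tuple[str, str, str]] = [
    ("web01", "V-1", "high"),
    ("web01", "V-2", "low"),
    ("db01",  "V-1", "high"),
    ("db01",  "V-3", "critical"),
    ("ws-42", "V-2", "low"),
]

# Assumed weights: how much a finding counts by criticality, and how much an
# affected system counts by the classification of the data it holds.
CRIT_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
CLASS_WEIGHT = {"public": 1, "internal": 2, "restricted": 3}

# Constructed patch pipeline: patch -> furthest stage reached
PATCHES: Dict[str, str] = {
    "P-1": "validated", "P-2": "deployed", "P-3": "testing", "P-4": "available", "P-5": "validated",
}

# Constructed policy checks reported back by the infrastructure:
# (asset, policy, result) where result is 'pass', 'fail' or 'unchecked'.
CHECKS: List[Tuple[str, str, str]] = [
    ("web01", "ssh-no-root", "pass"), ("web01", "patch-sla", "fail"),
    ("db01",  "ssh-no-root", "pass"), ("db01",  "patch-sla", "pass"),
    ("hr01",  "ssh-no-root", "unchecked"), ("hr01", "patch-sla", "pass"),
    ("ws-42", "ssh-no-root", "unchecked"), ("ws-42", "patch-sla", "unchecked"),
]


def vulnerability_to_system_ratio(assets, findings) -> Tuple[float, float]:
    """(raw, weighted): open findings per system, and the same ratio with each
    finding weighted by criticality times the affected system's data class.
    The raw number hides that db01 carries the critical finding on restricted data."""
    raw = len(findings) / len(assets)
    weighted = sum(CRIT_WEIGHT[crit] * CLASS_WEIGHT[assets[asset]]
                   for asset, _, crit in findings) / len(assets)
    return raw, weighted


def patch_rate(patches) -> Dict[str, object]:
    """Pipeline counts per stage, percentage deployed (deployed or validated)
    and percentage validated, all over every patch known to be available."""
    stages = Counter(patches.values())
    total = len(patches)
    deployed = stages["deployed"] + stages["validated"]
    return {
        "pipeline": dict(stages),
        "pct_deployed": 100.0 * deployed / total,
        "pct_validated": 100.0 * stages["validated"] / total,
    }


def compliance_rate(checks) -> Dict[str, float]:
    """pct_validated: share of checks the infrastructure actually reported on.
    pct_compliant: passes as a share of validated checks only. An 'unchecked'
    result is a feedback-loop gap, never counted as compliant."""
    total = len(checks)
    validated = [c for c in checks if c[2] != "unchecked"]
    passed = [c for c in validated if c[2] == "pass"]
    return {
        "pct_validated": 100.0 * len(validated) / total,
        "pct_compliant": 100.0 * len(passed) / len(validated) if validated else 0.0,
    }


if __name__ == "__main__":
    print("vuln/system ratio (raw, weighted):", vulnerability_to_system_ratio(ASSETS, FINDINGS))
    print("patch rate:", patch_rate(PATCHES))
    print("compliance rate:", compliance_rate(CHECKS))
```

Reporting the validated share alongside the compliant share matters: a compliance figure computed only over systems that answered the policy query looks healthy even when a growing fraction of the estate has stopped reporting, which is exactly the feedback gap the framework slides warn about.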
Bringing it Together

(Summary diagram; only the labels survive extraction)
  • Business Imperatives: Business Alignment, Security Alignment, Align Security to Assets
  • Flexible & Proactive Controls: Identity Management, Vulnerability Management
  • Security Services Management (SSM): Service Level; Operational Integrity; Gain Awareness of Investment Effectiveness, Predictability of Effort
  • Integrated Security Operations Capability (ISOC): Enhanced Visibility, Command and Control, Increased Security
  • Risk Management, Regulatory Compliance, People & Process (ISMF)
Supporting the Business

(Diagram labels: Technical Architecture; Security Services Framework; Security Services Management; Business Aware Security)

“IT executives will be seeing more demands to specify and quantify not just efforts and actions, but performance. Try to benchmark your cybersecurity performance against outside measures. The key is to develop ways of demonstrating—specifically, quantifiably, and defensibly—your impact on your organization's cybersecurity.”

– Jeffrey Hunker, professor of technology and public policy, Carnegie Mellon University
Thank You!