Transcript Document
4. qualityaustria Forum: Creating opportunities through new requirements!
Identity, Security and Risk Management
Dragutin Bošnjaković, Information Security Advisor, Atos IT Solutions and Services d.o.o. Beograd
4. qualityaustria Forum, Beograd (Belgrade), 02.10.2013

Agenda
▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions

Section: Introduction

Today's World: Computers Everywhere
▶ Desktop computers account for less than 1% of the total embedded microprocessors globally. It is estimated that more than 10 billion embedded microprocessors are produced annually.
▶ "A typical luxury saloon car today may use more than 100 megabytes of computer code spread across 50 to 70 microprocessors, researchers say."
▶ Researchers from Rutgers University hacked into the computer of a car travelling at 60 mph via the wireless system used to monitor tire pressure.
▶ Microprocessors are now embedded in water control systems, nuclear power stations and the electrical grid: everything we depend on.
[Figure: Computerized Tire Pressure Monitor]

Challenges in the security area
▶ The spread of possible security threats and their effects on enterprises increases steadily.
▶ Computerized business processes connect to customers and suppliers.
▶ Potential offenders have changed their behaviour.
▶ New forms of attack result in data losses daily.
▶ Compliance requirements are becoming more stringent and more complex.
▶ New trends such as Cloud Computing, Social Media and Mobile Devices introduce new security risks.

New threats are emerging fast…
[Figure only]

Risks: diverse and ubiquitous …
Internal Threats:
• Theft of data
• Cost pressure
• Spread of company secrets
• Unsatisfied employees
• Illegal downloads
• Private surfing
• Misconduct
• Industrial espionage
External Threats:
• Spam
• Hackers
• Worms
• Trojans
• Denial-of-Service
• Industrial espionage
• Insecure e-mails
• Phishing
• Data trade
Compliance:
• SOX
• Privacy laws
• Basel II/III
• PCI DSS
• Risk management
• ISO 27001
• Governance
• COBIT
• HIPAA

A paradigm shift has to take place…
From: Systems → To: Information
From: Barriers → To: Behavior
From: IT → To: Critical Infrastructures

Section: Atos Security Solutions

Atos' ISRM Combined Portfolio: From the router to the board room
▶ GRC (Governance, Risk and Compliance): Helping customers understand and adapt to the regulatory compliance issues of their specific market sector, and ensuring that governance and process controls are strategically aligned with the customer's market vertical and business value drivers.
▶ IABS (Identity, Access, Biometrics and Smart Cards): Helping customers centrally understand and manage "who has access to what" and "who should have access to what" across the processes in their enterprise, customer and partner space.
▶ STA (Security Technical Advisory): Allowing customers to understand and foresee their IT control risks while successfully integrating and refreshing security control technologies that are aligned with their business needs.
▶ MSS (Managed Security Services): Helping customers reduce their total cost of compliance and security management by delivering "Atos High Performance Security" (AHPS), the world's leading example of highly efficient and effective business process and IT security.
Governance, Risk and Compliance: Integrating governance
Frameworks and regulations covered: ISO 27000 family; HIPAA; SOX / MiFID / Basel II; NERC / CIP; PCI DSS; SAS 70 / ISAE 3402; HMG SPF / IS1; FDA.
GRC activities: analysis; risk management and business intelligence integration; assessment; risk appetite; treatments; process optimisation; security awareness; oversight and workflow creation; risk dashboards; Deming cycle; role mapping and analysis.
▶ Atos helps clients understand their compliance obligations and risks.
▶ Atos automates as much of GRC as possible.
▶ Atos helps you keep 'on course' with as little distraction as possible.

Identity, Access, Biometrics and Smart Cards: Authentication, Authorization, Administration and Audit
Problem
▶ Numerous 'identities' and multiple passwords providing access to highly valuable resources.
▶ Passwords are not secure, not free and not appropriate for today's ways of working.
Solution
▶ Atos portfolio of Identity and Access Management products
▶ Biometrics and smart cards
▶ Single sign-on
▶ Password self-service
Outcome
▶ Reduced costs and improved security and compliance.
IABS services: IAM maturity assessment; project management; design and development; Identity Management as a Service; SSO as a Service; Trusted Identity as a Service.
IABS technology: provisioning; web access management; single sign-on; identity federation; privileged user account management; metadirectory; strong authentication.
IABS products: DirX Identity & Access Management; ID Center (biometric authentication); CardOS smart card; USB token with CardOS®.

Security Technical Advisory
Problem
▶ How do I know what technology is 'best' and most cost-effective from the dozens of choices available?
Solution
▶ Atos advises clients about the costs and benefits of the latest technologies available, trying to find an optimal spend for the client's risk appetite.
STA services: security architecture; cloud security assessment; penetration testing; compliance gap analysis; PKI trust center services; security and compliance requirements collection; IT risk assessment; GRC as a Service; disaster recovery design; government information assurance services; PKI design services; biometric and smart card solution design; physical access control systems design.
[Figure: Effective Risk Management Strategy; axes: Business Risk, Cost (€), Exposure (€), Mitigation Effort; STA marked on the chart]

Managed Security Services
Service areas: Workplace Security; Infrastructure Security; Identity & Access Management; Atos High Performance Security.
Services include: endpoint protection services; data encryption services; mobile security; malware scanning; security for cloud; perimeter and remote access; secure directory services; intrusion protection; vulnerability management; Single Sign-On as a Service; Identity Management as a Service; business partner access; managed PKI and biometrics; physical access control systems.
Problem
▶ We spend a lot of money and time on IT security, and this distracts us from our core business.
Solution
▶ Atos Managed Security Services offers a range of services so that enterprises can outsource the costs and complexities of security and compliance.
Outcome
▶ Improved focus on the client's business
▶ Reduced spend on security

Atos Olympic Security (Atos High Performance Security)
▶ Goals
– Being able to react to cyber threats in real time, 24x7, as well as enabling forensic analysis.
– Hackers are increasingly sophisticated and their targets are increasingly valuable: AHPS helps companies defend against critical losses.
– Reduce security operation expenses caused by the explosive growth of security threats and a reactive, manual approach.
– Achieve compliance with government and industry standards.
▶ Solution
– AHPS monitors the business and IT environment 24x7 to see whether significant incidents are occurring: find suspicious activity while it is occurring, not after.
– The Atos Secure Operating Center responds to failures of policy compliance as new security, legislative and regulatory control requirements emerge.
– The service is based on the Atos Olympic security solution, which has a track record of more than 10 years.
▶ Benefits
– Reduced costs by using the Atos security-as-a-service model.
– Global presence of the AHPS service.
– Customers are enabled to react in real time to security events.

Fragmented View vs. Integrated View
Fragmented view: separate IDS, firewall, server log and vulnerability management feeds.
Integrated view: by understanding the customer's business rather than just the IT infrastructure, Atos is able to understand the potential business impact of the events occurring, and therefore to weight the risk management response to the severity of the threat, delivering a risk-driven operating model for each customer.

Integrated View: Atos High Performance Security log sources
Web cache and proxy logs; web server activity logs; content management logs; IDS/IDP logs; switch logs; router logs; VA scan logs; VPN logs; Windows logs; Windows domain logins; firewall logs; wireless access logs; Linux, Unix and Windows OS logs; database logs; client and file server logs; mainframe logs; SAN file access logs; VLAN access and control logs; DHCP logs; Oracle Financials logs.

Some Significant Cost Drivers
Roles: IT Security Managers; UNIX Server Managers; Wintel Server Managers; Network Security Managers; Firewall Engineers.
Functions: patch and vulnerability management; PCI compliance; SOX compliance; market research; testing; problem discovery; problem resolution; audit; forensics; training; access/authorization reviews; security policy creation and management.
Infrastructure: hardware; software licenses; maintenance fees; storage.
The items above typically represent at least $75k p.a. each and can often exceed millions of dollars each.

Our Cost Conscious Approach
(Same roles, functions and infrastructure items as on the previous slide.)
▶ AHPS can reduce a variety of these costs via external service provision, domain and delivery expertise, and concentration of functions into one delivery unit.
▶ We estimate we can save you at least 10 to 25% of your current IT compliance and security spend, and we will demonstrate this to your satisfaction before contract signing.

Lifting the Performance of Security and Compliance Operations
BRONZE: Manual security / control co-ordination. Manually driven performance based on the pace of staff activity and the tacit knowledge of staff.
SILVER: Log monitoring and storage. Faster reaction to security issues and better compliance through log storage, but issue management focused on obvious tactical issues.
GOLD: 360° IT Security. 'Joining up the dots' across the IT landscape to enable proactive IT security; control monitoring based on the IT landscape, not on the business information landscape.
Business information security (top level): alignment of security measures and spend with business information value and business impact. Control monitoring and auditing based on the business information landscape, aligning security and compliance measures with the highest-value business information. Proactive management of digital threats and business control issues.

Operational Efficiency and Cost Reduction
From the Beijing Olympic Games: AHPS takes millions of raw events and, via intelligent processing and correlation, reduces them to a few critical events. This reduces manpower requirements, improves operational efficiency, and resulted in zero downtime and zero business effect.
Event funnel: 201m filtered events → 443k correlated events → 1,500 alarms → 90 critical events.
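The funnel on this slide (raw events, filtered events, correlated events, alarms, critical events) is the shape of any log correlation pipeline. The Python below is an added example, not Atos code and not part of the original presentation: it runs those four stages over a handful of constructed log lines in the style of the firewall, VPN and Windows domain logon sources listed on the Integrated View slide. The single rule (three or more failed logons from one source to one host within five minutes, followed by a successful logon), the window, the threshold, the line format and the asset register marking 10.2.0.50 as a high-value host are all assumptions chosen for illustration. The point it shows is that a correlation rule plus a business-value weighting is what turns a pile of events into a short list of critical alerts, as the slide describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables (assumed for this example, not Atos values).
INTERESTING = {"login_failed", "login_success"}   # everything else is dropped as noise
ASSET_VALUE = {"10.2.0.50": "high"}               # hypothetical asset register: domain controller
WINDOW = timedelta(minutes=5)
THRESHOLD = 3


def _ev(ts, source, action, **kv):
    """Build one constructed log line: '<iso-ts> <source> <action> k=v ...'."""
    return f"2013-10-02T{ts} {source} {action} " + " ".join(f"{k}={v}" for k, v in kv.items())


# Constructed sample input (made up for this example; not real logs).
RAW_LINES = (
    # background noise: permitted web traffic from 20 internal clients
    [_ev(f"08:{m:02d}:00", "firewall", "allow", src=f"10.1.1.{m}", dst="10.2.0.10", dport=443)
     for m in range(1, 21)]
    # actor A: four failed logons to the high-value host, then a success -> critical
    + [_ev(f"09:01:{s:02d}", "windows", "login_failed", src="198.51.100.7", dst="10.2.0.50", user="admin")
       for s in (5, 17, 29, 41)]
    + [_ev("09:02:03", "windows", "login_success", src="198.51.100.7", dst="10.2.0.50", user="admin")]
    # actor B: same pattern against a low-value host -> alarm, not critical
    + [_ev(f"09:10:{s:02d}", "vpn", "login_failed", src="203.0.113.9", dst="10.2.0.10", user="jdoe")
       for s in (1, 2, 3)]
    + [_ev("09:10:30", "vpn", "login_success", src="203.0.113.9", dst="10.2.0.10", user="jdoe")]
    # actor C: only two failures before success -> below THRESHOLD, no alarm
    + [_ev(f"09:20:{s:02d}", "windows", "login_failed", src="192.0.2.3", dst="10.2.0.50", user="bob")
       for s in (1, 9)]
    + [_ev("09:20:20", "windows", "login_success", src="192.0.2.3", dst="10.2.0.50", user="bob")]
    # actor D: four failures, but the success comes 35 minutes later -> outside WINDOW, no alarm
    + [_ev(f"09:30:{s:02d}", "windows", "login_failed", src="192.0.2.8", dst="10.2.0.50", user="eve")
       for s in (1, 2, 3, 4)]
    + [_ev("10:05:00", "windows", "login_success", src="192.0.2.8", dst="10.2.0.50", user="eve")]
)


@dataclass
class Event:
    ts: datetime
    source: str
    action: str
    fields: dict


def parse(line: str) -> Event:
    """Turn one normalised line into an Event; the k=v tail becomes a dict."""
    ts, source, action, *kvs = line.split()
    return Event(datetime.fromisoformat(ts), source, action,
                 dict(kv.split("=", 1) for kv in kvs))


def filter_events(events):
    """Stage 1 (filtered events): keep only actions that some rule cares about."""
    return [e for e in events if e.action in INTERESTING]


def correlate(events):
    """Stage 2 (correlated events): group by (src, dst) so a rule sees one actor's activity together."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        groups[(e.fields["src"], e.fields["dst"])].append(e)
    return groups


def raise_alarms(groups):
    """Stage 3 (alarms): THRESHOLD+ failed logons within WINDOW before a successful logon
    from the same src to the same dst raise exactly one alarm for that success."""
    alarms = []
    for (src, dst), evs in groups.items():
        for ok in (e for e in evs if e.action == "login_success"):
            failures = [e for e in evs if e.action == "login_failed"
                        and ok.ts - WINDOW <= e.ts < ok.ts]
            if len(failures) >= THRESHOLD:
                alarms.append({"rule": "brute_force_then_success", "src": src, "dst": dst,
                               "user": ok.fields.get("user"), "failures": len(failures),
                               "ts": ok.ts.isoformat()})
    return alarms


def classify(alarms):
    """Stage 4 (critical events): weight each alarm by the business value of the target asset."""
    for a in alarms:
        a["severity"] = "critical" if ASSET_VALUE.get(a["dst"]) == "high" else "alarm"
    return [a for a in alarms if a["severity"] == "critical"]


def pipeline(lines):
    """Run all four stages and return the per-stage counts plus the critical alarms."""
    events = [parse(line) for line in lines]
    filtered = filter_events(events)
    groups = correlate(filtered)
    alarms = raise_alarms(groups)
    critical = classify(alarms)
    return {"raw": len(events), "filtered": len(filtered), "correlated": len(groups),
            "alarms": len(alarms), "critical": len(critical), "critical_alarms": critical}


if __name__ == "__main__":
    result = pipeline(RAW_LINES)
    for stage in ("raw", "filtered", "correlated", "alarms", "critical"):
        print(f"{stage:>10}: {result[stage]}")
    for alarm in result["critical_alarms"]:
        print("CRITICAL", alarm)
```

Running it prints the counts at each stage (37 raw, 17 filtered, 4 correlated groups, 2 alarms, 1 critical) and the single critical alarm against 10.2.0.50. Actors C and D show why the threshold and the time window both matter: C never reaches three failures, and D's failures fall outside the window of its eventual success, so neither produces an alarm. Further rules (a brute-force rule that fires on failures alone, or a port-scan rule over firewall deny events) would slot into raise_alarms without changing the stage structure.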
AHPS for the Olympic Games, AHPS for You
Beijing 2008 environment:
► 4,000 IT team members
► 40,000 IT components
► 10,000 PCs
► 1,000 servers
► 1,000 network devices
► 302 sport events
► 28 sports
► 70 venues
► 10,000 athletes
► 20,000 journalists
► 230,000 accreditations
Olympic project specifics (across the pre-Games and Games phases, along the business, technology, people and requirements dimensions):
► Highly visible, highly critical
► High level of dependency on volunteers
► Real-time and near real-time applications
► Last-minute massive infrastructure deployment
► Heterogeneous environment
► Consortium of partners and suppliers
► Availability, integrity, confidentiality
► Ready on time: the deadline will not move
► Few seconds' response time, no second chance

Section: Future Trends

Future tendencies for ISRM (roadmap 2013 to 2016)
Items on the roadmap: Cyber Threat Center; Cloud Single Sign-On; leverage DirX; user-owned device; GRCaaS; IDaaS; mobile data protection; cyber security; Atos High Performance Security; next-generation AV; Atos Integrated Security; cloud encryption; Security and Compliance in a Box (GRCaaS); federated IAM.

Section: Summary/Questions

Summary
▶ The information security threat landscape is changing at a rapid pace.
▶ Organizations must prepare themselves to withstand advanced targeted attacks aimed at the company's intellectual property.
▶ Atos has a complete portfolio in the identity, security and risk management area, covering the whole value chain from consulting to operations.
▶ Atos has committed resources to development in the security area to enable it to provide state-of-the-art services.
▶ Atos is one of the few providers able to deliver services to its customers around the globe.

Dragutin Bošnjaković, Information Security Advisor
Atos IT Solutions and Services d.o.o. Beograd
[email protected]
Thank you for your attention!
www.qa-center.net