Transcript Document
4. qualityaustria Forum
Creating opportunities
through new requirements!
Identity, Security and Risk Management
Dragutin Bošnjaković,
Information Security Advisor
Atos IT Solutions and Services d.o.o.
Beograd
2 October 2013
Identity, Security & Risk Management
02-okt-13
4. qualityaustria Forum, Beograd
Agenda
▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions
Today's World
Computers Everywhere
▶ Desktop computers account for less than 1% of the microprocessors in use globally; it is estimated that more than 10 billion embedded microprocessors are produced annually.
▶ 'A typical luxury saloon car today may use more than 100 megabytes of computer code spread across 50 to 70 microprocessors, researchers say.'
▶ Researchers from Rutgers University (together with the University of South Carolina) demonstrated that the wireless tire pressure monitoring system (TPMS) of a car travelling at 60 mph could be eavesdropped on and spoofed from a neighbouring vehicle, reaching the car's on-board computer through a sensor network that was never designed with an attacker in mind.
▶ Microprocessors are now embedded in water control systems, nuclear power stations, the electrical grid: everything we depend on.
Computerized Tire Pressure Monitor
Challenges in the security area
The range of possible security threats and their effects on enterprises is increasing steadily.
Computerized business processes connect to customers and suppliers.
Potential offenders have changed their behaviour.
New forms of attack result in data losses daily.
Compliance requirements are becoming more stringent and more complex.
New trends such as Cloud Computing, Social Media and Mobile Devices introduce new security risks.
New threats are emerging fast…
Risks: diverse and ubiquitous …
Internal Threats
• Theft of data
• Spread of company secrets
• Unsatisfied employees
• Illegal downloads
• Private surfing
• Misconduct
• Industrial espionage
External Threats
• Spam
• Hackers
• Worms
• Trojans
• Denial-of-Service
• Phishing
• Insecure e-mails
• Data trade
• Industrial espionage
Compliance
• SOX
• Privacy laws
• Basel II/III
• PCI DSS
• ISO 27001
• HIPAA
• Cobit
• Governance
• Risk management
Across all of these: cost pressure.
A paradigm shift has to take place…
From: Systems; To: Information
From: Barriers; To: Behavior
From: IT; To: Critical Infrastructures
Agenda
▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions
Atos' ISRM Combined Portfolio:
From the router to the board room
Four service lines: GRC (Governance, Risk & Compliance), IABS (Identity, Access, Biometrics and Smart Cards), STA (Security Technical Advisory) and MSS (Managed Security Services).
(GRC) Governance, Risk and Compliance:
Helping customers understand and adapt to the regulatory compliance issues of their specific market sector, and ensuring that governance and process controls are strategically aligned with the customer's market vertical and business value drivers.
(IABS) Identity, Access, Biometrics and Smart Cards:
Helping customers centrally understand and manage "who has access to what" and "who should have access to what" across the processes within their enterprise, customer and partner space.
(STA) Security Technical Advisory:
Helping customers understand and foresee their IT control risks while integrating and refreshing security control technologies that are aligned with their business needs.
(MSS) Managed Security Services:
Helping customers reduce their total cost of compliance and security management by delivering "Atos High Performance Security" (AHPS), the world's leading example of highly efficient, effective business process and IT security.
Governance, Risk and Compliance:
Integrating governance
Frameworks and regulations covered: ISO 27000 family; HIPAA; SOX / MiFID / Basel II; NERC CIP; PCI DSS; SAS 70 / ISAE 3402; HMG SPF / IS1; FDA.
GRC activities: analysis; risk management and business intelligence integration; assessment; risk appetite; treatments; process optimisation; security awareness; oversight and workflow creation; risk dashboards; Deming cycle; role mapping and analysis.
▶ Atos helps clients understand their compliance obligations and risks.
▶ Atos automates as much of GRC as possible.
▶ Atos helps you keep 'on course' with as little distraction as possible.
Identity, Access, Biometrics and Smart Cards:
Authentication, Authorization, Administration and Audit
IABS Services: IAM maturity assessment; project management; design and development; Identity Management as a Service; SSO as a Service; Trusted Identity as a Service.
IABS Technology: provisioning; web access management; single sign-on; identity federation; privileged user account management; metadirectory; strong authentication.
IABS Products: DirX Identity & Access Management; ID Center (biometric authentication); CardOS smart card; USB token with CardOS®.
Problem
▶ Numerous 'identities' and multiple passwords providing access to highly valuable resources
▶ Passwords are not secure, not free and not appropriate for today's ways of working
Solution
▶ Atos portfolio of Identity and Access Management products
▶ Biometrics and smart cards
▶ Single sign-on
▶ Password self-service
Outcome
▶ Reduced costs and improved security and compliance
Security Technical Advisory
STA services: security architecture; cloud security assessment; penetration testing; compliance gap analysis; PKI trust center services; security and compliance requirements collection; IT risk assessment; GRC as a Service; disaster recovery design; government information assurance services; PKI design services; biometric and smart card solution design; physical access control systems design.
Problem
▶ How do I know which technology is 'best' and most cost effective from the dozens of choices available?
Solution
▶ Atos advises clients on the costs and benefits of the latest technologies available, seeking an optimal spend for the client's risk appetite.
Chart: 'Effective Risk Management Strategy', plotting Business Risk (Exposure, €) against Mitigation Effort (Cost, €), with STA marked on both curves.
Managed Security Services
MSS service areas: Workplace Security; Infrastructure Security; Endpoint Protection Services; Security for Cloud; Data Encryption Services; Mobile Security; Identity & Access Management; Atos High Performance Security; Single Sign-On as a Service; Malware Scanning; Identity Management as a Service; Perimeter & Remote Access; Business Partner Access; Secure Directory Services; Intrusion Protection; Vulnerability Management; Managed PKI and Biometrics; Physical Access Control Systems.
Problem
▶ We spend a lot of money and time on IT security and this distracts us from our core business
Solution
▶ Atos Managed Security Services offers a range of services so that enterprises can outsource the costs and complexities of security and compliance.
Outcome
▶ Improved focus on clients' business
▶ Reduced spend on security
Atos Olympic Security
(Atos High Performance Security)
▶ Goals
– React to cyber threats in real time, 24x7, and enable forensic analysis.
– Hackers are increasingly sophisticated and their targets are increasingly valuable: AHPS helps companies defend against critical losses.
– Reduce security operation expenses caused by the explosive growth of security threats and a reactive, manual approach.
– Achieve compliance with government and industry standards.
▶ Solution
– AHPS monitors the business and IT environment 24x7 to see whether significant incidents are occurring, finding suspicious activity while it is occurring, not after.
– The Atos Secure Operating Center responds to failures of policy compliance as new security, legislative and regulatory control requirements emerge.
– This service is based on the Atos Olympic security solution, which has a track record of more than 10 years.
▶ Benefits
– Reduced costs through the Atos security-as-a-service model.
– Global presence of the AHPS service.
– Customers are enabled to react in real time to security events.
Fragmented View
Sources seen separately: IDS, Firewall, Server Logs, Vulnerability Management.
Integrated View
By understanding our customers' business rather than just the IT infrastructure, we are able to understand the potential business impact of the events occurring and therefore weight the risk management response to the severity of the threat, delivering a risk-driven operating model for each of our customers.
Integrated View
Atos High Performance Security correlates log sources including: web cache & proxy logs; web server activity logs; content management logs; IDS/IDP logs; switch logs; router logs; VA scan logs; VPN logs; Windows logs; Windows domain logins; firewall logs; wireless access logs; Linux, Unix and Windows OS logs; database logs; client & file server logs; mainframe logs; SAN file access logs; VLAN access & control logs; DHCP logs; Oracle Financials logs.
Some Significant Cost Drivers
Roles
► IT Security Managers
► UNIX Server Managers
► Wintel Server Managers
► Network Security Managers
► Firewall Engineers
Functions
► Patch and Vulnerability Management
► PCI Compliance
► SOX Compliance
► Market Research
► Testing
► Problem Discovery
► Problem Resolution
► Audit
► Forensics
► Training
► Access / Authorization Reviews
► Security Policy Creation and Management
Infrastructure
► Hardware
► Software Licenses
► Maintenance Fees
► Storage
The bullet points above typically represent at least $75k pa and can often exceed millions of dollars each.
Our Cost Conscious Approach
(Overlaid on the same list of roles, functions and infrastructure cost items as the previous slide.)
AHPS can reduce a variety of these costs via external service provision, domain and delivery expertise, and concentration of functions into one delivery unit. We estimate we can save you at least 10 to 25% of your current IT compliance and security spend, and we will demonstrate this to your satisfaction before contract signing.
The bullet points above typically represent at least $75k pa and can often exceed millions of dollars each.
Lifting the Performance of Security and Compliance Operations
Starting point: manual security / control co-ordination. Manually driven performance based on the pace of staff activity and the tacit knowledge of staff.
BRONZE: Log monitoring & storage. Faster reaction to security issues and better compliance through log storage, but issue management focused on obvious tactical issues.
SILVER: 360° IT Security. 'Joining up the dots' across the IT landscape to enable proactive IT security. Control monitoring based on the IT landscape, not the business information landscape.
GOLD: Business information security. Alignment of security measures and spend with business information value and business impact. Control monitoring and auditing based on the business information landscape, aligning security and compliance measures with the highest-value business information.
Direction of travel: proactive management of digital threats and business control issues.
Operational Efficiency and Cost Reduction
From the Beijing Olympic Games:
AHPS takes millions of raw events and, via intelligent processing and correlation, reduces them to a few critical events. This reduces manpower requirements, improves operational efficiency, and resulted in zero downtime and zero business effect.
Event funnel: 201m filtered events; 443k correlated events; 1,500 alarms; 90 critical events.
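The funnel above, and the business-impact weighting described on the Fragmented View / Integrated View slide, as an added worked example that is not Atos or AHPS code: a small Python pipeline that takes constructed events from several of the log sources listed (firewall, Windows logons, IDS, vulnerability scan), filters out noise, correlates across sources into alarms, and then weights each alarm by the business value of the target so that the same rule firing against a kiosk and against a finance system is prioritised differently. The hosts, IP addresses, signature names, rule thresholds and asset weights are all assumptions made for the illustration.

```python
"""Event funnel: raw -> filtered -> correlated -> alarms -> critical.
Illustrative code written for this page, not vendor code; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical asset inventory. The business-impact weight is the "understanding the
# customer's business" input that turns an IT event into a risk-weighted response.
ASSET_WEIGHT = {
    "10.0.0.5": ("finance-db", 5),   # constructed: financially relevant system
    "10.0.0.9": ("lobby-kiosk", 1),  # constructed: low business impact
}


@dataclass(frozen=True)
class Event:
    ts: int        # seconds on a constructed timeline
    source: str    # log source, as on the integrated-view slide
    src_ip: str
    dst_ip: str
    kind: str      # normalised event type
    detail: str = ""


@dataclass(frozen=True)
class Alarm:
    rule: str
    src_ip: str
    dst_ip: str
    base_severity: int   # 1..5 from the rule alone, before business weighting


def constructed_events():
    """Sample input built inline so the block runs offline; none of it is real log data."""
    ev = [Event(t, "firewall", "10.0.1.%d" % (t % 7), "10.0.0.5", "allow") for t in range(60)]
    ev += [Event(100 + i, "firewall", "203.0.113.7", "10.0.0.9", "deny", "port=%d" % (20 + i))
           for i in range(12)]                                    # 12 denied ports in 12 s
    for dst, user, base in (("10.0.0.5", "svc_fin", 200), ("10.0.0.9", "kiosk", 300)):
        ev += [Event(base + 10 * i, "windows", "198.51.100.4", dst, "logon_failure", "user=" + user)
               for i in range(6)]                                  # 6 failures ...
        ev.append(Event(base + 70, "windows", "198.51.100.4", dst, "logon_success", "user=" + user))
    ev.append(Event(50, "vascan", "", "10.0.0.5", "vuln_finding", "sig=SMB-RCE-X"))   # constructed id
    ev.append(Event(400, "ids", "203.0.113.7", "10.0.0.5", "alert", "sig=SMB-RCE-X"))  # matches finding
    ev.append(Event(410, "ids", "203.0.113.7", "10.0.0.9", "alert", "sig=HTTP-TRAV-Y"))  # no finding
    return ev


def filter_events(events):
    """Stage 1: drop events with no security relevance (here, permitted firewall flows)."""
    return [e for e in events if not (e.source == "firewall" and e.kind == "allow")]


def correlate(events, window=300):
    """Stage 2: cross-source rules over (src, dst) pairs. Returns the alarms and the
    set of events that took part in at least one correlation."""
    alarms, used = [], set()
    pairs = defaultdict(list)
    for e in events:
        pairs[(e.src_ip, e.dst_ip)].append(e)
    findings = {(e.dst_ip, e.detail) for e in events if e.kind == "vuln_finding"}
    for (src, dst), evs in pairs.items():
        evs.sort(key=lambda e: e.ts)
        # Rule 1: >= 10 distinct denied ports from one source inside the window -> port scan
        denies = [e for e in evs if e.kind == "deny"]
        if denies and denies[-1].ts - denies[0].ts <= window and len({e.detail for e in denies}) >= 10:
            alarms.append(Alarm("port_scan", src, dst, 2))
            used.update(denies)
        # Rule 2: >= 5 logon failures then a success inside the window -> credential compromise
        fails = [e for e in evs if e.kind == "logon_failure"]
        succ = [e for e in evs if e.kind == "logon_success"]
        if succ and len(fails) >= 5 and fails[-1].ts < succ[0].ts <= fails[0].ts + window:
            alarms.append(Alarm("credential_compromise", src, dst, 4))
            used.update(fails + succ[:1])
        # Rule 3: IDS alert whose signature matches an open VA finding on the target host
        for e in evs:
            if e.kind == "alert" and (dst, e.detail) in findings:
                alarms.append(Alarm("exploit_of_known_vuln", src, dst, 5))
                used.add(e)
                used.update(f for f in events
                            if f.kind == "vuln_finding" and (f.dst_ip, f.detail) == (dst, e.detail))
    return alarms, used


def prioritise(alarms, critical_at=10):
    """Stage 3: weight each alarm by the business impact of its target asset."""
    scored = []
    for a in alarms:
        name, weight = ASSET_WEIGHT.get(a.dst_ip, ("unknown-asset", 3))
        score = a.base_severity * weight
        scored.append((a, name, score, score >= critical_at))
    return scored


def run_funnel(events=None):
    """Run all stages; return the funnel counts and the critical (rule, asset) pairs."""
    raw = constructed_events() if events is None else events
    filtered = filter_events(raw)
    alarms, used = correlate(filtered)
    scored = prioritise(alarms)
    return {
        "raw": len(raw),
        "filtered": len(filtered),
        "correlated": len(used),
        "alarms": len(alarms),
        "critical": sum(1 for _, _, _, crit in scored if crit),
        "critical_rules": sorted((a.rule, name) for a, name, _, crit in scored if crit),
    }


if __name__ == "__main__":
    for stage, value in run_funnel().items():
        print(stage, value)
```

Running the block on the constructed input gives the same shape as the slide's funnel: 89 raw events shrink to 29 after filtering, 28 of those take part in a correlation, four alarms result, and only the two against the finance system cross the critical threshold. The unmatched IDS alert against the kiosk is dropped by design: an alert for a signature the scanner did not find on the target is exactly the "obvious tactical issue" the Bronze level would still page someone for.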
AHPS for the Olympic Games, AHPS for You
Beijing 2008 environment
► 4,000 IT team members
► 302 sport events
► 40,000 IT components
► 70 venues
► 10,000 PCs
► 10,000 athletes
► 1,000 servers
► 20,000 journalists
► 1,000 network devices
► 28 sports
► 230,000 accreditations
Olympic project specifics (criticality rising from Pre-Games to Games)
► Business: high level of dependency on volunteers; highly visible, highly critical
► Technology: real-time and near real-time applications; last-minute massive infrastructure deployment; heterogeneous environment
► People: consortium of partners and suppliers
Requirements
► Availability, integrity, confidentiality
► Ready on time, the deadline will not move
► Few seconds' response time, no second chance
Agenda
▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions
Future tendencies for ISRM
Roadmap chart, 2013 to 2016, built on Atos High Performance Security: Cyber Threat Center; Cloud Single Sign-On; Leverage DirX; User Owned Device; GRCaaS; IDaaS; Mobile Data Protection; Cyber Security; Next Gen AV; Atos Integrated Security; Cloud Encryption; Security and Compliance in a Box (GRCaaS); Federated IAM.
Agenda
▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions
Summary
▶ The information security threat landscape is changing at a rapid pace.
▶ Organizations must prepare themselves to withstand advanced targeted attacks aimed at the company's intellectual property.
▶ Atos has a complete portfolio in the identity, security and risk management area, covering the whole value chain from consulting to operations.
▶ Atos has committed resources to development in the security area so that it can provide state-of-the-art services.
▶ Atos is one of the few providers able to deliver services to its customers around the globe.
Dragutin Bošnjaković,
Information Security Advisor
Atos IT Solutions and Services d.o.o. Beograd
[email protected]
Thank you for your attention!
www.qa-center.net