Driving Digital Transformation While Mitigating Risks And Ensuring Compliance
Terry Ray
SVP and Imperva Fellow
Proprietary and confidential. Do not distribute.
Agenda
● Challenges with Digital Transformation
● Traditional Security Approach
● Risk Assessment Approach
● How Imperva can Help
● Q&A
Challenges with Digital Transformation
Transformation is Happening
Drive revenue vs. Reduce cost
Methods: Waterfall → Agile → DevOps
Architecture: Monolithic → Tiers → Micro-Services
Servers: Physical → Virtual → Containers
Infrastructure: Datacenter → Hosted → Cloud
Risks
• Unnoticed attacks
• Too much data, EVERYWHERE
• Lack of visibility into who accesses what data, how
• No assurance in existing controls
• Security isn’t part of DevOps
Pressures in Financial Services Industry
Risk Mitigation, Transformation, Compliance
• Innovative Fintech models
• Big Tech
• Open Banking
• Complex legacy systems
• Digital applications
• Cloud adoption
• More data, EVERYWHERE
• Increased competition
• Stricter regulations
Compliance
Data Breach Risks
Why is Detection so Difficult
Incident overload and alert fatigue: 54% of companies admitted that they tend to ignore security alerts [2]
Lack of skilled security professionals: 70% of CISOs consider it their top concern [3]
Insider threats: fraud is the most frequent insider threat incident type for financial services [4]
More legitimate data access: 34% of workers said they share passwords or accounts with their coworkers [1]
Sources:
1 https://www.techradar.com/uk/news/the-dangers-of-password-sharing-at-work
2 Security Operations Challenges, Priorities, and Strategies, ESG, 2017
3 What CISOs worry about in 2018, Ponemon Institute, 2018
4 CERT National Insider Threat Center, 2019
Traditional Security Approach
Security Spending
Spending in Perimeter-based & Identity-based security continues to grow
Challenges of Traditional Security Approach
Perimeter-based Security
• Ex: endpoint, network security
• False assumption: a “trusted” internal network where data is safe
• Can’t protect against insider threats
• Fails to empower a digital workforce to better serve customers while protecting data
Identity & Access Management
• Ex: user authentication
• Identity-aware is a must, but not sufficient
• Not designed to detect breaches, but to decide whether to enable access
• Can’t protect against insider threats
Data Breaches Still Happen
Risk Assessment Approach
Taking a Risk Assessment Approach
• Most organizations evaluate the value of their security investments based on their ability to lower risk
[Chart: compliance-related vs. security-related drivers]
Source: Dark Reading Report, 2018
Example: Gartner Risk Assessment Framework
Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018
• Get alignment with key stakeholders
• Priority = Identify assets + Assess liabilities
• Security = Mitigate prioritized risks
Example: Gartner Risk Assessment Framework
Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018
• Start by balancing business needs against risks
• Don’t jump to security products/solutions
• Enforce consistent policies across the hybrid environment
To Keep or not to Keep
Maintaining and securing data here is a no-brainer.
The problem is:
• Is there any data that you truly don’t care about?
• If so, can you delete it?
Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018
Enabling Digital Transformation while Mitigating Risks
Data Security is a Must
“As the business becomes digital, security must become data-centric.” – Forrester Research, 2018
Imperva Security Defense In Depth Architecture
Deployment: On-Prem, Hybrid, Cloud; protected assets: APPs, APIs, DATA
Outside the organization: external partners, customers, contractors, bad bots, hackers
Inside the organization: trusted users, internal partners, and malicious, careless or compromised insiders
App & Data Security (cloud edge): WAF (Cloud and On-Prem), RASP, CDN & LB, DDoS, Bot Protection, API Security*
App & Data Security (on-prem): WAF Gateway, RASP
Data Security: Data Insights, Data Audit & Compliance, Data Classification & masking
Machine Learning & Analytics, feeding the SIEM
*Internal API Security is planned for 2020
Example: Buy Down Risks with Data Security
Financial Services
If a breach happens: exposure of 100 million unique customer records (e.g. PII)
• All users in the system have to be notified; a physical mail costs $0.5 = $50M
• Fines (e.g. GDPR non-compliance), lawsuits, loss of clients/vital data/productivity, damage to reputation, damage to business relationships = >$50M
Control: a single query should not exceed 10,000 PII records
• Limits application compromise down to 10,000 PII records = $20,000
• Result: buying down ~$50M
Improve breach prevention; prevent data breach risks in non-prod environments:
‒ Service account abuse
‒ Massive data records access
‒ Sensitive data access
‒ Reduce attack surface in non-production environments
Data security controls:
• Data access control
• Identify suspicious data access
• Masking sensitive data
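As an added example (not Imperva's code or anything from the slides), the three non-prod risk patterns and the 10,000-record query cap above, expressed as detection rules over constructed database audit records; `exposure_usd` models only the mailing-cost component of the slide's arithmetic, and the account types, client names and table classification are assumptions.

```python
"""Added example: score constructed DB audit records against the buy-down controls."""
from dataclasses import dataclass

PII_QUERY_CAP = 10_000      # "a single query should not exceed 10,000 PII records"
NOTIFY_COST_USD = 0.5       # cost of one physical notification letter (from the slide)
SENSITIVE_TABLES = {"customers", "cards"}   # assumed output of data classification

@dataclass
class AuditRecord:
    user: str
    account_type: str   # assumed values: "human" or "service"
    client: str         # assumed values: "app-server" or "workstation"
    env: str            # assumed values: "prod" or "non-prod"
    table: str
    rows: int
    masked: bool        # True when the result set was served from masked data

def findings(rec):
    """Return the names of the slide's risk patterns this record matches (empty = clean)."""
    hits = []
    sensitive = rec.table in SENSITIVE_TABLES
    if sensitive and rec.rows > PII_QUERY_CAP:
        hits.append("massive data records access")   # exceeds the per-query cap
    if rec.account_type == "service" and rec.client != "app-server":
        hits.append("service account abuse")         # app credentials used outside the app tier
    if sensitive and rec.env == "non-prod" and not rec.masked:
        hits.append("sensitive data access")         # real PII in a non-production copy
    return hits

def exposure_usd(rows, cap=PII_QUERY_CAP):
    """Notification cost if this query were the breach: (uncapped, with the per-query cap)."""
    return rows * NOTIFY_COST_USD, min(rows, cap) * NOTIFY_COST_USD

# Constructed sample audit log, not real data.
SAMPLE = [
    AuditRecord("app_svc", "service", "app-server", "prod", "customers", 250, False),
    AuditRecord("app_svc", "service", "workstation", "prod", "customers", 100_000_000, False),
    AuditRecord("qa_jane", "human", "workstation", "non-prod", "customers", 5_000, False),
    AuditRecord("qa_jane", "human", "workstation", "non-prod", "customers", 5_000, True),
]

def triage(records=SAMPLE):
    """Records worth an analyst's attention, with the rules each one tripped."""
    return [(r.user, findings(r)) for r in records if findings(r)]

if __name__ == "__main__":
    for user, hits in triage():
        print(user, hits)
    print(exposure_usd(100_000_000))   # the slide's $50M figure vs. the capped cost
```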
Key Takeaways: Start with What Matters Most
APPS
• Do you detect and mitigate application vulnerabilities?
• Are vulnerable apps taken offline, or is the risk accepted?
• Can your organization tolerate a DDoS lasting longer than hours?
• Is your app security strategy updated periodically to detect changing attack methods (e.g. crypto-jacking, ransomware)?
DATA
• Do you know where your sensitive data is?
• Can you tell who accesses what data, and how that data is used?
• Can you determine which data access is appropriate?
• Can you detect suspicious data access with high confidence?
• Do you have the necessary records for incident response?
Compliance & 3rd Party Frameworks
GDPR: Art 5, 25, 32, 33, 34, 35, 44
PCI DSS: Req. 2, 3, 6.1, 6.6, 7, 8.5, 10, 12
MAS TRM: 2.0.1, 2.0.5, 5.1.2, 5.1.7, 12.1.6
SOX: 302, 404, 409
Also: NIST, SANS, NYDFS, HIPAA, FISMA, GLBA, HITECH, CCPA, ISO, etc.