
Information Security in Real Business Yuri & The Cheeseheads.

Date post: 24-Dec-2015
Upload: tobias-potter

Information Security in Real Business

Yuri & The Cheeseheads

Review of the problem statement and existing work

Assessing and managing third party vendor security requirements and practices for outsourced services

Existing solution
  Established Vendor Review Process
  Technical Infrastructure Evaluation
  Scheduled Reviews & Onsite Visits
  Contractual Obligations

Review of the problem statement and existing work

Source: Forrester Research, and Infosys Analysis

Real World Problem – VCNA

E-Commerce Portal
Technical Literature
Integration with Production Lines – VINs
Help System
Payment Processing
VIDA Software Downloads and Configurations

Real World Problem – VCNA Cont…

Security Concerns
  Personally Identifiable Information
  Complete VIN List
  Credit Card Processing
  Trade Secrets – Software Configurations

Governing Bodies
  EPA/CARB
  PCI
  Ford Motor Company

Technical Solution

Personally Identifiable Information
  Entire site is encrypted using SSL
  Passwords are encrypted in database
  Customer is segregated on individual VLAN
  Backups are encrypted and shipped off-site

Complete VIN List
  Encrypted Secure Transmission to Locksmiths

Credit Card Processing
  Industry Standard Encryption

Technical Solution Cont…

Trade Secrets – Software Configurations

Software Subscriptions
  Secure Login from Public Internet
    All information is passed via https
    Passwords are encrypted in database
  Configured in Sweden per Order
    Software is placed in shopping cart
    Order is passed to Volvo (Sweden) over a VPN connection
    Configured Software Request is Sent Back via VPN

Technical Solution Cont…

Trade Secrets – Software Configurations

Sold Via E-Commerce Application
  Software is Purchased using Credit Card
    SSL Encryption
    Verisign Integration
  Transmitted to Ford Network
    Software Request is sent to Ford
    Uses VPN connection with Limited IP and Port Number
    Request is Dropped into Message Queue
  Configured Software is Downloaded from Ford
  Installed on Cars for Diagnostic Testing

Network Diagram

Business, Risk, and Cost Considerations

Benefits of outsourcing services/data
  Cost savings
  Economies of scale
  Consistency of quality
  Expansion of business line
    E-Commerce site

Risks
  Data security
  Costs of a data breach – Survey conducted by Ponemon Inst.
    $197 per company record
    Average total $6.3 million per breach
    Ranged from $225K to $35M

Feasibility

The outsourcing vendor has the same incentive to secure the data
  Breach of their customers’ data will be just as damaging to them as to the customer
    Loss of revenue
    Loss of reputation

Cost of securing data is low compared to the cost of a breach
  1 year of SSL Validity – VeriSign.com
    $400 - $1600 per server
    Varies based on trust level, security level, encryption strength

Increase in competition will require vendors to provide adequate security levels

Legal Considerations

Legal Compliance
  SOX
  EPA/CARB
  PCI

Conclusion

As long as we need to outsource data, we need to continue to balance security with usability and ensure that our vendors have the proper level of security in place for the data they hold.

Q&A

