
Surfing the Wave: Security and the Consumerization of IT

Description:
I discuss the convergence of forces that make up the Consumerization of IT: social media, mobility, cloud, data and the Internet of Things. I suggest how a layered, data-centric approach can secure and enable CoIT.
Transcript

Page 1: Surfing the Wave: Security and the Consumerization of IT

John Johnson, PhD, CISSP
John Deere / Global Security Strategist

June 6, 2013

Page 2: IT Trends: Nexus of Forces

(diagram) CoIT sits at the centre of five converging forces: Data, Mobile, Social, Cloud and the Internet of Things. Around them sit Threats, Regulations and Security Architecture, and the outcome spans Risk on one side and Opportunity on the other.

Page 3: How do we define CoIT?

Cloud Services (SaaS, PaaS, IaaS) (Public, Private)
Social Media
Data (Big Data, ERP, CRM) (Structured, Unstructured) (Classified, Unclassified)
Mobile (BYOD) (Corporate, Personal)
Internet of Things (Computers, Sensors, PLC, Product) (Managed, Unmanaged, Rogue)
Supply Chain, Vendors, Employees (Millennials)

Page 4: Drivers of CoIT

The boundaries are moving; the perimeter is eroding.
The way we do business requires new processes and technologies to spur innovation, support agility and find competitive advantage.
Customers are demanding services.
Employees are demanding mobile devices, anytime/anywhere access and a flexible work/life balance.
Business partners, suppliers and vendors need access to resources and data.

HOW DO WE SECURE?

Page 5: Securing The Wave

Develop strategies that are aligned to the business objectives: layered, synergistic, and informing decisions.
Focus on the greatest risk and impact, where the greatest value is. We cannot protect everything equally, nor 100%.
We cannot say "No" or stop this natural evolution and convergence of forces, nor should we.
Enable the business objectives: listen, partner and collaborate to develop security solutions that manage risk (the business owns the risk).

Page 6: Security Model

(diagram)

Page 7: Security Controls

PEOPLE, PROCESSES, TOOLS

Policies, Awareness, Processes, SLAs, Contracts…
Find enabling technologies: mature, interoperable, extensible, offering fine-grained rules.

Device-Centric: EPP, Client DLP, Mobile Proxy, DRM, MDM, Advanced Threat Detection/Mitigation, VDI, Patch Mgmt, Software Inventory, …

Network-Centric: Segmentation, Network Knowledge, Non-Compliant VLANs, Network/Cloud Content Mgmt (AV, DLP), FW, Proxies, APT Detection, IDS/IPS, SIEM, Threat Intelligence, Rogue Detection, Next Gen Network, Fraud Detection, Vuln Mgmt, Network Forensics, Authentication, Federation…

Data-Centric: Classification Policy, Awareness, Discovery, DRM, DLP…

Page 8: Apply Security Rules

(diagram) A request is evaluated in its context: the User, Role, Location/Time, Asset and Access Method; the Action requested (Copy, Modify, Transmit, Process/View, Support); and the target (Data or Service). Security rules are applied where the request meets the target.

• Security controls are applied to mitigate risk, based on a number of factors. Find technology that makes intelligent decisions at boundaries and automates actions, to ensure policy compliance.
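The rule evaluation the slide sketches, worked through as an added example (this is illustrative code, not code from the deck or from John Deere): a small policy engine that takes the attributes the diagram names (user, role, location/time, asset, access method, action, target) and returns a decision together with the controls an enforcement point must apply. The attribute vocabulary, the rule set and the deny-overrides-with-obligations evaluation strategy are assumptions chosen for illustration.

```python
"""Context-aware access rules (added example; not code from the original deck).

A request carries the attributes the slide lists: user, role, location, time,
asset, access method, the action requested and the target data. Evaluation is
deny-overrides: any matching deny rule denies; otherwise at least one allow
rule must match, and every matching "require" rule adds an obligation
(encrypt, MFA, watermark) the enforcement point applies before the action
proceeds. Attribute values, rule names and the policy itself are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str        # "employee", "contractor", ...
    location: str    # "corporate", "remote"
    hour: int        # local hour of the request, 0-23
    asset: str       # "managed", "personal", "unmanaged"
    method: str      # "native", "vdi", "web"
    action: str      # "view", "copy", "modify", "transmit", "process", "support"
    target: str      # "public", "internal", "confidential", "restricted"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    effect: str                        # "allow", "deny" or "require"
    obligations: Tuple[str, ...] = ()  # controls the enforcement point must apply


@dataclass(frozen=True)
class Decision:
    effect: str                  # "allow" or "deny"
    reasons: Tuple[str, ...]     # names of the rules that produced the result
    obligations: Tuple[str, ...] = ()


def off_hours(r: Request) -> bool:
    return not 7 <= r.hour < 19


POLICY = [
    # Deny rules: the riskiest combinations, whatever else matches.
    Rule("restricted data may not be copied or transmitted from a device we do not manage",
         lambda r: r.target == "restricted" and r.asset != "managed"
         and r.action in {"copy", "transmit"}, "deny"),
    Rule("contractors may not change restricted data",
         lambda r: r.target == "restricted" and r.role == "contractor"
         and r.action in {"modify", "process"}, "deny"),
    Rule("unmanaged devices never touch restricted data",
         lambda r: r.target == "restricted" and r.asset == "unmanaged", "deny"),
    # Allow rules: who may do what, from where, on which kind of device.
    Rule("public data is open to everyone", lambda r: r.target == "public", "allow"),
    Rule("managed assets on the corporate network may work with classified data",
         lambda r: r.asset == "managed" and r.location == "corporate"
         and r.target in {"internal", "confidential", "restricted"}, "allow"),
    Rule("managed assets off-site may view, process and transmit up to confidential",
         lambda r: r.asset == "managed" and r.location == "remote"
         and r.target in {"internal", "confidential"}
         and r.action in {"view", "process", "transmit"}, "allow"),
    Rule("personal devices reach restricted data only through VDI, view-only",
         lambda r: r.asset == "personal" and r.method == "vdi"
         and r.target == "restricted" and r.action == "view", "allow"),
    Rule("personal devices may view internal and confidential data in the browser",
         lambda r: r.asset == "personal" and r.method == "web"
         and r.target in {"internal", "confidential"} and r.action == "view", "allow"),
    # Require rules: obligations layered on top of an allow.
    Rule("confidential or restricted data leaving the corporate network is encrypted",
         lambda r: r.target in {"confidential", "restricted"}
         and r.action == "transmit" and r.location != "corporate", "require", ("encrypt",)),
    Rule("off-hours remote access to confidential or restricted data needs step-up authentication",
         lambda r: r.target in {"confidential", "restricted"}
         and r.location == "remote" and off_hours(r), "require", ("mfa",)),
    Rule("confidential data viewed on a personal device is watermarked",
         lambda r: r.asset == "personal" and r.target == "confidential"
         and r.action == "view", "require", ("watermark",)),
]


def decide(request: Request, policy=POLICY) -> Decision:
    """Deny-overrides evaluation with accumulated obligations; default deny."""
    matched = [rule for rule in policy if rule.matches(request)]
    denies = tuple(rule.name for rule in matched if rule.effect == "deny")
    if denies:
        return Decision("deny", denies)
    allows = tuple(rule.name for rule in matched if rule.effect == "allow")
    if not allows:
        return Decision("deny", ("default deny",))
    obligations = tuple(sorted({o for rule in matched if rule.effect == "require"
                                for o in rule.obligations}))
    return Decision("allow", allows, obligations)


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("alice", "employee", "corporate", 10, "managed", "native", "copy", "restricted"),
        Request("bob", "contractor", "remote", 22, "personal", "vdi", "view", "restricted"),
        Request("bob", "contractor", "remote", 22, "personal", "native", "copy", "restricted"),
        Request("carol", "employee", "remote", 21, "managed", "native", "transmit", "confidential"),
        Request("dave", "employee", "remote", 12, "unmanaged", "web", "view", "internal"),
    ]
    for req in samples:
        d = decide(req)
        print(f"{req.user:6} {req.action:8} {req.target:12} -> {d.effect:5} {d.obligations}  ({'; '.join(d.reasons)})")
```

Deny-overrides with accumulated obligations is used here instead of first-match ordering because the contextual factors on the slide combine: a remote, off-hours transmission of confidential data should pick up both the encryption and the step-up authentication requirement, which a first-match evaluator would silently drop. The default deny is what turns the policy into an allow-list; the `reasons` field is what an auditor or SIEM needs to see alongside each decision.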

Page 9: Surfing the Wave: Security and the Consumerization of IT

Target•Data (DAR, DIM, DIU)•Code/Software•Services•Databases•Operating Systems•Networks/Infrastructure•Platforms/Hardware/Firmware

Threat Vector

•Copy, Exfiltrate•Modify, Corrupt•Destroy, Denial of Service

Threat Source

• Insider•Hacktivists•Motivated Hobbyist•Corporate Espionage•Cybercriminals•Nation State

Cyber Risk Analysis

Requirements• Level of

knowledgerequired

• Ability, Expertise

• Proximity required

• Access required

• Resources required

• Time required

Motivations• Money• Ideology• Coercion• Ego

RIS

K

{

• Risk can be mitigated, the threat landscape remains unchanged.

Page 10: Surfing the Wave: Security and the Consumerization of IT

BOARD-LEVEL RISK SECURITY PROGRAM ELEMENTSBoard Level Risk Categories Business Areas with Security-related Risk Security Program: Security Strategies/Mitigation

Financial• Asset Management• Accounting & Reporting• Market Fluctuations

• Asset Protection• Exceptions Management• Violation Detection and Reporting• Allegation of Manipulation Investigations• Regulatory Inquiries

Business Continuity & Resiliency

• R&D and Manufacturing• Logistics• Environment & Safety• Distribution• Business Continuity• Outsourcing• Branding

• Information Safeguards and Intellectual Property Protection• Disruption Detection• Mitigation Management• Emergency Response• Disaster Recovery Plans

Reputation & Ethics• Customer Relationship Data• Community Relations• Corporate Governance

• Privacy Policies & Compliance• Law Enforcement & Liaison• Regulatory Security Adherence• Allegation Response

Human Capital

• Misconduct• Environmental Hazards• Turnover• Employee Skills & Performance• Compensation & Benefits• Labor Union Issues• Services

• Background Checks• Awareness & Training• Code of Conduct• Drug Testing• Benefits Loss Prevention• Labor Disruption Planning• Intellectual Property Protection

Information

• Intellectual Property• Information & Privacy• Networks• Applications• Hardware• New Technologies

• Data Classification• Intrusion Detection• Authentication and Access Control• Physical Access Controls• Digital ID Management

Legal, Regulatory/Compliance & Liability

• Antitrust Violations• Noncompliance• Audits• Accreditation• Third-party Vendors• Supply Chain• Liability• Litigation• Partnerships & Service Providers• Sales & Marketing• Procurement

• Regulatory Controls• Risk Assessment• Security Programs Certification• Partner Due Diligence• Records Retention Policy• Investigations• Program Integrity• Regulatory Compliance• Vendor Contracts/Code of Ethics

New or Emerging Markets for Business• Global/International• Mergers & Acquisitions• Competition

• Intelligence Analysis and Mitigation• Country Business Risk Assessment• Due Diligence Investigations• Business Intelligence Gathering• Information Safeguards

Physical/Premises & Product• Partnerships• Inventory & Products• Unauthorized Access

• Warehouse Facility Protection• Product Protection Program• Property Protection Program• Facility Access Policy

©Security Executive Council

Page 11: Risk Mitigation

Evaluate the current state and the available security controls:
  Proactive: Technology & Tools
  Administrative: Processes, Policies, Guidelines
  Education and Deterrent
  Reactive: Monitoring, Alerting, Incident Response
Develop a risk mitigation strategy commensurate with the severity of the threats, and prioritize based on risk/benefit analysis. This may lead to evaluating and deploying new controls.
Measure the effectiveness of security controls with metrics (hint: it won't be 100%).

Page 12: Security Portfolio & Governance

The security portfolio will include a combination of Administrative, Deterrent, Preventative and Detective controls.

Directive & Administrative Controls
• Security & Compliance Policies, Guidelines
• IT Standards
• IT Procedures
• HR Policies
• Contracts & SLAs

Deterrent Controls
• User Awareness Program
• Training
• Appropriate Use Guidelines
• Organizational Culture of Security

Preventative & Protective Controls
• Authentication
• Authorization & Permissions
• OS Hardening
• Network Segmentation
• Group Policies
• Endpoint Protection
• Encryption, TPM
• DLP, DRM
• VDI

Detective & Responsive Controls
• IDS/IPS Monitoring
• Event Logging & SIEM
• Fraud Detection
• DLP
• Auditing
• Forensics

Page 13: Sphere of Protection

A mature security program leverages security in depth to address a broad range of threats effectively.

(diagram) © Cengage Learning, Management of Information Security, 3rd ed. (2010), Whitman & Mattord

Page 14: Data-Centric Approach

It is important to understand what data you want to protect. Utilize DRM, watermarks, fingerprinting, etc.

Limit access to data and systems with AAA and role-based access control (across layers). Grant access only to the people who need it.

Utilize VDI and other tools to enable appropriate data access and use without data loss.

When and where possible, look at how data is being used, its destination and its content, and apply rules (e.g. DRM, encryption) appropriately. End users may fail intentionally or unintentionally; automation that takes the context into account may provide better assurance that data is not being used inappropriately.

Inspect data and make decisions as it crosses boundaries (Web, Network Zones, Endpoint, Email…).

Where you have less control (e.g. SaaS), you may enable the use but enforce encryption, or keep the restricted data from getting there at all.

Classification is not static, and you won't get it all or be perfect out of the gate. Utilize DLP to discover what is sensitive, where sensitive data resides and how it is used.
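The two mechanical parts of the data-centric approach above, discovery of sensitive data and inspection at a boundary, worked through as an added example (illustrative code, not code from the deck or from John Deere). The classification labels, the detector patterns, the per-destination limits and the sample files are all constructed for this illustration; the destinations stand in for the boundaries the slide names (web, network zones, endpoint, e-mail) and for the lower-control SaaS case.

```python
"""Content inspection at a boundary (added example; not code from the original deck).

Two parts of the slide's data-centric approach: discovery (find what is
sensitive and where it resides) and boundary decisions (inspect content as it
crosses a boundary, then allow it, force encryption, or block it). The
classifier combines explicit classification labels with pattern detectors; the
card-number detector applies the Luhn check so that an arbitrary 16-digit
string does not trigger it. Labels, patterns, destination limits and the sample
files are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Uppercase labels only: a header marking, not the word "internal" in ordinary prose.
LABEL_RE = re.compile(r"\b(RESTRICTED|CONFIDENTIAL|INTERNAL)\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate card numbers, Luhn-checked below
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Tuple[str, List[str]]:
    """Return (classification, evidence); the highest-ranked finding wins."""
    findings: List[Tuple[str, str]] = []
    for m in LABEL_RE.finditer(text):
        findings.append((m.group(1).lower(), "label:" + m.group(1)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):                      # evidence keeps only the last four digits
            findings.append(("restricted", "card:" + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("restricted", "ssn:" + m.group(0)[-4:]))
    if not findings:
        return "public", []
    level = max((lvl for lvl, _ in findings), key=RANK.__getitem__)
    return level, [ev for _, ev in findings]


# Each boundary carries (highest classification allowed in the clear,
# highest classification allowed at all); anything above the second is blocked.
DESTINATIONS: Dict[str, Tuple[str, str]] = {
    "internal_share":  ("restricted", "restricted"),
    "corporate_email": ("confidential", "restricted"),   # restricted only if encrypted
    "external_email":  ("internal", "confidential"),     # confidential encrypted, restricted blocked
    "saas_upload":     ("internal", "confidential"),     # less control over the service: same limits
    "usb_media":       ("public", "internal"),
}


def boundary_decision(text: str, destination: str) -> Tuple[str, str, List[str]]:
    """Decide what happens to content crossing a boundary: allow, encrypt or block."""
    level, evidence = classify(text)
    clear_max, any_max = DESTINATIONS[destination]
    if RANK[level] > RANK[any_max]:
        return "block", level, evidence
    if RANK[level] > RANK[clear_max]:
        return "encrypt", level, evidence
    return "allow", level, evidence


def discover(corpus: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Discovery scan: where sensitive data resides and what made it sensitive."""
    results = {path: classify(body) for path, body in corpus.items()}
    return {path: found for path, found in results.items() if found[0] != "public"}


# Constructed sample files standing in for a file-share scan.
SAMPLE_FILES = {
    "share/finance/q2-forecast.txt": "INTERNAL - Q2 forecast draft. Do not distribute outside Finance.",
    "share/hr/payroll-export.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "share/sales/customer-orders.csv": "order,card\n1001,4111 1111 1111 1111\n",
    "share/eng/build-notes.txt": "build 20130606 passed; artifact id 1234567890123456",
    "share/public/press-release.txt": "Company announces a new line of tractors for the 2014 season.",
}

if __name__ == "__main__":
    for path, (level, evidence) in discover(SAMPLE_FILES).items():
        print(f"{level:12} {path}  {evidence}")
    for path, dest in [("share/hr/payroll-export.csv", "external_email"),
                       ("share/sales/customer-orders.csv", "corporate_email"),
                       ("share/finance/q2-forecast.txt", "saas_upload")]:
        action, level, _ = boundary_decision(SAMPLE_FILES[path], dest)
        print(f"{action:8} {level:12} {path} -> {dest}")
```

The build-notes file shows why the Luhn check matters: its artifact identifier is sixteen digits long and would otherwise be reported as a card number, and noisy discovery results are what make teams stop trusting their DLP. The evidence list carries only the last four digits of a matched value, so the scan report itself does not become another copy of the sensitive data.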

Page 15: Conclusion

The data-centric model is crucial, because the risk associated with cloud, mobile, social and data is much lower when the data (information) is managed well, or kept out of those zones.

In order to enable the business, you sometimes need to accept equivalent services (with SLAs) from vendors.

Consumerization is a wave that we cannot stop; we can surf it or drown. We need to partner with the business to develop reasonable solutions, focusing on the greatest risk/value, and that means architecting flexible solutions that draw upon security controls across all layers.

Page 16: Workshop Questions

1. What do you see as the biggest challenges of CoIT? How is or will CoIT impact your organization?
2. How do you work with business/IT leaders to explain the risk and get buy-in for your mitigation strategy?
3. What are the key components of your security or risk management strategy?
4. What technologies do you see today, or feel are needed, to better enable these IT trends (Cloud, Mobile, Data, Social, Internet of Things)?
