Posted 26-May-2015 | Category: Technology | Uploaded by: john-d-johnson
Surfing the Wave: Security and the Consumerization of IT
John Johnson, PhD, CISSP
John Deere / Global Security Strategist
June 6, 2013
IT Trends: Nexus of Forces
[Diagram: CoIT sits at the centre of the converging forces Data, Mobile, Social, Cloud and Internet of Things, bounded by Threats and Regulations; Security Architecture spans the axis from Risk to Opportunity.]

How do we define CoIT?
• Cloud Services (SaaS, PaaS, IaaS) (Public, Private)
• Social Media
• Data (Big Data, ERP, CRM) (Structured, Unstructured) (Classified, Unclassified)
• Mobile (BYOD) (Corporate, Personal)
• Internet of Things (Computers, Sensors, PLC, Product) (Managed, Unmanaged, Rogue)
• Supply Chain, Vendors, Employees (Millennials)
Drivers of CoIT
• The boundaries are moving, the perimeter is eroding
• The way we are doing business requires new processes/technologies to spur innovation, support agility, find competitive advantage
• Customers are demanding services
• Employees are demanding mobile devices, anytime/anywhere access, flexible work/life balance
• Business partners/suppliers/vendors need access to resources and data
HOW DO WE SECURE?

Securing The Wave
• Develop strategies that are aligned to the business objectives: Layered, Synergetic, Informs Decisions
• Focuses on greatest risk/impact, where the greatest value is
• We cannot protect everything equally, nor 100%
• We cannot say “No” or stop this natural evolution & convergence of forces, nor should we
• Enable business objectives, listen, partner, collaborate to develop security solutions that manage risk (the business owns the risk)
Security Model
Security Controls
• Policies, Awareness, Processes, SLA, Contracts…
• Find enabling technologies: mature, interoperable, extensible, offering fine-grained rules.
• Device-Centric: EPP, Client DLP, Mobile Proxy, DRM, MDM, Advanced Threat Detection/Mitigation, VDI, Patch Mgmt, Software Inventory, …
• Network-Centric: Segmentation, Network Knowledge, Non-Compliant VLANs, Network/Cloud Content Mgmt (AV, DLP), FW, Proxies, APT Detection, IDS/IPS, SIEM, Threat Intelligence, Rogue Detection, Next Gen Network, Fraud Detection, Vuln Mgmt, Network Forensics, Authentication, Federation…
• Data-Centric: Classification Policy, Awareness, Discovery, DRM, DLP…
Apply Security Rules
PEOPLE, PROCESSES, TOOLS
[Diagram: a security rule is evaluated from the context of the request: the User, Role, Location/Time, Asset and Access Method; the Action attempted (Copy, Modify, Transmit, Process/View, Support); and the Data or Service being accessed.]
• Security controls are applied to mitigate risk, based on a number of factors. Find technology that makes intelligent decisions at boundaries and automates actions, to ensure policy compliance.
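The context-driven rule evaluation this slide describes, as an added example that is not code from the deck: a small first-match rule engine over the slide's factors (user, role, location/time, asset, access method, action, data classification, service). The role, asset and destination vocabulary, the decision labels and the rule set itself are constructed for illustration, not any product's policy; the ordering (hard denies first, catch-all deny last) is the design point.

```python
"""Context-aware access rules: first matching rule decides, default deny.

Added illustration, not code from the deck. The request factors follow the
slide (user, role, location/time, asset, access method, action, data/service);
the vocabulary and the rule set are constructed for demonstration.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str            # constructed vocabulary: "engineer", "support", "contractor"
    location: str        # "corporate", "vpn", "internet"
    hour: int            # local hour of the request, 0-23
    asset: str           # "managed", "unmanaged", "rogue"
    access_method: str   # "native", "vdi", "web"
    action: str          # "view", "copy", "modify", "transmit", "support"
    classification: str  # "public", "internal", "restricted"
    service: str         # "erp", "crm", "fileshare", "saas-storage"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[AccessRequest], bool]
    decision: str        # "allow", "deny", "allow-with-drm", "step-up-auth"


def in_business_hours(hour: int) -> bool:
    return 7 <= hour < 19


def restricted(r: AccessRequest) -> bool:
    return r.classification == "restricted"


# Ordered list: the first rule that matches wins. Denies that must never be
# bypassed come first; the last rule is a catch-all deny so nothing falls through.
RULES: List[Rule] = [
    Rule("rogue-asset", lambda r: r.asset == "rogue", "deny"),
    Rule("contractor-support-only",
         lambda r: r.role == "contractor" and r.action != "support" and r.classification != "public",
         "deny"),
    Rule("restricted-offsite-copy",
         lambda r: restricted(r) and r.action in ("copy", "transmit") and r.location != "corporate",
         "deny"),
    Rule("restricted-unmanaged-view-via-vdi",
         lambda r: restricted(r) and r.asset == "unmanaged" and r.access_method == "vdi" and r.action == "view",
         "allow"),
    Rule("restricted-unmanaged-other", lambda r: restricted(r) and r.asset == "unmanaged", "deny"),
    Rule("restricted-after-hours", lambda r: restricted(r) and not in_business_hours(r.hour), "step-up-auth"),
    Rule("restricted-transmit-with-drm", lambda r: restricted(r) and r.action == "transmit", "allow-with-drm"),
    Rule("restricted-managed-onsite",
         lambda r: restricted(r) and r.asset == "managed" and r.location in ("corporate", "vpn"),
         "allow"),
    Rule("internal-managed", lambda r: r.classification == "internal" and r.asset == "managed", "allow"),
    Rule("public-any", lambda r: r.classification == "public", "allow"),
    Rule("default-deny", lambda r: True, "deny"),
]


def decide(req: AccessRequest, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (decision, rule name) for the first matching rule; the name is what you log."""
    for rule in rules:
        if rule.matches(req):
            return rule.decision, rule.name
    return "deny", "no-rule-matched"   # only reachable if the catch-all is removed


def sample_request(**overrides) -> AccessRequest:
    """A constructed baseline request; override any factor to explore the rules."""
    base = AccessRequest(user="alice", role="engineer", location="corporate", hour=10,
                         asset="managed", access_method="native", action="view",
                         classification="internal", service="erp")
    return replace(base, **overrides)


if __name__ == "__main__":
    for req in (
        sample_request(classification="restricted", action="copy"),
        sample_request(role="contractor", classification="restricted", location="internet",
                       asset="unmanaged", access_method="vdi"),
        sample_request(classification="restricted", location="vpn", hour=22),
        sample_request(classification="restricted", action="transmit", role="support"),
        sample_request(classification="public", location="internet", asset="unmanaged", access_method="web"),
    ):
        print(req.user, req.role, req.classification, req.action, "->", decide(req))
```

Every decision returns the name of the rule that produced it so the boundary device can log why an action was allowed, stepped up or blocked; that trace is what makes automated enforcement auditable.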
Cyber Risk Analysis
Target
• Data (DAR, DIM, DIU)
• Code/Software
• Services
• Databases
• Operating Systems
• Networks/Infrastructure
• Platforms/Hardware/Firmware
Threat Vector
• Copy, Exfiltrate
• Modify, Corrupt
• Destroy, Denial of Service
Threat Source
• Insider
• Hacktivists
• Motivated Hobbyist
• Corporate Espionage
• Cybercriminals
• Nation State
Requirements
• Level of knowledge required
• Ability, Expertise
• Proximity required
• Access required
• Resources required
• Time required
Motivations
• Money
• Ideology
• Coercion
• Ego
[Diagram: Target, Threat Vector and Threat Source (with its Requirements and Motivations) are braced together as RISK.]
• Risk can be mitigated; the threat landscape remains unchanged.
BOARD-LEVEL RISK SECURITY PROGRAM ELEMENTS
(Board Level Risk Categories | Business Areas with Security-related Risk | Security Program: Security Strategies/Mitigation)

Financial
  Business areas: Asset Management; Accounting & Reporting; Market Fluctuations
  Security program: Asset Protection; Exceptions Management; Violation Detection and Reporting; Allegation of Manipulation Investigations; Regulatory Inquiries
Business Continuity & Resiliency
  Business areas: R&D and Manufacturing; Logistics; Environment & Safety; Distribution; Business Continuity; Outsourcing; Branding
  Security program: Information Safeguards and Intellectual Property Protection; Disruption Detection; Mitigation Management; Emergency Response; Disaster Recovery Plans
Reputation & Ethics
  Business areas: Customer Relationship Data; Community Relations; Corporate Governance
  Security program: Privacy Policies & Compliance; Law Enforcement & Liaison; Regulatory Security Adherence; Allegation Response
Human Capital
  Business areas: Misconduct; Environmental Hazards; Turnover; Employee Skills & Performance; Compensation & Benefits; Labor Union Issues; Services
  Security program: Background Checks; Awareness & Training; Code of Conduct; Drug Testing; Benefits Loss Prevention; Labor Disruption Planning; Intellectual Property Protection
Information
  Business areas: Intellectual Property; Information & Privacy; Networks; Applications; Hardware; New Technologies
  Security program: Data Classification; Intrusion Detection; Authentication and Access Control; Physical Access Controls; Digital ID Management
Legal, Regulatory/Compliance & Liability
  Business areas: Antitrust Violations; Noncompliance; Audits; Accreditation; Third-party Vendors; Supply Chain; Liability; Litigation; Partnerships & Service Providers; Sales & Marketing; Procurement
  Security program: Regulatory Controls; Risk Assessment; Security Programs Certification; Partner Due Diligence; Records Retention Policy; Investigations; Program Integrity; Regulatory Compliance; Vendor Contracts/Code of Ethics
New or Emerging Markets for Business
  Business areas: Global/International; Mergers & Acquisitions; Competition
  Security program: Intelligence Analysis and Mitigation; Country Business Risk Assessment; Due Diligence Investigations; Business Intelligence Gathering; Information Safeguards
Physical/Premises & Product
  Business areas: Partnerships; Inventory & Products; Unauthorized Access
  Security program: Warehouse Facility Protection; Product Protection Program; Property Protection Program; Facility Access Policy

© Security Executive Council
Risk Mitigation
• Evaluate current state and available security controls:
  Proactive: Technology & Tools; Administrative Processes, Policies, Guidelines; Education and Deterrent
  Reactive: Monitoring, Alerting, Incident Response
• Develop a risk mitigation strategy commensurate with the severity of threats and prioritize based on risk/benefit analysis. This may lead to evaluating and deploying new controls.
• Measure effectiveness of security controls with metrics (hint: it won’t be 100%)
Security Portfolio & Governance
• The security portfolio will include a combination of Administrative, Deterrent, Preventative and Detective controls
Directive & Administrative Controls
• Security & Compliance Policies, Guidelines
• IT Standards
• IT Procedures
• HR Policies
• Contracts & SLAs
Deterrent Controls
• User Awareness Program
• Training
• Appropriate Use Guidelines
• Organizational Culture of Security
Preventative & Protective Controls
• Authentication
• Authorization & Permissions
• OS Hardening
• Network Segmentation
• Group Policies
• Endpoint Protection
• Encryption, TPM
• DLP, DRM
• VDI
Detective & Responsive Controls
• IDS/IPS Monitoring
• Event Logging & SIEM
• Fraud Detection
• DLP
• Auditing
• Forensics
• A mature security program leverages security in depth to address a broad range of threats effectively
Sphere of Protection
[Diagram: © Cengage Learning, Management of Information Security, 3rd ed. (2010), Whitman & Mattord]
Data-Centric Approach
• It is important to understand what data you want to protect. Utilize DRM, watermarks, fingerprinting, etc.
• Limit access to data and systems with AAA & role-based access control (across layers). Only let the people who need the data access it.
• Utilize VDI and other tools to enable appropriate data access and use, without data loss.
• When and where possible, look at how data is being used, its destination and its content, and apply rules (e.g. DRM, encryption) appropriately. End users may intentionally or unintentionally fail; automation that takes the context into account may provide better assurance that data is not being used inappropriately.
• Inspect data and make decisions as it crosses boundaries (Web, Network Zones, Endpoint, Email…).
• If you have less control (e.g. SaaS) you may enable the use, but enforce encryption or keep the restricted data from getting there.
• Classification is not static and you won’t get it all or be perfect out of the gate. Utilize DLP to discover what is sensitive, where sensitive data resides and how it is used.
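The two data-centric steps above (discover what is sensitive and where it resides; inspect data and decide as it crosses a boundary), as an added example that is not code from the deck or any DLP product: a small content classifier, a constructed boundary policy keyed on classification and destination, and a discovery pass over constructed sample files. The detectors (a CLASSIFICATION: marker, a hypothetical DWG-nnnnnn drawing-id format, card-like numbers validated with the Luhn checksum), the destination names and the policy table are all assumptions for illustration; the Luhn check is there to show why a bare pattern match is not enough.

```python
"""DLP-style classification and boundary decisions.

Added illustration, not code from the deck or any product. Detector patterns,
the destination vocabulary and the policy table are constructed for demonstration.
"""
import re
from typing import Dict, List, Tuple

# Constructed detectors. The marker detectors pick up an explicit classification
# label; the others look for data that is sensitive even when it is unlabelled.
MARKER_RESTRICTED = re.compile(r"\bCLASSIFICATION:\s*RESTRICTED\b", re.I)
MARKER_INTERNAL = re.compile(r"\bCLASSIFICATION:\s*INTERNAL\b", re.I)
DRAWING_ID = re.compile(r"\bDWG-\d{6}\b")              # hypothetical engineering-drawing id format
CARD_LIKE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")   # 16 digits with optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters most 16-digit values that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Tuple[str, List[str]]:
    """Return (classification level, names of the detectors that fired)."""
    findings: List[str] = []
    if MARKER_RESTRICTED.search(text):
        findings.append("marker-restricted")
    if MARKER_INTERNAL.search(text):
        findings.append("marker-internal")
    if DRAWING_ID.search(text):
        findings.append("part-drawing-id")
    # A regex hit alone is not enough: a purchase-order number can look like a card.
    if any(luhn_ok(re.sub(r"\D", "", m.group(0))) for m in CARD_LIKE.finditer(text)):
        findings.append("payment-card")

    if "marker-restricted" in findings or "payment-card" in findings:
        return "restricted", findings
    if "marker-internal" in findings or "part-drawing-id" in findings:
        return "internal", findings
    return "public", findings


# Constructed boundary policy: (classification, destination) -> action.
BOUNDARY_POLICY: Dict[Tuple[str, str], str] = {
    ("restricted", "internal-zone"): "allow",
    ("restricted", "sanctioned-saas"): "allow-encrypted",   # enable the SaaS use, enforce encryption
    ("restricted", "personal-email"): "block",
    ("restricted", "web-upload"): "block",
    ("internal", "internal-zone"): "allow",
    ("internal", "sanctioned-saas"): "allow",
    ("internal", "personal-email"): "block",
    ("internal", "web-upload"): "alert",
}


def inspect_at_boundary(text: str, destination: str) -> Dict[str, object]:
    """Classify the content, then apply the policy for the crossing being attempted."""
    level, findings = classify(text)
    # Unknown destination: fail closed for anything that is not public.
    default = "allow" if level == "public" else "block"
    action = BOUNDARY_POLICY.get((level, destination), default)
    return {"classification": level, "findings": findings,
            "destination": destination, "action": action}


def discover(corpus: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Discovery pass: where does non-public data reside, and which detector flagged it?"""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for path, text in corpus.items():
        level, findings = classify(text)
        if level != "public":
            report[path] = (level, findings)
    return report


# Constructed sample files for the discovery pass.
SAMPLE_CORPUS = {
    "share/hr/expenses.txt": "Reimbursement to card 4111 1111 1111 1111 for travel",
    "share/eng/release-notes.txt": "CLASSIFICATION: INTERNAL\nTolerance fix for DWG-004512",
    "share/marketing/brochure.txt": "Public product brochure text",
    "share/eng/supplier-memo.txt": "Order 1234 5678 9012 3456 is a PO number, not a card",
}

if __name__ == "__main__":
    for path, (level, why) in discover(SAMPLE_CORPUS).items():
        print(f"{path}: {level} {why}")
    print(inspect_at_boundary(SAMPLE_CORPUS["share/hr/expenses.txt"], "sanctioned-saas"))
```

The supplier memo is the case the slide's "you won't be perfect out of the gate" warns about: it matches the card pattern but fails the checksum, so discovery leaves it unflagged instead of generating noise, while the genuinely card-bearing expense file is found and, when it heads for the sanctioned SaaS, is allowed only with encryption enforced.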
Conclusion
• The data-centric model is crucial, because the risk associated with cloud, mobile, social and data is much less when the data (information) is managed well, or kept out of those zones.
• In order to enable the business, you sometimes need to accept equivalent services (w/SLA) from vendors.
• Consumerization is a wave that we cannot stop, and we can surf it or drown. We need to partner with the business to develop reasonable solutions, focusing on the greatest risk/value, and that means architecting flexible solutions that draw upon security controls across all layers.
Workshop Questions
1. What do you see as the biggest challenges of CoIT? How is or will CoIT impact your organization?
2. How do you work with business/IT leaders to explain the risk and get buy-in for your mitigation strategy?
3. What are the key components of your security or risk management strategy?
4. What technologies do you see today, or feel are needed, to better enable these IT trends? (Cloud, Mobile, Data, Social, Internet of Things)