Joseph Ferracin Director IT Security Solutions GlobalSecurity @SITA Managing Security.

Post on 28-Dec-2015


Joseph Ferracin

Director IT Security Solutions

GlobalSecurity@SITA

Managing Security

Efficient security requires, in modern networked IT environments:

A Security organization

A Security Framework – Guidelines and Policies

Company’s Management support

End-Users involvement

A security plan

A budget

Skilled Security people

The organization

Create a Security Office that is independent of IT and reports to the top management. It:

Defines the security framework and the high level policies

Drives security Audits & Assessments

Defines the security plan & proposes the security budget

Helps in security implementations

Create a Security Council that includes the Security Officer, top management representative(s) and IT representative(s). It:

Endorses security policies

Validates the Security Plan & Security budget

The Framework

We recommend BS 7799. The BS 7799 Information Security Standard is published in two parts:

1. Part 1: ISO/IEC 17799, Code of practice for Information Security Management

2. Part 2: BS 7799 Specification for Information Security Management

Purchase on line: http://www.bsi-global.com/Information+Security/04_Standards_infosec/index.xhtml

BS 7799 shall be regarded as guidance

BS 7799 certification is complex

Get management support

Propose a risk assessment

Company’s management is responsible for the security of Company assets

Vulnerabilities in the IT security organization and in IT equipment configurations must be known.

Associated risks must be evaluated.

Suggest the necessity of a high level security policy

Suggest developing a security plan

Costs: $100 000 to $600 000

Involve End Users

Education

Users must know and understand the security policy

They must be conscious of the value of their own data.

Avoid constraints – Try to suggest – Use flattery

Security has to be as transparent as possible

Use appropriate technology

Security issues: You want to guarantee

Availability of Information Systems

Confidentiality & Privacy of Sensitive Information

Access control on Networks, Systems & Applications

Integrity of Transactions

Security is a continuous process

Assess risks

Audit implementations

Analyze vulnerabilities

Security policies

Security migration plans

Define secure architectures

Design security solutions

Technologies shown on the slide: Firewalls, Encryption, Public key infrastructures, Centralized management, Anti-virus, Intrusion detection, Strong authentication

Technologies shown on the slide: Firewalls, Strong authentication, IPSec VPNs, Digital certificates, Intrusion detection

Security on the Intranet

[Diagram of the intranet security services; labels recovered from the slide:]

Anti-Virus: Virus Detection on Mainframes, Servers and Workstations

Strong Authentication: PKI, Smart Cards, Single Sign On

Authentication Service: Kerberos V5

Authorization Service: Role Based Authorization, Active Directory

Security on the Internet

[Diagram of the Internet security architecture; labels recovered from the slide:]

Zones: Corporate Intranet, Demilitarized Zone (DMZ)

Parties: Consumer, Trusted Consumer, Business Partner, Employee

Connection types: No Security, SSL Encrypted Transaction, IPSec Encrypted VPN (shown twice)

Controls: Firewall, VPN, Intrusion Detection, Access Control, Authentication

Properties: Integrity, Confidentiality, Availability

Why Outsource Security?

I.T. resource shortage

Network Admin.: $65,000

Security Engineer: $109,000

“Under-staffed, under-skilled, overwhelmed. That’s the sinking feeling conveyed to us repeatedly by CIOs...”

“The Situation isn’t likely to improve any time soon.”

“For Many CIOs, The staffing crisis is an overriding concern that adds risk to every project.” – CIO Magazine

Specialized IT Security Resources are even harder to find

Security Outsourcing Expenses

[Chart: security outsourcing expenses in $ billions, 1998 to 2003; $14.8 Billion Industry in 2003 – 45% CAGR. Source: IDC, 2000]

Why Companies are outsourcing?

Dearth of skilled security talent – Universe of CISSPs less than 1,500

Sophisticated attacks beyond capability of most IT departments – DDoS attack, Love Virus, etc.

Carrier grade security SLAs unachievable by most IT departments – Follow the sun 24x7x365 model

Security not typically a core competency of companies – Scale, budgets, staff usually subjugated to business issues

Security intelligence missing – IT depts lack the ability to monitor hacker underworld and global events to proactively redress vulnerabilities and attacks

Total Cost of Ownership (“TCO”) – Organizations cannot match economies of scale of a managed security service provider

A portfolio of Solutions

Professional Services

Partners foremost in Security

Managed Security Services

Security Professional Services

Solutions tailored to your needs … for the Winning Approach

Risk Analysis

Security Policies definition

Solutions Implementation

Security Management

Security Audit

A Team of Security Experts

Managed Security Services …

IP Secure Gateway: IPSec VPNs

Managed Firewall Services

Partnership with Internet Security Systems (ISS), a Leader in Security

High quality of service

Very competitive pricing for small, mid-size and big Extranet & Internet sites

Managed Intrusion Detection

Partnership with ISS

Real time protection of mid-size and big Internet and E-Commerce sites

Available on

SITA Private Network

SITA Internet Network

Remote Access

Features

Scalable Solutions

World class technology

And … Digital Certificates

Vulnerability Scanning

Content Filtering …

Thank You !

Q & A