Putting security silos out to pasture: Best practices learned from Citi's IT security operations
What’s in the Network?
Source: Dangers of Complexity in Network Security, October 2012
55% of Midsize & Enterprise firms said complex policies caused a known breach, outage or both
Complexity Leads to Risk
• Caused a security incident: 16.5%
• Caused both a security incident and a system outage: 9.7%
• Caused a system outage: 29.1%
• Had no known impact on security or system availability: 44.7%
Impact of Complex or Conflicting Security Policies, Midsize and Enterprise
Source: Dangers of Complexity in Network Security, October 2012
Siloed Security Management Just Makes it Worse!
• Reduced Business Agility
• Time-Consuming Audits
• Poor Change Control
• Inability to Meet SLAs
• Increased Network Security Management Costs
Inefficient & poor security policy management SLOWS DOWN BUSINESS & IMPACTS YOUR BOTTOM LINE!
An Introduction
• General
• Global Operations and Engineering
• Global Information Security Standards (policy and technical)
• 24 x 7 x 365 Security and Networks Operations Centres
• Environment
• 1.2MM end points
• Large, global network
• 30 enterprise Internet facilities
• 1000 firewall end points not including management / IPS / Proxy
• 800 firewall changes (i.e. simple modification or the addition of hundreds of rules) on average per month
Complex, Segmented Environment
• Background on the environment Pre-2004
• Regional Security Operations control of external connectivity
• No common criteria for establishing data access and connection security controls – shared good practices
• Inconsistent application of solutions to the same requests
• No easily viewable auditing and logging capabilities for the process
• No real-time aggregated view of the “Relationships” and “Connections” with various 3rd Parties
• No consistent process to determine status of the connection request
The Next Step…
• Development of CCR
• Centralized relationship between business requirements, contractual obligations and technical configurations
• Implemented to improve the end-to-end accountability of connections and to minimize risk to data, operations and the brand
• All global Firewall and IP registration requests are analyzed by contractual and risk obligations as well as technical requirements
• Continuous Enhancements of CCR
• Significant investment in NEW additional processes and development
• Finding owners and workflow
• Time to Market for requests was significantly slower
• Technical knowledge required in CCR (business and technical data)
• Rule base bloat
How Citi Manages these Obstacles
• What did Citi look for in a solution and process?
• Customer-centric experience – workflow/updates/time to market
• Automate decision making in rules and risks
• Reporting
• Integration with existing Citi systems (change management)
• Overall performance of system compared to current tools
• What other key ingredients were involved?
• Senior sponsorship of a re-engineering program
• Metrics, metrics, metrics
• Process re-engineering
• Customer experience / business backing
Strategic Internal Discussions
• Comprehensive Market Evaluation of External Products in the Security Policy Management Space
• Buy v Build Discussion
• Multi-firewall platforms, extending to ACLs, Proxy, etc.
• Existing tool would not scale and was very simplistic
• Stakeholders
• Communication and Clear goals defined and aligned to POC
• Tailored to the audience
• Obtained Business buy-in – significant impact on them
Copyright (c) 2007, Principle Logic, LLC - All Rights Reserved
The Decision: AlgoSec
• Why AlgoSec?
• Automated change management workflow with FireFlow and the Active Change capability – end-to-end firewall rule history
• Very user-friendly and a good customer experience – both from technical and business personnel
• Multiple platform vendor support with commitment on roadmap
• AlgoSec’s commitment to work with Citi – over 150 “asks” to date
• Ease of integration with Citi systems
Lessons Learned & Considerations
• Process Re-engineering
• Measurable process metrics feed into overall program
• Do not shoe-horn a product into something that is flawed
• Business backing into improvements / metrics
• System and Application Integration
• CCR development initially not considered the end-to-end view
• The process highlights the systems integration required
• Customer Centricity
• The “business”, CCR team, Firewall Operations team, Audit and Compliance, Network Engineering all use the solution differently
• Reporting – general reporting and customer-centric
• Automation
Q&A and Additional Resources
• Firewall Policy Management for Dummies: http://bit.ly/JOLT9r
• Firewall Management ROI Calculator: http://www.algosec.com/roi
• Evaluate the AlgoSec Security Management Suite: AlgoSec.com/eval
Visit AlgoSec at Stand D51
Security Management. Made Smarter.
www.AlgoSec.com