Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of...
Transcript of Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of...
![Page 1: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/1.jpg)
Security-as-an-Enabler
The new security “delivery model”
Infocom Security 2015
Uni Systems Copyright © 2015 1
Andreas Athanasoulias, CISM, CISSP Information Security Officer & Security Consultant
![Page 2: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/2.jpg)
The fragile equilibrium of Information Security (1)
• Am I secure enough?
• Is there 100% security?
• Securing business or “securing security”?
• Balance between:
– Needs (business, user)
• Working efficiently
• Achieving goals
– Security & Protection
• Operations
• Assets
• Goals & Expectations
• Chasing 100% is like chasing Chimera.
• Business Enabler ≠ Security Paranoia
Uni Systems Copyright © 2015 2
![Page 3: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/3.jpg)
The fragile equilibrium of Information Security (2)
Proactive
Reactive
Uni Systems Copyright © 2015 3
![Page 4: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/4.jpg)
Approaching Information Security (1)
• Awareness of Information Security
– “Security says no”
– “Security is a regulatory requirement”
– “I am not the target of a cyber attack”
• “Selling” Information Security: Fear oriented, not business
oriented.
– Examples:
• Lose confidential data
• Hackers
• Industrial Espionage
• Fraud
Uni Systems Copyright © 2015 4
![Page 5: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/5.jpg)
Uni Systems Copyright © 2015 5
Approaching Information Security (2)
![Page 6: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/6.jpg)
Investing in Security:
Why it ‘s hard to “convince” (1)
Uni Systems Copyright © 2015 6
![Page 7: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/7.jpg)
Investing in Security:
Why it ‘s hard to “convince” (2)
Uni Systems Copyright © 2015 7
![Page 8: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/8.jpg)
Our Approach (1)
Information Security
Enabling Business
Proactive technologies
Proactive Information
Security Management
System
Uni Systems Copyright © 2015 8
![Page 9: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/9.jpg)
Our Approach (2)
Business needs
Security criteria
Proactive architecture
Security as an Enabler
Uni Systems Copyright © 2015 9
![Page 10: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/10.jpg)
Modern Standards address Security as an “Enabler”
• ISO 27001:2013 (ISMS)
– “It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure [..]. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.”
• Cobit Framework (ISACA)
– COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
• Solvency II
– Pillar 2: Governance & Supervision
– Effective risk management system.
Uni Systems Copyright © 2015 10
![Page 11: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/11.jpg)
Our approach:
Uni Systems Case Study
• Our approach in action
• It’ all about users and access to company resources.
• Secure access of users to resources.
• Users may be internal or external. – Insider threat
– External threats (e.g. remote support)
Users
Access
Resources
Uni Systems Copyright © 2015 11
![Page 12: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/12.jpg)
User & Access & Resources
User
• Identity
• Location
• Workspaces (e.g. Mobility)
Access
• Identification
• Authentication
• Authorization
Resources
• Shares
• Privileged accounts
• Systems & Services
Uni Systems Copyright © 2015 12
![Page 13: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/13.jpg)
Which are the risks?
• Insider threat
• Exposing internal, trusted resources to external parties
• Privileged accounts
– Shared?
– Leapfrogging?
– Limitations of network access controls? (e.g. firewalls)
• Multiple – shared accounts & identities
• Non-conformities (regulations)
• Advanced persistent threats
Uni Systems Copyright © 2015 13
![Page 14: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/14.jpg)
Solution Architecture
Application /
Session and
Desktop
Access
Video-like and CLI
Logging and
Recording
& SIEM
SSO, Password and
Shared Account
Management
User Repository
(A.D.)
Sessions
Token
Infrastructure
(Hard, SMS)
Password Vault
Internal Protected
Systems
User, Session access control, APT & DLP & encryption
Leapfrog prevention
Server, Storage, Network, Security Devices,
Report & Workflow
db
Workflow & Report Engine
Gateway
Access
Control (SSL,
Proxy (ICA))
Portal Web
Interface
Internal/External/Mobile
User Device
Endpoint
Management
(MDM, USB Boot,
Isolated Browser) Desktop, Thin client,
Laptop, Mobile Device, Smartphone
ICA Client
USB Boot Desktop
Token
USB Secure Web
Browser
Certificate
Sandboxed Apps
Any Device
1
2
4
5
7
3
6
8
10
11
9
Trusted and Protected Zone Secure Access Component Zone User Zone
Uni Systems Copyright © 2015 14
![Page 15: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/15.jpg)
Workflow
Uni Systems Copyright © 2015 15
![Page 16: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/16.jpg)
Business Scenarios
• Privileged User Access Management
– Perpetual - On-demand
• Remote Access Scenario
– Support engineers
• Mobile Device Management (MDM)
• Mobile Application Management (MAM)
• Data Loss Prevention
– Trusted & protected zone
• Compliance monitoring on critical infrastructure:
– Session Recording
– Security Incident & Event Management (SIEM)
• Enforcing compliance & governance
– Regulatory mandates (e.g. PCI)
Uni Systems Copyright © 2015 16
![Page 17: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/17.jpg)
What is being offered…
• … through a secure architecture.
• Workspaces
– Mobile | Virtual | Secure
• Risk Reduction
– Access Provisioning & De-provisioning Workflow
– Control on data. Prevention on leakage.
– Security Incidents Recorded. Guaranteed Audit Trail.
• Costs Reduction
– Access solution for both internal & external users
• Confidentiality & Availability
Uni Systems Copyright © 2015 17
![Page 18: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/18.jpg)
Technologies offering both
proactive & reactive approach
Uni Systems Copyright © 2015 18
Proactive Risk Assessment
Two factor authentication
Network & Application Access Controls
Network & Application Firewalls
Command white/blacklisting
Data Loss Prevention
Advanced Persistent Threat Detection
Reactive Session recording
Security Information & Event Management
Encryption
Advanced Persistent Threat Remediation
![Page 19: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/19.jpg)
Security as an Enabler – Conclusions
Proactive or… Pro-acting?
• Security must be proactive.
– When designing solutions.
– But…
• What about pro-acting?
– Technology and needs drive IT
– Security is reactive; criteria are set & met when technology has dominated the market
– What about smartphones and tablets? Modern workplaces? Internet of Things?
– Virtualization has practically changed the classic model of “perimeter security”
– Cloud service changed the landscape of how users consume services
• “Every business need should be injected with security doses”!
Uni Systems Copyright © 2015 19
![Page 20: Security as an Enabler · 2015. 4. 1. · Approaching Information Security (1) • Awareness of Information Security –“Security says no” –“Security is a regulatory requirement”](https://reader034.fdocuments.net/reader034/viewer/2022051603/5fec4f0f7e3915773b1c1183/html5/thumbnails/20.jpg)
Uni Systems Copyright © 2015 20
Thank you
Andreas Athanasoulias, CISM, CISSP Information Security Officer & Security Consultant