Services and Facility Overview

International Trends in IT SecurityState of CIO, 25 May 2004

Glen Noble, General Manager Hosting Solutions, Macquarie Corporate

James Southworth, CEO & Chief Technical Officer, Secure Pathways, Inc

Agenda

1. Corporate Governance – the escalating need for information security in organisations

2. Security issues of the CIO3. Trends driven by the Internet

• Managed Security Services model• From reactive to proactive models• Architecture changes

4. The US experience5. Summary

Macquarie Corporate

• IT&T Solutions to Corporate & Government

• Voice, Mobile, Data, Internet, Hosting, Security Solutions

• Australia & Asia

• Hosting Solutions– World class facility : DSD Accreditation, BS7799, Sun

Tone– Broadband multi-homed; carrier independent– Managed Dedicated Hosting, Managed Colocation – BCP / DR, Managed Security, Managed Storage, WAN

Connectivity

Is the threat real?

• Yes - not many corporates “owning up” there is plenty of evidence– AusCert Report– The consultants, Gartner et all– Macquarie’s experience

• 95%+ of corporate & government customers have a online presence

• ~100% of customers have a permanent internet connection*

Every business has a 24 x 7 security concern -

The threat is real and growing* Macquarie Corporate Survey of Customer Base 2002

Legislation which will Drive Security

• Privacy (Private Sector) Amendment Act 2000

• Cybercrime Act 2001• Commonwealth Criminal Code - Corporate

Culture Offences• NOIE/Attorney General Dept 1992 -

Director’s responsibility• US Sarbanes-Oxley Act of 2002

Legislation & Corporate Governance has forced security to a board room issue

Internal Vs External

• Most corporates can’t afford the level of security they require – Capital cost many $100ks - $1.0m – HR costs of specialists & 24x7 is significant $750k-$1.5m

• Hackers don't respect business hours. – Detection, responses & counter-measures 24x7

• Higher security implementation than internal deployment– skill set, priority of security management vs IT issues

• Managed Security Services from $400 pm• Select which parts to be done internally vs

externally with a partner

CIO issues

• Budget restraints• Skills shortages• Increasing need for 24 x 7 x 365 operations• Current architecture• WAN and internet security• The ability to monitor and respond• Counter measures• Identifying the real threats

Secure Pathways, Inc

• Security Technology Systems Integrator and Consultancy

• Based in Virginia, USA in the Washington DC area

• Servicing US government markets and Fortune 100 Companies.

• Consulting to US Federal Law Enforcement domestically and to Interpol HQ in France

• Experts in internet access technologies and technologies needed to protect access in all forms.

Real Security, A Culture !

• Three Major Components• Technical,

– Firewalls, – Software, – Authentication / Identification, Biometrics, PKI

– Physical, • Locks, • Walls and cages, • Guys with Guns (or whistles)

– Procedure (Everybody Forgets this one !)• No exceptions• No Road Blocks• Authority to Act

Static

Connections

Site-to-Site Networks Today

Complexity = Time = $$$

Branch Office

Primary ISPNetwork

SecondaryISP Network

VPN Router

Branch LAN

Branch Office

Enterprise LAN - WAN

Headquarters Site

VPN Concentrator

Branch LAN

FirewallFirewall

FirewallInternet Mobile

VPN ConcentratorMobile

Mobile MobileMobile

With Today’s Mobile Workforce, the Complexity Multiplies

DSLCable

Remote Office

DSLCable

Remote Office

Teleworker

DSLCable

DSLCable

Teleworker

Traditional SolutionsDo NOTNOT Scale

Mobile/Telecommuters/Customers

Customer orVendor

Secure Hosting & the Role of a Security MSSP

Customer orVendor

Internet

VPN Cloud aka

Walled Garden

Secure with QoSSecure without QoS

Headquarters

Firewalland/or

EncryptorRouter

Branch Office

Customer orVendor

Hosting Center

Ethernet Switch

Security

Intranet orExtranetServers

VPN & Secure Hosting – Role of Security MSSP

Field Office

Field Office

Enterprise LAN - WAN

Headquarters

LAN

Firewall

Mobile

Teleworker

Mobile

Mobile

Mobile

Mobile

Paradigm shift – internet mobility

Firewall

Teleworker

Secure Ad Hoc Project Teams Needed

Internet

It is It is simplesimple to make things complex. to make things complex.

It is It is complexcomplex to make things simple. to make things simple.

Core Belief

The US experience

• Spyware and Computer Monitoring, existing firewall and normal security precautions are usually circumvented by spyware.

• Trend to selective security outsourcing• Too much data => correlation engines• New Architectures required for Gig-Ethernet

and 10-Gig Ethernet • Voice and Video over IP• Existing firewall and corporate LAN’s need

to be re-designed to gain the advantages of VOIP

Conclusion and Summary

Every business has an ongoing 24x7x365 security problem

• Corporate governance, privacy regulations & high cost of loss dictates that security needs to be taken seriously

• Information Security is a multi-divisional implementation process (including BCP, DR, Access Policy, etc).

• Every organisation must evaluate their risk & then determine their needs. The worst plan is no plan!

• Customisation and management are the keys to effective security solutions.