4. qualityaustria Forum
Identity, Security and Risk Management
Dragutin Bošnjaković, Information Security Advisor, Atos IT Solutions and Services d.o.o. Beograd
Creating opportunities through new requirements!
02.10.2013.
4. qualityaustria Forum, Beograd, 02-okt-13
Identity, Security & Risk Management
Agenda
▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions
Today's World: Computers Everywhere
▶ Desktop computers account for less than 1% of the total embedded microprocessors globally. It is estimated that there are more than 10 billion embedded microprocessors produced annually.
▶ ‘A typical luxury salon car today may use more than 100 megabytes of computer code spread across 50 to 70 microprocessors, researchers say’
▶ Researchers from Rutgers University hacked into the computer of a car travelling at 60 mph via a wireless system used to monitor tire pressure.
▶ Microprocessors are now embedded into water control systems, nuclear power stations, the electrical grid - everything we depend on.
Computerized Tire Pressure Monitor
Challenges in the security area
The spread of possible security threats and their effects on enterprises increases steadily.
Computerized business processes will connect to customers and suppliers.
Potential offenders have changed their behavior. New forms of attack result in data losses daily.
Compliance requirements will be more stringent and complex.
New trends such as Cloud Computing, Social Media and Mobile Devices introduce new security risks.
New threats are emerging fast…
Risks: diverse and ubiquitous …
Internal Threats
• Theft of data
• Cost pressure
• Spread of company secrets
• Unsatisfied employees
• Illegal downloads
• Private surfing
• Misconduct
• Industrial espionage
Compliance
• SOX
• Privacy Laws
• Basel II/III
• PCI DSS
• Risk-Management
• ISO 27001
• Governance
• Cobit
• HIPAA
External Threats
• Spam
• Hacker
• Worms
• Trojans
• Denial-of-Service
• Industrial espionage
• Insecure e-mails
• Phishing
• Data trade
A paradigm shift has to take place…
From: Systems To: Information
From: Barriers To: Behavior
From: IT To: Critical Infrastructures
(GRC) Governance Risk and Compliance: Helping customers to understand and adapt to regulatory compliance issues for their specific market sector. Ensuring that governance and process controls are strategically aligned with a customer’s market vertical and business value drivers.
(IABS) Identity, Access, Biometrics and Smart Cards: Helping customers to centrally understand and manage “who has access to what” and “who should have access to what” across the processes within their enterprise, customer and partner space.
(STA) Security Technical Advisory: Allowing customers to understand and foresee their IT control risks whilst successfully integrating and refreshing security control technologies aligned with their business needs.
(MSS) Managed Security Services: Helping customers to reduce their total cost of compliance and security management by delivering “Atos High Performance Security” (AHPS), the world’s leading example of highly efficient, effective business process and IT security.
Atos’ ISRM Combined Portfolio: From the router to the board room
GRC (Governance, Risk & Compliance)
IABS (Identity and Access Management)
MSS (Managed security services)
Governance Risk and Compliance: Integrating governance
ISO 27000 Family
HIPAA
SoX / MIFID / BASEL II
NERC / CIP
PCI DSS
SAS70 / ISAE3402
HMG SPF/IS1
FDA

Analysis
Assessment
Appetite
Treatments

Process optimisation
Security Awareness
Risk Management and Business Intelligence integration
Oversight and workflow creation
Risk dashboards
Deming Cycle
Role mapping & analysis

▶ Atos helps clients understand their compliance obligations and risks.
▶ Atos automates as much of GRC as possible.
▶ Atos helps you keep ‘on course’ and with as little distraction as possible.
Identity, Access, Biometrics and Smart Cards: Authentication, Authorization, Administration and Audit
IABS Services
IAM Maturity assessment
Project Management
Design and Development
Identity Management as a Service
SSO as a Service
Trusted Identity as a Service
IABS Technology
Provisioning
Web Access Management
Single Sign-On
Identity Federation
Privileged User Account Management
Metadirectory
Strong Authentication
IABS Products
DirX Identity & Access Management
ID Center – biometric authentication
CardOS smart card
USB token with CardOS®
Problem
▶ Numerous ‘identities’ and multiple passwords providing access to highly valuable resources
▶ Passwords are not secure, not free and not appropriate for today’s ways of working
Solution
▶ Atos portfolios of Identity and Access Management products
▶ Biometrics and smart cards
▶ Single sign-on
▶ Password self service
Outcome
▶ Reduce costs and improve security and compliance
Security Technical Advisory
Problem
▶ How do I know what technology is ‘best’ and most cost effective from the dozens of choices available?
Solution
▶ Atos advises our clients about the costs and benefits of the latest technologies available, trying to find an optimal spend for our clients’ risk appetite.
STA services:
Security architecture
Security and compliance requirements collection
IT risk assessment
Cloud security assessment
Compliance gap analysis
GRC as a Service
Disaster recovery design
Government information assurance services
PEN testing
PKI design services
PKI Trust center services
Biometric & smart card solution design
Physical access control systems design
[Chart: Business Risk Mitigation Effort against Exposure (€) and Cost (€), marking the Effective Risk Management Strategy]
Managed Security Services
Service areas: Workplace Security, Infrastructure Security, Identity & Access Management
Endpoint Protection Services
Data Encryption Services
Mobile Security
Security for Cloud
Atos High Performance Security
Malware Scanning
Perimeter & Remote Access
Intrusion Protection
Business Partner Access
Vulnerability Management
Identity & Access Management:
Single Sign-On as a Service
Identity Management as a Service
Secure Directory Services
Managed PKI and Biometrics
Physical Access Control Systems
Problem
▶ We spend a lot of money and time on IT security and this distracts us from our core business
Solution
▶ Atos Managed Security Services offers a range of services so enterprises can outsource the costs and complexities of security and compliance.
Outcome
▶ Improved focus on clients’ business
▶ Reduced spend on security
Atos Olympic Security (Atos High Performance Security)
▶ Goals
– Being able to react to cyber threats in real time 24x7 as well as enable forensic analysis.
– Hackers are increasingly sophisticated and their targets are increasingly valuable: AHPS helps companies defend against critical losses.
– Reduce security operation expenses caused by explosive growth of security threats and reactive manual approach.
– Achieve compliance with government and industry standards.
▶ Solution
– AHPS monitors the business and IT environment 24x7 to see if significant incidents are occurring. Find suspicious activity while it is occurring, not after.
– The Atos Secure Operating Center responds to failures of policy compliance as new security, legislative and regulatory control requirements emerge.
– This service is based on our Olympic security solution, which has a track record of more than 10 years.
▶ Benefits
– Reducing costs by using the Atos security as a service model.
– Global presence of the AHPS service.
– Customer enablement to react in real time to security events.
Fragmented View vs. Integrated View
Fragmented sources: Firewall, IDS, Server Logs, Vulnerability Management
By understanding our customers’ business rather than just the IT infrastructure, we are able to understand the potential business impact of the events occurring and therefore weight the risk management response to the severity of the threat, delivering a risk-driven operating model for each of our customers.
Integrated View: Atos High Performance Security
Switch logs
Windows logs
Client & file server logs
Wireless access logs
Windows domain logins
Database Logs
San File Access Logs
VLAN Access & Control logs
DHCP logs
Linux, Unix, Windows OS logs
Mainframe logs
Oracle Financial Logs
Web server activity logs
Content management logs
Web cache & proxy logs
VA Scan logs
Router logs
IDS/IDP logs
VPN logs
Firewall logs
Some Significant Cost Drivers
Roles
► IT Security Managers
► UNIX Server Managers
► Wintel Server Managers
► Network Security Managers
► Patch and Vulnerability Management
► Firewall Engineers
Functions
► Security Policy Creation and Management
► PCI Compliance
► SOX Compliance
► Market Research
► Testing
► Problem Discovery
► Problem Resolution
► Audit
► Forensics
► Training
► Access / Authorization Reviews
Infrastructure
► Hardware
► Software Licenses
► Maintenance Fees
► Storage
The bullet points above typically represent at least $75k p.a. and can often exceed millions of dollars each.
Our Cost Conscious Approach
AHPS can reduce a variety of these costs via external service provision, domain and delivery expertise, and concentration of functions into one delivery unit. We estimate we can save you at least 10 to 25% of your current IT compliance and security spend, and we will demonstrate this to your satisfaction before contract signing.
Lifting the Performance of Security and Compliance Operations
BRONZE: Log monitoring & storage. Faster reaction to security issues and better compliance with log storage, but issue management focused on obvious tactical issues.
SILVER: ‘Joining up the dots’ across the IT landscape to enable proactive IT security. Control monitoring based on the IT landscape, not the business information landscape.
GOLD: 360° IT Security Control monitoring and auditing based on the business information landscape, aligning security and compliance measures with the highest-value business information.
Business information security: Alignment of security measures & spend with business information value & business impact.
Proactive management of digital threats and business control issues.
Manual security / control co-ordination: Manually driven performance based on pace of staff activity and tacit knowledge of staff.
Operational Efficiency and Cost Reduction
201m Filtered Events → 443k Correlated Events → 1,500 Alarms → 90 Critical Events
From Beijing Olympic Games: AHPS takes millions of raw events and via intelligent processing and correlation reduces them to a few critical events. This reduces manpower requirements and improves operational efficiency, and results in zero downtime, zero business effect.
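The four-level reduction described above (raw events, correlated events, alarms, critical events), fed by the many log sources listed on the integrated-view slide, is the shape of a SIEM correlation pipeline. The Python sketch below is an added example written for this page, not AHPS code or anything from Atos: it runs four stages over a constructed batch of 22 events (addresses, log sources and timings are invented for the demonstration, and the field names and thresholds are assumptions) and reports how many events survive each stage. The only "critical" case it escalates is a burst of failed logins followed by a success from the same address, the pattern a password-guessing attack leaves behind when it succeeds.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # event time
    source: str       # log source the event came from (firewall, vpn, ...)
    src_ip: str       # originating address the correlation keys on
    kind: str         # normalised event type (hypothetical vocabulary)


# Event kinds that carry security meaning; everything else is dropped at stage 1.
SECURITY_KINDS = {"fw_deny", "login_fail", "login_ok", "ids_alert"}

T0 = datetime(2013, 10, 2, 8, 0, 0)


def _ev(offset_s, source, src_ip, kind):
    return Event(T0 + timedelta(seconds=offset_s), source, src_ip, kind)


# Constructed sample input; addresses and timings are made up for the demo.
RAW_EVENTS = [
    # 10.0.0.5: five failed domain logins, a firewall deny, then a success
    *[_ev(10 * i, "windows_domain", "10.0.0.5", "login_fail") for i in range(5)],
    _ev(5, "firewall", "10.0.0.5", "fw_deny"),
    _ev(50, "windows_domain", "10.0.0.5", "login_ok"),
    # 10.0.0.9: three VPN failures, no success
    _ev(0, "vpn", "10.0.0.9", "login_fail"),
    _ev(15, "vpn", "10.0.0.9", "login_fail"),
    _ev(30, "vpn", "10.0.0.9", "login_fail"),
    # 10.0.0.12: a single typo then success, normal user behaviour
    _ev(0, "windows_domain", "10.0.0.12", "login_fail"),
    _ev(5, "windows_domain", "10.0.0.12", "login_ok"),
    # 10.0.0.20: two firewall denies far apart, not related
    _ev(0, "firewall", "10.0.0.20", "fw_deny"),
    _ev(500, "firewall", "10.0.0.20", "fw_deny"),
    # 10.0.0.30: IDS signature hit backed by a firewall deny
    _ev(0, "ids", "10.0.0.30", "ids_alert"),
    _ev(3, "firewall", "10.0.0.30", "fw_deny"),
    # operational noise that never reaches the analyst
    _ev(1, "switch", "10.0.0.2", "heartbeat"),
    _ev(2, "dhcp", "10.0.0.40", "dhcp_lease"),
    _ev(3, "switch", "10.0.0.2", "heartbeat"),
    _ev(4, "dhcp", "10.0.0.41", "dhcp_lease"),
    _ev(6, "webserver", "10.0.0.50", "info"),
    _ev(7, "webserver", "10.0.0.51", "info"),
]


def filter_events(events):
    """Stage 1: keep only security-relevant event kinds."""
    return [e for e in events if e.kind in SECURITY_KINDS]


def correlate(events, window=timedelta(seconds=60)):
    """Stage 2: group events by source address into time clusters.

    Consecutive events from the same address closer than `window` join one
    cluster; a cluster with two or more events counts as one correlated event.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    clusters = []
    for ip_events in by_ip.values():
        ip_events.sort(key=lambda e: e.ts)
        current = [ip_events[0]]
        for e in ip_events[1:]:
            if e.ts - current[-1].ts <= window:
                current.append(e)
            else:
                clusters.append(current)
                current = [e]
        clusters.append(current)
    return [c for c in clusters if len(c) >= 2]


def raise_alarms(clusters, fail_threshold=3):
    """Stage 3: a cluster becomes an alarm on a login-failure burst or an IDS hit."""
    alarms = []
    for c in clusters:
        fails = sum(1 for e in c if e.kind == "login_fail")
        if fails >= fail_threshold or any(e.kind == "ids_alert" for e in c):
            alarms.append(c)
    return alarms


def escalate_critical(alarms, fail_threshold=3):
    """Stage 4: critical when a success follows the failure burst from the same address."""
    critical = []
    for c in alarms:
        fails_before_ok = 0
        for e in c:  # clusters are time-ordered
            if e.kind == "login_fail":
                fails_before_ok += 1
            elif e.kind == "login_ok" and fails_before_ok >= fail_threshold:
                critical.append(c)
                break
    return critical


def run_funnel(events):
    """Run all four stages and return the count surviving at each level."""
    filtered = filter_events(events)
    clusters = correlate(filtered)
    alarms = raise_alarms(clusters)
    critical = escalate_critical(alarms)
    return {"raw": len(events), "filtered": len(filtered),
            "correlated": len(clusters), "alarms": len(alarms),
            "critical": len(critical)}


if __name__ == "__main__":
    for level, n in run_funnel(RAW_EVENTS).items():
        print(f"{level:>10}: {n}")
```

On the constructed input the funnel goes 22 → 16 → 4 → 3 → 1: the noise is dropped, the two unrelated firewall denies never correlate, the single-typo user never alarms, and only the guessed-password sequence from 10.0.0.5 reaches the critical level. The stage 4 rule is where business context enters a real deployment: the same pattern against a payroll server and against a test box should not carry the same severity, which is the point the slide makes about weighting the response to business impact.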
AHPS for the Olympic Games, AHPS for You
Beijing 2008 environment
► 28 Sports
► 302 Sport Events
► 70 Venues
► 10,000 Athletes
► 20,000 Journalists
► 230,000 Accreditations
► 4,000 IT team members
► 40,000 IT components
► 10,000 PCs
► 1,000 Servers
► 1,000 Network devices
[Chart: Criticality over time, Pre-Games vs. Games]
Olympic Project Specifics
► Business
  ► Highly visible, highly critical
► Technology
  ► Real-time & near real-time applications
  ► Last minute massive infrastructure deployment
  ► Heterogeneous environment
► People
  ► Consortium of partners and suppliers
  ► High level of dependency on volunteers
Requirements
► Availability, integrity, confidentiality
► Ready on time, the deadline will not move
► Few seconds’ response time, no second chance
Future tendencies for ISRM
[Roadmap chart, 2013 to 2016: User Owned Device, Mobile Data Protection, Cyber Security, Security and Compliance in a Box (GRCaaS), Cloud Single Sign-On, Leverage DirX, Federated IAM, Next Gen AV, Atos Integrated Security, Cloud Encryption, Cyber Threat Center, GRCaaS, IDaaS, Atos High Performance Security]
Summary
▶ The information security threat landscape is changing at a rapid pace.
▶ Organizations must prepare themselves to withstand advanced targeted attacks aimed at the intellectual property of the company.
▶ Atos has a complete portfolio in the identity, security and risk management area, covering the whole value chain, from consulting to operations.
▶ Atos has committed resources to develop in the security area to enable us to provide state of the art services.
▶ Atos is one of the few providers being able to deliver services to its customers around the globe.
Dragutin Bošnjaković, Information Security Advisor, Atos IT Solutions and Services d.o.o., [email protected]
Thank you for your attention!
www.qa-center.net