Mobile, Big Data, Social Platforms, Cloud: la Sicurezza IT al centro della Terza Piattaforma

Fabio Rizzotto

Senior Research and Consulting Director, IDC Italia

Security Summit Milano 2015

2

55% delle aziende europee ha avviato

progetti di riorganizzazione IT negli ultimi

12 mesi.

50% delle aziende europee ha creato una

nuova struttura dedicata all’Innovazione.

Fonte: IDC's European IT Executive Survey, 2014 (n = 1,310)

%6According to ITPercent of Technology

Spending that is Shadow

Source: IDC Business Technology Study, May 2014 and IDC CIO Sentiment Study, January, 2014

According to Business:Percentage of technology spending that is shadow

%6 %6IAccording to IT:

Percentage of technology spending that is shadow

6

Shadow IT: What Your Clients Do Not Know Will Hurt Them

3

IT-enabled services

Transforming business processes

IT-enabled business processes

Automating business processes

IT-enabled products

Creating IT-enabled products

Dove va a finire l’Information Technology..

Degree of innovation

4

IT enabled business

processes

Digital &

IT enabled product & services

Terza PiattaformaTrasformazione guidata da…

5

Nel frattempo però...le aziende sono

esposte e gli attacchi aumentano

6

Sony Picture

Entertainment(The Interview, 40GB vs 100TB,

Guardian of Peace, North Korea?)

Infrastrutture

compromesse(Factoring Attack on Rsa-Export Keys

Vulnerability, Equation Group)

Social Arena(Snapchat/iCloud/Twitter,

beware what you share,

reputation ....)

Belgacom(Regin malware,

European Parliament,

GCHQ/NSA)

Lo scenario dei rischi emergenti

7

Governative

agency

Industrial espionage,

organized crime

Hacktivism

Common

People

Co

mp

lexit

y

of

att

acks

Frequency

of attacks

Influence-oriented

Resource-oriented

Frequency < 1/10

Frequency > 1/5

Not behind my firewall

8

Western European Organizations:

priorità di business

O R G AN I Z AT I O N A L R EST R U C T U R I N G O R M &A AC T I V I T I E S

EN ER G Y EF F I C I EN C Y / G R E E N / S U ST AI N A B I L I T Y

M U L T I C H A N N E L D EL I VE R Y ST R AT EG Y

M AR KET I N G EF F EC T I V EN E S S I M PR O V E M E N T

SU PPL Y C H AI N / P R O C U R E M E N T EF F I C I E N C Y

PR O D U C T O R SER VI C E I N N O VAT I O N

I T O R G AN I Z AT I O N C O N T R I BU T I O N T O BU SI N E S S G O AL S

C U ST O M ER C AR E EN H AN C E M EN T

R ED U C I N G O PER AT I O N A L C O ST S

SAL ES PER F O R M A N C E I M PR O V E M E N T

R EG U L AT O R Y C O M PL I A N C E

SEN SI T I V E D AT A PR O T EC T I O N

WESTERN EUROPE BUSINESS PRIORITIES

9

Could you rate the following business initiatives in terms of how much they are leading your company's business agenda for the

next 12 months? (1 = "not at all important" and 5 = "most important")?

Consumerization of IT and IT-ification of

Consumers

MobilityCloud Computing

ENTERPRISE CONSUMER/

EMPLOYEE BLENDED

Create Many Types of

Content on Many Devices

10

Cloud: una realtà già consolidata

L’80% delle aziende mondiali ritiene che trasformerà nei prossimi 5

anni almeno il 50% del proprio ambiente infrastrutturale e applicativo in

un modello “Cloud”

Secondo l’IDC European CloudTrack Survey, il 97% delle aziende

europee è coinvolto a vari livelli nel Cloud (dalla fase esplorativa fino a

adozione di modelli Public, Private o Ibrida)

Secondo recenti indagini IDC Italia, il 40% delle aziende italiane

utilizza già servizi Cloud

Circa il 40% delle aziende è interessata a fare “bundling” di soluzioni

Saas con altri servizi Cloud

Utilizzando Servizi Cloud, il 39% delle aziende ha incrementato il

fatturato grazie a una più rapida ed efficace creazione di prodotti e

servizi innovativi

11

..ma ci sono sfide legate alle Sicurezza

50% 55% 60% 65%

Localizzazione dei dati

Data privacy/gestionecompliance

Disponibilità dei servizi Cloud

Gestione identità e accesso

Perdita/sottrazione dei dati

12

Fonte: IDC's 2014 European Software Survey, n = 1,309

Principali sfide relative alla Sicurezza degli ambienti Cloud

IT Security Concerns in Italia:

Necessità di espandere le risorse

13

0.0% 10.0% 20.0% 30.0%

I N SU F F I C I E N Z A D EL BU D G ET D ED I C AT O AL L A S I C U R EZ Z A I T

M AN C AN Z A D I C O N F O R M I T À D E I D I PEN D E N T I AL L E PO L I C Y SU L L A S I C U R E Z Z A

M AN C AN Z A D I U N A ST R AT EG I A D EL L A S I C U R EZ Z A E D I PO L I C Y AD EG U AT E

PR ESS I O N E C R ESC EN T E D I AT T AC C H I SEM PR E P I Ù SO F I ST I C AT I

I N AD EG U AT EZ Z A E R API D A O BSO L E S C EN Z A D EL L E SO L U Z I O N I D I I T SEC U R I T Y

D I F F I C O L T À N EL G AR AN T I R E AL L A S I C U R EZ Z A U N SU PPO R T O 2 4 X 7

C AR EN Z A D I PER SO N A L E Q U AL I F I C AT O SU I T EM A D EL L A S I C U R EZ Z A I T

PR ESS I O N E C R ESC EN T E D EL R EG O L AT O R E PU BBL I C O

QUALI SONO LE PRINCIPALI CRITICITÀ DI SICUREZZA IT DELLA SUA AZIENDA?

(IDC Italy, 2015, n=110, Mid-large Enterprise)

IT Security: ancora pochi investimenti

in «next generation» solutions

14

0.0% 10.0% 20.0% 30.0% 40.0%

BUSI NESS CO NT INUITY & D I SASTER RECO VERY

ST RUMENTI D I S I CUREZZA T RADIZ IONALE

SERVI Z I D I S I CUREZZA I NT ELL IGENTE

SERVI Z I D I S I CUREZZA G EST IT I

PRIORITÀ DI INVESTIMENTO NEL 2016

(IDC Italy, 2015, n=110, Mid-large Enterprise)

Cloud Mobile Social NetworksBig Data (Threat

Intelligence)

Early detection & mitigation of targeted, unknown attacks.

Granular logging and policy enforcement of internal and external regulations.

Predictive Privileged Access

Management,

Federated Identity,

Multi-factor

Authentication,

Data Protection, &

Vulnerability

Assessment

Strong

Authentication,

Data Protection,

Web/Messaging

SaaS, & SSO

Data Loss

prevention with

data protection,

global regulatory

policy monitoring,

& real-time policy

enforcement &

education

Raw & analyzed

threat feeds from

multiple sources

integrated with

management

consoles

Proactive VPN, Single Sign-

On, Encryption, &

Strong Passwords

Mobile Device

Management

Keyword-based

monitoring &

logging

Network

monitoring and

SIEM

Reactive Access control Device Password Acceptable Use

Policy

Signature-based

detection

Securing IT’s Four Pillars

15

16

The rise of Security Market

Managed

Business Innovation

Effective partnership between business and IT around 3rd Platform implementations allows organization to outpace competitors through the use of 3rd Platform

Opportunistic

2nd Platform IT

Uncoordinated efforts between business and IT around 3rd Platform implementations; limited progress toward 3rd Platform adoption

Ad Hoc

Core IT

No effort between business and IT to coordinate or incorporate 3rd Platform technology

Repeatable

3rd Platform IT

Coordinated efforts between business and IT around 3rd Platform implementation allow organization to keep pace with peers in 3rd Platform adoption

Optimized

Business Transformation

Highly orchestrated interaction between business and IT around 3rd Platform implementations, enabling a world-class organization with lasting competitive advantage driven by 3rd Platform transformation and an organization that has embraced it.

15%

BusinessInnovation

6%Core IT

4%Business

Transformation

Quale è il vostro stadio di IT Transformation?

17

67% of organizations are operating at a2nd Platform IT or 3rd Platform IT transformational stage

40%

2nd PlatformIT

27%

3rd PlatformIT

n = 156 Source: IDC's Enterprise IT Transformation MaturityScape Benchmark Study, August, 2014

Traditional

Security

approach

Next Generation

Security approach

Il mondo corre veloce...verso nuovi (eco)sistemi

Fantasia o realtà?

Disegno un nuovo prodotto grazie a

processi di engagement su canali social,

costruisco strategie di marketing e vendita

con la correlazione di dati da fonte diverse,

realizzo il prodotto con stampanti 3D,

consegno tramite droni, consento mobile

payment, faccio formazione e assistenza

tramite realtà aumentata..18

…e l’evoluzione sarà sempre più rapida

19

Realizzare oggetti fisici partendo da progetti

digitali

Connettere in modo più

semplice e potente le

persone e la 3rd Platform

attraverso voce, immagini,

movimenti touch e altro

Iper connessione di auto,

palazzi, case, attrezzature

industriali, wearables

strumentazione medica

Sistemi che osservano, imparano, analizzano, offrono suggerimenti e

creano nuove idee

Trasformare la conoscenza

del mondo digitale in azioni

nel mondo fisico attraverso

robots, self-driving car,

droni, nanobot

Una nuova generazione

di tecnologie e

soluzioni di sicurezza,

disegnate per tenere il

passo con l'espansione

della 3rd Platform

Next Generation Security: Accelerates

or Obstructs Innovation?

• IoT-based robotics & drones

connected to cloud, mobile,

and social

• Natural Interfaces driven by

biometrics in mobile

• 3D Printing compliance

controlled from the cloud

• Cognitive systems and

analytics bolster predictive

analysis & threat intelligence20

Perché abbiamo bisogno di una nuova

sicurezza IT

21

• 3rd Platform focus on

User Experience (UX) vs.

cost vs. shared risk

across multiple platforms

• 2nd Platform focused on

risk and cost across PCs

and servers

• 1st Platform focused on

risk-based access on

centralized servers and

terminals

Security is Always an Elastic

Compromise

22

Mobile

3rdPlatform Security Dynamics:

Cloud and Mobile

3rdPlatform Dynamics: Cost Savings Outweighing Risk

3rd Platform Dynamics: User

Experience (UX) Trumps Cost, but

Risk is a Sharply Rising Concern

23

Risk

UX

Cost

IoT

24

Risk

UXCost

3rd Platform Dynamics: User Experience is Paramount, but Awareness of Risk is Growing.

3rd Platform Dynamics: Risk is Critical and Defined by Safety of Personnel and Reliability of Operations.

Social

Risk

UX

Cost

3rdPlatform Security Dynamics:

Social and IoT

25

IDC FutureScape

Perspective on Security

IDC’s CIO AgendaTop 10 Decision Imperatives on IT Security

OR

GA

NIZ

ATI

ON

AL

IMP

AC

T

TIME (MONTHS) TO MAINSTREAMNote: The size of the bubble indicates

complexity/cost to address. Source: IDC, 2014

A s

ingl

e d

epar

tmen

to

r a

bu

sin

ess

un

it

Mu

ltip

le

dep

artm

ents

o

r b

usi

nes

s u

nit

sC

om

pan

ywid

e

0-12 12-24 24+

6

7

4

10

Legend:

1. Risk-based budgeting

2. Biometric ID

3. Threat Intelligence

4. Data Encryption

5. Security SaaS

6. User Management

7. Hardening Endpoints

8. Security as a feature

9. Software Security

10. Executive Visibility

3

5

1

9

8

2

26

Chi è responsabile della sicurezza IT?

Dipartimento IT generale ≈ 60%

Gruppo Sicurezza ≈ 30%

Serviziogestito≈ 10%

Competenze sempre più sofisticate

27

New Skills

Advanced Skills

Basic Skills

• Malware analysis

• Data mining & analysis

• Machine learning

• Project mgmt

• Security Standard Implementation

• Hacking Practices

• Network Administration

• Scripting/ programming

• Software Vulnerabilities

Data Privacy, Compliance, Regulations

28

New (draft) regulations, cornerstones

In attesa della nuova

EU Data Protection Regulation

Sanctions

Right to erasure

Data Protection Officer

Profiling

Explicit consent

Data transfers to non-EU countries

Have CISO's Been Invited to the

(Board) Table?

Frequency of interactions with

their respective boards of

directors

IDC found that 42% of

CISOs were reporting to

their company's board of

directors on a quarterly

basis

On the other hand, there

are still 12% of

organizations in which the

CISO has never

addressed its board

How the frequency level has

changed over past years

62% of security

executives surveyed

believe that the frequency

of communications has

increased and the impact

has been positive

11% of CISOs responded

that the impact was

positive though the

frequency did not change

29Source: IDC's State of the "C" in CISO Survey, 2015

Incident notification and disclosure:

CISO vs Board

Have you ever had to notify senior

management of a breach?

30

Have you ever disagreed with senior

management about the need to

disclose a breach?

Yes

78%

NO

22%

Source: IDC's State of the "C" in CISO Survey, 2015

Yes

45%

NO

55%

Conclusioni

Web / Internet: da nuova frontiera a strumento di controllo

L’industria e l’ecosistema del cybercrime sono più sofisticati,

potenti e collaborativi della maggior parte di imprese e istituzioni

Regulations necessarie, ma non sufficienti

Aumentare il livello di attenzione nelle organizzazioni (verso l’alto

e orizzontalmente) con adeguata preparazione ma senza rigidità

Predictive Security è necessaria, il Cloud può dare una mano

Approcciare la Sicurezza nei futuri scenari economici richiederà

bilanciamento tra molteplici fattori (improving user experience,

reducing risk, lowering costs, etc..)

31

© IDC Visit us at IDC.com and follow us on Twitter: @IDC 32

Fabio Rizzotto

Senior Research and

Consulting Director

IDC Italia

frizzotto@idc.com