Your SlideShare is downloading. ×
  • Like

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Putting security silos out to pasture: Best practices learned from Citi's IT security operations

  • 242 views
Published

Enterprise network environments continue to increase in complexity with growing security policies across more devices, managed across multiple organizational silos. A siloed approach to managing …

Enterprise network environments continue to increase in complexity with growing security policies across more devices, managed across multiple organizational silos. A siloed approach to managing security leads to limited visibility, inconsistent processes and human error - reducing an organization’s ability to quickly adapt to changing business requirements and opening the door to increased risk.

In a recent AlgoSec survey, more than half of mid-to-large organizations reported that network security complexity ultimately led to a system outage, a security breach or both. Security management traditionally has been managed across different silos such as information security, network operations, and audit teams. In large organizations running hundreds if not thousands of business applications, and applications being introduced to the network, updated or decommissioned on a weekly basis, the DevOps team is yet another silo.

Each of these silos is often overburdened and can fall into the trap of “putting the blinders on”. With each silo focused on their specific responsibility, the organization ends up with fractured visibility and no true owner of the complete security management process. What is the impact of making a security policy change? Does it introduce new risk? How long does this process take? What’s the impact to a critical business application such as a trading platform and vice-versa?

To ensure the highest level of security without slowing down business, organizations must be able to quickly translate business requirements into technical requirements and then implement and verify these changes. This requires automation and a comprehensive business process that is enforced in a uniform way across these multiple silos.

This session will examine new research findings on the impact of network security complexity, tips to improve security management and will share a real-life use case from CitiGroup, detailing how this enterprise shifted from a siloed security approach to a unified, end-to-end process and the return on its investment.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
242
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
5
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Putting Security Silos out to Pasture:Best Practices Learned from Citi’s IT SecurityOperations
  • 2. 2“Complexityis the worstenemy ofsecurity”- Bruce SchneierNavigating the Network Security Maze
  • 3. What’s in the Network?0.00%10.00%20.00%30.00%40.00%50.00%60.00%70.00%80.00%90.00%Source: Dangers of Complexity in Network Security, October 20123
  • 4. 55%of Midsize &Enterprise firmssaid complexpolicies causeda known breach,outage or both4Complexity Leads to RiskCaused asecurityincident16.5%Caused botha securityincident anda systemoutage9.7%Caused asystemoutage29.1%Had noknown impacton security orsystemavailability44.7%Impact of Complex or ConflictingSecurity Policies, Midsize and EnterpriseSource: Dangers of Complexity in Network Security, October 2012
  • 5. Siloed Security Management Just Makes it Worse!5• Reduced Business Agility• Time-Consuming Audits• Poor Change Control• Inability to Meet SLAs• Increased NetworkSecurity ManagementCostsInefficient & poor security policy managementSLOWS DOWN BUSINESS & IMPACTS YOUR BOTTOM LINE!
  • 6. The AlgoSec Security Management Suite6
  • 7. Best Practicesto Align IT & theBusiness throughSecurity PolicyManagement
  • 8. 8• General• Global Operations and Engineering• Global Information Security Standards (policy and technical)• 24 x 7 x 365 Security and Networks Operations Centres• Environment• 1.2MM end points• Large, global network• 30 enterprise Internet facilities• 1000 firewall end points not including management / IPS / Proxy• 800 firewall changes (i.e. simple modification or the addition ofhundreds of rules) on average per monthAn Introduction
  • 9. 9• Background on the environment Pre-2004• Regional Security Operations control of external connectivity• No common criteria for establishing data access and connectionsecurity controls – shared good practices• Inconsistent application of solutions to the same requests• No easily viewable auditing and logging capabilities for the process• No real-time aggregated view of the “Relationships” and“Connections” with various 3rd Parties• No consistent process to determine status of the connection requestComplex, Segmented Environment
  • 10. 10• Development of CCR• Centralized relationship between business requirements, contractualobligations and technical configurations• Implemented to improve the end-to-end accountability of connections and tominimize risk to data, operations and the brand• All global Firewall and IP registration requests are analyzed by contractualand risk obligations as well as technical requirements• Continuous Enhancements of CCR• Significant investment in NEW additional processes and development• Finding owners and workflow• Time to Market for requests was significantly slower• Technical knowledge required in CCR (business and technical data)• Rule base bloatThe Next Step…
  • 11. 11• What did Citi look for in a solution and process?• Customer-centric experience – workflow/updates/time to market• Automate decision making in rules and risks• Reporting• Integration with existing Citi systems (change management)• Overall performance of system compared to current tools• What other key ingredients were involved?• Senior sponsorship of a re-engineering program• Metrics, metrics, metrics• Process re-engineering• Customer experience / business backingHow Citi Manages these Obstacles
  • 12. 12• Comprehensive Market Evaluation of External Productsin the Security Policy Management Space• Buy v Build Discussion• Multi-firewall platforms, extending to ACLs, Proxy, etc.• Existing tool would not scale and was very simplistic• Stakeholders• Communication and Clear goals defined and aligned to POC• Tailored to the audience• Obtained Business buy-in – significant impact on themStrategic Internal Discussions
  • 13. Copyright (c) 2007, Principle Logic, LLC - All Rights Reserved 13The Decision: AlgoSec13• Why AlgoSec?• Automated change management workflow with Fireflow and theActive Change capability – end-to-end firewall rule history• Very user-friendly and a good customer experience – both fromtechnical and business personnel• Multiple platform vendor support with commitment on roadmap• AlgoSec’s commitment to work with Citi – over 150 “asks” to date• Ease of integration with Citi systems
  • 14. 14• Process Re-engineering• Measurable process metrics feed into overall program• Do not shoe-horn a product into something that is flawed• Business backing into improvements / metrics• System and Application Integration• CCR development initially not considered the end-to-end view• The process highlights the systems integration required• Customer Centricity• The “business”, CCR team, Firewall Operations team, Audit andCompliance, Network Engineering all use the solution differently• Reporting – general reporting and customer-centric• AutomationLessons Learned & Considerations
  • 15. Summary
  • 16. • Firewall Policy Management for Dummieshttp://bit.ly/JOLT9r• Firewall Management ROI Calculatorhttp://www.algosec.com/roi• Evaluate the AlgoSec Security Management SuiteAlgoSec.com/evalVisit AlgoSec at Stand D51Q&A and Additional Resources16
  • 17. Security Management. Made Smarter.www.AlgoSec.comConnect with AlgoSec on: