Why physical security just isn’t enough, Sending the heavies into virtualized environments
Alan Jenkins
CSO UK, T-Systems / Deutsche Telekom

Published in: Technology

Slide notes
  • How do you measure it? What metrics/KPIs do you use? What about KRIs and/or forecasting mechanisms?
  • Transcript

    • 1. Alan Jenkins, Chief Security Officer, T-Systems Limited (a Deutsche Telekom company)
    • 2. We are a Systems Integrator & Outsource Provider: Data Privacy, Risk & Compliance. Other clients include: BP, EADS, E.On, TUI ….
    • 3. Why physical security just isn’t enough: sending the ‘heavies’ into virtualised environments ….. whilst not neglecting the security basics. And accepting that there is always risk! Discussion & interaction welcome! NB Views expressed are not necessarily representative of either DTAG or T-Systems International GmbH.
    • 4. What does ‘Security’ mean to you and the business that you represent ? Wrong !
    • 5. Security Landscape, courtesy of ISF
    • 6. What is Security’s value to your business? The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. NB Not silo’ed!
      [Diagram: Stages in Managing Expectations. Stages, from lowest to highest: Reactive, Responsive, Anticipatory, Shaping, Co-Shaping. Individual expectations at each stage: Internally oriented, Hassle-free, User-friendly, Engaging & exciting, Co-shaping individual experiences.]
    • 7. NB The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. No silos allowed!
      • Apply lessons and (security aspects of) design from physical to virtual environments
        • Consider both logical and physical separation for boundaries
        • Beware of cross-domain boundary dataflows
        • Give more thought to protecting the data as opposed to the infrastructure
        • Consider enhancing Software Development Lifecycle (SDLC) efforts
        • “It’s the Application Layer that matters, damn it!”
        • Test, test and test again!
        • Don’t neglect dynamic reuse, decommissioning & disposal
      • What are your Measures of Effectiveness?
      • Have you linked your Security KPIs to those of your business?
        • NB Assumes you have KPIs …..!
      • What about Key Risk Indicators (KRIs)?
        • Look forwards as much as backwards
        • Benchmark with other forecasts, e.g. Information Security Forum: download the ISF’s Threat Horizon 2013 Executive Summary
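The two separation points on slide 7 (consider both logical and physical separation for boundaries; beware of cross-domain boundary dataflows) translate into checks you can actually run against a virtualised estate. The Python below is an added example, not code from the deck or from T-Systems: it takes a VM inventory tagged with security zone and hypervisor host, a colocation policy and a cross-zone flow policy, and reports VMs that share a host in breach of the physical-separation rule and observed flows that cross a zone boundary the logical-separation rule does not allow. The zone names, policies, inventory and flow records are all constructed for illustration.

```python
"""Added example (not from the slides): boundary checks for a virtualised
estate, covering both physical separation (which zones may share a
hypervisor) and logical separation (which cross-zone dataflows are allowed).

Everything here is constructed for illustration: the zone names, the
inventory, the policies and the observed flows are assumptions, not data
from the deck or from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    zone: str   # security zone / domain, e.g. "dmz", "app", "db", "mgmt"
    host: str   # hypervisor the VM currently runs on


# Physical separation policy (assumed): which zones may share a hypervisor.
# A pair of VMs whose zone pair is not listed here must not be colocated.
# frozenset({"dmz"}) means two "dmz" VMs may share a host.
COLOCATION_ALLOWED = {
    frozenset({"dmz"}),
    frozenset({"app"}),
    frozenset({"db"}),
    frozenset({"app", "mgmt"}),
}

# Logical separation policy (assumed): permitted cross-zone flows,
# source zone -> set of destination zones. Anything else is a violation.
FLOWS_ALLOWED = {
    "dmz": {"app"},
    "app": {"db"},
    "mgmt": {"dmz", "app", "db"},
}


def colocation_violations(vms):
    """Return (vm_a, vm_b) name pairs that share a host in breach of policy."""
    by_host = defaultdict(list)
    for vm in vms:
        by_host[vm.host].append(vm)
    violations = []
    for host_vms in by_host.values():
        for i, a in enumerate(host_vms):
            for b in host_vms[i + 1:]:
                if frozenset({a.zone, b.zone}) not in COLOCATION_ALLOWED:
                    violations.append((a.name, b.name))
    return violations


def flow_violations(vms, flows):
    """Return observed cross-zone flows that the policy does not permit.

    Each result is (src_vm, dst_vm, src_zone, dst_zone). Traffic inside a
    single zone is not a cross-domain flow and is ignored here.
    """
    zone_of = {vm.name: vm.zone for vm in vms}
    violations = []
    for src, dst in flows:
        src_zone, dst_zone = zone_of[src], zone_of[dst]
        if src_zone == dst_zone:
            continue
        if dst_zone not in FLOWS_ALLOWED.get(src_zone, set()):
            violations.append((src, dst, src_zone, dst_zone))
    return violations


# Constructed sample inventory and flow records (the kind of data you would
# pull from the hypervisor manager and from vSwitch flow logs).
SAMPLE_VMS = [
    VM("web1", "dmz", "hv01"),
    VM("web2", "dmz", "hv01"),
    VM("app1", "app", "hv02"),
    VM("db1", "db", "hv02"),      # db tier sharing a host with the app tier
    VM("jump1", "mgmt", "hv02"),  # mgmt may share with app, but not with db
]
SAMPLE_FLOWS = [
    ("web1", "app1"),   # dmz -> app: permitted
    ("app1", "db1"),    # app -> db: permitted
    ("web2", "db1"),    # dmz -> db: skips the app tier, not permitted
    ("db1", "app1"),    # db -> app: no outbound policy for db, not permitted
    ("jump1", "db1"),   # mgmt -> db: permitted
]


if __name__ == "__main__":
    for a, b in colocation_violations(SAMPLE_VMS):
        print(f"colocation breach: {a} and {b} share a hypervisor")
    for src, dst, sz, dz in flow_violations(SAMPLE_VMS, SAMPLE_FLOWS):
        print(f"cross-domain flow breach: {src} ({sz}) -> {dst} ({dz})")
```

Run against the sample data, the colocation check flags app1/db1 and db1/jump1 on hv02, and the flow check flags the dmz-to-db and db-to-app flows; the intra-zone and policy-permitted flows pass. Feeding it a live inventory export and flow log rather than the constructed lists is the practical step the slide is asking for.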
    • 8. Let’s not pretend that the Old World was perfect!
      • The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has advantages too:
        • Scalability
        • Resilience
        • Cost-effectiveness
        • Support model is arguably less complex
          • Depends upon technological mix!
        • Fewer staff, more automation, leads to improved Quality-of-Service
        • Dynamic asset, license and configuration management should incur lower maintenance effort - and therefore cost - as a result of higher automation
      • Consider knowledge management as opposed to data/information management
        • What is business value of data? Meta-data adds context …..
        • Is it static, time-dependent and/or actionable?
        • What is asset value of information to business? Value-at-risk on balance sheet?
    • 9. Risk Management cycle: industry best practice
    • 10. Virtualisation (on premise or in Cloud) and outsourcing - caveat emptor!
      • Consider value to business of data and associated processes
        • What does the cost-benefit case mean to your business?
        • Conduct business impact assessments to inform criticality discussions
      • Due diligence is essential (reciprocal)
        • Don’t rely solely on a generic questionnaire
        • Adopt a security framework, e.g. the Common Assurance Maturity Model (CAMM): http://common-assurance.com/resources/Common-Assurance-Maturity-Model-vision.pdf
        • ‘Kick the tyres’, i.e. exercise your contractual right to conduct audits
        • Don’t neglect your Supply Chain
      • Take note of certifications but don’t rely on them
        • So, your Supplier has an ISO27001 certificate …..
        • What is the scope of applicability?
        • How much business does the 3rd party auditor have with the supplier?
      • Regulatory compliance = security (a topic in its own right!)
    • 11. Security controls in the virtualised world
      • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v1.2 (August 2011)
        • Specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
        • CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA guidance in 13 domains.
        • It has a customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers.
        • CSA CCM provides organizations with the necessary structure, detail and clarity relating to information security tailored to the cloud industry.
        • Strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
    • 12. [Screenshot: Cloud Security Alliance Cloud Controls Matrix (CCM) v1.2 (August 2011)]
    • 13. Summary
      • Remember the Security Basics
        • Physical, People, Process & Technology in harmony
      • The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has advantages too:
        • Scalability
        • Resilience
        • Cost-effectiveness
      • Apply lessons and (security aspects of) design from physical to virtual environments
      • Establish your Measures of Effectiveness & associated KPIs and KRIs
      • Consider knowledge management as opposed to data/information management
        • What is business value of data?
        • Value-at-risk on balance sheet?
      • Align with an industry standard such as CAMM or CSA CCM
      • Regulatory compliance = security (a topic for the next CIO Event!)
      NB The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. No silos allowed!
      NB Views expressed are not necessarily representative of either DTAG or T-Systems International GmbH.
    • 14. Thank you. Q&A
