If you think that data breaches only happen to the big guys, think again. Risk is everywhere, accountability is uncertain, and liability is not well defined. Worse yet, every breach can be attributed to one single commonality (and it’s not what you might think). Learn the keys to protecting your organization’s financial, payroll, ERP and other sensitive data with these best practices.

1. ERP in the Time of Breaches
Protect Yourself with the Right
Governance, Risk and Compliance

2. • The Role of Information
Security
• IT Security Conundrums
• Best Practices for Security
• How Providers can Alleviate
Concerns
• Q&A

3. Today’s Presenter
Greg Pierce
• Chief Cloud Officer, Concerto Cloud
Services
• Pioneer in Enterprise Cloud Computing
• Veteran business leader and entrepreneur
with over 20 years experience
• Helps businesses transform through the use
of disruptive technologies

4. The Role of Information Security

5. Goal of Information Security
Administrative, Technical and
Physical Controls work
together to ensure the
confidentiality, integrity
and availability (CIA) of
critical systems and
confidential information

6. Information
Security is a goal
- we must
continually strive for
it with no guarantee
of achievement.
IT Security Conundrum One

7. Regulatory
compliance
and/or
certification
ONLY serves as a
guideline.
IT Security Conundrum Two

8. IT Security Conundrum
Three
Spending
more (without
other security
processes) can
deliver a false
sense of security.
IT Security Conundrum Three

9. IT Security Conundrum Four
YOU are the
target -
regardless of
your industry
vertical or
company size.

10. IT Security Conundrum Five
It is easy to
drive the
wrong behavior
from your
users.
Education is key
and policies
can’t be too
restrictive.

11. Information Security Domains
1. Access Control
2. Application Security
3. Business Continuity and Disaster Recovery
Planning
4. Cryptography
5. Information Security and Risk Management
6. Legal, Regulations, Compliance and
Investigations
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security

12. Security – A Year In Review

13. Security Has Everyone’s Attention
APR SEPTMAY JUN JUL AUG OCT NOV DEC JAN FEB MAR APR SEPTMAY JUN JUL AUG
$70MM Records
Stolen
$40MM Credit & Debit
Nov 15 – Dec 15, 2013$56MM Credit &
Debit
Apr - Sept, 2013
$76MM of $83MM
Accounts Stolen
July14 – Sept 2014
2013 2014
$9000
Credit & Debit

14. The Target Breach – How did they do it?
• Compromised HVAC contractor likely via a phishing email
– Used free version of anti-malware that lacked real-time protection
– Malware stole credentials to Target supplier portal
• Portal
– Not properly segmented on the network from other critical systems
– Lacked two-factor authentication
– Supplier/Vendor info was public, so attackers used this info for social
engineering attack (HVAC contractor)
– Supplier/Vendor ecosystem lacked security awareness training( best
practice, etc…)
• Took advantage of Monitoring system’s default username and password
– Installed “RAM Scrapping” Malware on POS System
– Disguised communications as legitimate monitoring traffic
– Exfiltration of data was sent to an FTP server in Russia of the course of two
days

15. Target Breach - By the numbers
• 70 million – # of records stolen
• 40 million - # of Credit/Debit
cards stolen
• 100 million - $ they will spend
upgrading payment terminals
• 46% - percentage drop in profits
at Target in the fourth quarter of
2013, compared with the year
before
• 53.7 million - The income that
hackers likely generated from the
sale of 2 million cards stolen from
Target and sold at the mid-range
price of $26.85
• ZERO – Chief Information
Security Officer (CISO) or Chief
Security Officer (CSO) jobs at
Target

16. The Target Breach – Why they got away
“Target was certified as meeting the
standard for the payment card industry (PCI)
in September 2013. Nonetheless, we
suffered a data breach. As a result, we are
conducting an end-to-end review of our
people, processes and technology to
understand our opportunities to improve
data security”
Gregg Steinhafel, CEO

17. The Target Breach – Why they got away
• Failure or lack of established process and procedure
– Security systems rapidly detected the security event but
there was no response by IT
• Weakness in the architecture of the Supplier portal
– Insufficient oversight during the planning and implement
phase allowed logical connectivity to sensitive systems
and data– Architectural review board?
– Infrequent assessment against systems to understand
their impact on Information Security?
• Lack of security awareness training

18. Users are the Common Link
• Trojans – software
downloads - Kaaza
• Viruses – Emails
• Zombies or Botnets
• Phishing (Identity Theft)
• Spywaresource
http://www.pcworld.com/article/2010527/f
orrester-report-finds-most-data-breaches-
are-caused-by-employees.html
“Application users are
most often the
determining factor in
whether or not a
security breach occurs”

19. What can we learn?
A breach can
happen to any
company of
any size and
any industry –
learning from
others is
critical.

20. Best Practices to Secure Your
ERP Solution and Organization

21. Best Practice One: Holistic Planning
Security is a Holistic Program
– Process (not a project)
 Never 100%
– Risk Management
 Improve Security Posture
– Changing Security Landscape
 Threats (motives)
 Countermeasures

22. Best Practice Two: Building Awareness
• Security awareness is the knowledge, skill and attitude an individual possesses
regarding the protection of information assets.
• Being Security Aware means you understand
that there is the potential for some people to
deliberately or accidentally steal, damage,
or misuse your account, computer or the
data stored on your computer.
• Awareness of the risks and available
safeguards is the first line of defense
for the security of information,
systems and networks.
“Application users are
most often the determining
factor in whether or not a
security breach occurs”
– source
http://www.pcworld.com/article/2010527/forrester-
report-finds-most-data-breaches-are-caused-by-
employees.html

23. Security Awareness Includes
• Information about how to
 Protect
 Detect
 React
• Knowledge, Skill and Attitude
 The What
 The How
 The Why
• Culture Change

24. Best Practice Three: Encryption
Data in Use, Data in Motion, and Data at
Rest - Ensure encryption for ALL classes of data

25. Best Practice Four: Layered Structure
A High Level Summary of Security Layers include:
• Centralized and automated anti-malware and OS patching
• Identity management
• True network segmentation and isolation from ingress to egress at layer 2
and 3
• Data in-motion encryption by default
• Multiple firewall segments operating at layer 1-7 of the OSI stack
• State-of-the-art IDPS solution monitored and managed 24x7 by a dedicated
security operations center (SOC)
• Reverse Proxy services
• “Other” confidential and proprietary security mechanisms and practices
• Intelligent, multi-point syslog solution

26. Best Practice Five: Triangulate

27. Process, Process, Process

28. Best Practice Six: Compliance Blueprint
FIPS

29. How Providers Can Alleviate
Concerns

30. The Market Has Gone to the Clouds
• 45% of companies
plan to move ERP
to the cloud in the
next 5 years
• Other studies state
that market is
moving even faster
than predicted here

31. The Cloud Changes Everything
…Except
Security
Ensure hosting/cloud solution
is subject to IT audit with your
IT security team.
Is your hosting/cloud solution subject to
internal IT audit with your IT security team?

32. Not All Clouds Are Equal
• ISC2 and CSA have partnered to offer a new
Cloud Security Certification
– SecurityWeek: ISC and CSA Partner for
Certification offering
• Amazon S3 Poor Configuration Puts Sensitive
Data at Risk
– SecurityWeek: Amazon Puts S3 Data At Risk
• Web Application Attack Challenge Cloud and On-
Premise Infrastructures
– SecurityWeek: Web Application Attacks Increase
• Trust in the Cloud?
– SecurityWeek: Lieberman: IT Doesn't Trust the
Cloud

33. What’s So Troubling About Cloud Security?

34. How Cloud Providers Can Address Concerns
• Transparency/Control Over Datacenter/Data Locality/Security Audibility
• Verifiable End-to-end Encryption – Data in Transit
• Industry/Government Regulation Compliance
• Proven Tools and Control with Restricted Access
• Control Over Security/Encryption
• Dedicated Resources/Data Isolation
• Provide Proven References
• Industry Standards for Data Privacy and Security
• Explicit Contractual Responsibilities for Service Levels/Security
• Provider Certification Standards
• Region/Country Specific Datacenter Locations

35. Things to Remember
Ensure the security and
privacy of your Cloud
application with:
 The Right Cloud for the Right
Application
 Compliance
 IDS/IPS
 Protection for Data at Rest

36. • Simplicity for Complex Applications. Concerto was designed to
meet the toughest regulatory challenges and the most complex
demands – and has earned an industry leading customer
retention rate as a result.
• Comprehensive Channel Enablement Services. Innovative private
and hybrid cloud and business transformation services help
channel partners go to market quickly.
• Recognized Cloud Provider for Microsoft Applications. Concerto
Cloud is the go-to cloud provider for Microsoft applications and
is recognized as Microsoft’s ISV of the Year for Cloud Services.
The Cloud That’s Up to Your Challenge

37. Cloud Services Quick Facts

38. FOR MORE INFORMATION:
(844) 760-1842
www.concertocloud.com
info@concertocloud.com