At IBM we see change happening on a global scale. And we see an exciting transformation happening: organizations of all types are making bold investments in new technologies and new processes that make them more efficient, more agile and more competitive. On a global scale, we see our world literally becoming a Smarter Planet: a planet that is ubiquitously instrumented, interconnected and intelligent. Instrumented, in that sensors are being embedded everywhere, from cars to roads to pipelines. Interconnected, in that soon there will be 2 billion people on the Internet and 4 billion mobile subscribers, and we are seeing an explosion of machine-to-machine communications. Imagine a world with one trillion interconnected people and machines. That’s where our future lies. Intelligent, in that instrumentation and interconnection are causing a data explosion. Powerful new systems for analyzing and deriving insight from this data are providing the world with a new generation of intelligence: intelligence that not only enables us to run our businesses better, but also helps us save energy, improve crop yields and reduce the impact of natural disasters. “Smarter Planet” is not just a thought or idea from IBM; it is a vision for IBM and for our customers. It is about how we can work together to make the planet a better place to live, work and play.
This higher level of analytics, intelligence and interconnectedness enables new possibilities, creates new complexities, and begets new risks. Some of the risks that organizations worldwide and across sectors and verticals are likely to face in the near future include:
- Sensitive and large volumes of data: By one estimate, the volume of created content will quintuple in the next two years, to more than 2.5 zettabytes. (A zettabyte is a 1 followed by 21 zeros.) Smarter Planet domains require more information aggregation and sharing across organizations than is usually found in IT domains, challenging our ability to protect the information and comply with restrictions on data use.
- Sensors and actuators in the wild: The risks associated with the failure to protect and secure sensor event data are far higher than the risks usually associated with IT event data.
- Digital identities: Today we use several authenticators (fingerprint scanners, government IDs, employee IDs, bank cards, mobile phones, etc.) to perform multiple functions during a single day. Protecting this personally identifiable information (PII) is critical, and there is also the issue of the privacy implications of the identity trail.
- New cyber threat landscape: According to the FBI, cybercrime is now more widespread than narcotics; its techniques are evolving and its targeting is becoming more focused.
- Adoption of virtualization and cloud computing: The digital and physical infrastructures of our world are increasingly merging, infusing our power grids, banking systems, retail supply chains and city streets with intelligence. Are we now exposing them to the same risks as our Web sites? Also, with the growing dependence on smart (mobile) devices, organizations face a new breed of security threats that know no geographical boundaries.
- Compliance complexity: Depending on the industry, some organizations face multiple regulatory mandates regarding information security, privacy of non-public personal information, and post-data-breach notification. If your organization is like most others worldwide, it’s a struggle to keep pace with regulatory mandates, especially given budget and manpower constraints.
- Expectation of privacy: The average company’s computer infrastructure is attacked nearly 60,000 times every day. There have been 354 million reported data privacy breaches over the past five years in the US alone. Consumers expect vendors to take every measure possible to protect their personally identifiable information (PII) and privacy.
With new computing models like cloud, we have expanded the ways we can consume computing. And we now have the capability, with advanced software analytic tools, to extract value from data… to see the patterns, the correlations and the outliers. Sophisticated mathematical models are helping us begin to anticipate, forecast and even predict changes in our systems. Not to be overlooked is the growing importance of security and privacy that consumers now expect from companies they do business with.
Secure by Design is a cost-effective approach to constructing safe and reliable systems by applying IBM’s experience with security technologies and best practices in all phases of system creation, from conception through system design, construction and deployment. Being Secure by Design reduces the cost, risk, and unpredictability of integrating new technologies.
This slide shows the diversity of possible events that could have a negative impact on your organization. Typically, the public sector tends to think about the upper two quadrants while the private sector predominantly looks at the lower two. But the reality is that both sectors are potentially touched by any of the challenges listed here. Unfortunately, not all infrastructures can be protected from all threats. For example, it would be impossible to fence or guard an electricity transmission network or water delivery system. By applying risk management techniques, attention can be focused on the areas of greatest risk, taking into account the prevalence of the threat, the existence of vulnerability, the existing level of protective security, the effectiveness of available mitigation strategies for continuity and sustainability, and the potential impact.
There is no such thing as 100% security. There is no return without risk. Security involves trade-offs with cost, complexity, effectiveness and user experience (or agility). To make the right trade-offs, organizations need to align IT security with their business objectives, allocate risk across domains, and enforce the appropriate security level in each area in light of business opportunities, threats, and vulnerabilities. This is business-driven security: orchestrating and fine-tuning security policies across the enterprise to maximize business success. The Pareto principle, often referred to as "the 80-20 rule," applies to IT controls. The principle states that for many phenomena, 80 percent of the consequences stem from 20 percent of the causes. The IT Process Institute (ITPI) conducted studies of top performers over 3 years which indicate that IT audit and control related activities are not just a necessary cost but actually improve operating performance, and that a subset of foundational controls has the biggest impact on performance measures. With data on over 330 IT organizations, their analysis shows that a subset of the foundational controls analyzed predicts 60% of the performance variation in the companies studied. (Note: For details on the 2006 and 2007 studies, see comments below.)

Transition: Security leaders need a way to balance the pressures of managing cost, decreasing complexity, improving effectiveness and assuring agility. IBM can help.

ITPI: IT Process Institute studies (additional details, if needed)

2006: IT Controls Performance Benchmark. With the help of researchers from Carnegie Mellon University, Florida State University, and University of Oregon, ITPI analyzed the survey responses of 98 organizations and studied 63 COBIT controls and 25 performance measures.
Key findings of this groundbreaking research suggested:
- Best practices outlined in the ITIL and COBIT frameworks improve performance
- 21 Foundational Controls have the biggest impact on performance measures
- Organizations that use Foundational Controls have significantly higher performance
Organizations that use Foundational Controls have:
- 12% to 37% less unplanned work
- 12% to 26% higher change success rate
- 2.5 to 5.4 times higher server to system administrator ratio

2007: Updated IT Controls Performance Benchmark. We have repeated our groundbreaking study of the impact of IT controls on IT operating performance with funding from the Institute of Internal Auditors Research Foundation. Now, with data on over 330 IT organizations, our analysis shows that just 12 of the 53 controls analyzed predict 60% of the performance variation in the companies studied. We also conclude that process maturity is the key that unlocks the performance improvement potential of these key IT control processes.
As businesses try to deploy best practices, they find that there are often thousands of redundant controls to manage. So what are some of the foundational controls that are most important to the management of security in terms of getting a handle on environmental control? IBM has narrowed down the list to 7 security foundational controls (see definitions for these controls below) that are critical and provide the most return on your investment. This set of controls addresses risk at every layer of the enterprise: People and Identity; Data & Information; Application; and Network, Server & Endpoint. For example, by managing identities you can assure that the right people have access to the right assets at the right time and for the right reason. Of course, one of the most important priorities facing organizations today is the need to protect as well as to assure business-critical data, whether it is intellectual property or customer data, in transit or at rest, across the lifecycle. Safeguarding the privacy of client data is not just a good business practice anymore; in many cases, it’s the law. Mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS), among others, are prescriptive in terms of what is required of IT for security and risk control. As you glance at the controls listed on this slide, you will start to notice that they are interrelated to some degree. For example, there is a strong relationship between the controls that manage the integrity of sensitive data in databases and other information stores throughout the lifecycle and the controls for authentication and access to secure the data. Tied closely to these are controls for protecting the system infrastructure from new and emerging threats and for security information and event management.
In addition to the integration between the controls, also note the synergies between the key controls and best practices in IT service management, with processes related to change and configuration management, asset management, and problem and incident management. Beyond using key controls as a pragmatic approach to managing risk, I want to be sure to point out that these controls also support initiatives beyond security and help the business maintain its productivity, efficiency and reliability. An efficient set of controls not only provides a more rapid understanding of the business impact of IT events, but allows businesses to take out potentially millions of dollars worth of costs through simplification and automation of manual processes.

Foundational Controls Definitions
- Identity and Access Management: Process for assuring access to enterprise resources has been given to the right people, at the right time, for the right purpose
- Data and Information Protection: Capability that allows for granular, policy-based protection of structured and unstructured data
- Release Management: Process for assuring efficiency and integrity of the software development lifecycle
- Change & Configuration Management: Process for assuring routine, emergency and out-of-band changes are made efficiently, and in such a manner as to prevent operational outages
- Threat & Vulnerability Management: Process and capabilities designed to protect the enterprise infrastructure from new and emerging threats
- Problem & Incident Management: Automated workflow and Service Desk designed to assure incidents are escalated and addressed in a timely manner (with forensics teams ready to respond to an emergency)
- Security Information and Event Management: Automated log management to audit, monitor and report on security and compliance posture
Certain regulations and standards are considered “global”, as they are applied uniformly throughout the world. These would include: PCI, ISO 27001, ITIL, BITS, and BASEL II. Other regulations and standards are considered “international”, such as EUDPD and the SOX variants, because their requirements may vary between countries and regions, and because they may originate in a single country or region but have cross-border impact. The European Union Data Privacy Directive (EUDPD) is a mandate for the protection of the non-public personal information of all EU citizens. Member states are charged with creating country-specific regulations based upon the general mandate, which specify restrictions on the use of non-public personal information (NPI) within the country, its exchange between EU member states, and its transfer to countries outside the Union. France and Germany reportedly have the most stringent regulations, in some cases not allowing NPI to be shared outside their own borders. Other regulations, such as the United Kingdom Data Protection Act (UKDPA), allow NPI to be shared within the EU with the consent of the data owners. Sharing of certain types of NPI is allowed between the EU and the US under the US Safe Harbor provisions. Many of the other control sets cross over into IT Management (e.g., data backup/recovery processes, BCDR, post-breach notification requirements, physical facility security and education/awareness/training).
There are 5 unique security focus areas in the Framework that we speak about and that we have organized our solutions around, each with its own value proposition and financial payback:
- People and Identity: Mitigate the risks associated with user access to corporate resources
- Data and Information: Understand, deploy and properly test controls for access to and usage of sensitive business data
- Application and Process: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure
- Network, Server and End Point: Optimize service availability by mitigating risks to network components
- Physical Infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements
IBM Confidential (Note to presenter: The purpose of this slide is to highlight that IBM offers breadth and depth, unlike any other vendor, with our security portfolio. The intent is not to engage in a technical discussion at this point or try to cover all areas in detail.) IBM has a unique position in the market as an end-to-end security provider: we can address virtually any dimension of a secure infrastructure, and provide the services and consulting to help customers develop a strategic approach to their security challenges. Across our portfolio, we provide many capabilities that help customers solve a wide range of security problems completely and, in the process, cut costs, reduce complexity, and assure compliance. So depending on the types of security risks that are impacting your business, we can look more closely at how we can help address those issues. (Note: There are customer reference examples in the back-up section of this presentation, if you need to highlight how we’re helping customers like DTCC by helping them make their applications more secure.)
Notes to presenter: Point out 1 or 2 capabilities mentioned on this slide and tie it back to a customer example to convey how we help clients meet their business requirements. You can replace the reference to DTCC above with another customer reference. If there is interest in a certain domain (i.e., people and identity, application and process, etc.), use some of the backup slides that provide the next level of information on our offerings, including how we can help (1) assess the situation, (2) mitigate or decrease the risk and (3) monitor and manage the risk on an ongoing basis. In presentation mode, you can click on the icons displayed on the left hand side of the capabilities boxes to quickly navigate to the appropriate backup slide. Note to presenter: Keep in mind that customers often jump in at the wrong point, so they may not have completely addressed all security risks.
At times they buy something they don’t understand (aka shelfware); they implement a security solution but forget the need to monitor it on an ongoing basis or to invest in training and awareness for a more security-aware culture. What this means to you is that even if a customer already has a solution in place, it’s not the end of the story. They may still need services to optimize, or managed services to monitor. For example:
- Consolidate identity management with Tivoli Identity Manager
- Work with multiple identity repositories with Tivoli Federated Identity Manager
- Improve employee productivity with Tivoli Enterprise Single Sign On
- Protect data center media with STG tape encryption
- Protect data using zSeries encryption and Lotus Notes encryption
- Find and remediate application vulnerabilities with Rational AppScan
- Assure privacy compliance with Rational Policy Tester
- Locate and remediate malware with ISS IPS
- Manage incidents with ISS X-Force Emergency Response Services
We believe that no other company is in a better position to assess our clients’ security needs, provide solutions and ensure those solutions are successfully implemented. Why? Because:
- We have the skills: IBM has X-Force* to understand and remediate threats, and thousands of researchers, developers, consultants and subject matter experts on security initiatives
- We know how: we have consulted on, and implemented, thousands of security projects, so we have practical expertise in best practices, processes and ROI, and we care about our clients’ success
- We get the big picture: from security strategy and governance to security across mainframes, desktops, networks, pervasive computing and more
- We know our customers’ industries: IBM has industry expertise and tailors security solutions to industry vertical challenges; IBM consults on and helps secure business processes
- We live it: we manage security and privacy for our 400,000 employees worldwide, and our services teams manage more than 7 billion security “events” every day for clients
- We can prove it: IBM has been providing IT security for 30+ years. We have over 200 security references and more than 50 published case studies
- We have an ecosystem: IBM has a large business partner community that complements and implements our solutions
- We can help you choose: IBM Security Services assessors can provide a list of IBM and non-IBM products to assist clients in creating the best solution for their environment
Transcript of "Security solutions for a smarter planet"
Security Solutions for a Smarter Planet: IBM Directions in Security Jason Burn
Welcome to the smarter planet
- 162 million: Almost 162 million smart phones were sold in 2008, surpassing laptop sales for the first time.
- 90%: Nearly 90% of innovation in automobiles is related to software and electronics systems.
- 1 trillion: Soon, there will be 1 trillion connected devices in the world, constituting an “internet of things.”
The planet is getting more Instrumented, Interconnected and Intelligent.
With the smarter planet opportunities come new security and privacy risks
- Protection of sensitive and large volumes of data, shared globally
- Protection of sensors and actuators in the wild
- Protection of digital identities
Additional security and privacy risks impacting customers
- Addressing compliance complexity
- Adoption of virtualization and cloud computing
- Addressing the new cyber threat landscape
- Expectation of privacy
So how can security help us take advantage of opportunities on the smarter planet?
- Enables safe adoption of new forms of technology like cloud computing and virtualization
- Enables new business models like outsourcing and teleworking
- Addresses emerging compliance constructs, while decreasing IT operations costs
- Assures the quality, availability and integrity of information required for real time decision making
- Addresses consumer expectation of privacy by assuring “trusted brand” status
Security enables us to take risks and innovate confidently.
(Graphic labels: Virtualization, Teleworking, Outsourcing, Cloud Computing)
“Secure by design”: A new model for building a smarter planet
- Security cannot solely be the job of regulators or a stand-alone corporate department
- In an interdependent world, security has become both a necessity and a collective responsibility, one that we must take on as an intentional plan, not as an afterthought.
- We need to build solutions where security is factored into the initial design and is intrinsic to the business processes, product development lifecycle and daily operations.
  - Securely and safely adopt new technology and business models
  - Increase innovation and shorten time to market
  - Reduce security costs
… IBM can help
IBM’s security strategy: Delivering secure products and services; Providing end-to-end coverage across all security domains
- 15,000 researchers, developers and SMEs on security initiatives
  - Data Security Steering Committee
  - Security Architecture Board
  - Secure Engineering Framework
- 3,000+ security & risk management patents
- Implemented 1000s of security projects
- 40+ years of proven success securing the zSeries environment
- Managing over 7 Billion security events per day for clients
- 200+ security customer references and more than 50 published case studies
IBM Security Solutions. Secure by Design.
So where do we start? …… many scenarios to plan for… (quadrant axes: External Threats / Insider Threats; Inadvertent / Deliberate)
- Power failures
- Malware
- Denial of service
- Sophisticated, organized attacks
- Natural disasters
- Economic upheaval
- Unpatched systems
- Code and application vulnerabilities
- Lack of change control
- Human error or carelessness
- Developer-created back door
- Information theft
- Insider fraud
“Foundational Controls” = seatbelts and airbags
- Find a balance between effective security and cost
  - The axiom… never spend $100 dollars on a fence to protect a $10 horse
- Studies show the Pareto Principle (the 80-20 rule) applies to IT security*
  - 87% of breaches were considered avoidable through reasonable controls
- Small set of security controls provide a disproportionately high amount of coverage
  - Critical controls address risk at every layer of the enterprise
  - Organizations that use security controls have significantly higher performance*
- Focus on building security into the fabric of the business
  - “Bolt on” approaches after the fact are less effective and more expensive
  - Use the small set of security controls as a starting point when designing a system
* Sources: W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008; ITPI: IT Process Institute; EMA, December 2008
(Graphic labels: Cost, Effectiveness, Agility, Time, Complexity, Pressure)
“Foundational Controls” represent a hygienic process…
- “From the attacker’s perspective, the rationale is simple: When foundational controls fail or do not exist, why seek a more challenging target? Neglecting the fundamentals makes an organization an easy—and hence preferred—target.” (EMA, 2009)
- Controls provide a solid foundation for IT Security Management
  - Identity and Access Management
  - Data and Information Protection
  - Release Management
  - Change and Configuration Management
  - Threat and Vulnerability Management
  - Problem and Incident Management
  - Security Information and Event Management
- High performers adhere to “Plan–Do–Check–Act” philosophy
(Graphic: security domains: Network, Server, and End Point; Physical Infrastructure; People and Identity; Data and Information; Application and Process)
- Control: Govern and secure complex infrastructure and ensure regulatory compliance
- Visibility: Understand health and performance of services across your infrastructure
- Automation: Drive down cost, minimize human error and increase productivity
Adherence to ITIL (ITSM) sets apart highest performers in security management
… And “Foundational Controls” provide an effective approach for dealing with the growing compliance landscape
- Organizations face a growing number and complexity of compliance initiatives, many of which are evolving
- Foundational controls directly affect an organization’s information security posture.
- Prevalent compliance initiatives contain additional domains and control sets that fall under IT Management
  - E.g., data backup/recovery processes, physical facility security, etc. affect an organization’s compliance posture, but are not considered foundational in terms of Information Security.
IBM Security Framework supports Integrated Service Management, helping you assess and manage risk
- DATA AND INFORMATION: Understand, deploy, and properly test controls for access to and usage of sensitive data
- PEOPLE AND IDENTITY: Mitigate the risks associated with user access to corporate resources
- APPLICATION AND PROCESS: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure
- NETWORK, SERVER AND END POINT: Optimize service availability by mitigating risks to network components
- PHYSICAL INFRASTRUCTURE: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements
- GOVERNANCE, RISK MGMT AND COMPLIANCE (GRC): Ensure comprehensive management of security activities and compliance with all security mandates
IBM security portfolio: Overview (legend: Professional Services; Products; Cloud-based & Managed Services)
Identity and Access Management; Mainframe Security; Virtual System Security; Database Monitoring and Protection; Encryption and Key Lifecycle Management; App Vulnerability Scanning; Access and Entitlement Management; Web Application Firewall; Data Loss Prevention; App Source Code Scanning; SOA Security; Intrusion Prevention System; Messaging Security; Data Masking; Infrastructure Security; E-mail Security; Application Security; Web/URL Filtering; Vulnerability Assessment; Firewall, IDS/IPS, MFS Mgmt.; Identity Management; Data Security; Access Management; GRC; Physical Security; Security Governance, Risk and Compliance; SIEM and Log Management; Web/URL Filtering; Security Event Management; Threat Assessment
How we add value: IBM leverages our skills to help meet your goals
- IBM has the industry’s broadest Security Solutions portfolio
- IBM understands Security & Risk are business problems first, technical problems second
- IBM has deep industry expertise
- IBM has a huge ecosystem of leading security partners
- IBM has the client success stories to demonstrate results
ONE voice for security. IBM SECURITY SOLUTIONS
INNOVATIVE products and services. IBM SECURITY FRAMEWORK
COMMITTED to the vision of a Secure Smarter Planet. SECURE BY DESIGN