Business Driven Security Securing the Smarter Planet pcty_020710_rev


  • 1. Balancing Risk with Opportunity Security Trends and Strategies for Business Leaders IBM Software
  • 2. Agenda • Typical security challenges • Foundational Controls • IBM Security Solutions • Customer case studies • Why IBM
  • 3. Typical Challenges
    • Data Security: Can I ensure that sensitive data will not be compromised, exposed, or leak outside the company?
    • Identity & Access Management: Can I certify that the system access controls work and only employees that should gain access to key systems are entitled?
    • Financial & Intellectual Property Theft: Can the systems be safeguarded to prevent either financial abuses or intellectual property from being stolen?
    • Intrusion Detection & Prevention: Are we vulnerable to hackers who may be mounting a denial of service or other type of intrusive attack?
    • Viruses & Worms: Are all systems patched and protected against virus and other vulnerabilities to prevent an outbreak that will shut us down?
    • Regulatory Compliance: Can I meet all the industry regulatory requirements and prevent a significant financial setback [prevent the internal staff from] if there is a security exposure?
    • Resilience, Recovery and Redundancy: Can the company and the systems continue to operate in the event of a major catastrophe?
    • Application Security: Can I compromise systems and prevent insider theft?
    • Physical Security: Is the workplace safe and secure for employees & clients?
    IBM Confidential © 2009 IBM Corporation
  • 4. Not all risks are created equally [Chart: Frequency of Occurrences Per Year (from 1,000, frequent, down to 1/100,000, infrequent) against Consequences (Single Occurrence Loss) in Dollars per Occurrence (from $1, low, up to $100M, high). Risks plotted: Virus; Data Corruption; Worms; Disk Failure; Application Outage; System Availability Failures; Lack of governance; Network Problem; Failure to meet Industry standards; Failure to meet Compliance Mandates; Terrorism/Civil Unrest; Workplace inaccessibility; Natural Disaster; Regional Power Failures; Pandemic; Building Fire]
  • 5. Increasing complexity
    • Interconnect, share and protect magnitude of data: 15 petabytes of new information are being generated every day. This is 8x more than the information in all U.S. libraries
    • Death by point products: Confusion on approach. Where to start?
    • Rapidly changing threat environment: 508% increase in the number of new malicious Web links discovered in the first half of 2009
    • Disruptive technologies like Virtualization and Cloud Computing: 80% of enterprises consider security the #1 inhibitor to cloud adoptions
    Source: IBM X-Force 2009 Mid-year Trend Report
  • 6. Rising costs
    Today’s CIOs spend 55% of their time on activities that spur innovation. The remaining 45% is spent primarily on cost reduction, managing risk and automation.*
    • Skills to deploy new technologies like Virtualization and Cloud computing are costly
    • IT departments have: Increasing responsibilities; Time pressures; Do more with less
    • Bulk of security budget is spent firefighting rather than innovating
    • Administrators and help desk resources are strained to support increasing base of users
    * Source: IBM Global CIO Study, 2009
  • 7. Cost, complexity and compliance • Death by point products • Rising Costs: Do more with less • Regulation/Compliance fatigue. People are becoming more and more reliant on security. IBM believes that security is progressively viewed as every individual’s right
  • 8. “Foundational Controls” = seatbelts and airbags
    • Find a balance between effective security and cost – The axiom… never spend $100 dollars on a fence to protect a $10 horse
    • Studies show the Pareto Principle (the 80-20 rule) applies to IT security* – 87% of breaches were considered avoidable through reasonable controls
    • Small set of security controls provide a disproportionately high amount of coverage – Critical controls address risk at every layer of the enterprise – Organizations that use security controls have significantly higher performance*
    • Focus on building security into the fabric of the business – “Bolt on” approaches after the fact are less effective and more expensive
    [Diagram labels: Pressure; Cost; Complexity; Effectiveness; Agility; Time]
    *Sources: W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008; ITPI: IT Process Institute, EMA December 2008
  • 9. The IBM security strategy: Make security, by design, an enabler of innovative change
    Trusted Partner: Delivering secure products and services
    Trusted Security Vendor: Providing end-to-end coverage across all security domains
    • 15,000 researchers, developers and SMEs on security initiatives – Data Security Steering Committee – Security Architecture Board – Secure Engineering Framework
    • 3,000+ security & risk management patents
    • Implemented 1000s of security projects
    • 40+ years of proven success securing the zSeries environment
    • Managing over 7 Billion security events per day for clients
    • 200+ security customer references and more than 50 published case studies
  • 10. Physical infrastructure. BUSINESS VALUE: Provide actionable intelligence and improve effectiveness of physical infrastructure security
    Video Surveillance
      Business challenge: Legacy analog video systems with proprietary interfaces are hard to integrate with IT infrastructure
      Software: IT infrastructure, Logical Security products, and DVS partner products
      Professional Services: Base Digital Video Surveillance Infrastructure services
    Video Analytics
      Business challenge: Video information from many cameras present an information overload to human security personnel, detection is often after the fact and response management is problematic
      Software: Smart Vision Suite
      Professional Services: Design, Implementation, Optimization services
    Command and Control
      Business challenge: IT and physical security operate in silos and do not integrate. It is increasingly difficult and expensive to consolidate security information across locations for effectiveness and compliance
      Software: Command Control Center Solution
      Professional Services: Command Control Center Solution Services
    This is not intended to be a comprehensive list of all IBM products and services
  • 11. People and identity. BUSINESS VALUE: Lower costs and mitigate the risks associated with managing user access to corporate resources
    Cost and Complexity of Managing Identities
      Business Challenge: • On average, enterprises spend 2 weeks to setup new users on all systems and about 40% of accounts are invalid • 30% of help desk calls are for password resets, at $20 per call
      Software: Tivoli® Identity and Access Assurance, Tivoli zSecure suite
      Professional Services: Identity and Access Management Professional Services
      Managed Services: Managed Identity and Access Management
    Providing Access to Applications
      Business Challenge: “We would need to spend $60k on each of our 400 applications to implement security access rules” – Global financial services firm
      Software: Tivoli Access Manager, Tivoli Federated Identity Manager
      Professional Services: Identity and Access Management Professional Services
      Managed Services: Managed Identity and Access Management
    Auditing, reporting and managing access to resources
      Business Challenge: • Privileged users cause 87% of internal security incidents, while firms cannot effectively monitor thousands of security events generated each day • Role management, recertification, etc.
      Software: Tivoli Identity and Access Assurance, Tivoli Security Information and Event Manager
      Professional Services: Compliance Assessment Services, Privileged Identity Management
      Managed Services: Managed User Monitoring and Log Management
    This is not intended to be a comprehensive list of all IBM products and services
  • 12. Data and information. BUSINESS VALUE: Understand, deploy and properly test controls for access to and usage of sensitive business data
    Protecting Critical Databases
      Business Challenge: Mitigate threats against databases from external attacks and internal privileged users
      Software: Guardium Database Monitoring & Protection
      Professional Services: Data Security Assessment Services
    Messaging Security and Content Filtering
      Business Challenge: Spam and inappropriate Web sites pose major productivity drains, resource capacity strains, and leading attack vector for malware
      Software: Multi-Function Security appliance, Lotus Protector
      Professional Services: Data Security Assessment Services
    Managing Data Access and Encryption
      Business Challenge: Over 82% of firms have had more than one data breach in the past year involving loss or theft of 1,000+ records with personal information; cost of a data breach increased to $204 per compromised customer record*
      Software: Tivoli® Key Lifecycle Manager, Tivoli Security Policy Manager, Tivoli Federated Identity Manager
      Professional Services: Data Security, Compliance Assessment Services
    Monitoring Data Access and Preventing Data Loss
      Business Challenge: 42% of all cases involved third-party mistakes and flubs… magnitude of breach events ranged from about 5,000 to 101,000 lost or stolen customer records*
      Software: Data Loss Prevention; Tivoli Security Information and Event Manager
      Professional Services: Data Security, Compliance Assessment Services
    This is not intended to be a comprehensive list of all IBM products and services
    * “Fifth Annual U.S. Cost of Data Breach Study”, Ponemon Institute, Jan 2010
  • 13. Application and process. BUSINESS VALUE: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure
    Security in App Development
      Business Challenge: Vulnerabilities caught early in the development process are orders of magnitude cheaper to fix versus after the application is released
      Software: Rational® AppScan®; Ounce
      Professional Services: Secure App Dev Process Enablement, App Vulnerability and Source Code Scanning
    Discovering App Vulnerabilities
      Business Challenge: • 74% of vulnerabilities in applications have no patch available today* • 80% of development costs are spent identifying and correcting defects, costing $25 during coding phase vs. $16,000 in post-production**
      Software: Rational AppScan; Ounce
      Professional Services: App Vulnerability and Source Code Scanning
    Embedding App Access Controls
      Business Challenge: According to customers, up to 20% of their application development costs can be for coding custom access controls and their corresponding infrastructure
      Software: Tivoli® Identity and Access Assurance
      Professional Services: Application Access Services
    Providing SOA Security
      Business Challenge: Establishing trust and high performance for services that span corporate boundaries is a top priority for SOA-based deployments
      Software: WebSphere® DataPower®; Tivoli Security Policy Manager
    Managed Services (across the columns): Managed Vulnerability Scanning; Managed Access Control
    This is not intended to be a comprehensive list of all IBM products and services
    * IBM X-Force Annual Report, Feb 2009
    ** Applied Software Measurement, Caper Jones, 1996
  • 14. Application and Process. 54% of all vulnerabilities disclosed in 1st half of 2008 were web-based*. 75% of attacks are focused on applications**. [Lifecycle diagram. Stages: Define Security Requirements and Policy; Build Security into design and models; Build & Test; Deploy; Manage, Monitor & Defend. Products and services named on the diagram: IBM ISS Intrusion protection; IBM ISS Managed Services; IBM ISS Consulting; IBM Global Services; Rational Requirements Management; Rational Application Developer; Rational Software Architect; WebSphere Business Modeller; Rational Change Management; Rational BuildForge; Tivoli distribution products; Rational AppScan]
  • 15. Network, server and end point. BUSINESS VALUE: Optimize service availability by mitigating risks while optimizing expertise, technology and process [Diagram labels: Systems; Storage; Virtual; Network]
    Protecting Servers
      Business Challenge: Mitigate threats against servers; prevent data loss
      Software: Server Protection, Server Protection for VMWare
      Professional Services: Server security, data security assessment services
      Managed Services: Managed IDS, Privileged User Mgmt
    Protecting Endpoints
      Business Challenge: Effective management can cut total cost of ownership for secured desktops by 42%*
      Software: Desktop security platform; encryption
      Professional Services: Desktop security, data security assessment services
      Managed Services: Managed Desktop security platform
    Protecting Networks
      Business Challenge: Mitigate network based threats and prevent data loss
      Software: Network Intrusion Prevention System (IPS)
      Professional Services: Network security assessment services
      Managed Services: Managed Network IPS
    Protecting Mainframes
      Business Challenge: Mitigate threats against mainframes; protect against vulnerabilities from configuration; contain the privileged users
      Software: Tivoli® zSecure suite
    * Gartner Desktop Total Cost of Ownership: 2008 Update, Jan 2008
    This is not intended to be a comprehensive list of all IBM products and services
  • 16. Addressing New Threats: Virtualization and Cloud Computing
    • Market-leading network protection now available on a virtual appliance – World class, vulnerability-based protection powered by X-Force research – Integrate virtual security with physical network protection – Runs on VMWare
    • Segment-based network protection – Physical network segments – Virtual network segments – Cloud-based service providers
    • Network protection with the speed of an appliance – Replacement for Real Secure Network Sensor – Upgrade to full Proventia protection
    • Makes virtualized and cloud environments REAL FOR BUSINESS
  • 17. Security governance, risk management and compliance. BUSINESS VALUE: Ensure comprehensive management of security activities and compliance with all security mandates
    Security Strategy Design
      Business Challenge: Design and implement secure deployment strategies for advanced technologies such as Cloud, virtualization, etc.
      Professional Services: Consulting Services; Security Design
    Pen Testing & Vuln. Assessment
      Business Challenge: Identify and eliminate security threats that enable attacks against systems, applications and devices
      Software: Rational® AppScan®; Guardium Database Monitoring & Protection
      Professional Services: Ethical hacking and AppSec assessment
    Sec. Compliance Assessment
      Business Challenge: Perform security compliance assessments against PCI, ISO and other standards and regulations
      Software: Tivoli Security Information and Event Manager; Guardium Database Monitoring & Protection; Tivoli zSecure suite
      Professional Services: Qualified Security Assessors
    Incident Response
      Business Challenge: Design and implement policy and processes for security governance, incident response; perform timely response and computer forensics
      Software: Tivoli® Security Information and Event Manager; Tivoli zSecure suite
      Professional Services: Policy definition services; CERT team
    Managed Services (across the columns): App Vulnerability and Source Code Scanning OnDemand; Managed Protection Services
    This is not intended to be a comprehensive list of all IBM products and services
  • 18. We know how… Smarter security enabling client innovation
    • Banco Mercantil do Brasil: Automates access management, reduces the number of help desk calls by 30% with savings of 450K annually
    • DTCC: Improves the delivery of new insurance products and services and adds 225 new applications per year
    • Washington Metro Area Transit Authority: Level 1 merchant with 9 million transactions yearly protects consumer trust by shielding database infrastructure from internal and external threats
    • Gruppo Intergea: Protects its network infrastructure from threats and ensures business continuity
  • 19. Identity Management Journey
    Objectives of the Identity Management Journey @ Cognizant
      • Improved user productivity, due to reduced wait for new and updated systems access and fewer authentication problems
      • Lower security administration cost, as the bulk of user administration automated or delegated to business users and password resets eliminated or resolved with self-service
      • Enhanced security, as inappropriate access terminated quickly and reliably
      • Regulatory compliance, from the ability to audit access rights globally, and ensure that only appropriately authorized users have access to sensitive systems and data
    Business Drivers
      • Cost Containment & Reduction: Reductions in help desk call volumes; Reduced manual user intervention
      • Operational Efficiencies / Productivity: Faster access setup for new hires; Reduced user down-time waiting for password resets
      • Security Improvements: Immediate access de-activation for terminated / resigned staff; Elimination of over provisioning risks; Provision new accounts in compliance with standards
    Benefits of the Identity Management Initiative at Cognizant
      • Improved efficiency of system & application administrators
      • Improved employee productivity by self service methodologies
      • Improved compliance posture
    Implementation Approach
      Phase I: User provisioning; Password management & self-service; Accountability
      Phase II: Role-based user-provisioning policies; Identity management workflows – automated ID management process; Automation of HRMS integration; Extension to critical applications like MS Active Directory, MS Exchange, PeopleSoft, and Remedy
  • 20. Smart surveillance helped a large US metropolis to identify safety threats quickly and respond proactively (Physical Infrastructure)
    Value
      • Helped increase patrolling of a convention center during a conference event
      • Video analytics covered secondary sites, including more than 2 dozen hotels hosting conference attendees
      • Surveillance solution identified a van parked by a hotel for more than 24 hours and alerted police to avoid a possible threat
    Business Challenge
      • Identify public safety threats before they happen
      • Quickly respond to events with police, emergency medical services, and fire and rescue when needed
    Solution: IBM Smart Surveillance Solutions
      • Delivers a broad set of surveillance tools – including video analytics and centralized monitoring – to help identify threats and quickly alert police, fire and rescue resources.
  • 21. Why IBM? IBM is dedicated to cybersecurity advancement. “Worldclass Research”
    Institute Focus
      • Engage in public-private collaboration
      • Address and mitigate cybersecurity challenges
      • Provide a forum for clients to better understand how recent IBM Research advances can help
    IBM researches and monitors latest threat trends with X-Force
      Provides Specific Analysis of: • Vulnerabilities and exploits • Malicious/Unwanted websites • Spam and phishing • Malware • Other emerging trends
      Most comprehensive vulnerability database in the world • Entries date back to the 1990’s
    Source: IBM X-Force Database
  • 22. Why IBM? Recent accolades
    “IBM and a few others can help any sized customer with security, regardless of whether they need help securing their business, implementing an enterprise security initiative, or fixing a big security problem.” — Jon Oltsik, Enterprise Strategy Group, March 2010
    “IDC believes IBM has recognized this trend and has created comprehensive security packages that leverage various products to provide for multiple layers of security to customers.” — Charles Kolodgy, IDC, March 2010
    “In light of IBM’s growing presence in security and compliance, and the weight of its impact on the larger issues of business risk control, these factors should make IBM a primary partner to consider in shaping strategy and evaluating technologies and services that make a difference. Few others have the range of capabilities of today’s IBM for addressing the challenge—fewer still have the resources of an IBM for understanding the nature of business risks and emerging threats, and how best to address them going forward.”
    IBM was named the “Best Security Company”* by SC Magazine
    Source: SC Magazine award, March 2, 2010; High Performers and Foundational Controls: Building a Strategy for Security and Risk Management - Enterprise Management Associates® (EMA™), Dec 2009
  • 23. Why IBM? IBM has unmatched global and local expertise in security • 9 Security Operations Centers • 9 Security Research Centers • 133 Monitored Countries • 20,000+ Devices under Contract • 3,700+ MSS Clients Worldwide • 7 Billion+ Events Per Day • 3,000+ security and risk management patents
  • 24. IBM is your trusted partner…
    • Know how to ensure your success: Successfully implemented 1000s of client projects
    • Deliver value by understanding the big picture: Security across mainframes, desktops, networks, handheld devices
    • Help you to choose; Create the right solution for you
    • Ensure success by execution: Manage security for 400,000 IBM employees, 7B events/day for clients
    • Expertise to meet your industry needs: Tailor solutions to meet your industry challenges
    • Client success stories to demonstrate results: Provided IT Security for 30+ yrs, 200 client references
    • Leverage our skills to meet your goals: 1000s of researchers and SMEs
    • Partnership with a huge ecosystem: Large business partner community
    Delivering solutions that enable enterprises to be Secure by Design
  • 26. Back Up Slides IBM Software
  • 27. Banco Mercantil do Brasil automates access management processes and increases employee productivity (People & Identity)
    Value
      • Reduced the number of help desk calls by 30%, resulting in savings of at least $450,000 USD annually
      • Enabled HR managers to create and cancel user accounts in just 2 days instead of 7 – improving productivity
      • Provided 3,200 employees with a single password, synchronized across several environments in 3 months
    Business Challenge
      • Automate access management processes for internal applications
      • Increase agility
      • Manage changes in business and increasing demands
    Solution: IBM’s Identity Management solution
      • Manages and controls access at a central point
      • Grants access based on roles
      • Ensures security of critical information
      • Increases productivity
    “We have already reduced from 7 days to 2 days the time it takes to provide employees with access to IT resources, including human resource processes, identifications and passwords.” — Jaime Roberto Pérez Herrera, Technical Support Manager, Banco Mercantil do Brasil.
    Source:
  • 28. Community medical center improves patient information security to meet electronic data requirements (HIPAA) (People & Identity)
    Value
      • Client satisfied the mandated electronic data requirements by required deadline (HIPAA)
      • Physicians, nurses and administrators are spending less time logging onto and off applications
      • Reduced operating costs enabling the medical center to focus more on patient care
    Business Challenge
      • Meet federal guidelines for HIPAA compliance
      • Not impede staff convenience
    Solution: Access Manager for Single Sign On
      • Secures access to new and legacy applications
      • Delivers single sign on and sign off to users
      • Easy to deploy with maximum flexibility
    “The solution helped address issues in more than half of the HIPAA security standards, specifically addressing many access control and audit tracking issues.” — George Vasquez
    Source:
  • 29. IBM X-Force IBM Software
  • 30. IBM X-Force Research and Development
    • What does it do? – Researches and evaluates vulnerabilities and security issues – Develops assessment and countermeasure technology for IBM security offerings – Educates the public about emerging Internet threats
    • Why is it differentiating? – One of the best-known commercial security research groups in the world – IBM X-Force maintains the most comprehensive vulnerability database in the world, dating back to the 1990s. – X-Force develops our Protocol Analysis Module which is the engine inside IBM Security solutions. This technology allows X-Force to regularly and automatically infuse new security intelligence into IBM Security offerings on average 341 days ahead of the latest threats.
  • 31. IBM X-Force® Database. Most comprehensive vulnerability database in the world • Entries date back to the 1990’s. Updated daily by a dedicated research team, currently tracks over: • 7,600 Vendors • 17,000 Products • 40,000 Versions
  • 32. IBM Research IBM Software
  • 33. Homomorphic Encryption facilitates analysis of encrypted information without sacrificing confidentiality • Analyze confidential electronic client data without seeing any private information • Store data anywhere while it remains completely secure and private • Query a search engine without telling the engine what you are looking for! Service providers will easily be able to adopt new models like cloud computing and deliver smarter services
  • 34. IBM continues to research and test new, more robust and more focused approaches to enterprise security. IBM is working with clients worldwide to implement the new Enterprise Security Architecture • Combines: IBM Methodology for Architecting Secure Solutions; Enterprise architecture framework of IBM Global Services Method • The new architecture is defined around the concept of six security zones of control (Boundary control, authentication, authorization, integrity services, audit/monitoring, and cryptographic services)
  • 35. Advanced Risk Analytics is the key to future of IT Security
    • Mine intelligence from logs and audit records from multitude of event sources
    • Consolidate and correlate events and data at line speeds and present them to the analyst in a meaningful manner
    • Put control back into the hands of decision makers, such as security analysts, by taking over repetitive and manual tasks
    Advanced risk calculators to provide faster data processing rates at 15 to 20 times the scale of today’s model
    Automatically creates and checks behavioral Models for malware detection at real time
    Provides pre-fraud detectors with extremely low false positive rates
  • 36. With these new opportunities come new risks
    Emerging technology • Virtualization and cloud computing increase infrastructure complexity. • Applications are a vulnerable point for breaches and attack.
    Data and information explosion • Data volumes are doubling every 18 months. • Storage, security, and discovery around information context is becoming increasingly important.
    Wireless world • Mobile platforms are developing as new means of identification. • Security technology is many years behind the security used to protect PCs.
    Supply chain • The chain is only as strong as the weakest link… partners need to shoulder their fair share of the load for compliance and the responsibility for failure.
    Clients expect privacy • An assumption or expectation now exists to integrate security into the infrastructure, processes and applications.
    Compliance fatigue • Organizations are trying to maintain a balance between investing in both the security and compliance postures.