Balancing deployment of emerging technologies with legacy ecosystems is a challenge when IT is constantly bombarded with new threats, regulations and the seemingly endless “fix it now” issues of cybersecurity. Chevron’s road to cybersecurity maturity included developing a flexible approach to build a strong foundation based on long-term research with new agility to adapt to emerging threats.
(Source: RSA Conference USA 2017)
6. #RSAC

| TDS | Name | Description |
|---|---|---|
| 1 | Initiation | Basic principles observed and reported |
| 2 | Concept | Technology concept and/or application formulated |
| 3 | Proof of Concept | Analytical and experimental critical functions and/or characteristic proof of concept |
| 4 | Integration | Component and/or bench configured sub-system validation in laboratory environment |
| 5 | Demonstration | Component and/or bench configured sub-system validation in relevant ‘real world’ environment |
| 6 | Prototype | System/sub-system model or prototype demonstration in a relevant environment |
| 7 | Pre-production | System prototype or demonstration in the intended operating conditions and environment |
| 8 | Production | Actual system completed and qualified through test and demonstration in realistic operating environments |
| 9 | Field Proven | Actual system(s) proven through successful field operations |

Chevron’s Technology Qualification Process
10. #RSAC
Discovering Existing Usage and Risk Exposure
Executed simultaneous threads of discovery and analysis in 2015/2016
- Enterprisewide view of usage and risk exposure
- Recommended monitoring solutions
- Identify Cloud Access Security Brokers
- Compare test results and recommend best product
- Analyze results and prepare stakeholder reports
- Understand current usage of infrastructure and platform services
- Prepare report on overall cloud usage & projected risks
11. #RSAC
Discovery Results as of December 2016
- 8356 Discovered Services
- 7067 Filtered Services
- 400 Services in Registry
- 107 Active Services (In Registry)

| Risks Reviewed | Service 1 | Service 2 | Service 3 | Service 4 | Service 5 | Service 6 | Service 7 | Service 8 |
|---|---|---|---|---|---|---|---|---|
| Service Has Known Vulnerabilities & Exploits | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 |
| Ownership of uploaded data | 3 | 0 | 0 | 3 | 0 | 3 | 3 | 3 |
| Timely Data Purge on Customer Departure | 0 | 0 | 0 | 2 | 0 | 3 | 3 | 3 |
| Personal Info Shared with 3rd Parties | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 3 |
| Third-party Cookies | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Data Center Is Certified | 3 | 3 | 0 | 3 | 0 | 3 | 3 | 3 |
| Data Encrypted In Transit | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 |
| Data Encrypted At Rest | 3 | 0 | 0 | 3 | 3 | 3 | 3 | 3 |
| Role-based Authentication | 3 | 0 | 0 | 3 | 0 | 3 | 3 | 3 |

| Rating | Score |
|---|---|
| Positive | 3 |
| Not Yet Determined | 2 |
| Negative | 0 |

Enterprise Risk Analysis of Significant Cloud Services