Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Making Security Work—Implementing a Transformational Security Program

281 views

Published on

Recent newsworthy data breaches have business and IT leaders asking, “Are we learning from the mistakes of others?” In an ever-increasing threat environment, security leaders face mounting pressures to deliver effective security capabilities that protect business assets while balancing budgets, security risks and regulatory issues.

For more information on Security, please visit: http://cainc.to/CAW17-­Security

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Making Security Work—Implementing a Transformational Security Program

  1. 1. Making  Security  Work—Implementing  a   Transformational  Security  Program Brent  Comstock SCT06S SECURITY Group  Vice  President  – Identity,  Access  and  Data  Protection  Strategy SunTrust  Banks
  2. 2. 2 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS ©  2017  CA.  All  rights  reserved.  All  trademarks  referenced  herein  belong  to  their  respective  companies. The  content  provided  in  this CA  World  2017  presentation  is  intended  for  informational  purposes  only  and  does  not  form  any  type   of  warranty. The information  provided  by  a  CA  partner  and/or  CA  customer  has  not  been  reviewed  for  accuracy  by  CA.   For  Informational  Purposes  Only   Terms  of  this  Presentation
  3. 3. 3 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Abstract Recent  newsworthy  data  breaches  have  business  and  IT  leaders  asking,  “Are  we   learning  from  the  mistakes  of  others?”    In  an  ever-­increasing  threat  environment,   security  leaders  face  mounting  pressures  to  deliver  effective  security  capabilities  that   protect  business  assets  while  balancing  budgets,  security  risks  and  regulatory  issues. SunTrust  has  started  the  journey  of  transforming  security  capabilities.  This  session  will   explore  the  driving  factors  that  resulted  in  SunTrust  re-­evaluating  its  identity,  access  and   information  security  program.  Furthermore,  it  will  explore  the  key  inputs  and  building   blocks  of  what  it  is  looking  to  establish  in  its  program  and  people,  processes  and   technologies  that  will  be  required  to  achieve  this  vision. Brent   Comstock SunTrust  Banks Group  VP  -­ Identity,  Access  and   Data  Protection   Strategy The  thoughts,  views  and  opinions  I  express  are  my  own.  None  of  these  statements  should  be  considered  to  represent  my  employer,   SunTrust  Banks,  Inc.  in  any  way.
  4. 4. 4 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Why  I’m  Here  Today THE  WEATHER  OUTSIDE  IS  FRIGHTFUL… WE’RE  NOT  IN  KANSAS  ANYMORE BREAK  THE  MOLD THE  FORK  IN  THE  ROAD FROM  THE  INSIDE  OUT 1 2 3 4 5
  5. 5. 5 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS The  Weather  Outside  is  Frightful…
  6. 6. 6 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS *2017  Verizon  Data  Breach  Investigations  Report Exploited  privileged  user   accounts  are  the  common   thread  of  most  data  breaches* “Looking  back  at  the  breaches  that  have  happened  in  the  recent  past  and  looking   ahead  to  GDPR,  ….  it’s  clear  that  security  continues  to  be  critically  important.”   Mike  Gregoire,  Q2  2018  Earnings  Conference  Call,  October  25,  2017  
  7. 7. 7 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS
  8. 8. 8 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS
  9. 9. 9 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS The  Problem: There  are  large  numbers  of  users,   environments  and  end  points  to   patch,  secure  &  manage,  all  with   changing  security  profiles  over   time.   The  work  load  is  overwhelming.
  10. 10. 10 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS After  CA  World,  You  Return  Home… Enlightened… Energized… Enthused… And  pretty  freaked  out!
  11. 11. 11 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS We’re  Not  in  Kansas  Anymore
  12. 12. 12 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS So  Where  Are  We?
  13. 13. 13 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Break  The  Mold
  14. 14. 14 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS We  protect  what’s   important  to  us. How  we  provide  that   protection  has  to   change.
  15. 15. 15 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS BREAK  THE  MOLD
  16. 16. 16 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS The  Fork  in  the  Road
  17. 17. 17 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Level  of  effort? Budget? Time? • Align  with  Significant   Company  Initiatives • Establish  Security   capabilities  quickly • “Fix”  existing  platforms • Upgrade   • Address  Process  gaps Can  current  technology  and  processes   be  adequately  improved?
  18. 18. 18 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS From  the  Inside  Out
  19. 19. 19 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS FORMULA FOR  CHANGE Discover  &  unlock   WHY Impact  Leadership Execute  with   Advocates Organizational  Culture   Change
  20. 20. 20 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS IAM  – Focus  &  Objectives Creation  of  Identity  credentials,  knowledge  of  high  risks  assets  and  associated  Access  grants  &  controls  are  essential  to   effective  Security  in  this  time  of  unprecedented  threats.  IAM  and  Data  Protection  capabilities  are  highly  interdependent. Mitigate  enterprise  cyber  risks  and  transition  to  proactive  detection  of  control  failures  by  implementing  effective  capabilities &   controls  for  access  to  company  assets: Focus Objectives The  top  areas  of  IAM  focus  include:  a)  acquire  modern  identity  management  capabilities,  b)  gain  visibility   into  movement  of  data  and  usage  of  cloud  services    c)  gain  insights  into  users'   behavior  d)  define  roles  and  responsibilities  and  e)  adhere  to  regulatory  requirements Ø Simplify,  standardize  and  automate  IAM  functions  across  the  enterprise   Ø Utilize  asset  risk  scoring  to  focus  on  securing  highest  risk  assets  first Ø Invest  in  people,  processes,  and  technologies  to  better  monitor  and  detect  malicious  activity Ø Define  and  implement  roles  and  responsibilities  for  IAM  framework  execution  including  increased   Business  engagement  and  accountability Ø Secure  privileged  accounts:  servers,  databases,  applications,  domains,  devices,  service  accts   Ø Integrate  user  behaviors  associated  with  access  and  data  movement  with  all  our  environments  to  detect   threats  and  suspicious  behaviors Ø Enhance  capabilities  to  secure  connections  &  data  movement  to  the  cloud  and  3rd parties Discover  &  Unlock   WHY
  21. 21. 21 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS IAM  &  Data  Protection  Scope   Given  the  growth  of  cyber  threats,  the  value  of  the  data  and  transactions  that  we  protect  continues  to  increase.  We  must  evolve   our  IAM  practices  to  include  deeper  partnership  and  a  “One  Team”  approach  for  “Modern  IAM”  that  is  much  more  intelligent,   agile  and  transparent.   Cloud  &  Emerging  Technologies  ‘Modern  IAM’  is  a  foundational  tenet  to  enable  the   business  to  benefit  from  emerging  technologies  such  as  the  Cloud  and  Internet  of  Things  (IOT).   Modern  IAM  capabilities  are  faster,  more  secure  and  more  efficient  in  transitioning  applications   and  infrastructure  to  the  cloud.     Asset  Type Applications enable  business  functions  and  meet  access  risk  objectives  through  roles,   entitlements,  and  permissions.  They  are  managed  by  traditional  IAM  solutions  and  are  the   company  asset  type  that  have  the  most  mature  access  controls. End  Users  and  Devices  are  at  the  center  of  business  functions.  Ease  of  use  must  be     balanced  by  the  necessity  to  protect  company  assets.  The  increased  scale  from  the  growing  use   of  mobile  devices  stretches  traditional  IAM  practices  and  capabilities. Data is  stored  in  a  variety  of  formats  and  locations,  and  is  growing  rapidly.  This  growth  is   compounded  by  End  User  compute  environments  (e.g.,  file  shares,  SharePoint)  which  are  not   currently  managed  and  protected  using  traditional  IAM  practices  and  capabilities. Big  Data  (i.e.  Atlas  Data  Lake)  environments  combine  data  from  numerous  sources.  The   complexity  of  defining  access  permissions  to  voluminous,  diverse,  and  sensitive  information   environments  is  not  scalable  using  currently  available  IAM  access  models  and  technology. IAM  Scope Impact  Leadership
  22. 22. 22 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Why  Are  Advocates  Essential? § With  limited  resources  and  reach,   you  can  tap  into  the  energy  of  passionate   employees.  They  have  knowledge  and   insight § These  employees  become  the  eyes  and   ears  on  the  ground  and  help  to  drive   change  from  within  their  teams § This  feeling  of  ownership,  responsibility   and  influence  creates  engagement   across  the  organization § By  building  direct  relationships  with  different   parts  of  the  business,  you  can  find  out  so  much   more  through  two  way  communications § By  keeping  our  advocates  informed  of  the   latest  news  and  views  around  security  – you  make  them  smarter  and  also  by  proxy  – their  teams  too! Security  is  a  team  sport…engage  the   rest  of  the  team Execute  With   Advocates
  23. 23. 23 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Analytics  Enablement • Facilitate  Onboarding  &  Data  Access • Document  &  Maintain  Role  Definition   • Request  Data  Group  Setup Provisioning   Facilitator Data  Lake  Domain   Work  Area  (Zone  2) Domain   Role   Security     Group Data   Asset Data   Asset Data   Asset Domain   Users Domain  Team   Manager • “Owns”  Domain • Requests  New  Domain  Roles • Designate  Role  Champion • Develop  Data  Source  Access  Requirements  * Domain   Owner Domain  Role  Owner • Approve  User  Access  to  Role • Attest  to  Role  and  User  Access  Annually • Validation  of  Role  Data  Source  Access  Annually Role   Champion Source  Data  Owner(s) • Approve  Role  Creation • Approve  Data  (not  user)  Access  for  Role Data  Access   Owner Data  Management   Manager  or  Analyst • Identify  &  Validate  Sensitive  Data  for  Data  SourcesData  SME Data  Lake  Operations • Configure  user  on  Data  Lake • Configure  data  access Data  Lake Setup Security   Team  Tasks Organizational  Culture   Change Engage  the  Team  (Example)
  24. 24. 24 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS None  of  us   is  as  smart   as  all  of  us. People  cannot   help  but  resist   change.   It’s  in  our  DNA  to  want  to   remain  with  known   approaches. Those  who  resist  improved   security  aren’t  crazy,  they’re   human. Landing  the  Plane “People  don’t   buy  what  you   do,  they  buy   why  you  do  it.” SIMON  SINEK No  one  can  tell  us  what   “right”  looks  like,  because  of   experience  &  perspectives. Your  Advocates  will  help  fuel   the  cultural  change.   Empower  them.
  25. 25. 25 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Questions?
  26. 26. 26 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Stay  connected  at  communities.ca.com Thank  you.
  27. 27. 27 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS Security For  more  information  on  Security, please  visit:  http://cainc.to/CAW17-­Security

×