Securing the Digital Enterprise

Abstract: Digital technologies have made customers powerful, giving them the option to choose and the means to spread their opinions widely and instantaneously. They have become demanding, and they change brands without a blink if their experience with a product or service isn't what they expect. Brand loyalty has therefore taken a back seat and customer experience has emerged supreme. In an IBM survey, 95% of CEOs said enhancing customer experience was their top priority. Security forms a core foundation for enhancing customer experience.
Typically, security has been inward-looking, focusing more on technology vulnerabilities and less on securing business objectives. Securing the digital enterprise entails looking outside-in, to protect customer experience, its strategic objective. Internally, the digital enterprise also needs assurance against the vulnerabilities introduced by digital technologies such as cloud and IoT.

Bio: Mohan is an acknowledged expert and thought leader in information security. He was Senior VP and Global CISO at Bharti Airtel, where he also held charge as the company's Chief Architect and as CIO for its Bangladesh and Sri Lankan operations. Before Bharti he was an advisor at a Big-4 consultancy, CEO of a security company he helped start, and Director of Information Technology for the Indian Navy, where he was awarded the Vishisht Seva Medal by the President of India for innovative work in information security. He has been a member of several national and international committees on security, including the National Task Force on Information Security, the DOT Joint Working Group on Telecom Security, the Indo-US Cyber Security Forum, the IBM Security Board of Advisors and the RSA Security for Business Innovation Council, and has chaired the CII National Committee on Data Security, among others. For his contribution to the information security practice he has received the DSCI Security Leader Award, the CSO Forum Security Visionary Award and the RSA Security Strategist Award.

Published in: Education


  1. Securing the Digital Enterprise. Felix Mohan, Chief Knowledge Officer, CERC@IIIT-D. 09 Sept 2014.
  2. Agenda: Securing the Digital Enterprise
     • Customer Experience
     • Technology & the Digital Enterprise
     • Security Controls
  3. Lower operating cost; better customer experience.
  4. 3D printing is revolutionizing supply chains. In the traditional chain (Manufacturer → Distributors → Retailers → Customers) physical parts flow down the chain. In the first digital variant the retailer prints the part on its own 3D printer; in the second the customer prints it on a personal 3D printer, so what flows is information rather than physical parts. Result: lower operating cost and better customer experience.
  5. Transformation of the Digital Enterprise (chart comparing 2005 with 2012 along three dimensions: Objectives, Value, Power).
  6. Delivering great Customer Experience
     • Customer experience is the manifestation of value.
     • Organizations don't sell products or services; they sell experiences. (Forrester)
     • Customers buy experiences that are embedded in products. (Gartner)
     • 95% of CEOs stated that delivering great customer experience was the top priority for realizing their strategy in the next 5 years. (IBM CEO Survey)
     • Digital technologies have made customers powerful, and they are demanding good experience.
     • Customers have low brand loyalty or stickiness: they can quickly change product or vendor if not satisfied. Less than 25% of retail purchases in the US were due to brand loyalty. (EY Survey, 2013)
     • They can spread a bad experience through their social network, badly affecting the company's reputation.
  7. Customer Power. Empowered customers can tip the balance of power in contemporary buyer/seller relations. So what are organizations doing about all this?
  8. The Customer Experience Pyramid. Layers: Emotional Fulfillment; Ease of use/engagement & features; Value & Quality. The pyramid builds Loyalty & Stickiness.
  9. Enhancing Customer Loyalty. Customer demographic data, transaction data, social media interactions, online activities and real-time contextual data feed analytics; the resulting insights drive customized offerings.
     • The quantity of personal data collected is spiralling rapidly.
     • Big data correlations are creating additional privacy issues.
  10. The Customer Experience Pyramid: Privacy
     • Privacy has emerged as the number one concern for digital businesses, overtaking security.
     • The concern is shared by regulators and customers, and is leading to major regulatory enactments.
  11. Proposed Regulatory Environment. Seeks to mandate:
      1. Data privacy impact assessments
      2. Privacy by design
      3. Privacy by default (i.e. data minimization at the application level)
      4. Data portability (i.e. enabling the right to withdraw consent)
      5. Right to be forgotten
      6. Rights against being profiled
  12. Organizations' Privacy Bind. On one side, collecting data to enhance customer experience; on the other, an impending storm in the regulatory environment. Organizations need to balance commercial activity with privacy concerns: positive sum, not zero sum.
  13. Balancing Privacy and Commercial Viability. Three research systems sit at different points between full privacy and full economic value: PrivAd, Adnostic and RePriv.
      • PrivAd: an online advertising system designed to be more private than the existing system; it uses a proxy to hide customer IP addresses.
      • Adnostic (developed by Stanford and NYU): behavioural profiling and targeting take place in the user's browser, not on the advertising network's servers. Based on the local profile, Adnostic downloads a set of advertisements from the ad network and serves the most appropriate one.
      • RePriv (developed by Microsoft Research): a browser plugin discovers the user's interests and shares them with third parties only after the user's explicit permission.
  14. The Customer Experience Pyramid: Privacy. Business CRM strategies seek to use customer insights for other purposes as well:
      • Improve product/service quality
      • Capture customer sentiment
      • Increase up-selling opportunities
      • Trigger new product/service innovation
  15. Monetizing Customer Data. "By 2016, 30% of businesses will have begun directly or indirectly monetizing their customer information assets via bartering or selling them outright." (Gartner, March 2014)
  16. The Customer Experience Pyramid: Privacy; Reputational Damage/Extortions.
  17. Reputational Damage. 80% of the value of a business is its reputation. Reputation is a top concern of the CEO.
      • Social media activity can severely damage an organization's reputation.
      • The harm can be caused by:
        • Customers / individuals giving vent to their feelings
        • NGOs like Greenpeace pushing for corporate social responsibility
        • Cyber criminals launching cyber extortion
  19. The Customer Experience Pyramid: Privacy; Reputational Damage/Extortions; Omni-channel Experience.
  20. Omni-channel Experience. Good customer experience demands frictionless engagement across every channel and every screen. Security controls:
      • Federated Identity Management & SSO
      • Social identities
      • Centralized opt-in & opt-out
      • Context-based authentication
      • Integration with SIEM
  21. The Customer Experience Pyramid: Privacy; Reputational Damage/Extortions; Omni-channel Experience; Business model security vulnerabilities.
  22. Business Model Security Vulnerabilities. "Digital business is the creation of new business designs by blurring the digital and physical worlds." (Gartner) Two major vulnerabilities:
      • The impact of application development "velocity" on testing & security
      • Vulnerabilities caused when "things" are connected
  23. Enterprise Security Infrastructure (section divider over the Customer Experience Pyramid: Emotional Fulfillment; Ease of use/engagement & features; Value & Quality).
  25. Identity & Access Management. Identity federation is becoming the heart of the digital enterprise.
      • Technologies: SAML 2.0; OAuth 2.0; OpenID Connect
      • Identity management: support for social identities & third-party credentials
      • Context-based authentication
      • Emergence of Mandatory Access Control (MAC)
  27. API Layer & Security. APIs are the core engines of the digital era; the digital economy is an API-driven economy. Security controls:
      • Identity management: authentication using API keys, OAuth 2.0 and SAML 2.0 (strictly, OAuth 2.0 is a delegated-authorization framework; authentication layered on it is OpenID Connect, listed on slide 25); authorization using OAuth 2.0 scopes and RBAC
      • Traffic control: TLS; DoS mitigation & rate limiting
      • Malware/hacking: XML poisoning, JSON injection, SQL injection; quota/spike arrest
      • Logging & integration with SIEM
      • Analytics: user activity intelligence
  28. Mobile API Layer Security. The same API security controls apply at the mobile API layer: identity management (API key, OAuth 2.0 and SAML 2.0 authentication; OAuth 2.0 authorization; RBAC), traffic control (TLS; DoS mitigation & rate limiting), protection against XML poisoning, JSON injection and SQL injection with quota/spike arrest, logging & SIEM integration, and user activity analytics.
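The controls on slides 27 and 28 are usually enforced in one policy chain in front of the backend. The block below is an added example written for this page, not code from the deck or from any API gateway product: a minimal gateway layer that authenticates an API key (stored only as a digest, compared in constant time), applies RBAC per route, enforces spike arrest with a per-client token bucket, whitelists the request input so injection payloads never reach the database, binds the value with a parameterised SQL statement, and emits one JSON line per decision for a SIEM. The keys, roles, routes, customer IDs and the in-memory order table are all constructed.

```python
# Added example for this page (not code from the deck or any product): a
# minimal API-gateway policy layer exercising the controls the slide lists.
# Keys, roles, routes and the order table are all constructed.
import hashlib
import hmac
import json
import re
import sqlite3


def _digest(key: str) -> str:
    """Only SHA-256 digests of API keys are stored, so a leaked key table is not usable."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed key store and RBAC table: role -> set of (method, route) it may call.
KEY_STORE = {
    _digest("k-reader-0001"): {"client": "mobile-app", "role": "reader"},
    _digest("k-admin-0001"): {"client": "ops-console", "role": "admin"},
}
ROLE_PERMISSIONS = {
    "reader": {("GET", "/orders")},
    "admin": {("GET", "/orders"), ("DELETE", "/orders")},
}
CUSTOMER_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")  # whitelist: no quotes, braces or spaces


def authenticate(presented_key: str):
    """Look up the caller; hmac.compare_digest keeps the comparison constant-time."""
    presented = _digest(presented_key or "")
    principal = None
    for stored, who in KEY_STORE.items():
        if hmac.compare_digest(stored, presented):
            principal = who
    return principal


class TokenBucket:
    """Spike arrest: up to `capacity` calls at once, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float, now: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    def __init__(self):
        # Constructed in-memory order table standing in for the backend service.
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE orders (id TEXT, customer TEXT, total REAL)")
        self.db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
            ("o-1", "c-alice", 19.99), ("o-2", "c-alice", 5.00), ("o-3", "c-bob", 42.00)])
        self.buckets = {}
        self.siem_log = []  # JSON lines a SIEM collector would ingest

    def _log(self, **fields):
        self.siem_log.append(json.dumps(fields, sort_keys=True))

    def handle(self, req: dict, now: float):
        """Policy order: authenticate, authorize, rate-limit, validate input, then execute."""
        principal = authenticate(req.get("api_key", ""))
        if principal is None:
            self._log(event="auth_failed", src=req.get("src_ip"), path=req["path"])
            return 401, {"error": "invalid api key"}
        client, role = principal["client"], principal["role"]
        if (req["method"], req["path"]) not in ROLE_PERMISSIONS.get(role, set()):
            self._log(event="authz_denied", client=client, method=req["method"], path=req["path"])
            return 403, {"error": "forbidden"}
        bucket = self.buckets.setdefault(client, TokenBucket(capacity=3, rate=1.0, now=now))
        if not bucket.allow(now):
            self._log(event="rate_limited", client=client, path=req["path"])
            return 429, {"error": "rate limit exceeded"}
        customer = (req.get("body") or {}).get("customer")
        if not isinstance(customer, str) or not CUSTOMER_ID_RE.match(customer):
            self._log(event="bad_input", client=client, path=req["path"])
            return 400, {"error": "invalid customer id"}
        # Parameterised statements: the value is bound, never spliced into the SQL text.
        if req["method"] == "DELETE":
            cur = self.db.execute("DELETE FROM orders WHERE customer = ?", (customer,))
            self._log(event="ok", client=client, method="DELETE", path=req["path"], rows=cur.rowcount)
            return 200, {"deleted": cur.rowcount}
        rows = self.db.execute("SELECT id, total FROM orders WHERE customer = ?", (customer,)).fetchall()
        self._log(event="ok", client=client, method="GET", path=req["path"], rows=len(rows))
        return 200, {"orders": [{"id": i, "total": t} for i, t in rows]}
```

The order of the checks matters: authentication and authorization run before the bucket is touched, so an attacker without a valid key cannot exhaust a legitimate client's quota, and every refusal is logged with the same field names so the SIEM can correlate 401, 403 and 429 bursts per source and per client. The caller's `now` is passed in explicitly so the limiter can be tested deterministically; in production it would be the gateway's monotonic clock.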
  30. Data Governance. Emergence of the data platform, surrounded by identity controls, access controls and API controls.
  31. Data Governance: Security Tools
      • Multiple data security tools exist: SIEM, content-aware DLP, Database Audit & Protection (DAP), Data Access Governance (DAG), fraud prevention, data masking, encryption and IAM.
      • No existing tool can protect across all data silos.
      • Data-centric Audit & Protection (DCAP) is a new, emerging category of data security tool that works across data silos. A DCAP tool would typically have the following capabilities across silos:
        Assessment: 1. Data security policy; 2. Data discovery and classification; 3. Assessment of users and permissions
        Activity monitoring: 4. Privileged user monitoring and auditing; 5. Application user monitoring and auditing; 6. Event collection, analysis and reporting
        Protection: 7. Vulnerability and configuration management; 8. Prevention & blocking of attacks; 9. Encryption, tokenization and data masking
  33. Privacy Management. Privacy is emerging as the "biggest" concern of the digital business era. "Finding the right balance between privacy risks & big data rewards may very well be the biggest policy challenge of our time." (Stanford Law Research) Managing privacy starts with understanding the difference between privacy and security.
  34. Privacy Controls: Organizational & Technical
      Organizational (non-technical) controls:
      • Internal controls (administrative & physical processes): policies; accountability; data access & usage; employee training; data segregation; data retention & deletion; physical safeguards
      • External controls (contractual & legal processes): contractual terms restricting how partners share & use data; SLA liabilities; auditing rights
      Technical controls:
      • Privacy-focused technologies: data masking (static, dynamic, redaction); tokenization; Format Preserving Encryption (FPE); anonymization; Privacy Enhancing Technologies (PET)
        • Static data masking masks a non-production database, not in real time
        • Dynamic data masking masks production data in real time
        • Data redaction masks unstructured content such as PDF & Word files
      • Security-focused technologies: FW, IPS; DLP, DRM, DAM; IAM; encryption; SSL
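Static masking, dynamic masking and tokenization from slide 34 differ in where the transformation happens and whether it can be reversed. The block below is an added example written for this page, not code from the deck or from any masking product, showing all three on constructed customer records: static masking rewrites a copy irreversibly (with a salted pseudonym so rows about one person still join in the test database), dynamic masking leaves the stored row alone and shapes the returned view by the caller's role, and a token vault replaces the card number with a random same-length surrogate that only the vault can map back, with detokenization itself role-gated. Record fields, role names and the `masked.invalid` domain are assumptions of the example.

```python
# Added example for this page (not the deck's code): the privacy-focused
# technical controls the slide names, applied to constructed customer records.
import hashlib
import secrets
from copy import deepcopy

RECORDS = [
    {"id": 1, "name": "Asha Rao", "email": "asha@example.com",
     "phone": "9876543210", "card": "4111111111111111"},
    {"id": 2, "name": "Ben Ortiz", "email": "ben@example.org",
     "phone": "5551234567", "card": "5500000000000004"},
]


def _keep_last4(value: str, fill: str) -> str:
    return fill * (len(value) - 4) + value[-4:]


def static_mask(record: dict, salt: bytes) -> dict:
    """Non-production copy: identity fields become a salted-hash pseudonym
    (deterministic, so rows about the same person still join), card and phone
    keep only their last four digits. Nothing in the output recovers the original."""
    out = deepcopy(record)
    pseudonym = hashlib.sha256(salt + record["email"].lower().encode()).hexdigest()[:10]
    out["name"] = f"user_{pseudonym}"
    out["email"] = f"user_{pseudonym}@masked.invalid"
    out["phone"] = _keep_last4(record["phone"], "X")
    out["card"] = _keep_last4(record["card"], "*")
    return out


def dynamic_mask(record: dict, role: str) -> dict:
    """Production read: the stored row is untouched; the caller's role decides
    how much of it is revealed. Only the fraud team sees the full card number."""
    out = deepcopy(record)
    if role == "fraud_analyst":
        return out
    out["card"] = _keep_last4(record["card"], "*")
    if role == "support":          # needs phone and e-mail to reach the customer
        return out
    out["phone"] = _keep_last4(record["phone"], "X")
    local, _, domain = record["email"].partition("@")
    out["email"] = local[0] + "***@" + domain
    return out


class TokenVault:
    """Tokenization: the card number is replaced by a random digit string of
    the same length that keeps the last four digits (receipts still work), and
    the mapping lives only inside the vault. Detokenization is access-controlled."""

    def __init__(self):
        self._token_for = {}   # card number -> token
        self._pan_for = {}     # token -> card number

    def tokenize(self, pan: str) -> str:
        if pan in self._token_for:
            return self._token_for[pan]      # same card always gets the same token
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._pan_for:
                break
        self._token_for[pan] = token
        self._pan_for[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        if role != "payments":
            raise PermissionError("detokenization is restricted to the payments role")
        return self._pan_for[token]
```

The salt in `static_mask` must be generated once per masked copy and then discarded; if it is reused across copies, or kept, the pseudonyms can be linked or rebuilt from a list of known e-mail addresses. Tokens here are random rather than derived from the card number, which is what makes the vault, not a key, the only way back; the slide's Format Preserving Encryption is the keyed alternative when no vault lookup is acceptable.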
  36. SMACI Concerns
      • Data: confidentiality, ownership, remanence
      • Audit
      • Legal / regulatory: privacy, jurisdiction
      • Business continuity: dependence on the provider, migration complexity
      • Unmanaged & insecure user devices
      • Loss / leakage of sensitive enterprise data
      • Unauthorized access to enterprise applications
      • Device support / management complexity
      • Unsecured / rogue marketplaces
      • Leakage of sensitive enterprise data
      • Avenue for malware
      • Targeted spear-phishing attacks on employees (APT ingress)
      • Privacy & compliance
      • Unauthorized access / queries
      • Leakage of data / intelligence
      • Veracity of input data
  37. IoT Vulnerabilities
      • Things cause privacy issues
      • Things can be easily hacked
      • Things can be physically stolen
      • Denial of service / jamming attacks can be launched on Things
      • Man-in-the-middle attacks are easy
      • Rogue Things can be inserted
  38. IoT Security Architecture: IoT security protocols; IoT security framework.
  39. EU effort to define IoT security. Mission: "To holistically embed effective and efficient security and privacy mechanisms into IoT devices and the protocols and services they utilise."
  40. IoT Security Protocols (Eclipse M2M Industry Working Group).
  41. (Diagram, March 2013.)
  43. Enterprise Security Transformation
      • Security technologies have become obsolete and ineffective at stopping attacks.
      • Today, 100% of enterprises are breached.
      Two major transformations are currently underway:
      1. Security focus is shifting from "protection" to "detection and response". Enterprises are implementing security intelligence and context-based, adaptive security.
      2. Security approach is shifting from "technical controls" to "behavioural controls". Enterprises are adopting people-centric security (PCS).
  44. Security Intelligence – Technology Interaction. The security technology stack whose telemetry feeds security intelligence, across the People, Data, Applications and Infrastructure layers:
      • IAM: identity manager; FIM; ESSO; privileged ID management; MOTP; AD; ID intelligence
      • Network: routers; switches; VPN
      • End point: end point protection; AV, whitelisting; VA scanner; MDM
      • Perimeter: IPS; FW; proxy
      • Database: DAM; Oracle; data masking
      • Content: encryption; DLP; DRM; URL filter; mail GW
      • Advanced threats: FireEye, Damballa etc.
      • Application: DAST & SAST; WAF
      • Systems: Unix; Windows; Linux
      • SOA: WAF; federated IM; SOA registry security; policy manager
      Benefits: higher accuracy of vulnerability detection; better protection from advanced attacks; quicker response.
  45. Security Intelligence – Information Integration
      • Security information (events/logs): monitoring; privileged activity; user activity; database activity; performance; transactions; application; data/information; sensor data; vulnerability info; configuration info; change management; content-related data; IAM data; web log data; router and switch data
      • Network flows: network telemetry data; DPI for layer-7 visibility; classification of applications & protocols; behaviour analysis; anomaly information
      • Contextual information (external and internal):
        • Environmental: external threat info; location, time, etc.
        • Process: customer facing, revenue producing
        • Content: sensitivity of content, reputation of e-mail
        • Identity: strength of authentication, role, group, transaction amount limit
        • Application: business criticality of the app, known vulnerabilities
        • System & OS: asset criticality, patch level, known vulnerabilities, CMDB
        • End user device: health, owner, IP address reputation
        • Compliance: privacy, RA GW
      • Contextual assessments: better risk management; prioritization of risks into actionable items
  46. Security Intelligence – Framework
      • Outcomes: 1. Risk management; 2. Fraud management; 3. Regulatory compliance; 4. Advanced threat prevention
      • Security intelligence layer: SIEM (aggregation, correlation, data repository, query) fed with events, flows and context infusion; GRC platform; big data platform
      • Technology interaction (sources):
        • Security devices: IAM; end point security; perimeter security; SOA; app security; advanced threat; database security; etc.
        • Network devices: routers; switches; load balancers; etc.
        • Assets & systems: servers; devices; OS; middleware; etc.
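Slides 45 and 46 describe events, flows and context arriving at the SIEM as three separate inputs, with "context infusion" turning a correlated event into a prioritised, actionable item. The block below is an added example written for this page, not code from the deck or from any SIEM: it parses constructed JSON log lines, correlates a burst of authentication failures followed by a success for the same user, host and source, then enriches each hit with asset criticality (CMDB), IP reputation (threat feed), the user's usual network (identity) and any subsequent outbound flow from that host to a known-bad destination, so that the same pattern on a test wiki and on a production database do not surface at the same priority. All hosts, users, addresses, weights and thresholds are constructed.

```python
# Added example for this page (not the deck's code): events, flows and context
# correlated into prioritised alerts. All log lines and lookup data are constructed.
import ipaddress
import json
from collections import defaultdict

EVENTS = """
{"ts": 100, "type": "auth", "user": "rkumar", "host": "db-prod-01", "src": "203.0.113.9", "result": "fail"}
{"ts": 101, "type": "auth", "user": "rkumar", "host": "db-prod-01", "src": "203.0.113.9", "result": "fail"}
{"ts": 102, "type": "auth", "user": "rkumar", "host": "db-prod-01", "src": "203.0.113.9", "result": "fail"}
{"ts": 110, "type": "auth", "user": "rkumar", "host": "db-prod-01", "src": "203.0.113.9", "result": "success"}
{"ts": 120, "type": "auth", "user": "asen", "host": "wiki-test", "src": "10.0.5.4", "result": "fail"}
{"ts": 121, "type": "auth", "user": "asen", "host": "wiki-test", "src": "10.0.5.4", "result": "fail"}
{"ts": 122, "type": "auth", "user": "asen", "host": "wiki-test", "src": "10.0.5.4", "result": "fail"}
{"ts": 130, "type": "auth", "user": "asen", "host": "wiki-test", "src": "10.0.5.4", "result": "success"}
{"ts": 140, "type": "auth", "user": "jdoe", "host": "mail-01", "src": "10.0.7.2", "result": "fail"}
{"ts": 141, "type": "auth", "user": "jdoe", "host": "mail-01", "src": "10.0.7.2", "result": "success"}
"""
FLOWS = """
{"ts": 130, "type": "flow", "host": "db-prod-01", "dst": "198.51.100.77", "bytes_out": 52000000}
{"ts": 131, "type": "flow", "host": "wiki-test", "dst": "192.0.2.10", "bytes_out": 1200}
"""
# Context infusion sources: CMDB asset criticality, threat-feed IP reputation, identity attributes.
CONTEXT = {
    "assets": {"db-prod-01": {"criticality": "high"}, "wiki-test": {"criticality": "low"},
               "mail-01": {"criticality": "medium"}},
    "ip_reputation": {"198.51.100.77": "known-c2", "203.0.113.9": "tor-exit"},
    "users": {"rkumar": {"role": "dba", "usual_src": "10.0.0.0/8"}, "asen": {"role": "intern"}},
}


def parse(lines: str) -> list:
    return [json.loads(line) for line in lines.strip().splitlines() if line.strip()]


def brute_force_successes(events: list, window: int = 60, threshold: int = 3) -> list:
    """Event correlation: a success for the same user/host/source preceded by at
    least `threshold` failures within `window` seconds."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "auth":
            continue
        key = (e["user"], e["host"], e["src"])
        if e["result"] == "fail":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"user": e["user"], "host": e["host"], "src": e["src"],
                         "ts": e["ts"], "failures": len(recent)})
        failures[key].clear()
    return hits


def infuse_context(hit: dict, flows: list, ctx: dict, flow_window: int = 120) -> dict:
    """Raise the base score of a correlated hit with asset, reputation, identity and flow context."""
    score = 40
    reasons = [f"{hit['failures']} failures then success for {hit['user']} on {hit['host']}"]
    if ctx["assets"].get(hit["host"], {}).get("criticality") == "high":
        score += 30
        reasons.append("high-criticality asset")
    if hit["src"] in ctx["ip_reputation"]:
        score += 20
        reasons.append(f"source reputation: {ctx['ip_reputation'][hit['src']]}")
    usual = ctx["users"].get(hit["user"], {}).get("usual_src")
    if usual and ipaddress.ip_address(hit["src"]) not in ipaddress.ip_network(usual):
        score += 10
        reasons.append("login from outside the user's usual network")
    for f in flows:
        if f["host"] == hit["host"] and 0 <= f["ts"] - hit["ts"] <= flow_window \
                and f["dst"] in ctx["ip_reputation"]:
            score += 20
            reasons.append(f"{f['bytes_out']} bytes out to {f['dst']} ({ctx['ip_reputation'][f['dst']]})")
    score = min(score, 100)
    severity = "critical" if score >= 80 else "high" if score >= 50 else "medium"
    return {**hit, "score": score, "severity": severity, "reasons": reasons}


def prioritised_alerts(event_lines: str, flow_lines: str, ctx: dict) -> list:
    flows = parse(flow_lines)
    alerts = [infuse_context(h, flows, ctx) for h in brute_force_successes(parse(event_lines))]
    return sorted(alerts, key=lambda a: -a["score"])
```

Without the context step both hits would carry the same score; with it, the production database login from a Tor exit followed by 52 MB leaving towards a known command-and-control address goes to the top of the queue as critical, the test wiki stays at medium, and the single failure on the mail server never becomes a hit at all. The `reasons` list is what an analyst needs to act on the item without re-querying each source.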
  48. Context-based Security. Legacy security policies are binary and static: yes/no decisions that have been defined in advance.
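The contrast on slide 48 is between a policy fixed at design time and one evaluated against the request's context. The block below is an added example written for this page, not code from the deck or from any access-management product: a legacy policy that grants purely on role, beside a context-based policy that still checks entitlement first and then weighs the signals listed on slide 45 (authentication strength, location, device health, IP reputation, time of day, transaction amount against the role's limit) to allow, step up authentication, allow with an alert, or deny. Role names, limits, weights and thresholds are assumptions of the example.

```python
# Added example for this page (not the deck's code): a static yes/no policy
# beside a context-based one. Roles, limits, weights and thresholds are constructed.
from dataclasses import dataclass

ROLE_ACTIONS = {"teller": {"view", "transfer"}, "manager": {"view", "transfer", "approve"}}
TXN_LIMITS = {"teller": 5000.0, "manager": 50000.0}


@dataclass
class RequestContext:
    user: str
    role: str
    action: str
    txn_amount: float
    auth_strength: str      # "password", "password+otp" or "cert"
    country: str
    usual_countries: frozenset
    device_managed: bool
    device_patched: bool
    src_reputation: str     # "clean", "tor-exit" or "known-bad"
    hour_utc: int


def legacy_policy(ctx: RequestContext) -> str:
    """Static, binary: the role either grants the action or it does not."""
    return "allow" if ctx.action in ROLE_ACTIONS.get(ctx.role, set()) else "deny"


def adaptive_policy(ctx: RequestContext):
    """Returns (decision, risk, reasons). Entitlement is checked first, as before;
    the context then decides whether the entitled request is allowed as-is,
    needs stronger authentication, is allowed under watch, or is refused."""
    if ctx.action not in ROLE_ACTIONS.get(ctx.role, set()):
        return "deny", 100, ["role does not permit action"]
    if ctx.src_reputation == "known-bad":
        return "deny", 100, ["source IP on blocklist"]
    risk, reasons = 0, []
    if ctx.src_reputation == "tor-exit":
        risk += 40
        reasons.append("request via anonymising network")
    if ctx.country not in ctx.usual_countries:
        risk += 25
        reasons.append(f"unusual country {ctx.country}")
    if not ctx.device_managed:
        risk += 20
        reasons.append("unmanaged device")
    elif not ctx.device_patched:
        risk += 10
        reasons.append("managed device missing patches")
    if ctx.hour_utc < 6 or ctx.hour_utc >= 22:
        risk += 10
        reasons.append("outside business hours")
    if ctx.txn_amount > TXN_LIMITS.get(ctx.role, 0.0):
        risk += 30
        reasons.append("amount above role limit")
    # Credit authentication that was already strong instead of asking for it again.
    risk -= {"cert": 20, "password+otp": 10}.get(ctx.auth_strength, 0)
    risk = max(risk, 0)
    if risk >= 70:
        return "deny", risk, reasons
    if risk >= 30:
        if ctx.auth_strength == "password":
            return "step_up_mfa", risk, reasons
        return "allow_and_alert", risk, reasons
    return "allow", risk, reasons
```

The same teller transfer that the legacy policy always allows is refused when it arrives from a Tor exit, an unmanaged device, an unusual country and at 3 a.m.; a manager's over-limit transfer is not refused but pushed to a second factor, and only alerted on if a second factor was already presented. The `reasons` list is returned so the decision can be logged to the SIEM and explained to the user or the analyst.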
  50. People Centric Security (PCS). "PCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are insufficient." (Gartner, 2013)
  52. Security Governance
  53. Emergence of the Digital Risk Officer (DRO). "By 2017, one-third of large enterprises engaging in digital business will have a digital risk officer. The DRO will report to a senior executive role outside IT, such as the chief digital officer or the chief operating officer. They will manage risk at an executive level across digital business units, working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations. The DRO and CISO are separate roles. Many CISOs will evolve into DROs. However, if they don't upgrade their skills they will report to the DRO." (Gartner, June 2014)
  54. Security Skills for the Digital Business Era
  55. Conclusion
      • Today every business is a digital business; businesses that do not understand this become irrelevant.
      • Delivering great customer experiences is the strategic focus.
      • Vulnerabilities related directly to delivering customer experiences must be addressed:
        • manage privacy & reputational damage
        • enable secure omni-channel engagement
        • manage the inherent vulnerabilities that velocity-driven business designs open up
        • mitigate the threats and vulnerabilities related to the Internet of Things and OT
      • All of this must be backed by a comprehensive and layered enterprise security capability.
  56. Thank You. Infosec thought leadership.
