Building A Cloud-Ready Security Program

Presented at ISACA's Enterprise Risk Management: Provide Security from CyberThreats virtual conference.

Published in: Technology
  • Today we’re going to talk about ‘cloud-ready’ security. We’re going to talk about the ways in which cloud computing makes your world a lot more complex. We do know, however, that there are some things that you do have under your control, and what we’re going to talk about is how to get those things right. How to get what you can do in such a state that it is ready for the cloud, that you’ve got your security in a state that enables you to meet the demands of cloud security, and how do you stay relevant within the business, which is a critical factor as you think about planning for the impact of cloud. And then finally, how do you extend what you are doing right now, how to reinforce what is successful, and then how NetIQ as an organization, our partners, and the organizations we work with and industry bodies in which we’re involved, how we all can sort of provide help, support, information, technology and so on to enable you to do all the above, to get ready, to be successful and to move into the cloud safely and securely and, we would hope, somewhat sanely.
  • Set up: Why change now? It’s a brave new world. There are new threats and an expanding computing environment that won’t go away soon. Cloud, BYOD (really BYO – anything), mobility and other major technology trends offer increased flexibility, lower costs, and improved productivity. Yet today, IT orgs are challenged with balancing the demands of users who want 24-hour, instant access to services with those of business stakeholders. All while having less visibility and control of their sensitive assets than ever before.
  • Cloud computing greatly increases an organization’s ability to achieve its business goals. One of the main reasons we see companies moving more aggressively to cloud computing is a much more aggressive business environment. They are finding new competitors and new competitive offerings coming from angles they weren’t expecting in the past. Benefits: Cloud helps businesses to scale. Primarily, scale is with regards to personnel. “I don't have enough people and they don't have the skills to do the job.” Also refers to datacenter or IT infrastructure. “I don't have the latest technology or the servers or the capacity. I want to build for a medium level and burst into the cloud as needed.” Cloud improves agility and innovation. Cloud computing is an effective means of implementing new applications quickly to keep pace with application backlogs and business demands. “Give it to me now, don’t get in my way.” Gives you the ability to access data from any device, from anywhere on the Internet, at any time. Meets customer needs for greater intimacy and integration with the business – for a competitive edge! Also offers opportunities for greater integration with partners – more competitive edge! Cloud helps manage costs. Businesses must operate globally. Datacenters are expensive to build. “I need to build smaller data centers, and have the ability to ‘burst’ into the cloud to support larger workloads.” Companies need to go to market quickly and need a very low cost model that allows them to --- with cloud they can take advantage of the pay per use cost model that allows them to experiment and try new things without a heavy amount of investment up front.
  • http://www.istockphoto.com/stock-photo-18566764-tornado.php?st=99a683b Set up: Why change now? But what organizations find is that when they start to look at strategically moving to the cloud, many, many organizations will discover that they are already there! There are countless examples of organizations that start to look into just how much cloud they are actually using, only to find that there are hundreds – literally hundreds – of cloud services already in place, already being used by business users that no one had any oversight over or grand plan to implement – it just sort of “happened.” What results is a very chaotic and “bottoms up” environment, driven by the business needs to solve short term problems now. So you can see how cloud computing is highly disruptive. Not only does it change the way an organization gets its services, it also changes the way in which users (individuals and business units) interact with central IT and security teams. Data, systems and services are moving rapidly outside of the control of centralized IT organizations, presenting significant risks to the security of sensitive data and the ability of the organization to maintain compliance with industry regulations and corporate security policies. You need a way to effectively mitigate these risks while ensuring that you achieve your business, security and compliance objectives. Challenges: A cloud service can go live without the IT security team’s knowledge, and therefore outside of their control, introducing risk of breaches and compliance failures. Private cloud implementations can increase the complexity of security management and mix high and low value virtual systems on the same hardware, introducing greater risk that a breach to one system cascades to many others. Use of cloud computing environments, including private clouds or infrastructure provided by a service (IaaS), may trigger regulatory violations due to lack of visibility and control over where data is stored.
We believe that security teams need heightened visibility and control of their mixed environments to more quickly detect and disrupt threats to sensitive data and systems.
  • However, I will make the point, and I think this is something I would argue very strongly – these things are all real challenges – we all have to deal with these parts as costs of moving to the cloud, but I think ultimately, you can make a very strong case that these are challenges, but they are also really symptoms of a fundamental and deeper challenge associated with the move to cloud, and I think none of the above would be as difficult if it wasn’t for the fact that as a result of the move to the cloud, things are getting complicated. All of the above have really driven us to a position where a great deal of complexity in the infrastructure we have to deal with and the way we manage risk and even the way we understand risk, and as security professionals, we all know, complexity is the enemy of security; the more complex the world gets, the more complex these environments get, the worse the security is, and frankly it isn’t like it wasn’t particularly complex to begin with – what’s happening is that things are getting more complicated than they were, and if you think about how that greater complexity really impacts us – well, let’s think about some of the challenges we see when we think about complexity,
  • Well – interdependencies grow almost exponentially as all these different parts of the business go out and grab cloud services off the shelf and start running with them. So the systems and services I already have in place now have to deal with the impact of being connected to, serving, responding to and being involved with all kinds of 3rd party cloud offerings, and that interdependency becomes really challenging because now I have to manage a whole bunch of additional interdependencies, and not just around the sorts of challenges around confidentiality and the sort of informational integrity dealing with security, but you’ve got the availability piece too – I’ve got to make sure these systems remain available, that someone doesn’t take them down and that those interdependencies don’t cause me to have problems with availability even of my own systems. So you’ve got a great deal of complexity with a lot of systems now tied together, many of which are no longer directly under my own control, and that interdependency drives a massive amount of complexity, and that complexity is a really significant problem to deal with.
  • Set up: Why Change Now? Other things that pour gasoline on the problem of cloud security are BYO ‘whatever’ – bringing your own device, bringing your own cloud, bringing your own applications and social identity, etc. As these things really start to take hold — prepare for even more IT headaches. BYOD Benefits: BYOD offers greater flexibility for how users access information and the opportunity for productivity gains. BYOD Challenges: Sensitive company information is getting onto personal devices — often in violation of company policy – and increasing the risk of theft or loss of company data. IT remains responsible for the security and compliance of that data. Specifically, BYOD creates increased complexity for IT security teams who must now make sense of unmanaged devices accessing, creating, and storing information which IT Security must ensure remains secure and compliant. The lack of control and visibility to who is accessing what, when, how and from where introduces a level of risk to critical systems and data which may not be acceptable to the business – and which may ultimately create compliance gaps with corporate security policies and regulatory mandates. Additionally, you can’t deal with cloud or social identity or mobility or BYOD or any of the other pieces independently; they are all intimately tied together.
Because when business users want to access a cloud service – now more than ever, they want to access it from their smart phone and their tablet device, neither of which the organization owns, over which you have little control, and vice versa, the information you’re being required to feed into those devices is from your own corporate network --- so these things are all essentially tied together as part of this growing decentralization of IT, --- increasing complexity on the business, and you’ve got to deal with all of them at once, making security efforts a lot more challenging …… because as we all know complexity is the enemy of security. Other things that pour gasoline on to the burning flame of problems with cloud security is BYO whatever – bringing your own device, bringing your own cloud, bringing your own applications and social identity, these things really start to take hold. Again the above mentioned complexity to become even more of a problem, even more complex, even more of a challenge, and I think partly, it’s because you can’t sort of deal with cloud or social identity or mobility or BYOD or any of the other pieces independently; they are all so intimately tied together that you must deal with the implications of, well, my business users want to access a cloud service and surprisingly, they want to access it from their smart phone and their tablet device, neither of which my organization owns, over which I have little control, and vice versa the information I’m being required to feed into those devices is from my own corporate network, so these things are all essentially tied together as part of this growing decentralization of IT, growing impacts of complexity on the business, and you’ve got to deal with all of them at once, and again, it makes things a lot more complex ……
  • http://www.videoamusement.com/whac-a-mole.php …. and you start to get the sense of more and more, this idea I’m really starting to play security ‘whack a mole’ with the integration of all these pieces and the proliferation of cloud services, and everybody goes out and signs up for ‘stuff’ is really driving at almost a frantic pace within the security and risk management organization as they desperately try to get their arms around who’s doing what, where, with what information, so that as cloud usage proliferates across the business and as I’m required to tie them together in increasingly complex ways, and worse, I’m now having to tie together two or three different cloud services to meet the needs of a business user -- not really sure where the data is going to reside is important, and that’s especially important if those services are moved out into a 3rd party cloud infrastructure. I’m running around from place to place whacking security risks on the head and trying to keep the wheels on as the business moves forward, and I think we’re reaching that point where I’m actually past the point where the approaches we’re trying to take are simply not scaling. We are fundamentally as organizations, as people trying to enable cloud services, -----
  • IT at the Crossroads (will you choose Irrelevance or Significance?) With development of Shadow IT, data, systems, and services are moving outside the control of centralized IT departments. IT still has the liability and responsibility to be secure, compliant, and to govern the business while still delivering business services at the right time, to the right user, in the right place. Controlling Access to Cloud Services and Data … since SaaS is purchased directly by the business, there is a tendency for users to sign up directly, rather than through IT controls. Increased Risk in Mixed Environments … mixing high and low value workloads on the same hardware introduces risk that a breach to one can cascade to others. Compliance in the Cloud … compliance doesn’t stop at the firewall. Organizations lack controls and cannot effectively certify and report on cloud services, to meet compliance standards.
  • …. And I’m going to give you a quick classic example of how fast that’s happening. I’m going to use Dropbox – and not because I think there’s any problem with Dropbox, actually I think Dropbox is a great service, in fact I’ll prove to you Dropbox is a great service because they just recently announced they have 100M signed up users right now – and if you look at the installation screen for Dropbox, you know that’s not an installation screen aimed at your IT organization, that’s an installation screen aimed at your end users, at home users, and at people that  Within your business, not to say that Dropbox is inherently a security problem, but it’s absolutely a poster child for the consumerization of cloud services that happen under the radar of the IT and security organizations, and it’s happening really fast – if you look at their figures, 11 and a half thousand, more than 11 and a half thousand files are being stored on Dropbox every second of every day – they get a billion files a day saved on Dropbox and I guarantee those are not just a billion files of people’s holiday snapshots, right, -- there is business data being moved into Dropbox to be shared with other business users and it’s happening all the time. -----
  • IT at the Crossroads (will you choose Irrelevance or Significance?)
  • Can add some Verizon Report stats from 2012 here. An example of a data breach, etc. How do I know what’s going on in the cloud? How do I find out where my data is? How do I know who has access to it within the cloud service provider itself? How do I know what they’re doing to keep their systems secure and, equally important, how do I know who they’re doing business with when they’re processing my information? So visibility is a key challenge.
  • An approach is needed that helps IT teams gain visibility and control of their sensitive data and systems wherever it resides, enabling them to effectively mitigate organizational risks associated with the impact or occurrence of threats that are introduced by these disruptive technologies, while ensuring that business, security, and compliance objectives are achieved. Effective solutions should deliver greater context for security and risk data, enabling security teams to respond rapidly and effectively to the greatest organizational threats. This context must include a combination of information about the system, the event, and the user involved, in order to view the security significance of the event and risk associated with it. Security event data generated by these solutions should be enriched with context about user identity, data, applications, assets, threats and vulnerabilities to help teams discern true threats from “noise.” The data must be presented in an easy-to-consume manner, delivering the timely and effective decision support security teams must have if they are to respond rapidly to threats.
  • How can organizations transform the challenges presented by these disruptive trends into opportunities that define a better way to manage security processes? Is it one that enables the business to achieve its objectives in a way that is faster, more agile, and ultimately more secure?
  • http://www.istockphoto.com/stock-photo-19747710-risk-and-scissors-clipping-path-included.php?st=1c6be61 Step 1: Make IT risk mitigation an imperative. Here are a few simple steps to get you on the path to a lower risk IT environment: 1. Define the Risk: When security organizations work early on in a project with key business stakeholders to identify those threats that pose the most risk to the enterprise, they can ensure scarce IT resources are used to maximum effect by focusing efforts on only those assets that are at most risk. 2. Implement the Basics: Once the critical assets and risk thresholds have been identified, security teams can implement a security program that helps put security best practices in place. Research shows that a lack of basic security controls, such as weak passwords or server misconfigurations, is at the root of countless data breaches. By selectively deploying solutions that help implement security best practices, security teams can get more “bang for their buck.” 3. Keep Risk at Desired Thresholds: Once in place, security best practices and controls must be kept in place in order to keep organizational risks low. Scheduled compliance assessments and risk reporting, along with automation of workflows, can go a long way towards helping teams achieve and maintain a state of “continuous security and compliance.”
  • Strive for a lower risk IT environment. Security teams that are, first and foremost, focused on minimizing organizational risk can achieve better business outcomes by ensuring good security practices are continuously in place. Staying focused on risk mitigation can be tough, especially when you are tasked with achieving and maintaining alignment with key business objectives, while balancing the demands of users who want instant access to their data, applications, and services from anywhere in the world. The first step to proactive risk management is to get a seat at the table. When you work proactively with the business to identify critical assets and risk thresholds, you are effectively able to direct resources towards addressing those threats that pose the most risk to the organization. This approach, rather than “one-size-fits-all”, enables efficient use of IT resources and helps you act in alignment with the business to mitigate security and compliance risks of sensitive data and systems. Once the critical assets and risk thresholds have been identified, security teams should implement a program that helps put security best practices in place. Research shows that a lack of basic security controls, such as weak passwords or server misconfigurations, is at the root of countless data breaches.
  • http://i.istockimg.com/file_thumbview_approve/20503296/2/stock-illustration-20503296-locks-black-amp-white-icon-set.jpg Step 2: Layer on security. Once the basics are in place, security teams can effectively protect critical data and meet organizational compliance requirements by adopting a data-centric approach to threat defense. To protect even the most complex IT environments, security teams should first deploy basic security solutions to reduce their risk of a data breach and meet compliance gaps. This will help lay a solid foundation of security best practices to build upon.
  • Protect your data with layers of security. Once the basics are in place, security teams can effectively protect critical data and meet organizational compliance requirements by adopting a data-centric approach to threat defense. BYOD, cloud, mobility and other major technology trends offer increased flexibility, lower costs, and improved productivity. However, as data, systems and services move outside of the control of central IT, organizations expose themselves to serious security and compliance challenges. Rather than focus protection on a perimeter that now extends well beyond traditional borders, security teams need to target proven security controls at the data itself—wherever it may reside. Data-centric approaches to threat defense, the classic examples being encryption and tokenization, are among the most effective ways to protect critical data and meet compliance objectives. Security teams should extend the data-centric approach to the sensitive systems and users that regularly access and interact with critical data. When teams surround these systems and users with layers of security defense solutions that deliver visibility and control of the IT environment, they enable themselves to respond rapidly and effectively to potential threats. Examples of data-centric security solutions that focus on sensitive systems and users are those that monitor privileged user activity for unusual behavior or unauthorized access to sensitive files, or that monitor security events and changes in real time to detect accidental or malicious variations to sensitive files and systems. Effective solutions should deliver greater context for security and risk data, enabling security teams to respond rapidly and effectively to the greatest organizational threats. This context must include a combination of information about the system, the event, and the user involved, in order to view the security significance of the event and risk associated with it.
Security event data generated by these solutions should be enriched with context about user identity, data, applications, assets, threats and vulnerabilities to help teams discern true threats from “noise.” The data must be presented in an easy-to-consume manner, delivering the timely and effective decision support security teams must have if they are to respond rapidly to threats. By adopting the data-centric approach, security teams can increase their effectiveness at detecting and mitigating risk to sensitive data and systems in a proactive manner, deliver secure business services and applications, and achieve compliance with necessary regulations and policies. This approach enables teams to reliably achieve security, compliance, and business objectives - even when the IT environment is becoming increasingly complex with the adoption of disruptive technologies.
  • http://www.istockphoto.com/stock-photo-19426351-database-archive.php?st=9987216
  • http://ioutdoor.com/air-ground/a-real-florida-cattle-drive/ Ensure continuous security and compliance. Keep the foundational security processes in place using scheduled, automated compliance assessment and reporting. Automation helps to augment the resources of IT staffs and helps to ensure that security controls and assessment scale reliably and seamlessly across your IT environment of today…and tomorrow. Choose solutions that deliver out of box security intelligence and content. Security is the goal; compliance is the “by-product” of good security practices. Ensure greater visibility of risk for executive stakeholders to enable them to make better business-risk decisions both now and in the long term.
  • http://www.istockphoto.com/stock-photo-20088269-woman-standing-on-top-of-a-mountain-raising-her-arms.php?st=f249c0a … And what you can do then is, it becomes much more straightforward to get it right now within your business and extend what’s right out into the cloud as you need to do so.
  • … Speaking specifically about what we do as an organization, NetIQ is a large organization focused on identity and security and IT operational details. We can help you to identify threats more quickly, have a clearer understanding of the ‘who’, you know, the integration of identity as we talked about, simplify management of access to services, reduce the risk from poor configuration and provide tighter controls over what privileged users are doing.
  • Free share photo: http://fc00.deviantart.net/fs71/i/2012/102/6/5/fluffy_puffy_clouds_by_mysteriousfantasy-d4vz509.jpg
  • Building A Cloud-Ready Security Program

    1. Building a Cloud-Ready Security Program. Be ready. Get ahead…stay ahead. @NetIQ - #NetIQCloud
    2. Overview • Cloud makes the world complex. • There are some things you control. • Get those right. • Stay relevant. • Extend and reinforce success. • How (specifically) NetIQ helps. © 2012 NetIQ Corporation. All rights reserved. @NetIQ - #NetIQCloud
    3. At the Crossroads
    4. What Keeps You up at Night? • New Threats • Expanding Computing Environment • Staff Stretched Thin • Business Keeps Moving • Change + Complexity = Loss of Control and Visibility
    5. Fueling the Rush to the Cloud • Greater customer and partner integration and intimacy • Faster response to competitive threats • Faster time to market
    6. Cloud Brings Many Challenges • Security • Visibility • Cost Management • Alignment • Compliance
    7. Things Are Getting Complicated
    8. Things Are Getting MORE Complicated
    9. Interdependencies Grow • Systems and services extend into third-party cloud offerings. • Creates interdependencies that never existed before. • These are highly complex, and potentially very difficult to manage.
    10. BYO…(Anything) • …Device • …Cloud • …Applications • …Identity
    11. Integration and Proliferation • Cloud usage proliferates. • Integration with existing services is complex. • Integration between “clouds” can be even harder.
    12. All The Risk… None of the Reward • IT continues to hold liability: • Controls access to critical services and data • Manages organizational risk • Deals with compliance • Yet business users continue to directly engage with the cloud and unmanaged personal devices.
    13. It’s Getting Crazy Out There
    14. It’s Getting Crazy Out There: 11,500+ files, every second, every day
    15. Cloud Brings Challenges • Security • Visibility • Cost Management • Alignment • Compliance • You are here.
    16. Maintain the Status Quo • There is little-to-no knowledge of internal activities – or potential threats. • Most breaches are discovered by a third party – not the breached party.
    17. Gain Visibility and Control • Focus on organizational risk management • Greater context for security and risk data • Know what your internal users are doing • Monitor and audit all activity around sensitive assets
    18. Ready, set..transform!
    19. Risk: Define It, Manage It
    20. What Does That Mean? Focus resources on the most critical assets, then make sure the “basics” are in place: • System configuration • Reduce privileged users • Reduce privileges • Monitor activity • Integrate identity • Improve access controls • Keep it visible, keep it real
    21. Focus on the Data, Then Layer Defenses
    22. It’s All About The Data • Data-centric, risk-focused security
    23. Surround with Layers of Data-Centric Solutions…. • Manage who has access • Monitor what they do • Secure where the data is • Build intelligence and use it • Integrate other data-centric technologies
    24. Keep It Rolling • Continuous compliance • Automate where you can, when you can • Smarter security is better than more security • Don’t just believe the vendors • Make sure it’s easy to show value
    25. Extending… It’s easier to extend what’s right into the cloud.
    26. Fight Fire With Fire • OK, cloud with cloud • Increasing interest in SecaaS • NetIQ closely involved in this • Partnering with cloud providers
    27. NetIQ Will Help • Faster identification of threats • Clearer understanding of “who” • Simpler management of access to services • Reduced risk from poor configuration • Tighter controls on privileged users
    28. cloud nine, noun, Informal: a state of elation or happiness (usually in the phrase on cloud nine)
