Mobility Security - A Business-Centric Approach


This is a deck I presented at the RSA Conference in San Francisco in 2013.

The content is based on discussions with hundreds of enterprises, security experts, operations teams, vendors and regulators on 5 continents.

Presentation Credit: Salahuddin Khawaja


  1. Securing Mobile: A Business-Centric Approach. Omar Khawaja, February 2013. (Slide footer throughout the deck: @smallersecurity)
  2. Mobility this week… Borderless networks; RCS, Joyn; SIP, IP; MDM; Monetization; Means vs. End.
  3. Mobile is no longer optional.
  4. 1970, 1980, 1990, 2000, 2010. Difference? Have a closer look: it's really not that different.
  5. Top Business Technology Trends: Video; Social Enterprise; Big Data; Enterprise Clouds; High-IQ Networks; M2M2P; Compliance; Energy Efficiency; Consumerization of IT; Personalization of Service.
  6. What's the common theme across top technology trends?
  7. Video, Big Data, Enterprise Clouds, High-IQ Networks, M2M2P, Compliance, Social Enterprise, Energy Efficiency, Consumerization of IT, Personalization of Service: DATA.
  8. Mobility and Cloud fuel each of these trends.
  9. Security is about Risk: Threats, Vulnerabilities and Assets together make up 'Risk'.
  10. How do we secure mobile today?
  11. Programs and Technologies.
  12. Programs and Technologies (the programs): Risk Assessment; Security Policy; Organization of Info Security; Asset Management; Human Resources Management; Physical & Environment Security; Communication & Ops Mgmt; Access Control; Info Systems Acquisition, Dev, & Maintenance; Info Security Incident Management; Business Continuity Management; Compliance.
  13. Programs and Technologies (the technologies): App Security; Anti-X; Configuration Management; DLP; Encryption; IAM, NAC; Patching; Policy Management; Threat Management; VPN; Vulnerability Management; …
  14. Multiple Approaches.
  15. Multiple Approaches: a 2×2 matrix of Security Programs (Single vs. Multiple) against Security Technology Sets (Single vs. Multiple), each cell filled with copies of the program list from slide 12 and the technology list from slide 13. The four cells are labelled Worst Case, Nirvana, Good, and Really?
  16. Here's an approach…
  17. Data-Centric Approach (Follow the data): Inventory (must); Classify (must); Destroy* (ideal); Protect; Monitor.
  18. Data-Centric Security Model: data-centric security is business-centric security.
  19. Data-Centric Security Model: to protect the data, protect what's around it too.
  20. Data-Centric Security Model: GRC and Intelligence define the security program.
  21. Data-Centric Security Model: start with assets, end with the controls.
  22. How do we execute?
  23. Data-Centric Security: A Recipe. Implement Control Requirements; Monitor Control Effectiveness; Entitlement Definition; Mobile Environment Definition; Inventory Users; Define Business Processes; Destroy Data; Inventory Data; Categorize Data.
  24. What about Apps?
  25. What about Apps? Can't impede app proliferation, but how do you know which to trust? 30 billion app downloads from Apple's App Store. Apps have overtaken browsing.
  26. What about the Network? (It's not just for transport.)
  27. Key security imperatives: 1) Data Governance; 2) Application Governance.
  28. Doing things right ↓ Doing the right things: Business Context; Follow the data; Network can help; Simplify security program; Apps matter.
  29. Questions and Answers.
  30. Thank You. omar.khawaja@verizon.com
  31. Proprietary Statement: This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service. This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon. © 2011 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.
  32. Security Leadership: Why Verizon?
      • Industry Recognition: largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester); Founding and Executive Member of Open Identity Exchange; Security Consulting practice recognized as a Strong Performer (Forrester); ICSA Labs is the industry standard for certifying security products (started in 1991).
      • Credentials: more PCI auditors (140+ QSAs) than any other firm in the world; HITRUST Qualified CSF Assessor; actively participate in 30+ standards / certification bodies, professional organizations and vertical-specific consortia; personnel hold 40+ unique industry, technology and vendor certifications.
      • Global Reach: 550+ dedicated security consultants in 28 countries speak 28 languages; investigated breaches in 36 countries in 2011; 7 SOCs on 4 continents manage security devices in 45+ countries; serve 77% of Forbes Global 2000.
      • Experience: Verizon's SMP is the oldest security certification program in the industry; analyzed 2000+ breaches involving 1+ Billion records; manage identities in 50+ countries and for 25+ national governments; delivered 2000+ security consulting engagements in 2011.
      • ISO 9001, ISO 17025.
