Securing a Dynamic Infrastructure
description
Transcript of Securing a Dynamic Infrastructure
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
How to Tell the IBM Security StoryRobin HoganFebruary 12, 2009
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
2
Agenda
Positioning security in the Smarter Planet Theme/Dynamic Infrastructure Imperative IBM – Securing a Dynamic Infrastructure
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
3
A dynamic infrastructure:addressing the needs of a smarter planet
A dynamic infrastructure…
.…delivers superior business and IT services with agility and speed
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
4
Dynamic Infrastructure:Helping you manage and mitigate risk….
NEW POSSIBILITIES.NEW RISKS.
BUSINESS RESILIENCYacross globally integrated systems.
COMPLIANCE SOLUTIONSfor exploding data volumes and complex regulatory environments.
SECURITY FRAMEWORKSpanning physical, IT, mobile and “smart” assets.
…providing the end-to-end approach needed in aninstrumented, interconnected and intelligent world.
4
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
5
IBM Secures a Dynamic Infrastructure ….
IBM can help you to strategically manage risk end-to-end across all security domains. IBM’s framework-based security offerings provide the solutions and expertise you need to confidently:
• Enable business change through a foundation of flexible security controls
•Deliver improved agility and cost–effective control over your risk posture
•Reduce the complexity of security controls
•Protect against internal and external threats
•Meet operational requirements to address compliance measures
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
6
New Forms of Collaboration
Globalization and Globally Available Resources
Access to streams of information in the Real Time
Billions of mobile devices accessing the Web
New possibilities.New complexities.
New risks.
Welcome to the smart planet… and a smarter infrastructure
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
7
Data and information explosion Data volumes are doubling every 18 months. Storage, security, and discovery around information context is becoming increasingly
important.
Supply chain The chain is only as strong as the weakest link… partners need to shoulder their fair
share of the load for compliance and the responsibility for failure.
Clients expect privacy An assumption or expectation now exists to integrate security into the infrastructure,
processes and applications.
Compliance fatigue Organizations are trying to maintain a balance between investing in both the security
and compliance postures.
Emerging technology Virtualization and cloud computing increase infrastructure complexity. Applications are a vulnerable point for breaches and attack.
Wireless world Mobile platforms are developing as new means of identification. Security technology is many years behind the security used to protect PCs.
With these new opportunities come new risks
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
8
Not all risks are created equal
Frequency ofOccurrences
Per Year
1,000
100
10
1
1/10
1/100
1/1,000
1/10,000
1/100,000 $1 $10 $100 $1,000 $10k $100k $1M $10M $100M
frequ
ent
infre
quen
t
Consequences (Single Occurrence Loss) in Dollars per Occurrencelow high
Virus
Worms Disk Failure
System Availability Failures
Pandemic
Natural Disaster
Application Outage
Data Corruption
Network Problem
Building Fire
Terrorism/Civil UnrestFailure to meet
Compliance MandatesWorkplace inaccessibility
Failure to meet Industry standards
Regional Power Failures
Lack of governance
Data Leakage
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
9
Neither are all Security solutions…
Find a balance between effective security and cost– The axiom… never spend $100 dollars on a fence to
protect a $10 horse Studies show the Pareto Principle (the 80-20 rule)
applies to IT security*– 87% of breaches were considered avoidable through
reasonable controls Small set of security controls provide a
disproportionately high amount of coverage– Critical controls address risk at every layer of the
enterprise– Organizations that use security controls have significantly
higher performance*
Cost
Effectiveness
Agility
Time
Complexity
Pres
sure
*Sources: W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008ITPI: IT Process Institute, EMA December 2008
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
10
IBM provides the business answers you need in uncertain times with solutions for all IT domains
IBM is the only security vendor in the market today with end-to-end coverage of critical controls
IBM Proof Points
– 15,000 researchers, developers and SMEs on security initiatives
– 3,000+ security & risk management patents
– 200+ security customer references and 50+ published case studies
– 40+ years of proven success securing the System z environment
– Already managing more than 2.5B security events per day for clients
– IBM Security Framework
IBM Security: Improving service, managing risk and reducing the
cost of Security without compromise
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
11
Expanded Focus for Security in the Dynamic Infrastructure…
IBM Systems Group
IBM Global Business Services
IBM Systems Group
IBM Systems Group
IBM Internal Use Only – Not Client Facing
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
12
Security, compliance, and risk management solutions and proven expertise to reduce the cost and complexity of securing the enterprise, enable trusted connections, supporting the transformation to a dynamic infrastructure…
IBM Security offerings and capabilities.
IBM SECURITY OFFERINGS
Identity & access management. Trusted identity offerings. Data and Information security offerings. Application security offerings. Policy management/enforcement solutions. Network, Server and Endpoint security offerings.
Security compliance and risk management offerings.
Self-encrypting storage and key management solutions.
Security assessment, planning and implementation services.
Managed security services. Education and training offerings.
IBM LEADERSHIP
The only security vendor in the market with end-to-end coverage of the security foundation.
15,000 researchers, developers and SMEs on security initiatives.
3,000+ security & risk management patents.
40+ years of proven success securing the System z environment.
Industry's only Guaranteed Protection SLA for managed security services.
Global managed security reach in over 133 countries.
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
13
Dynamic Infrastructure – SecuritySmart is: End to end industry customized governance, risk management and compliance solutions. Reduce the cost of security
Meet changing business needs.Provide end-to-end risk managementAdopt a business-driven strategic approach to security.
Prioritize security risks by criticality to key business processes.
Enable business change via a foundation of flexible controls. Meet operational needs to address compliance requirements.
Ensure secure service deliveryEffectively manage risk for key business services.
Meet operational needs to address security requirements. Protect business and IT assets to improve confidentiality,
integrity and availability. Build in automation to respond to market needs, reduce
cost and compliance fatigue.
Leverage smart security solutions to lower overall cost Explore a mix of in-house and managed solutions Embed security into projects and infrastructure to
enhance effectiveness.
Ensure risk posture meets policies and regulations. Improve incident response processes. Derive insight via dashboards, alerts and reporting.
Respond with speed and agilityGain control over risk posture and incident response.
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
14
Client requirements IBM Security solutions can address
• Identify, monitor, manage, and mitigate risks and reduce costs of regulatory and industry compliance
• Enable secure transactions and collaboration through effective identity and access lifecycle management
• Mitigate, monitor and manage the latest security threats and vulnerabilities
• Lower the costs of applying the latest security expertise, processes and technologies
• Protect sensitive data and information at rest or in transit from intruders and privileged internal users
• Embed security capabilities to mitigate increasing risk of application-level vulnerabilities
Smarter organizations effectively manage risk to support the secure and resilient transformation to a dynamic infrastructure
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
15
Issues IBM Security Offerings
PEOPLE AND IDENTITY
Manage Identities and
Access
“How can my business benefit from
management of digital identity?”
Reduces the cost, increases efficiency and enables audit-ability of managing flow of users entering, using, and leaving the organization
Decreases risk of internal fraud, data leak, or operational outage Supports globalization of operations Enables shift from traditional brick & mortar sales to delivery of on-line services to customers and
partners across the globe
Improves end-user experience with Web-based business applications by enabling such activities such as single sign-on
Identity Lifecycle Management: Tivoli Identity and Access Management solutions,
High-Assurance Digital Identities: Trusted Identity Initiative
Identity Audit: Tivoli Security Compliance Insight Manager, Tivoli zSecure Audit
Identity & Access Design and Implementation Services
ISS Managed Identity Services
Values
Understanding the identity risk gap Cost of administering users and identities in-house
Privileged user activity unmonitored
Dormant IDs or shared identities being used to inappropriately access resources
Failing an audit
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
16
Reduces the cost, increases ability to meet audit and compliance mandates Provides a cost-effective way to meet legal discovery, hold and retention requirements Assures data is available to the right people, at the right time Assures data is not deliberately or inadvertently taken, leaked, or damaged Decreases number and complexity of controls integrated within the enterprise
ISS Data Security and Data Loss Prevention solution SIEM: Tivoli Compliance Insight Manager, ISS
SiteProtector, ISS Managed Security Services Data Encryption: Tivoli Key Lifecycle Manager,
encrypted tape and disk drives Data Classification: InfoSphere Information
Analyzer, Cognos, Enterprise Content Management, Discovery and Classification
Unstructured Data Security: Tivoli Access Manager, WebSphere MQ Extended Security Edition, WebSphere DataPower SOA Appliances
Data Privacy and Masking: Optim Data Privacy Solution
ISS Professional Security Services
Data stored on removable media that can be lost/stolen
Data stored or transmitted in the clear is easily accessible
Inconsistent data policies Unstructured data Legal, regulatory and ethical exposure for the
organization Costs of data breaches, notification, brand value Failing an audit
DATA AND INFORMATION
Protect Data and
Information“How can I reduce the
cost and pain associated with tracking and
controlling who touched what data when? How do I assure that my data is
available to the business, today and tomorrow?” Values
Issues IBM Security Offerings
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
17
Issues IBM Security Offerings
Reduce risk of outage, defacement or data theft associated with web applications Assess and monitor enterprise-wide security policy compliance Improve compliance with industry standards and regulatory requirements (e.g., PCI, GLBA, HIPAA,
FISMA…) Improve ability to securely integrate business critical applications Automated testing and governance throughout the development lifecycle, reducing long-term security costs
Application Vulnerabilities: Rational AppScan, ISS Managed Security Services, ISS Application Risk Assessment services, WebSphere DataPower SOA Appliances
Application Access Controls: Tivoli Access Manager
Messaging Security: Lotus Domino Messaging, WebSphere MQ Extended Security Edition, IBM ISS Mail security solutions
Security for SOA: WebSphere DataPower SOA Appliances, Tivoli Security Policy Manager, Tivoli Federated Identity Manager
Values
Web applications #1 target of hackers seeking to exploit vulnerabilities
Applications are deployed with vulnerabilities Poor security configs expose clients to business loss PCI regulatory requirements mandate application
security 80% of development costs spent on identifying and
fixing defects Real and/or private data exposed to anyone with
access to development and test environments, including contractors and outsourcers
APPLICATION AND PROCESS
Secure Web Applications
“How can my business benefit from management of application security?”
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
18
Issues IBM Security Offerings
Reduces cost of ongoing management of security operations Improves operational availability and assures performance against SLA, backed by industry’s only
guaranteed SLA for managed protection services Increases productivity by decreasing risk of virus, worm and malcode infestation Decreases volume of incoming spam Drill down on specific violations to quickly address resolution Readily show status against major regulations
Values
Mass commercialization and automation of threats
Parasitic, stealthier, more damaging attacks Poor understanding of risks in new technologies
and applications, including virtualization and cloud
Weak application controls Lack of skills to monitor and manage security
inputs Compounding cost of managing an ever
increasing array of security technologies Undetected breaches due to privilege access
misuse and downtime from incidents Inability to establish forensic evidence or
demonstrate compliance
NETWORK, SERVER AND END POINT
Manage Infrastructure
Security
“How does my business benefit from infrastructure
security protection?”
Systems Storage
Virtual Network
Threat Mitigation: ISS Network, Server and Endpoint Intrusion Detection and Prevention products powered by X-Force®, Managed Intrusion Prevention and Detection, Network Mail Security, Managed firewall services, Vulnerability Management and Scanning, WebSphere DataPower SOA Appliances
SIEM: Tivoli Compliance Insight Manager, Security Event and Log Management services
Security Governance: Regulatory assessments and remediation solutions, Security architecture and policy development
Incident Response: Incident Management and Emergency Response services
Consulting and Professional Security Services: Security Intelligence and Advisory Services
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
19
Phase 5.Education
Phase 4.Management and Support
Phase 2.Design
Phase 1.Assessment
Phase 3.Deployment
• IBM ISS Product Courses
– On-site & off-site classes
• Staff Augmentation• Emergency Response
Service• Forensic Analysis
• Application Security Assessments• Information Security Assessments• PCI Assessments• Penetration Testing• ISO 17799/27002 Gap Assessments• Supervisory Control And Data
Acquisition (SCADA)
• Policy Development• Incident Response Planning• Standards and Procedures
Development• Implementation Planning
• Implementation and Optimization• Migration Services
IBM Professional Security ServicesProven integrated lifecycle methodology that delivers ongoing security solutions
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
20
IBM ISS Managed Security Services Offerings
Our open-vendor architecture enables IBM ISS to deliver a consolidated security view through an industry-leading, single unified system through a high impact Web-based management portal.
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
21
Dynamic Infrastructure – Security Next StepsReduce the cost of securityMeet changing business needs.
End-to-end risk managementAdopt a business-driven strategic approach to security.
Start with a security risk assessment. Leverage IBM’s leading security offerings and unique
expertise combining business and security know-how. Implement security controls to holistically address
compliance requirements.
Ensure secure service deliveryEffectively manage risk for key business services.
Start with security policy, standards and procedures development.
Implement threat and vulnerability management solutions. Automate security and compliance administration,
management and reporting.
Start with TCO challenge offering, security standards and process assessments and design.
Deploy products and outsourced services to reduce cost and risks from people and identities, data and information, applications and infrastructure
Start with a regulatory compliance assessment. Deploy automated incident response products or
services. Implement SIEM products or managed services to drive
improved insight.
Respond with speed and agilityGain control over risk posture and incident response.
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
22
IBM Security Accolades
“Security has become a C-level conversation, and enterprises are looking for reputable vendors with the capability to help customers manage risks and reduce complexity. IDC believes IBM has recognized this trend and has created comprehensive security packages that leverage various products to provide for multiple layers of security to customers.”
November 2008, IDC Insight
Finalist in eight categories, including “Best Security
Company”… a record high number of nominations for
any vendor
“… there is a profound transition in the way organizations assess security needs, acquire security technologies, measure risk, and conduct security operations. All of these trends shift the balance of power from security point tool vendors to larger firms with broad security services and product offerings.
IBM’s combination of products, services, customer reach, and rich resources give it a unique position in the security industry. IBM and a few others can help any sized customer with security, regardless of whether they need help securing their business, implementing an enterprise security initiative, or fixing a big security problem.”
November 2008, Enterprise Strategy Group
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
23
IBM Global Security Reach
IBM has the unmatched global and local expertise to deliver complete solutions – and manage the cost and complexity of security
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
24
Solutions
Only IBM Security is Backed by the IBM X-Force® Research Team
Protection Technology Research
Threat Landscape Forecasting
Malware Analysis
Public Vulnerability Analysis
Original Vulnerability Research
Research Technology
The X-Force team delivers reduced operational complexity – helping to build integrated technologies that feature “baked-in” simplification
X-Force Protection Engines
Extensions to existing engines New protection engine creation
X-Force XPU’s
Security Content Update Development
Security Content Update QA
X-Force Intelligence
X-Force Database Feed Monitoring and Collection Intelligence Sharing
© 2009 IBM Corporation
Securing a Dynamic Infrastructure
25