Transcript of: The Evolving Security Landscape: Security and Compliance Trends
The Evolving Security Landscape: Security and Compliance Trends
Andreas M. Antonopoulos, Senior Vice President & Founding Partner
www.nemertes.com
Agenda
About Nemertes
Security and Compliance Trends
Conclusion and Recommendations
© Copyright 2010 Nemertes Research
Nemertes: Bridging the Gap Between Business & IT
Quantifies the business impact of emerging technologies
Conducts in-depth interviews with IT professionals
Advises businesses on critical issues such as:
Unified Communications
Social Computing
Data Centers & Cloud Computing
Security
Next-generation WANs
Cost models, RFPs, Architectures, Strategies
Security and Compliance Trends
Security and Compliance Outlook
Timeline figure, three periods: 1990-2000, 2001-2009, 2010-2011+
Threats (roughly in order of appearance): Viruses; Worms/Trojans; Website Defacement; Phishing/Identity Theft; XSS and SQL Injection; Rise of the Botnets/DDoS; Silent Botnets; Polymorphic Attacks/Malware
Attacker motivation: Hacking for Fun and Fame; Organized Cybercrime; Cyber Warfare
Regulation: HIPAA, GLBA, Sarbanes-Oxley; PCI-DSS; Amended FRCP; Breach Notification; HITECH; National Breach Disclosure
De-Perimeterization
Is that a word? No, but it's happening anyway!
You used to have "The Internet Connection" and "The Firewall"
We are rapidly moving to ubiquitous connectivity and mobility
The Internet is everywhere! There is no INSIDE and OUTSIDE in your network
The Changing End-User Landscape
Employee personal use of technology influences IT decisions for 46% of organizations
About 67% of organizations have a formal telework policy
iPhone already a target of attacks against known vulnerabilities
Mobile devices are a significant data loss risk
The line between personal and work computing is blurring
Security by Location
Most security today is LOCATION-CENTRIC
Servers and desktops are becoming virtual
Firewalls, VLANs, ACLs, IP Addresses – Locations
Location should not be the foundation of your security policy!
Compliance on the Rise
If Enron gave us Sarbanes-Oxley, what will 100xEnron give us?
Legislation to pass a national breach disclosure law
HITECH Act adds more teeth to HIPAA
PCI-DSS is driving security behavior
Compliance drives security spending for 37% of organizations
Compliance requirements will get more prescriptive with sharper teeth
Data-Centric Security
Data-centric means INSPECTING and PROTECTING the data, regardless of where it is
Anti-malware inwards, data leakage outwards
Content inspection
Encryption
Fingerprinting ALL DATA
Digital certificates
Security meta-data
(Slide graphic: data stamped "SUBJECT TO SEARCH")
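The "fingerprinting ALL DATA" and "data leakage outwards" points above, worked through as an added example that is not part of the original deck: sensitive documents are fingerprinted as a set of hashed word shingles, and outbound text is inspected against that index, so an excerpt pasted into an e-mail is still recognized wherever the data travels and however the surrounding text changes. The document labels, sample texts, shingle width and the three-hit threshold are all constructed for this example.

```python
"""Content fingerprinting for outbound data-leak inspection.

Added example, not from the Nemertes deck. Each sensitive document is
reduced to a set of hashed word shingles (w consecutive normalized words).
Outbound content is reshingled and counted against the index; a partial
copy still matches because a fraction of its shingles survives, while
ordinary text that merely shares a few words does not reach the hit
threshold. All sample text below is constructed for the example.
"""
import hashlib
import re
from typing import Dict, List, Set

SHINGLE_WORDS = 5  # w: smaller is more sensitive but yields more false positives


def normalize(text: str) -> List[str]:
    # Case-fold and strip punctuation so trivial edits do not defeat the match.
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text: str, w: int = SHINGLE_WORDS) -> Set[bytes]:
    words = normalize(text)
    hashes: Set[bytes] = set()
    for i in range(len(words) - w + 1):
        chunk = " ".join(words[i:i + w]).encode()
        # Truncated SHA-256 keeps the index compact; a collision can only add
        # a spurious hit, never hide a real one.
        hashes.add(hashlib.sha256(chunk).digest()[:8])
    return hashes


class FingerprintStore:
    """Inverted index: shingle hash -> labels of the documents containing it."""

    def __init__(self) -> None:
        self.index: Dict[bytes, Set[str]] = {}
        self.sizes: Dict[str, int] = {}

    def register(self, label: str, text: str) -> None:
        hashes = shingle_hashes(text)
        self.sizes[label] = len(hashes)
        for h in hashes:
            self.index.setdefault(h, set()).add(label)

    def inspect(self, outbound: str, min_hits: int = 3) -> Dict[str, float]:
        """Return {label: fraction of that document's shingles present in
        outbound} for every document with at least min_hits matching shingles."""
        hits: Dict[str, int] = {}
        for h in shingle_hashes(outbound):
            for label in self.index.get(h, ()):
                hits[label] = hits.get(label, 0) + 1
        return {label: n / self.sizes[label]
                for label, n in hits.items() if n >= min_hits}


def decide(outbound: str, store: FingerprintStore, min_hits: int = 3) -> str:
    """Policy decision for one outbound message: BLOCK on any fingerprint match."""
    return "BLOCK" if store.inspect(outbound, min_hits) else "ALLOW"


# Constructed sample documents (hypothetical content)
M_AND_A_MEMO = ("Project Falcon board memo. The acquisition of Northwind Traders "
                "is valued at 410 million dollars with closing targeted for the "
                "third quarter pending regulatory approval in two jurisdictions.")
PAYROLL = ("Quarterly payroll export. Employee identifiers and base salary figures "
           "follow; this file is classified internal and must not leave the HR system.")

# An excerpt of the memo pasted into an e-mail with changed case and punctuation.
LEAK_EMAIL = ("FYI - the acquisition of northwind traders is valued at 410 MILLION "
              "dollars, with closing targeted for the third quarter. Keep quiet.")
# Shares a few words ("third quarter", "410") but no five-word run.
BENIGN_EMAIL = "Lunch on Thursday? The third quarter review is at 2pm in room 410."


def build_store() -> FingerprintStore:
    store = FingerprintStore()
    store.register("m-and-a-memo", M_AND_A_MEMO)
    store.register("payroll-export", PAYROLL)
    return store


if __name__ == "__main__":
    s = build_store()
    for name, msg in (("leak", LEAK_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, decide(msg, s), s.inspect(msg))
```

The fraction returned by `inspect` is what a practitioner tunes on: the pasted excerpt reproduces 14 of the memo's 24 shingles (about 58%), while the benign note shares words but no five-word run and so produces no hits at all. Raising `min_hits` trades recall for fewer false positives; the fingerprint index holds only truncated hashes, so it can be distributed to inspection points without itself exposing the sensitive content.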
What Should You Be Doing?
Urgent: Act Now
Assess compliance posture against current and future IT environment. Perform a gap analysis.
Short-Term Plans
Assess gap analysis and prioritize controls necessary to meet compliance requirements for today and tomorrow.
Long-Term Plans
Implement a continuous compliance process that monitors compliance posture in real time.
Specific Needs
Determine what's in-scope and what's out of scope for compliance and plan separation/isolation of in-scope data.
Compliance Roadmap
Urgent: Act Now
Evaluate current IT environment
Assume security perimeter is dissolving
Plan future IT environment
Assess compliance of both plans
Perform gap analysis
Compliance Roadmap
Short-Term Plans
Assess output of gap analysis
In-scope versus out-of-scope data
Work with auditors to prioritize gaps
80/20 rule applies – start with low-hanging fruit
People, process and technology
Compliance Roadmap
Long-Term Plans
Process in place to close compliance gaps
Regular self-assessment of compliance
Develop continuous compliance process
Conclusions and Recommendations
The security landscape is changing rapidly
  Continually reassess security plans and posture
Security must match changing enterprise use of technology
  Assume today's consumer technology is tomorrow's enterprise technology
Inside firewall is "good" … Outside firewall is "bad" … is 20th Century thinking
  The dynamics of computing clash with a rigid firewall plan and mindset
  Emphasis must shift from location-based to user-based security
Compliance is a driving force in security planning and spending
  Engage the compliance function early and often
  Pay particular attention to privacy regulations and legislation
  Successful compliance requires focus on people, process and technology
Thank You
Andreas M. Antonopoulos, SVP & Founding Partner, [email protected]