Two Peas in a Pod: Cloud Security and Mobile Security
Transcript of Two Peas in a Pod: Cloud Security and Mobile Security
Future of Enterprise IT Infrastructure
What is “mobile”? Smarter, faster…
…and blurrier
Everything is converging…
Voice ↔ Data
Dead Spot ↔ Hot Spot
Distributed Architecture ↔ Centralized Architecture
Home ↔ Office
Fixed ↔ Mobile
Wired ↔ Wireless
Web Applications ↔ Mobile Applications
…to make security more challenging?
The new world…
…doesn’t exist without mobile and cloud
Anyone can access (partners and customers too)
Access from anywhere (outside firewalls too)
Access from any device (non-corporate ones too)
Access to all data (sensitive information too)
Corporate IT owns and dictates IT direction → Consumerization and Democratization of IT
What makes mobile riskier?
• Convergence
• Mobile misuse can cost
• Small physical footprint
• Increasing processing power
• Multiple communication channels
• Increasing bandwidth
• Ownership
• Storage
• Fragmentation
• Applications
• Data
How do you secure mobile?
Security Technology Elements
• App Security
• Anti-X
• Config Mgmt
• DLP
• Encryption
• IAM, NAC
• Patching
• Policy Mgmt
• Threat Mgmt
• VPN
• Vuln. Mgmt
• …
Security Program Elements
• Risk Assessment
• Security Policy
• Organization of Info Security
• Asset Management
• Human Resources Management
• Physical & Environment Security
• Comms & Ops Mgmt
• Access Control
• Info Systems Acquisition, Dev, & Maint.
• Info Security Incident Management
• Business Continuity Management
• Compliance
Multiple Approaches
[Slide graphic: a 2×2 grid of Security Programs (Single / Multiple) against Security Technology Sets (Single / Multiple); each cell repeats the technology elements and program elements listed above once per program or technology set.]
Security leaders care most about…
The Business Cares About Data!
Breach Prevention
• Requires preventing data from being breached
Compliance
• HIPAA, GLBA, PCI, State Breach Laws, etc. govern specific types of data
Costs…
• of securing data
• of maintaining compliance
• of enabling business in the information age
Treating Data
Inventory (must)
Monitor
Encrypt
Protect
Destroy (ideal)
ignoramus et ignorabimus?
Minimize data and access to it!
Source: Verizon DBIR
What about apps?
• 33% of NA Smartphone owners download apps
• Multiple versions
• Location based apps / social networking will increase
• Games continue to dominate among apps
• Users continue to demand greater usability
• 10 billion app downloads from Apple's App Store in 2010
• Signed Apps = Secure Apps?
Can’t impede app proliferation, but how do you know which to trust?
What about everything else?
• Force encryption of data at rest on mobile devices
• Force secure connectivity on unsecured public networks
• Ensure unauthorized mobile devices do not have access to corporate LAN*
• Ensure mobile user spending is in line with the mobile policy and additional costs can be recovered
• Over-the-air decommissioning (remote bricking)
• Authentication: set the device to auto-lock; set clipping level
• Keep device out of sight when not worn
• Handheld devices should be enterprise property
• Before an employee departs, obtain device and remove corporate data
• Have a clear policy on remote data deletion and do not hesitate to execute it
• Classify data according to the sensitivity of the data they carry
• Only permit digitally signed applications
Be agile – quickly and flexibly adapt to changing mobile landscape
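The device-side controls above (encryption at rest, VPN on public networks, auto-lock and clipping level, enterprise ownership, signed apps only) can be checked as one posture evaluation before a device is allowed on the corporate LAN. This is an added example, not code from the deck or from Verizon; the posture field names, the policy thresholds (300 s auto-lock, 10 failed unlocks) and the sample fleet are constructed assumptions.

```python
# Added example, not from the deck: evaluate a mobile device's reported
# posture against the mobile controls listed above before allowing LAN access.
# Field names, thresholds and the sample fleet are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DevicePosture:
    device_id: str
    corporate_owned: bool               # "handheld devices should be enterprise property"
    storage_encrypted: bool             # "force encryption of data at rest"
    auto_lock_seconds: Optional[int]    # None means auto-lock is disabled
    failed_unlock_limit: Optional[int]  # clipping level before lockout/wipe
    vpn_active: bool                    # "force secure connectivity on public networks"
    on_public_network: bool
    unsigned_apps: List[str] = field(default_factory=list)  # "only signed apps"

# Assumed policy thresholds (the slides give none).
POLICY = {"max_auto_lock_seconds": 300, "max_failed_unlocks": 10}

def evaluate(d: DevicePosture, policy: Dict[str, int] = POLICY) -> dict:
    """Return {'allow_lan': bool, 'findings': [reasons]} for one device."""
    findings = []
    if not d.corporate_owned:
        findings.append("device is not enterprise property")
    if not d.storage_encrypted:
        findings.append("data at rest is not encrypted")
    if d.auto_lock_seconds is None or d.auto_lock_seconds > policy["max_auto_lock_seconds"]:
        findings.append("auto-lock disabled or longer than policy allows")
    if d.failed_unlock_limit is None or d.failed_unlock_limit > policy["max_failed_unlocks"]:
        findings.append("failed-unlock clipping level missing or too high")
    if d.on_public_network and not d.vpn_active:
        findings.append("on an unsecured public network without VPN")
    if d.unsigned_apps:
        findings.append("unsigned apps installed: " + ", ".join(sorted(d.unsigned_apps)))
    # Any finding denies corporate LAN access until the device is remediated.
    return {"allow_lan": not findings, "findings": findings}

def triage(devices: List[DevicePosture], policy: Dict[str, int] = POLICY) -> dict:
    """Evaluate a fleet; returns device_id -> evaluation."""
    return {d.device_id: evaluate(d, policy) for d in devices}

# Constructed sample fleet: one compliant corporate device, one non-compliant BYOD.
FLEET = [
    DevicePosture("corp-001", True, True, 120, 10, True, True),
    DevicePosture("byod-007", False, False, None, None, False, True, ["sideloaded-game"]),
]

if __name__ == "__main__":
    for dev_id, result in triage(FLEET).items():
        print(dev_id, "allow_lan=%s" % result["allow_lan"], result["findings"])
```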
An approach…
1. Inventory data (technical and consultative)
2. Destroy any unnecessary data
3. Associate data access w/ users, roles
4. Ensure only users that need access to data have access to it (access governance)
5. Assign sensitivity level to data types (tier by quantity) - based on business impact
6. Assign control requirements for each data set
7. Determine feasible controls for each environment (mobile, cloud, etc.)
8. Identify how (vendor, etc.) to implement controls across each platform
9. For each platform, define what access level (to each of the data sets) is allowed based on residual risk
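Steps 5 to 9 of the approach above can be modelled as a small decision function: tier each data set by impact and quantity, attach control requirements to the tier, compare them with what each platform can actually implement, and let the gap (the residual risk) decide the access level. This is an added example, not code from the deck or from Verizon; the tier thresholds, control names, platform capabilities and sample data sets are all constructed assumptions.

```python
# Added example, not from the deck: a small model of steps 5-9 of the approach
# above. Tier thresholds, control names, platform capabilities and the sample
# data sets are constructed assumptions, not values the slides prescribe.
from typing import Dict, List, Set

IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}

def sensitivity_tier(impact: str, record_count: int) -> int:
    """Step 5: tier by business impact, bumped one notch when the quantity
    held is large. Tier 1 is the most sensitive, tier 3 the least."""
    score = IMPACT_SCORE[impact] + (1 if record_count >= 100_000 else 0)
    return max(1, 4 - score)

# Step 6: control requirements per tier (tier 1 needs the most).
TIER_CONTROLS: Dict[int, Set[str]] = {
    3: {"auth"},
    2: {"auth", "encrypt_at_rest", "dlp"},
    1: {"auth", "encrypt_at_rest", "dlp", "remote_wipe", "signed_apps_only"},
}

# Step 7: controls that are feasible on each environment (constructed).
PLATFORM_CONTROLS: Dict[str, Set[str]] = {
    "laptop": {"auth", "encrypt_at_rest", "dlp", "remote_wipe", "signed_apps_only"},
    "mobile": {"auth", "encrypt_at_rest", "remote_wipe", "signed_apps_only"},
    "cloud":  {"auth", "encrypt_at_rest", "dlp"},
}

def access_decision(dataset: dict, platform: str) -> dict:
    """Steps 8-9: residual risk is the set of required controls the platform
    cannot implement; the allowed access level follows from that gap."""
    tier = sensitivity_tier(dataset["impact"], dataset["records"])
    missing = sorted(TIER_CONTROLS[tier] - PLATFORM_CONTROLS[platform])
    if not missing:
        access = "full"
    elif tier == 1:
        access = "none"       # any gap on tier 1 data is unacceptable residual risk
    else:
        access = "read-only"  # tolerate the gap only with reduced access
    return {"tier": tier, "missing_controls": missing, "access": access}

def access_matrix(datasets: List[dict]) -> Dict[str, Dict[str, str]]:
    """Step 9 rolled up: data set name -> platform -> allowed access level."""
    return {d["name"]: {p: access_decision(d, p)["access"] for p in PLATFORM_CONTROLS}
            for d in datasets}

# Constructed sample data sets.
DATASETS = [
    {"name": "cardholder", "impact": "high", "records": 250_000},
    {"name": "hr_reviews", "impact": "medium", "records": 800},
    {"name": "marketing_leads", "impact": "low", "records": 5_000},
]
```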
Slight shift in focus
Measuring vulnerabilities / threats → Measuring impact
Applying controls → Picking the right controls
Securing the enterprise → Securing what matters to the business
Managing projects → Selecting the right projects
Protecting the enterprise → Enabling the enterprise
Multiple Security Programs → Single Security Program
Multiple sets of Security Technologies → Single set of Security Technologies
Finally…
• Follow the data
• Consistent security controls
• Start w/ the business (data), not the controls
• Simplify security program
• Closely align mobile and cloud security
Doing Things Right → Doing the Right Things
Verizon Security Solutions
Industry Recognition
• Verizon is the leading global MSSP (Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products
Credentials
• BSI Associate Consultant for ISO 27001 and BS 25999
• PCI ASV, QSA and PA-QSA
• CREST approved penetration tester
• HITRUST Qualified CSF Assessor and member Leadership Roundtable
Global Reach
• 500+ security consultants based in 23 countries that speak 24 languages
• Serve 77% of Forbes Global 2000
• 7 sources of risk intelligence
Experience
• Verizon’s SMP is the oldest security certification program in the industry
• Analyzed breaches involving 900+ million records
• Provide national identity solutions in over 25 countries
• Provide services to 78% of Fortune 100
• Delivered 2000+ security consulting engagements in 2010