Transcript: 4. qualityaustria Forum, "Identity, Security and Risk Management" (Upravljanje identitetom, bezbednošću i rizikom). Dragutin Bošnjaković, Information Security Consultant, Atos IT Solutions and Services d.o.o. Beograd. 2 October 2013.

Page 1:

4. qualityaustria Forum

Identity, Security and Risk Management
Dragutin Bošnjaković, Information Security Consultant
Atos IT Solutions and Services d.o.o. Beograd

Creating opportunities through new requirements!

2 October 2013

Page 2:

4. qualityaustria Forum, Beograd, 02-Oct-13

Identity, Security & Risk Management

Page 3:

Agenda

▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions

Page 4:

Today's World: Computers Everywhere

▶ Desktop computers account for less than 1% of the microprocessors in use globally; it is estimated that more than 10 billion embedded microprocessors are produced every year.

▶ "A typical luxury saloon car today may use more than 100 megabytes of computer code spread across 50 to 70 microprocessors, researchers say."

▶ Researchers from Rutgers University (with the University of South Carolina) eavesdropped on and spoofed the wireless tire-pressure monitoring system (TPMS) of a car travelling at 60 mph, triggering false warnings on the dashboard.

▶ Microprocessors are now embedded in water control systems, nuclear power stations, the electrical grid: everything we depend on.

[Image: computerized tire pressure monitor]

Page 5:

Challenges in the security area

The range of possible security threats, and their effects on enterprises, increases steadily.

Computerized business processes increasingly connect directly to customers and suppliers.

Potential offenders have changed their behaviour: new forms of attack result in data losses daily.

Compliance requirements are becoming more stringent and more complex.

New trends such as cloud computing, social media and mobile devices introduce new security risks.

Page 6:

New threats are emerging fast…

Page 7:

Risks: diverse and ubiquitous …

Internal Threats
• Theft of data
• Cost pressure
• Spread of company secrets
• Unsatisfied employees
• Illegal downloads
• Private surfing
• Misconduct
• Industrial espionage

Compliance
• SOX
• Privacy laws
• Basel II/III
• PCI DSS
• Risk management
• ISO 27001
• Governance
• COBIT
• HIPAA

External Threats
• Spam
• Hackers
• Worms
• Trojans
• Denial-of-service
• Industrial espionage
• Insecure e-mails
• Phishing
• Data trade

Page 8:

A paradigm shift has to take place…

From: Systems To: Information

From: Barriers To: Behavior

From: IT To: Critical Infrastructures

Page 9:

Agenda

▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions

Page 10:

Atos' ISRM Combined Portfolio: From the router to the board room

(GRC) Governance, Risk and Compliance: Helping customers understand and adapt to the regulatory compliance issues of their specific market sector, and ensuring that governance and process controls are strategically aligned with the customer's market vertical and business value drivers.

(IABS) Identity, Access, Biometrics and Smart Cards: Helping customers centrally understand and manage "who has access to what" and "who should have access to what" across the processes within their enterprise, customer and partner space.

(STA) Security Technical Advisory: Allowing customers to understand and foresee their IT control risks while successfully integrating and refreshing security control technologies aligned with their business needs.

(MSS) Managed Security Services: Helping customers reduce their total cost of compliance and security management by delivering "Atos High Performance Security" (AHPS), the world's leading example of highly efficient and effective business process and IT security.

[Diagram: GRC (Governance, Risk & Compliance), IABS (Identity and Access Management), MSS (Managed security services)]

Page 11:

Governance, Risk and Compliance: Integrating governance

Regulations and standards covered: ISO 27000 family; HIPAA; SOX / MiFID / Basel II; NERC CIP; PCI DSS; SAS 70 / ISAE 3402; HMG SPF / IS1; FDA.

Risk management cycle: Analysis, Assessment, Appetite, Treatments.

GRC activities: Process optimisation; Security awareness; Risk management and business intelligence integration; Oversight and workflow creation; Risk dashboards; Deming cycle; Role mapping & analysis.

▶ Atos helps clients understand their compliance obligations and risks.

▶ Atos automates as much of GRC as possible.

▶ Atos helps you keep 'on course' with as little distraction as possible.

Page 12:

Identity, Access, Biometrics and Smart Cards: Authentication, Authorization, Administration and Audit

IABS Services: IAM maturity assessment; Project management; Design and development; Identity Management as a Service; SSO as a Service; Trusted Identity as a Service.

IABS Technology: Provisioning; Web access management; Single sign-on; Identity federation; Privileged user account management; Metadirectory; Strong authentication.

IABS Products: DirX Identity & Access Management; ID Center (biometric authentication); CardOS smart card; USB token with CardOS®.

Problem
▶ Numerous 'identities' and multiple passwords providing access to highly valuable resources.
▶ Passwords are not secure, not free and not appropriate for today's ways of working.

Solution
▶ Atos portfolio of Identity and Access Management products
▶ Biometrics and smart cards
▶ Single sign-on
▶ Password self-service

Outcome
▶ Reduce costs and improve security and compliance
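The "Administration and Audit" part of the IABS slide, and the "who has access to what" versus "who should have access to what" question from the portfolio overview, comes down to a recurring access review: reconcile an entitlement export from the target systems against the role model and the HR feed. The following is an added example of such a review, not Atos or DirX code. The role model, HR feed, entitlement export and separation-of-duties rule are all constructed sample data; the finding names are arbitrary.

```python
"""Access review: compare who HAS access with who SHOULD have it.

Added example for the IABS 'Administration and Audit' point; not Atos
or DirX code. The role model, HR feed, entitlement export and SoD rule
below are constructed sample data.
"""
from collections import defaultdict

# Hypothetical role model: role -> entitlements a holder SHOULD have.
ROLE_ENTITLEMENTS = {
    "finance_clerk": {"erp:ap_invoice_entry", "fileshare:finance_ro"},
    "finance_manager": {"erp:ap_payment_release", "fileshare:finance_rw"},
    "it_admin": {"ad:domain_admin", "erp:sysadmin"},
}

# Constructed HR feed: user -> (is active?, assigned roles).
HR = {
    "alice": (True, {"finance_clerk"}),
    "bob": (True, {"finance_manager"}),
    "carol": (False, {"finance_clerk"}),   # left the company
    "dave": (True, {"it_admin"}),
}

# Constructed entitlement export from the target systems: who ACTUALLY has what.
ACTUAL = [
    ("alice", "erp:ap_invoice_entry"),
    ("alice", "fileshare:finance_ro"),
    ("alice", "erp:ap_payment_release"),   # not in her role: excess privilege
    ("bob", "erp:ap_payment_release"),
    ("bob", "fileshare:finance_rw"),
    ("carol", "erp:ap_invoice_entry"),     # account of a leaver still provisioned
    ("dave", "ad:domain_admin"),           # erp:sysadmin from his role is missing
    ("svc_backup", "ad:domain_admin"),     # account unknown to HR
]

# Separation-of-duties rule: one person must not both enter and release payments.
SOD_CONFLICTS = [("erp:ap_invoice_entry", "erp:ap_payment_release")]


def expected_entitlements(user):
    """Entitlements the role model says this user should hold (none if inactive or unknown)."""
    active, roles = HR.get(user, (False, set()))
    if not active:
        return set()
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))


def review(actual):
    """Reconcile the export against HR and the role model.

    Returns findings as (user, finding_type, entitlements) tuples, sorted by user.
    """
    held = defaultdict(set)
    for user, ent in actual:
        held[user].add(ent)

    findings = []
    for user in sorted(set(held) | set(HR)):
        act = held.get(user, set())
        if user not in HR:
            # Nobody in HR owns this account: typical for forgotten service accounts.
            findings.append((user, "unknown_account", sorted(act)))
            continue
        if not HR[user][0]:
            # Leaver whose access was never de-provisioned.
            if act:
                findings.append((user, "orphan_account", sorted(act)))
            continue
        exp = expected_entitlements(user)
        if act - exp:
            findings.append((user, "excess_entitlement", sorted(act - exp)))
        if exp - act:
            findings.append((user, "missing_entitlement", sorted(exp - act)))
        for a, b in SOD_CONFLICTS:
            if a in act and b in act:
                findings.append((user, "sod_violation", [a, b]))
    return findings


if __name__ == "__main__":
    for user, kind, ents in review(ACTUAL):
        print(f"{user:<11} {kind:<20} {', '.join(ents)}")
```

Run stand-alone, the review reports five findings: alice's excess payment-release right and the resulting separation-of-duties violation, carol's orphan account, dave's missing entitlement, and the svc_backup account that HR knows nothing about; bob is clean. In practice the export and the HR feed come from the provisioning and directory systems, and "missing_entitlement" findings are as important as excess ones, since they usually mean people are working around the role model.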

Page 13:

Security Technical Advisory

Problem
▶ How do I know which technology is 'best' and most cost-effective among the dozens of choices available?

Solution
▶ Atos advises clients about the costs and benefits of the latest technologies available, trying to find an optimal spend for the client's risk appetite.

[Chart: Exposure (€) against Cost (€), showing the business risk mitigation effort and the effective risk management strategy]

STA services: Security architecture; Security and compliance requirements collection; IT risk assessment; Cloud security assessment; Compliance gap analysis; GRC as a Service; Disaster recovery design; Government information assurance services; Penetration testing; PKI design services; PKI trust center services; Biometric & smart card solution design; Physical access control systems design.

Page 14:

Managed Security Services

Service areas: Workplace Security; Infrastructure Security; Identity & Access Management.

Services: Endpoint Protection Services; Data Encryption Services; Mobile Security; Security for Cloud; Atos High Performance Security; Malware Scanning; Perimeter & Remote Access; Intrusion Protection; Business Partner Access; Vulnerability Management; Identity & Access Management; Single Sign-On as a Service; Identity Management as a Service; Secure Directory Services; Managed PKI and Biometrics; Physical Access Control Systems.

Problem
▶ We spend a lot of money and time on IT security, and this distracts us from our core business.

Solution
▶ Atos Managed Security Services offers a range of services so that enterprises can outsource the costs and complexities of security and compliance.

Outcome
▶ Improved focus on the client's business
▶ Reduced spend on security

Page 15:

Atos Olympic Security (Atos High Performance Security)

▶ Goals
– Being able to react to cyber threats in real time, 24x7, as well as enabling forensic analysis.
– Hackers are increasingly sophisticated and their targets increasingly valuable: AHPS helps companies defend against critical losses.
– Reduce security operation expenses caused by the explosive growth of security threats and a reactive, manual approach.
– Achieve compliance with government and industry standards.

▶ Solution
– AHPS monitors the business and IT environment 24x7 to see whether significant incidents are occurring: find suspicious activity while it is occurring, not after.
– The Atos Secure Operating Center responds to failures of policy compliance as new security, legislative and regulatory control requirements emerge.
– The service is based on the Atos Olympic security solution, which has a track record of more than 10 years.

▶ Benefits
– Reduced costs through the Atos security-as-a-service model.
– Global presence of the AHPS service.
– Customers are enabled to react to security events in real time.

Page 16:

Fragmented View vs. Integrated View

[Diagram: separate point solutions (Firewall, IDS, Server Logs, Vulnerability Management) on one side, a single integrated view on the other]

By understanding the customer's business rather than just the IT infrastructure, we are able to understand the potential business impact of the events occurring and therefore weight the risk-management response to the severity of the threat, delivering a risk-driven operating model for each customer.

Page 17:

Integrated View: Atos High Performance Security

Log sources fed into the integrated view: Switch logs; Windows logs; Client & file server logs; Wireless access logs; Windows domain logins; Database logs; SAN file access logs; VLAN access & control logs; DHCP logs; Linux, Unix, Windows OS logs; Mainframe logs; Oracle Financial logs; Web server activity logs; Content management logs; Web cache & proxy logs; VA scan logs; Router logs; IDS/IDP logs; VPN logs; Firewall logs.

Page 18:

Some Significant Cost Drivers

Roles
► IT Security Managers
► UNIX Server Managers
► Wintel Server Managers
► Network Security Managers
► Patch and Vulnerability Management
► Firewall Engineers

Functions
► Security Policy Creation and Management
► PCI Compliance
► SOX Compliance
► Market Research
► Testing
► Problem Discovery
► Problem Resolution
► Audit
► Forensics
► Training
► Access / Authorization Reviews

Infrastructure
► Hardware
► Software Licenses
► Maintenance Fees
► Storage

Each of the items above typically represents at least $75k per year, and can often exceed millions of dollars.

Page 19:

Our Cost Conscious Approach

[Same roles, functions and infrastructure cost drivers as on the previous slide, each typically representing at least $75k per year and often exceeding millions of dollars.]

AHPS can reduce a variety of these costs via external service provision, domain and delivery expertise, and concentration of functions into one delivery unit. We estimate that we can save at least 10 to 25% of your current IT compliance and security spend, and we will demonstrate this to your satisfaction before contract signing.

Page 20:

Lifting the Performance of Security and Compliance Operations

BRONZE: Log monitoring & storage. Faster reaction to security issues and better compliance through log storage, but issue management focused on obvious tactical issues. Manual security / control co-ordination; performance driven manually by the pace of staff activity and the tacit knowledge of staff.

SILVER: 'Joining up the dots' across the IT landscape to enable proactive IT security. Control monitoring based on the IT landscape, not the business information landscape. Proactive management of digital threats and business control issues.

GOLD: Business information security. 360° IT security control monitoring and auditing based on the business information landscape, aligning security and compliance measures with the highest-value business information. Alignment of security measures & spend with business information value & business impact.

Page 21:

Operational Efficiency and Cost Reduction

Event funnel from the Beijing Olympic Games: 201m filtered events → 443k correlated events → 1,500 alarms → 90 critical events.

AHPS takes millions of raw events and, via intelligent processing and correlation, reduces them to a few critical events. This reduces manpower requirements and improves operational efficiency; at the Games it resulted in zero downtime and zero business effect.
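The funnel on this slide, together with the earlier point that the response to an event should be weighted by its business impact, is a pipeline: parse heterogeneous logs into one event model, drop routine noise, correlate across sources, and promote only the alarms that touch high-value assets. The following is an added example of that pipeline, not Atos AHPS code. The log lines, host names, the asset-criticality table and the detection thresholds are constructed and arbitrary; a production system would read the criticality from a configuration database and tune the rules.

```python
"""Event funnel: raw events -> filtered -> correlated alarms -> critical.

Added example of the pipeline the slides describe; not Atos AHPS code.
The log lines, hosts and the asset-criticality table are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three sources: firewall (fw), Windows domain logons (win), VPN.
RAW_LOGS = """\
2013-10-02T08:00:01 fw action=allow src=10.1.1.20 dst=10.2.0.5 dport=443
2013-10-02T08:00:02 fw action=allow src=10.1.1.21 dst=10.2.0.5 dport=443
2013-10-02T08:00:03 fw action=deny src=203.0.113.7 dst=10.2.0.9 dport=3389
2013-10-02T08:01:00 vpn event=login user=jsmith src=198.51.100.4 result=success
2013-10-02T08:01:10 win event=logon user=jsmith src=198.51.100.4 host=FIN-ERP01 result=failure
2013-10-02T08:01:20 win event=logon user=jsmith src=198.51.100.4 host=FIN-ERP01 result=failure
2013-10-02T08:01:30 win event=logon user=jsmith src=198.51.100.4 host=FIN-ERP01 result=failure
2013-10-02T08:01:50 win event=logon user=jsmith src=198.51.100.4 host=FIN-ERP01 result=success
2013-10-02T08:02:00 win event=logon user=tlee src=10.1.1.30 host=PRINT01 result=failure
2013-10-02T08:02:05 win event=logon user=tlee src=10.1.1.30 host=PRINT01 result=success
2013-10-02T08:03:00 win event=logon user=mbrown src=10.1.1.31 host=PRINT01 result=failure
2013-10-02T08:03:10 win event=logon user=mbrown src=10.1.1.31 host=PRINT01 result=failure
2013-10-02T08:03:20 win event=logon user=mbrown src=10.1.1.31 host=PRINT01 result=failure
2013-10-02T08:03:40 win event=logon user=mbrown src=10.1.1.31 host=PRINT01 result=success
"""

# Hypothetical business context: how critical each asset is to the business.
ASSET_CRITICALITY = {"FIN-ERP01": "high", "HR-DB01": "high", "PRINT01": "low"}

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse(lines):
    """Normalise 'timestamp source key=value ...' lines into dicts with ts and source."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, source, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields.update(ts=datetime.fromisoformat(ts), source=source)
        events.append(fields)
    return events


def filter_noise(events):
    """Stage 1: drop routine traffic that carries no security signal on its own."""
    return [e for e in events if not (e["source"] == "fw" and e.get("action") == "allow")]


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Stage 2: per (user, source IP) across VPN and Windows logs, raise an alarm when
    at least `threshold` failed logons are followed by a success within `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["source"] in ("win", "vpn"):
            by_actor[(e.get("user"), e.get("src"))].append(e)
    alarms = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["source"] == "win" and e.get("result") == "failure"]
        successes = [e for e in evs if e["source"] == "win" and e.get("result") == "success"]
        via_vpn = any(e["source"] == "vpn" for e in evs)
        for s in successes:
            recent = [f for f in failures if timedelta(0) <= s["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                alarms.append({"rule": "password_guessing_then_success", "user": user, "src": src,
                               "host": s["host"], "failures": len(recent), "via_vpn": via_vpn,
                               "ts": s["ts"]})
    return alarms


def triage(alarms, criticality):
    """Stage 3: weight each alarm by the business value of the target; return the critical ones."""
    critical = []
    for a in alarms:
        level = criticality.get(a["host"], "unknown")
        if level == "high":
            a["severity"] = "critical"
        elif a["via_vpn"] or level == "unknown":
            a["severity"] = "high"
        else:
            a["severity"] = "medium"
        if a["severity"] == "critical":
            critical.append(a)
    return critical


def run(raw_text, criticality=ASSET_CRITICALITY):
    """Run the whole funnel and report the counts at each stage."""
    raw = raw_text.splitlines()
    filtered = filter_noise(parse(raw))
    alarms = correlate(filtered)
    critical = triage(alarms, criticality)
    return {"raw": len(raw), "filtered": len(filtered), "alarms": len(alarms), "critical": critical}


if __name__ == "__main__":
    result = run(RAW_LOGS)
    print(f"{result['raw']} raw -> {result['filtered']} filtered -> "
          f"{result['alarms']} alarms -> {len(result['critical'])} critical")
    for a in result["critical"]:
        print(a)
```

On the constructed input the funnel goes 14 raw events, 12 after filtering, 2 alarms, 1 critical: the same password-guessing pattern appears for two users, but only the one that ends in a successful logon to the finance ERP host over VPN is escalated, while the print server incident stays a medium alarm. That is the "weight the response to the business impact" point of the integrated-view slide in code, and it is also why the asset-criticality table has to come from the business side rather than be guessed by the SOC.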

Page 22:

AHPS for the Olympic Games, AHPS for You

Beijing 2008 environment
► 28 Sports
► 302 Sport Events
► 70 Venues
► 10,000 Athletes
► 20,000 Journalists
► 230,000 Accreditations
► 4,000 IT team members
► 40,000 IT components
► 10,000 PCs
► 1,000 Servers
► 1,000 Network devices

[Chart: Criticality over time, Pre-Games vs. Games]

Olympic Project Specifics
► Business: highly visible, highly critical
► Technology: real-time & near-real-time applications; last-minute massive infrastructure deployment; heterogeneous environment
► People: consortium of partners and suppliers; high level of dependency on volunteers

Requirements
► Availability, integrity, confidentiality
► Ready on time: the deadline will not move
► A few seconds' response time, no second chance

Page 23:

Agenda

▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions

Page 24:

Future trends for ISRM

Roadmap 2013 to 2016: User Owned Device; Mobile Data Protection; Cyber Security; Atos High Performance Security; Security and Compliance in a Box (GRCaaS); Cloud Single Sign-On; Leverage DirX; Federated IAM; Next Gen AV; Atos Integrated Security; Cloud Encryption; Cyber Threat Center; IDaaS.

Page 25:

Agenda

▶ Introduction
▶ Atos Security Solutions
▶ Future Trends
▶ Summary/Questions

Page 26:

Summary

▶ The information security threat landscape is changing at a rapid pace.

▶ Organizations must prepare themselves to withstand advanced targeted attacks aimed at the company's intellectual property.

▶ Atos has a complete portfolio in the identity, security and risk management area, covering the whole value chain from consulting to operations.

▶ Atos has committed resources to development in the security area, enabling it to provide state-of-the-art services.

▶ Atos is one of the few providers able to deliver services to its customers around the globe.

Page 27:

Dragutin Bošnjaković, Information Security Consultant
Atos IT Solutions and Services d.o.o.
[email protected]

Thank you for your attention!

www.qa-center.net