Security Trends in the Commercial World
By Christopher Ray, cray@aflac.com

Agenda
1. Goals of Business
2. Security Models
3. Where to Begin
4. Closing
Encourage open dialogue – seeking input

Goals of the Business
• Why are companies in existence?
• Why is security needed?
• How is security like any other job?
• Scope of discussion focuses on:
  - Commercial service-based business (healthcare, banking, etc.)
  - Regulatory environment
  - Security alignment within IT or the COO/CFO
  - Reasonable amount of staffing (not a one-man show)
  - Reasonable amount of budget (4+%)

Security Models: Yesterday, Today, Tomorrow

Traditional Security Model
• Isolationist Perspective
  - Draw a perimeter around your sandbox
  - Do not allow outsiders
  - Trust your employees
• Typical Setup
  - Firewall
  - DMZ environment
  - Segmented LANs
  - Antivirus
  - Perimeter IDS

Today’s Security Model
• No Boundaries Perspective
  - Complex systems with a much bigger sandbox
  - Try to determine who the outsiders are
  - Trust (but verify) your employees
  - Deliver more, faster, cheaper, and to smaller devices
• Typical Setup
  - Varies per company depending on architecture, industry, and budget

Today’s Security Model – cont’d
Solutions found today in many corporate security programs:
• Firewall
• IDS/IPS
• Spam/Email virus filtering
• Layered switching
• VPN (IPsec/SSL)
• URL filtering
• Host-based antivirus
• Host-based firewall
• Patching (system/application)
• Configuration management
• Access controls
• File transmission security (SSL)
• Remote access controls (VPN, ACLs)
• Disaster Recovery
• Education and awareness training

Today’s Security Model – cont’d
More developed programs may include:
• Malware / Botnet detection
• Database encryption
• Tape encryption (mainframe / backup)
• Application layer firewalls
• Network access controls
• Security event management
• Secure code development validation
• Data Leakage Prevention (DLP)
• Internet virus filtering
• Configuration management
• Host-based forensics
• Network-based forensics
• Mobile device encryption
  - Notebooks
  - PDAs or smart phones
  - USB or other external storage devices
• Wireless Security
• Data masking
• Email encryption
• Virtualization to segment off environment
• Fraud detection
• Advanced access management using strong authentication (e.g. biometrics, retina scans, etc.)
• Identity management
  - Role-based access controls
  - User provisioning
• E-discovery
• Data Labeling

Today’s Security Model – cont’d
• What’s needed today
  - Tools and automation
  - Layered security solutions – there is no magic “snake oil”
  - Example of mobile device security:
      - Access controls
      - Two-factor authentication for remote access
      - Device encryption
      - Database encryption
      - Periodic purging of data
      - Antivirus software
      - Host-based firewall technology
      - Theft recovery software (with LoJack capability)
  - Talented professionals who can keep up with technology

Tomorrow’s CISO
• Roles are changing for infosec leaders, with more focus on:
  - Legal issues (e-discovery, employee relations, contracts)
  - Compliance (regulatory, PCI, privacy laws)
  - Policy/Procedures (have always been needed)
  - Formalized risk management with better business alignment
• Future trends (opinion only):
  - Federated identity and other ways to implement SSO
  - Tighter network access controls (e.g. device authentication)
  - Application Level Security
  - Digital rights management
  - Managed Services
  - Social Networking (LinkedIn, Second Life, Facebook)

Where to Begin
• With all of the technologies and gaps that may exist, you have to be able to:
  - Prioritize
  - Sell the ideas
  - Plan
  - Implement methodically
  - Sell some more
  - Leverage relationships within other departments
• So where would you begin?
• What challenges do you see facing security?

Ongoing Challenges
• Shift in the threat
  - Moved from individuals hacking for fun to organized crime
  - Thoughts on cyber warfare?
• Amount of change
  - Increasing volumes of data
  - Mobile device management (more, smaller, cheaper)
  - Complexity of applications / systems
  - Speed of delivery in an Internet world