© Fujitsu Technology Solutions GmbH 2017

Executive Customer Council 2017

30 and 31 May 2017, Würzburg

Security Architecture and Security Culture as an Essential Component of a “Digital Enterprise Strategy”

Robert Mayer, CIO Office

Senior Director Information Technology Group EMEIA

Head of ITG Product Group Services

Agenda

Increased Demands: Security Frameworks in a Digital & Hyperconnected World

Enterprise Architecture: Integrated Security Architecture

Secured Identities: Identity Access Management

Evolving Lifecycle: Intelligence Led Security

Managed Services: Overview Security Offerings

Bringing it together: Information Security Management System (ISMS)

Food for Thought: Putting Security First

Increased Demands: Security Frameworks in a Digital & Hyperconnected World

Forrester: Top 10 focus areas for CIOs in 2017

Legend: relevant (8), very relevant (9), highly relevant (10); scale from 0 to 10

New Disruptive Technologies

• Virtual Reality
• Cloud Computing
• Internet of Things
• Machine Learning
• Artificial Intelligence
• Cognitive Robotics
• 3D-Print
• Communication & Collaboration

The Risk of a “Hyperconnected World”

Medical devices. Researchers have found potentially deadly vulnerabilities in dozens of devices such as insulin pumps and implantable defibrillators.

Smart TVs. Hundreds of millions of Internet-connected TVs are potentially vulnerable to click fraud, data theft and even ransomware.

Cars. Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack where they managed to take control of the vehicle remotely.

…and recent attacks

The cyber attack on power supplies in Ukraine. The first confirmed case of cyber-enabled disruption to electricity supply on a regional scale.

The Yahoo data breaches. Although the breaches happened in 2013-2014, they were revealed only in 2016 and ultimately took $350m off the sales price of Yahoo.

The US Democratic National Committee (DNC) breach. The sheer scale of the incident highlights the vulnerability of political parties to cyber attacks.

…and latest attack: The WannaCry ransomware attack started on Friday, 12 May 2017 and has been described as unprecedented in scale, infecting more than 230,000 computers in over 150 countries. Parts of Britain's National Health Service (NHS), Spain's Telefonica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.

Sources: Symantec Internet Security Threat Report, 2016, and UK National Cyber Security Centre (NCSC) and the US National Security Agency (NSA), 2017

By 2018: New Legislation will drive Security Requirements

Network & Information Security Directive (NIS) & General Data Protection Regulation (GDPR)

New Legislation

Network and Information Security Directive (NIS)
• Harmonized requirements on each Member State’s legislation
• Each member state must pass a national law based on the directive by 2018

General Data Protection Regulation (GDPR)
• Regulation is valid as is in every country from 2018 on
• Countries may add national extensions
• Open issue: is the relevant law that of the consumer’s or the provider’s jurisdiction?

Main Customer Tasks

Information Systems and Data Governance
• Evidence of policies and effective implementation, e.g.
• Security Audit
• Data Protection Impact Assessments
• Data Protection Officer to be implemented

Reporting
• Records of Processing
• Specific reporting of security incidents / data breaches without undue delay

Severe Fines
• GDPR: 20M€ or 4% of annual turnover

Prepare Now!

Governance, Risk and Compliance
• Security Consulting, e.g. Continuity & Resilience
• Data Protection, e.g. IAM, encryption
• MSS, e.g. vulnerability management, perimeter protection, content inspection

Assessments & Audits
• Security Audits
• Privacy Impact Assessment

Detect and Response
• Cyber Threat Intelligence
• SIEM enhanced by reporting according to NIS/GDPR

Aspects of Security in a Hyperconnected World

CIOs need to consider effective security management strategies backed up with appropriate processes and technologies.

Source: Fujitsu White Book of Cloud Security, http://www.fujitsu.com/global/Images/WBOC-2-Security.pdf

Internal Focus: Global CISO Organization

• Partnering with CyberSecurity Business Strategies Unit to launch new security solutions
• Founded Top Gun Training Program for Fujitsu Executives and Cybersecurity Professionals

Naoyoshi Takatsuna
Chief Information Security Officer

Akihiro Yoshida
Head of Corporate Affairs and Risk Management Unit

CISO Office

Tom Duffy
Deputy Head of Corporate Affairs and Risk Management Unit
Deputy Head of Legal, Compliance & IP Unit

RISK MANAGEMENT & COMPLIANCE COMMITTEE

Regional CISO

Jeff Meier
Americas CISO

Craig MacPherson
EMEIA CISO

Tsutomu Nishijima
Japan/Asia/Oceania CISO

Enterprise Architecture: Integrated Security Architecture

Connected Services to support Digital Transformation

Fujitsu’s Management Direction, October 27, 2016

Enterprise Architecture Lifecycle

Diagram elements: Business Objectives, Business Strategy, Current IT Landscape, Corporate IT Strategy, IT Roadmap, Business Processes, “AS-IS Evolution” or “TO-BE Revolution”, Future IT Landscape, Business Functions, Business Demand

Enterprise Architecture Domains

Domain: Description

• Business Architecture: The business strategy, governance, organization, and key business processes.

• Application Architecture: A blueprint for the individual applications to be deployed, their interactions, and their relationships to the core business processes of the organization.

• Technology Architecture: The logical software and hardware capabilities that are required to support the deployment of business, data, and application services. This includes IT infrastructure, middleware, networks, communications, processing, standards.

• Information Architecture: The theory, principles, guidelines, standards, conventions and factors for managing information as an enterprise resource. The structure of an organization’s conceptual, logical and physical data assets and data management resources.

• Security Architecture: The practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational units.

• Service Architecture: The principles, structure and financial characteristics of the current and future services.

• People Architecture: The organizational alignment and role models required in an organization to govern or provide business and IT related services.

2017: Main Focus is on the „H“!

Secured Identities: Identity Access Management

Increasing Importance of Digital Identity

Consolidation of >100 Domains in One Global Active Directory

Addressing the Identity Theft Risk with a Secured Central Administration Platform

Evolving Lifecycle: Intelligence Led Security

Cyber Defences result in …

… Intelligence Led Security

End-to-End Attack Points: Endpoint – Transfer – Data Center

Managed Services: Overview Security Offerings

CyberSecurity Business Strategies Unit Fujitsu EMEIA Security Offerings

The Answer to Security is in the Palm of Your Hands

With Fujitsu’s PalmSecure technology, people can confirm their identity by scanning their unique palm vein pattern. Security no longer revolves around authenticating passwords; it’s all about authenticating people. It simplifies procedures, reduces costs and, most importantly, increases security.

How palm vein security works

• Position hand over sensor
• Sensor focuses & detects live hand
• Hand is scanned with near-infrared light and vein patterns are captured
• Hand veins are recorded and compared with pattern stored either locally (e.g. SmartCard) or in a database

Why Biometrics is the right choice for IAM

Precision of Biometrics

Biometrics clearly is the superior method for processes requiring authentication

PalmSecure at a glance

• Very hygienic because contact-free
• Easy and intuitive operation
• High level of privacy because hidden under the skin
• Palm veins are complex: >5 million reference points
• Palm has thicker veins than fingers, so easier to identify
• Palm veins are not sensitive to external factors
• Hidden under the skin
• Unique (even in the case of twins)
• Traits do not change for entire lifetime
• Live hand detection: only used if blood circulation detected

1 Highest level of security & performance
2 Extremely precise
3 Accepted everywhere

Information Security Management System (ISMS)

EMEIA Operating Model

EMEIA Governance Framework

EMEIA Security Governance Model

Information Security Implementation

• Creation of EMEIA Security Framework

• Definition of EMEIA Security Audit Strategy

• Launch of the EMEIA-wide ISMS

• Awareness Training (Fujitsu International Online Learning Application)

• Alignment of basic Security Processes (Incident, Risk, Comms)

• Planning and performance of Security Audits

• Management Review (ECSF = EMEIA Cyber Security Forum)

Food for Thought: Putting Security First

Current closing thoughts …

Is there a minimum standard for mobile device management?

Security patch management for billions of IoT devices?

CISO study: “In the event of an incident, the costs are greater by a factor of 100”?

The Bundeswehr puts a cyber force into service! Who would have thought: Israel?

IT security job market: security specialists are slowly becoming scarce; security engineers and hackers increasingly sought after?

(Public) cloud and IT security / IT compliance?

Cyber security: enabler for new business models?

Industrie 4.0: Industrial Security Operation Center (SOC)?

Agile, dynamic security concepts: security at the push of a button?

What will the ‘mega security breach’ of the future look like?

Contact:

Robert Mayer Head of ITG Product Group Services

Information Technology Group (ITG), EMEIA

Bürgermeister-Ulrich-Straße 100, 86199 Augsburg

Tel.: +49 (821) 804 2043

Mob.: +49 (171) 2250393

Fax: +49 (821) 804 8 2043

E-mail: [email protected]
