Securing Your Information Technology Infrastructure / Investment
TRANSCRIPT
© 2010 IBM Corporation
Pat Tomlinson, Services and Solutions Manager, IBM World Trade
[email protected] 6, 2010
Agenda
What is IT Infrastructure?
The current threat
Holistic approach to securing the IT Infrastructure (Risk Mitigation)
– Business Resilience
– Security
Next steps
Questions
Holistic view of the Enterprise
Six layers of the business, each open to different risks:
– Strategy and vision
– Organization
– Processes
– Applications and data
– Technology
– Facilities
[Figure: risk mitigation spans all six layers]
Information Technology Infrastructure
Everything that supports the flow and processing of information, including:
– Servers, storage and workstations
– System and application software
– Networking and other interconnecting hardware and software
[Figure: the six-layer enterprise model (strategy and vision, organization, processes, applications and data, technology, facilities) with risk mitigation spanning all layers]
Today’s business world poses a whole new level of risk for organizations large and small.
Bacs system failure hits 400,000 salary payments. Friday 30 March 2007. Up to 400,000 people will receive their salary three days late because the Bacs payment processing system - used by every bank in the UK - experienced a failure on Wednesday. By Will Hadfield
iTunes back to normal after holiday traffic quadruples. ABC News, 12/28/06
Bill Would Punish Retailers For Leaks of Personal Data. By Joseph Pereira (February 22, 2007)
February 15, 2007. Massive Insider Breach At DuPont. A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library. By: Larry Greenemeier
FBI loses 3-4 laptops a month, auditor says (02/12/07)
Head Of Nuclear Agency Leaving Under Pressure Over Security Lapses. AP Press Release, January 5, 2007
IT glitch 'could hit elections'. Burnley Council says problems could be nationwide. IT problems could cause disruption for more than 100 councils at May's local elections, the BBC has learned. March 27, 2007, BBC Staff Writer
Sidestepping Disaster; Raynor argues for a governance structure that will allow for safer growth. By Dean Foust, March 19, 2007
January 29, 2007 03:00 PM. TJX Stored Customer Data, Violated Visa Payment Rules. The company held on too long to cardholder data… By Larry Greenemeier
Telstra's $11M Network and IT Overhaul in Trouble. February 14, 2007 — CIO — Australian telecommunications giant Telstra is struggling to successfully upgrade its IT infrastructure…
• Changing environment
• Expanding risk exposures
• Increased global and regional interdependencies
• Higher risks with complicated supply chains
• Heightened impact of business disruption
• Greater financial implications of downtime
• Brand vulnerabilities
• Data integrity requirements
• More complex regulations
• Changing industry and regulatory standards
• Geographic dispersal requirements
• Varying regulations per country
Different risks exist in today’s complex business world, all of which can be mitigated by a single, enterprise resilience strategy.
[Figure: risk map. Horizontal axis: consequences (single-occurrence loss) in dollars per occurrence, low to high, from US $1,000 to US $100,000,000. Vertical axis: frequency of occurrences per year, infrequent to frequent, from 1/100,000 to 1,000. Risks plotted, grouped as data driven, event driven and business driven: virus, worms, disk failure, system availability failures, application outage, data corruption, network problem, pandemic, natural disaster, building fire, terrorism/civil unrest, regional power failures, workplace inaccessibility, failure to meet regulatory compliance, failure to meet industry standards, lack of governance. Source: IBM]
In working to help business meet these challenges, CIOs face their own set of concerns.
Risk mitigation pain points
Ensuring data is secure, available and accessible
Consistently meeting compliance regulations
Recovering from disruptive events
Identifying and encrypting business-critical data
Archiving data and accessing it for legal recovery
Protecting vital customer data from threats
Maintaining Web services security
Coordinating enterprise-wide data and facilities security
[Figure: balance of cost, consequence and risk]
An effective risk mitigation approach also needs to balance the costs of action against the consequences of non-action.
Cost vs Consequences
Cost of action
Hardware, software and services costs
Cost of recovery facilities
Need for new IT skills (internal or external)
Cost to business of more restricted access to information
Need for new and/or revised security and data management processes
Consequences of non-action
Loss of revenue
Lost productivity
Damaged reputation and brand image
Fines
Impaired financial performance
Customer dissatisfaction
Once the risks are adequately understood, the appropriate strategy and actions can be clearly identified.
Transfer: when a safeguard is not cost-effective and it is more cost-effective to transfer the risk to another entity (e.g., insurance, leaseback, outsource)
Accept: when no effective safeguards are found or they are too costly in relation to the asset value, or when the risk is deemed acceptable
Avoid/mitigate: when you can implement appropriate safeguards to reduce risks to an acceptable level at an investment cost appropriate to the exposed asset
What is needed is a holistic, integrated approach to risk management
Integrated risk management addresses today’s challenges and provides the processes and best practices to handle tomorrow’s change.
Security
Business Resilience
Identity management
Data security
Web and network security
Business continuity
Disaster recovery
Physical security
Security
Chen-Ing Hau: CIH Virus
Joseph McElroy: Hacked US Dept of Energy
Jeffrey Lee Parson: Blaster-B copycat
The Old Enemy
Photos from colleagues at F-Secure
Jeremy Jaynes: $24M SPAM KING
Jay Echouafni: Competitive DDoS
Andrew Schwarmkoff: Russian Mob Phisher
The New Enemy
Photos from colleagues at F-Secure
The Evolving Security Threat
– Big business driven by profit
– Innovation to capture new markets (victims)
– Victim segmentation and focus
– Rate of attacks is accelerating
– Form of attack is more malicious
– Attacks are “Designer” in Nature
Pressure: Consumers are afraid
1. Data security
2. Global Warming
3. Terrorism
4. Job loss
5. Disease or epidemics
6. Natural disasters
Source: Global Survey of Consumer Attitudes, Visa International
Pressure: Failures are big news…
LOST OPPORTUNITY
50% of consumers avoid making purchases online because they are afraid their financial information will be stolen (Source: Cyber Security Industry Alliance survey of consumers, 2007)
LOST REVENUE
The average cost per hour of unplanned downtime = $42,000, per 1000 transactions (Source: Alinen ROI Report)
LOST CUSTOMERS
33% of consumers notified of a security breach will terminate their relationship with the company they perceive as responsible (Source: Ponemon Institute, 2007)
…and big costs!!!
Typical Threats | Avg. Risk of Breaches per Year (per 1,000 users) | Avg. IT Staff Hours per Breach (Respond, Resolve and Forensics) | Avg. Business and Collateral Damage per Breach
Virus / Worms / Trojans | 2 | 4 hours per infected asset | $24,000
Denial of Service | 2 serious incidents | 32 hours per system | $122,000
Data Destruction / Damage | 1 | 120 hours | $350,000
Physical Theft Disclosure | 1 in 4 former employees leaves with assets | 2 hours | $5,000
Information Theft and Disclosure | 1 | 180 hours | $250,000
Policy Violation | 30 | 2 hours | $20,000
Errant User Behavior | 15 | 2 hours | $20,000
Source: The Alinen ROI Report, “Is There a Business Case for Security?”
Pressure: CEOs don’t look good in orange
1 - 2 years Escaping from prison
3 - 5 years Kidnapping involving Ransom
10 - 20 years Fraudulent SOX Certification
11 - 14 years Second Degree Murder
20 - 25 years Hijacking
Pressure: The “Barbarian” is inside the gate
The enemy is “us”:
– 90% of insider incidents are caused by privileged or technical users
– Most are inadvertent violations of:
• Change management process
• Acceptable use policy
• Account management process
– Others are deliberate, due to:
• Revenge (84%)
• “Negative events” (92%)
– Regardless, too costly to ignore:
• Internal attacks cost 6% of gross annual revenue or 9 dollars per employee per day
[Figure: Who causes internal incidents? Privileged or technical users 90%, other 10%]
Sources: Forrester Research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005/6; CSI/FBI Survey, 2005; National Fraud Survey; CERT, various documents.
Or is this the security problem?
Cost of “Effective Security” has been rising faster than our budgets
While Compliance continues to be the hammer with which we can secure funding – spending results in more point products to solve more point problems
The Complexity of the security problem and the solution makes it difficult to know how much security is “good enough”
Meanwhile… Too much security can reduce operating efficiency
The CSO Challenge: Manage Cost, Decrease Complexity, Improve Effectiveness, Assure Agility
[Figure: four trends plotted against time: cost of the average security and compliance program; complexity of the control environment; effectiveness of controls in addressing security risk; effect of security on operating agility]
A new approach to Security
The IBM Security Framework
– Common Policy, Event Handling and Reporting
– Security Governance, Risk Management and Compliance
– Domains: People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure
Designed to:
Enable innovation through secured infrastructure and platforms
Reduce number and complexity of required security controls
Reduce redundant security expenses
Improve organizational and operational agility and resiliency
Deliver needed visibility, control and automation
Managing digital identities reduces cost and increases efficiency
Dormant IDs or shared identities being used to inappropriately access resources
Cost of administering users and identities in-house
Privileged user activity unmonitored
Failing an audit
Understanding the identity risk gap
Securing data and information assures your most precious business asset
Data stored on removable media that can be lost or stolen
Data stored in the clear is easily accessible
Inconsistent data policies
Sensitive business data in unstructured forms
Costs of data breaches, notification, brand value
Failing an audit
Application security assures ability to transact business online
Web applications are #1 target of hackers seeking to exploit vulnerabilities
PCI regulatory requirements mandate application security
80% of development costs spent on identifying and fixing defects
Real and/or private data exposed to anyone with access to development and test environments, including contractors and outsourcers
End-to-end infrastructure security improves operational availability
Poor understanding of risks in new technologies and applications, including virtualization and cloud
Parasitic, stealthier damaging attacks
Inability to establish forensic evidence
Undetected breaches due to privilege access misuse and downtime from incidents
Compounding cost of managing an ever increasing array of security technologies
[Figure: the IBM Security Framework: Common Policy, Event Handling and Reporting; Security Governance, Risk Management and Compliance; People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure]
Reduce human cost of monitoring
Improve efficiency through continuous coverage
Integration with IT transaction systems and logical security systems
Preserve privacy with fewer humans watching screens, ability to recognize and obscure faces
Physical security infrastructure with environmentally aware systems
Proven Methodology for Security Management
Phase 1. Assessment
Action: Assess current level of security effectiveness and strengthen network and security posture by identifying vulnerabilities and weaknesses against best practices
Result: Gap analysis and resolution recommendations between current state and requirements.
Phase 2. Design
Action: Design and documentation of policies, procedures, and architecture/solutions to ensure protection and extension of business capabilities
Result: Creation of gap closure plan for short- and long-term resolution to ensure optimization of security infrastructure
Phase 3. Deployment
Action: Expert deployment, implementation, tuning, and change support
Result: Helps client execute gap closure plan, improve performance and cost savings
Phase 4. Management and Support
Action: Management of security infrastructure/program to meet defined business objectives
Result: Ensures gaps remain closed and new gaps are not opened by providing improved protection, lowering TCO, and demonstrating compliance
Phase 5. Education
Action: Education of organization on security best practices and best-of-breed technology
Result: Ensure employees understand their responsibilities with security best practices and regulatory compliance.
Business Resilience
Disruptions come in various guises
“What was the cause(s) of your most significant disaster declaration(s) or major business disruption?”
[Figure: survey responses by cause: power failure, IT hardware failure, network failure, IT software failure, human error, flood, hurricane, fire, winter storm, terrorism, earthquake, tornado, chemical spill, other, don’t know, never declared a disaster or major business disruption; individual percentages range from 1% to 42%]
Source: “Building The Business Case For Disaster Recovery Spending”, Forrester Research, Inc., April 2008
. . . and disruptions range in business impact
Downtime ranges from 300–1,200 hours per year, depending on industry (1)
In some industries, downtime costs can equal up to 16 percent of revenue (1)
For 32 percent of organizations, just four hours of downtime could be severely damaging (2)
Online security attacks are accelerating, causing downtime and loss of revenue
Data is growing at explosive rates
Security and resiliency are a top area of concern and spend for companies of all sizes
Some industries are enforcing fines for downtime and inability to meet regulatory compliance
Mitigation of compromised personal information is calculated at over $500 per incident (3)
(1) Infonetics Research, The Costs of Enterprise Downtime: North American Vertical Markets 2005, Rob Dearborn and others, January 2005.
(2) Continuity Central, “Business Continuity Unwrapped,” 2006, http://www.continuitycentral.com/feature0358.htm
(3) IBM Research 2007
The bottom line: disruptions can end in bankruptcy
“According to the U.S. National Archives and Records Administration, 25% of the companies that experienced an IT outage of two to six days went bankrupt immediately.”
- The Economist Intelligence Unit 2007, Business resilience: Ensuring continuity in a volatile environment
Approach to Business Continuity and Resiliency (advisory, proactive, responsive and reactive)
Resiliency Consulting Services: helps identify, quantify, and prioritize business and IT risks, then develop strategies and implement designs to address those risks
Infrastructure Recovery Services: helps eliminate the impact of disruptive events with IT and work area recovery
Managed Resiliency Services: helps balance workloads and reduce application, data, and system loss
Resiliency Consulting Services
Lifecycle methodology to help achieve sustainable improvements in business resilience.
[Figure: resilience lifecycle wheel: Assess (analyze), Plan (set objectives), Implement (design, deploy), Manage (control, monitor), Evaluate]
Inputs: business objectives, goals, priorities, policies and current capabilities
Business imperatives: information risk management, regulatory compliance, corporate governance
Outputs: reduced risk, improved governance and facilitated compliance management
To build a business resilience program, we start with an analysis of potential risks, their impact and your ability to mitigate them.
Assess: Analyze current and potential risks, and establish a risk profile by location, line-of-business function and business process.
– Determine impact of event: financial, opportunity and reputation.
– Analyze capabilities for mitigation to define customized risk framework and IBM business resilience framework.
– Identify risk areas for further analysis.
– Assess maturity of mitigation capabilities, including basic, managed, predictive, adaptive and resilient capabilities.
Next, objectives must be set for the reach and range of what risks you may need to mitigate.
Plan: Set objectives for risk mitigation or enhancement to help:
– Define the scope for the risk strategy.
– Select the risks that need to be mitigated or enhanced.
Design and implement your strategy and architecture to help protect your critical information and improve business resilience.
Implement: Design for business resilience:
– Business and financial justification
– Governance and authority and policies
– Systems management disciplines
– Physical and logical security
– Application and data
– Program execution
– Facilities
Deployment of business resilience:
– Protection of critical information
– Recoverability of business functions
A centralized governance program is required to ensure continued business resilience management, control and monitoring.
Manage: Control negative risk while enhancing positive risk.
Monitor current conditions to detect and respond to risks.
The resilience lifecycle enables continuous improvement to ensure your resilience strategy and architecture are current.
Re-assess: Evaluate performance:
– Utilize resilience project office.
– Evaluate resilience performance.
Report on performance:
– Produce daily, weekly, monthly, quarterly, yearly reports for management.
– Produce appropriate reports for corporate, industry or government auditors.
– Use resilience dashboard.
Infrastructure Recovery Services
Infrastructure Recovery Services can help you recover your IT and work area during times of disruption.
Offerings: IT recovery, virtual recovery, mobile recovery, work area recovery, information protection, Global Business Resilience Centers
Consider how you can prepare for and quickly recover from unexpected outage events
Does your enterprise currently have an IT recovery plan in place?
Do you know how quickly your business can recover from a disaster or unplanned disruption?
Are your customers and partners demanding that you have a disaster recovery plan?
When was the last time you exercised or tested your disaster recovery plan?
IT Recovery
Data center recovery
– Hardened and protected facilities
– Fully configured replacement technology and network connectivity
– Strategically located facilities
Bundled, preconfigured solutions mainly for small businesses
Portable, temporary recovery technology shipped within certain, agreed time
Recommended Facility (at a minimum)
24 hours a day, 7 days a week staffing by IBM recovery experts
Uninterruptible power supply (UPS) and diesel generator backup
Dual power grids
Badge access requirements and around-the-clock security patrol
Comprehensive fire-, smoke- and water-detection systems
Abundant parking with lighting and security patrols
Hurricane / earthquake resilient
Think about how your employees will stay productive during a disaster or disruption
How will you conduct business during a disaster or other disruption?
Can you ensure that key resources stay productive during an event?
Does your current recovery plan comply with regulatory requirements?
Where would your end users go to continue working? Do they know where to go?
Work Area Recovery options
You can select one or any combination of options:
– Dedicated seats: designed for the exclusive use of an individual company, dedicated seats provide around-the-clock, virtually real-time access to all seats and can be configured to meet your unique end user requirements (back office, trading room, call center)
– Shared seats: multiple companies subscribe to the same recovery area.
– Mobile seats: delivers mobile units to your site or an alternate site for temporary use
Managed Resiliency Services
Managed Resiliency Services include information protection and continuous availability services to help support operational resiliency and information recovery.
Services designed, implemented and managed by IBM
Services that help you manage your remote dedicated environment
Services to back up and protect your data and email onsite or remotely
[Figure: Managed Resiliency Services (information protection and continuous availability) plotted by level of engagement (data, technology, facilities, skilled resources) against level of resiliency (rapid recovery to managed continuity)]
Getting started can be as simple as working with your technology partner to answer a few questions.
How resilient is your organization?
– What’s your cost of downtime?
– What’s your cost of uptime?
– Are you spending too much or too little?
– Do you know what is in your risk profile?
– Do you feel comfortable mitigating your risks? Your partners’ risks?
– How robust is your resilience strategy?
How secure is your organization’s data?
– What critical/sensitive data do I have?
– Where is the data located?
– What are the points of access to the critical data?
– How are those access points protected?
– Who has access to what data?
– How do I monitor and report on who accesses my critical data?
Complimentary services to get you started
Business Continuity self-assessment tool: available online via ibm.com; provides a personalized graph that identifies potential gaps within the business, data and event threat areas
IBM Security Health Scan: complimentary scan of up to 25 IP addresses.
Trademarks and notes
IBM Corporation 2010
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
Adobe, the Adobe logo, PostScript, the PostScript logo, Cell Broadband Engine, Intel, the Intel logo, Intel Inside, the Intel Inside logo, Intel Centrino, the Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, IT Infrastructure Library, ITIL, Java and all Java-based trademarks, Linux, Microsoft, Windows, Windows NT, the Windows logo, and UNIX are trademarks or service marks of others as described under “Special attributions” at: http://www.ibm.com/legal/copytrade.shtml#section-special
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.