Securing Your Information Technology Infrastructure ...convention.jamaicaemployers.com/pdfs/2010/thursday... · Network, Server, and End-point Physical Infrastructure People and Identity

© 2010 IBM Corporation

Securing Your InformationTechnology Infrastructure / Investment

Pat TomlinsonServices and Solutions ManagerIBM World Trade [email protected] 6, 2010

© 2010 IBM Corporation2

Agenda

What is IT Infrastructure?

The current threat

Holistic approach to securing the IT Infrastructure (Risk Mitigation)

– Business Resilience

– Security

Next steps

Questions


Holistic view of the Enterprise

Strategy and vision

Organization

Processes

Applications and data

Technology

Facilities

Ris

k M

itiga

tion

Six layers of the business - each open to different risks


Information Technology Infrastructure

Everything that supports the flow and processing of information Including:

– Servers, storage and workstations– System and application software– Networking and other interconnecting hardware and software

Strategy and vision

Organization

Processes

Applications and data

Technology

Facilities

Ris

k M

itiga

tion


Today’s business world poses a whole new level of risk for organizations large and small.

Bacs system failure hits 400,000 salary payments Friday 30 March 2007 Up to 400,000 people will receive their salary three days late because the Bacs payment processing system - used by every bank in the UK - experienced a failure on Wednesday. By Will Hadfield

iTunes back to normal after holiday traffic quadruplesABC News, 12/28/06

Bill Would Punish Retailers For Leaks of Personal Data by Joseph Pereira (February 22, 2007)

February 15, 2007 Massive Insider Breach At DuPont

A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library.By: Larry Greeenemeier

FBI loses 3-4 laptops a month, auditor says (02/12/07)

Head Of Nuclear Agency Leaving Under Pressure Over Security LapsesAP Press Release, January 5, 2007

IT glitch 'could hit elections'Burnley Council says problems could be nationwideIT problems could cause disruption for more than 100 councils at May's local elections, the BBC has learned. March 27, 2007, BBC Staff Writer

Sidestepping Disaster; Raynor argues for a governance structure that will allow for

safer growth by Dean Foust March 19, 2007

January 29, 2007 03:00 PM TJX Stored Customer Data, Violated Visa Payment Rules The company held on too long to cardholder data… By Larry Greenemeier

Telstra's $11M Network and IT Overhaul in Trouble February 14, 2007 — CIO — Australian telecommunications giant Telstra is struggling to successfully upgrade its IT infrastructure…

• Changing environment• Expanding risk exposures • Increased global and regional interdependencies• Higher risks with complicated Supply Chains

• Heightened impact of business disruption• Greater financial implications of downtime• Brand vulnerabilities • Data integrity requirements

• More complex regulations• Changing industry and regulatory standards• Geographic dispersal requirements • Varying regulations per country

http://www.cio.com/

http://www.cio.com/


Different risks exist… in today’s complex business world—all of which can be mitigated by a single, enterprise

resilience strategy.

Frequency ofoccurrences

per year

1,000

100

10

1

1/10

1/100

1/1,000

1/10,000

1/100,000

Freq

uent

Infre

quen

t

Consequences (single occurrence loss) in dollars per occurrenceLow High

Virus

Worms Disk failure

System availability failures

Pandemic

Natural disaster

Application outage

Data corruption

Network problem

Building fire

Terrorism/civil unrest

Data driven

Event driven

Business driven

Failure to meet regulatory compliance

Workplace inaccessibility

Failure to meet industry standards

Regional power failures

Lack of governance

Source: IBM

US $1,000 US $10,000 US $100,000 US $1,000,000 US $10,000,000 US $100,000,000


In working to help business meet these challenges, CIOs face their own set of concerns.

Risk mitigation pain points

Ensuring data is secure, available and

accessibleConsistently meeting

compliancy regulations

Recovering from disruptive

events

Identifying and encrypting business-

critical data

Archiving data and accessing for legal

recovery

Protecting vital customer data from threats

Maintaining Web services security

Coordinating enterprise-wide data and facilities security


Cost

Consequence

Risk

An effective risk mitigation approach also needs to balance the costs of action against the consequences of non-action.


Cost vs Consequences

Cost of action

Hardware, software and services costs

Cost of recovery facilities

Need for new IT skills (internal or external)

Cost to business of more restricted access to information

Need for new and/or revised security and data management processes

Consequences of non-action

Loss of revenue

Lost productivity

Damaged reputation and brand image

Fines

Impaired financial performance

Customer dissatisfaction


Once the risks are adequately understood, the appropriate strategy and actions can be clearly identified.

Transfer When a safeguard is not cost-effective and it is more cost- effective to

transfer the risk to another entity

(e.g., insurance, leaseback, outsource)

Accept When no effective safeguards are found or are too costly in relationship to the asset value, or when the risk is deemed acceptable

Avoid/ mitigate

When you can implement appropriate safeguards to reduce risks to an acceptable level at an investment cost appropriate to the exposed asset

Risk


What is needed is a holistic, integrated approach to risk management

Integrated risk management

addresses today’s

challenges and provides the

processes and best

practices to handle

tomorrow’s changeSecurity

Business Resilience

Identity management

Data security

Web and network security

Business continuity

Disaster recovery

Physical security


Security


Chen-Ing HauCIH Virus

Joseph McElroyHacked US Dept

of Energy

Jeffrey Lee ParsonBlaster-B copycat

The Old Enemy

Photos from colleagues at F-Secure


Jeremy Jaynes$24M SPAM KING

Jay EchouafniCompetitive DDoS

Andrew SchwarmkoffRussian Mob Phisher

The New Enemy

Photos from colleagues at F-Secure


The Evolving Security Threat

– Big business driven by profit

– Innovation to capture new markets (victims)

– Victim segmentation and focus

– Rate of attacks is accelerating

– Form of attack is more malicious

– Attacks are “Designer” in Nature


Pressure: Consumers are afraid

1. Data security

2. Global Warming

3. Terrorism

4. Job loss

5. Disease or epidemics

6. Natural disasters

Source: Global Survey of Consumer Attitudes, Visa International


Pressure: Failures are big news…

LOST OPPORTUNITY

50% of consumers avoid making purchases online because they are afraid their financial information will be stolen (Source: Cyber Security Industry Alliance survey of consumers, 2007)

LOST REVENUE

The average cost per hour of unplanned downtime = $42,000, per 1000 transactions (Source: Alinen ROI Report)

LOST CUSTOMERS

33% of consumers notified of a security breach will terminate their relationship with the company they perceive as responsible (Source: Ponemon Institute, 2007)


…and big costs!!!

Typical Threats Avg. Risk of Breaches per Year (per 1,000 users)

Avg. IT Staff Hours per Breach (Respond, Resolve and

Forensics)

Avg. Business and Collateral Damage per Breach

Virus / Worms / Trojans 2 4 hours per infected asset $24,000

Denial of Service 2 serious incidents 32 hours per system $122,000

Data Destruction / Damage 1 120 hours $350,000

Physical Theft Disclosure 1 in 4 former employees leaves with assets

2 hours $5,000

Information Theft and Disclosure

1 180 hours $250,000

Policy Violation 30 2 hours $20,000

Errant User Behavior

15 2 hours

$20,000

Source: The Alinen ROI Report, “Is There a Business Case for Security?”


Pressure: CEOs don’t look good in orange

1 - 2 years Escaping from prison

3 - 5 years Kidnapping involving Ransom

10 - 20 years Fraudulent SOX Certification

11 - 14 years Second Degree Murder

20 - 25 years Hijacking


Pressure: The “Barbarian” is inside the gate

The enemy is “us”:

– 90% of insider incidents are caused by privileged or technical users

– Most are inadvertent violations of:

• Change management process

• Acceptable use policy

• Account management process

– Others are deliberate, due to:

• Revenge (84%)

• “Negative events” (92%)

– Regardless, too costly to ignore:

• Internal attacks cost 6% of gross annual revenue or 9 dollars per employee per day

Privileged or technical users (90%)

Other (10%)

Sources: Forrester research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005/6; CSI/FBI Survey, 2005; National Fraud Survey; CERT, various documents.

Who Causes Internal Incidents?


Or is this the security problem?

Cost of “Effective Security” has been rising faster than our budgets

While Compliance continues to be the hammer with which we can secure funding – spending results in more point products to solve more point problems

The Complexity of the security problem and the solution makes it difficult to know how much security is “good enough”

Meanwhile… Too much security can reduce operating efficiency


The CSO Challenge: Manage Cost, Decrease Complexity, Improve Effectiveness, Assure Agility

Cost of the average security and compliance program

Effectiveness of controls in addressing security risk

Effect of security on operating Agility

Time

Complexity of the control environment


A new approach to Security

The IBM Security Framework

Common Policy, Event Handling and Reporting



Security Governance, Risk Management and Compliance

Security Governance, Risk Management and Compliance

Network, Server, and End-point

Physical Infrastructure

People and Identity

Data and Information

Application and Process

Designed to….

Enable innovation through secured infrastructure and platforms

Reduce number and complexity of required security controls

Reduce redundant security expenses

Improve organizational and operational agility and resiliency

Deliver needed visibility, control and automation


Managing digital identities reduces cost and increases efficiency

Dormant IDs or shared identities being used to inappropriately access resources

Cost of administering users and identities in-house

Privileged user activity unmonitored

Failing an audit

Understanding the identity risk gap


Securing data and information assures your most precious business asset

Data stored on removable media that can be lost/stolen

Data stored in the clear is easily accessible

Inconsistent data policies Sensitive business data in

unstructured forms Costs of data breaches,

notification, brand value Failing an audit


Application security assures ability to transact business online

Web applications are #1 target of hackers seeking to exploit vulnerabilities

PCI regulatory requirements mandate application security

80% of development costs spent on identifying and fixing defects

Real and/or private data exposed to anyone with access to development and test environments, including contractors and outsourcers


End-to-end infrastructure security improves operational availability

Poor understanding of risks in new technologies and applications, including virtualization and cloud

Parasitic, stealthier damaging attacks

Inability to establish forensic evidence

Undetected breaches due to privilege access misuse and downtime from incidents

Compounding cost of managing an ever increasing array of security technologies




Securit y Governance, Risk Management and Compliance

Network, Server, and End-point

People and Ident it y

Data and Informat ion

Applicat ion and Process

Physical Infrast ructure

Reduce human cost of monitoring

Improve efficiency through continuous coverage

Integration with IT transaction systems and logical security systems

Preserve privacy with fewer humans watching screens, ability to recognize and obscure faces

Physical security infrastructure with environmentally aware systems


Proven Methodology for Security Management

Phase 5.Education

Phase 4.Management and Support

Phase 2.Design

Phase 1.Assessment

Phase 3.Deployment

Action: Assess current level of security effectiveness and strengthen network and security posture by identifying vulnerabilities and weakness against best-practices

Result: Gap analysis and resolution recommendations between current state and requirements.

Action: Design and documentation of policies, procedures, and architecture/solutions to ensure protection and extension of business capabilities

Results: Creation of gap closure plan for short and long-term resolution to ensure optimization of security infrastructure

Action: Management of security infrastructure/program to meet defined business objectives

Result: Insures gaps remain closed and new gaps are not opened by providing improved protection, lowering TCO, and demonstrating compliance

Action: Expert deployment, implementation, tuning, and change support

Results: Helps client execute gap closure plan, improve performance and cost savings

Action: Education of organization on security best practices and best-of-breed technology

Result: Ensure employees understand their responsibilities with security best practices and regulatory compliance.


Business Resilience


Disruptions come in various guises

“What was the cause(s) of your most significant disaster declaration(s) or major business disruption?”

Power failureIT hardware failure

Network failureIT software failure

Human errorFlood

HurricaneFire

Winter stormTerrorism

EarthquakeTornado

Chemical spillOther

Don’t knowNever declared a disaster or

major business disruption

4%12%

1%2%

3%

24%

4%6%

7%10%

12%16%16%

21%31%

42%

” “Building The Business Case For Disaster Recovery Spending”, Forrester Research, Inc., April 2008

http://www.drj.com/index.php?option=com_content&task=view&id=794&Itemid=159&ed=10


. . . and disruptions range in business impact

Downtime ranges from 300–1,200 hours per year, depending on industry1

In some industries, downtime costs can equal up to 16 percent of revenue1

For 32 percent of organizations, just four hours of downtime could be severely damaging2

Online security attacks are accelerating, causing downtime and loss of revenue

Data is growing at explosive rates Security and resiliency are a top area of concern and spend for all size

companies Some industries are enforcing fines for downtime and inability to meet

regulatory compliance Mitigation of compromised personal information is calculated at over $500

per incident3

1 Infonetics Research, The Costs of Enterprise Downtime: North American Vertical Markets 2005, Rob Dearborn and others, January 2005.2 Continuity Central, “Business Continuity Unwrapped,” 2006, http://www.continuitycentral.com/feature0358.htm3 IBM Research 2007

http://www.continuitycentral.com/feature0358.htm


The bottom line: disruptions can end in bankruptcy

“According to the U.S. National Archives and Records Administration, 25% of the companies that experienced an IT outage of two to six days went bankrupt immediately.”

- The Economist Intelligence Unit 2007, Business resilience: Ensuring continuity in a volatile environment


Reactive

Approach to Business Continuity and Resiliency

Helps identify, quantify, and prioritize business and IT risks, then develop strategies and implement designs to address those risks

Helps eliminate the impact of disruptive events with IT andwork area recovery

Helps balance workloads and reduce application, data, and system loss

Advisory

Proactive Responsive

Resiliency Consulting

Services


Services

Managed Resiliency Services


Infrastructure Recovery Services




Services


Services


Lifecycle methodology to help achieve sustainable improvements in business resilience.

Manage

Set objectives

Design

Deploy

Plan

Implem

e nt

ControlMonitor

Evaluate

Analyze

Resilience lifecycle

Asse

ss

Inputs: Business objectives, goals, priorities, policies and current capabilities

Information risk management

Regulatory compliance

Corporate governance

Business imperatives:

Outputs:Reduced risk, improved governance and facilitated compliance management


To build a business resilience program, we start with an analysis of potential risks, their impact and your ability to mitigate them.

Assess Analyze current and potential risks,

and establish a risk profile by location, line-of-business function and business process.

Determine impact of event: financial, opportunity and reputation.

Analyze capabilities for mitigation to define customized risk framework and IBM business resilience framework.

Identify risk areas for further analysis.

Assess maturity of mitigation capabilities, including basic, managed, predictive, adaptive and resilient capabilities.

Manage

Set objectives

Design

Deploy

Plan

Implem

e nt

ControlMonitor

Evaluate

Analyze


Asse

ss


Next, objectives must be set for the reach and range of what risks you may need to mitigate.

Plan Set objectives for risk mitigation or

enhancement to help:– Define the scope for the

risk strategy.

– Select the risks that need to be mitigated or enhanced.

Manage

Set objectives

Design

Deploy

Plan

Implem

e nt

ControlMonitor

Evaluate

Analyze


Ass

ess


Design and implement your strategy and architecture to help protect your critical information and improve business resilience.

Implement Design for business resilience:

– Business and financial justification

– Governance and authority and policies

– Systems management disciplines

– Physical and logical security

– Application and data

– Program execution

– Facilities

Deployment of business resilience– Protection of critical information

– Recoverability of business functionsManage

Set objectives

Design

Deploy

Plan

Implem

ent

ControlMonitor

Evaluate

Analyze


Ass

ess


A centralized governance program is required to ensure continued business resilience management, control and monitoring.

Manage Control negative risk while

enhancing positive risk.

Monitor current conditions to detect and respond to risks.

Manage

Set objectives

Design

Deploy

Plan

Implem

e nt

ControlMonitor

Evaluate

Analyze


Ass

ess


The resilience lifecycle enables continuous improvement to ensure your resilience strategy and architecture are current.

Re-assess Evaluate performance:

– Utilize resilience project office.

– Evaluate resilience performance.

Report on performance:– Produce daily, weekly,

monthly, quarterly, yearly reports for management.

– Produce appropriate reports for corporate, industry or government auditors.

– Use resilience dashboard.Manage

Set objectives

Design

Deploy

Plan

Implem

e nt

ControlMonitor

Evaluate

Analyze


Ass

ess





Infrastructure Recovery Services can help you recover your IT and work area during times of disruption.

Mobile recovery

Information Protection

Work area recovery

IT recoveryVirtual recovery

Global Business Resilience Centers

Information ProtectionInformation Protection


Consider how you can prepare for and quickly recover from unexpected outage events

Does your enterprise currently have an IT recovery plan in place?

Do you know how quickly your business can recover from a disaster or unplanned disruption?

Are your customers and partners demanding that you have a disaster recovery plan?

When was the last time you exercised or tested your disaster recovery plan?

IT recovery


IT Recovery

Data center recovery – Hardened and protected facilities

– Fully configured replacement technology and network connectivity

– Strategically located facilities

Bundled, preconfigured solutions mainly for small businesses

Portable, temporary recovery technology shipped within certain, agreed time


Recommended Facility (at a minimum)

24 hour a day, 7 day a week staffing by IBM recovery experts

Uninterruptible power supply (UPS) and diesel generator backup

Dual power grids

Badge access requirements and around-the-clock security patrol

Comprehensive fire-, smoke- and water-detection systems

Abundant parking with lighting and security patrols

Hurricane / earthquake resilient


Think about how your employees will stay productive during a disaster or disruption

How will you conduct business during a disaster or other disruption?

Can you ensure that key resources stay productive during an event?

Does your current recovery plan comply with regulatory requirements?

Where would your end users go to continue working? Do they know where to go?

Work Area Recovery


Work Area Recovery options

Dedicated seats: designed for the exclusive use of an individual company, dedicated seats provide around-the-clock, virtually real-time access to all seats and can be configured to meet your unique end user requirements (back office, trading room, call center)

Shared seats: multiple companies subscribe to the same recovery area.

Mobile seats: delivers mobile units to your site or an alternate site for temporary use

You can select one or any combination of options:





Managed Resiliency Services include information protection and continuous availability services to help support operational resiliency and information recovery.

Services designed, implemented and managed by IBM

Services that help you manage your remote dedicated environment

Services to back up and protect your data and email onsite or remotely

Leve

l of e

ngag

emen

t

CONTINUOUS AVAILABILITY


INFORMATION PROTECTION

Data

Technology

Facilities

Skilled resources

LEVEL OF RESILIENCY

Managed continuity Rapid recovery


Getting started can be as simple as working with your technology partner to answer a few questions.

How resilient is your organization?– What’s your cost of downtime?– What’s your cost of uptime?– Are you spending too much or too little?– Do you know what is in your risk profile?– Do you feel comfortable mitigating your risks?

Your partners’ risks?– How robust is your resilience strategy?

How secure is your organization’s data?– What critical/sensitive data do I have?– Where is the data located?– What are the points of access to the critical data?– How are those access points protected?– Who has access to what data?– How do I monitor and report on who accesses my

critical data?


Complimentary services to get you started

Business Continuity self-assessment toolAvailable online via ibm.com; provides a personalized graph that identifies potential gaps within the business, data and event threat areas

IBM Security Health ScanComplimentary scan of up to 25 IP addresses.

http://www-935.ibm.com/services/us/bcrs/self-assessment/index.html

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=healthscan




Trademarks and notes

IBM Corporation 2010

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Adobe, the Adobe logo, PostScript, the PostScript logo, Cell Broadband Engine, Intel, the Intel logo, Intel Inside, the Intel Inside logo, Intel Centrino, the Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, IT Infrastructure Library, ITIL, Java and all Java-based trademarks, Linux, Microsoft, Windows, Windows NT, the Windows logo, and UNIX are trademarks or service marks of others as described under “Special attributions” at: http://www.ibm.com/legal/copytrade.shtml#section-special

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

http://www.ibm.com/legal/copytrade.shtml



Documents

Securing Your Information Technology Infrastructure ...convention.jamaicaemployers.com/pdfs/2010/thursday... · Network, Server, and End-point Physical Infrastructure People and Identity