The Evolving Security Landscape: Security and Compliance Trends

Andreas M Antonopoulos, Senior Vice President & Founding Partner
www.nemertes.com


Agenda

• About Nemertes
• Security and Compliance Trends
• Conclusion and Recommendations

© Copyright 2010 Nemertes Research


Nemertes: Bridging the Gap Between Business & IT

• Quantifies the business impact of emerging technologies
• Conducts in-depth interviews with IT professionals
• Advises businesses on critical issues such as:
  Unified Communications, Social Computing, Data Centers & Cloud Computing, Security, Next-generation WANs
• Cost models, RFPs, architectures, strategies


Security and Compliance Trends


Security and Compliance Outlook

[Timeline figure: three eras, 1990-2000 → 2001-2009 → 2010-2011+]

Malware:            Viruses → Worms/Trojans → Polymorphic attacks/malware
Web attacks:        Website defacement → XSS and SQL injection
Denial of service:  DoS → Rise of the botnets/DDoS → Silent botnets
Fraud:              Phishing/identity theft (2001-2009 onward)
Attacker motive:    Hacking for fun and fame → Organized cybercrime → Cyber warfare
Regulation:         HIPAA, GLBA, Sarbanes-Oxley → PCI-DSS, Amended FRCP, Breach notification → HITECH, National breach disclosure


De-Perimeterization

• Is that a word? No, but it's happening anyway!
• You used to have "The Internet Connection" and "The Firewall"
• We are rapidly moving to ubiquitous connectivity and mobility
• The Internet is everywhere! There is no INSIDE and OUTSIDE in your network


The Changing End-User Landscape

• Employee personal use of technology influences IT decisions for 46% of organizations
• About 67% of organizations have a formal telework policy
• iPhone already a target of attacks against known vulnerabilities
• Mobile devices are a significant data loss risk

The line between personal and work computing is blurring


Security by Location

• Most security today is LOCATION-CENTRIC
• Servers and desktops are becoming virtual
• Firewalls, VLANs, ACLs, IP addresses are all locations
• Location should not be the foundation of your security policy!
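The contrast this slide draws, as an added example that is not part of the Nemertes deck: the same two requests are evaluated once by a location-centric rule (source address is "inside") and once by a user-centric rule (who is asking, from what kind of device). The network ranges, user records, resource names and device-posture fields are constructed for illustration and are assumptions, not anything the slides specify.

```python
"""Location-centric vs. user-centric access decisions (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed "inside" ranges: a classic firewall/ACL policy trusts anything here.
INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class AccessRequest:
    src_ip: str
    user: Optional[str] = None        # authenticated principal, None if anonymous
    groups: Set[str] = field(default_factory=set)
    mfa: bool = False                 # strong authentication completed
    device_managed: bool = False      # device enrolled and passing posture checks
    resource: str = "payroll-db"      # constructed resource name


def location_policy(req: AccessRequest) -> bool:
    """Location thinking: allow if the packet comes from an 'inside' address."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in INSIDE_NETWORKS)


# Constructed per-resource policy keyed by identity and device attributes.
RESOURCE_POLICY = {
    "payroll-db": {"groups": {"finance"}, "require_mfa": True,  "require_managed": True},
    "wiki":       {"groups": {"staff"},   "require_mfa": False, "require_managed": False},
}


def identity_policy(req: AccessRequest) -> bool:
    """User thinking: decide on principal, group, MFA and device state; ignore the address."""
    rule = RESOURCE_POLICY.get(req.resource)
    if rule is None or req.user is None:
        return False                  # unknown resource or unauthenticated caller
    if not rule["groups"] & req.groups:
        return False                  # no qualifying group membership
    if rule["require_mfa"] and not req.mfa:
        return False
    if rule["require_managed"] and not req.device_managed:
        return False
    return True


def compare(req: AccessRequest) -> Tuple[bool, bool]:
    """Return (location_decision, identity_decision) for one request."""
    return location_policy(req), identity_policy(req)


if __name__ == "__main__":
    # A compromised, unmanaged contractor laptop on the office LAN:
    # the location rule says yes, the identity rule says no.
    lan_unmanaged = AccessRequest("10.1.2.3", user="contractor", groups={"staff"})
    # The CFO at a cafe on a managed laptop with MFA:
    # the location rule says no, the identity rule says yes.
    remote_cfo = AccessRequest("203.0.113.7", user="cfo", groups={"finance", "staff"},
                               mfa=True, device_managed=True)
    for name, req in [("lan_unmanaged", lan_unmanaged), ("remote_cfo", remote_cfo)]:
        print(name, "location/identity ->", compare(req))
```

The two rules disagree on exactly the cases the slide cares about: a machine that is physically inside but untrusted, and a person who is outside but fully verified. Moving the decision to identity attributes also means the policy survives the server being virtualized or moved to another subnet.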


Compliance on the Rise

• If Enron gave us Sarbanes-Oxley, what will 100xEnron give us?
• Legislation to pass a national breach disclosure law
• HITECH Act adds more teeth to HIPAA
• PCI-DSS is driving security behavior
• Compliance drives security spending for 37% of organizations
• Compliance requirements will get more prescriptive, with sharper teeth


Data-Centric Security

• Data-centric means INSPECTING and PROTECTING the data, regardless of where it is
• Anti-malware inwards, data leakage outwards
• Content inspection
• Encryption
• Fingerprinting ALL DATA

[Figure: ALL DATA is SUBJECT TO SEARCH; data objects carry digital certificates and security meta-data]
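Two of the bullets above, content inspection of outbound data and fingerprinting of sensitive data, as an added example that is not part of the Nemertes deck. The inspector looks for primary account numbers (a PCI-DSS concern) using a Luhn check to suppress random digit strings, and matches salted SHA-256 fingerprints of known sensitive records so that the inspector never stores the records themselves. The sample records, the message being inspected and the salt are constructed.

```python
"""Data-centric content inspection of outbound text (added example)."""
import hashlib
import re
from typing import Dict, List, Set


# --- Fingerprinting: keep hashes of sensitive values, not the values ---

def normalize(value: str) -> str:
    """Canonical form so 'Jane  Doe' and 'jane doe' fingerprint identically."""
    return " ".join(value.lower().split())


def fingerprint(value: str, salt: bytes) -> str:
    """Salted SHA-256 of the normalized value; the salt lives only with the inspector."""
    return hashlib.sha256(salt + normalize(value).encode("utf-8")).hexdigest()


def build_fingerprint_index(records: List[str], salt: bytes) -> Set[str]:
    """Index of fingerprints for every record that must not leave the organization."""
    return {fingerprint(r, salt) for r in records}


# --- Content inspection: card-number detection with Luhn validation ---

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in longer digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random or mistyped digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_outbound(text: str, index: Set[str], salt: bytes) -> Dict[str, List[str]]:
    """Inspect text leaving the organization: PAN hits plus fingerprinted record matches."""
    findings: Dict[str, List[str]] = {"pan": find_pans(text), "fingerprint": []}
    seen: Set[str] = set()
    for line in text.splitlines():
        # Try the whole line and each comma/semicolon field so exact records match.
        for chunk in [line] + re.split(r"[,;]", line):
            key = normalize(chunk)
            if key and key not in seen and fingerprint(chunk, salt) in index:
                seen.add(key)
                findings["fingerprint"].append(key)
    return findings


if __name__ == "__main__":
    SALT = b"constructed-salt-keep-secret"                   # constructed
    index = build_fingerprint_index(["Jane Doe,123-45-6789"], SALT)  # constructed record
    message = ("Hi,\n"
               "please process 4111 1111 1111 1111 today.\n"   # constructed valid test PAN
               "Jane  Doe,123-45-6789\n"
               "ref 4111111111111112\n")                       # fails Luhn, not a PAN
    print(inspect_outbound(message, index, SALT))
```

Exact-match fingerprinting catches records copied verbatim; a reworded or partially copied document needs partial-document matching, which this example does not attempt. The salt matters: without it, anyone who obtains the index can confirm guesses about the records it protects by hashing candidates.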


What Should You Be Doing?

Urgent: Act Now
Assess compliance posture against the current and future IT environment. Perform a gap analysis.

Short-Term Plans
Assess the gap analysis and prioritize the controls necessary to meet compliance requirements for today and tomorrow.

Long-Term Plans
Implement a continuous compliance process that monitors compliance posture in real time.

Specific Needs
Determine what is in scope and what is out of scope for compliance, and plan separation/isolation of in-scope data.


Compliance Roadmap: Urgent, Act Now

• Evaluate current IT environment
• Assume the security perimeter is dissolving
• Plan future IT environment
• Assess compliance of both plans
• Perform gap analysis


Compliance Roadmap: Short-Term Plans

• Assess output of gap analysis
• In-scope versus out-of-scope data
• Work with auditors to prioritize gaps
• 80/20 rule applies: start with low-hanging fruit
• People, process and technology


Compliance Roadmap: Long-Term Plans

• Process in place to close compliance gaps
• Regular self-assessment of compliance
• Develop continuous compliance process


Conclusions and Recommendations

• The security landscape is changing rapidly
  - Continually reassess security plans and posture
• Security must match changing enterprise use of technology
  - Assume today's consumer technology is tomorrow's enterprise technology
• Inside the firewall is "good" … outside the firewall is "bad" … is 20th century thinking
  - The dynamics of computing clash with a rigid firewall plan and mindset
  - Emphasis must shift from location-based to user-based security
• Compliance is a driving force in security planning and spending
  - Engage the compliance function early and often
  - Pay particular attention to privacy regulations and legislation
  - Successful compliance requires focus on people, process and technology


Thank You

Andreas M Antonopoulos, SVP & Founding Partner
[email protected]