Top Security Trends and Takeaways for 2011

Transcription

Top Security Trends and Takeaways for 20112012
Gartner The Future of IT Conference
October 4-6, 2011
Centro Banamex
Mexico City, Mexico
Notes accompany this presentation. Please select Notes Page view.
These materials can be reproduced only with written approval from Gartner.
Such approvals must be requested via email: [email protected].
Gartner is a registered trademark of Gartner,
Gartner Inc.
Inc or its affiliates.
affiliates
This presentation, including any supporting materials, is owned by Gartner, Inc.
and/or its affiliates and is for the sole use of the intended Gartner audience or
other authorized recipients. This presentation may contain information that is
confidential, proprietary or otherwise legally protected, and it may not be further
copied, distributed or publicly displayed without the express written permission
of Gartner, Inc. or its affiliates.
© 2011 Gartner, Inc. and/or its affiliates. All rights reserved.
Gregg Kreizman
Top Security Trends and Takeaways for 2011-2012
IT security technologies are less important as a discrete CIO priority today than in past years.
years However
However,
security remains an embedded, key aspect of many of the listed high-priority initiatives. For example, security
concerns are the greatest inhibitor to the adoption of cloud computing.
Security spending may be categorized as "operational" or "project-based." Operational security spending
comprises such mature functions as firewall support, antivirus/anti-malware subscriptions and password
management, to name but a few on a long list. Even during a recession, most organizations will not reduce
p
g "buckets" byy much,, because theyy are a true cost of doingg business. Ceasingg to spend
p
on
these securityy spending
these items can lead to potentially catastrophic business risk events, just to pare a few dollars from an already
constrained security budget. New capital-intensive projects, to choose and implement functions like data loss
prevention (DLP), network access control (NAC) or virtualization security, were often tabled, delayed or
downsized last year. We see signs that they will be started again in 2011, depending on the level of general
economic improvement. In addition, as new enterprise applications start being instituted again, security
projects associated with them will follow. As happened in 2009-2010, new projects that present prospects for
near to midterm IT savings — such as cloud computing
near-to-midterm
computing, software as a service (SaaS),
(SaaS) managed security
service (MSS) and multifunction security platforms to reduce capital and management costs — will often be
funded.
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the
intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential,
proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express
written permission of Gartner, Inc. or its affiliates.
Gregg Kreizman
MEX38L_118, 10/11
Page 1
Gregg Kreizman
MEX38L_118, 10/11
Page 2
The term APT is new
new, but the threat of targeted attacks is not (see "Prevent
Prevent Targeted Attacks
Attacks" G00130303).
G00130303)
Gartner estimates that, although fewer than 10% of Internet attacks are targeted against a single company, the financial
impact on an individual business of a single, successfully targeted attack will be 50 to 100 times greater than the impact
of a successful worm or virus event. Law enforcement agencies continue to report significant increases in targeted attacks
launched by cybercriminals.
Targeted attacks aim to achieve a specific impact against specific enterprises, and have three major goals:
• Denial of service: disrupting business operations
• Theft of service: obtaining use of the business product or service without paying for it
• Information compromise: stealing, destroying or modifying business-critical information
The motivation is usually financial gain, such as through extortion during a denial-of-service attack, trying to obtain
"ransom" for stolen information, or selling stolen identity information to criminal groups. Although, recently, we have
seen a rash of disclosures as companies publicly announce losses of customer-sensitive data, most targeted attacks do not
get any publicity because enterprises do not want to expose the extent of the damage an attack may have caused.
g
attacks can use custom-created executables that are rarely
y detected byy signature-based
g
techniques.
q
To be
Targeted
successful, such attacks generally require some means of communication back to an outside party, whether out of band —
as when an insider puts information onto removable media and physically carries it outside of enterprise control — or in
band — as when Internet mechanisms are used.
Gregg Kreizman
MEX38L_118, 10/11
Page 3
Gregg Kreizman
MEX38L_118, 10/11
Page 4
Do you believe that the security currently applied to mobile devices such as smartphones and tablets used in
your organization is adequate and would satisfy an auditor?
USA
Western Europe
Yes, security is adequate to pass an audit
27%
Maybe, the adequacy of security is not known 31%
28%
32%
No, security is not adequate to pass an audit
41%
42%
Source: "CIO attitudes to consumerization of mobile devices and applications," Nick Jones, N = 148-157
The graph provides a framework for comparing the severity of smartphone security incidents to the frequency
by which they occur. It shows that most of the incidents that lead to attacks against phones either happen rarely
or are limited in their ability to inflict damage. The main risks faced by phone users are brought about by
exposures caused by failing to configure their phones in a secure profile and by simply leaving them behind to
be lost or stolen. The largest and most consistent source of angst regarding smartphone attacks come from
vendors
d selling
lli smartphone
t h
security
it software.
ft
If phones
h
are properly
l locked,
l k d basic
b i data
d t encryption
ti is
i invoked,
i
k d
and all current updates and patches are applied, users face very little risk in 2011 of a major attack.
Gregg Kreizman
MEX38L_118, 10/11
Page 5
Gregg Kreizman
MEX38L_118, 10/11
Page 6
Be aware that different cloud models have different risk implications that must be accounted for.
for Essentially,
Essentially
cloud computing enables a decoupling of the layers, with both the buyer and seller taking on whatever level of
value add they are most comfortable with. In an increasing number of cases, the provider is itself the buyer of a
lower layer service, such as a platform, infrastructure or physical rack space.
Different forms of control and security are provided at each level. In a SaaS model, in which virtually the
entire system is externally provisioned, the buyer has almost no ability to add security mechanisms or controls,
p
for the majority
j y of
other than what the pprovider has made available to it. The service pprovider is responsible
the security mechanisms.
In a platform as a service (PaaS) model, security controls usually need to be located both within the application
and the platform, meaning that both the provider and customer have some level of responsibility. A growing
number of SaaS offerings are actually hosted within some other vendors platform or infrastructural service.
If a vendor controls your data, then you do not:
• Their people,
people their code,
code their features,
features their processes
• Their government, their legal system, their culture
Gregg Kreizman
MEX38L_118, 10/11
Page 7
For low-security
low security environments
environments, or for workloads that have simple security requirements,
requirements relying on the
security built into the private cloud infrastructure or into the public cloud service will be good enough — just
as it was in more-traditional insourcing and outsourcing. This will represent roughly 20% of the overall
market.
At the high end, security will be kept separate from private or public cloud infrastructure — just as we did on
when internal network were virtualized. The VMsafe API is an example of a mechanism to require all securityrelevant flows be externalized so that existing and separate security processes can examine them and enforce
security policies. This will represent approximately 20% of the market.
The vast middle will compromise and run security workloads in the private cloud and public cloud
environments, as long as sufficient separation of duties and audit/visibility can be provided.
Gregg Kreizman
MEX38L_118, 10/11
Page 8
Gregg Kreizman
MEX38L_118, 10/11
Page 9
There are three potential control points for social media use,
use regardless of whether the solution is internal or
external, private or public. The endpoints used to access the solution have potential for both monitoring and
control, but the increasing diversity of endpoints and increasing use of employee-owned devices limits the
ability of the security team to manage a control solution within the endpoint. The network between the user
and the social media platform is a logical chokepoint for data movement and supports a variety of robust
control options utilizing DLP, firewalls and similar technology to filter, block and capture activity.
Unfortunately, as with the endpoint, the user can elect to operate on multiple networks, not all of which enable
control by the enterprise.
The social media platform itself can be a strong control point, but this strength varies greatly, depending on the
ownership and administration of the platform. Of the three control locations, the platform is the one location
that persists as the user leverages multiple endpoints and networks to access services.
Gregg Kreizman
MEX38L_118, 10/11
Page 10
Gregg Kreizman
MEX38L_118, 10/11
Page 11
Many buyers of enterprise-DLP
enterprise DLP solutions are motivated by an immediate corporate or government compliance
need but are also very interested in the longer-term vision of granular control over all the data that flows
around a modern organization (see "Critical Capabilities for Content-Aware Data Loss Prevention"
G00200831). Many implementations only use a small subset of the total capabilities. Often, what has been
implemented is often the functionality subset that can be achieved with a channel-DLP solution from an
incumbent provider at substantially lower cost and complexity.
For example,
example DLP on ee-mail
mail traffic to identify and encrypt sensitive information is still the most
most-frequently
frequently
deployed feature of an enterprise-DLP solution. Yet, a significant portion of e-mail DLP functionality is
available in many incumbent anti-spam e-mail security solutions (for example, Cisco/IronPort,
McAfee,Proofpoint, Clearswift, Google, Symantec/MessageLabs, Websense). Furthermore, it is the e-mail
solutions that have a tight integration with e-mail encryption, which is the most common remediation
technique for data policy compliance.
Gregg Kreizman
MEX38L_118, 10/11
Page 12
Gregg Kreizman
MEX38L_118, 10/11
Page 13
There are several use cases that Gartner discusses with clients.
clients Prior to 2009
2009, these interactions focused on
enterprise access to enterprise systems within the perimeter and on consumers' access to enterprise systems.
The greatest trend since 2009 has been the increase focus on provided access to cloud based applications, and
enterprise-to-cloud has been the most common thread. This has given rise to increased interest in identity
federation and has spawned a market for IAMaaS. Each of the core IAM functions must still be addressed.
Moving applications to the cloud does not undo the need for IAM, but does put increased burden on enterprises
to manage identity consistently and effectively.
Gregg Kreizman
MEX38L_118, 10/11
Page 14
IAMaaS service providers began offering their services with different goals in mind
mind. Some vendors began as
community or industry federation providers that joined up groups of customers with common needs for the
purposes of accessing a common set of applications. Others have taken traditional on-premises IAM software
stacks and are using them to provide IAM services to enterprises for new and legacy applications within the
enterprise environment. A third IAMaaS class includes vendors that have built their services from the ground
up to support Web applications, and to primarily support the employer-to-SaaS use case. Some providers also
support access control functions for customers' internal Web applications. They also support the customers'
customers for accessing outsourced applications. This gets the customer out of the IAM business for its own
customers. While vendors had these different beginnings, the picture has become less clear as vendors extend
their models to incorporate the use cases and target system requirements of their current and potential
customers.
Action Item: Know your potential provider's pedigrees prior to buying services. Your provider may seek to use
you to recover costs for extending its offerings to new use cases or target systems.
Gregg Kreizman
MEX38L_118, 10/11
Page 15
Gregg Kreizman
MEX38L_118, 10/11
Page 16
Today s security concept is based on noncohesive vulnerability scanning and monitoring along unrelated stovepipes: networks,
Today's
networks
databases, desktops and applications. Security analysis is limited to reviews of monitors' logs and scanners' reports. It lacks
knowledge management, analytics and planning capabilities. That concept should be transformed into enterprise security intelligence
(ESI), enabling correlation and impact analysis across all intelligence sources, systems' security understanding, knowledge
management and actionable advice.ESI should be an implementation, delivery and sales model whose value is based on intelligence,
not on the amount of invested efforts; in other words, whose value is based on the ability to deliver intelligent actions and decisions,
not on a number of conducted scans, duration of monitoring, volume of analyzed program code or complexity of network topology.
Intelligence has two meanings: (1) the ability to acquire and apply knowledge and skills; and (2) the collection of information of
military or political value (as defined in the New Oxford American Dictionary).
Dictionary) We have learned how to collect information,
information but we
have not excelled at acquiring and applying knowledge. It is time to do it.
It is important to understand that ESI is not a market, but a paradigm, and therefore it is not a substitute for any existing market (for
example, SIEM, DAST or DAM). ESI's objective is to encompass all these markets and technologies. ESI should be used as a
common reference point (like SOA or BI concepts in their respective use cases). As a concept, ESI mitigates resolutions of the
problems that market silos are causing. ESI is bridging those markets. As a concept, ESI enables a common strategy for vendors and
enterprises; selection criteria and best practices; common features that technologies should have, regardless of the market they
belong
g to (for
( example,
p , per
p ESI,, advanced SAST tools should have SIEM repository,
p
y, or data-maskingg tools should have static and
real-time dynamic correlation capabilities).
Gregg Kreizman
MEX38L_118, 10/11
Page 17
Gregg Kreizman
MEX38L_118, 10/11
Page 18
Howard Chase and Ray Ewing are considered the "fathers
fathers of issues management"
management — and what you see in this
slide is known as "The Chase Curve." At the heart of their theory about the life cycle of public policy issues is
that regulation or other legislative initiatives grow out of the gap (real or perceived) between societal
expectations and the future.
Think about some recent and historical regulations and compliance mandates that have come about and what
the gaps were in societal expectations.
S b
Sarbanes-Oxley
O l and
d the
h formation
f
off the
h Public
P bl Company
C
Accounting
A
Oversight
O
h Board
B d (PCOAB) in the
h U.S.
US
and the 8th Company Law Directive in Europe: The gap in expectation is that corporate executives of publicly
held companies will run the business in an honest and ethical way, and accountants are there to catch mistakes
and misdeeds.
The U.S. Patriot Act: The gap is that the government does not have the extraordinary measures it needs to
protect the country and fight the war on terrorism after the events of 11 September 2001.
Action Item: Track public policies that affect your organization, and have a strategy to influence and respond
to them.
Gregg Kreizman
MEX38L_118, 10/11
Page 19
Gregg Kreizman
MEX38L_118, 10/11
Page 20
Strategic Imperative: Raw metrics are the starting point, but they must be contextualized and
integrated into your risk decision-making process.
Successful security metrics begin at the bottom with raw data,
data but they cannot end there.
there At the end of the day,
day without
context, it is just a collection of bits and bytes with no value. It behooves security risk professionals to turn that data into
information to support our decision making, which, in turn, helps us support our enterprise's ability to deliver on its goals
in a risk-resilient manner. Successful security metrics involve the following:
• Not only collecting raw data, but bundling it together in logical groupings, ensuring that it is understood within
context, understanding dependencies and impacts placing it within a standard framework to support …
g
p service
• Evaluation — is the threat associated with a pparticular data ppoint relevant? Does it fall outside our agreed-upon
levels? Is it really impactful on our business, either today or next year? Or does it represent a theoretical risk, rather
than practical one? All of this enables us to …
• Managing our risks. Good security metrics should support our risk management program and activities. They should
help us prioritize what we treat now, next year or never. Metrics should help us be efficient and effective, and they
must represent a understanding of what business we are in.
Action Item: Look at what you are reporting. Do your metrics have any relationship to the realities of your enterprise's
goals
l or mandates?
d t ?
Action Item: Build up from what you can collect, but ensure that you report on what is meaningful to your audience(s).
Gregg Kreizman
MEX38L_118, 10/11
Page 21
The relationship between risk management and performance should be conceptually and intuitively obvious.
obvious Improperly
managed risk can lead to business failures and poor business performance. However, making this relationship measurable
has eluded most organizations. As a result, the benefits of many operational risk management activities are not clear to the
business people who are most at risk, and they often fail to take advantage of available risk information when making
critical business decisions.
To address these issues, a business should develop credible, discrete business performance measures, and risk
management efforts should produce credible, discrete risk indicators that directly impact those business performance
measures. What
Wh iis needed
d d is
i a deeper
d
andd common understanding
d
di off how
h risk
i k events affect
ff business
b i
performance.
f
The
Th
fundamental concept is that KRIs are leading indicators that business performance is at risk. The following is a simple
example. An organization has a KRI that measures patching levels on critical systems that host supply chain support
applications. It also has a KPI that measures the operation of the supply chain. It's important to note that the supply chain
KPI is a business metric — not an IT metric. When the patching KRI turns from green to yellow or red, it is a leading
indicator that the supply chain may suffer failures or slowdowns that would impact the supply chain KPI, which is a
leading indicator that the company may miss a revenue target. This relationship and mapping can demonstrate to business
executives why they need to heed KRIs and can help them make better business decisions based on those KRIs.
KRIs
Gregg Kreizman
MEX38L_118, 10/11
Page 22
Gregg Kreizman
MEX38L_118, 10/11
Page 23
Network and desktop-based
desktop based security controls have been in use for over 15 years.
years While threats continue to
change, the need for a new security product every time a new threat is launched has lessened as the mature
security controls have evolved into security platforms:
• Secure E-Mail Gateway
• Web Security Gateway
• Next-Generation Firewall
• Endpoint Protection Platform
• Security Information and Event Monitoring
These platforms evolve to address new threats and should be used a vehicles to make sure security vendors
obey Moore's law — either the cost of the platforms decrease each year or they offer new threat protection
while the price remains constant.
The consumerization trend also brings in mobility, making the delivery of "security as a service" a key
requirement for all security controls.
Gregg Kreizman
MEX38L_118, 10/11
Page 24
Most organizations initially implement activity monitoring
monitoring. Reports are produced to track system and database
administrator activity on critical systems while other reports monitor access to critical resources. Service
mapping is needed even in this first step, in order to establish monitoring for asset groupings that have
compliance or security relevance (financial reporting systems for SOX, systems that hold proprietary data,
etc.). The reports are distributed and examined on a daily basis in a search for exceptions. Report recipients
begin to request exception reports to reduce time and effort. Exception reporting requires a reconciliation of
observed activity with the user's role and access restrictions and also with the record of approved changes. This
requires integration of activity monitoring with identity and access management systems (to obtain role
information and access restrictions) and integration with change management systems (to obtain information
about approved changes, related IT components, change windows and authorized change implementers).
Action Item: Include an evaluation of IAM and change management integration capabilities in SIEM
technology selection decisions.
Gregg Kreizman
MEX38L_118, 10/11
Page 25
But why do we even care about IAM? What is its true purpose in the enterprise? How do those drivers evolve
over time? We have noted a consistency to the drivers of IAM. They remain (1) efficiency, which is primarily
an IT advantage, in streamlining those IT operations that usually require labor, time, or cost-intensive
procedures regarding the establishment and modification of access for people and systems. There are some
business efficiencies, but not as much as IT. (2) Where the business does get more involved is in the
effectiveness driver, where the enterprise leads in an effort to leverage IAM in pursuit of specific business
requirements, commonly around compliance and risk. (3) Finally there is business enablement, where a
transformational experience is possible in situations of mergers, acquisitions or larger reorganizations. These
can be more effectively enabled by specific IAM efforts. The aim is to move from IT to the enterprise, from
merely an IT experience to a business experience using IAM.
Gregg Kreizman
MEX38L_118, 10/11
Page 26
Gregg Kreizman
MEX38L_118, 10/11
Page 27
Gregg Kreizman
MEX38L_118, 10/11
Page 28
Many enterprises still take a narrow,
narrow "siloed"
siloed approach to risk assessment and management
management. Enterprise and IT
managers with risk-related responsibilities can use Gartner's guidance to develop risk practices that are
effective and appropriate to their specific needs:
• No single definition of risk is appropriate for all enterprises or organizations within enterprises.
• Risk and the accountability for risk acceptance are, and should be, owned by the businesses creating and
managing those risks.
• IT tools can automate effective risk management processes,
processes but the results delivered by these tools will be
only as good as the underlying frameworks, processes and data structures.
• Develop enterprise-specific definitions of risk, as well as an organizational structure that aligns and
eliminates conflicts and overlaps in responsibilities among all risk-related specialists.
• Create an overarching risk framework to address the entire enterprise, and ensure that staff members at all
levels clearly understand their risk-related responsibilities.
• Take
T k a proactive
ti approachh to
t risk
i k assessmentt andd management,
t so that
th t you are managing
i risk,
i k nott being
b i
managed by it.
• Make line-of-business managers, not IT managers or auditors, explicitly accountable for residual risk.
Gregg Kreizman
MEX38L_118, 10/11
Page 29
Gregg Kreizman
MEX38L_118, 10/11
Page 30
Gregg Kreizman
MEX38L_118, 10/11
Page 31
Gregg Kreizman
MEX38L_118, 10/11
Page 32

Top Security Trends and Takeaways for 2011

Transcription

Similar documents

WHAT DOES PSTC Employees Federal Gredit DO WITH YOUR

Bimodal IT

Resurgens PrivacyNotice_NoAffil_NoOptOut_editable

Cached

Harborstone Credit Union

The Complete Guide to Effective Vendor Management

Winter - Augusta VAH Federal Credit Union

The Mobile Uproar

privacy - ASI Federal Credit Union