Top Security Trends and Takeaways for 2011
Top Security Trends and Takeaways for 2011-2012

Gartner The Future of IT Conference, October 4-6, 2011, Centro Banamex, Mexico City, Mexico

Gregg Kreizman

Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via email: [email protected]. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.

IT security technologies are less important as a discrete CIO priority today than in past years. However, security remains an embedded, key aspect of many of the listed high-priority initiatives. For example, security concerns are the greatest inhibitor to the adoption of cloud computing. Security spending may be categorized as "operational" or "project-based." Operational security spending comprises such mature functions as firewall support, antivirus/anti-malware subscriptions and password management, to name but a few on a long list. Even during a recession, most organizations will not reduce these security spending "buckets" by much, because they are a true cost of doing business. Ceasing to spend on these items can lead to potentially catastrophic business risk events, just to pare a few dollars from an already constrained security budget.
New capital-intensive projects, to choose and implement functions like data loss prevention (DLP), network access control (NAC) or virtualization security, were often tabled, delayed or downsized last year. We see signs that they will be started again in 2011, depending on the level of general economic improvement. In addition, as new enterprise applications start being instituted again, security projects associated with them will follow. As happened in 2009-2010, new projects that present prospects for near-to-midterm IT savings — such as cloud computing, software as a service (SaaS), managed security service (MSS) and multifunction security platforms to reduce capital and management costs — will often be funded.

Gregg Kreizman MEX38L_118, 10/11
The term APT is new, but the threat of targeted attacks is not (see "Prevent Targeted Attacks" G00130303). Gartner estimates that, although fewer than 10% of Internet attacks are targeted against a single company, the financial impact on an individual business of a single, successfully targeted attack will be 50 to 100 times greater than the impact of a successful worm or virus event. Law enforcement agencies continue to report significant increases in targeted attacks launched by cybercriminals. Targeted attacks aim to achieve a specific impact against specific enterprises, and have three major goals:
• Denial of service: disrupting business operations
• Theft of service: obtaining use of the business product or service without paying for it
• Information compromise: stealing, destroying or modifying business-critical information

The motivation is usually financial gain, such as through extortion during a denial-of-service attack, trying to obtain "ransom" for stolen information, or selling stolen identity information to criminal groups. Although, recently, we have seen a rash of disclosures as companies publicly announce losses of customer-sensitive data, most targeted attacks do not get any publicity because enterprises do not want to expose the extent of the damage an attack may have caused. Targeted attacks can use custom-created executables that are rarely detected by signature-based techniques. To be successful, such attacks generally require some means of communication back to an outside party, whether out of band — as when an insider puts information onto removable media and physically carries it outside of enterprise control — or in band — as when Internet mechanisms are used.

Do you believe that the security currently applied to mobile devices such as smartphones and tablets used in your organization is adequate and would satisfy an auditor? USA Western Europe Yes, security is adequate to pass an audit 27% Maybe, the adequacy of security is not known 31% 28% 32% No, security is not adequate to pass an audit 41% 42% Source: "CIO attitudes to consumerization of mobile devices and applications," Nick Jones, N = 148-157

The graph provides a framework for comparing the severity of smartphone security incidents to the frequency by which they occur. It shows that most of the incidents that lead to attacks against phones either happen rarely or are limited in their ability to inflict damage.
The main risks faced by phone users are brought about by exposures caused by failing to configure their phones in a secure profile and by simply leaving them behind to be lost or stolen. The largest and most consistent source of angst regarding smartphone attacks comes from vendors selling smartphone security software. If phones are properly locked, basic data encryption is invoked, and all current updates and patches are applied, users face very little risk in 2011 of a major attack.

Be aware that different cloud models have different risk implications that must be accounted for.
Essentially, cloud computing enables a decoupling of the layers, with both the buyer and seller taking on whatever level of value add they are most comfortable with. In an increasing number of cases, the provider is itself the buyer of a lower layer service, such as a platform, infrastructure or physical rack space. Different forms of control and security are provided at each level. In a SaaS model, in which virtually the entire system is externally provisioned, the buyer has almost no ability to add security mechanisms or controls, other than what the provider has made available to it. The service provider is responsible for the majority of the security mechanisms. In a platform as a service (PaaS) model, security controls usually need to be located both within the application and the platform, meaning that both the provider and customer have some level of responsibility. A growing number of SaaS offerings are actually hosted within some other vendor's platform or infrastructural service. If a vendor controls your data, then you do not:
• Their people, their code, their features, their processes
• Their government, their legal system, their culture
For low-security environments, or for workloads that have simple security requirements, relying on the security built into the private cloud infrastructure or into the public cloud service will be good enough — just as it was in more-traditional insourcing and outsourcing. This will represent roughly 20% of the overall market. At the high end, security will be kept separate from private or public cloud infrastructure — just as we did when internal networks were virtualized. The VMsafe API is an example of a mechanism to require all security-relevant flows be externalized so that existing and separate security processes can examine them and enforce security policies. This will represent approximately 20% of the market. The vast middle will compromise and run security workloads in the private cloud and public cloud environments, as long as sufficient separation of duties and audit/visibility can be provided.
There are three potential control points for social media use, regardless of whether the solution is internal or external, private or public. The endpoints used to access the solution have potential for both monitoring and control, but the increasing diversity of endpoints and increasing use of employee-owned devices limit the ability of the security team to manage a control solution within the endpoint. The network between the user and the social media platform is a logical chokepoint for data movement and supports a variety of robust control options utilizing DLP, firewalls and similar technology to filter, block and capture activity. Unfortunately, as with the endpoint, the user can elect to operate on multiple networks, not all of which enable control by the enterprise. The social media platform itself can be a strong control point, but this strength varies greatly, depending on the ownership and administration of the platform. Of the three control locations, the platform is the one location that persists as the user leverages multiple endpoints and networks to access services.
Many buyers of enterprise-DLP solutions are motivated by an immediate corporate or government compliance need but are also very interested in the longer-term vision of granular control over all the data that flows around a modern organization (see "Critical Capabilities for Content-Aware Data Loss Prevention" G00200831). Many implementations only use a small subset of the total capabilities. Often, what has been implemented is the functionality subset that can be achieved with a channel-DLP solution from an incumbent provider at substantially lower cost and complexity. For example, DLP on e-mail traffic to identify and encrypt sensitive information is still the most-frequently deployed feature of an enterprise-DLP solution. Yet, a significant portion of e-mail DLP functionality is available in many incumbent anti-spam e-mail security solutions (for example, Cisco/IronPort, McAfee, Proofpoint, Clearswift, Google, Symantec/MessageLabs, Websense). Furthermore, it is the e-mail solutions that have a tight integration with e-mail encryption, which is the most common remediation technique for data policy compliance.

There are several use cases that Gartner discusses with clients. Prior to 2009, these interactions focused on enterprise access to enterprise systems within the perimeter and on consumers' access to enterprise systems. The greatest trend since 2009 has been the increased focus on providing access to cloud-based applications, and enterprise-to-cloud has been the most common thread. This has given rise to increased interest in identity federation and has spawned a market for IAMaaS. Each of the core IAM functions must still be addressed. Moving applications to the cloud does not undo the need for IAM, but does put increased burden on enterprises to manage identity consistently and effectively.

IAMaaS service providers began offering their services with different goals in mind. Some vendors began as community or industry federation providers that joined up groups of customers with common needs for the purposes of accessing a common set of applications. Others have taken traditional on-premises IAM software stacks and are using them to provide IAM services to enterprises for new and legacy applications within the enterprise environment. A third IAMaaS class includes vendors that have built their services from the ground up to support Web applications, and to primarily support the employer-to-SaaS use case. Some providers also support access control functions for customers' internal Web applications. They also support the customers' customers for accessing outsourced applications. This gets the customer out of the IAM business for its own customers. While vendors had these different beginnings, the picture has become less clear as vendors extend their models to incorporate the use cases and target system requirements of their current and potential customers.

Action Item: Know your potential provider's pedigrees prior to buying services. Your provider may seek to use you to recover costs for extending its offerings to new use cases or target systems.
Today's security concept is based on noncohesive vulnerability scanning and monitoring along unrelated stovepipes: networks, databases, desktops and applications. Security analysis is limited to reviews of monitors' logs and scanners' reports. It lacks knowledge management, analytics and planning capabilities. That concept should be transformed into enterprise security intelligence (ESI), enabling correlation and impact analysis across all intelligence sources, systems' security understanding, knowledge management and actionable advice. ESI should be an implementation, delivery and sales model whose value is based on intelligence, not on the amount of invested efforts; in other words, whose value is based on the ability to deliver intelligent actions and decisions, not on a number of conducted scans, duration of monitoring, volume of analyzed program code or complexity of network topology.
Intelligence has two meanings: (1) the ability to acquire and apply knowledge and skills; and (2) the collection of information of military or political value (as defined in the New Oxford American Dictionary). We have learned how to collect information, but we have not excelled at acquiring and applying knowledge. It is time to do it. It is important to understand that ESI is not a market, but a paradigm, and therefore it is not a substitute for any existing market (for example, SIEM, DAST or DAM). ESI's objective is to encompass all these markets and technologies. ESI should be used as a common reference point (like SOA or BI concepts in their respective use cases). As a concept, ESI mitigates resolutions of the problems that market silos are causing. ESI is bridging those markets. As a concept, ESI enables a common strategy for vendors and enterprises; selection criteria and best practices; common features that technologies should have, regardless of the market they belong to (for example, per ESI, advanced SAST tools should have SIEM repository, or data-masking tools should have static and real-time dynamic correlation capabilities).
Howard Chase and Ray Ewing are considered the "fathers of issues management" — and what you see in this slide is known as "The Chase Curve." At the heart of their theory about the life cycle of public policy issues is that regulation or other legislative initiatives grow out of the gap (real or perceived) between societal expectations and the future. Think about some recent and historical regulations and compliance mandates that have come about and what the gaps were in societal expectations.

Sarbanes-Oxley and the formation of the Public Company Accounting Oversight Board (PCAOB) in the U.S. and the 8th Company Law Directive in Europe: The gap in expectation is that corporate executives of publicly held companies will run the business in an honest and ethical way, and accountants are there to catch mistakes and misdeeds.

The U.S. Patriot Act: The gap is that the government does not have the extraordinary measures it needs to protect the country and fight the war on terrorism after the events of 11 September 2001.

Action Item: Track public policies that affect your organization, and have a strategy to influence and respond to them.
Strategic Imperative: Raw metrics are the starting point, but they must be contextualized and integrated into your risk decision-making process.

Successful security metrics begin at the bottom with raw data, but they cannot end there. At the end of the day, without context, it is just a collection of bits and bytes with no value. It behooves security risk professionals to turn that data into information to support our decision making, which, in turn, helps us support our enterprise's ability to deliver on its goals in a risk-resilient manner. Successful security metrics involve the following:
• Not only collecting raw data, but bundling it together in logical groupings, ensuring that it is understood within context, understanding dependencies and impacts, placing it within a standard framework to support …
• Evaluation — is the threat associated with a particular data point relevant? Does it fall outside our agreed-upon service levels?
Is it really impactful on our business, either today or next year? Or does it represent a theoretical risk, rather than a practical one? All of this enables us to …
• Managing our risks. Good security metrics should support our risk management program and activities. They should help us prioritize what we treat now, next year or never. Metrics should help us be efficient and effective, and they must represent an understanding of what business we are in.

Action Item: Look at what you are reporting. Do your metrics have any relationship to the realities of your enterprise's goals or mandates?

Action Item: Build up from what you can collect, but ensure that you report on what is meaningful to your audience(s).

The relationship between risk management and performance should be conceptually and intuitively obvious. Improperly managed risk can lead to business failures and poor business performance. However, making this relationship measurable has eluded most organizations. As a result, the benefits of many operational risk management activities are not clear to the business people who are most at risk, and they often fail to take advantage of available risk information when making critical business decisions.
To address these issues, a business should develop credible, discrete business performance measures, and risk management efforts should produce credible, discrete risk indicators that directly impact those business performance measures. What is needed is a deeper and common understanding of how risk events affect business performance. The fundamental concept is that KRIs are leading indicators that business performance is at risk.

The following is a simple example. An organization has a KRI that measures patching levels on critical systems that host supply chain support applications. It also has a KPI that measures the operation of the supply chain. It's important to note that the supply chain KPI is a business metric — not an IT metric. When the patching KRI turns from green to yellow or red, it is a leading indicator that the supply chain may suffer failures or slowdowns that would impact the supply chain KPI, which is a leading indicator that the company may miss a revenue target. This relationship and mapping can demonstrate to business executives why they need to heed KRIs and can help them make better business decisions based on those KRIs.
Network and desktop-based security controls have been in use for over 15 years. While threats continue to change, the need for a new security product every time a new threat is launched has lessened as the mature security controls have evolved into security platforms:
• Secure E-Mail Gateway
• Web Security Gateway
• Next-Generation Firewall
• Endpoint Protection Platform
• Security Information and Event Monitoring
These platforms evolve to address new threats and should be used as vehicles to make sure security vendors obey Moore's law — either the cost of the platforms decreases each year or they offer new threat protection while the price remains constant. The consumerization trend also brings in mobility, making the delivery of "security as a service" a key requirement for all security controls.

Most organizations initially implement activity monitoring.
Reports are produced to track system and database administrator activity on critical systems while other reports monitor access to critical resources. Service mapping is needed even in this first step, in order to establish monitoring for asset groupings that have compliance or security relevance (financial reporting systems for SOX, systems that hold proprietary data, etc.). The reports are distributed and examined on a daily basis in a search for exceptions. Report recipients begin to request exception reports to reduce time and effort. Exception reporting requires a reconciliation of observed activity with the user's role and access restrictions and also with the record of approved changes. This requires integration of activity monitoring with identity and access management systems (to obtain role information and access restrictions) and integration with change management systems (to obtain information about approved changes, related IT components, change windows and authorized change implementers).
Action Item: Include an evaluation of IAM and change management integration capabilities in SIEM technology selection decisions.

But why do we even care about IAM? What is its true purpose in the enterprise? How do those drivers evolve over time? We have noted a consistency to the drivers of IAM.
They remain (1) efficiency, which is primarily an IT advantage, in streamlining those IT operations that usually require labor, time, or cost-intensive procedures regarding the establishment and modification of access for people and systems. There are some business efficiencies, but not as much as IT. (2) Where the business does get more involved is in the effectiveness driver, where the enterprise leads in an effort to leverage IAM in pursuit of specific business requirements, commonly around compliance and risk. (3) Finally there is business enablement, where a transformational experience is possible in situations of mergers, acquisitions or larger reorganizations. These can be more effectively enabled by specific IAM efforts. The aim is to move from IT to the enterprise, from merely an IT experience to a business experience using IAM.
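The exception reporting described in the SIEM notes above, as an added example that is not part of the original presentation: observed privileged activity is reconciled against IAM role data and approved change records, and only the events that fail reconciliation are reported. All user names, system names, change IDs and field names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data; all names, IDs and fields are assumptions for illustration.
# IAM export: user -> critical systems the user's role may administer.
IAM_ACCESS = {"alice": {"fin-db-01", "fin-app-01"}, "bob": {"hr-db-01"}}

# Change-management export: approved change, component, window, implementer.
CHANGES = [
    {"id": "CHG-1001", "system": "fin-db-01", "implementer": "alice",
     "start": datetime(2011, 10, 4, 22, 0), "end": datetime(2011, 10, 5, 2, 0)},
]

# Activity-monitoring output: privileged actions observed on critical systems.
EVENTS = [
    {"user": "alice", "system": "fin-db-01", "action": "ALTER TABLE",
     "time": datetime(2011, 10, 4, 23, 15)},  # in role, inside approved window
    {"user": "alice", "system": "fin-db-01", "action": "ALTER TABLE",
     "time": datetime(2011, 10, 5, 9, 30)},   # in role, outside the window
    {"user": "bob", "system": "fin-db-01", "action": "GRANT",
     "time": datetime(2011, 10, 4, 23, 20)},  # window open, not bob's role or change
    {"user": "carol", "system": "fin-app-01", "action": "CONFIG EDIT",
     "time": datetime(2011, 10, 6, 11, 0)},   # unknown to IAM, no change record
]

def covering_change(event):
    """Return the id of an approved change that covers the event, or None."""
    for chg in CHANGES:
        if (chg["system"] == event["system"]
                and chg["implementer"] == event["user"]
                and chg["start"] <= event["time"] <= chg["end"]):
            return chg["id"]
    return None

def exception_report(events):
    """Reconcile events with IAM and change data; return only the exceptions."""
    report = []
    for ev in events:
        reasons = []
        if ev["system"] not in IAM_ACCESS.get(ev["user"], set()):
            reasons.append("access not granted by role")
        if covering_change(ev) is None:
            reasons.append("no approved change for user/system/time")
        if reasons:
            report.append((ev["user"], ev["system"], ev["action"], reasons))
    return report

if __name__ == "__main__":
    print(exception_report(EVENTS))
```

The first event is suppressed because both the role check and the change record reconcile; the other three reach the report with the reason each one failed.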
Many enterprises still take a narrow, "siloed" approach to risk assessment and management. Enterprise and IT managers with risk-related responsibilities can use Gartner's guidance to develop risk practices that are effective and appropriate to their specific needs:
• No single definition of risk is appropriate for all enterprises or organizations within enterprises.
• Risk and the accountability for risk acceptance are, and should be, owned by the businesses creating and managing those risks.
• IT tools can automate effective risk management processes, but the results delivered by these tools will be only as good as the underlying frameworks, processes and data structures.
• Develop enterprise-specific definitions of risk, as well as an organizational structure that aligns and eliminates conflicts and overlaps in responsibilities among all risk-related specialists.
• Create an overarching risk framework to address the entire enterprise, and ensure that staff members at all levels clearly understand their risk-related responsibilities.
• Take a proactive approach to risk assessment and management, so that you are managing risk, not being managed by it.
• Make line-of-business managers, not IT managers or auditors, explicitly accountable for residual risk.