Page 1

21st Century Security: Convergence Collaboration and Competition??

April 5, 2005

Bill.Boni @ Motorola.com

Vice President and Chief Information Security Officer

IT Governance Page 2

Agenda

• The “Warring Tribes” of Security
• Convergence
• Collaboration
• Competition
• Conclusions

Page 3

Warring Tribes?

• Badges
• Bytes
• Beans

Page 4

Badges – Corporate Security /Physical Security

• Typically drawn from law enforcement or military
• Reports to Administration, Facilities, Human Resources
• Frames the issue as protection of people, facilities, operations
• Values authority and command
• Contributes prevention skill sets

Page 5

Bytes – IT or Information Security

• Typically drawn from technologist ranks
• Reports to CIO or IT Operations
• Frames the issue as availability, integrity, confidentiality of information and systems
• Values creativity and technology innovation
• Contribution is continuity and availability of IT capacity

Page 6

Beans – The Financial Wizards

• Typically drawn from the financial community
• Reports to Chief Financial Officer or
• Frames the issue as “Risk Management”
• Values financial efficiency and loss avoidance
• Contribution is quantitative rigor

Page 7

Convergence?

• What challenges are generally the same?

1. Extended enterprise risks

2. Diverse operational risks

3. Increased legal and regulatory scrutiny

4. Complexity

5. Common approach

6. Common philosophy

7. Mobility and choices

Page 8

1. Extended Enterprises

Dissolution of Perimeter Security

[Figure: the “Organization (Risk) Community” at the centre, surrounded by Joint Ventures, Parts, Services, Contract Manufacture, Contract Design, Customers, Un-trusted Intranets and Transportation]

Page 9

2. Diverse Operational Risks

[Figure: the Hostile Internet, Individual systems and an Un-trusted Intranet alongside the Data Center, equated (=) with the Data Center itself. Captions: “Every system must be secured”; “Inside is almost as risky as outside”]

Foundational Issues

• Ubiquitous connectivity
• Microcomputers everywhere
• Mobile workforce
• Many assets not protected
• “Contingent workers”
  – Contractors and consultants
• Links to partners / suppliers

Page 10

3. Legal and Regulatory Issues

Pressure is mounting on organizations to prove compliance with an increasing array of laws and regulations. All elements of security become ever more challenging.

Laws/Regulations                         Technologies      Stakeholders
Sarbanes-Oxley                           Web / Internet    Customers
GLB/HIPAA/Patriot                        Databases         Competitors
EU Data Protection                       Collaboration     Governments
U.S. Info Security Responsibility Act    Wireless          Suppliers / Partners
                                         Mobile Devices    Employees

Page 11

4. Complexity of Protection Systems

• Many bits & pieces
• Too few qualified security personnel: ~.005% of employees
• Lack of standards
• Integrated safeguards
  – Smart cards
  – Digital forensics

[Figure: a map of protection-system components, arranged by layer (Network, Host-based, Application-based) and by function (Authentication, Cryptography, Anti-Virus, Intrusion Detection, Auditing, Security Management). Components shown: Network Access Control Interception and Enforcement Facility; PKI Manager; Centralized Security Policy Manager; Digital Signature Interface; Other Security Entity Manager; Token Card Manager; OS Security Management Tools; Certificate Authority Interface; Virus Interception & Correction; VPN Session or Tunnel Manager; Single Sign-on Tools; Security Event Report Writer(s); Encryption Facilities for Network Connections; Security Policy Distributor; Cyberwall/Firewall Rule Base; Connection Manager and Logging; Application Proxy Implementations; Security Traffic Event Analyzer; Application Logging Facility; VPN IPSec and VPN Connection Manager; Stateful Inspection; Intrusion Logging; Intrusion Prevention; Application Inspection; Security Event Logging; Security Integrity Manager; Packet Inspection; Frame Inspection; Security Filter Engine; Real-time Frame Management; Intrusion Detection]

Page 12

5. A Common Approach to Strategy?

• PROTECT – Key assets and capabilities
• DETECT – Attacks and malicious actions
• RESPOND – Rapid notification and reaction
• RECOVER – Disaster / business continuity planning

Page 13

6. Common Philosophy: Security Must Be Rational

[Figure: Cost ($) plotted against Security Level from 0% to 100%. The cost of security countermeasures rises with the security level while the cost of security breaches falls; the Total Cost curve is their sum, and the optimal level of security is the point of minimum total cost.]
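The relationship the cost curve expresses, written out as a formula. This is an added note, not part of the original slides, and the symbols are my own: $s$ is the security level (0 to 1), $C_m(s)$ the cost of countermeasures, $C_b(s)$ the expected cost of breaches and $C_t(s)$ the total cost.

$$
C_t(s) = C_m(s) + C_b(s), \qquad 0 \le s \le 1,
$$

with $C_m$ increasing in $s$ and $C_b$ decreasing in $s$ (if breach cost is modelled as a breach probability $p(s)$ times a loss $L$, then $C_b(s) = p(s)\,L$, which is the usual expected-loss assumption). The optimal level $s^*$ is where the total cost is at its minimum, so its derivative vanishes:

$$
\frac{dC_t}{ds}\Big|_{s^*} = 0
\quad\Longleftrightarrow\quad
\frac{dC_m}{ds}\Big|_{s^*} = -\,\frac{dC_b}{ds}\Big|_{s^*}.
$$

In words: keep adding countermeasures until the marginal cost of one more unit of security equals the marginal reduction in expected breach cost it buys. To the left of $s^*$ each extra dollar of protection saves more than a dollar of expected loss; to the right it saves less, which is what “rational” security means on this slide.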

Page 14

7a. IP Networking - Mobility

[Figure: Broadband IP Networks diagram. Communication domains: Automobiles, Hot Spot, Enterprise, Home. Terminals: Nomadic, IP Based PBX, InFiNet, IP Phone, Web Phone. Access technologies: Wireless | Cable | DSL. Core elements: Routers, PSTN Gateway, Internet, PoC Server, Middleware, SoftSwitch, IMS, Subs Database, Network Management, Public Safety. Also shown: Content Providers, Application Developers.]

Page 15

7b. Securing the Mobile Users

As the person responsible for the organization, you only have “control” in this space.

But the mobile users are moving throughout the entire set of possibilities.

Page 16

Competition

• Overall leadership
• Staffing
• Budget
• Access to leadership

Page 17

State of the Security Profession?

• Corporate – Physical security – CSO
• IT – Information Security – CISO
• The Security Alliance Initiative
  – ASIS
  – ISSA
  – ISACA
• CRO
• ERM: Revenge of the “bean counters”?

Page 18

Enterprise Risk Management

• Top Down – comprehensive risk management
  – Insurance
  – Financial
  – Strategic
  – Operational
• Operational Risks: Security Professionals
• Financial Expertise benefits from metrics/data

Page 19

Risk Management

The board should manage enterprise risk by:

• Ascertaining that there is transparency about the significant risks to the organization
• Being aware that the final responsibility for risk management rests with the board
• Considering that a proactive risk management approach creates competitive advantage
• Insisting that risk management is embedded in the operation of the enterprise
• Obtaining assurance that management has put processes and technology in place for (information) security

Source: IT Governance Institute

Page 20

3 Generic Approaches to Organization Security

• Silos of independence – Little or no communication and coordination
• Councils of collaboration – Periodic, ad hoc, often incident focused
• Unified organization – Formal, structured, aligned

Page 21

Protection Program Focus Areas

• Security Governance – Organization operations and partners
• Network Defense – Security strategy and architecture
• Protection Management – Projects and continuity program

Page 22

Security Roles

[Figure: three overlapping roles – Information Protection, Physical Security and Financial. Descriptions shown: “Protect people, property and tangible assets from loss, destruction, theft, alteration, or unauthorized access”; “Secure digital assets”; “Enterprise risks”. Items placed across the roles: Inspection procedures; Information security; Disaster/business continuity; Risk assessments; Security technology; Investigations; Independent controls assessment; Internal / external regulatory compliance; Risk management; Incident Response.]

Page 23

Changes Ahead for Security Professionals

• Cybercrime failures will result in major liability judgments

• Public / Private Sector formally share infrastructure protection roles

– Certification / licensing for (all?) security professionals

• CSOs assume responsibility for operational risks

• Security is subsumed into ERM and Finance/CROs predominate

Page 24

A Security Professional for All Seasons….

• Grounded in multiple protection disciplines
• Capable project/program manager
• Lifelong passion to learn
• Business acumen
• Diplomatic and adaptable
• Adept at framing issues as risk management
• Professional training / certifications

Page 25

A Security Mantra

• Vision without Action is Imagination

• Action without Vision creates Chaos

Vision with Right Action is Transformation

See the Future and Plan Backwards