ISACA Presentation Feb 2009 Final



  • 8/14/2019 ISACA Presentation Feb 2009 Final

    1/28

    Leslie K. Lambert

    VP and Chief Information Security Officer
    Sun Microsystems, Inc.

    February 17, 2009
    ISACA/ISSA Joint Chapter Meeting, Denver, Colorado

    Enterprise Computing in the Open Network


    2/28

    Sun Microsystems, Inc. - All Rights Reserved 2

    The Network Is The Computer

    The Leading Provider of Open Network Computing Infrastructure


    3/28


    That Vision Described a Day When . . .

    When we would locate and subscribe to services on the network

    When those subscriptions would be temporal, lasting only as long as needed to solve a business problem

    When computing would be virtualized beyond the traditional walls of the datacenter

    When the relationships between an Enterprise and the providers of these services would be safe, reliable and predictable


    4/28

    Guess what? We are there!


    5/28

    Enterprise Computing in the Open Network

    From Going to Work . . .

    Employees are required to connect to secure networks to acquire access to enterprise applications

    Enterprises build, deliver, and operate the services they consume

    . . . To Connecting to Work

    Employees compute from anywhere using trusted services delivered in an open Internet by known service providers that protect personal and corporate privacy.

    IT becomes an aggregator of services vs. creator of applications


    6/28

    Business Trends, IT Challenges

    Markets are global
    Talent is global and knowledge-based
    Workforce can be anywhere
    Work locations are multiple
    Work activity is more team-dependent
    Work constraints are time based

    Growing Concern: 24x7 business continuity
    Growing Desire: Flexibility and choice

    Real Estate Trends: Now Embrace Flexible Space Planning
    Corporate Precedents: Larger Organizations are Now Adopting Alternative Work
    Technology: Internet Finally Enables Transparent Connectivity
    Talent, Skills/Demographic: HR's Squeeze to Compete for Talent on a Global Basis
    Global Economic Volatility: Greater Difficulty Forecasting Headcount and Space
    Pandemics and Business Continuity: Work Flexibility Needed for Regional Crises/Pandemics
    Eco-Responsibility: Growing sensitivity to environmental issues and workplace sustainability


    7/28

    IT trends influencing IT

    Consumerization of IT
    Availability of Services
    Social Networking
    SOA & Web 2.0 Convergence
    Explosion of End User Devices
    Extreme Mobility
    Massive Network Build-outs
    Business intelligence and information management
    Virtualization
    Merger & acquisition activities
    Utility Computing
    Compliance
    Security


    8/28

    Enterprise Computing in the Open Network

    Emerging in the following areas:
    > Cloud Computing
    > Virtualization
    > Web 2.0
    > Social Networking


    9/28


    Cloud Computing


    10/28


    11/28


    Cloud Services Continuum

    Source: Robert W. Anderson

    http://et.cairene.net/2008/07/03/cloud-services-continuum/

    Software as a Service (SaaS): Applications on Demand
    > Salesforce.com, Google Apps, Qualys, Webex, Wikipedia, Wordpress, Web-based email, Netsuite

    Platform as a Service (PaaS): Development Services on Demand
    > Sun's Project Caroline, Google App Engine, Bungee Labs, Heroku, Force.com

    Infrastructure as a Service (IaaS): Computer Infrastructure on Demand
    > Compute: Sun's Network.com, Amazon EC2, GoGrid, Mosso, Joyent, Rackspace
    > Storage: Sun's Storage.network.com (OpenStorage), Amazon S3, Nirvanix, Bingodisk, Skydrive


    12/28


    Is Your Enterprise Ready for Cloud Computing?

    Can you trust your service provider with your data?
    Are there sufficient logging and controls for compliance reporting?
    Reliability is still an issue
    Can your applications withstand latency?
    Large companies already have an internal cloud
    Bureaucracy will cause the transition to take longer
    Portability of applications across clouds
    The pesky data-migration-to-cloud issue


    13/28

    (diagram) Source: Wikipedia


    14/28


    Leveraging the Consumer Web 2.0

    Conversations
    Social Networks
    Real-time Collaboration & Sharing
    Web Conferencing
    Devices
    Technology
    Mashups


    15/28


    Translating Vision into Strategy

    IT collaborates with business customers as needed to define requirements, identify services, and manage service providers

    IT services are accessible through the open Internet

    IT aggregates and integrates required IT services

    Sun IT delivers IT services anywhere


    16/28


    High-level Strategy

    (diagram; labels as extracted, in slide order)
    Employees, Partners, Customers
    Virtualization, Internet Facing, Open Standards, Mobility, Unified Comms, Integration across the cloud, Business Intelligence, Enterprise Integration, BPM
    Engineering Environment, Enterprise Management, HR, Learning, Recruiting, ERP, Marketing, Sales, Logistics, Security Services, Next Gen Data Center, MashUp, User Services, Voice, Partner Integration, CLM, More Collaboration, Master Data Management, Private Network, Content Delivery Network, Call Center


    17/28


    Web 2.0 Risk Assessment

    Developed detailed inventory of Web 2.0 services in use at Sun
    > Productionalized services
    > Consumer services
    > Sun services provided to customers

    Compiled threat, vulnerability and exploit info

    Detailed risk assessment of most prolific services
    > Policy, standards and processes
    > Technical controls
    > Awareness, direction and guidance
    > Content review
    > Social engineering testing


    18/28


    19/28


    Security 2.0 REQUIRES

    (diagram: Enterprise Computing in the Open Network at the centre, surrounded by)
    Security Strategy
    Policies and Standards
    Security Processes
    Technical Controls
    Roles
    Responsibilities
    Awareness


    20/28


    New Models = New Threats?

    DoS, including DNS poisoning

    Escalation of privilege
    > via virtualization technology vulnerabilities
    > via administrator backdoors

    Unauthorized access due to access management weakness

    Application security threats, including XSS, SQL injection and cookie manipulation

    Database servers not adequately protected

    Data not encrypted when necessary

    Insider abuse, or mismanagement of the service provider
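Added example, not from the Sun deck: three of the application-layer threats listed on this slide (SQL injection, XSS, cookie manipulation), each shown as the weak pattern beside its hardened form. The user table, the greeting page and the signing key are constructed for illustration and are not Sun code.

```python
"""Added example, not from the Sun deck: SQL injection, XSS and cookie
manipulation, each as the weak pattern beside its hardened form. The user
table, the greeting page and the signing key are constructed."""
import hashlib
import hmac
import html
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# 1. SQL injection: query text built from user input vs. a parameterised query
def find_roles_vulnerable(conn, name):
    # The attacker-controlled value is spliced into the SQL text, so it can
    # change the query's meaning (e.g. name = "x' OR '1'='1").
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_roles_hardened(conn, name):
    # The driver passes the value out of band; it is compared as data only.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# 2. Cross-site scripting: reflecting input into HTML with and without encoding
def greet_vulnerable(name):
    return "<p>Hello, %s</p>" % name


def greet_hardened(name):
    # html.escape turns <, >, &, " and ' into entities, so markup in the
    # input is displayed as text rather than executed by the browser.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# 3. Cookie manipulation: trusting a role stored client-side vs. signing it
SECRET = b"constructed-demo-key; use a managed secret in production"


def make_cookie_vulnerable(user, role):
    return "%s:%s" % (user, role)


def parse_cookie_vulnerable(cookie):
    # Whatever the client sends back is believed, including an edited role.
    user, role = cookie.split(":", 1)
    return user, role


def make_cookie_hardened(user, role):
    payload = "%s:%s" % (user, role)
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def parse_cookie_hardened(cookie):
    """Return (user, role) if the HMAC verifies, else None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # edited or forged cookie: reject, do not fall back
    user, role = payload.split(":", 1)
    return user, role


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", find_roles_vulnerable(db, probe))  # both roles leak
    print("hardened:  ", find_roles_hardened(db, probe))    # []
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_hardened("<script>alert(1)</script>"))
    forged = make_cookie_vulnerable("bob", "user").replace("user", "admin")
    print("vulnerable cookie parses as:", parse_cookie_vulnerable(forged))
    signed = make_cookie_hardened("bob", "user")
    print("hardened cookie, tampered:",
          parse_cookie_hardened(signed.replace("user", "admin")))
```

The signed cookie still exposes the role to the client (it is integrity-protected, not confidential); in a real service the role would be looked up server-side from a session identifier, and the key would come from a secrets store rather than a constant.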


    21/28


    New Models = New Security Issues?

    The browser is the new operating system

    Loss of control and management of key data

    Partner trust issues

    Compliance management
    > Who has access to what?
    > Ability to audit
    > Mapping of controls

    Alignment with ITIL processes

    Security management of the service


    22/28


    New Models = New Security Challenges?

    Lack of visibility - What applications are in use?
    > We cannot protect what we don't know
    > Do we know where our IP or sensitive data are?

    Relying on a cloud vendor for the physical and logical isolation of the data

    Relying on the vendor's authentication schemes

    Not enough testing tools for secure deployment

    Partner assessment transparency

    Privacy: Compliance with Federal, State and International laws

    E-discovery: Can we support it?


    23/28


    New Models = New Security Challenges?

    Security management: Extending security practice, policy, standards and process to the cloud

    Incident response: Working with providers

    Forensics of an incident: Sufficient logging? Tamper-evident logs?

    Integration with enterprise Identity and Access Management systems

    Web service security: Do we understand all API and security features?
    > XML-RPC, REST, SOAP (SOA)

    Encryption of data and key management
    > Level of encryption
    > What data to encrypt?
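Added example, not from the Sun deck: a keyed hash chain that makes a log tamper-evident, putting a concrete check behind the slide's "Sufficient logging? Tamper-evident logs?" question. Every entry carries an HMAC over its own fields and the previous entry's tag, so editing, deleting or reordering an earlier entry breaks every tag after it. The key, the sample audit lines and the external anchor are constructed and assumed; they are not Sun's logging design.

```python
"""Added example, not from the Sun deck: a keyed hash chain that makes a log
tamper-evident. The key, the sample lines and the anchor are constructed."""
import hashlib
import hmac
import json

# Assumption: the key lives with the log collector, not on the host that writes
# the log, so an intruder on that host cannot recompute tags after editing.
CHAIN_KEY = b"constructed-demo-chain-key"
GENESIS = "0" * 64


def _tag(prev_tag, seq, ts, msg):
    data = json.dumps([prev_tag, seq, ts, msg], separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, data, hashlib.sha256).hexdigest()


def append(log, ts, msg):
    """Append one entry, linking it to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "ts": ts, "msg": msg, "prev": prev,
                "tag": _tag(prev, seq, ts, msg)})
    return log


def verify(log, anchor=None):
    """Return None if the chain is intact, else the index of the first bad entry.

    `anchor` is the most recent tag recorded somewhere the attacker cannot
    reach (e.g. sent to the collector after each append). Without it, simply
    truncating the tail of the log is not detectable; with it, it is.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        expected = _tag(prev, entry["seq"], entry["ts"], entry["msg"])
        if not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    if anchor is not None and prev != anchor:
        return len(log)  # everything present verifies, but entries are missing
    return None


def build_sample_log():
    """Constructed audit trail for a cloud-hosted service."""
    lines = [
        ("2009-02-17T14:02:11Z", "login ok user=alice src=203.0.113.7"),
        ("2009-02-17T14:05:40Z", "login failed user=bob src=198.51.100.9"),
        ("2009-02-17T14:06:03Z", "login ok user=bob src=198.51.100.9"),
        ("2009-02-17T14:08:20Z", "TerminateInstances user=bob result=ok"),
    ]
    log = []
    for ts, msg in lines:
        append(log, ts, msg)
    return log


def edited(log, index, new_msg):
    """Copy of `log` with one message rewritten in place (the intruder's edit)."""
    copy = [dict(e) for e in log]
    copy[index]["msg"] = new_msg
    return copy


def deleted(log, index):
    """Copy of `log` with one entry removed."""
    return [dict(e) for i, e in enumerate(log) if i != index]


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))
    print("edited entry 3:", verify(edited(log, 3, "DescribeInstances user=bob result=ok")))
    print("deleted entry 1:", verify(deleted(log, 1)))
    print("truncated, no anchor:", verify(log[:3]))
    print("truncated, with anchor:", verify(log[:3], anchor=log[-1]["tag"]))
```

The chain answers "was this log altered after the fact?", not "did the host log everything it should have?"; an intruder who disables logging before acting leaves a chain that verifies. That is why the slide's two questions are separate: sufficiency of logging is a coverage decision, tamper evidence is an integrity mechanism.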


    24/28


    Security 2.0 REQUIRES

    (diagram repeated from slide 19: Enterprise Computing in the Open Network at the centre, surrounded by Security Strategy, Policies and Standards, Security Processes, Technical Controls, Roles, Responsibilities, Awareness)


    25/28


    Getting Ready

    Develop strategy to migrate from:
    > Securing the infrastructure -> Securing the data

    Revise policies, standards, guidelines for cloud services

    Develop risk management program with 3rd party connectivity, partner services architecture

    Institute partner security assessment program

    Data classification and labelling for structured and unstructured data

    Revise firewall policies, standards, guidelines for cloud services

    Educate vendor management on security clauses

    (Security 2.0 elements addressed: Policies and Standards, Security Processes, Security Strategy)


    26/28


    Getting Ready

    Review and revise awareness program to ensure that it is covering new issues related to cloud models and Web 2.0 technologies

    Identify and communicate new service owner and end user roles and responsibilities

    Identify and communicate new expectations for data protection in these environments

    Educate vendor management groups about importance of security clauses

    (Security 2.0 elements addressed: Roles, Responsibilities, Awareness)


    27/28


    Getting Ready

    Security event management: Evaluate APIs for importing logs and events from cloud services

    Formalize application security testing process in release management

    Execute on virtualization roadmap: Private cloud

    Application architecture: Get 'em Internet ready

    Identity and Access Management: Internet-facing identity provider, federation of single sign-on

    Practice encryption and key management

    (Security 2.0 elements addressed: Security Processes, Technical Controls)
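Added example, not from the Sun deck: what "importing logs and events from cloud services" into the enterprise event-management system looks like in practice, with two providers' records mapped onto one schema so that a login anomaly at one provider can be correlated with a privileged action at the other. The two input formats, their field names, the privileged-action list and the sample events are constructed assumptions; real provider APIs differ and each needs its own mapping.

```python
"""Added example, not from the Sun deck: normalising events from two cloud
services into one schema and correlating across them. The input formats,
field names, privileged-action list and sample events are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample: a SaaS provider whose API returns newline-delimited JSON.
SAAS_EVENTS = """\
{"when":"2009-02-17T14:02:11Z","who":"alice@example.com","what":"login","ok":true,"ip":"203.0.113.7"}
{"when":"2009-02-17T14:05:40Z","who":"bob@example.com","what":"login","ok":false,"ip":"198.51.100.9"}
{"when":"2009-02-17T14:05:52Z","who":"bob@example.com","what":"login","ok":false,"ip":"198.51.100.9"}
{"when":"2009-02-17T14:06:03Z","who":"bob@example.com","what":"login","ok":true,"ip":"198.51.100.9"}
{"when":"2009-02-17T14:20:00Z","who":"alice@example.com","what":"export_report","ok":true,"ip":"203.0.113.7"}
"""

# Constructed sample: an IaaS provider whose API returns one text line per
# call, with the time as a Unix epoch.
IAAS_EVENTS = """\
1234879563 api 198.51.100.9 bob@example.com DescribeInstances SUCCESS
1234879700 api 198.51.100.9 bob@example.com TerminateInstances SUCCESS
1234880400 api 203.0.113.7 alice@example.com StartInstances FAILURE
"""

# Actions the enterprise treats as privileged regardless of provider (assumption).
PRIVILEGED = {"TerminateInstances", "export_report"}


def _iso_to_epoch(s):
    return int(datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def normalize_saas(text):
    """Map the SaaS JSON records onto the common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        events.append({"ts": _iso_to_epoch(d["when"]), "provider": "saas",
                       "actor": d["who"], "action": d["what"],
                       "success": bool(d["ok"]), "source": d["ip"]})
    return events


def normalize_iaas(text):
    """Map the IaaS text lines onto the same schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _channel, ip, actor, action, result = line.split()
        events.append({"ts": int(ts), "provider": "iaas", "actor": actor,
                       "action": action, "success": result == "SUCCESS",
                       "source": ip})
    return events


def detect(events, window=300):
    """Two correlation rules over the merged stream, in time order:
    (a) a successful login preceded by two or more failed logins from the
        same actor within `window` seconds;
    (b) a privileged action by an actor flagged under (a), even when it
        happens at a different provider than the login."""
    alerts, failures, suspicious = [], {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        actor = e["actor"]
        if e["action"] == "login":
            if not e["success"]:
                failures.setdefault(actor, []).append(e["ts"])
                continue
            recent = [t for t in failures.get(actor, []) if e["ts"] - t <= window]
            if len(recent) >= 2:
                suspicious.add(actor)
                alerts.append({"rule": "login_after_failures", "actor": actor,
                               "provider": e["provider"], "ts": e["ts"]})
            failures[actor] = []
        elif e["action"] in PRIVILEGED and e["success"] and actor in suspicious:
            alerts.append({"rule": "privileged_after_suspicious_login",
                           "actor": actor, "provider": e["provider"], "ts": e["ts"]})
    return alerts


def run():
    events = normalize_saas(SAAS_EVENTS) + normalize_iaas(IAAS_EVENTS)
    return detect(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The point of the common schema is the second rule: it only fires because the SaaS login and the IaaS API call share an actor field and a clock, which is exactly what evaluating a provider's log API has to establish (identity format, timestamp precision and zone, success/failure semantics) before the events are worth importing.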


    28/28

    [email protected]

    February 17, 2009
    ISACA/ISSA Joint Chapter Meeting, Denver, Colorado