Resiliency and the Next Generation Business ~ The ISO 27001 Way
Awareness on Security Risks and Tools to Mitigate Risks
3i Infotech’s perspective on Confronting Security Challenges
6th June 2011


Page 2

…every organization is at risk

Web Threats
• Virus
• Spyware
• Phishing
• Dangerous files
• Dangerous Websites
• Content Scanning
• Reporting
• File Sharing
• URL Filtering
• Trusted Domains
• Lexical / Keyword Analysis

Access Restrictions
• Online Shopping
• Oversize Downloads
• Non-Business Downloads
• Games
• File Sharing
• Stock Trading
• Inappropriate Language
• Social Networking
• Streaming Media
• Time & MB Quotas

Data Leakage
• Intellectual Property
• Confidential Data
• User Authentication
• Web-Based Email
• Unauthorized uploads
• Private Information
• Policy Breaches
• Data Integrity
• Data Storage & disposal

[Diagram: web traffic between the INTERNET and YOUR ORGANIZATION, with incoming web traffic and outgoing web traffic each marked as a point to be inspected]

Page 3

… and financial organizations even more

E-Finance
• E-Finance’s four primary categories:
– Electronic Funds Transfer (EFT)
– Electronic Benefits Transfers (EBT)
– Electronic Data Interchange (EDI)
– Electronic Trade Confirmations (ETC)
• E-Finance accounts for over $10 trillion a day
• Percentage of banking online has risen from 5% to 60% in 7 years
• Proliferation of e-credit mechanisms
• Additionally, the communications channels used for E-Finance have grown
– Home PCs
– E-Banking
– Phones and PDAs

Mobility
• Number of connected countries and individuals has exploded globally
– Internet availability in developing countries
– 90% penetration of mobile phone markets
– Wireless applications for daily business

• Electronic Fraud
– Identity theft
– Access manipulation
• Security Breaches
– Hacking
– Viruses and "spy-ware"

Page 4

Service Organizations Are Evolving …to meet customer demands

Open Computing Environments increase the RISK EXPOSURE

Page 5

Risk Exposure ...and business impact thereof

Information Assets: Legal Records, R&D Information, HR Records, Customer Records, Financials
An attack here can result in:
• Loss of data integrity
• Theft of data
• Loss of privacy
• Legal liability

Network Infrastructure: DNS, NT Domain, DHCP, NTP, LDAP, Project Mgmt, RADIUS, X.509 CA
An attack here can result in:
• Loss of authentication key integrity
• Loss of access to resources
• Loss of availability
• Network slowdown
• Network shutdown

Application Software: Web, Sales Automation, Mail, Telephony, Exchange, SQL, ERP
An attack here can result in:
• Loss of Confidentiality
• Loss of business function
• Business shutdown

Implications of loss of Availability, Integrity, Confidentiality, Privacy and Competitive information:
• Loss of competitive advantage
• Penalties
• Loss of reputation
• Loss of customer confidence

Risk Exposure = f($)

Page 6

Thus, the need to build resiliency …to counter risks

Security
How: Uncover vulnerabilities with latest attacks and evasions
Result: Reduce risks by ensuring the system is protected against latest Day 0 attacks & secure sensitive data

Performance
How: Under high load determine hidden stress fractures & ability to scale
Result: Improve performance by validating data center design & configuration. Determine performance under load under various changing conditions

Stability
How: Simulate real-world conditions (malformed packets) to determine system-wide stability
Result: Proactively identify areas of weakness to prevent system degradation or costly downtime

RESILIENCY across Network Infrastructure, Database Systems, Application Software, Information Assets and IT Resources (Assurance for resilient business operations)

Page 7

3i Infotech’s IT Resiliency Architecture…aligned to IT Security & Continuity Standards

RESILIENCY FRAMEWORK
• SECURITY Assurance
• STABILITY Reviews
• PERFORMANCE Engineering
• Best PRACTICES
• Automation TOOLS
• Metrics
• Goals

IT Security & Continuity Standards
• ISO 31000
• NIST
• OSSTMM
• OCTAVE
• COBIT
• Security Baseline
• OECD
• COSO
• ISO 27000
• OWASP
• RISK IT (from ITGI)
• Regulatory Compliance (DSS, PII, HIPAA, SOX, Basel II etc.)

Page 8

Resiliency Architecture implemented by 3i Infotech …for assurance of IT Risks & Controls

INFORMATION PROTECTION & SECURITY ASSURANCE
• Data Protection Assessment
• Privacy Impact Assessment
• Data Security Standards Compliance Testing
• Data Privacy Audit

APPLICATION SECURITY ASSURANCE
• App. Security Gap Analysis
• App. Security Functionality Testing
• App. Static Code Review & Scanning
• Security Code Review

DATABASE SECURITY ASSURANCE
• DB Architecture Review
• DB Vulnerability Assessment
• DB Penetration Testing
• User Rights Audit
• DB Audit

INFRASTRUCTURE SECURITY ASSURANCE
• Script Based Penetration Testing
• Vulnerability Assessment
• Security Architecture Review
• White-Blue-Black Hat or Overt-Covert Testing
• Host Hardening Assessment & IDS Benchmarking
• Security Configuration Audit

PERFORMANCE ENGINEERING
• Endurance / Soak Testing
• Baseline Testing
• Spike Testing
• Load Testing
• Volume Testing
• Stress Testing

STABILITY REVIEWS
• Consistency Verification Test
• Recovery/Failover Testing
• Random Destruction Testing

Page 9

Resiliency Architecture – Infrastructure Security…Infrastructure resilience through logical and physical controls

[Diagram: Network & File Servers and the LAN segments (LAN: Internal Services, LAN: Client #1, LAN: Client #2) behind FIREWALL / IDS/IDP / AAA – TACACS / TOOLS]

Network level
• WAN, LAN / VLANs segregating the Development and Production Area

Application level
• Segregation through Active Directory system

Operating system level
• Unique user id and password

Physical access level
• General area - identification cards, automated access control systems
• Sensitive area / Data centre – biometric access system

Page 10

Resiliency Architecture – Data & Info Security…Limited the data security and privacy breach ~ 99.9%

Sensitive Information Management
DISCOVER PROTECT MANAGE

Lower the Cost of Compliance
→ Discover, document and assess all sensitive data locations
→ Respond quickly to new legislation (PII, FDA, SEC, Data Protection Act etc.)

Protect against Data Breaches (internal & external)
→ Secure and mask sensitive data
→ Ongoing monitoring and audit of access controls

Extend across Enterprise Applications / Databases
→ Packaged or custom applications on Oracle & SQL Server
→ Automated discovery and metadata classifications

Fast Time to Value
→ Automated discovery/scanning
→ Template-driven configuration & flexibility
→ Rapid implementation

Page 11

Resiliency Architecture – Data & Info Security…An automated approach to Data Protection & Security

Sensitive Information Management™ Platform
DISCOVER PROTECT MANAGE

Compliance Template (PCI)
• Credit Card #

Compliance Template (PII)
• National ID #
• Name
• Address
• Driver’s License #

Platform functions
• MANAGE PRIVILEGED ACCESS
• MONITOR USER ACTIVITIES
• RESPONSIVE AUDIT & COMPLIANCE
• SECURE DATABASE ACCESS

Environments: Prod, Non-Prod, Offshore/Outsource
Outputs: Reporting & Documentation; Alerts, Breach Notifications
Users: Employees, Customers, Partners, Business/Information Users, IT Users, Contractors

Repeatable Auditing, Masking and Monitoring

Page 12

Resiliency Architecture – Data & Info Security…An automated approach to Data Protection & Security

Data Protection & Information Management Platform
• Sources: PROD DATABASES, NON-PROD DATABASES, APPLICATIONS
• Platform components: DEFINITIONS, METADATA, CLASSIFICATIONS, TEMPLATES, RESULTS, HISTORY/LOGS, RULES, ACCESS CONTROLS
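
As an added illustration of the DISCOVER / PROTECT / MANAGE flow described on the data security slides (example code written for this page, not 3i Infotech's platform): template patterns locate candidate fields, a Luhn check filters false positives on the PCI credit card template, matches are masked in place, and a results log records where sensitive data was found without storing the raw values. The ID formats, column names and rows are constructed assumptions.

```python
import re

# Compliance templates, constructed for this example after the slide's PCI
# "Credit Card #" and PII "National ID #" / "Driver's License #" entries.
# The two ID formats are placeholders, not any real country's scheme.
TEMPLATES = {
    ("PCI", "credit_card"): re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    ("PII", "national_id"): re.compile(r"\b[A-Z]{2}\d{7}\b"),
    ("PII", "drivers_license"): re.compile(r"\bDL-\d{8}\b"),
}

def luhn_ok(digits):
    """Luhn checksum: filters digit runs (order numbers etc.) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value, keep_last=4):
    """PROTECT: keep only the trailing characters needed for reconciliation."""
    return "X" * (len(value) - keep_last) + value[-keep_last:]

def discover_and_mask(rows):
    """DISCOVER hits per template, PROTECT by masking, MANAGE the evidence as a
    results log that records locations and data types but never raw values."""
    masked, log = [], []
    for row_id, row in enumerate(rows):
        out = dict(row)  # copy: the source row is left untouched
        for col, value in row.items():
            for (template, dtype), rx in TEMPLATES.items():
                for m in rx.finditer(str(value)):
                    found = m.group()
                    if dtype == "credit_card" and not luhn_ok(re.sub(r"\D", "", found)):
                        continue  # digit run that fails Luhn: not a card number
                    out[col] = str(out[col]).replace(found, mask(found))
                    log.append({"row": row_id, "column": col,
                                "template": template, "type": dtype})
        masked.append(out)
    return masked, log

# Constructed sample rows, not real customer data (4111... is a well-known test card number).
SAMPLE_ROWS = [
    {"name": "Asha K", "notes": "paid with 4111 1111 1111 1111", "id_no": "AB1234567"},
    {"name": "Ravi M", "notes": "order 1234 5678 9012 3456", "id_no": "DL-20110606"},
]
```

Running `discover_and_mask(SAMPLE_ROWS)` masks the card number and both ID numbers while leaving the Luhn-failing order number alone, and the returned log is the audit trail the slides' RESULTS / HISTORY/LOGS components would hold.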

Page 13

Resiliency Architecture – Asset Management…Software Asset Management Compliance driving > 70% optimization

IT Compliance – Balancing the need
• User: Best tools to improve productivity
• Publisher: Abide by policies, sub-policies and upgrades
• Management: Optimize Licenses

Create
• Created a streamlined SAM process
• Evaluate the appropriate tools to meet collective user needs

Refine
• Capture user request / approvals
• Parameters to conduct inventory
• Up-to-date Purchase records

Detect
• Evaluated and implemented auto discovery open source tool
• Software Usage Metering
• Reconcile Purchase records

Discipline
• Enforced through HR & legal policies

Page 14

Resiliency Architecture – Asset Management…Software Asset Management Compliance

[Flowchart of the software asset request process]
• Capture the need of a user / business request
• Check for availability in the inventory?
– Yes: allocate the asset to the respective business and debit the cost
– No: evaluate the best alternatives and raise the purchase request
• Purchased and delivered: add to inventory and directly allocate to the business groups
• Business says not required now: then move back to inventory for re-allocation

Page 15

Value Delivered ~ Integrated approach to IT Services…An Example of Test Automation Services delivered on a VPN

[Diagram: “abc” Client Org. connected to “xyz” Services Org. over a VPN, with security controls at Level 1 to Level 4]
• Client Org.: Application, Tester, VPN Port, Static IP, Firewall / Network policies, VPN Server, HP QTP
• Services Org.: VPN Client, Firewall / Network policies, RDP Security Login
• Also shown: Tester & Application Testing Tool, a further Firewall / Network policies boundary, HP License Server, License Server, Tester1

Page 16

Thank You

[email protected]