Abstract: Digital technologies have made customers powerful, giving them the option to choose and the means to instantaneously spread their opinions widely. They have become demanding, and they change brands without a blink if their experience with the product or service isn't what they expect. Brand loyalty, therefore, has taken a backseat and customer experience has emerged supreme. In an IBM survey, 95% of CEOs said enhancing customer experience was their top priority. Security forms a core foundation for enhancing customer experience. Typically security has been inward looking, focusing more on technology vulnerabilities and less on securing business objectives. Securing the digital enterprise entails looking outside-in, to protect customer experience, its strategic objective. Internally, the digital enterprise also needs assurance against vulnerabilities introduced by digital technologies like cloud, IoT etc.

Bio: Mohan is an acknowledged expert and thought leader in information security. He was the Senior VP and Global CISO at Bharti Airtel, where he had also held charge as the company's Chief Architect and CIO for its Bangladesh and Sri Lankan operations. Prior to his stint in Bharti, he was an advisor at a Big-4 consultancy, CEO of a security company he helped start, and the Director of Information Technology for the Indian Navy, where he was awarded the Vishisht Seva Medal by the President of India for innovative work in information security. He has also been a member of several national and international committees on security, including the National Task Force on information security, DOT Joint Working Group on Telecom Security, Indo-US Cyber Security Forum, IBM Security Board of Advisors, RSA Security for Business Innovation Council, and has been chairperson of the CII National Committee on data security, among others.
For his contribution to the information security practice he has also been awarded the DSCI Security Leader Award, CSO Forum Security Visionary Award, and the RSA Security Strategist Award.
Securing the Digital Enterprise
Felix Mohan, Chief Knowledge Officer
09 Sept 2014, CERC@IIIT-D
Agenda: Securing the Digital Enterprise
• Technology & Digital Enterprise
• Customer Experience
• Security Controls
Lower operating cost, better customer experience
3D printing revolutionizing supply chains
[Figure: four supply-chain variants, each shown as Manufacturer → Distributors → Retailers → Customers. In the later variants the physical part flow is replaced by an information flow: the part is printed at the retailer using their 3D printer, or at the customer using a personal 3D printer. Legend: information flow vs physical part flow.]
Transformation of the Digital Enterprise
[Figure: comparison of 2005 and 2012 along three axes, Objectives, Value and Power; only the percentage labels 1%, 28%, 12%, 41% and 22% survive extraction.]
Delivering great Customer Experience
• Customer Experience is the manifestation of value
• Organizations don't sell products or services. They sell experiences. (Forrester)
• Customers buy experiences that are embedded in products. (Gartner)
• 95% of CEOs stated that 'Delivering great Customer Experience' was the top priority for realizing their strategy in the next 5 years. (IBM CEO Survey)
• Digital technologies have made customers powerful. And they are demanding good experience!
• Customers have low brand loyalty or stickiness.
• They can quickly change product or vendor if not satisfied
• Less than 25% of retail purchases in the US were due to brand loyalty. (EY Survey, 2013)
• They can spread their bad experience in their social network, affecting company reputation badly
Customer Power
Empowered customers can tip the balance of power in contemporary buyer / seller relations.
So what are organizations doing about all this?
The Customer Experience Pyramid
[Figure: pyramid, base to top: Value & Quality; Ease of use/engagement & features; Emotional Fulfillment; Loyalty & Stickiness]
Enhancing Customer Loyalty
• The quantity of personal data collected is spiraling rapidly
• Big data correlations are creating additional privacy issues
[Figure: data flow. Inputs (customer's demographic data, social media interactions, transaction data, online activities, real-time contextual data) → Analytics → Insights → Customized Offerings]
Privacy
• Privacy has emerged as the Number 1 concern for digital businesses, overtaking security
• Privacy concern exists both amongst regulators and customers – leading to major regulatory enactments
Proposed Regulatory Environment
Seeks to mandate:
1. Data privacy impact assessments
2. Privacy by design
3. Privacy by default (i.e. data minimization at the level of the application)
4. Data portability (i.e. enabling the right to withdraw consent)
5. Right to be forgotten
6. Rights against being profiled
Organizations' Privacy Bind
[Figure: organizations caught between collecting data for enhancing customer experience and the impending storm in the regulatory environment]
Need for balancing commercial activity with privacy concerns: positive sum, not zero sum
Balancing Privacy and Commercial Viability
[Figure: spectrum from Full Privacy to Full Economic Value, with PrivAd, Adnostic and RePriv positioned along it]
PrivAd: Online advertising system designed to be more private than the existing system. Uses a proxy to hide customer IP addresses.
Adnostic: Developed by Stanford and NYU. Behavioral profiling and targeting takes place in the user's browser and not in the advertising network's servers. Based on the profile, Adnostic downloads a set of advertisements from the ad network and serves the most appropriate one as per the profile.
RePriv: Developed by Microsoft Research. The system's plugin located in the browser discovers the user's interests and shares them with 3rd parties, but only after explicit permission of the user.
Privacy: Monetizing Customer Data
• Business CRM strategies seek to use the customer insights for other purposes also: improve product/service quality; capture customer sentiment; increase up-selling opportunities; trigger new product/service innovation
• "By 2016, 30% of businesses will have begun directly or indirectly monetizing their customer information assets via bartering or selling them outright." (Gartner, March 2014)
Reputational Damage / Extortion
80% of the value of a business is its reputation. Reputation is a top concern of the CEO.
• Social media activity can severely damage an organization's reputation. The harm can potentially be carried out by:
  • Customers / individuals - giving vent to their feelings
  • NGOs like Greenpeace - pushing for corporate social responsibility
  • Cyber criminals - launching cyber extortion
Omni-channel Experience
Good customer experience demands frictionless engagement across every channel and every screen.
Security controls:
• Federated Identity Management & SSO
• Social Identities
• Centralized Opt-in & Opt-out
• Context-based Authentication
• Integration with SIEM
Business Model Security Vulnerabilities
"Digital business is the creation of new business designs by blurring the digital and physical worlds." - Gartner
• Two major vulnerabilities:
  • Impact of application development "velocity" on testing & security
  • Vulnerabilities caused when "things" are connected
Enterprise Security Infrastructure
Identity & Access Management
Identity Federation is becoming the heart of the Digital enterprise.
• Technologies: SAML 2.0; OAuth 2.0; OpenID Connect
• Identity Management: support for social identities & third-party credentials
• Context-based Authentication
• Emergence of Mandatory Access Control (MAC)
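Federation only holds up if the relying party validates what the identity provider sends. The following added example (not code from the slides) shows the checks a relying party must perform on an OpenID Connect ID token: pinned algorithm, signature, issuer, audience, expiry and nonce. OIDC Core allows an HS256 signature with the client secret, which is used here so the check runs offline with the standard library; a production deployment would typically verify RS256/ES256 against the provider's JWKS. ISSUER, CLIENT_ID, CLIENT_SECRET and all claim values are hypothetical.

```python
"""OpenID Connect ID token validation at the relying party.

Added example, not code from the original slides. HS256 with the client
secret is used so the check runs offline with only the standard library.
ISSUER, CLIENT_ID, CLIENT_SECRET and all claims are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"      # assumed issuer URL
CLIENT_ID = "customer-portal"            # assumed client_id / audience
CLIENT_SECRET = b"demo-client-secret"    # assumed shared secret


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the identity provider: HS256-sign a claim set."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(tag)}"


def validate_id_token(token: str, expected_nonce: str, now=None,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the 'alg' header is attacker-controlled input, so it
    # must never be allowed to select 'none' or a different key type.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp check failed for multi-audience token")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    # The nonce binds the token to the browser session that started the
    # login, so a token captured elsewhere cannot be replayed into it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def token_status(token: str, expected_nonce: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    demo = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
            "iat": 1000, "exp": 2000, "nonce": "n-abc"}
    print(token_status(mint_id_token(demo), "n-abc", now=1500))
    print(token_status(mint_id_token(demo), "n-abc", now=2500))
```

The order matters: signature before claims, so an unsigned or forged token never gets its claims parsed into a decision, and the nonce check is what makes a federated login resistant to token replay across sessions.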
API Layer & Security
APIs are the core engines of the Digital Era. The digital economy is an API-driven economy.
API security controls (the same controls apply to the mobile API layer):
• Identity management: authentication using API keys, OAuth 2.0, SAML 2.0; authorization using OAuth 2.0; RBAC
• Traffic control: TLS; DoS mitigation & rate limiting
• Malware/Hacking: XML poisoning, JSON injection, SQL injection; quota/spike arrest
• Logging & integration with SIEM
• Analytics: user activity intelligence
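The following added example (not code from the slides) shows three of the listed controls working together in a gateway: API-key authentication against hashed keys with a constant-time comparison, spike arrest (token bucket) plus a daily quota, and payload guards that reject the JSON injection patterns a parser would otherwise pass through (duplicate keys, excessive nesting, oversized bodies). The keys, limits and sizes are hypothetical values.

```python
"""API-layer controls at the gateway: key authentication, spike arrest and
daily quota, and payload guards against JSON injection.

Added example, not code from the original slides. Keys, limits and sizes
are hypothetical values constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Hypothetical registered clients, keyed by SHA-256 of the API key so that a
# dump of this table does not leak the keys themselves.
API_KEYS = {
    hashlib.sha256(b"demo-key-for-mobile-app").hexdigest(): {"app": "mobile", "role": "customer"},
    hashlib.sha256(b"demo-key-for-partner").hexdigest(): {"app": "partner", "role": "reseller"},
}
MAX_BODY_BYTES = 64 * 1024   # assumed limit
MAX_JSON_DEPTH = 8           # assumed limit


def lookup_api_key(presented: str):
    """Constant-time comparison against every stored digest (no early exit)."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    match = None
    for stored, meta in API_KEYS.items():
        if hmac.compare_digest(stored, digest):
            match = meta
    return match


def _reject_duplicate_keys(pairs):
    """Duplicate keys are a JSON injection / parameter-pollution trick: different
    parsers keep different copies, so the document is refused outright."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def _check_depth(node, depth=1):
    """Bound nesting so a tiny payload cannot exhaust the application's parser."""
    if depth > MAX_JSON_DEPTH:
        raise ValueError("json nesting too deep")
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            _check_depth(child, depth + 1)


def parse_body(raw: bytes):
    """Size, duplicate-key and depth guards before the payload reaches the app."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    document = json.loads(raw, object_pairs_hook=_reject_duplicate_keys)
    _check_depth(document)
    return document


class Gateway:
    def __init__(self, burst_per_sec: float = 5, daily_quota: int = 1000):
        self.burst = burst_per_sec
        self.daily_quota = daily_quota
        self._buckets = {}      # app -> (tokens, time of last refill)
        self._quota_used = {}   # app -> calls counted against today's quota

    def _spike_arrest(self, app: str, now: float) -> bool:
        """Token bucket: refills at `burst` tokens per second, capped at `burst`."""
        tokens, last = self._buckets.get(app, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.burst)
        if tokens < 1:
            self._buckets[app] = (tokens, now)
            return False
        self._buckets[app] = (tokens - 1, now)
        return True

    def handle(self, api_key: str, raw_body: bytes, now: float):
        """Return (http_status, reason) for one inbound call."""
        meta = lookup_api_key(api_key)
        if meta is None:
            return 401, "invalid api key"
        app = meta["app"]
        used = self._quota_used.get(app, 0)
        if used >= self.daily_quota:
            return 429, "daily quota exceeded"
        if not self._spike_arrest(app, now):
            return 429, "spike arrest: too many calls per second"
        self._quota_used[app] = used + 1
        try:
            parse_body(raw_body)
        except ValueError as exc:           # json.JSONDecodeError is a ValueError
            return 400, f"rejected payload: {exc}"
        return 200, f"accepted for app={app} role={meta['role']}"
```

Authentication runs before any rate accounting so that an attacker with an invalid key cannot burn a legitimate client's quota, and a spike-arrested call is not counted against the daily quota either.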
Data Governance
Emergence of the Data Platform: identity controls, access controls, API controls and data governance
Security Tools
• Multiple data security tools: SIEM, Content-aware DLP, Database Audit & Protection (DAP), Data Access Governance (DAG), Fraud prevention, Data masking, Encryption and IAM
• No existing tool can protect across all data silos
• Data-centric Audit & Protection (DCAP): a new category of data security tool that is emerging and can work across data silos
Data-centric Audit & Protection (DCAP) tool
• The DCAP typically would have the following capabilities across data silos:
  Assessment: 1. Data Security Policy; 2. Data Discovery and Classification; 3. Assessment of Users and Permissions
  Activity Monitoring: 4. Privileged User Monitoring and Auditing; 5. Application User Monitoring and Auditing; 6. Event Collection, Analysis and Reporting
  Protection: 7. Vulnerability and Configuration Management; 8. Prevention & Blocking of Attacks; 9. Encryption, Tokenization and Data Masking
Privacy Management
Privacy is emerging as the "biggest" concern in the Digital Business era.
"Finding the right balance between privacy risks & big data rewards may very well be the biggest policy challenge of our time" - Stanford Law Research
• Managing privacy starts by understanding the difference between privacy and security
Privacy-focused technologies:
• Data masking - static, dynamic, redaction
  • Static data masking: masks a non-production database, not in real time
  • Dynamic data masking: masks production data in real time
  • Data redaction: masks unstructured content such as PDF & Word files
• Tokenization
• Format Preserving Encryption (FPE)
• Anonymization
• Privacy Enhancing Technologies (PET)
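The following added example (not code from the slides) applies four of the listed techniques to one customer record: static masking that produces a non-production copy with keyed pseudonyms (so joins across masked tables still work) and generalized quasi-identifiers, dynamic masking that tailors the view to the caller's role without touching the stored row, vault-based tokenization of the card number, and regex redaction for unstructured text. The record, masking key and role names are constructed; format-preserving encryption is not implemented here.

```python
"""Static masking, dynamic masking, tokenization and redaction on one
customer record.

Added example, not code from the original slides. The record, the masking
key and the role names are constructed for the demonstration.
"""
import hashlib
import hmac
import re
import secrets

MASKING_KEY = b"non-production-masking-key"   # assumed; never leaves the masking job

# Constructed sample production record.
PROD_RECORD = {
    "customer_id": "C-1001",
    "name": "Asha Verma",
    "email": "asha.verma@example.com",
    "dob": "1985-07-14",
    "card": "4111111111111111",
    "city": "Gurgaon",
    "spend": 1250.0,
}


def pseudonym(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic pseudonym: the same input always masks to the same
    output, so referential integrity across masked tables is preserved, while
    the real value cannot be recovered without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def static_mask(record: dict) -> dict:
    """Non-production copy: direct identifiers replaced, quasi-identifiers
    generalized, non-identifying analytics fields kept as they are."""
    pid = pseudonym(record["customer_id"])
    return {
        "customer_id": pid,
        "name": "Customer " + pid[:6],
        "email": pid + "@example.invalid",
        "dob": record["dob"][:4] + "-01-01",            # year only
        "card": "************" + record["card"][-4:],
        "city": record["city"],
        "spend": record["spend"],
    }


def dynamic_mask(record: dict, role: str) -> dict:
    """Mask production data on read, per caller role; the stored row is untouched."""
    view = dict(record)
    if role == "fraud_analyst":
        return view                                    # full view for investigations
    view["card"] = "************" + record["card"][-4:]
    if role == "support":
        view["dob"] = "****-" + record["dob"][5:]       # day and month for identity check
        return view
    if role == "marketing":
        view["name"] = record["name"][0] + "***"
        view["email"] = "***@" + record["email"].split("@", 1)[1]
        view["dob"] = record["dob"][:4]
        return view
    raise PermissionError(f"no masking profile for role {role!r}")


class TokenVault:
    """Reversible tokenization: a random token replaces the value in every
    downstream system; only the vault can map it back."""

    def __init__(self):
        self._by_value, self._by_token = {}, {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


CARD_RE = re.compile(r"\b(?:\d[ -]?){12}(\d{4})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact_text(text: str) -> str:
    """Redaction for unstructured content, e.g. text extracted from a PDF."""
    text = CARD_RE.sub(lambda m: "[CARD ****" + m.group(1) + "]", text)
    return EMAIL_RE.sub("[EMAIL]", text)
```

The distinction the slide draws is visible in the code: static_mask returns a new record for a non-production copy, whereas dynamic_mask returns a per-role view and leaves PROD_RECORD unchanged.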
Privacy Controls - Organizational & Technical
Organizational controls (non-technical):
• Internal controls (administrative & physical processes): Policies; Accountability; Data access & usage; Employee training; Data segregation; Data retention & deletion; Physical safeguards
• External controls (contractual & legal processes): Contractual terms to restrict how partners share & use data; SLA liabilities; Auditing rights
Technical controls:
• Security-focused technologies: FW, IPS; DLP, DRM, DAM; IAM; Encryption; SSL
SMACI (social, mobile, analytics, cloud, IoT) Concerns
• Cloud: Data - confidentiality, ownership, remanence; Audit; Legal / Regulatory - privacy, jurisdiction; Business continuity - dependence on provider, migration complexity
• Mobile: Unmanaged & insecure user devices; Loss / leakage of sensitive enterprise data; Unauthorized access to enterprise applications; Device support / management complexity; Unsecured / rogue marketplaces
• Social: Leakage of sensitive enterprise data; Avenue for malware; Targeted spear-phishing attacks on employees (APT ingress)
• Analytics: Privacy & compliance; Unauthorized access/queries; Leakage of data / intelligence; Veracity of input data
IoT Vulnerabilities
• Things cause privacy issues
• Things can be easily hacked
• Things can be physically stolen
• Denial of service attacks / jamming attacks can be launched on Things
• Man-in-the-middle attacks are easy
• Rogue Things can be inserted
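Three of the listed vulnerabilities (man-in-the-middle tampering, rogue Things, and replayed traffic) are addressed by the same small mechanism at the collector: a per-device key, a MAC over the message, and a monotonic counter. The following added example (not code from the slides) shows both the device and collector sides; device identifiers, keys and readings are constructed.

```python
"""Authenticated, replay-protected telemetry from IoT devices.

Added example, not code from the original slides. Device identifiers,
per-device keys and messages are constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Hypothetical provisioning database: one secret per device, never a fleet-wide
# key, so one stolen device does not let an attacker impersonate the rest.
DEVICE_KEYS = {
    "meter-0001": b"key-provisioned-to-meter-0001",
    "meter-0002": b"key-provisioned-to-meter-0002",
}


def _mac(key: bytes, device_id: str, counter: int, payload: str) -> str:
    # Length-prefix each field so that field boundaries cannot be shifted
    # to produce a different message with the same MAC input.
    fields = (device_id.encode(), str(counter).encode(), payload.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def device_send(device_id: str, counter: int, reading: dict) -> dict:
    """Device side: sign (device_id, counter, payload) with its own key."""
    payload = json.dumps(reading, sort_keys=True)
    return {"device_id": device_id, "counter": counter, "payload": payload,
            "mac": _mac(DEVICE_KEYS[device_id], device_id, counter, payload)}


class Collector:
    """Backend side: establish origin and freshness before trusting a reading."""

    def __init__(self):
        self._last_counter = {}   # device_id -> highest counter accepted

    def receive(self, msg: dict) -> str:
        key = DEVICE_KEYS.get(msg.get("device_id"))
        if key is None:
            return "rejected: unknown device (rogue thing)"
        expected = _mac(key, msg["device_id"], msg["counter"], msg["payload"])
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "rejected: bad MAC (tampered or forged message)"
        if msg["counter"] <= self._last_counter.get(msg["device_id"], 0):
            return "rejected: stale counter (replay)"
        self._last_counter[msg["device_id"]] = msg["counter"]
        return "accepted"
```

Physical theft of a device is not solved by this (the thief holds that device's key); it limits the blast radius to one device, which is why the key must be per device and revocable in the provisioning database.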
IoT Security Architecture / IoT Security Protocols / IoT Security Framework
[Figure: IoT security architecture, protocol and framework diagrams; only the titles survive extraction]
EU effort to define IoT Security
Mission: "To holistically embed effective and efficient security and privacy mechanisms into IoT devices and the protocols and services they utilise"
IoT Security Protocols: Eclipse M2M Industry Working Group, March 2013
Enterprise Security Transformation
• Security technologies have become obsolete & ineffective at stopping attacks.
• Today, 100% of enterprises are breached.
Two major transformations are currently underway:
1. Security focus is shifting from "protection" to "detection and response"
  • Enterprises are implementing: Security Intelligence; Context-based and adaptive security
2. Security approach is shifting from "technical controls" to "behavioural controls"
  • Enterprises are adopting: People-centric security (PCS)
Security Intelligence – Technology Interaction
[Figure: security technology map across the People, Data, Applications and Infrastructure layers]
• IAM: Identity manager; FIM; ESSO; privileged ID management; MOTP; AD; ID intelligence
• Perimeter: IPS; FW; Proxy
• Network: Routers; Switches; VPN
• End Point: End Point Protection; AV, Whitelisting; VA Scanner; MDM
• Database: DAM; Oracle; Data mask
• Application: DAST & SAST; WAF Systems
• Content: Encryption; DLP; DRM; URL filter; Mail GW
• Advanced Threats: FireEye, Damballa etc.
• OS: Unix; Windows; Linux
• SOA: WAF; Federated IM; SOA registry security; Policy manager
Outcomes:
• Higher accuracy of vulnerability detection
• Better protection from advanced attacks
• Quicker response
Security Intelligence – Information Integration
Security Information
• Events/Logs: monitoring; privileged activity; user activity; database activity; performance; transaction; application; data/information; sensor data; vulnerability info; configuration info; change management; content-related data; IAM data; web log data; router, switch data
• Network Flows: NW telemetry data; DPI for layer-7 visibility; classification of applications & protocols; behaviour analysis; anomaly information
Contextual Information (internal and external)
• Environmental: external threat info; location, time, etc.
• Process: customer facing, revenue producing
• Content: sensitivity of content, reputation of email
• Identity: strength of authentication, role, group, transaction amount limit
• Application: business criticality of app, known vulnerabilities
• System & OS: asset criticality, patch level, known vulnerabilities, CMDB
• End user device: health, owner, IP address reputation
• Compliance: privacy, RA GW
Contextual assessments deliver:
• Better risk management
• Prioritization of risks into actionable items
Security Intelligence – Framework
[Figure: layered architecture]
Use cases: 1. Risk Management; 2. Fraud Management; 3. Regulatory Compliance; 4. Advanced Threat prevention
Security Intelligence Layer: GRC platform; Big Data platform; SIEM (aggregation, correlation, data repository, query); context infusion
Technology interaction: events and flows are collected from
• Security Devices: IAM; End point security; Perimeter security; SOA; App security; Advanced threat; Database security; etc.
• Network Devices: Routers; Switches; Load balancers; etc.
• Assets & Systems: Servers; Devices; OS; Middleware; etc.
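The framework's value is in the "context infusion" step: the same correlated event gets a different priority depending on asset criticality, patch level, source reputation and what happened next. The following added example (not code from the slides) runs a brute-force-then-success correlation rule over constructed syslog-style lines, then enriches the resulting alert with a constructed CMDB and threat-intelligence feed to assign a priority. The scoring weights are illustrative assumptions.

```python
"""Correlating events with context to turn raw logs into a prioritized alert.

Added example, not code from the original slides. The log lines, asset
inventory (CMDB) and threat-intelligence feed are constructed sample data;
the scoring weights are illustrative assumptions.
"""
import re
from collections import defaultdict

LOG_LINES = [  # constructed, syslog-like
    "2014-09-09T10:00:01 host=db01 sshd: Failed password for admin from 203.0.113.5",
    "2014-09-09T10:00:02 host=db01 sshd: Failed password for admin from 203.0.113.5",
    "2014-09-09T10:00:03 host=db01 sshd: Failed password for admin from 203.0.113.5",
    "2014-09-09T10:00:04 host=db01 sshd: Failed password for admin from 203.0.113.5",
    "2014-09-09T10:00:05 host=db01 sshd: Failed password for admin from 203.0.113.5",
    "2014-09-09T10:00:09 host=db01 sshd: Accepted password for admin from 203.0.113.5",
    "2014-09-09T10:00:30 host=db01 sudo: admin : COMMAND=/bin/cat /etc/shadow",
    "2014-09-09T10:05:00 host=web03 sshd: Failed password for bob from 198.51.100.7",
    "2014-09-09T10:05:04 host=web03 sshd: Accepted password for bob from 198.51.100.7",
]

# Context sources (constructed): asset criticality and patch state from the
# CMDB / vulnerability scanner, source reputation from external threat intel.
ASSETS = {
    "db01": {"criticality": "high", "patch_level": "out_of_date", "known_vulns": 3},
    "web03": {"criticality": "low", "patch_level": "current", "known_vulns": 0},
}
THREAT_INTEL = {"203.0.113.5": "malicious"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    return m.groupdict()


def correlate(lines, failure_threshold: int = 5) -> list:
    """Rule: N failed logins followed by a success from the same source; the
    alert is flagged further if privileged activity follows on that host."""
    failures = defaultdict(int)   # (host, user, src) -> failed attempts so far
    alerts = []
    for ev in map(parse_line, lines):
        auth = AUTH_RE.match(ev["msg"]) if ev["proc"] == "sshd" else None
        if auth:
            key = (ev["host"], auth["user"], auth["src"])
            if auth["result"] == "Failed":
                failures[key] += 1
            elif failures[key] >= failure_threshold:
                alerts.append({"rule": "brute_force_success", "ts": ev["ts"],
                               "host": ev["host"], "user": auth["user"],
                               "src": auth["src"], "privileged_followup": False})
                failures[key] = 0
        elif ev["proc"] == "sudo":
            for alert in alerts:
                if alert["host"] == ev["host"] and ev["msg"].startswith(alert["user"] + " "):
                    alert["privileged_followup"] = True
    return alerts


def prioritize(alert: dict) -> dict:
    """Context infusion: same event, different priority depending on the asset,
    its patch state, the source's reputation and what happened next."""
    asset = ASSETS.get(alert["host"], {})
    score, reasons = 50, []
    if asset.get("criticality") == "high":
        score += 30
        reasons.append("critical asset")
    if asset.get("patch_level") == "out_of_date":
        score += 10
        reasons.append(f"{asset.get('known_vulns', 0)} known vulnerabilities")
    if THREAT_INTEL.get(alert["src"]) == "malicious":
        score += 20
        reasons.append("source on threat list")
    if alert["privileged_followup"]:
        score += 20
        reasons.append("privileged activity after login")
    level = "P1" if score >= 100 else "P2" if score >= 70 else "P3"
    return dict(alert, score=score, priority=level, reasons=reasons)


def run(lines=LOG_LINES) -> list:
    return [prioritize(a) for a in correlate(lines)]
```

Without the context step both successful logins look alike to the rule engine; with it, the db01 event is a P1 because the asset is critical, unpatched, the source is known-bad and a sensitive file was read afterwards, while web03 never crosses the correlation threshold at all.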
Context-based Security
Legacy security policies are binary and static yes/no decisions that have been defined in advance; context-based security decides each request on the identity, device, application, content and environmental context listed above.
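The following added example (not code from the slides) places the legacy binary policy next to an adaptive one that scores the contextual information the Information Integration slide enumerates (identity strength, role limits, application criticality, device health, IP reputation, location and time) and answers allow, step-up or deny per request. The field names, thresholds and weights are assumptions constructed for the demonstration.

```python
"""Context-based (adaptive) access decision versus the legacy binary policy.

Added example, not code from the original slides. The context fields follow
the slides' categories (identity, application, device, environment,
content/transaction); names, thresholds and weights are assumptions.
"""


def legacy_policy(ctx: dict) -> str:
    """Static yes/no decided in advance: valid credentials mean full access."""
    return "allow" if ctx["credentials_valid"] else "deny"


def risk_score(ctx: dict):
    """Add up risk signals from the request context; return (score, reasons)."""
    score, reasons = 0, []
    if not ctx["credentials_valid"]:
        return 100, ["credentials invalid"]
    if ctx["auth_strength"] == "password":
        score += 20
        reasons.append("single-factor authentication")
    if not ctx["device_managed"]:
        score += 20
        reasons.append("unmanaged device")
    if ctx["ip_reputation"] == "bad":
        score += 40
        reasons.append("source IP on threat list")
    if ctx["location"] not in ctx["usual_locations"]:
        score += 15
        reasons.append(f"unusual location {ctx['location']}")
    if not 6 <= ctx["hour"] <= 22:
        score += 10
        reasons.append("outside normal hours")
    if ctx["amount"] > ctx["tx_limit"]:
        score += 30
        reasons.append("amount above role limit")
    if ctx["app_criticality"] == "high":
        score += 10
        reasons.append("business-critical application")
    return score, reasons


def adaptive_policy(ctx: dict) -> dict:
    """Decide per request: allow, step_up (ask for a second factor), or deny."""
    score, reasons = risk_score(ctx)
    if score >= 60:
        decision = "deny"
    elif score >= 25:
        # Medium risk: demand a stronger factor unless one was already used,
        # in which case let the request through but flag it for monitoring.
        decision = "allow_monitored" if ctx["auth_strength"] == "mfa" else "step_up"
    else:
        decision = "allow"
    return {"decision": decision, "score": score, "reasons": reasons}


BASE_CTX = {  # constructed: a customer paying a small bill from their usual phone
    "credentials_valid": True, "auth_strength": "password", "device_managed": True,
    "ip_reputation": "good", "location": "IN", "usual_locations": {"IN"},
    "hour": 14, "amount": 500, "tx_limit": 10000, "app_criticality": "low",
}
```

The contrast the slide draws is the last case in the test: a valid password from a blacklisted address moving an amount above the role limit is "allow" under the legacy policy and "deny" under the adaptive one, and the reasons list is what gets fed back to the SIEM.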
People Centric Security (PCS)
"PCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are insufficient" – Gartner 2013
Security Governance
Emergence of the Digital Risk Officer (DRO)
• By 2017, one-third of large enterprises engaging in digital business will have a digital risk officer.
• The DRO will report to a senior executive role outside IT, such as the chief digital officer or the chief operating officer.
• They will manage risk at an executive level across digital business units, working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations.
• The DRO and CISO are separate roles. Many CISOs will evolve into DROs. However, if they don't upgrade their skills they will report to the DRO.
(Gartner, June 2014)
Security Skills for the Digital Business Era
Conclusion
• Today every business is a Digital Business – businesses that do not understand this become irrelevant
• Delivering great Customer Experience is the strategic focus
• Vulnerabilities related directly to delivering customer experiences must be addressed:
  • manage privacy & reputational damage
  • enable secure omni-channel engagement
  • manage the inherent vulnerabilities that velocity-driven business designs open
  • mitigate the threats and vulnerabilities related to the Internet of Things and OT
• And this must be backed up by a comprehensive and layered enterprise security capability
Thank You
Infosec thought leadership