Securing the Digital enterprise Felix Mohan Chief Knowledge Officer 09 Sept 2014 CERC@IIITD

DESCRIPTION

Abstract: Digital technologies have made customers powerful, giving them the option to choose and the means to instantaneously spread their opinions widely. They have become demanding, and they change brands without a blink if their experience with the product or service isn’t what they expect. Brand loyalty, therefore, has taken a backseat and customer experience has emerged supreme. In an IBM survey, 95% of CEOs said enhancing customer experience was top priority for them. Security forms a core foundation for enhancing customer experience! Typically security has been inward looking, focusing more on technology vulnerabilities and less on securing business objectives. Securing the digital enterprise entails looking outside-in, to protect customer experience, its strategic objective. Also, internally the digital enterprise needs assurance against vulnerabilities introduced by digital technologies like cloud, IoT etc.

Bio: Mohan is an acknowledged expert and thought leader in information security. He was the Snr VP and Global CISO at Bharti Airtel, where he had also held charge as the company’s Chief Architect and CIO for its Bangladesh and Sri Lankan operations. Prior to his stint in Bharti, he was an advisor at a Big-4 consultancy, CEO of a security company he helped start, and the Director of the Indian Navy’s Information Technology, where he was awarded the Vishist Seva Medal by the President of India for innovative work in information security. He has also been a member of several national and international committees on security, including the National Task Force on information security, DOT Joint Working Group on Telecom Security, Indo-US Cyber Security Forum, IBM Security Board of Advisors, RSA Security for Business Innovation Council, and has been chairperson of the CII National Committee on data security among others. For his contribution to the information security practice he has also been awarded the DSCI Security Leader Award, CSO Forum Security Visionary Award, and the RSA Security Strategist Award.



Page 2: Securing the Digital Enterprise

Agenda: Securing the Digital Enterprise

• Technology & Digital Enterprise
• Customer Experience
• Security Controls

Page 4: Securing the Digital Enterprise

[Figure: two outcomes of digital technology - Lower Operating Cost; Better Customer Experience]

Page 6: Securing the Digital Enterprise

3D printing revolutionizing supply chains

[Figure: four successive supply-chain models, each drawn across the stages Manufacturer, Distributors, Retailers, Customers, with information flow and physical part flow marked. In the later models the part is printed at an intermediate stage using their 3D printer, and finally by the customer using a personal 3D printer.]

Lower Operating Cost; Better Customer Experience

Page 7: Securing the Digital Enterprise

Transformation of the Digital Enterprise

[Chart: 2005 versus 2012, categories Objectives, Value, Power; values shown on the chart: 1%, 28%, 12%, 41%, 22%]

Page 8: Securing the Digital Enterprise

Delivering great Customer Experience

• Customer Experience is the manifestation of value
  • Organizations don’t sell products or services. They sell experiences. (Forrester)
  • Customers buy experiences that are embedded in products. (Gartner)
• 95% of CEOs stated that ‘Delivering great Customer Experience’ was the top priority for realizing their strategy in the next 5 years. (IBM CEO Survey)
• Digital technologies have made customers powerful. And they are demanding good experience!
• Customers have low brand loyalty or stickiness.
  • They can quickly change product or vendor if not satisfied
  • Less than 25% of retail purchases in the US were due to brand loyalty. (EY Survey, 2013)
• They can spread their bad experience in their social network, affecting company reputation badly

Page 9: Securing the Digital Enterprise

Customer Power

Empowered customers can tip the balance of power in contemporary buyer / seller relations.

So what are organizations doing about all this?

Page 10: Securing the Digital Enterprise

The Customer Experience Pyramid

[Figure: pyramid with three layers, listed top to bottom - Emotional Fulfillment; Ease of use/engagement & features; Value & Quality - leading to Loyalty & Stickiness]

Page 11: Securing the Digital Enterprise

Enhancing Customer Loyalty

• quantity of personal data collected is spiraling rapidly
• big data correlations are creating additional privacy issues

[Figure: data sources - Customer’s demographic data; Social media interactions; Transaction data; Online activities; Real-time contextual data - feed Analytics, which produces Insights and Customized Offerings]

Page 12: Securing the Digital Enterprise

The Customer Experience Pyramid: Privacy

• Privacy has emerged as the Number 1 concern for digital businesses, overtaking security
• Privacy is a concern both amongst regulators and customers, leading to major regulatory enactments

Page 13: Securing the Digital Enterprise

Proposed Regulatory Environment

Seeks to mandate:
1. Data privacy impact assessments
2. Privacy by design
3. Privacy by default (i.e. data minimization at the level of application)
4. Data portability (i.e. enabling right to withdraw consent)
5. Right to be forgotten
6. Rights against being profiled

Page 14: Securing the Digital Enterprise

Organizations’ Privacy Bind

[Figure: Organizations caught between Collecting data for enhancing Customer Experience and the Impending storm in the regulatory environment]

Need for balancing commercial activity with privacy concerns: Positive Sum, not Zero Sum

Page 15: Securing the Digital Enterprise

Balancing Privacy and Commercial Viability

[Figure: spectrum from Full Privacy to Full Economic Value, with PrivAd, Adnostic and RePriv placed along it]

PrivAd: Online advertising system designed to be more private than the existing system. Uses a proxy to hide customer IP addresses.

Adnostic: Developed by Stanford and NYU. Behavioral profiling and targeting takes place in the user’s browser and not in the advertising network’s servers. Based on the profile, Adnostic downloads a set of advertisements from the ad network and serves the most appropriate one as per the profile.

RePriv: Developed by Microsoft Research. The system’s plugin, located in the browser, discovers the user’s interests and shares them with 3rd parties, but only after explicit permission of the user.

Page 16: Securing the Digital Enterprise

The Customer Experience Pyramid: Privacy

Business CRM strategies seek to use the customer insights for other purposes also:
• Improve product/service quality
• Capture customer sentiment
• Increase up-selling opportunities
• Trigger new product/service innovation

Page 17: Securing the Digital Enterprise

Monetizing Customer Data

By 2016, 30% of businesses will have begun directly or indirectly monetizing their customer information assets via bartering or selling them outright.

Gartner, March 2014

Page 18: Securing the Digital Enterprise

The Customer Experience Pyramid: Privacy; Reputational Damage/Extortions

Page 19: Securing the Digital Enterprise

Reputational Damage

80% of the value of a business is its reputation. Reputation is a top concern of the CEO.

• Social media activity can severely damage an organization’s reputation.
• The harm can potentially be carried out by:
  • Customers / Individuals - giving vent to their feelings
  • NGOs like Greenpeace - pushing for corporate social responsibility
  • Cyber criminals - launching cyber extortion


Page 22: Securing the Digital Enterprise

The Customer Experience Pyramid: Privacy; Reputational Damage/Extortions; Omni-channel Experience

Page 23: Securing the Digital Enterprise

Omni-channel Experience

Good customer experience demands frictionless engagement across every channel and every screen.

Security controls:
• Federated Identity Management & SSO
• Social Identities
• Centralized Opt-in & Opt-out
• Context-based Authentication
• Integration with SIEM

Page 24: Securing the Digital Enterprise

The Customer Experience Pyramid: Privacy; Reputational Damage/Extortions; Omni-channel Experience; Business model security vulnerabilities

Page 25: Securing the Digital Enterprise

Business Model Security Vulnerabilities

Digital business is the creation of new business designs by blurring the digital and physical worlds. - Gartner

• Two major vulnerabilities:
  • Impact of application development “velocity” on testing & security
  • Vulnerabilities caused when “things” are connected

Page 26: Securing the Digital Enterprise

Enterprise Security Infrastructure

[Figure: the Customer Experience Pyramid (Emotional Fulfillment; Ease of use/engagement & features; Value & Quality) shown together with the Enterprise Security Infrastructure that supports it; the same figure introduces each of the infrastructure topics that follow]

Page 28: Securing the Digital Enterprise

Identity & Access Management

Identity Federation is becoming the heart of the Digital enterprise.

Technologies: SAML 2.0; OAuth 2.0; OpenID Connect

Identity Management
• Support for Social Identities & Third party credentials
• Context-based Authentication
• Emergence of Mandatory Access Control (MAC)


Page 30: Securing the Digital Enterprise

API Layer & Security

APIs are the core engines of the Digital Era. The digital economy is an API-driven economy.

Security controls:
• Identity management
  • Authentication using API Keys, OAuth 2.0, SAML 2.0
  • Authorization using OAuth 2.0
  • RBAC
• Traffic Control
  • TLS
  • DoS mitigation & Rate Limiting
• Malware/Hacking
  • XML poisoning, JSON injection, SQL injection, quota/spike arrest
• Logging & integration with SIEM
• Analytics
  • User activity intelligence

Page 31: Securing the Digital Enterprise

Mobile API Layer Security

API Security controls: the same set as on the API Layer & Security slide (identity management; traffic control; malware/hacking; logging & integration with SIEM; analytics).


Page 33: Securing the Digital Enterprise

Data Governance

Emergence of the Data Platform

[Figure: the data platform surrounded by Access controls, API controls and Identity controls]

Page 34: Securing the Digital Enterprise

Data Governance

Security Tools
• Multiple data security tools
  • SIEM, Content-aware DLP, Database Audit & Protection (DAP), Data Access Governance (DAG), Fraud prevention, Data masking, Encryption and IAM
  • No existing tool can protect across all data silos
• Data-centric Audit & Protection (DCAP)
  • This is a new category of data security tool that is emerging which can work across data silos

Data-centric Audit & Protection (DCAP) tool
• The DCAP typically would have the following capabilities across data silos:

Assessment
1. Data Security Policy
2. Data Discovery and Classification
3. Assessment of Users and Permissions

Activity Monitoring
4. Privileged User Monitoring and Auditing
5. Application User Monitoring and Auditing
6. Event Collection, Analysis and Reporting

Protection
7. Vulnerability and Configuration Management
8. Prevention & Blocking of Attacks
9. Encryption, Tokenization and Data Masking


Page 36: Securing the Digital Enterprise

Privacy Management

Privacy is emerging as the “biggest” concern in the Digital Business era.

“Finding the right balance between Privacy Risks & Big Data rewards may very well be the biggest policy challenge of our time” - Stanford Law Research

• Managing Privacy starts by understanding the difference between Privacy and Security

Page 37: Securing the Digital Enterprise

Privacy Controls - Organizational & Technical

Organizational controls (Non-technical)
• Internal controls (Administrative & physical processes)
  • Policies
  • Accountability
  • Data access & usage
  • Employee training
  • Data segregation
  • Data retention & deletion
  • Physical safeguards
• External controls (Contractual & legal processes)
  • Contractual terms to restrict how partners share & use data
  • SLA liabilities
  • Auditing rights

Technical controls
• Privacy-focused technologies:
  • Data masking - static, dynamic, redaction
  • Tokenization
  • Format Preserving Encryption (FPE)
  • Anonymization
  • Privacy Enhancing Technologies (PET)
• Security-focused technologies:
  • FW, IPS
  • DLP, DRM, DAM
  • IAM
  • Encryption
  • SSL

Static Data Masking: Masks a non-production database, not in real time
Dynamic Data Masking: Masks production data in real time
Data Redaction: Masks unstructured content such as PDF & Word files
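The three masking variants defined above, worked through as an added example (not code from the presentation): static masking builds a pseudonymized copy for non-production use and leaves production untouched, dynamic masking rewrites rows per requesting role at read time, and redaction scrubs values out of free text. The record fields, role names, salt and sample values are constructed for illustration.

```python
"""Static masking, dynamic masking and redaction side by side (added example)."""
import copy
import hashlib
import re

# Constructed sample "production" records; not real customers.
PRODUCTION = [
    {"id": 1, "name": "Asha Rao", "email": "asha@example.com",
     "card": "4111111111111111", "balance": 1200.50},
    {"id": 2, "name": "Ravi Menon", "email": "ravi@example.com",
     "card": "5500000000000004", "balance": 87.10},
]


def _pseudonym(value: str, salt: str = "static-mask-salt") -> str:
    """Deterministic pseudonym so joins across masked tables still line up.
    The salt is a constructed placeholder; keep a real one out of source."""
    return hashlib.sha256((salt + value).encode()).hexdigest()[:12]


def static_mask(records):
    """Static masking: build a masked COPY ahead of time for dev/test.
    Production rows are never modified; the copy carries pseudonyms."""
    masked = copy.deepcopy(records)
    for row in masked:
        row["name"] = "user_" + _pseudonym(row["name"])
        row["email"] = _pseudonym(row["email"]) + "@masked.invalid"
        row["card"] = "************" + row["card"][-4:]
    return masked


def dynamic_mask(records, role):
    """Dynamic masking: decide per request, at read time, by role.
    Roles here are constructed; a real deployment maps them from IAM."""
    if role == "fraud_analyst":            # full view for this role
        return [dict(row) for row in records]
    out = []
    for row in records:
        view = dict(row)                   # mask a view, not the store
        view["card"] = "************" + row["card"][-4:]
        if role != "support_agent":        # support sees name, not email
            view["name"] = "[masked]"
        view["email"] = "[masked]"
        out.append(view)
    return out


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def redact(text: str) -> str:
    """Redaction: mask sensitive values inside unstructured content,
    e.g. text extracted from a PDF or Word file."""
    text = CARD_RE.sub("[CARD REDACTED]", text)
    return EMAIL_RE.sub("[EMAIL REDACTED]", text)


if __name__ == "__main__":
    print(static_mask(PRODUCTION)[0])
    print(dynamic_mask(PRODUCTION, "marketing")[0])
    print(redact("Contact asha@example.com, card 4111 1111 1111 1111."))
```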


Page 39: Securing the Digital Enterprise

SMACI Concerns

• Data - confidentiality, ownership, remanence
• Audit
• Legal / Regulatory - privacy, jurisdiction
• Business continuity - dependence on provider, migration complexity

• Unmanaged & insecure user devices
• Loss / leakage of sensitive enterprise data
• Unauthorized access to enterprise applications
• Device support / management complexity
• Unsecured / rogue marketplaces

• Leakage of sensitive enterprise data
• Avenue for malware
• Targeted spear-phishing attacks on employees (APT ingress)

• Privacy & compliance
• Unauthorized access/queries
• Leakage of data / intelligence
• Veracity of input data

Page 45: Securing the Digital Enterprise

IoT Vulnerabilities

• Things cause privacy issues
• Things can be easily hacked
• Things can be physically stolen
• Denial of service attacks / jamming attacks can be launched on Things
• Man-in-the-middle attacks are easy
• Rogue things can be inserted

Page 46: Securing the Digital Enterprise

[Figure: IoT Security Architecture; IoT Security Protocols; IoT Security Framework]

Page 47: Securing the Digital Enterprise

EU effort to define IoT Security

Mission: “To holistically embed effective and efficient security and privacy mechanisms into IoT devices and the protocols and services they utilise”

Page 48: Securing the Digital Enterprise

IoT Security Protocols

[Figure: Eclipse M2M Industry Working Group]

Page 49: Securing the Digital Enterprise

[Figure dated March 2013]


Page 51: Securing the Digital Enterprise

Enterprise Security Transformation

• Security technologies have become obsolete & ineffective to stop attacks.
• Today, 100% of enterprises are breached.

Two major transformations are currently underway:
1. Security focus is shifting from “protection” to “detection and response”
   • Enterprises are implementing:
     • Security Intelligence
     • Context-based and adaptive security
2. Security approach is shifting from “Technical controls” to “Behavioural controls”
   • Enterprises are adopting:
     • People-centric security (PCS)

Page 52: Securing the Digital Enterprise

Security Intelligence - Technology Interaction

[Figure: security technologies grouped under People, Data, Applications and Infrastructure, all feeding the Security Intelligence layer]

• IAM: Identity manager; FIM; ESSO; privileged ID management; MOTP; AD; ID intelligence
• Network: Routers; Switches; VPN
• Perimeter: IPS; FW; Proxy
• End Point: End Point Protection; AV, Whitelisting; VA Scanner; MDM
• Database: DAM; Oracle; Data mask
• Content: Encryption; DLP; DRM; URL filter; Mail GW
• Advanced Threats: FireEye, Damballa etc
• Application: DAST & SAST; WAF
• Systems: Unix; Windows; Linux
• SOA: WAF; Federated IM; SOA registry security; Policy manager

Outcomes:
• Higher accuracy of vulnerability detection
• Better protection from advanced attacks
• Quicker response

Page 53: Securing the Digital Enterprise

Security Intelligence - Information Integration

Security Information

Events/Logs
• monitoring
  • privileged activity; user activity; database activity; performance; transaction; application
• data/information
  • sensor data; vulnerability info; configuration info; change management; content-related data; IAM data; web log data; router, switch data

Network Flows
• NW telemetry data
• DPI for layer-7 visibility
• classification of applications & protocols
• behaviour analysis
• anomaly information

Contextual Information (Internal and External)
• Environmental: external threat info; location, time, etc
• Process: customer facing, revenue producing
• Content: sensitivity of content, reputation of email
• Identity: strength of authentication, role, group, transaction amount limit
• Application: business criticality of app, known vulnerabilities
• System & OS: asset criticality, patch level, known vulnerabilities, CMDB
• End user Device: health - owner, IP address reputation
• Compliance: Privacy, RA GW

Contextual assessments
• Better risk management
• Prioritization of risks into actionable items

Page 54: Securing the Digital Enterprise

Security Intelligence - Framework

[Figure: layered framework]

Use cases: 1. Risk Management; 2. Fraud Management; 3. Regulatory Compliance; 4. Advanced Threat prevention

Security Intelligence Layer: SIEM (aggregation, correlation, data repository, query); GRC platform; Big Data platform

Inputs: Events; Flows; Context infusion

Technology interaction:
• Security Devices: IAM; End point security; Perimeter security; SOA; App security; Advanced threat; Database sec; etc
• Network Devices: Routers; Switches; Load balancers; etc
• Assets & Systems: Servers; Devices; OS; Middleware; etc


Page 56: Securing the Digital Enterprise

Context-based Security

Legacy security policies are binary and static yes/no decisions that have been defined in advance.
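An added example (not from the presentation) contrasting a legacy static yes/no rule with a context-based decision that scores the contextual signals the Information Integration slide lists: strength of authentication, location and time, device health and IP address reputation, transaction amount against the identity's limit, and business criticality of the application. The request fields, thresholds, expected country and role names are constructed for illustration.

```python
"""Static yes/no policy versus a context-based decision (added example)."""
from dataclasses import dataclass


@dataclass
class Request:
    role: str
    auth_strength: str      # "password" or "mfa"
    country: str            # ISO country code of the access origin
    hour: int               # local hour of day, 0-23
    device_managed: bool    # device health: enrolled and compliant
    ip_reputation: str      # "good", "suspicious" or "bad"
    amount: float           # transaction amount requested
    txn_limit: float        # identity's transaction amount limit
    app_criticality: str    # "low" or "high"


def static_policy(req: Request) -> str:
    """Legacy rule: a binary decision fixed in advance from role alone."""
    return "allow" if req.role in {"treasury", "ops"} else "deny"


def context_score(req: Request) -> int:
    """Accumulate risk points from the request context.
    Weights and the expected geography ("IN") are constructed values."""
    score = 0
    if req.auth_strength != "mfa":            # weak authentication
        score += 2
    if req.country != "IN":                   # outside expected location
        score += 2
    if req.hour < 7 or req.hour > 21:         # outside business hours
        score += 1
    if not req.device_managed:                # unhealthy/unknown device
        score += 2
    score += {"good": 0, "suspicious": 2, "bad": 5}[req.ip_reputation]
    if req.amount > req.txn_limit:            # exceeds identity's limit
        score += 3
    if req.app_criticality == "high":         # critical application
        score += 1
    return score


def context_policy(req: Request) -> str:
    """Adaptive decision: the role check still applies, but the outcome is
    then graded by context into allow, step_up (stronger auth) or deny."""
    if static_policy(req) == "deny":
        return "deny"
    if req.ip_reputation == "bad":
        return "deny"
    score = context_score(req)
    if score >= 7:
        return "deny"
    if score >= 3:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Same role and static answer, different contexts (constructed).
    r = Request("treasury", "password", "IN", 23, True, "good", 500, 10000, "low")
    print(static_policy(r), context_policy(r))   # allow step_up
```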


Page 58: Securing the Digital Enterprise

People Centric Security (PCS)

PCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are insufficient. - Gartner 2013


Page 60: Securing the Digital Enterprise

Security  Governance  

Page 61: Securing the Digital Enterprise

Emergence of the Digital Risk Officer (DRO)

By 2017, one-third of large enterprises engaging in digital business will have a digital risk officer.

The DRO will report to a senior executive role outside IT, such as the chief digital officer or the chief operating officer.

They will manage risk at an executive level across digital business units, working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations.

The DRO and CISO are separate roles. Many CISOs will evolve into DROs. However, if they don’t upgrade their skills they will report to the DRO.

Gartner, June 2014

Page 62: Securing the Digital Enterprise

Security  Skills  for  the  Digital  Business  Era  

Page 63: Securing the Digital Enterprise

Conclusion

• Today every business is a Digital Business; businesses that do not understand this become irrelevant
• Delivering great Customer experiences is the strategic focus
• Vulnerabilities related directly to delivering customer experiences must be addressed
  • manage privacy & reputational damage
  • enable secure omni-channel engagement
  • manage the inherent vulnerabilities that velocity-driven business designs open
  • mitigate the threats and vulnerabilities related to the Internet of Things and OT
• And this must be backed up by a comprehensive and layered enterprise security capability

Page 64: Securing the Digital Enterprise

Thank  You  
