darryl-miles
This presentation outlines how IBM Endpoint Manager can help organisations become PCI DSS compliant
IBM Endpoint Manager
Meeting the challenges for Payment Card Industry Data Security Standard (PCI DSS) compliance January 2014
© 2013 International Business Machines Corporation 2
Presentation Overview
• Other clients using IBM Endpoint Manager (IEM)
• PCI DSS recap
• IBM Endpoint Manager overview
• How IEM assists with PCI DSS compliance
• Case Study: The Co-operative Food
• Other IEM services
• Summary
Endpoint complexity continues to increase
Endpoint device counts,
devices and platforms
Compliance requirements to establish, prove and maintain
continuous compliance
Speed, severity and
complexity of malware attacks
Patch O/S and application vulnerabilities within hours
Rapid, agile, automated remediation is needed
Mobile/roaming endpoints
New form factors and platforms
Employee-owned devices
Establish, prove and maintain continuous
compliance
What is PCI DSS and why should you care?
• PCI DSS – Payment Card Industry Data Security Standard
  – 12 Requirements to Protect Credit Card Information
  – 3 Levels based on transactions per annum
    1. >6m transactions per annum
    2. 150k to 6m transactions per annum
    3. <150k transactions per annum
  – Formed in September of 2005 by these five leading credit card vendors: American Express, Discover, JCB, MasterCard, VISA
• Consequences of Non-Compliance
  – Steep monetary fines
  – Revocation of credit card business trading privileges
IBM Endpoint Manager offers a unified management platform
Desktop and Server Administration: Delivers patch, inventory, software distribution, OS deployment, remote control capabilities and near real-time visibility into the state of endpoints including advanced capabilities to support server endpoints.
Software Asset Management: Track software usage patterns and trends across Windows, UNIX and Linux endpoints with always on asset management to enhance license compliance. Manages software assets from procurement to retirement using control desk integration.
Mobile Device Management & Security: Address issues of security, complexity and bring-your-own-device (BYOD) policies across a unified platform that spans Apple iOS, Google Android, Blackberry, Nokia Symbian and Microsoft Windows Mobile platforms.
Endpoint Security, Protection & Compliance: Provides unified, real-time visibility and enforcement to protect distributed environments against threats that target endpoints and helps organizations to comply with regulatory standards on security.
IBM Endpoint Manager (IEM) and PCI DSS
The PCI DSS standard applies to network components, servers and applications that are included in or connected to a cardholder data environment. The cardholder environment is considered to be made up of the people, processes and technology providing cardholder data services.
A great article by Orb Data on IEM and PCI DSS here
IBM Endpoint Manager can maintain compliance for 8 of the 12 PCI DSS requirements
PCI DSS: The six goals and twelve requirements
IBM Endpoint Manager implements PCI via two key modules: Lifecycle and Security and Compliance
Vulnerability Management
Patch Management
Security Configuration Management
PCI
IBM Endpoint Manager
PC / Server Configuration Lifecycle Management
IBM Endpoint Manager
Security & Compliance / Endpoint Protection
IBM Endpoint Manager Technical Controls
PCI Policy and Process Framework
IBM Endpoint Manager for Security and Compliance: What It Does
• SCM is a library of technical controls and tools based on industry best practices and standards produced by organizations such as DISA and NIST.
• It allows organizations to achieve IT security compliance by detecting, remediating, enforcing, and reporting on security configuration policies across heterogeneous systems in centralized and distributed environments, including servers, desktops, notebooks, and mobile devices.
Before… Lack of visibility, lack of standards enforcement, poor success rates, insecure
– Ongoing failures to secure systems and mitigate against threats
– Systems highly susceptible to internal abuse and external attack
After… Continuous compliance, real-time reporting
– Leverage out-of-the-box checklists to assess compliance and automate remediation of non-compliant systems
– Real-time security and compliance automation and reporting
Policy libraries that enable detection, remediation, and continuous enforcement of security technical controls
IBM CONFIDENTIAL – FOR INTERNAL IBM CORP USE ONLY
Over 5000 out of the box checks are applied for systems hardening, security, and compliance objectives.
Analytics tools enable flexible, easy to use, powerful compliance reporting
The Co-operative Food enhances PCI DSS compliance with IBM Endpoint Manager
The challenge: Achieving PCI compliance across a vast retail estate of 70,000 staff and 2,800 stores across the UK. 18,500 endpoints across the UK.
The solution: Implemented IBM’s Endpoint Manager to provide patching and security and compliance:
• Patch Management
• Security and Compliance
“With IBM Endpoint Manager we will be able to guarantee that all of our endpoints are patched appropriately, and we will be able to provide solid proof that we have a regular, fully documented patch process in place. This will be a huge step in helping us to move closer to full PCI DSS compliance.”
– Neil Wakefield, System and Process Change Manager, The Co-operative Food
Benefits: Will be able to provide solid proof that we have a regular, fully documented patch process in place for PCI DSS. See Case Study - http://ibm.co/1jDQlKQ
What else can IBM Endpoint Manager do?
Endpoints
• Common management agent
• Unified management console
• Common infrastructure
• Single server
IBM Endpoint Manager
Patch Management
Lifecycle Management
Software Use Analysis
Power Management
Mobile Devices
Security and Compliance
Core Protection
Desktop / laptop / server endpoint Mobile Purpose specific
Systems Management Security Management
Server Automation
IBM Endpoint Manager continuously monitors the health and security of all enterprise computers in real-time via a single, policy-driven agent
Why IBM Endpoint Manager?
Concord Hospital achieves 98% first-pass success in hours on their Microsoft and 3rd party patches
Helped US Foods reduce patch deployment times by 80 percent, saving USD 500,000 on software licenses and avoiding more than USD 1 million in license noncompliance fines.
Bendigo Bank has saved $175,000 off its power bill within 12 months and avoided 2190 tonnes of carbon emissions
IBM has deployed Endpoint Manager to over 700,000 endpoints on three servers. Expects to save over $10M in Year 1
Over 13,000 mobile devices enrolled in 72 hours!
How it Works
Single Server & Console
• Highly secure, highly scalable
• Aggregates data, analyzes & reports
• Pushes out pre-defined/custom policies
Cloud-based Content Delivery
• Highly extensible
• Automatic, on-demand functionality
Single Intelligent Agent
• Performs multiple functions
• Continuous self-assessment & policy enforcement
• Minimal system impact (< 2% CPU)
Lightweight, Robust Infrastructure
• Use existing systems as Relays
• Built-in redundancy
• Support/secure roaming endpoints
Remote Offices
Manage roaming devices
Identify unmanaged assets
Summary
• IBM Endpoint Manager enables unified management of all enterprise devices – desktops, laptops, servers, smartphones, and tablets
• Real-time/proactive endpoint management: Patch management, anti-virus/malware, security and compliance for PCI DSS compliance
• Continuous compliance reduces costs and risk
• Avoid non-compliance penalties
ibm.com
Additional Information
Patch Management
• IBM Cloud content delivery service (operating systems and 3rd party applications)
• Patch capabilities for multiple platforms: Windows, Mac OS X, Linux and UNIX
• Intelligent agent
• Reduction in patch and update times from weeks and days to hours and minutes
• Increase first-pass success rates from 60-75% to 95-99+%
• Real-time reporting
• Automated self-assessment, no centralised or remote scanning required
Benefits: Services:
"We compressed our patch process from 6 weeks to 4 hours"
"We consolidated eight tools/infrastructures to one"
"We reduced our endpoint support issues by 78%"
"We freed up tens of admins to work on higher value projects"
Overview of Patch Management
Start with the Patch Management domain
The patches dashboard provides a real-time view of Windows patch requirements across your environment
See any New Content here
Application vendor patches
• Adobe Acrobat • Adobe Reader • Apple iTunes • Apple QuickTime • Adobe Flash Player • Adobe Shockwave Player • Mozilla Firefox • RealPlayer • Skype • Oracle Java Runtime Environment • WinAmp • WinZip
…and operating system patches
Patch Management for Windows now supports non-security updates, specifically critical updates and service packs for the Microsoft Windows product family
Patch Overview Dashboard
IBM Endpoint Manager License Overview
§ Remote Control
§ OS Deployment
§ TPMfOSD
Lifecycle Management
Security & Compliance
§ Platform
§ Asset Discovery
§ Patch Management
§ Inventory
§ SW Distribution
Lifecycle Management Starter Kit
Patch
Power
§ Power
§ Platform
§ Asset Discovery SUA
§ Software Usage
§ Platform
§ Asset Discovery
§ Inventory
Core Protection
§ Platform
§ Core Protection
MDM § MDM
§ Platform
• DP Add-On
Server Automation
§ SA Add-On
§ Asset Discovery
§ CM for Endpoint Protection
§ Network Self Quarantine
§ Security Configuration
§ Vulnerability Management
§ DSS SCM
Security & Compliance Starter Kit
IBM Endpoint Manager elements
Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)
Single server and console
• Highly secure, highly available
• Aggregates data, analyses and reports
• Manages up to 250K endpoints per server
Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms
Virtual infrastructure
• Designate Endpoint Manager agents as a relay or discovery point in minutes
• Provides built-in redundancy
• Leverages existing systems/shared infrastructure
Closed Loop Speed is Our Advantage
Report Publish
Evaluate
Traditional Solutions TEM Software Policies
Evaluate Enforce
Publish Report
Challenge Traditional client/server tools TEM Platform Complete the policy enforcement loop
Everything is controlled by the server, which is slow
A new way to do systems and security management
Increase the accuracy and speed of your knowledge
It can take days to accurately close the enforcement loop
Policy enforcement is accomplished and proven in minutes instead of days
Scalability cannot be attained without large infrastructure investments
Administrators are still managing tools instead of being productive
Distributed processing means scalability is unlimited
Adjust system policies depending on environment, location
Scan-based assessment, leading to stale data false sense of awareness
Real-time situational awareness
Decide
Evaluate
Enforce
Decide