Making Security Work—Implementing a Transformational Security Program

Brent Comstock

SCT06S

SECURITY

Group Vice President – Identity, Access and Data Protection Strategy, SunTrust Banks

COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED #CAWORLD #NOBARRIERS

For Informational Purposes Only: Terms of this Presentation

© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Abstract

Recent newsworthy data breaches have business and IT leaders asking, “Are we learning from the mistakes of others?” In an ever-increasing threat environment, security leaders face mounting pressures to deliver effective security capabilities that protect business assets while balancing budgets, security risks and regulatory issues.

SunTrust has started the journey of transforming security capabilities. This session will explore the driving factors that resulted in SunTrust re-evaluating its identity, access and information security program. Furthermore, it will explore the key inputs and building blocks of what it is looking to establish in its program and the people, processes and technologies that will be required to achieve this vision.

Brent Comstock, SunTrust Banks, Group VP - Identity, Access and Data Protection Strategy

The thoughts, views and opinions I express are my own. None of these statements should be considered to represent my employer, SunTrust Banks, Inc. in any way.

Why I’m Here Today

1. The Weather Outside is Frightful…
2. We’re Not in Kansas Anymore
3. Break the Mold
4. The Fork in the Road
5. From the Inside Out

The Weather Outside is Frightful…

Exploited privileged user accounts are the common thread of most data breaches*

*2017 Verizon Data Breach Investigations Report

“Looking back at the breaches that have happened in the recent past and looking ahead to GDPR, … it’s clear that security continues to be critically important.”

Mike Gregoire, Q2 2018 Earnings Conference Call, October 25, 2017

The Problem: There are large numbers of users, environments and end points to patch, secure and manage, all with changing security profiles over time.

The workload is overwhelming.

After CA World, You Return Home…

Enlightened…

Energized…

Enthused…

And pretty freaked out!

We’re Not in Kansas Anymore

So Where Are We?

Break the Mold

We protect what’s important to us.

How we provide that protection has to change.

The Fork in the Road

Level of effort? Budget? Time?

• Align with Significant Company Initiatives
• Establish Security capabilities quickly
• “Fix” existing platforms
  • Upgrade
  • Address Process gaps

Can current technology and processes be adequately improved?

From the Inside Out

Formula for Change:

• Discover & unlock WHY
• Impact Leadership
• Execute with Advocates
• Organizational Culture Change

Discover & Unlock WHY

IAM – Focus & Objectives

Creation of Identity credentials, knowledge of high-risk assets and the associated Access grants & controls are essential to effective Security in this time of unprecedented threats. IAM and Data Protection capabilities are highly interdependent.

Focus

The top areas of IAM focus include: a) acquire modern identity management capabilities, b) gain visibility into movement of data and usage of cloud services, c) gain insights into users’ behavior, d) define roles and responsibilities and e) adhere to regulatory requirements.

Objectives

Mitigate enterprise cyber risks and transition to proactive detection of control failures by implementing effective capabilities & controls for access to company assets:

• Simplify, standardize and automate IAM functions across the enterprise
• Utilize asset risk scoring to focus on securing the highest-risk assets first
• Invest in people, processes, and technologies to better monitor and detect malicious activity
• Define and implement roles and responsibilities for IAM framework execution, including increased Business engagement and accountability
• Secure privileged accounts: servers, databases, applications, domains, devices, service accounts
• Integrate user behaviors associated with access and data movement with all our environments to detect threats and suspicious behaviors
• Enhance capabilities to secure connections & data movement to the cloud and 3rd parties

Impact Leadership

IAM & Data Protection Scope

Given the growth of cyber threats, the value of the data and transactions that we protect continues to increase. We must evolve our IAM practices to include deeper partnership and a “One Team” approach for “Modern IAM” that is much more intelligent, agile and transparent.

Cloud & Emerging Technologies: ‘Modern IAM’ is a foundational tenet to enable the business to benefit from emerging technologies such as the Cloud and the Internet of Things (IoT). Modern IAM capabilities are faster, more secure and more efficient in transitioning applications and infrastructure to the cloud.

IAM Scope by Asset Type:

Applications enable business functions and meet access risk objectives through roles, entitlements, and permissions. They are managed by traditional IAM solutions and are the company asset type that has the most mature access controls.

End Users and Devices are at the center of business functions. Ease of use must be balanced by the necessity to protect company assets. The increased scale from the growing use of mobile devices stretches traditional IAM practices and capabilities.

Data is stored in a variety of formats and locations, and is growing rapidly. This growth is compounded by End User compute environments (e.g., file shares, SharePoint) which are not currently managed and protected using traditional IAM practices and capabilities.

Big Data (i.e. Atlas Data Lake) environments combine data from numerous sources. The complexity of defining access permissions to voluminous, diverse, and sensitive information environments is not scalable using currently available IAM access models and technology.

Execute With Advocates

Why Are Advocates Essential?

• With limited resources and reach, you can tap into the energy of passionate employees. They have knowledge and insight.
• These employees become the eyes and ears on the ground and help to drive change from within their teams.
• This feeling of ownership, responsibility and influence creates engagement across the organization.
• By building direct relationships with different parts of the business, you can find out so much more through two-way communications.
• By keeping our advocates informed of the latest news and views around security, you make them smarter and, by proxy, their teams too!

Security is a team sport… engage the rest of the team.

Organizational Culture Change

Engage the Team (Example): Data Lake Domain Work Area (Zone 2)

Diagram: Domain Users → Domain Role → Security Group → Data Asset (three Data Assets shown)

Roles and responsibilities:

Domain Owner (Domain Team Manager)
• “Owns” Domain
• Requests New Domain Roles
• Designate Role Champion
• Develop Data Source Access Requirements *

Role Champion (Domain Role Owner)
• Approve User Access to Role
• Attest to Role and User Access Annually
• Validation of Role Data Source Access Annually

Data Access Owner (Source Data Owner(s))
• Approve Role Creation
• Approve Data (not user) Access for Role

Data SME (Data Management Manager or Analyst)
• Identify & Validate Sensitive Data for Data Sources

Data Lake Setup (Data Lake Operations)
• Configure user on Data Lake
• Configure data access

Provisioning Facilitator (Analytics Enablement)
• Facilitate Onboarding & Data Access
• Document & Maintain Role Definition
• Request Data Group Setup

Security Team Tasks
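As an added example that is not part of the presentation or of any SunTrust tooling, the Python sketch below encodes the approvals on this slide so their interaction can be tested: a Domain Owner requests a role and names its Role Champion, a Data Access Owner approves data (not user) access, the Role Champion approves users and attests annually, and a user's effective access is the union of approved assets across roles whose attestation is still current. Every person, domain, security group, data asset and date is constructed for the example.

```python
# Added example: toy model of the slide's data-lake access workflow.
# All names, domains, assets and dates are constructed, not from the deck.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Set

ATTESTATION_PERIOD = timedelta(days=365)  # the slide calls for annual attestation


class ApprovalError(Exception):
    """An approval attempted by someone other than the role the slide assigns it to."""


@dataclass
class DomainRole:
    name: str
    domain: str
    security_group: str                   # group the role maps to on the lake
    champion: str                         # Role Champion designated by the Domain Owner
    approved_assets: Set[str] = field(default_factory=set)  # Data Access Owner approvals
    members: Set[str] = field(default_factory=set)          # users the champion approved
    last_attested: Optional[date] = None                    # champion's last attestation


class DataLakeAccessModel:
    def __init__(self, domain_owners: Dict[str, str], data_owners: Dict[str, str]):
        self.domain_owners = domain_owners  # domain -> Domain Owner (Domain Team Manager)
        self.data_owners = data_owners      # data asset -> Data Access Owner (Source Data Owner)
        self.roles: Dict[str, DomainRole] = {}

    def request_role(self, requester, name, domain, security_group, champion):
        """Domain Owner requests a new Domain Role and designates its Role Champion."""
        if self.domain_owners.get(domain) != requester:
            raise ApprovalError(f"{requester} does not own domain {domain}")
        self.roles[name] = DomainRole(name, domain, security_group, champion)

    def approve_data_access(self, approver, role_name, asset):
        """Data Access Owner approves data (not user) access for the role."""
        if self.data_owners.get(asset) != approver:
            raise ApprovalError(f"{approver} is not the data owner of {asset}")
        self.roles[role_name].approved_assets.add(asset)

    def approve_user(self, approver, role_name, user):
        """Role Champion approves a user's membership in the role."""
        role = self.roles[role_name]
        if role.champion != approver:
            raise ApprovalError(f"{approver} is not the champion of {role_name}")
        role.members.add(user)

    def attest(self, attester, role_name, when: date):
        """Role Champion attests to the role's users and data sources."""
        role = self.roles[role_name]
        if role.champion != attester:
            raise ApprovalError(f"{attester} is not the champion of {role_name}")
        role.last_attested = when

    def attestation_overdue(self, role_name, today: date) -> bool:
        role = self.roles[role_name]
        return role.last_attested is None or today - role.last_attested > ATTESTATION_PERIOD

    def overdue_roles(self, today: date):
        """Roles the champion has not attested within the period (a review queue)."""
        return sorted(n for n in self.roles if self.attestation_overdue(n, today))

    def effective_access(self, user, today: date) -> Set[str]:
        """Assets a user may read: only through roles with a current attestation."""
        assets: Set[str] = set()
        for role in self.roles.values():
            if user in role.members and not self.attestation_overdue(role.name, today):
                assets |= role.approved_assets
        return assets


def build_demo() -> DataLakeAccessModel:
    """Walk the slide's workflow once with constructed names."""
    model = DataLakeAccessModel(
        domain_owners={"fraud-analytics": "bob"},                    # Domain Team Manager
        data_owners={"card_txns": "carol", "customer_pii": "dan"},   # Source Data Owners
    )
    model.request_role("bob", "fraud-analyst", "fraud-analytics", "sg-fraud-analyst", "alice")
    model.approve_data_access("carol", "fraud-analyst", "card_txns")
    model.approve_user("alice", "fraud-analyst", "erin")
    model.attest("alice", "fraud-analyst", date(2017, 11, 15))
    return model


def demo_results() -> dict:
    """Evaluate the demo before and after the annual attestation lapses."""
    model = build_demo()
    return {
        "access_2018": model.effective_access("erin", date(2018, 6, 1)),
        "access_2019": model.effective_access("erin", date(2019, 1, 1)),
        "overdue_2019": model.overdue_roles(date(2019, 1, 1)),
    }


if __name__ == "__main__":
    print(demo_results())
```

The point the model makes explicit is that no single person can grant a user data: the Domain Owner cannot approve data access, the Data Access Owner never sees individual users, and a role the champion stops attesting silently stops conferring access instead of lingering as stale entitlement.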


Landing the Plane

None of us is as smart as all of us.

People cannot help but resist change. It’s in our DNA to want to remain with known approaches.

Those who resist improved security aren’t crazy, they’re human.

“People don’t buy what you do, they buy why you do it.”

Simon Sinek

No one can tell us what “right” looks like, because of experience & perspectives. Your Advocates will help fuel the cultural change. Empower them.

Questions?

Stay connected at communities.ca.com

Thank you.

Security

For more information on Security, please visit: http://cainc.to/CAW17-Security