Information Security as a Business Enabler
Panos Dimitriou, MSc InfoSec, CISSP, CISM
Director, Managed Security Services
2007
Agenda
- Visualizing Information Security
- Information Security as a Business Enabler... Case Studies
  - e-Banking/Business Authentication
  - Identity & Access Management
  - Remote Access
  - Outsourcing
- Epilogue
Visualizing Information Security
[Figure labels: "You are here", "Information Security"]
Internet Banking and more
- Banks approach Internet Banking as a Strategic Alternative Channel
  - Cost reduction
  - Customer Reach
  - Bare necessity
- The first approach was to secure their side (the Bank's side) and leave the customer's side as easy as possible (i.e. usernames & passwords)
- However, after a series of incidents they realised that, in order to keep and extend their e-customer reach, they also had to secure the client side
Internet Banking and more
- Currently Banks give One-Time Password Authentication Tokens
  - Customers are willing to pay for them!
  - Customers are less reluctant to jump on the Internet Banking bandwagon
- Some Banks are going a step further and provide the good old ease of use (usernames & passwords) without the good old risks, by leveraging:
  - Login Risk Analytics and
  - back-end Fraud Management engines
- and thus making the best of both worlds!
Identity & Access Management
- Companies are leveraging ITC and they are expanding, streamlining and optimising their business operations and functions
- However, as they expand, they end up with numerous persons to manage and even more user accounts
  - More applications
  - More complexity
- So:
  - It takes them a long time to get new starters productive
  - They have to use valuable IT resources to manage accounts and passwords, when these could have been used to expand their IT capabilities
  - It's more difficult to ensure a secure operating environment
Identity & Access Management
- Who are your users?
- What do your users have access to?
- What are they doing with their access?
- Who approved their access?
- Lifecycle management of employees
- Extend the reach to partners, customers, vendors
- Audit & compliance
Identity & Access Management
By using an IAM system they:
- Streamline and automate the user provisioning process
- Reduce costs, because
  - Fewer help desk calls are made for trivial tasks (password resets)
  - Fewer IT personnel are required for trivial tasks (provisioning) or for resource-intensive ones (Compliance)
- Enhance User Productivity
- Are able to allocate their IT personnel to tasks that really matter
- Achieve Business Agility
  - More services to more people
  - M&As with less risk and in less time
Remote Access
- Companies need to provide Remote Access to their IT and Information resources in order to:
  - Support their road warriors (Sales teams)
  - Resolve technical issues 24/7 in the minimum time possible
  - Reduce the cost of onsite visits from third-party service providers
  - Support their teleworkers
- However, when they think about the risks they are a bit reluctant to give such access
- So, they usually:
  - Minimize the services available
  - Introduce cumbersome manual processes
- In other words, they lose half of the benefits without reducing the corresponding risks accordingly
Remote Access
- Advanced RAS Infrastructures can address all the concerns:
  - Ensure authorised access to only the resources allowed
  - Ensure complete auditability of authorised users' actions on systems and data
  - Ensure critical data containment
- And thus allow companies to provide the entire range of required services
  - Quickly, in a standardized fashion, securely
- And get the full potential of RAS
Outsourcing
- Outsourcing is a main trend for modern enterprises
  - Collection Agencies
  - Call Centers
  - Printing Houses
  - Software Development
  - IT Operations
- However, just as in the case of RAS, when companies think about the security risks and the corresponding regulatory compliance they become more reluctant to follow the trend
Outsourcing
- Leading international companies are currently using Data Leak Prevention systems to achieve Accountability & Control over Outsourcers and the corresponding data access and processes
Epilogue
- We have to approach Information Security as a Business Enabler
- We have to see Info Sec as the railing on our balcony that enables us (our company) to go to the edge without the risk of crashing at the smallest wrong step