Information Security as a Business Enabler

Panos Dimitriou, MSc InfoSec, CISSP, CISM
Director, Managed Security Services

2007

Agenda

“Visualizing” Information Security

Information Security as a Business Enabler... Case Studies
– e-Banking/Business Authentication
– Identity & Access Management
– Remote Access
– Outsourcing

…Epilogue

“Visualizing” Information Security

[Slide figure; only the labels “You are here” and “Information Security” survive from the image]

Case Studies

Internet Banking and more

Banks approach Internet Banking as a Strategic Alternative Channel
– Cost reduction
– Customer reach
– Bare necessity

The first approach was to secure their own side (the Bank’s side) and leave the customer’s side as “easy” as possible (i.e. usernames & passwords).

However, after a series of incidents they realised that, in order to keep and extend their e-customer reach, they also had to secure the “client side”.

Internet Banking and more

Currently Banks give “One Time Password” Authentication Tokens
– Customers are willing to pay for them!
– Customers are less reluctant to jump on the Internet Banking bandwagon

Some Banks are going a step further and provide the good-old “ease of use” (username & passwords) without the good-old risks, by leveraging:
– Login Risk Analytics and back-end Fraud Management engines

and thus making the best of both worlds!
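The “best of both worlds” idea above, as an added example that is not part of the presentation: a minimal login risk engine that keeps username and password as the everyday factor and only steps up to a one-time password (or blocks) when an attempt scores as risky. The signals, weights, thresholds and sample device and country values are all constructed for illustration.

```python
# Added example (not from the presentation): risk-based authentication.
# Signals, weights and thresholds below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

@dataclass
class LoginAttempt:
    user: str
    device_id: str      # e.g. a browser/device fingerprint or cookie id
    country: str        # geolocated from the source address
    when: datetime

@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_country: Optional[str] = None
    last_login: Optional[datetime] = None
    failures_last_hour: int = 0

def risk_score(attempt: LoginAttempt, hist: UserHistory) -> int:
    """Sum of weighted signals; a higher score is more suspicious."""
    score = 0
    if attempt.device_id not in hist.known_devices:
        score += 30                      # never seen this device for this user
    if hist.last_country and attempt.country != hist.last_country:
        score += 25                      # country changed since the last login
        if hist.last_login and attempt.when - hist.last_login < timedelta(hours=1):
            score += 30                  # "impossible travel": two countries within an hour
    score += min(hist.failures_last_hour, 5) * 5   # recent password failures
    return score

def decide(attempt: LoginAttempt, hist: UserHistory,
           step_up_at: int = 30, block_at: int = 80) -> str:
    """Return 'allow', 'otp' (step up to a one-time password) or 'block'."""
    score = risk_score(attempt, hist)
    if score >= block_at:
        return "block"       # hand off to the fraud-management back end
    if score >= step_up_at:
        return "otp"         # password alone is not enough for this attempt
    return "allow"           # the "easy" path: username & password only
```

In practice the thresholds are tuned against the bank's own fraud data, and every decision (with its score) is logged so the back-end fraud engine can correlate attempts across customers.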

Identity & Access Management

Companies are leveraging ICT and are expanding, streamlining and optimising their business operations and functions.

However, as they expand they also end up with:
– Numerous persons to manage and even more user accounts
– More applications
– More complexity

So,
– It takes them a long time to get new starters productive
– They have to use valuable IT resources to manage accounts and passwords, when those resources could have been used to expand their IT capabilities
– It’s more difficult to ensure a secure operating environment
– …

Identity & Access Management

[Slide figure: a login form (User Name / Password) surrounded by the questions below]

Who are your users?
What do your users have access to?
What are they doing with their access?
Who approved their access?

• Lifecycle management of employees
• Extend the reach to partners, customers, vendors
• Audit & compliance

Identity & Access Management

[Slide figure: IAM architecture diagram; recoverable labels only]

Sources: Users; Feeds (e.g. HR)
Organisation; Job Descriptions; Workflows
Roles
Access Profiles
User & Access Provisioning (Out-of-the-box, APIs, Custom DB Tables, Biz Logic…)
Provisioning targets: Applications; Security Infrastructures; Database Servers; Systems (OS-level); Network Components; Data Store; Business Data & Services

Identity & Access Management

By using an IAM system they:
– Streamline and automate the user provisioning process
– Reduce costs through
  • Fewer help desk calls for trivial tasks (password resets)
  • Fewer IT personnel required for trivial tasks (provisioning) or for resource-intensive ones (Compliance)
– Enhance user productivity
– Are able to allocate their IT personnel to tasks that really matter
– Achieve business agility
  • More services to more people
  • M&As with less risk and in less time
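The HR-feed-driven provisioning flow from the architecture slide and the lifecycle questions (“who has access, who approved it?”), as an added example that is not part of the presentation: job descriptions map to roles, roles map to access profiles on target systems, and each HR event (joiner, mover, leaver) is reconciled into grant/revoke actions with an audit record naming the approver. The job titles, role names, target systems and HR records are constructed sample data.

```python
# Added example (not from the presentation): HR-feed-driven provisioning
# with an audit trail. All titles, roles and systems are constructed.

# Job description -> roles (a lookup normally maintained together with HR)
JOB_TO_ROLES = {
    "Branch Teller": {"teller"},
    "Branch Manager": {"teller", "branch-approver"},
}
# Role -> access profile: set of (target system, entitlement)
ROLE_PROFILES = {
    "teller": {("core-banking", "teller-ui"), ("ad", "grp-branch-staff")},
    "branch-approver": {("core-banking", "approve-tx"), ("ad", "grp-branch-mgmt")},
}

def entitlements_for(job):
    """Expand a job description into (system, entitlement) pairs.
    An unknown job maps to no roles, so nothing is granted by default."""
    out = set()
    for role in JOB_TO_ROLES.get(job, set()):
        out |= ROLE_PROFILES[role]
    return out

def reconcile(user, current, hr_event, approver, audit):
    """Compute the desired entitlements for one HR event and record changes.

    current  : entitlements the user holds now
    hr_event : {"status": "active" | "left", "job": <job description>}
    approver : who signed off the change (HR feed or a named manager)
    audit    : list that receives one line per grant/revoke
    Returns the new entitlement set (what the target systems should now hold).
    """
    if hr_event["status"] == "left":
        target = set()                       # leaver: everything is revoked
    else:
        target = entitlements_for(hr_event["job"])
    for system, ent in sorted(target - current):
        audit.append(f"GRANT {user} {system}:{ent} approved_by={approver}")
    for system, ent in sorted(current - target):
        audit.append(f"REVOKE {user} {system}:{ent} approved_by={approver}")
    return target

def provision(user, events, audit):
    """Replay a sequence of (hr_event, approver) pairs for a user."""
    current = set()
    for hr_event, approver in events:
        current = reconcile(user, current, hr_event, approver, audit)
    return current
```

Because the desired state is derived from the HR feed rather than from tickets, a mover loses the entitlements of the old job automatically, and the audit list answers “who approved their access?” for every entitlement ever granted.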

Remote Access

Companies need to provide Remote Access to their IT and Information resources in order to:
– Support their “road warriors” (Sales teams…)
– Resolve technical issues 24/7 in the minimum time possible
– Reduce the cost of “onsite visits” by third-party service providers
– Support their teleworkers
– …

However, when they think about the risks they are a bit reluctant to give such access.

So, they usually:
– Minimize the services available
– Introduce cumbersome manual processes

Or, in other words, they lose half of the benefits without reducing the corresponding risks accordingly.

Remote Access

Advanced RAS Infrastructures can address all the concerns:
– Ensure authorised access to only the resources allowed
– Ensure complete auditability of authorised users’ actions on systems and data
– Ensure critical data containment
– …

And thus allow companies to provide the entire range of required services
– Quickly, in a standardized fashion, securely
– And get the full potential of RAS

Outsourcing

Outsourcing is a main trend for modern enterprises
– Collection Agencies
– Call Centers
– Printing Houses
– Software Development
– IT Operations
– …

However, just as in the case of RAS, when companies think about the security risks and the corresponding regulatory compliance they become more reluctant to follow the trend.

Outsourcing

Leading international companies are currently using Data Leak Prevention systems to achieve accountability & control over outsourcers and the corresponding data access and processes.

Epilogue

We have to approach Information Security as a Business Enabler.

We have to see Info Sec as the “railing” on our balcony that enables us (our company) to go to the edge

…without being at risk of “crashing” at the smallest wrong step.

Epilogue

[Slide figure with the labels: Security; Ease-of-use, Flexibility…; Cost]

www.encodegroup.com