The Evolving Security Landscape Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com


© Copyright 2010 Nemertes Research

Agenda

- About Nemertes
- Security and Compliance Trends
- Technology Overview and Business Drivers
- Conclusion and Recommendations


Nemertes: Bridging the Gap Between Business & IT

- Quantifies the business impact of emerging technologies
- Conducts in-depth interviews with IT professionals
- Advises businesses on critical issues such as:
  - Unified Communications
  - Social Computing
  - Data Centers & Cloud Computing
  - Security
  - Next-generation WANs
- Cost models, RFPs, Architectures, Strategies


Security and Compliance Trends


Security and Compliance Outlook

[Timeline figure; periods: 1990-2000, 2001-2009, 2010-2011+. Labels on the figure:]

- Amended FRCP
- Breach Notification; National Breach Disclosure
- HITECH; PCI-DSS; HIPAA, GLBA, Sarbanes Oxley
- Organized Cybercrime; Hacking for Fun and Fame; Cyber Warfare
- RISE OF THE BOTNETS/DDOS; Silent BOTNETS; DOS
- Worms/Trojans; Polymorphic Attacks/Malware; Viruses
- XSS and SQL Injection; Website Defacement; Website defacement
- Phishing/Identity Theft


De-Perimeterization

- Is that a word?
- No, but it’s happening anyway!
- You used to have “The Internet Connection” and “The Firewall”
- We are rapidly moving to ubiquitous connectivity and mobility
- The Internet is everywhere! There is no INSIDE and OUTSIDE in your network


The Changing End-User Landscape

- Employee personal use of technology influences IT decisions for 46% of organizations
- About 67% of organizations have a formal telework policy
- iPhone already target of attacks against known vulnerabilities
- Mobile devices are a significant data loss risk
- The line between personal and work computing is blurring


Security by Location

- Most security today is LOCATION-CENTRIC
- Servers and desktops are becoming virtual
- Firewalls, VLANs, ACLs, IP Addresses – Locations
- Location should not be the foundation of your security policy!


Compliance on the Rise

- If Enron gave us Sarbanes-Oxley, what will 100x Enron give us?
- Legislation to pass a national breach disclosure law
- HITECH Act adds more teeth to HIPAA
- PCI-DSS is driving security behavior
- Compliance drives security spending for 37% of organizations
- Compliance requirements will get more prescriptive with sharper teeth


Data-Centric Security

- Data-centric means INSPECTING and PROTECTING the data
- Regardless of where it is
- Anti-malware inwards, data leakage outwards
- Content inspection
- Encryption
- Fingerprinting
- Digital certificates
- Security meta-data

[Image text: ALL DATA SUBJECT TO SEARCH]


Technology Overview and Business Drivers


Technology Architecture & Evolution

[Architecture diagram; labels: Application and Endpoint, Network Security, Virtualized Security, Management, PKI, Application Policy, Identity Mgt, Incident and Event Mgt, Network Mgt, Identity Layer, Data Encryption and Inspection, Application Security]


Cyber Crime

A coordinated approach to cyber crime:

- People
  - Education about phishing, malware and detection of social engineering
- Process
  - Password management, user account deprovisioning, privileged user management, alert notification process and incident response
- Technology
  - Web application firewall, endpoint protection (AV, anti-malware), email scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multi-factor authentication and physical security


Anti-Malware

- Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid
- White/Black listing is becoming obsolete. A “good” web page can turn “bad” and then back to “good” before the next scan
- Anti-malware – Worms, viruses and trojans are stealthier than ever, vastly more numerous and proliferate mainly via web pages
  - Botnets, buffer overflow, cross-site scripting, SQL injections, invisible iFrames


Identity Management

© Nemertes Research 2009 www.nemertes.com 1-888-241-2685 DN045715

- Identity is the foundation of trust
- Three key identity management areas
  - User management, Authentication management, Authorization management
- Most organizations have a scattered collection of directories and controls.
- Evolving standards
  - SAML – Secure Assertion Markup Language: Single Sign-on (SSO)
  - XACML – eXtensible Access Control Markup Language: least privilege
  - OAuth – Open Authentication: sharing data between clouds


Regulatory Compliance

- Compliance is typically a component of governance, risk management and compliance (GRC)
- The most onerous compliance requirement is privacy protection:
  - HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002)
- Compliance requires adoption, implementation, verification and auditing of security best practice
- Look for security products that include compliance templates to ease the selection of controls and procedures


Data Loss Prevention

Multiple approaches to Data Loss Prevention (DLP):

| Approach | Advantage | Disadvantage |
|---|---|---|
| Endpoint | Local knowledge and offline protection | Requires install on every machine and susceptible to malware |
| Appliance | Global knowledge, dedicated performance and hardened device | No protection for offline machines and no local USB support |
| Cloud | No hardware/software investment and support for mobile and teleworkers | No local protection and leaks are caught in the cloud rather than inside the firewall |


e-Discovery

- The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in 2006.
  - “produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information - including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data in any medium from which information can be obtained - translated, if necessary, by the respondent into reasonably usable form.”
- Warning! Voicemail is discoverable – ramifications for unified messaging
- The scope of electronically stored information (ESI) requires use of e-discovery tools to locate, categorize, copy and manage retention
- Safe Harbor provision protects inadvertent deletion


Virtualization Security

- Virtualization reduces defense in depth requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware
- Adoption of virtualization security is low with less than 10% of organizations deploying today
- Compliance will drive virtualization security adoption
  - Requires prescriptive guidance
- All major security vendors will have VirtSec products in 2010

[Diagram; labels: Physical Network Infrastructure, Strong perimeter Defense, Virtualization Security, New Defense in Depth, Virtualized Network, Physical Legacy Systems, Virtualized Storage, IaaS, PaaS, SaaS]


Cloud Security

- Cloud computing adoption is < 1% of organizations
  - Security and compliance issues
- Top concerns of cloud computing:
  - Service provider lock-in
  - Compliance risks
  - Isolation failure
  - Undetected breaches
  - Data location
- Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location


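Enabling Technologies

Column groups on the slide: Risks Addressed, Business Drivers

| Technology | Insider Threat | Malware | Data Leakage | Compliance | Agility | Mobility |
|---|---|---|---|---|---|---|
| Network Security | ● | ● | ● | ● | ● | ● |
| Content Inspection | ● | ● | ● | ● | ● | ● |
| Encryption | ● | ● | ● | ● | ● | ● |
| Security Information And Event Management | ● | ● | ● | ● | ● | ● |
| OS Security | ● | ● | ● | ● | ● | ● |
| Identity And Authentication | ● | ● | ● | ● | ● | ● |
| Application Security | ● | ● | ● | ● | ● | ● |
| Virtualized Security | ● | ● | ● | ● | ● | ● |
| Security As A Service | ● | ● | ● | ● | ● | ● |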


Conclusion and Recommendations


What Should You Be Doing?

- Urgent: Act Now
  - Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage.
- Short-Term Plans
  - Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year.
- Long-Term Plans
  - Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years.
- Specific Needs
  - Technology is relevant for certain companies. Implementation is case-by-case, depending on industry or size.


Security Roadmap

Urgent: Act Now

- Move Security Up the Stack
- Implement Identity Infrastructure
- Implement DLP
- Implement Encryption
- Review employee security training


Security Roadmap

Short-Term Plans

- Assess compliance issues
- Evaluate e-discovery preparedness
- Centralize and protect logs
- Implement SIM/SEM
- Outsource Specialized Functions


Security Roadmap

Long-Term Plans

- Evaluate OS choices
- Harden OS
- Implement Application Security
- Implement Virtualized Security
- Prepare for de-perimeterization
- Prepare for continuous mobility


Conclusions and Recommendations

- Perimeters are melting away
- Ubiquitous data and people need ubiquitous security
- Threats from organized crime and giant botnets
- Identity-centric and data-centric security is the future
- Defense-in-depth
  - Network security
  - Endpoint security
  - OS security
  - Application security
  - Security information and event management


Thank You

Andreas M Antonopoulos, SVP & Founding Partner