
IT Security Risks


demont




  1. IT Security Risks

  2. Introduction
  IT security threats are a growing reality
  • Everyone is at risk - governments, corporations, individuals
    Governments: Foreign Policy, National Security, Domestic Programs
    Corporations: Financial, HR/Employee, Intellectual Property
    Individuals: Financial, Medical, Personal

  3. Recent Breaches
  A sampling of some recent high-profile activity (all from early 2011) makes the point:
  27 Apr – Sony PlayStation Network Hacked, 77m Accounts At Risk
  16 Apr – Internet Mistake Reveals UK Nuclear Submarine Secrets
  15 Apr – Texas Comptroller Exposes Personal Data On Millions
  04 Apr – Targeted Attacks Expected After Massive Epsilon Email Breach
  30 Mar – Australian PM Computers Hacked, Chinese Attack Suspected
  24 Mar – European Commission Hit By Cyberattack
  18 Mar – Hackers Breach EMC Security Division, RSA SecurID Tokens
  07 Mar – Hackers Attack French Govt Computers Seeking G20 Secrets
  17 Feb – Chinese-Based Cyberattack On Key Canadian Departments

  4. What’s At Stake
  Control Over Digital Assets
  • Control over how these assets are used
  • Control over who has access to these assets (my focus today)
  The Costs Of Losing Control Are Not Theoretical
  • Non-financial costs are significant (reputation/credibility), e.g., Wikileaks, Google users in China, identity theft
  • Financial costs are staggering (lost revenues/customers)
  • In the US (2010) an average corporate breach cost $7.2 million ($214/record)
  • In the UK (2010) an average corporate breach cost £1.9 million (£71/record)

  5. The Nature of the Threats
  Errors:
  • Unintentional or unrecognised breakdowns in security
  • System design errors, e.g., insecure hardware/software, faulty configurations
  • Procedural errors, e.g., insufficient security policies, ineffectual implementation
  • Human errors, e.g., the lost-laptop problem
  Attacks:
  • Unauthorised access to systems and assets
  • Vandalism, e.g., denial of service
  • Cybercrime, e.g., criminal intrusion, employee retaliation
  SUCCESSFUL ATTACKS REQUIRE ERRORS

  6. Three Ways To Confront IT Security Risks
  Rule #1: PROTECT THE DATA ITSELF
  • Assume that the system will be compromised
  • Notwithstanding all other protections, assume environmental or procedural failure
  • Encrypt all high-value data assets, so that a copy is unusable to anyone who does not also hold the key
  CONTAIN EXPOSURE BY MAKING THE DATA UNUSABLE

  7. Three Ways To Confront IT Security Risks
  Rule #2: EMPLOY FINE-GRAINED ACCESS CONTROL
  • Assume that the system will be compromised
  • Control access over all steps in the path to digital assets
  • Discrete access control over the system, apps, functions, keys, data (once data is encrypted, the keys are the assets that matter most)
  • Need-To-Share requires Need-To-Know criteria to control access
  CONTAIN EXPOSURE BY MANAGING ACCESS

  8. Three Ways To Confront IT Security Risks
  Rule #3: IMPLEMENT COMPREHENSIVE AUDIT PROCESSES
  • Assume that the system will be compromised
  • Maintain audit over all paths to the digital assets and over all activity with the assets themselves
  • Look over everyone’s shoulder all the time
  • Adopt centralised audit to enable standardised, real-time oversight
  CONTAIN EXPOSURE WITH FORENSIC-LIKE TRACKING

  9. Applying The Rules – Two Everyday Examples
  Rule #1: PROTECT THE DATA ITSELF
  Rule #2: EMPLOY FINE-GRAINED ACCESS CONTROL
  Rule #3: IMPLEMENT COMPREHENSIVE AUDIT PROCESSES
  Example 1 (Rules 1, 2, and 3): Protecting Files Outside The Trusted Environment
  Example 2 (Rules 2 and 3): Securing Access To Network & Cloud Services

  10. Protecting Files Outside The Trusted Environment
  The Requirement:
  • Sensitive files must be accessed away from the office, e.g., off-site work at a remote customer location, or employees working at home
  • Remote access back into the trusted environment is prohibited
  An Unfortunately Common Occurrence:
  • The sensitive file is copied in the clear onto a mobile device, e.g., a laptop or USB drive
  • The mobile device is physically transported outside the trusted environment
  • This commonly employed formula for disaster can easily lead to:
  COMPLETE LOSS OF CONTROL OVER THE DIGITAL ASSETS

  11. Protecting Files Outside The Trusted Environment
  A Solution Employing The Rules
  Within The Trusted Environment, prepare the digital file:
  • Encrypt the file
  • Manage access to the encryption key (the key stays in the trusted environment; only the encrypted copy travels)
  • Audit everything
  From Any Remote Location, retrieve the digital file:
  • Authorise access for the remote user
  • Retrieve the encrypted file, retrieve the decryption key
  • Audit everything
  CONTROL OVER THE DIGITAL ASSET IS MAINTAINED
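The prepare/retrieve flow above, as an added example that is not part of the original presentation: a Go program in which a key service inside the trusted environment encrypts a file under a fresh per-file AES-256-GCM key (Rule #1), releases that key only to principals on the file's access list (Rule #2), and writes every protect and key-release request, granted or denied, to a central audit trail (Rule #3). The names KeyService, ReleaseKey and Open, the file q3-forecast.xlsx and the principals it-admin, alice and mallory are constructed for illustration; a production deployment would authenticate the remote user and keep the keys in an HSM or KMS rather than an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one record in the central audit trail (Rule #3).
type AuditEntry struct {
	When                               time.Time
	Principal, Action, Object, Outcome string
}

// KeyService stays inside the trusted environment: per-file data keys plus the principals cleared to fetch them (Rule #2).
type KeyService struct {
	keys   map[string][]byte          // fileID -> 32-byte AES-256 key
	access map[string]map[string]bool // fileID -> authorised principals
	Audit  []AuditEntry
}

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string][]byte{}, access: map[string]map[string]bool{}}
}

func (ks *KeyService) log(principal, action, object, outcome string) {
	ks.Audit = append(ks.Audit, AuditEntry{time.Now().UTC(), principal, action, object, outcome})
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts the file under a fresh random key (Rule #1) and keeps the key in the service.
// The output, nonce || ciphertext || tag, is useless without the key and can travel on any laptop or USB drive.
func (ks *KeyService) Protect(owner, fileID string, plaintext []byte, allowed ...string) ([]byte, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// The file ID is bound as additional data, so a ciphertext cannot be re-labelled as another file.
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(fileID))
	ks.keys[fileID] = key
	ks.access[fileID] = map[string]bool{}
	for _, p := range allowed {
		ks.access[fileID][p] = true
	}
	ks.log(owner, "protect", fileID, "ok")
	return sealed, nil
}

// ReleaseKey is the only way a key leaves the service: deny by default, and every request, granted or refused, is audited.
func (ks *KeyService) ReleaseKey(principal, fileID string) ([]byte, error) {
	if ks.access[fileID][principal] { // an unknown fileID yields a nil map, which reads as false
		ks.log(principal, "release-key", fileID, "granted")
		return ks.keys[fileID], nil
	}
	ks.log(principal, "release-key", fileID, "denied")
	return nil, errors.New("access denied")
}

// Open runs at the remote location: obtain the key (the authorisation check happens in the service), then decrypt and verify.
func Open(ks *KeyService, principal, fileID string, sealed []byte) ([]byte, error) {
	key, err := ks.ReleaseKey(principal, fileID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(fileID))
}

func main() {
	ks := NewKeyService()
	// Constructed sample file: alice is cleared to read it, mallory is not.
	sealed, _ := ks.Protect("it-admin", "q3-forecast.xlsx", []byte("revenue forecast: confidential"), "alice")
	_, denied := Open(ks, "mallory", "q3-forecast.xlsx", sealed)
	pt, _ := Open(ks, "alice", "q3-forecast.xlsx", sealed)
	fmt.Printf("mallory: %v\nalice: %s\naudit trail: %d entries, last: %+v\n", denied, pt, len(ks.Audit), ks.Audit[len(ks.Audit)-1])
}
```

The point of the split is that the laptop only ever holds the sealed bytes; losing it loses nothing usable, and every attempt to turn those bytes back into the file passes through ReleaseKey, where the access list and the audit trail live. Because the file ID is authenticated as GCM additional data, a sealed file cannot be presented under a different ID to borrow a more permissive access list.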

  12. Securing Network & Cloud Services
  The Requirement:
  • Replace legacy applications with a broad array of Network & Cloud services
  The IT Security Challenge:
  • Access control over numerous disparate services provided by a multitude of unaffiliated vendors
  • Little or no uniformity in access control processes/capabilities across services/vendors
  • Extreme complexity and cost in managing access at the individual service level
  An Unfortunately Common Occurrence:
  • Proceed with Network & Cloud initiatives, skip over the access control problem for now
  • Don’t design access control into the solution, slap it on later (if we get hacked)

  13. Securing Network & Cloud Services
  A Solution Employing The Rules
  Externalise Access Control From Individual Network & Cloud Services
  • Centralise access control functions
  • Relieve individual services of access control administration
  • Avoid the complexity/costs of managing access control at the individual service level
  Implement Comprehensive, Fine-Grained Access Control
  • Control access to all Network & Cloud services & components
  • Adopt a centralised “War Room” approach controlling who-gets-at-what
  Implement Comprehensive Audit Of All Activity
  • Standardised, real-time oversight of access
  ACCESS CONTROL TO NETWORK & CLOUD SERVICES IS MAINTAINED
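The externalised access-control design above, as an added example that is not part of the original presentation: a Go sketch of a central policy decision point (PDP) that unrelated services call instead of keeping their own access lists. Every service asks the same question, every answer is deny-by-default and lands in one uniform audit trail, and revoking a principal centrally shuts them out of all services at once with no per-service administration. The role and rule model, the service names crm, mail and storage, and the principals alice and bob are constructed for illustration; a real deployment would authenticate callers (e.g. through federated SSO) before consulting the PDP, which this sketch leaves out.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Request is the one question every service puts to the central decision point,
// whatever its own native access model: may this principal do this action here?
type Request struct {
	Principal, Service, Resource, Action string
}

// Rule grants one role one action within one service on resources under a prefix.
type Rule struct {
	Role, Service, ResourcePrefix, Action string
}

// Decision is the uniform audit record written for every request to every service.
type Decision struct {
	When    time.Time
	Req     Request
	Allowed bool
	Reason  string
}

// PDP is the central "war room": roles, rules and the audit trail live here,
// not inside the individual services.
type PDP struct {
	roles map[string][]string // principal -> roles
	rules []Rule
	Audit []Decision
}

func NewPDP(roles map[string][]string, rules []Rule) *PDP {
	return &PDP{roles: roles, rules: rules}
}

// Decide is deny-by-default: the request passes only if some rule matches one of
// the principal's roles. Allowed or refused, the decision is audited.
func (p *PDP) Decide(r Request) bool {
	allowed, reason := false, "no matching rule"
	for _, role := range p.roles[r.Principal] {
		for _, rule := range p.rules {
			if rule.Role == role && rule.Service == r.Service && rule.Action == r.Action &&
				strings.HasPrefix(r.Resource, rule.ResourcePrefix) {
				allowed, reason = true, fmt.Sprintf("role %q matched %+v", role, rule)
			}
		}
	}
	p.Audit = append(p.Audit, Decision{time.Now().UTC(), r, allowed, reason})
	return allowed
}

// Revoke removes a principal from every role; every service refuses it on the
// next request with no per-service administration.
func (p *PDP) Revoke(principal string) { delete(p.roles, principal) }

// Guard wraps a service handler so the service carries no access logic of its own:
// the PDP decides, the handler runs only when the decision is yes.
func Guard(p *PDP, service string, handler func(resource, action string) string) func(principal, resource, action string) string {
	return func(principal, resource, action string) string {
		if !p.Decide(Request{principal, service, resource, action}) {
			return "403 forbidden"
		}
		return handler(resource, action)
	}
}

func main() {
	// Constructed policy: a sales role and a finance role spanning three unrelated services.
	pdp := NewPDP(
		map[string][]string{"alice": {"sales"}, "bob": {"finance"}},
		[]Rule{
			{"sales", "crm", "accounts/", "read"},
			{"sales", "mail", "mailbox/", "read"},
			{"finance", "storage", "bucket/finance/", "write"},
		},
	)
	echo := func(resource, action string) string { return "200 " + action + " " + resource }
	crm, storage := Guard(pdp, "crm", echo), Guard(pdp, "storage", echo)
	fmt.Println(crm("alice", "accounts/acme", "read"))
	fmt.Println(storage("alice", "bucket/finance/ledger", "write"))
	pdp.Revoke("alice")
	fmt.Println(crm("alice", "accounts/acme", "read"))
	for _, d := range pdp.Audit {
		fmt.Printf("%s %-6s %-8s %-22s %-5s allowed=%t (%s)\n", d.When.Format(time.RFC3339),
			d.Req.Principal, d.Req.Service, d.Req.Resource, d.Req.Action, d.Allowed, d.Reason)
	}
}
```

Adding a fourth vendor's service is a new Rule entry and one Guard call, not a new access-control implementation, and the audit format is identical whether the request hit the CRM or the storage bucket, which is what makes standardised, real-time oversight possible across vendors that share nothing else.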
