Security Trends in the Commercial World - PowerPoint PPT Presentation

Provided by: gtiscGate

Transcript and Presenter's Notes

Title: Security Trends in the Commercial World


1
Security Trends in the Commercial World
  • By Christopher Ray
  • cray_at_aflac.com

2
Agenda
1. Goals of Business
2. Security Models
3. Where to Begin
4. Closing
Encourage open dialogue; seeking input
3
Goals of the Business
  • Why are companies in existence?
  • Why is security needed?
  • How is security like any other job?
  • Scope of discussion focuses on:
  • Commercial service-based business (healthcare,
    banking, etc.)
  • Regulatory environment
  • Security alignment within IT or the COO/CFO
  • Reasonable amount of staffing (not a one-man
    show)
  • Reasonable amount of budget (4)

4
Security Models
  • Yesterday
  • Today
  • Tomorrow
5
Traditional Security Model
  • Isolationist Perspective
  • Draw a perimeter around your sandbox
  • Do not allow outsiders
  • Trust your employees
  • Typical Setup
  • Firewall
  • DMZ environment
  • Segmented LANs
  • Antivirus
  • Perimeter IDS

6
Today's Security Model
  • No Boundaries Perspective
  • Complex systems with a much bigger sandbox
  • Try to determine who the outsiders are
  • Trust (but verify) your employees
  • Deliver more, faster, cheaper, and to smaller
    devices
  • Typical Setup
  • Varies per company depending on architecture,
    industry, and budget

7
Today's Security Model (cont.)
Solutions found today in many corporate security
programs:
  • Firewall
  • IDS/IPS
  • Spam/Email virus filtering
  • Layered switching
  • VPN (IPSEC/SSL)
  • URL filtering
  • Host-based antivirus
  • Host-based firewall
  • Patching (system/application)
  • Configuration management
  • Access controls
  • File transmission security (SSL)
  • Remote access controls (VPN, ACLs)
  • Disaster Recovery
  • Education and awareness training

8
Today's Security Model (cont.)
More developed programs may include:
  • Malware / Botnet detection
  • Database encryption
  • Tape encryption (mainframe / backup)
  • Application layer firewalls
  • Network access controls
  • Security event management
  • Secure code development validation
  • Data Leakage Prevention (DLP)
  • Internet virus filtering
  • Configuration management
  • Host-based forensics
  • Network-based forensics
  • Mobile device encryption
  • - Notebooks
  • - PDAs or smart phones
  • - USB or other external storage devices
  • Wireless Security
  • Data masking
  • Email encryption
  • Virtualization to segment off environment
  • Fraud detection
  • Advanced access management using strong
    authentication (e.g. biometrics, retina scans,
    etc.)
  • Identity management
  • - Role-based access controls
  • - User provisioning
  • E-discovery
  • Data Labeling

9
Today's Security Model (cont.)
  • What's needed today
  • Tools and automation
  • Layered security solutions: there is no magic
    snake oil
  • Example of mobile device security
  • Access controls
  • Two-factor authentication for remote access
  • Device encryption
  • Database encryption
  • Periodic purging of data
  • Antivirus software
  • Host-based firewall technology
  • Theft recovery software (with lojack capability)
  • Talented professionals who can keep up with
    technology

10
Tomorrow's CISO
  • Roles are changing for infosec leaders, with more
    focus on:
  • Legal issues (e-discovery, employee relations,
    contracts)
  • Compliance (regulatory, PCI, privacy laws)
  • Policy/Procedures (have always been needed)
  • Formalized risk management with better business
    alignment
  • Future trends (opinion only)
  • Federated identity and other ways to implement
    SSO
  • Tighter network access controls (i.e. device
    authentication)
  • Application Level Security
  • Digital rights management
  • Managed Services
  • Social Networking (LinkedIn, Second Life,
    Facebook)

11
Where to Begin
  • With all of the technologies and gaps that may
    exist, you have to be able to:
  • Prioritize
  • Sell the ideas
  • Plan
  • Implement methodically
  • Sell some more
  • Leverage relationships within other departments
  • So where would you begin?
  • What challenges do you see facing security?

12
Ongoing Challenges
  • Shift in the threat
  • Moved from individuals hacking for fun to
    organized crime
  • Thoughts on cyber warfare?
  • Amount of change
  • Increasing volumes of data
  • Mobile device management (more, smaller,
    cheaper)
  • Complexity of applications / systems
  • Speed of delivery in an Internet world

13
Questions?