Alan Jenkins
Chief Security Officer,
T-Systems Limited
- a Deutsche Telekom company
We are a Systems Integrator & Outsource Provider

Data Privacy, Risk & Compliance

Other Clients include: BP, EADS, E.On, TUI ….
Why physical security just isn’t enough -
sending the ‘heavies’ into virtualised environments

….. whilst not neglecting the security basics.

And accepting that there is always risk!

Discussion & interaction welcome!

NB Views expressed are not necessarily representative of either DTAG or T-Systems International GmbH
What does ‘Security’ mean to you and the business that you represent?

Wrong!
Security Landscape,
courtesy of ISF
What is Security’s value to your business?

Stages in Managing Expectations (figure): the stages run from Reactive, through Responsive, Anticipatory and Shaping, up to Co-shaping individual expectations; the corresponding experience offered to users runs from Internally oriented, through Hassle-free, User-friendly and Engaging & exciting, to Co-shaping individual experiences.

NB The strategic intent should be to deliver increased value to your business & that of your
Clients through the intelligent application of collective Security activities. No silos allowed!
•    Apply lessons and (security aspects of) design from physical to virtual environments
     •   Consider both logical and physical separation for boundaries
     •   Beware of cross-domain boundary dataflows
     •   Give more thought to protecting the data as opposed to the infrastructure
     •   Consider enhancing Software Development Lifecycle (SDLC) efforts
         •     “It’s the Application Layer that matters, damn it!”
     •   Test, test and test again!
     •   Don’t neglect dynamic reuse, decommissioning & disposal
•    What are your Measures of Effectiveness?
•    Have you linked your Security KPIs to those of your business?
     •   NB Assumes you have KPIs …..!
•    What about Key Risk Indicators (KRIs)?
     •   Look forwards as much as backwards
     •   Benchmark with other forecasts, e.g. the Information Security Forum’s Threat Horizon 2013 Executive Summary
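The separation and cross-domain dataflow bullets above are easy to state and easy to lose track of once workloads migrate between hosts. The following is an added example, not code from the slides: a Python check that applies those three bullets (physical separation, logical separation, guarded boundary crossings) to a constructed inventory of VMs, hosts, segments and flows. The data model, the zone names, the "isolated zone" policy and the approved-gateway table are all assumptions made for illustration.

```python
"""Separation checks for a virtualised estate.

Added example, not code from the slides. The inventory is constructed and the
data model (zones, hosts, segments, flows, approved gateways) is an assumption
made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    zone: str      # security domain, e.g. "dmz", "internal", "pci"
    host: str      # hypervisor host the VM is currently placed on
    segment: str   # virtual network segment / VLAN it is attached to


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    via: Optional[str] = None   # gateway the flow is routed through, if any


# Constructed policy: zones that must never share hardware with another zone,
# and the only gateway allowed to carry traffic between each pair of zones.
ISOLATED_ZONES = {"pci"}
APPROVED_GATEWAYS = {("dmz", "internal"): "fw-dmz", ("internal", "pci"): "fw-pci"}

# Constructed inventory. db-01 is the deliberate problem case: a pci VM that
# shares both a hypervisor host and a network segment with other zones.
VMS = [
    VM("web-01", "dmz", "esx-a", "seg-dmz"),
    VM("app-01", "internal", "esx-a", "seg-int"),
    VM("db-01", "pci", "esx-a", "seg-int"),
    VM("db-02", "pci", "esx-b", "seg-pci"),
]
FLOWS = [
    Flow("web-01", "app-01", via="fw-dmz"),   # dmz -> internal through the firewall
    Flow("app-01", "db-02"),                  # internal -> pci with no gateway at all
    Flow("db-01", "db-02"),                   # pci -> pci, no boundary crossed
]


def colocation_findings(vms):
    """Physical separation: isolated-zone VMs sharing a host with another zone."""
    by_host = defaultdict(list)
    for vm in vms:
        by_host[vm.host].append(vm)
    findings = []
    for host, group in by_host.items():
        zones = {vm.zone for vm in group}
        for vm in group:
            if vm.zone in ISOLATED_ZONES and len(zones) > 1:
                findings.append((vm.name, host, sorted(zones - {vm.zone})))
    return findings


def segment_findings(vms):
    """Logical separation: one network segment carrying more than one zone."""
    by_segment = defaultdict(set)
    for vm in vms:
        by_segment[vm.segment].add(vm.zone)
    return sorted((seg, sorted(z)) for seg, z in by_segment.items() if len(z) > 1)


def flow_findings(vms, flows):
    """Cross-domain dataflows that bypass the approved gateway for that zone pair."""
    zone_of = {vm.name: vm.zone for vm in vms}
    findings = []
    for f in flows:
        pair = (zone_of[f.src], zone_of[f.dst])
        if pair[0] == pair[1]:
            continue   # intra-zone traffic crosses no boundary
        required = APPROVED_GATEWAYS.get(pair) or APPROVED_GATEWAYS.get(pair[::-1])
        if required is None or f.via != required:
            findings.append((f.src, f.dst, pair, f.via, required))
    return findings


if __name__ == "__main__":
    for label, found in (("co-location", colocation_findings(VMS)),
                         ("shared segment", segment_findings(VMS)),
                         ("unguarded flow", flow_findings(VMS, FLOWS))):
        for item in found:
            print(f"[{label}] {item}")
```

In a real estate the inventory would come from the hypervisor management API and the flow list from the virtual switch or firewall logs; the checks themselves stay the same, and running them on every placement change is what turns the "beware of cross-domain dataflows" bullet into a control rather than a reminder.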
Why physical security just isn’t enough, Sending the heavies into virtualized environments
•   Let’s not pretend that the Old World was perfect!
•   The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has
advantages too:
    •    Scalability
    •    Resilience
    •    Cost-effectiveness
    •    Support model is arguably less complex
         •     Depends upon technological mix!
         •     Fewer staff, more automation, leads to improved Quality-of-Service
         •     Dynamic asset, license and configuration management should incur lower
         maintenance effort - and therefore cost - as a result of higher automation

•   Consider knowledge management as opposed to data/information management
    •   What is business value of data? Meta-data adds context …..
    •   Is it static, time-dependent and/or actionable?
    •   What is asset value of information to business? Value-at-risk on balance sheet?
Risk Management cycle: industry best practice
•   Virtualisation (on premise or in Cloud) and outsourcing - caveat emptor!

•   Consider value to business of data and associated processes
    •   What does the cost-benefit case mean to your business?
    •   Conduct business impact assessments to inform criticality discussions

•   Due diligence is essential (reciprocal)
    •   Don’t rely solely on a generic questionnaire
        •     Adopt a security framework,
              •    e.g. the Common Assurance Maturity Model (CAMM)
                   •    http://common-assurance.com/resources/Common-Assurance-Maturity-Model-vision.pdf
         •    ‘Kick the tyres’, i.e. exercise your contractual right to conduct audits
         •    Don’t neglect your Supply Chain

•   Take note of certifications but don’t rely on them
    •    So, your Supplier has an ISO 27001 certificate …..
         •    What is the scope of applicability?
         •    How much business does the 3rd-party auditor have with the supplier?
         •    Regulatory compliance = security         (a topic in its own right!)
Security controls in the virtualised world
•   Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v1.2 (August 2011)
    •    Specifically designed to provide fundamental security principles to guide cloud
    vendors and to assist prospective cloud customers in assessing the overall security risk of a
    cloud provider.
    •    The CSA CCM provides a controls framework that gives a detailed understanding of the security
    concepts and principles aligned to the CSA guidance in its 13 domains.
    •    It is cross-referenced to other industry-accepted security standards, regulations and
    controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, the Jericho Forum and
    NERC CIP, and will augment or provide internal control direction for SAS 70 attestations
    provided by cloud providers.
    •    The CSA CCM provides organisations with the structure, detail and clarity relating to
    information security that the cloud industry needs.
    •    It strengthens existing information security control environments by emphasising
    business information security control requirements, identifies and reduces recurring
    security threats and vulnerabilities in the cloud, provides standardised security and
    operational risk management, and seeks to normalise security expectations, cloud
    taxonomy and terminology, and the security measures implemented in the cloud.
         Cloud Controls Matrix (CCM) : Cloud Security Alliance
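The value of a matrix like the CCM is that its controls are cross-referenced to the standards a supplier actually holds certificates against, so the earlier question "what is the scope of applicability?" can be answered control by control rather than by trusting the certificate as a whole. The following is an added example, not CSA’s or the presenter’s code: a small gap analysis in Python over a constructed control set. Every control id, domain name, Annex A clause mapping, certificate and supplier below is invented for illustration and is not real CCM content; the logic is what matters.

```python
"""Controls-matrix gap analysis against a supplier's evidence.

Added example, not CSA or presenter code. Every control id, domain name, clause
mapping, certificate and supplier below is constructed for illustration; none
of it is the real CCM content. It shows why "what is the scope of
applicability?" matters: a certificate evidences only the controls whose
mapped clauses are in its Statement of Applicability AND whose sites it covers.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    cid: str             # hypothetical control id
    domain: str          # CCM-style domain name
    iso_refs: frozenset  # Annex A clauses the control is mapped to (assumed mapping)


@dataclass
class Certificate:
    standard: str
    scope_sites: set          # sites named in the certificate scope
    applicable_clauses: set   # clauses included in the Statement of Applicability


@dataclass
class Supplier:
    name: str
    service_sites: set                                  # where OUR service is hosted
    certificates: list = field(default_factory=list)
    direct_evidence: set = field(default_factory=set)   # control ids evidenced by our own audit/test


CONTROLS = [
    Control("DG-01", "Data Governance", frozenset({"A.8.2"})),
    Control("DG-02", "Data Governance", frozenset({"A.8.3"})),
    Control("FS-01", "Facility Security", frozenset({"A.11.1"})),
    Control("IS-01", "Information Security", frozenset({"A.12.4"})),
    Control("IS-02", "Information Security", frozenset({"A.14.2"})),
    Control("RM-01", "Release Management", frozenset()),   # no mapping: a certificate can never cover it
]

CERT = Certificate("ISO 27001", {"frankfurt"}, {"A.8.2", "A.8.3", "A.11.1", "A.12.4"})
SUPPLIER = Supplier("ExampleHost", {"frankfurt"}, [CERT], {"IS-02"})


def evidenced_controls(supplier, controls):
    """Map control id -> evidence source for every control the supplier can show."""
    result = {}
    for c in controls:
        if c.cid in supplier.direct_evidence:
            result[c.cid] = "direct"
            continue
        for cert in supplier.certificates:
            # Scope check first: a certificate for a site that does not host our
            # service says nothing about the site that does.
            if not supplier.service_sites <= cert.scope_sites:
                continue
            if c.iso_refs and c.iso_refs <= cert.applicable_clauses:
                result[c.cid] = cert.standard
                break
    return result


def gap_report(supplier, controls):
    """Per-domain coverage ratio plus the control ids with no evidence at all."""
    evidence = evidenced_controls(supplier, controls)
    counts = defaultdict(lambda: [0, 0])
    gaps = []
    for c in controls:
        counts[c.domain][1] += 1
        if c.cid in evidence:
            counts[c.domain][0] += 1
        else:
            gaps.append(c.cid)
    coverage = {d: round(n / total, 2) for d, (n, total) in counts.items()}
    return coverage, gaps


if __name__ == "__main__":
    cov, gaps = gap_report(SUPPLIER, CONTROLS)
    for domain, ratio in cov.items():
        print(f"{domain:24s} {ratio:.0%}")
    print("no evidence:", gaps)
    # Same supplier, but our service also runs from a site outside the certificate scope.
    widened = Supplier("ExampleHost", {"frankfurt", "dublin"}, [CERT], {"IS-02"})
    print("out-of-scope site ->", gap_report(widened, CONTROLS)[1])
```

The scope test is deliberately all-or-nothing: if any site serving us lies outside the certificate, the certificate counts for nothing and every mapped control falls back to direct evidence. That is the conservative reading of "take note of certifications but don’t rely on them"; a partial-scope certificate is exactly the case where kicking the tyres yourself is the only way to close the gap.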
Summary
   •   Remember the Security Basics
   •        Physical, People, Process & Technology in harmony
   •   The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has
   advantages too:
       •    Scalability
       •    Resilience
       •    Cost-effectiveness
   •   Apply lessons and (security aspects of) design from physical to virtual environments
   •   Establish your Measures of Effectiveness & associated KPIs and KRIs
   •    Consider knowledge management as opposed to data/information management
       •    What is business value of data?
       •    Value-at-risk on balance sheet?
   •   Align with an industry standard such as CAMM or CSA CCM
       •    Regulatory compliance = security        (a topic for the next CIO Event!)

NB The strategic intent should be to deliver increased value to your business & that of your
Clients through the intelligent application of collective Security activities . No silos allowed!

Thank you.
Q&A

 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

Why physical security just isn’t enough, Sending the heavies into virtualized environments

  • 1. Alan Jenkins Chief Security Officer, T-Systems Limited - a Deutsche Telekom company
  • 2. We are a Systems Integrator & Outsource Provider Data Privacy, Risk & Compliance Other Clients include: BP, EADS, E.On, TUI ….
  • 3. Why physical security just isn’t enough - sending the ‘heavies’ into virtualised environments ….. whilst not neglecting the security basics. And accepting that there is always risk! Discussion & interaction welcome! NB Views expressed are not necessarily representative of either DTAG or T-Systems International GmbH
  • 4. What does ‘Security’ mean to you and the business that you represent ? Wrong !
  • 6. What is Security’s value to your business? The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. NB Not silo’ed! [Chart: Stages in Managing Expectations, rising from Reactive through Responsive, Anticipatory and Shaping to Co-shaping individual expectations; horizontal axis from Internally oriented, Hassle-free, User-friendly and Engaging & exciting to Co-shaping individual experiences]
  • 7. NB The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. No silos allowed!
    • Apply lessons and (security aspects of) design from physical to virtual environments
    • Consider both logical and physical separation for boundaries
    • Beware of cross-domain boundary dataflows
    • Give more thought to protecting the data as opposed to the infrastructure
    • Consider enhancing Software Development Lifecycle (SDLC) efforts
    • “It’s the Application Layer that matters, damn it!”
    • Test, test and test again!
    • Don’t neglect dynamic reuse, decommissioning & disposal
    • What are your Measures of Effectiveness?
    • Have you linked your Security KPIs to those of your business?
      • NB Assumes you have KPIs …..!
    • What about Key Risk Indicators (KRIs)?
    • Look forwards as much as backwards
    • Benchmark with other forecasts, e.g.
      • Information Security Forum: Download the ISF's Threat Horizon 2013 Executive Summary
  • 9. Let’s not pretend that the Old World was perfect!
    • The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has advantages too:
      • Scalability
      • Resilience
      • Cost-effectiveness
      • Support model is arguably less complex
        • Depends upon technological mix!
      • Fewer staff, more automation, leads to improved Quality-of-Service
      • Dynamic asset, license and configuration management should incur lower maintenance effort - and therefore cost - as a result of higher automation
    • Consider knowledge management as opposed to data/information management
      • What is business value of data? Meta-data adds context …..
      • Is it static, time-dependent and/or actionable?
      • What is asset value of information to business? Value-at-risk on balance sheet?
  • 10. Risk Management cycle: industry best practice
  • 11. Virtualisation (on premise or in Cloud) and outsourcing - caveat emptor!
    • Consider value to business of data and associated processes
    • What does the cost-benefit case mean to your business?
    • Conduct business impact assessments to inform criticality discussions
    • Due diligence is essential (reciprocal)
      • Don’t rely solely on generic questionnaire
      • Adopt a security framework, e.g. Common Assurance Maturity Model (CAMM): http://common-assurance.com/resources/Common-Assurance-Maturity-Model-vision.pdf
    • ‘Kick the tyres’, i.e. exercise contractual right to conduct audits
    • Don’t neglect your Supply Chain
    • Take note of certifications but don’t rely on them
      • So, your Supplier has ISO27001 certificate …..
      • What is the scope of applicability?
      • How much business does 3rd party auditor have with the supplier?
    • Regulatory compliance = security (a topic in its own right!)
  • 12. Security controls in the virtualised world
    • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v1.2 (August 2011)
    • Specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
    • CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the CSA guidance in 13 domains.
    • It has a customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers.
    • CSA CCM provides organizations with necessary structure, detail and clarity relating to information security tailored to the cloud industry.
    • Strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
  • 13. Cloud Security Alliance Cloud Controls Matrix (CCM) v1.2 (August 2011) Cloud Controls Matrix (CCM) : Cloud Security Alliance
  • 14. Summary
    • Remember the Security Basics
      • Physical, People, Process & Technology in harmony
    • The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has advantages too:
      • Scalability
      • Resilience
      • Cost-effectiveness
    • Apply lessons and (security aspects of) design from physical to virtual environments
    • Establish your Measures of Effectiveness & associated KPIs and KRIs
    • Consider knowledge management as opposed to data/information management
      • What is business value of data?
      • Value-at-risk on balance sheet?
    • Align with an industry standard such as CAMM or CSA CCM
    • Regulatory compliance = security (a topic for the next CIO Event!)
    NB The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. No silos allowed!
    NB Views expressed are not necessarily representative of either DTAG or T-Systems International GmbH
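Slides 11 and 12 together raise one practical check: a supplier's certificate only counts for a control if the certified standard maps to that control and the certificate's scope actually includes the control's domain. The following added example (not from the slides, nor CSA's own CCM content; every control ID, domain mapping and supplier scope in it is constructed for illustration) shows that gap analysis and derives a simple coverage KRI from it.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    control_id: str      # constructed ID in a CCM-like style, not a real CCM row
    domain: str          # CCM-style domain the control belongs to
    maps_to: frozenset   # standards the control is mapped to (constructed)


# Constructed mini-matrix; real CCM rows and mappings are not reproduced here.
MATRIX = [
    Control("DG-01", "Data Governance", frozenset({"ISO27001", "PCI"})),
    Control("DG-03", "Data Governance", frozenset({"ISO27001"})),
    Control("FS-02", "Facility Security", frozenset({"ISO27001", "NERC"})),
    Control("IS-07", "Information Security", frozenset({"ISO27001", "COBIT"})),
    Control("SA-04", "Security Architecture", frozenset({"PCI", "NIST"})),
    Control("RI-02", "Risk Management", frozenset({"ISO27001", "COBIT"})),
]


@dataclass
class Attestation:
    """What a supplier's certificate or audit report actually evidences."""
    standard: str
    domains: set = field(default_factory=set)   # domains inside the certified scope


def control_gaps(required_domains, attestations):
    """Controls in the required domains that no attestation evidences.

    A control counts as covered only when some attestation is for a standard the
    control maps to AND that attestation's scope includes the control's domain.
    A certificate scoped to other domains does not count: this is the
    'what is the scope of applicability?' question from slide 11."""
    gaps = []
    for c in MATRIX:
        if c.domain not in required_domains:
            continue
        covered = any(a.standard in c.maps_to and c.domain in a.domains
                      for a in attestations)
        if not covered:
            gaps.append(c.control_id)
    return gaps


def coverage_kri(required_domains, attestations):
    """Fraction of required controls evidenced: a simple KRI to trend over time."""
    required = [c for c in MATRIX if c.domain in required_domains]
    if not required:
        return 1.0
    return 1 - len(control_gaps(required_domains, attestations)) / len(required)
```

Re-running the two functions after each supplier review (new certificate, widened audit scope) gives the forward-looking trend that slide 7 asks KRIs to provide.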

Editor's notes

  1. How do you measure it? What metrics/KPIs do you use? What about KRIs and/or forecasting mechanisms?
  2. How do you measure it? What metrics/KPIs do you use? What about KRIs and/or forecasting mechanisms?