digital strategy and information security


Lecture given at ICHEC Brussels Management School in March 2017


  1. Jacques Folon, www.folon.com. Partner, Edge Consulting. Professor, ICHEC. Maître de conférences, Université de Liège. Visiting professor, Université Saint-Louis (Brussels), Université de Lorraine, ESC Rennes School of Business. Digital strategy, information security, identity and access management.
  2. Table of contents
     1. Introduction
     2. Information security definition
     3. Risk analysis
     4. Myths of cybersecurity
     5. Identity and access management
     6. Cloud computing
     7. The weakest link: the employee
     8. E-discovery
     9. Conclusion
  3. 1. Introduction
  4. "The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and consequently deserve or require protection against various hazards." (ISO/IEC 27002:2013)
     2. Information security definition
  5. Source: https://www.britestream.com/difference.html
  6. What is information? (Source for slides 6 to 10: Intertek Qatar, Information Security Overview, Issue 2)
  7. The elements of information security (ISO/IEC 27000 definitions). Confidentiality: the property that information is not made available or disclosed to unauthorised individuals, entities or processes. Integrity: the property of accuracy and completeness. Availability: the property of being accessible and usable upon demand by an authorised entity.
  8. Information: the act of informing; what is conveyed or represented by a particular arrangement or sequence of things; data as processed, stored, or transmitted by a computer; facts provided or learned about something or someone.
  9. Where is information residing? Information is of value to the organization and consequently requires adequate protection. Information needs to be protected!
  10. ISO 27001:2013 overview
  11. 3. Risk analysis
  12. Risk analysis
  13. Example of a cyber attack
  14. 4. Myths and cybersecurity
  15. 5. Identity and Access Management (IAM)
  16. Provisioning, Single Sign-On, PKI, Strong Authentication, Federation, Directories, Authorization, Secure Remote Access, Password Management, Web Services Security, Auditing & Reporting, Role-Based Management, DRM. Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, rafal@projectbotticelli.co.uk

  17. 5 questions to ask your CISO
  18. Q: What's posted on this monitor? a – password to the financial application; b – phone messages; c – to-do's
  19. Q: What determines your employee's access? a – give Alice whatever Wally has; b – roles, attributes, and requests; c – whatever her manager says
  20. Q: Who is the most privileged user in your enterprise? a – the security administrator; b – the CFO; c – the summer intern who is now working for your competitor
  21. Q: How secure is your identity data? a – It is in 18 different secured stores; b – We protect the admin passwords; c – Privacy? We don't hold credit card numbers
  22. Q: How much are manual compliance controls costing your organization? a – nothing, no new headcount; b – don't ask; c – don't know
  23. Today's IT challenges
     • More agile business: more accessibility for employees, customers and partners; a higher level of B2B integration; faster reaction to changing requirements
     • More secure business: organized crime; identity theft; intellectual property theft; constant global threats
     • More compliant business: increasing regulatory demands; increasing privacy concerns; business viability concerns
  24. State of security in the enterprise
     • Incomplete: multiple point solutions from many vendors; disparate technologies that don't work together
     • Complex: repeated point-to-point integrations; mostly manual operations
     • 'Non-compliant': difficult to enforce a consistent set of policies; difficult to measure compliance with those policies
  25. Identity management values: trusted and reliable security; efficient regulatory compliance; lower administrative and development costs; enabling online business networks; a better end-user experience
  26. IAM means managing the employee lifecycle (recruiting, hiring, promotion, change, leaving) and its impacts on the information management system (source: CLUSIF). IAM is a legal obligation!
  27. IAM is business & ICT + legal: IAM is defined by the business (HR, SCM, etc.), follows the legal framework, and is technically implemented (source: CLUSIF)
  28. IAM includes (source: CLUSIF): a database of each and every user; a database of all types of profiles and roles; definitions made beforehand; defining which role for which employee; definition of logins and passwords; audit; reporting; access control
  29. Definition. What is identity management? "Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities." (The Burton Group, a research firm specializing in IT infrastructure for the enterprise.) Identity management in this sense is sometimes called "Identity and Access Management" (IAM).
  30. IAM at ICHEC: "My name is Julie and I am a student." (identity) – "This is my password." (authentication) – "I want access to my account." (authorization granted) – "I want to change my grade." (authorization rejected)
  31. What are the questions? Is this person who she says she is? Is she a member of our group? Did she receive the necessary authorization? Is data privacy respected?
  32. Types of questions for a newcomer: Which kind of password? Which activities are permitted? Which are forbidden? To which category does this person belong? When do we have to grant the authorization? What controls do we need? Could we demonstrate our procedure in court?
  33. IAM triple A: Authentication (who are you?), Authorization / access control (what can you do?), Audit (what have you done?)
  34. Components of IAM
     • Administration: user management; password management; workflow; delegation
     • Access management: authentication; authorization
     • Identity management: account provisioning; account deprovisioning; synchronisation
     All of these rest on reliable identity data. Source: Lukawiecki, Identity and Access Management: Overview
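As an added example, not taken from the lecture or from any of its cited sources, here is the Julie scenario of slide 30 and the triple A of slide 33 in working Python: a salted PBKDF2 password check for authentication, a business-defined role-to-permission table for authorization, and an audit trail that records every decision, granted or denied. The usernames, roles, permission names and the password are assumptions made for this example.

```python
"""Added example: the IAM triple A (authenticate, authorize, audit) for the
'Julie the student' scenario. Names, roles, permissions and the password are
assumptions made for this example, not taken from any real system."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Roles are defined by the business (slide 27); the code only enforces them.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "student": {"read_own_grades"},
    "lecturer": {"read_own_grades", "read_class_grades", "update_grade"},
}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the password itself is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class IdentityStore:
    """One identity repository holding credentials, roles and the audit trail."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.audit: List[dict] = []

    def provision(self, username: str, password: str, roles: List[str]) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "roles": set(roles)}
        self._record(username, "provision", "ok")

    def authenticate(self, username: str, password: str) -> bool:
        """Who are you? Constant-time comparison; the KDF also runs for unknown
        users so that response time does not reveal which usernames exist."""
        user = self.users.get(username)
        salt = user["salt"] if user else bytes(16)
        _, candidate = hash_password(password, salt)
        ok = user is not None and hmac.compare_digest(candidate, user["hash"])
        self._record(username, "authenticate", "ok" if ok else "denied")
        return ok

    def authorize(self, username: str, action: str) -> bool:
        """What can you do? Allowed only if one of the user's roles grants the action."""
        roles = self.users.get(username, {}).get("roles", set())
        allowed = any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)
        self._record(username, action, "ok" if allowed else "denied")
        return allowed

    def _record(self, who: str, what: str, outcome: str) -> None:
        """What have you done? Every decision, granted or denied, is logged."""
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "who": who, "what": what, "outcome": outcome,
        })


def julie_scenario() -> dict:
    """Slide 30 walked through: identity, authentication, one authorization
    granted, one rejected. Returns the decisions plus audit statistics."""
    store = IdentityStore()
    store.provision("julie", "correct horse battery staple", ["student"])
    return {
        "authenticated": store.authenticate("julie", "correct horse battery staple"),
        "wrong_password": store.authenticate("julie", "guess"),
        "unknown_user": store.authenticate("mallory", "guess"),
        "read_own_grades": store.authorize("julie", "read_own_grades"),
        "update_grade": store.authorize("julie", "update_grade"),
        "audit_entries": len(store.audit),
        "denied_in_audit": sum(1 for e in store.audit if e["outcome"] == "denied"),
    }


if __name__ == "__main__":
    for key, value in julie_scenario().items():
        print(f"{key}: {value}")
```

The point to notice is that authorization never consults the password and authentication never consults the roles: the two questions are separate, and the audit log is what lets you answer the third one ("what have you done?") after the fact, including the attempts that were refused.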

  35. Context in 2017
  36. Various identities co-exist
  37. IRL and virtual identity
  38. Welcome to a digital world: the Internet is based on IP identification; everybody has different profiles; each platform has a different authentication system; users are the weakest link; cybercrime increases; control means identification; data privacy imposes controls and security; e-discovery imposes ECM
  39. Explosion of IDs (chart: number of digital IDs over time). Pre-1980s: mainframe applications. 1980s: client/server. 1990s: Internet, business automation. 2000s: company (B2E), partners (B2B), customers (B2C), mobility. Source: Lukawiecki, Identity and Access Management: Overview
  40. The disconnected reality: "identity chaos" – many users, many IDs, many logins and passwords, multiple repositories of identity information, multiple user IDs and passwords. The enterprise directory, HR, infrastructure, office applications, in-house applications, external apps, finance and employee applications each hold their own authentication, authorization and identity data. Source: Lukawiecki, Identity and Access Management: Overview
  41. Multiple contexts: your company and your employees; your suppliers; your partners; your remote and virtual employees; your customers. Drivers: customer satisfaction and customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce. Source: Lukawiecki, Identity and Access Management: Overview
  42. Trends impacting identity
     • Increasing threat landscape: identity theft costs banks and credit card issuers $1.2 billion in one year; $250 billion lost from exposure of confidential information
     • Maintenance costs dominate the IT budget: on average employees need access to 16 apps and systems; companies spend $20-30 per user per year on password resets
     • Deeper line-of-business automation and integration: one half of all enterprises have SOA under development; web services spending growing 45%
     • Rising tide of regulation and compliance: SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …; $15.5 billion spent on compliance (analyst estimate)
     Data sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
  43. (image)
  44. Pain points, by stakeholder (business owner, end user, IT admin, developer, security/compliance): too expensive to reach new partners and channels; need for control; too many passwords; long waits for access to apps and resources; too many user stores and account admin requests; unsafe sync scripts; redundant code in each app; code reworked too often; too many orphaned accounts; limited auditing ability. Source: Lukawiecki, Identity and Access Management: Overview
  45. Why do we need IAM? Security; compliance; cost control; audit support; access control
  46. Source: ftp://ftp.boulder.ibm.com/software/uk/productnews/tv/vh_-_access_and_identity_management.pdf
  47. Cost reduction
     • Directory synchronization: "Improved updating of user data: $185 per user/year"; "Improved list management: $800 per list" (Giga Information Group)
     • Password management: "Password reset costs range from $51 (best case) to $147 (worst case) for labor alone." (Gartner)
     • User provisioning: "Improved IT efficiency: $70,000 per year per 1,000 managed users"; "Reduced help desk costs: $75 per user per year" (Giga Information Group)
  48. Can we just ignore it all? Today the average corporate user spends 16 minutes a day logging on; a typical home user maintains 12-18 identities; the number of phishing sites grew over 1600% over the past year; corporate IT operations manage an average of 73 applications and 46 suppliers, often with individual directories; regulators are becoming stricter about compliance and auditing; orphaned accounts and identities lead to security problems. Source: Microsoft internal research and the Anti-Phishing Working Group
  49. IAM benefits, tactical (benefits today) and strategic (benefits to take you forward): save money and improve operational efficiency; improved time to deliver applications and services; enhanced security; regulatory compliance and audit; new ways of working; improved time to market; closer supplier, customer, partner and employee relationships. Source: Lukawiecki, Identity and Access Management: Overview
  50. IAM to-do list: automatic account management; archiving; data privacy; compliance; security vs. risks; user identification; e-business; M2M
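Slides 26 and 28 describe IAM as managing the employee lifecycle against a written role-per-employee rule, slide 48 names orphaned accounts as the failure mode, and slide 50 asks for automatic account management. The following is an added example, not from the lecture or its sources, of what that automation reduces to: a reconciliation of the HR feed against the account directory that yields the joiner, mover and leaver actions and lists the accounts HR no longer knows about. The job titles, role names, person IDs and the list of privileged roles are constructed for this example.

```python
"""Added example: joiner / mover / leaver reconciliation between an HR feed and
an account directory. Titles, roles and person IDs are constructed for this
example and describe no real system."""
from dataclasses import dataclass
from typing import Dict, List, Set

# "Which role for which employee" (slide 28): decided by the business, written
# down once, then applied mechanically on every HR change.
TITLE_TO_ROLES: Dict[str, Set[str]] = {
    "student": {"lms_student"},
    "lecturer": {"lms_class_view", "lms_grade_edit"},
    "finance_clerk": {"erp_ap_entry"},
    "finance_manager": {"erp_ap_entry", "erp_ap_approve"},
}

# Roles that make an orphaned account urgent rather than merely untidy.
PRIVILEGED_ROLES: Set[str] = {"erp_ap_approve", "lms_grade_edit"}


@dataclass
class HRRecord:
    person_id: str
    title: str
    active: bool          # False once the person has left


@dataclass
class Account:
    person_id: str
    roles: Set[str]


def reconcile(hr: List[HRRecord], directory: Dict[str, Account]) -> Dict[str, list]:
    """Compute the provisioning actions that bring the directory in line with HR.

    create  - joiner: active in HR, no account yet
    update  - mover: active, but roles differ from what the title allows (revoke, grant)
    disable - leaver: inactive in HR but the account still exists
    orphan  - account with no HR record at all, flagged if it holds a privileged role
    """
    actions: Dict[str, list] = {"create": [], "update": [], "disable": [], "orphan": []}
    hr_by_id = {rec.person_id: rec for rec in hr}

    for pid, rec in hr_by_id.items():
        target = TITLE_TO_ROLES.get(rec.title, set())
        acct = directory.get(pid)
        if rec.active and acct is None:
            actions["create"].append((pid, sorted(target)))
        elif rec.active and acct.roles != target:
            revoke, grant = acct.roles - target, target - acct.roles
            actions["update"].append((pid, sorted(revoke), sorted(grant)))
        elif not rec.active and acct is not None:
            actions["disable"].append(pid)

    for pid, acct in directory.items():
        if pid not in hr_by_id:
            actions["orphan"].append((pid, bool(acct.roles & PRIVILEGED_ROLES)))

    return actions


def demo() -> Dict[str, list]:
    """Constructed sample: one joiner, one promotion, one leaver, one orphan."""
    hr = [
        HRRecord("p001", "student", True),           # unchanged
        HRRecord("p002", "finance_manager", True),   # promoted from finance_clerk
        HRRecord("p003", "lecturer", False),         # has left
        HRRecord("p004", "lecturer", True),          # new hire
    ]
    directory = {
        "p001": Account("p001", {"lms_student"}),
        "p002": Account("p002", {"erp_ap_entry"}),
        "p003": Account("p003", {"lms_class_view", "lms_grade_edit"}),
        "p999": Account("p999", {"erp_ap_approve"}),  # no HR record: the intern of slide 20
    }
    return reconcile(hr, directory)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Run against a real HR export and directory dump, the "orphan" list is the one to read first: an account nobody in HR owns, still holding an approval role, is exactly the "most privileged user" of slide 20. The promotion case also shows why the rule is a set comparison rather than a grant-only operation; a mover who changes department keeps nothing from the old role unless the table says so.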
  51. 6. Cloud computing
  52. First, what the heck is cloud computing? …in simple, plain English please! (Source for slides 52 to 84: Andy Harjanto, "I'm cloud confused", http://www.andyharjanto.com)
  53. Let's use a simple analogy. Say you just moved to a city, and you're looking for a nice place to live.
  54. You can either build a house or rent an apartment.
  55. If you build a house, there are a few important decisions you have to make…
  56. How big is the house? Are you planning to raise a large family?
  57. Remodelling and additions typically cost a lot more once the house is built.
  58. But you get a chance to customize it (the roof, for instance).
  59. Once the house is built, you're responsible for maintenance: hire a landscaper, an electrician, a plumber; pay property tax, electricity, water; gutter cleaning, heating and cooling, housekeeping.
  60. How about renting?
  61. Consider a builder in your city who builds a huge number of apartment units.
  62. A unit can easily be converted into 2, 3, 4 or more units.
  63. You make fewer, simpler decisions. You can start with one unit and grow later, or downsize.
  64. But… you do not have a lot of options to customize your unit.
  65. However, builders provide you with very high quality infrastructure: high-speed Internet, high-capacity electricity, triple-pane windows, green materials.
  66. No need to worry about maintenance.
  67. Just pay your rent and utilities: pay as you go.
  68. Let's translate this to cloud computing.
  69. As an end consumer, believe it or not, you've been using the cloud for a long time.
  70. Most of these services are free.
  71. In return, you're willing to give away your information for ads and other purposes.
  72. But you've been enjoying high reliability, service, limited storage, connecting and sharing.
  73. OK, now tell that to the business owner: give up your data, then you can use this infrastructure for free.
  74. "Are you crazy?" will answer the CEO.
  75. My business needs… security, privacy, reliability, high availability.
  76. Building enterprise software is like a medieval castle: stone wall, fire-proof, moat, army, death hole.
  77. Let's hire an army of IT engineers: software upgrades, support, backup/restore, service packs, development, network issues.
  78. Let's build a huge data center: capacity planning, disaster plan, cooling management, server crashes.
  79. High availability: your data is replicated 3 or 4 times in their data center.
  80. High traffic? Adding "servers" is a click away, running in just minutes, not days.
  81. It can even load-balance your server traffic.
  82. Expect your cloud network to be always up.
  83. Yes, you can even pick where your data and "servers" reside. Don't forget data privacy issues.
  84. So we know what the cloud is and the choice we have.
  85. Cloud computing: definition. There is no unique definition or general consensus about what cloud computing is; there are different perspectives and focuses (platform, software, service levels…). Flavours: computing and IT resources accessible online; dynamically scalable computing power; virtualization of resources; abstraction of IT infrastructure (no need to understand its implementation: use services and their APIs). Some current players at the infrastructure and service level: Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc. Source for slides 85 to 88: Marco Casassa Mont, "The Future of Identity in the Cloud: Requirements, Risks & Opportunities", HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009 (marco.casassa-mont@hp.com)
  86. Cloud computing: implications
     • Enterprise: paradigm shift from "closed and controlled" IT infrastructures and services to externally provided services and IT infrastructures
     • Private user: paradigm shift from accessing a static set of services to dynamic and composable services
     • General issues: potential loss of control (over data, infrastructure, processes, etc.); data and confidential information stored in the clouds; management of identities and access (IAM) in the cloud; compliance with security practice and legislation; privacy management (control, consent, revocation, etc.); new threat environments; reliability and longevity of cloud and service providers
     Source: Casassa Mont, EEMA 2009
  87. Identity in the cloud, enterprise case: issues and risks [1/2]
     • Potential proliferation of required identities and credentials to access services → misbehaviour when handling credentials (writing them down, reusing, sharing, etc.)
     • Propagation of identity and personal information across multiple clouds/services → privacy issues (e.g. compliance with multiple legislations, importance of location, etc.); exposure of business-sensitive information (employees' identities, roles, organisational structures, enterprise apps/services, etc.); how to effectively control this data?
     • Delegation of IAM and data management processes to cloud and service providers → how to get assurance that these processes and security practices are consistent with enterprise policies? How to deal with overall compliance and governance issues?
     Source: Casassa Mont, EEMA 2009
  88. Identity in the cloud, enterprise case: issues and risks [2/2]
     • Migration of services between cloud and service providers → management of the data lifecycle
     • Threats and attacks in the clouds and cloud services → cloud and service providers can be the "weakest links" in security and privacy; reliance on the good security practice of third parties
     Source: Casassa Mont, EEMA 2009
  89. 7. The weakest link: the employee
  90. Need to check
  91. Legal limits
  92. Data controller responsibility
  93. Teleworking
  94. Data theft
  95. (image)
  96. Data transfer
  97. Limitation of control; private e-mail; penalties; who controls?
  98. Security is mandatory!
  99. Technical security: risk analysis; backup; disaster recovery; identity management; strong logins and passwords
  100. Legal security: information in the employment contracts; contracts with subcontractors; code of conduct; compliance; control of the employees
  101. Control?
  102. 8. E-discovery
  103. Definition of e-discovery
     • Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as electronically stored information (ESI).
     • It means the collection, preparation, review and production of electronic documents in litigation discovery.
     • Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
     • This includes e-mail, attachments, and other data stored on a computer, network, backup or other storage media. E-discovery includes metadata.
  104. Recommendations. Organizations should update and/or create information management policies and procedures that include:
     • e-mail retention policies (on an individual level, employees tend to keep information on their hard drives "just in case" they might need it; work with users to rationalize their storage requirements and decrease their storage budget);
     • off-line and off-site data storage retention policies;
     • controls defining which users have access to which systems and under what circumstances;
     • instructions for how and where users can store data;
     • backup and recovery procedures.
     Assessments or surveys should be done to identify business functions, data repositories, and the systems that support them. Legal must be consulted: organizations and their legal teams should work together to create and/or update their data retention policies and procedures for managing litigation holds.
  105. Information security is a legal question, not only a business and IT one. Compliance is important. More security is needed because of cloud computing, virtualisation, data privacy and archiving. Transparency. E-discovery.
  106. IAM could be an opportunity: rethink security; risk reduction; cost reduction; precise roles and responsibilities
  107. Conclusion
  108. Any questions?
  109. Jacques Folon, Jacques.folon@ichec.be
  110. Credits
     • M. Martins: https://fr.slideshare.net/MarceloMartinsCISSPC/information-security-strategic-management
     • Business Continuity Institute: https://fr.slideshare.net/TheBCEye/risk-based-cyber-security
     • W. Brown: https://fr.slideshare.net/whbrown5/how-secure-is-your-business-fraud-risk-analysis-and-security-management
     • PECB: https://fr.slideshare.net/PECBCERTIFICATION/check-if-you-are-ready-for-isms-implementation
     • N. Rao: https://fr.slideshare.net/NareshRao3/iso-27001-2013-isms-final-overview
     • Verizon: https://fr.slideshare.net/VerizonEnterpriseSolutions/2016-data-breach-investigations-report-dbir-cybersecurity-on-slideshare
     • Accenture: https://fr.slideshare.net/AccentureOperations/the-state-of-cybersecurity-and-digital-trust-2016
