Top Banner
ERP in the Time of Breaches Protect Yourself with the Right Governance, Risk and Compliance
38
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: ERP in the Time of Breaches - Best Practices for Data Security

ERP in the Time of BreachesProtect Yourself with the Right

Governance, Risk and Compliance

Page 2: ERP in the Time of Breaches - Best Practices for Data Security

• The Role of Information

Security

• IT Security Conundrums

• Best Practices for Security

• How Providers can Alleviate

Concerns

• Q&A

Page 3: ERP in the Time of Breaches - Best Practices for Data Security

Today’s Presenter

Greg Pierce

• Chief Cloud Officer, Concerto Cloud

Services

• Pioneer in Enterprise Cloud Computing

• Veteran business leader and entrepreneur

with over 20 years experience

• Helps businesses transform through the use

of disruptive technologies

Page 4: ERP in the Time of Breaches - Best Practices for Data Security

The Role of Information Security

Page 5: ERP in the Time of Breaches - Best Practices for Data Security

Goal of Information Security

Administrative, Technical and

Physical Controls work

together to ensure the

confidentiality, integrity

and availability (CIA) of

critical systems and

confidential information

Page 6: ERP in the Time of Breaches - Best Practices for Data Security

Information

Security is a goal

- we must

continually strive for

it with no guarantee

of achievement.

IT Security Conundrum One

Page 7: ERP in the Time of Breaches - Best Practices for Data Security

Regulatory

compliance

and/or

certification ONLY serves as a

guideline.

IT Security Conundrum Two

Page 8: ERP in the Time of Breaches - Best Practices for Data Security

IT Security Conundrum Three

Spending

more (without

other security

processes) can deliver a false sense of security.

IT Security Conundrum Three

Page 9: ERP in the Time of Breaches - Best Practices for Data Security

IT Security Conundrum Four

YOU are the

target -regardless of

your industry

vertical or

company size.

Page 10: ERP in the Time of Breaches - Best Practices for Data Security

IT Security Conundrum Five

It is easy to drive the wrong behavior from your users.

Education is key and policies can’t be too restrictive.

Page 11: ERP in the Time of Breaches - Best Practices for Data Security

Information Security Domains

1. Access Control 2. Application Security 3. Business Continuity and Disaster Recovery

Planning 4. Cryptography 5. Information Security and Risk Management 6. Legal, Regulations, Compliance and

Investigations 7. Operations Security 8. Physical (Environmental) Security 9. Security Architecture and Design 10. Telecommunications and Network Security

Page 12: ERP in the Time of Breaches - Best Practices for Data Security

Security – A Year In Review

Page 13: ERP in the Time of Breaches - Best Practices for Data Security

Security Has Everyone’s Attention

APR SEPTMAY JUN JUL AUG OCT NOV DEC JAN FEB MAR APR SEPTMAY JUN JUL AUG

$70MM Records

Stolen

$40MM Credit & Debit

Nov 15 – Dec 15, 2013$56MM Credit &

Debit

Apr - Sept, 2013

$76MM of $83MM

Accounts Stolen

July14 – Sept 2014

2013 2014

$9000

Credit & Debit

Page 14: ERP in the Time of Breaches - Best Practices for Data Security

The Target Breach – How did they do it?

• Compromised HVAC contractor likely via a phishing email

– Used free version of anti-malware that lacked real-time protection

– Malware stole credentials to Target supplier portal

• Portal

– Not properly segmented on the network from other critical systems

– Lacked two-factor authentication

– Supplier/Vendor info was public, so attackers used this info for social

engineering attack (HVAC contractor)

– Supplier/Vendor ecosystem lacked security awareness training( best

practice, etc…)

• Took advantage of Monitoring system’s default username and password

– Installed “RAM Scrapping” Malware on POS System

– Disguised communications as legitimate monitoring traffic

– Exfiltration of data was sent to an FTP server in Russia of the course of two

days

Page 15: ERP in the Time of Breaches - Best Practices for Data Security

Target Breach - By the numbers

• 70 million – # of records stolen

• 40 million - # of Credit/Debit cards stolen

• 100 million - $ they will spend upgrading payment terminals

• 46% - percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before

• 53.7 million - The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85

• ZERO – Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target

Page 16: ERP in the Time of Breaches - Best Practices for Data Security

The Target Breach – Why they got away

“Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security”

Gregg Steinhafel, CEO

Page 17: ERP in the Time of Breaches - Best Practices for Data Security

The Target Breach – Why they got away

• Failure or lack of established process and procedure

– Security systems rapidly detected the security event but

there was no response by IT

• Weakness in the architecture of the Supplier portal

– Insufficient oversight during the planning and implement

phase allowed logical connectivity to sensitive systems

and data– Architectural review board?

– Infrequent assessment against systems to understand

their impact on Information Security?

• Lack of security awareness training

Page 18: ERP in the Time of Breaches - Best Practices for Data Security

Users are the Common Link

• Trojans – software downloads - Kaaza

• Viruses – Emails

• Zombies or Botnets

• Phishing (Identity Theft)

• Spywaresource

http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html

“Application users are most often the determining factor in whether or not a security breach occurs”

Page 19: ERP in the Time of Breaches - Best Practices for Data Security

What can we learn?

A breach can happen to any company of any size and any industry –learning from others is

critical.

Page 20: ERP in the Time of Breaches - Best Practices for Data Security

Best Practices to Secure Your

ERP Solution and Organization

Page 21: ERP in the Time of Breaches - Best Practices for Data Security

Best Practice One: Holistic Planning

Security is a Holistic Program

– Process (not a project)

Never 100%

– Risk Management

Improve Security Posture

– Changing Security Landscape

Threats (motives)

Countermeasures

Page 22: ERP in the Time of Breaches - Best Practices for Data Security

Best Practice Two: Building Awareness

• Security awareness is the knowledge, skill and attitude an individual possesses

regarding the protection of information assets.

• Being Security Aware means you understand

that there is the potential for some people to

deliberately or accidentally steal, damage,

or misuse your account, computer or the

data stored on your computer.

• Awareness of the risks and available

safeguards is the first line of defense

for the security of information,

systems and networks.

“Application users are

most often the determining

factor in whether or not a

security breach occurs”– source

http://www.pcworld.com/article/2010527/forrester-

report-finds-most-data-breaches-are-caused-by-

employees.html

Page 23: ERP in the Time of Breaches - Best Practices for Data Security

Security Awareness Includes

• Information about how to

Protect

Detect

React

• Knowledge, Skill and Attitude

The What

The How

The Why

• Culture Change

Page 24: ERP in the Time of Breaches - Best Practices for Data Security

Best Practice Three: Encryption

Data in Use, Data in Motion, and Data at

Rest - Ensure encryption for ALL classes of data

Page 25: ERP in the Time of Breaches - Best Practices for Data Security

Best Practice Four: Layered Structure

A High Level Summary of Security Layers include:

• Centralized and automated anti-malware and OS patching

• Identity management

• True network segmentation and isolation from ingress to egress at layer 2 and 3

• Data in-motion encryption by default

• Multiple firewall segments operating at layer 1-7 of the OSI stack

• State-of-the-art IDPS solution monitored and managed 24x7 by a dedicated security operations center (SOC)

• Reverse Proxy services

• “Other” confidential and proprietary security mechanisms and practices

• Intelligent, multi-point syslog solution

Page 26: ERP in the Time of Breaches - Best Practices for Data Security

Best Practice Five: Triangulate

Page 27: ERP in the Time of Breaches - Best Practices for Data Security

Process, Process, Process

Page 28: ERP in the Time of Breaches - Best Practices for Data Security

Best Practice Six: Compliance Blueprint

FIPS

Page 29: ERP in the Time of Breaches - Best Practices for Data Security

How Providers Can Alleviate

Concerns

Page 30: ERP in the Time of Breaches - Best Practices for Data Security

The Market Has Gone to the Clouds

• 45% of companies

plan to move ERP

to the cloud in the

next 5 years

• Other studies state

that market is

moving even faster

than predicted here

Page 31: ERP in the Time of Breaches - Best Practices for Data Security

The Cloud Changes Everything

…Except

SecurityEnsure hosting/cloud solution

is subject to IT audit with your

IT security team.

Is your hosting/cloud solution subject to internal IT audit with your IT security team?

Page 32: ERP in the Time of Breaches - Best Practices for Data Security

Not All Clouds Are Equal

• ISC2 and CSA have partnered to offer a new Cloud Security Certification– SecurityWeek: ISC and CSA Partner for

Certification offering

• Amazon S3 Poor Configuration Puts Sensitive Data at Risk– SecurityWeek: Amazon Puts S3 Data At Risk

• Web Application Attack Challenge Cloud and On-Premise Infrastructures– SecurityWeek: Web Application Attacks Increase

• Trust in the Cloud?– SecurityWeek: Lieberman: IT Doesn't Trust the

Cloud

Page 33: ERP in the Time of Breaches - Best Practices for Data Security

What’s So Troubling About Cloud Security?

Page 34: ERP in the Time of Breaches - Best Practices for Data Security

How Cloud Providers Can Address Concerns

• Transparency/Control Over Datacenter/Data Locality/Security Audibility

• Verifiable End-to-end Encryption – Data in Transit

• Industry/Government Regulation Compliance

• Proven Tools and Control with Restricted Access

• Control Over Security/Encryption

• Dedicated Resources/Data Isolation

• Provide Proven References

• Industry Standards for Data Privacy and Security

• Explicit Contractual Responsibilities for Service Levels/Security

• Provider Certification Standards

• Region/Country Specific Datacenter Locations

Page 35: ERP in the Time of Breaches - Best Practices for Data Security

Things to Remember

Ensure the security and

privacy of your Cloud

application with:

The Right Cloud for the Right

Application

Compliance

IDS/IPS

Protection for Data at Rest

Page 36: ERP in the Time of Breaches - Best Practices for Data Security

• Simplicity for Complex Applications. Concerto was designed to

meet the toughest regulatory challenges and the most complex

demands – and has earned an industry leading customer

retention rate as a result.

• Comprehensive Channel Enablement Services. Innovative private

and hybrid cloud and business transformation services help

channel partners go to market quickly.

• Recognized Cloud Provider for Microsoft Applications. Concerto

Cloud is the go-to cloud provider for Microsoft applications and

is recognized as Microsoft’s ISV of the Year for Cloud Services.

The Cloud That’s Up to Your Challenge

Page 37: ERP in the Time of Breaches - Best Practices for Data Security

Cloud Services Quick Facts

Page 38: ERP in the Time of Breaches - Best Practices for Data Security

FOR MORE INFORMATION:(844) 760-1842

www.concertocloud.com

[email protected]