Information Security as a Business Enabler
Panos Dimitriou, MSc InfoSec, CISSP, CISM
Director, Managed Security Services
2007
Agenda
“Visualizing” Information Security
Information Security as a Business
Enabler...Case Studies
– e-Banking/Business Authentication
– Identity & Access Management
– Remote Access
– Outsourcing
…Epilogue
Internet Banking and more
Banks approach Internet Banking as a Strategic Alternative
Channel
– Cost reduction
– Customer Reach
– Bare necessity
The first approach was to secure their side (the Bank’s side) and
leave the customer’s side as “easy” as possible (i.e. username &
passwords)
However, after a series of incidents they realised that in order to
keep and extend their e-customer reach they also had to secure
the “client side”
Internet Banking and more
Currently banks issue “One Time Password” (OTP)
authentication tokens
– Customers are willing to pay for them!
– Customers are less reluctant to jump on the Internet
Banking bandwagon
Some banks go a step further and keep
the good-old “ease of use” (username & password)
without the good-old risks, by leveraging:
– Login risk analytics and back-end fraud management
engines that decide when a plain password is enough and when the customer must be stepped up to an OTP
…and thus get the best of both worlds!
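The two mechanisms on these slides, the OTP token and the risk-based step-up in front of it, as an added example (not code from the deck). HOTP follows RFC 4226 and TOTP follows RFC 6238 (HMAC-SHA1, 6 digits, 30 s step); the risk signals, weights, threshold and login events are constructed for illustration, and a real fraud engine would tune them from observed fraud. Beyond the slide's description it also shows two checks a practitioner wants in the verifier: a constant-time compare and refusal of a replayed code.

```python
"""Added example: OTP token verification plus login risk scoring that decides
when a password alone is accepted and when an OTP step-up is required."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, skew=1, last_counter=-1):
    """Return (ok, counter). Tolerates +/- `skew` time steps of clock drift,
    refuses any counter already consumed (replay of a sniffed code) and
    compares in constant time so timing does not leak the digits."""
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter
    base = unix_time // step
    for counter in range(base - skew, base + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


# Constructed risk signals and weights; OTP is demanded at or above the threshold.
RISK_WEIGHTS = {"new_device": 40, "new_country": 35, "off_hours": 10, "failed_attempt": 5}
STEP_UP_THRESHOLD = 40


def login_risk(event: dict, profile: dict) -> int:
    """Score one login attempt against what is known about the customer."""
    score = 0
    if event["device_id"] not in profile["known_devices"]:
        score += RISK_WEIGHTS["new_device"]
    if event["country"] != profile["home_country"]:
        score += RISK_WEIGHTS["new_country"]
    if not 6 <= event["hour"] < 23:
        score += RISK_WEIGHTS["off_hours"]
    score += RISK_WEIGHTS["failed_attempt"] * min(event["recent_failures"], 5)
    return score


def authenticate(event, profile, secret, submitted_otp=None):
    """Password only when the login matches the customer's usual pattern;
    otherwise a valid TOTP is required. Returns 'allow', 'step_up' or 'deny'
    and, after an OTP success, records the counter so the code cannot be replayed."""
    if not event["password_ok"]:
        return "deny"
    if login_risk(event, profile) < STEP_UP_THRESHOLD:
        return "allow"
    if submitted_otp is None:
        return "step_up"  # ask the customer for the token code
    ok, counter = verify_totp(secret, submitted_otp, event["time"],
                              last_counter=profile.get("last_otp_counter", -1))
    if ok:
        profile["last_otp_counter"] = counter
        return "allow"
    return "deny"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC 4226 / RFC 6238 test secret
    profile = {"known_devices": {"dev-A"}, "home_country": "GR"}  # constructed
    usual = {"password_ok": True, "device_id": "dev-A", "country": "GR",
             "hour": 10, "recent_failures": 0, "time": 59}
    odd = {"password_ok": True, "device_id": "dev-Z", "country": "RO",
           "hour": 3, "recent_failures": 2, "time": 59}
    print(authenticate(usual, profile, secret))                  # allow
    print(authenticate(odd, profile, secret))                    # step_up
    print(authenticate(odd, profile, secret, totp(secret, 59)))  # allow
    print(authenticate(odd, profile, secret, totp(secret, 59)))  # deny: replayed code
```

The familiar login (known device, home country, office hours) passes on the password alone; the unfamiliar one is stepped up, passes with a fresh token code, and is refused when the same code is presented again.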
Identity & Access Management
Companies are leveraging ICT and are expanding, streamlining
and optimising their business operations and functions
However, as they expand they also end up with
– numerous persons to manage and even more user accounts
– More applications
– More complexity
So,
– It takes them a long time to get new starters productive
– They have to spend valuable IT resources managing accounts and
passwords, resources that could have been used to expand their IT
capabilities
– It’s more difficult to ensure a secure operating environment
– …
Identity & Access Management
Who are your users?
[Graphic: login form with User Name and Password fields]
What do your users have access to?
What are they doing with their access?
Who approved their access?
• Lifecycle management of employees
• Extend the reach to partners, customers, vendors
• Audit & compliance
Identity & Access Management
[Diagram: IAM architecture. Targets: Database Servers, Systems (OS-level), Network Components, Data Store, Business Data & Services, Applications, Security Infrastructures. Engine: User & Access Provisioning (out-of-the-box connectors, APIs, custom DB tables, business logic…). Inputs to the engine: Organisation, Job Descriptions, Workflows, Roles, Access Profiles, Users, Feeds (e.g. HR). Arrows labelled “Provisioning” run from the engine to each target.]
Identity & Access Management
By using an IAM system they
– Streamline and automate the user provisioning process
– Reduce costs from
• Fewer help desk calls for trivial tasks (password resets)
• Fewer IT staff are required for trivial tasks (provisioning)
or for resource-intensive ones (compliance)
– Enhance User Productivity
– Are able to allocate their IT personnel to tasks that
really matter
– Achieve Business Agility
• More services to more people
• M&As with less risks and less time
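The provisioning chain in the IAM diagram above (HR feed, organisation and job descriptions, roles, access profiles, provisioning actions) and the “who has access, who approved it” questions, as an added example that is not code from the deck. It reconciles a constructed HR feed against constructed current account state and emits the grant, revoke and disable actions an IAM engine would push to the target systems, routing sensitive grants to an approval workflow. All job titles, roles, systems, entitlements and user IDs are hypothetical.

```python
"""Added example: HR-feed-driven provisioning and reconciliation."""
from dataclasses import dataclass

# Organisation model: job description -> roles, role -> access profile
# (entitlements on target systems). All names are constructed.
JOB_ROLES = {
    "Teller": {"branch-staff"},
    "Branch Manager": {"branch-staff", "branch-approver"},
    "DBA": {"it-staff", "db-admin"},
}
ROLE_PROFILE = {
    "branch-staff": {("core-banking", "teller-ui")},
    "branch-approver": {("core-banking", "approve-txn")},
    "it-staff": {("vpn", "user")},
    "db-admin": {("oracle-prod", "dba")},
}
# Entitlements that the workflow must route to an approver before they are granted.
SENSITIVE = {("core-banking", "approve-txn"), ("oracle-prod", "dba")}


@dataclass
class Action:
    kind: str                    # "grant" | "revoke" | "disable"
    user: str
    system: str = ""
    entitlement: str = ""
    reason: str = ""
    needs_approval: bool = False


def target_access(job: str) -> set:
    """Entitlements a person should hold given their job description."""
    access = set()
    for role in JOB_ROLES.get(job, set()):
        access |= ROLE_PROFILE[role]
    return access


def reconcile(hr_feed: list, current_access: dict) -> list:
    """Compare the HR feed (the authoritative answer to 'who are your users')
    with what the accounts actually hold, and return the provisioning actions.
    Joiners get their profile, movers lose the old profile and gain the new one,
    leavers are disabled, and accounts with no HR record are flagged as orphans."""
    actions = []
    for person in hr_feed:
        uid, job, status = person["id"], person["job"], person["status"]
        have = current_access.get(uid, set())
        if status != "active":
            actions.append(Action("disable", uid, reason=f"HR status {status}"))
            for system, ent in sorted(have):
                actions.append(Action("revoke", uid, system, ent, "leaver"))
            continue
        want = target_access(job)
        for system, ent in sorted(want - have):
            actions.append(Action("grant", uid, system, ent, f"job {job}",
                                  needs_approval=(system, ent) in SENSITIVE))
        for system, ent in sorted(have - want):
            actions.append(Action("revoke", uid, system, ent, f"not in profile for {job}"))
    known = {p["id"] for p in hr_feed}
    for uid in sorted(set(current_access) - known):
        actions.append(Action("disable", uid, reason="orphan account: no HR record"))
    return actions


# Constructed sample data: a joiner, a mover, a leaver and an orphan account.
HR_FEED = [
    {"id": "u100", "job": "Teller", "status": "active"},
    {"id": "u200", "job": "Branch Manager", "status": "active"},
    {"id": "u300", "job": "DBA", "status": "terminated"},
]
CURRENT_ACCESS = {
    "u200": {("core-banking", "teller-ui")},
    "u300": {("vpn", "user"), ("oracle-prod", "dba")},
    "u999": {("vpn", "user")},
}

if __name__ == "__main__":
    for a in reconcile(HR_FEED, CURRENT_ACCESS):
        flag = " [needs approval]" if a.needs_approval else ""
        print(f"{a.kind:8} {a.user:5} {a.system:13} {a.entitlement:12} {a.reason}{flag}")
```

Running the reconciliation against the sample data grants the new teller her profile, adds the approval entitlement for the promoted branch manager (held for approval), disables the departed DBA and revokes both of his entitlements, and disables the account that no HR record explains. The same diff is what an audit needs: every held entitlement traces to a job, a role and, for sensitive ones, an approval.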
Remote Access
Companies need to provide Remote Access to their IT and Information
resources in order to:
– Support their “road warriors” (Sales teams…)
– Resolve technical issues 24/7 in the minimum time possible
– Reduce cost from “onsite visits” from third-party service providers
– Support their teleworkers
– …
However, when they think about the risks they are a bit reluctant to
give such access
So, they usually:
– Minimize services available
– Introduce cumbersome manual processes
Or, in other words, they lose half of the benefits without
reducing the corresponding risks accordingly
Remote Access
Advanced RAS Infrastructures can address all the
concerns:
– Ensure authorised access to only the resources allowed
– Ensure complete auditability of authorised users’ actions on
systems and data
– Ensure critical data containment
– …
And thus allow companies to provide the entire range of
required services
– Quickly, in a standardized fashion, securely
– And get the full potential of RAS
Outsourcing
Outsourcing is a main trend for modern enterprises
– Collection Agencies
– Call Centers
– Printing Houses
– Software Development
– IT Operations
– …
However, just as in the case of RAS, when companies are
thinking about the security risks and the corresponding
regulatory compliance they get more reluctant to follow
the trend
Outsourcing
Leading International companies are currently
using Data Leak Prevention systems to achieve
Accountability & Control on Outsourcers and
corresponding data access and processes
Epilogue
We have to approach Information Security as a
Business Enabler
We have to see Info Sec as the “railing” on our balcony that
enables us (our company) to go right to the edge
…without being at risk of “crashing down” from the smallest wrong step