
Information Security as a Business Enabler Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed Security Services 2007.

Dec 26, 2015


Magnus Anthony
Transcript
Page 1: Information Security as a Business Enabler Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed Security Services 2007.

Information Security as a Business Enabler

Panos Dimitriou, MSc InfoSec, CISSP, CISM

Director, Managed Security Services

2007

Page 2:

Agenda

“Visualizing” Information Security

Information Security as a Business Enabler... Case Studies

– e-Banking/Business Authentication

– Identity & Access Management

– Remote Access

– Outsourcing

…Epilogue

Page 3:

“Visualizing” Information Security

You are here

Information Security

Page 4:

Case Studies

Page 5:

Internet Banking and more

Banks approach Internet Banking as a Strategic Alternative Channel

– Cost reduction

– Customer Reach

– Bare necessity

The first approach was to secure their side (the Bank’s side) and leave the customer’s side as “easy” as possible (i.e. username & passwords)

However, after a series of incidents they realised that in order to keep and extend their e-customer reach they also had to secure the “client side”

Page 6:

Internet Banking and more

Currently Banks give “One Time Passwords” Authentication Tokens

– Customers are willing to pay for them!

– Customers are less reluctant to jump on the Internet Banking bandwagon

Some Banks are going a step further and provide the good-old “ease of use” (username & passwords) without the good-old risks, by leveraging:

– Login Risk Analytics and back-end Fraud Management engines

and thus making the best of both worlds!

Page 7:

Identity & Access Management

Companies are leveraging ITC and they are expanding, streamlining and optimising their business operations and functions

However, as they expand, they also end up with

– numerous persons to manage and even more user accounts

– More applications

– More complexity

So,

– It takes them a long time to get new starters productive

– They have to utilise valuable IT resources to manage accounts and passwords, when those resources could have been used in expanding their IT capabilities

– It’s more difficult to ensure a secure operating environment

– …

Page 8:

Identity & Access Management

Who are your users?

[Figure: login prompt with User Name and Password fields]

What do your users have access to?

What are they doing with their access?

Who approved their access?

• Lifecycle management of employees

• Extend the reach to partners, customers, vendors

• Audit & compliance

Page 9:

Identity & Access Management

[Diagram: User & Access Provisioning. Labels shown: Users; Feeds (e.g. HR); Organisation; Job Descriptions; Workflows; Roles; Access Profiles; User & Access Provisioning (Out-of-the-box, APIs, Custom DB Tables, Biz Logic…); Provisioning (repeated five times); Applications; Security Infrastructures; Database Servers; Systems (OS-level); Network Components; Data Store; Business Data & Services]

Page 10:

Identity & Access Management

By using an IAM system they

– Streamline and automate the user provisioning process

– Reduce costs from

• Fewer help desk calls for trivial tasks (password resets)

• Fewer IT personnel are required for trivial tasks (provisioning) or for resource-intensive ones (Compliance)

– Enhance User Productivity

– Are able to allocate their IT personnel to tasks that really matter

– Achieve Business Agility

• More services to more people

• M&As with fewer risks and in less time

Page 11:

Remote Access

Companies need to provide Remote Access to their IT and Information resources in order to:

– Support their “road warriors” (Sales teams…)

– Resolve technical issues 24/7 in the minimum time possible

– Reduce cost from “onsite visits” from third-party service providers

– Support their teleworkers

– …

However, when they think about the risks they are a bit reluctant to give such access

So, they usually:

– Minimize services available

– Introduce cumbersome manual processes

Or, in other words, they lose half of the benefits without reducing the corresponding risks accordingly

Page 12:

Remote Access

Advanced RAS Infrastructures can address all the concerns:

– Ensure authorised access to only the resources allowed

– Ensure complete auditability of authorised users’ actions on systems and data

– Ensure critical data containment

– …

And thus allow companies to provide the entire range of required services

– Quickly, in a standardized fashion, securely

– And get the full potential of RAS

Page 13:

Outsourcing

Outsourcing is a main trend for modern enterprises

– Collection Agencies

– Call Centers

– Printing Houses

– Software Development

– IT Operations

– …

However, just as in the case of RAS, when companies are thinking about the security risks and the corresponding regulatory compliance they get more reluctant to follow the trend

Page 14:

Outsourcing

Leading International companies are currently using Data Leak Prevention systems to achieve Accountability & Control on Outsourcers and corresponding data access and processes

Page 15:

Epilogue

We have to approach Information Security as a Business Enabler

We have to see Info Sec as the “railing” on our balcony that enables us (our company) to go to the edge

…without being at risk of getting “crashed” by the smallest wrong step

Page 16:

Epilogue

Security

Ease-of-use, Flexibility…

Cost

Page 17:

www.encodegroup.com