Digital Security: The CISO Perspective
Apigee (@apigee)
Subra Kumaraswamy (@subrak)
Randy Barr, CISO, Saba Software
Jul 12, 2015
Agenda
• The changing Digital landscape
• Trends: technology and threats
• Security enablers
• Key takeaways
The changing landscape
[Diagram: APIs at the centre, surrounded by back-end systems, mobile security, social and SaaS, and endpoint security, with the emerging controls: contextual & behavioral security, encrypt everything, Identity-as-a-Service, SaaS security/identity plugin, fraud detection, APT security analytics]
Digital security is shifting from defense to analytics (predictive) & prevention
Enabling DevOps
• End-to-end security managed through configuration and global policies
• Data-centric controls such as encryption, tokenization, and key management
• Leverage APIs for security automation activities including patching, user and access management, logging, and auditing
• Security verification through tool automation, aligned with the SDLC: Dev -> Stage -> Prod
Role of digital security: enabling cloud
[Diagram of the security domains: Compliance, Trust, Architecture, Identity and Access, Availability, Incident Response, Data Protection, Governance]
Enabling cloud
• Governance of data and identity
• Security architecture standard
• Technology services & tools to support:
– Data protection: encryption/hashing/anonymization
– Access management: privileged and end users
– Threat monitoring and protection
– Compliance (PCI, HIPAA) management
– Availability management: DDoS mitigation, multi-region operation
– Operational hygiene: patching, logging, etc.
• Establish incident response with the service provider
Data center security audit/assessments
• Most cloud providers leverage this as their security story
• This only covers the data center's policies, employees, and standards:
– CCTV
– 24x7x365 security personnel
– Entry and exits of the facility
• What about:
– When a server needs to be changed, it is not covered
– When a new employee at the cloud provider starts, it is not covered
– Security policies and standards that apply to the cloud vendor
– Monitoring of the environment
– Business continuity / disaster recovery
– Incident management
– Vulnerability and penetration testing
– Etc.
Enabling mobile
• Leveraging solutions to perform automated scans
• There are vendors that provide both automated and hands-on reviews of mobile apps
• Performed once a new version is uploaded to the store
• Should perform:
– Run-time scanning (dynamic and app logic analysis)
– Network scanning
– Server-side scanning
• Mobile security training
• Rogue app monitoring
API-first architecture
[Diagram: an API tier (orchestration, persistence, security) sits between the Internet-facing apps (social apps, web apps, mobile apps, analytics; "all apps") and the back-end (app servers, ESB, backend services). Callouts: API services for mobile and cloud apps; consistent security across channels; audiences: developers and the IT security architect]
Information security must be able to meet governance requirements and manage compliance when handling PCI DSS or HIPAA use cases.
Top technology considerations and takeaways
• Focus on data-centric controls such as masking, encryption and hashing to protect data at rest.
• Work closely with DevOps teams to “bake in” security controls into the orchestration layer and cloud hosting systems.
• Leverage APIs to build consistent, secure and scalable mobile solutions.
• Automate security monitoring and management using APIs.
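The data-centric controls named in the takeaways and on the "Enabling cloud" and "Enabling DevOps" slides (masking, hashing/anonymization, tokenization) are easy to conflate, so the following added example shows the three side by side on a constructed customer record. This is illustrative code written for this page, not Apigee's or Saba's; the key, the record and the `TokenVault`/`protect_record` names are assumptions. Encryption at rest is deliberately left to a library (the Python standard library has no AES) so the block runs offline without dependencies.

```python
"""Added example: data-centric controls for data at rest.
Masking, keyed hashing (pseudonymization) and vault tokenization
demonstrated on a constructed record; not the deck's own code."""
import hashlib
import hmac
import secrets

# Constructed key for the demo. A real deployment pulls this from a
# key management service and rotates it; never hard-code it.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Masking: keep only the trailing digits for display and logs
    (the PCI DSS style of showing a card number)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: a stable identifier for analytics/joins without the raw
    value. An unkeyed hash of low-entropy data (phone numbers, SSNs) can be
    reversed by enumeration; the secret key removes that weakness."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: swap a sensitive value for a random token. Only the
    vault (a separately protected store) can map the token back, so the
    application database never holds the original."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)  # random, not derived
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def protect_record(record: dict, vault: TokenVault) -> dict:
    """What the application tier is allowed to store: no raw card number,
    no raw email, just a token, a masked display form and a pseudonym."""
    return {
        "customer_id": record["customer_id"],
        "pan_token": vault.tokenize(record["pan"]),
        "pan_display": mask_pan(record["pan"]),
        "email_pseudonym": pseudonymize(record["email"]),
    }


def demo_record():
    """Run the controls on a constructed record and show the vault
    round trip; returns (stored_record, recovered_pan)."""
    vault = TokenVault()
    raw = {"customer_id": "c1", "pan": "4111 1111 1111 1111",
           "email": "a@example.com"}  # constructed sample data
    stored = protect_record(raw, vault)
    recovered = vault.detokenize(stored["pan_token"])  # vault-only operation
    return stored, recovered


if __name__ == "__main__":
    stored, recovered = demo_record()
    print(stored)
    print("vault recovered:", recovered)
```

The split matters operationally: masking is irreversible and safe for logs, the keyed hash is reversible only by whoever can brute-force with the key, and tokenization is fully reversible but only through the vault, which is where the access control, auditing and key management effort then concentrates.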
Security as an Enabler: Summary
• Security is a competitive differentiator
– IT security must remove barriers to enable business and developers/DevOps
• DevOps (need for speed, flexibility) and InfoSec (need for consistent protection) go hand-in-hand
• API-first architecture provides consistent security enforcement for mobile and cloud use cases
Choices
• What drives adoption of cloud solutions within a company
• Selecting IT solutions is as easy as reading the numbers off your credit card
• Small implementations can lead to adoption by other users
• Ability for mobility is key to further adoption of the solution
• Growth leads to managing the solution
• Security is then brought in
Security transparency
Limited transparency:
• Reliance on data center audits
• Privacy
• White papers with no details
• Reluctant to share details, citing protecting their existing customers
Complete customer visibility:
• Customer audits
• Cloud Controls Matrix
• Consensus Assessments Initiative Questionnaire
• Independent 3rd-party report of Saba's policies, standards and processes
• SOC 2 Type II report
• DR executive summary
• Policies & standards table of contents
• Independent 3rd-party penetration test
• Network and application vulnerability executive report within 48 hours of request
Security considerations
Enabling DevOps to securely expose back-end services with the necessary authentication, authorization, message security, and auditing.
• Authentication of apps, APIs and users: LDAP, Active Directory, SAML, OAuth, two-way TLS
• User and role management
• Protect sensitive data stored and processed in the cloud and on mobile devices
• Threat management (DoS, spikes, injection attacks)
• Logging and auditing
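The security considerations above describe what the API tier enforces on every call: app authentication, spike arrest against DoS, screening for injection, and an audit record of each decision. The following added example wires those four checks into one policy chain over constructed requests. It is illustrative code written for this page, not an Apigee policy or Saba's code; the HMAC-tagged app credential stands in for the OAuth or two-way TLS the slide names, and `SpikeArrest`, `enforce`, the secret and the sample requests are all assumptions.

```python
"""Added example: a minimal API-tier policy chain (authentication,
spike arrest, injection screening, audit log) over constructed requests.
Not Apigee's or Saba's code; names and data are hypothetical."""
import hashlib
import hmac
import json
import re
from collections import defaultdict, deque

# Constructed shared secret for the demo; real keys live in a KMS.
APP_SECRET = b"demo-secret-not-for-production"


def issue_token(app_id: str, secret: bytes = APP_SECRET) -> str:
    """Hypothetical app credential: app id plus an HMAC-SHA256 tag."""
    tag = hmac.new(secret, app_id.encode(), hashlib.sha256).hexdigest()
    return f"{app_id}.{tag}"


def verify_token(token: str, secret: bytes = APP_SECRET):
    """Return the app id if the tag verifies, else None (constant-time compare)."""
    app_id, _, tag = token.partition(".")
    if not app_id or not tag:
        return None
    expected = hmac.new(secret, app_id.encode(), hashlib.sha256).hexdigest()
    return app_id if hmac.compare_digest(expected, tag) else None


class SpikeArrest:
    """Sliding-window limit per app: at most `limit` calls per `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # app_id -> timestamps in window

    def allow(self, app_id: str, now: float) -> bool:
        q = self._hits[app_id]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Coarse screen for SQL metacharacters in parameters. This is defence in
# depth at the gateway; the backend must still use parameterized queries.
INJECTION_RE = re.compile(r"""(--|;|'|"|/\*|\bunion\b|\bselect\b)""", re.IGNORECASE)


def looks_injected(params: dict) -> bool:
    return any(INJECTION_RE.search(str(v)) for v in params.values())


AUDIT_LOG = []  # one JSON line per decision, allowed or not


def enforce(request: dict, limiter: SpikeArrest, now: float) -> dict:
    """Run the policy chain in order and audit the outcome."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    app_id = verify_token(token)
    if app_id is None:
        decision = {"status": 401, "reason": "invalid_credentials"}
    elif not limiter.allow(app_id, now):
        decision = {"status": 429, "reason": "spike_arrest"}
    elif looks_injected(request.get("params", {})):
        decision = {"status": 400, "reason": "injection_suspected"}
    else:
        decision = {"status": 200, "reason": "allowed"}
    AUDIT_LOG.append(json.dumps({"ts": now, "app": app_id,
                                 "path": request.get("path"), **decision}))
    return decision


def run_demo() -> list:
    """Constructed traffic: one good call, one forged credential, one
    injection attempt, then a burst that trips the limit of 3 per second."""
    limiter = SpikeArrest(limit=3, window=1.0)
    good = "Bearer " + issue_token("mobile-app-1")
    reqs = [
        {"path": "/v1/orders", "headers": {"Authorization": good}, "params": {"id": "42"}},
        {"path": "/v1/orders", "headers": {"Authorization": "Bearer mobile-app-1.deadbeef"}, "params": {"id": "42"}},
        {"path": "/v1/orders", "headers": {"Authorization": good}, "params": {"id": "42' OR '1'='1"}},
    ] + [{"path": "/v1/orders", "headers": {"Authorization": good}, "params": {"id": "1"}}] * 4
    return [enforce(r, limiter, now=1000.0 + i * 0.1)["status"] for i, r in enumerate(reqs)]


if __name__ == "__main__":
    print(run_demo())
    print("\n".join(AUDIT_LOG))
```

Ordering is the design point: credentials are checked first so unauthenticated traffic never consumes a rate-limit slot or reaches the inspection step, spike arrest runs before the more expensive content checks, and every branch, including the rejections, writes an audit line so the logging/auditing requirement is met by construction rather than by the backend remembering to log.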