Security as an Enabler for the Digital World - CISO Perspective

Post on 12-Jul-2015


Digital Security: The CISO Perspective

Apigee (@apigee)

Subra Kumaraswamy (@subrak)

Randy Barr, CISO, Saba Software

youtube.com/apigee

slideshare.net/apigee

Agenda

• The changing Digital landscape

• Trends: technology and threats

• Security enablers

• Key takeaways

What’s keeping you up at night?

Data Theft

The Forces@Work (Source: TheFutureOrganization.com): the overwhelmed employee

Talent Challenges@Work: diversity

Trends

DevOps is growing exponentially

Node.js exploding

Breaches continue to haunt the enterprise

Source: Verizon 2014

Paradox of choice

The changing landscape

Back-end systems

Mobile security

APIs

Social and SaaS

Contextual & behavioral security

Encrypt everything

Identity-as-a-Service

SaaS security/identity plugin

Fraud detection

APT security analytics

Endpoint security

Digital security is shifting from defense to analytics (predictive) & prevention

Technologies driving digital transformations

Mobile

DevOps

Cloud

API

Digital security as an enabler

What’s the role of InfoSec in enabling digital transformation?

Top areas of CISO concern

Source: Wisegate

The role of digital security: enabling DevOps

• End-to-end security managed through configuration and global policies

• Data-centric controls such as encryption, tokenization, and key management

• Leverage APIs for security automation activities including patching, user and access management, logging, and auditing

• Security verification through tool automation, aligned with the SDLC: Dev -> Stage -> Prod

Enabling DevOps

Role of digital security: enabling cloud

Compliance

Trust

Architecture

Identity and Access

Availability

Incident Response

Data Protection

Governance

• Governance of Data and Identity

• Security Architecture standard

• Technology Services & Tools to support:

– Data Protection – Encryption/Hashing/Anonymization

– Access management – Privileged and End Users

– Threat monitoring and protection

– Compliance (PCI, HIPAA) management

– Availability Management – DDoS mitigation, Multi-region operation

– Operational Hygiene – Patching, Logging, etc.

• Establish Incident Response with service provider

Enabling cloud

• Most cloud providers leverage this as their security story

• This only covers the data center’s policies, employees, and standards

– CCTV

– 24x7x365 security personnel

– Entry and exits of the facility

• What about

– When a server needs to be changed, it is not covered

– When a new employee at the cloud provider starts, it is not covered

– Security Policies, Standards apply to cloud vendor

– Monitoring of the environment

– Business Continuity / Disaster Recovery

– Incident Management

– Vulnerability Penetration Testing

– Etc.

Data center security audit/assessments

Role of digital security: enabling mobile


Enabling mobile

• Leveraging solutions to perform automated scans

• There are vendors that provide both automated and hands-on reviews of mobile apps

• Performed once a new version is uploaded to the store

• Should perform

– Run-time scanning (dynamic and app logic analysis)

– Network scanning

– Server-side scanning

• Mobile security training

• Rogue App monitoring

So how does API-first architecture manifest itself?

API-first architecture (diagram): web apps, social apps and mobile apps on the Internet reach the backend services (app servers, ESB) only through a single API tier that provides orchestration, persistence, analytics and security for all apps.

API services for mobile and cloud apps

Consistent security across channels

Developers

IT security architect


Information security must be able to meet governance requirements and manage compliance when handling PCI DSS or HIPAA use cases

Top technology considerations and takeaways

• Focus on data-centric controls such as masking, encryption and hashing to protect data at rest.

• Work closely with DevOps teams to “bake in” security controls into the orchestration layer and cloud hosting systems.

• Leverage APIs to build consistent, secure and scalable mobile solutions.

• Automate security monitoring and management using APIs.
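The data-centric controls named in the takeaways above (masking, hashing, and the tokenization mentioned on the DevOps slide), as an added example that is not code from the talk or from Apigee or Saba. The pepper, the in-memory vault, the record layout and the sample values are all constructed for the illustration; a real deployment would draw the pepper from a key-management service and back the vault with an access-controlled store.

```python
"""Data-centric controls applied before a record reaches the data store:
masking, keyed hashing and tokenization.  Added illustration, not code
from the talk or from Apigee/Saba; the pepper, the vault and the sample
record are constructed for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed pepper; in production this comes from the key-management service.
PEPPER = b"constructed-demo-pepper-rotate-me"


def mask_pan(pan: str) -> str:
    """Mask a card number for display: keep only the last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def keyed_hash(value: str, pepper: bytes = PEPPER) -> str:
    """Pseudonymize a value (e.g. an e-mail) so analytics can still join on it.
    HMAC with a server-side pepper defeats precomputed-table attacks that a
    bare SHA-256 of a low-entropy value would not."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(pepper, normalized, hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: the clear value is kept only in the vault; downstream
    systems (logs, analytics, partners) see an unrelated random token."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:           # same value always maps to the same token
            return self._by_value[value]
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, behind its own access control, can reverse a token."""
        return self._by_token[token]


@dataclass(frozen=True)
class StoredRecord:
    customer_id: str
    email_pseudonym: str   # keyed hash: joinable, not reversible
    pan_masked: str        # safe to show in UIs and support tooling
    pan_token: str         # reference into the vault, useless on its own


def protect_record(vault: TokenVault, customer_id: str, email: str, pan: str) -> StoredRecord:
    """Apply all three controls; the clear PAN never reaches the record."""
    return StoredRecord(
        customer_id=customer_id,
        email_pseudonym=keyed_hash(email),
        pan_masked=mask_pan(pan),
        pan_token=vault.tokenize(pan),
    )


if __name__ == "__main__":
    vault = TokenVault()
    record = protect_record(vault, "c-1001", "Alice@Example.com ", "4111 1111 1111 1111")
    print(record)
    print("vault lookup:", vault.detokenize(record.pan_token))
```

Encryption of the stored record itself is deliberately left to a vetted library (the standard library has no AES); the point of the example is the split of responsibilities: the masked value can leak without harm, the keyed hash is joinable but not reversible, and the token is only meaningful to the vault.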


Security as an Enabler: Summary

• Security is a competitive differentiator

– IT security must remove barriers to enable business and developers/DevOps

• DevOps (need for speed, flexibility) and InfoSec (need for consistent protection) go hand-in-hand

• API-first architecture provides consistent security enforcement for mobile and cloud use cases


Subra Kumaraswamy (@subrak)

Randy Barr

Questions?

Thank You

Apigee (@apigee)

Identity landscape in the digital world

• What drives adoption of cloud solutions within a company

• Selecting IT solutions is as easy as reading the numbers off your credit card

• Small implementations can lead to adoption by other users

• Ability for mobility is key to further adoption of the solution

• Growth leads to managing the solution

• Security is then brought in

Choices

SECURITY TRANSPARENCY

• Reliance on Data Center Audits

• Privacy

• White papers with no details

• Reluctant to share details citing protecting their existing customers

Complete customer visibility

• Customer audits

• Cloud Controls Matrix

• Consensus Assessments Initiative Questionnaire

• Independent 3rd party report of Saba’s policies, standards and processes

• SOC II Type II report

• DR Executive Summary

• Policies & Standards table of contents

• Independent 3rd party penetration test

• Network and Application Vulnerability executive report within 48 hours of request

Enabling DevOps to securely expose the back-end services with the necessary authentication, authorization, message security, and auditing

Security considerations

• Authentication of apps, APIs and users: LDAP, Active Directory, SAML, OAuth, two-way TLS

• User and role management

• Protect sensitive data stored and processed in the cloud and on mobile devices

• Threat management (DoS, spikes, injection attacks)

• Logging and auditing

Role of InfoSec
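The security considerations above (authentication, role management, threat management for spikes and injection, logging and auditing) applied as one policy chain in the API tier, so that every channel gets the same enforcement. This is an added example, not Apigee's or Saba's gateway code: the HMAC-signed bearer token format, the role policy, the operations and the sample calls are all constructed for the illustration; a production gateway would validate OAuth or SAML assertions from the identity provider instead of minting its own tokens.

```python
"""Single API-tier policy chain applied to every channel (web, mobile,
partner) before a call is forwarded to a back-end service.  Added example,
not Apigee's or Saba's gateway code; the token format, roles, operations
and sample calls are constructed for the illustration."""
import base64
import hashlib
import hmac
import json
import re
import time
from dataclasses import dataclass, field

SIGNING_KEY = b"constructed-demo-signing-key"     # would live in a key manager

# Constructed authorization policy: operation -> roles allowed to call it.
POLICY = {
    ("GET", "/v1/accounts"): {"user", "admin"},
    ("DELETE", "/v1/accounts"): {"admin"},
}
# Parameter allowlist: reject anything that is not a plain identifier.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, ttl: float, now: float) -> str:
    """Mint a bearer token: base64(payload).base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"sub": subject, "roles": roles, "exp": now + ttl}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: float):
    """Return the claims dict if the signature is valid and unexpired, else None."""
    try:
        p_enc, s_enc = token.split(".")
        payload, sig = _unb64(p_enc), _unb64(s_enc)
    except ValueError:                               # malformed token or bad base64
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):       # constant-time comparison
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None


class SpikeArrest:
    """Fixed-window rate limit per caller, e.g. 3 calls per 10 seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits = {}                              # caller -> (window start, count)

    def allow(self, caller: str, now: float) -> bool:
        start, count = self._hits.get(caller, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._hits[caller] = (start, count)
        return count <= self.limit


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int
    reason: str


@dataclass
class Gateway:
    limiter: SpikeArrest
    audit_log: list = field(default_factory=list)

    def handle(self, method, path, token, params, channel, now) -> Decision:
        """Run the chain and write one audit record per call, allowed or not."""
        decision = self._decide(method, path, token, params, now)
        self.audit_log.append({"ts": now, "channel": channel, "method": method,
                               "path": path, "status": decision.status,
                               "reason": decision.reason})
        return decision

    def _decide(self, method, path, token, params, now) -> Decision:
        claims = verify_token(token, now)                        # authentication
        if claims is None:
            return Decision(False, 401, "invalid or expired token")
        if not self.limiter.allow(claims["sub"], now):          # spike arrest
            return Decision(False, 429, "rate limit exceeded")
        roles = POLICY.get((method, path))
        if roles is None:
            return Decision(False, 404, "unknown operation")
        if roles.isdisjoint(claims["roles"]):                   # authorization
            return Decision(False, 403, "role not permitted")
        for name, value in params.items():                      # injection guard
            if not SAFE_ID.fullmatch(value):
                return Decision(False, 400, f"parameter {name!r} failed allowlist")
        return Decision(True, 200, "forwarded to backend")


if __name__ == "__main__":
    now = time.time()
    gw = Gateway(SpikeArrest(limit=3, window=10))
    tok = issue_token("alice", ["user"], ttl=300, now=now)
    for channel, method, params in [("mobile", "GET", {"id": "acct-42"}),
                                    ("web", "GET", {"id": "acct-42' OR 1=1"}),
                                    ("web", "DELETE", {"id": "acct-42"})]:
        print(channel, method, gw.handle(method, "/v1/accounts", tok, params, channel, now))
    for entry in gw.audit_log:
        print(entry)
```

The order of the checks is the design point: a request is identified first, throttled per subject second, authorized third, and only then is its input validated against an allowlist; every outcome, including the rejections, lands in the same audit log regardless of which channel the call came from.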
