data center security trends 2014 - ise...
1
Security and the Data Center – 4 Trends that Could Change Everything
Jerry L. Bowman, RCDD, RTPM, CISSP, CPP, CDCDP
President / CEO InfraGard National
Past-President BICSI
2
Attendee Announcements
Seminar Raffle – Be sure to drop your raffle ticket in the drum at today’s Keynote located in the Mile High Ballroom. You have a chance to win a $250 American Express Gift Card. One winner will be drawn at the Opening Keynote and the Closing Keynote. You must be present to win.
Seminar Evaluations – All attendees will be receiving an email with regards to the seminar and we encourage you to respond to the surveys. The survey results will be compiled by ISE EXPO team members, summarized, and will be shared with the seminar speakers. The seminar feedback is an important aspect of continually improving ISE EXPO.
Seminar Certificates – Attendees will be able to log into the Attendee Resource Center (ARC) using their first name, last name, and their Badge ID (this number will appear on the badge and also on any registration confirmations) to view/print their seminar certificates. If a certificate is needed on-site, the attendee may visit the ISE EXPO registration counter between the hours of 1 PM – 3 PM September 21 & September 22 and ask for a certificate to be printed. Attendees will be able to access the ARC website up to 2 – 3 months after the event to print CEC certificates.
Subscribe – ISE magazine is the most trusted educational and solutions resource for 21,000 professionals across the ICT industry. Each month, ISE delivers 20+ educational articles and showcases leading technology solutions in an approachable and interesting format, available in both print and digital. Visit http://www.isemag.com/subscriptions/ to begin or renew your subscription.
4
5
InfraGard Members By Sector
6
Disruptive Innovation
A disruptive innovation is an innovation that
helps create a new market and value network, and
eventually disrupts an existing market and value
network (over a few years or decades), displacing
an earlier technology.
7
Disruptive Innovation
• Procter & Gamble’s Crest® Whitestrips® – created an entirely new market by targeting nonconsumers: those who find it too inconvenient or expensive to go to the dentist for teeth whitening.
• Walmart (discount retailers) exemplify a disruptive approach that targets consumers overshot by existing offerings, in this case, department stores.
• Others:
– POTS vs. Cellular
– Mainframe vs. PC/Laptop
– Doctor’s Office vs. Minute Clinic
– Wired vs. Wireless
8
Disruptive Innovation Trends
• Cyber Security Horizontal Expansion
• Cloud Computing
• Accreditation
• Outsourcing
9
Disruptive Innovation #1: Horizontal Expansion of Cybersecurity
10
Cyber Threat Continuum
• 1970s: Phreaking – Free long distance calls
• 1980s: Computer Clubs / First Virus (1988)
• 1990s: Birth of Modern InfoSec Industry
• 2000s: Hacking/malware move to major criminal enterprise
• 2010s: Attacks move to connected systems as backdoor to data networks (Target)
11
12
Protecting the Data Center
TODAY
Multi-National Enterprise Footprint
Terrorism
Global political implications
International power grid failure
Data worms & hackers
Third party liability
Regulatory Compliance
Cascading Events
Non-IT Backdoors
Managing assets and dependencies
Handle unexpected disasters …without downtime and without a list
THE OLD DAYS (20 Years Ago)
Simple Backups
24 Hour Replacement Contracts
Dial Up Bulletin Boards
Disaster Recovery
-fire, flood, tornado
Sabotage
Physical 1:1 equipment relationships
Disaster By Checklist – Be ready for the list.
13
Executive Order 13636
“Improving Critical Infrastructure Cybersecurity”
“It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
14
Cybersecurity Business Outcomes
• National and economic security of the United States depends on the reliable functioning of critical infrastructure
• Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure
• Cybersecurity risk affects a company’s bottom line.
– It can drive up costs and impact revenue
– It can harm an organization’s ability to innovate
– It can harm an organization’s ability to gain and maintain customers
NIST – 2014 Framework for Improving Critical Infrastructure Cybersecurity
15
NIST Cyber Framework Core
16
NIST Cyber Framework Profiles
1. Partial - Organizational cyber-security risk management practices for this subcategory are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
2. Risk Informed - Risk management practices are approved by management but may not be established as organizational-wide policy.
3. Repeatable - The organization’s risk management practices are formally approved and expressed as policy.
4. Adaptive - The organization adapts its cyber-security practices based on lessons learned and predictive indicators derived from previous and current cyber-security activities.
17
How Long Would It Take to Find a Server?
A) Within minutes
B) Within 4 hours
C) Within a day
D) More than a day
E) They can’t be found
18
How Long Would It Take To Find a Server?
19
ID: How can you protect an asset if you don’t know you have it?
• A data center can contain thousands of assets, from servers, storage, network devices, and cabling to power and cooling infrastructure equipment
• The majority of organizations still manage configuration and asset data using spreadsheets
• Common practice involves reverse engineering the location and connectivity of assets during a service issue
• Change is often the cause of as much as 80% of system downtime
• 80% of mean time to repair (MTTR) is used trying to determine what changed
20
How can you protect it if you can’t get to it?
21
How can you protect it if you don’t know the dependencies?
Source: AssetGen
22
ID Function
The activities in the Identify Function are
foundational for effective use of the Framework.
23
Asset Management Subcategories
24
NIST Cyber Framework: CCS CSC
25
What is the cost of a Day 2 inventory?

| Individual Task Areas | Equipment Count | Unit Cost | Total Cost | Duration |
|---|---|---|---|---|
| Collect readily visible data* | 8,000 | $15 | $120,000 | 40 Man Weeks |
| Detailed information* | 8,000 | $60 | $600,000 | 200 Man Weeks |
| Physical Layer (E to E) | 400 Racks | $840 | $336,000 | 120 Man Weeks |

Based on a 400-rack enterprise data center – 20 devices per rack
*Source: Data Center Knowledge Guide to DCIM

| Complete Site Audit | Equipment Count | Unit Cost | Total Cost | Duration |
|---|---|---|---|---|
| Collect detailed information* | 8,000 | $60 | $600,000 | 200 Man Weeks |
| Physical Layer (E to E) | 400 Racks | $840 | $336,000 | 120 Man Weeks |
| CMDB & Configuration (Layer 1)** | 12,000 Total Devices | $12.50 | $150,000 | 5 Man Weeks |
| Estimated Total | | | $1,086,000 | 325 Man Weeks |

Includes reverse engineering of undocumented infrastructure
**Source: AssetGen
26
Disruptive Innovation #2
Cloud Computing
27
Types of Clouds
28
Shifts Emphasis To Data In Motion
Source: Wikimedia
29
CIA Triad
30
Pressure on Passive Infrastructure
31
Emphasis on Capacity Management
• One of five components in the ITIL Service Delivery area
• Proactive rather than reactive in nature
• Ensures that business needs and service definitions are fulfilled using a minimum of computing resources
• Ensures that capacity exists
Capacity Management activities include:
• Monitoring, analyzing, tuning, and implementing necessary changes in resource utilization
• Managing demand for computing resources, which requires an understanding of business priorities
• Modeling to simulate infrastructure performance and understand future resource needs
• Application sizing to ensure required service levels can be met
• Storing capacity management data
• Producing a capacity plan that documents current utilization and forecasted requirements, as well as support costs for new applications or releases
• Building the annual infrastructure growth plan with input from other teams
32
2014 Skyhigh Networks Report
• 1 million users across more than 40 EU companies spanning the financial services, healthcare, high technology, manufacturing, media, and professional service industries
• Quantified the use of cloud services and the security risk that they pose to enterprises
• Overall findings:
– Enterprises used an average of 588 cloud services.
– Only 9% of the cloud services in use provide enterprise-grade security capabilities
– The remaining 91% (more than 9 out of 10) pose medium to high security risks
• Data privacy and data residency
– Only 1% of the cloud services in use both offer enterprise-grade security capabilities and store data in Europe’s jurisdictional boundaries
– The remaining 99%, either store data in countries where data privacy laws are less stringent
33
Key Findings of Skyhigh Report
Key findings from the report include:
• Only 5% of cloud services in Europe are ISO 27001 certified, posing compliance issues for those organizations unaware that their employees are using uncertified services
• 25 of the top 30 cloud services in the collaboration, content sharing, and file sharing categories were based in countries (United States, Russia, China) where the privacy laws are less stringent compared to Europe.
• 49 different services in use are tracking the browsing behavior of employees on the Internet. This exposes organizations to the increasingly prevalent watering hole attack.
34
M&M Security Doesn’t Work With Clouds
Physical Security Perimeters / Network Security Perimeters
• Deter potential intruders
• Distinguish authorized from unauthorized people
• Delay, frustrate and ideally prevent intrusion attempts
• Detect intrusions and monitor/record intruders
• Trigger appropriate incident responses
How do I establish a perimeter if the data center isn’t under my control?
35
Disruptive Innovation #3
Accreditation
36
Data Center Security Accreditations?
Courtesy Isaak Technologies Inc.
37
The Cost of Accreditation
38
39
Disruptive Innovation #4
Outsourcing
40
Who will you be working for in 5 years?
41
Types of Outsourcing
42
Outsourcing Report Card
Source: Insights from Deloitte’s 2012 Global Outsourcing and Insourcing Survey; 2014 NAOP Survey
43
Shadow IT: Disruptive Innovation²
[Diagram labels: BYOD, Disruptive Technology, Internet of Things, Wearables, Implantables, M2M, IPv6, iPhones, iPad, Tablets, Social, Activation, Cloud-to-Cloud, Smart Watch, Google Glass, IP Home Locks, The Pebble, W200; Anyone, Anything, Anytime, Anyplace, Any Service, Any Network]
44
First, Make it mobile
Next, Make it wearable
Finally, Make it implantable
Google Glass
Smart Tattoo
iPhone 5c
Disruptive Innovation Roadmap?
45
Final Thoughts
1. The consequences of not managing the transformational trends in the data center could be profound.
2. Exponential growth or change is no longer an excuse for not documenting and managing what you have.
3. Users won’t wait for IT anymore - internal customers will spend more of their IT budgets elsewhere, and could eventually bypass the IT organization entirely.
4. The Cloud is redefining the concept of perimeters.
5. The virtual world has no police jurisdictions – countermeasures cannot rely on clear venue.
6. Data centers (virtual world) create blind spots for traditional security designers and managers – cybersecurity is driving an entirely new workforce.
New Cybersecurity Problem With Clouds
Accreditation Shadow IT
46
47
Contact Info:
Jerry L. Bowman, RCDD, RTPM, CISSP, CPP, CDCDP
Chief Business Officer, IMTAS
President BICSI 2012 - 2014
President / CEO InfraGard
Phone: (202) 962-0000
Email: [email protected]
Thank You