Joseph Ferracin
Director IT Security Solutions
GlobalSecurity@SITA
Managing Security

In Modern Networked IT Environments
Efficient security requires:
A Security organization
A Security Framework – Guidelines and Policies
Company’s Management support
End-Users involvement
A security plan
A budget
Skilled Security people

The organization
Create a Security Office that is independent of IT and reports to the top management. It:
– Defines the security framework and the high level policies
– Drives security Audits & Assessments
– Defines the security plan & Proposes the security budget
– Helps in Security implementations
Create a security council that includes the Security Officer, top management representative(s) and IT representative(s). It:
– Endorses Security policies
– Validates the Security Plan & Security budget

The Framework
We recommend BS 7799
The BS 7799 Information Security Standard is published in two parts:
1. ISO/IEC 17799 (Part 1): Code of practice for Information Security Management
2. BS 7799 Part 2: Specification for Information Security Management
Purchase online: http://www.bsi-global.com/Information+Security/04_Standards_infosec/index.xhtml
BS 7799 shall be regarded as guidance
BS 7799 certification is complex

Get management support
Propose a risk assessment:
– Company’s management is responsible for the security of Company assets
– Vulnerabilities in the IT security organization and in IT equipment configurations must be known
– Associated risks must be evaluated
Suggest the necessity of a high level security policy
Suggest developing a security plan
Costs: $100,000 to $600,000

Involve End Users
Education:
– Users must know and understand the security policy
– They must be conscious of the value of their own data
Avoid constraints – Try to suggest – Use flattery
Security has to be as transparent as possible
Use appropriate technology

Security issues: You want to guarantee
Availability of Information Systems
Confidentiality & Privacy of Sensitive Information
Access control on Networks, Systems & Applications
Integrity of Transactions

Security is a continuous process
Assess risks
Audit implementations
Analyze vulnerabilities
Security policies
Security migration plans
Define secure architectures
Design security solutions
Technologies: Firewalls, Encryption, Public key infrastructures, Centralized management, Anti-virus, Intrusion detection, Strong authentication
Technologies: Firewalls, Strong authentication, IPSec VPNs, Digital certificates, Intrusion detection

Security on the Intranet
Diagram labels: Mainframes, Servers; Anti-Virus; Virus Detection, Workstations; Strong Authentication; PKI, Smart Cards; Single Sign On; Authentication Service: Kerberos V5; Authorization Service: Role Based Authorization, Active Directory

Security on the Internet
Diagram: a Demilitarized Zone (DMZ) between the Internet and the Corporate Intranet, with Firewall, VPN, Access Control, Authentication and Intrusion Detection. External parties: Consumer (No Security), Trusted Consumer (SSL Encrypted Transaction), Business Partner (IPSec Encrypted VPN), Employee (IPSec Encrypted VPN). Security properties: Integrity, Confidentiality, Availability.

Why Outsource Security?
I.T. resource shortage
Salary comparison (chart): Network Admin. $65,000; Security Engineer $109,000
“Under-staffed, under-skilled, overwhelmed. That’s the sinking feeling conveyed to us repeatedly by CIOs...”
“The situation isn’t likely to improve any time soon.”
“For many CIOs, the staffing crisis is an overriding concern that adds risk to every project.” – CIO Magazine
Specialized IT Security Resources are even harder to find

Security Outsourcing Expenses (chart, $ billions, 1998–2003; Source: IDC, 2000): a $14.8 Billion Industry in 2003 – 45% CAGR
Why Companies are outsourcing?
Dearth of skilled security talent
– Universe of CISSPs less than 1,500
Sophisticated attacks beyond capability of most IT departments
– DDoS attack, Love Virus, etc.
Carrier grade security SLAs unachievable by most IT departments
– Follow the sun 24x7x365 model
Security not typically a core competency of companies
– Scale, budgets, staff usually subjugated to business issues
Security intelligence missing
– IT depts lack the ability to monitor the hacker underworld and global events to proactively redress vulnerabilities and attacks
Total Cost of Ownership (“TCO”)
– Organizations cannot match the economies of scale of a managed security service provider

A portfolio of Solutions
Professional Services
Partners foremost in Security
Managed Security Services

Security Professional Services
Solutions tailored to your needs … for the Winning Approach
Risk Analysis
Solutions Implementation
Security Policies definition
Security Management
Security Audit
A Team of Security Experts

Managed Security Services …
IP Secure Gateway (IPSec VPNs)
Managed Firewall Services
– Partnership with Internet Security Systems (ISS), a Leader in Security
– High quality of service
– Very competitive pricing for small, mid-size and big Extranet & Internet sites
Managed Intrusion Detection
– Partnership with ISS
– Real time protection of mid-size and big Internet and E-Commerce sites
Available on: SITA Private Network, SITA Internet Network, Remote Access
Features: Scalable Solutions, World class technology
And … Digital Certificates, Vulnerability Scanning, Content Filtering …

Thank You!
Q & A