TRANSCRIPT
Delivering IT Security and Compliance as a Service
Matthew Clancy, Technical Account Manager
Qualys, Inc.
www.qualys.com
Agenda
Technology Overview
The Problem: Delivering IT Security & Compliance
Key differentiator: Software as a Service (SaaS) approach
Putting it Into Practice
Security & Compliance Solution: Key Implementation Objectives
Approximate timeframes for deployment and costs
Keys to Success: Integrating the business owners
Case study: Fifth Third Bank
Summary and Conclusion
Company Confidential
The Problem to Solve
Increased sophistication of the attacks (target the user and applications)
Overlapping set of data security and privacy regulations: (HIPAA, GLBA, Sarbanes-Oxley, FISMA, PCI)
Providing Actionable Reports to ALL constituents: Audit, Security, and Operations
Extending Security and Compliance Requirements to Suppliers and Partners
Assessing IT security and compliance posture at a distributed scale, and complying with data security and privacy regulations, is more difficult than ever:
Throwing more people and hardware/software at the problem is not the best option
A SaaS Solution to the Problem: Bringing Security and Compliance Together
Capturing all relevant data and providing actionable reports to all constituents
The Security + Compliance Conundrum, and Delivering It as a Service
Under this model, a system is deemed out of compliance if it is vulnerable to attack, improperly configured, or in violation of internal policies or external regulations.
A SaaS Solution to the Problem: Security + Compliance Lifecycle Workflow
A SaaS Solution to the Problem: Bringing Security and Compliance into a Single Solution (with no software to install or update)
QualysGuard IT Security & Compliance Suite
QualysGuard Vulnerability Management
- Globally Deployable, Scalable Security Risk and Vulnerability Management
QualysGuard Policy Compliance
- Define, Audit, and Document IT Security Compliance
QualysGuard PCI Compliance
- Automated PCI Compliance Validation for Merchants and Acquiring Institutions
QualysGuard Web Application Scanning
- Automated Web Application Security Assessment and Reporting that Scales with your Business
QualysGuard Malware Detection (New)
- Free Malware Detection Service for Web Sites
Qualys GO SECURE (New)
- Web Site Security Testing Service and Security Seal that Scans for Vulnerabilities, Malware and SSL Certificate Validation
Software as a Service (SaaS) Approach – Objectives
Centralized solution delivered over the Internet that accomplishes objectives of Security, Audit, and Operational Teams
– All that is needed is a Web browser and appropriate credentials
Lower cost of ownership to end-users
– Ease of deployment and reduced maintenance requirements for solution: No servers to manage or update, no software to install or maintain
Eliminate the need for database capacity planning as assessment scope grows
Frequent and automated release cycle for vulnerability detection updates, software updates, and OS updates
Reduce complexity of application and eliminate infrastructure choices
Provide a third-party assessment while the end user retains control over what is assessed and when
Security & Compliance Solution – Key Implementation Objectives
Consider scanner locations based on network topology: place scanning engine appliances so they avoid scanning through firewalls where possible, since stateful filtering and NAT can drop or alter probes and hide what is actually exposed
Begin with global network discovery: identify servers, infrastructure devices, workstations, wireless and rogue devices
Seriously consider how to architect asset groupings: by platform (Windows vs. Unix) and by functional business value (Finance vs. HR)
Define user roles for access to the data, scoped to the same groupings (platform teams, business units) so each team sees only the assets it owns
Establish realistic remediation policies: begin with critical-severity risks and work down. Consider how tickets are generated and routed to the owning teams
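The five objectives above are one procedure: discover, group, scope access, prioritize, ticket. The following is an added example (not Qualys code, not part of the original slides) that runs that procedure over a constructed set of scan findings: hosts are grouped along the two axes the slide names (platform and business unit), a role sees only findings inside its groups, and the findings at or above a severity floor are collapsed into one ticket per owning team per vulnerability, most severe first. All hosts, check identifiers and the 1-5 severity scale are constructed for illustration.

```python
"""Asset grouping, role-scoped views and a severity-ordered remediation queue
over constructed vulnerability findings. Added example; all data is made up."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed severity scale: 5 = critical ... 1 = informational.
CRITICAL, HIGH, MEDIUM = 5, 4, 3


@dataclass(frozen=True)
class Finding:
    host: str
    platform: str       # grouping axis 1, e.g. "windows" / "unix"
    business_unit: str  # grouping axis 2, e.g. "finance" / "hr"
    check_id: str       # hypothetical detection identifier, not a real check
    title: str
    severity: int


# Constructed scan results (hostnames and checks are not real).
FINDINGS = [
    Finding("fin-web-01", "unix", "finance", "CHK-101", "Outdated OpenSSH", HIGH),
    Finding("fin-db-01", "unix", "finance", "CHK-200", "Unpatched database listener", CRITICAL),
    Finding("fin-ws-17", "windows", "finance", "CHK-300", "Missing OS security update", CRITICAL),
    Finding("fin-ws-18", "windows", "finance", "CHK-300", "Missing OS security update", CRITICAL),
    Finding("hr-ws-02", "windows", "hr", "CHK-300", "Missing OS security update", CRITICAL),
    Finding("hr-app-01", "unix", "hr", "CHK-410", "Weak TLS configuration", MEDIUM),
]


@dataclass(frozen=True)
class Role:
    name: str
    platforms: frozenset       # empty set means all platforms
    business_units: frozenset  # empty set means all business units


def asset_groups(findings):
    """Group discovered hosts along both axes (platform, business unit)."""
    groups = defaultdict(set)
    for f in findings:
        groups[("platform", f.platform)].add(f.host)
        groups[("business_unit", f.business_unit)].add(f.host)
    return {k: sorted(v) for k, v in groups.items()}


def visible_to(findings, role):
    """Least-privilege view: a role only sees findings inside its own groups."""
    return [f for f in findings
            if (not role.platforms or f.platform in role.platforms)
            and (not role.business_units or f.business_unit in role.business_units)]


def remediation_tickets(findings, role, min_severity=HIGH):
    """One ticket per (platform, business unit, check) at or above min_severity,
    most severe first, so an owning team gets one ticket listing every affected
    host instead of one ticket per host."""
    buckets = defaultdict(list)
    for f in visible_to(findings, role):
        if f.severity >= min_severity:
            buckets[(f.severity, f.platform, f.business_unit, f.check_id, f.title)].append(f.host)
    tickets = [{"severity": sev, "owner": f"{plat}/{bu}", "check_id": cid,
                "title": title, "hosts": sorted(hosts)}
               for (sev, plat, bu, cid, title), hosts in buckets.items()]
    tickets.sort(key=lambda t: (-t["severity"], t["owner"], t["check_id"]))
    return tickets


if __name__ == "__main__":
    finance_windows = Role("finance-windows-admins", frozenset({"windows"}), frozenset({"finance"}))
    security_team = Role("security-team", frozenset(), frozenset())
    for role in (finance_windows, security_team):
        print(f"== {role.name}")
        for t in remediation_tickets(FINDINGS, role):
            print(f"sev {t['severity']} {t['owner']:>16} {t['check_id']} "
                  f"{t['title']}: {', '.join(t['hosts'])}")
```

Lowering `min_severity` to `MEDIUM` later in the rollout is the "work your way down" step; the role scoping is what lets the same scan data feed a platform team, a business unit owner and the central security team without handing everyone the full dataset.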
Case Study: Fifth Third Bank
One of the Largest Banks in the US – Fortune 500 Bank
Over 1200 Branch Offices
30,000 Employees
Problem (examples):
Lack of a centralized, consistent process and solution – Disparate processes and solutions
Required management of scanner software/servers across distributed networks (DMZs and intranet)
No way to securely perform external assessments (needed to use external DSL lines), difficult to consolidate to central database
Required third-party auditors to provide assessments for regulatory requirements, a duplicated and redundant effort
Difficulty managing the sheer size of vulnerability data being collected – capacity planning of databases
No consistent and repeatable process for PCI scanning
Credibility of scan results was a problem
Case Study: Fifth Third Bank
Solution:
Implemented QualysGuard Enterprise Vulnerability Management
– Fully deployed 20 Scanner Appliances within DMZ and intranet environments in a two-week timeframe
– No need to deploy external scanners
Results:
Significant reduction of critical vulnerability count over 6 month time period
Maintaining compliance with third-party regulations: Self Certification for PCI Scanning
Realized soft-cost savings due to the Software-as-a-Service model (staff time spent remediating rather than running scans)
Automation of scanning and network discovery yields FTE time savings
Differential vulnerability reporting over time proves process is in place and is effective
Tangible results and remediation steps are automatically distributed on a weekly basis per scan schedule
Hierarchical and distributed access granted across geographically dispersed regions
Empowered organization to take ownership of security information
– Obtained greater Buy-in to Vulnerability Process (no longer telling people to fix vulnerabilities)
Summary
Bring Security & Compliance together and deliver it as a Service
Operationalize the Information Dissemination & Remediation Process
Software as a Service (SaaS) Approach to the Problem
Lower Costs: Reduction of maintenance & elimination of capacity planning
Satisfy Audit, Security, and Operations
Deployment Methodology: Scanner placement, Asset Categorization, User Access, Realistic Goals for Remediation
Q & A
Questions?
Thank You!
Qualys, Inc.
www.qualys.com
Matthew Clancy, Technical Account Manager