TRANSCRIPT
Making Security Work—Implementing a Transformational Security Program
Brent Comstock
SCT06S
SECURITY
Group Vice President – Identity, Access and Data Protection Strategy, SunTrust Banks
2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only Terms of this Presentation
Abstract
Recent newsworthy data breaches have business and IT leaders asking, “Are we learning from the mistakes of others?” In an ever-increasing threat environment, security leaders face mounting pressures to deliver effective security capabilities that protect business assets while balancing budgets, security risks and regulatory issues.
SunTrust has started the journey of transforming security capabilities. This session will explore the driving factors that resulted in SunTrust re-evaluating its identity, access and information security program. Furthermore, it will explore the key inputs and building blocks of what it is looking to establish in its program and people, processes and technologies that will be required to achieve this vision.
Brent Comstock, SunTrust Banks, Group VP – Identity, Access and Data Protection Strategy
The thoughts, views and opinions I express are my own. None of these statements should be considered to represent my employer, SunTrust Banks, Inc. in any way.
Why I’m Here Today
1. THE WEATHER OUTSIDE IS FRIGHTFUL…
2. WE’RE NOT IN KANSAS ANYMORE
3. BREAK THE MOLD
4. THE FORK IN THE ROAD
5. FROM THE INSIDE OUT
Exploited privileged user accounts are the common thread of most data breaches*
*2017 Verizon Data Breach Investigations Report
“Looking back at the breaches that have happened in the recent past and looking ahead to GDPR, … it’s clear that security continues to be critically important.”
Mike Gregoire, Q2 2018 Earnings Conference Call, October 25, 2017
The Problem: There are large numbers of users, environments and end points to patch, secure & manage, all with changing security profiles over time.
The workload is overwhelming.
After CA World, You Return Home…
Enlightened…
Energized…
Enthused…
And pretty freaked out!
We protect what’s important to us.
How we provide that protection has to change.
Level of effort? Budget? Time?
• Align with Significant Company Initiatives
• Establish Security capabilities quickly
• “Fix” existing platforms
• Upgrade
• Address Process gaps
Can current technology and processes be adequately improved?
FORMULA FOR CHANGE
Discover & unlock WHY
Impact Leadership
Execute with Advocates
Organizational Culture Change
IAM – Focus & Objectives
Creation of Identity credentials, knowledge of high-risk assets and associated Access grants & controls are essential to effective Security in this time of unprecedented threats. IAM and Data Protection capabilities are highly interdependent.
Focus
The top areas of IAM focus include: a) acquire modern identity management capabilities, b) gain visibility into movement of data and usage of cloud services, c) gain insights into users' behavior, d) define roles and responsibilities and e) adhere to regulatory requirements.
Objectives
Mitigate enterprise cyber risks and transition to proactive detection of control failures by implementing effective capabilities & controls for access to company assets:
Ø Simplify, standardize and automate IAM functions across the enterprise
Ø Utilize asset risk scoring to focus on securing highest risk assets first
Ø Invest in people, processes, and technologies to better monitor and detect malicious activity
Ø Define and implement roles and responsibilities for IAM framework execution including increased Business engagement and accountability
Ø Secure privileged accounts: servers, databases, applications, domains, devices, service accts
Ø Integrate user behaviors associated with access and data movement with all our environments to detect threats and suspicious behaviors
Ø Enhance capabilities to secure connections & data movement to the cloud and 3rd parties
Discover & Unlock WHY
IAM & Data Protection Scope
Given the growth of cyber threats, the value of the data and transactions that we protect continues to increase. We must evolve our IAM practices to include deeper partnership and a “One Team” approach for “Modern IAM” that is much more intelligent, agile and transparent.
Cloud & Emerging Technologies
‘Modern IAM’ is a foundational tenet to enable the business to benefit from emerging technologies such as the Cloud and Internet of Things (IoT). Modern IAM capabilities are faster, more secure and more efficient in transitioning applications and infrastructure to the cloud.
Asset Type
Applications enable business functions and meet access risk objectives through roles, entitlements, and permissions. They are managed by traditional IAM solutions and are the company asset type that has the most mature access controls.
End Users and Devices are at the center of business functions. Ease of use must be balanced by the necessity to protect company assets. The increased scale from the growing use of mobile devices stretches traditional IAM practices and capabilities.
Data is stored in a variety of formats and locations, and is growing rapidly. This growth is compounded by End User compute environments (e.g., file shares, SharePoint) which are not currently managed and protected using traditional IAM practices and capabilities.
Big Data (i.e. Atlas Data Lake) environments combine data from numerous sources. The complexity of defining access permissions to voluminous, diverse, and sensitive information environments is not scalable using currently available IAM access models and technology.
IAM Scope
Impact Leadership
Why Are Advocates Essential?
§ With limited resources and reach, you can tap into the energy of passionate employees. They have knowledge and insight.
§ These employees become the eyes and ears on the ground and help to drive change from within their teams.
§ This feeling of ownership, responsibility and influence creates engagement across the organization.
§ By building direct relationships with different parts of the business, you can find out so much more through two-way communications.
§ By keeping our advocates informed of the latest news and views around security, you make them smarter and, by proxy, their teams too!
Security is a team sport…engage the rest of the team
Execute With Advocates
Organizational Culture Change
Engage the Team (Example)
Data Lake Domain Work Area (Zone 2) – diagram elements: Domain Users, Domain Role, Security Group, Data Assets (3)
Security Team Tasks – roles and responsibilities:
Provisioning Facilitator (Analytics Enablement)
• Facilitate Onboarding & Data Access
• Document & Maintain Role Definition
• Request Data Group Setup
Domain Owner (Domain Team Manager)
• “Owns” Domain
• Requests New Domain Roles
• Designate Role Champion
• Develop Data Source Access Requirements *
Role Champion (Domain Role Owner)
• Approve User Access to Role
• Attest to Role and User Access Annually
• Validation of Role Data Source Access Annually
Data Access Owner (Source Data Owner(s))
• Approve Role Creation
• Approve Data (not user) Access for Role
Data SME (Data Management Manager or Analyst)
• Identify & Validate Sensitive Data for Data Sources
Data Lake Setup (Data Lake Operations)
• Configure user on Data Lake
• Configure data access
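The data-lake example above separates two approvals that are easy to conflate: the Role Champion approves which users hold a domain role, while the Data Access Owner approves which data assets the role (not a user) may reach, and both are re-attested annually. The following Python model is an added illustration, not SunTrust's or CA's code; it assumes the mapping user → domain role → security group → data assets that the diagram's elements suggest, a 365-day attestation window, and constructed sample names (users, roles, assets and owners are all made up). It shows how effective access falls away when either approval is missing or stale, and how an attestation work list can be derived from the same records.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Attestation window taken from the slide: role and user access are attested annually.
ATTESTATION_MAX_AGE = timedelta(days=365)


def _as_date(d: date | str) -> date:
    """Accept a date or an ISO string so callers can pass '2017-10-25'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class DataAsset:
    name: str
    data_access_owner: str      # Source Data Owner: approves data (not user) access for a role
    sensitive: bool = False     # identified and validated by the Data SME


@dataclass
class DomainRole:
    name: str
    security_group: str         # the group the role maps to on the data lake
    role_champion: str          # Domain Role Owner: approves user access to the role
    members: dict = field(default_factory=dict)       # user  -> date approved / last attested
    asset_grants: dict = field(default_factory=dict)  # asset -> date the data owner approved


class ApprovalError(Exception):
    """Raised when someone other than the designated owner tries to approve a grant."""


class DataLakeAccessModel:
    def __init__(self) -> None:
        self.assets: dict[str, DataAsset] = {}
        self.roles: dict[str, DomainRole] = {}

    def register_asset(self, asset: DataAsset) -> None:
        self.assets[asset.name] = asset

    def create_role(self, role: DomainRole) -> None:
        self.roles[role.name] = role

    def approve_asset_for_role(self, role: str, asset: str, approver: str, on: date | str) -> None:
        """Data Access Owner grants the role (never an individual user) access to an asset."""
        if approver != self.assets[asset].data_access_owner:
            raise ApprovalError(f"{approver} is not the data access owner of {asset}")
        self.roles[role].asset_grants[asset] = _as_date(on)

    def approve_user_for_role(self, role: str, user: str, approver: str, on: date | str) -> None:
        """Role Champion approves, or annually re-attests, a user's membership in the role."""
        if approver != self.roles[role].role_champion:
            raise ApprovalError(f"{approver} is not the role champion for {role}")
        self.roles[role].members[user] = _as_date(on)

    @staticmethod
    def _fresh(approved_on: date, today: date) -> bool:
        return today - approved_on <= ATTESTATION_MAX_AGE

    def can_access(self, user: str, asset: str, today: date | str) -> bool:
        """Effective access needs BOTH a fresh user->role approval and a fresh role->asset grant."""
        today = _as_date(today)
        for role in self.roles.values():
            member_on = role.members.get(user)
            grant_on = role.asset_grants.get(asset)
            if member_on is None or grant_on is None:
                continue
            if self._fresh(member_on, today) and self._fresh(grant_on, today):
                return True
        return False

    def overdue_attestations(self, today: date | str) -> list[tuple[str, str]]:
        """(role, user) pairs whose annual attestation has lapsed: the Role Champion's work list."""
        today = _as_date(today)
        return sorted(
            (role.name, user)
            for role in self.roles.values()
            for user, on in role.members.items()
            if not self._fresh(on, today)
        )

    def sensitive_exposure(self, role: str) -> list[str]:
        """Sensitive assets a role reaches; what the Data SME and data owner review together."""
        return sorted(a for a in self.roles[role].asset_grants if self.assets[a].sensitive)


def build_example() -> DataLakeAccessModel:
    """Constructed sample domain; every name here is made up for illustration."""
    m = DataLakeAccessModel()
    m.register_asset(DataAsset("customer_txn", data_access_owner="payments_owner", sensitive=True))
    m.register_asset(DataAsset("branch_hours", data_access_owner="branch_owner"))
    m.create_role(DomainRole("fraud_analyst", "sg-fraud-analyst", role_champion="fraud_lead"))
    m.approve_asset_for_role("fraud_analyst", "customer_txn", "payments_owner", "2017-01-15")
    m.approve_user_for_role("fraud_analyst", "alice", "fraud_lead", "2017-06-01")
    m.approve_user_for_role("fraud_analyst", "bob", "fraud_lead", "2016-03-01")  # never re-attested
    return m


if __name__ == "__main__":
    model = build_example()
    today = "2017-10-25"
    print("alice -> customer_txn:", model.can_access("alice", "customer_txn", today))  # True
    print("bob   -> customer_txn:", model.can_access("bob", "customer_txn", today))    # False: stale attestation
    print("alice -> branch_hours:", model.can_access("alice", "branch_hours", today))  # False: no role->asset grant
    print("overdue attestations:", model.overdue_attestations(today))
    print("sensitive exposure of fraud_analyst:", model.sensitive_exposure("fraud_analyst"))
```

The design choice worth noting is that `can_access` never consults a user-to-asset record, because the slide gives no such approval path: a user reaches data only through a role whose champion vouched for the user and whose data owner vouched for the role, and letting either of those lapse silently removes the access rather than leaving it standing until someone notices.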
None of us is as smart as all of us.
People cannot help but resist change. It’s in our DNA to want to remain with known approaches.
Those who resist improved security aren’t crazy, they’re human.
Landing the Plane
“People don’t buy what you do, they buy why you do it.”
SIMON SINEK
No one can tell us what “right” looks like, because of experience & perspectives. Your Advocates will help fuel the cultural change. Empower them.
Stay connected at communities.ca.com
Thank you.