TRANSCRIPT
© Copyright 2008 EMC Corporation. All rights reserved.
Simplified IT Compliance: Frameworks to Reduce Costs & Strengthen Security
John McDonald, Team Lead, Security Evangelist
RSA, The Security Division of EMC
Why is Information Security So Difficult?
…because sensitive information is always moving and transforming

[Diagram: sensitive information flowing across five tiers (Endpoint, Applications, Storage, Files, Network) and through the whole environment: file server, production data, data warehouse, DR, staging, WW campuses, WW customers, WW partners, remote employees, WAN, WWW, VPN, disk storage, backup disk, backup tape, outsourced development, enterprise email, business analytics, customer portal]
Why is Information Security So Difficult?
…and every movement & transformation has unique risks

[Diagram: the same environment, annotated with the risk at each point: media theft, device theft, takeover, fraud, intercept, media loss, unauthorized access, DoS, corruption, unavailability, eavesdropping, data theft, data loss, device loss, unintentional distribution, unauthorized activity]
Understanding Risk
“Risk is the combination of the probability of an event and its consequences.” (ISO definition)
Risk Components
– Assets (Information, infrastructure, etc.)
– Threats (Sources, Objectives & Methods)
– Vulnerabilities (People, Process & Technology)
Managing Risk
– Avoid – Eliminate the source of the risk
– Control – Implement controls to reduce risk
– Accept – Be aware but take no action
– Ignore – Refuse to acknowledge risk
– Transfer – Assign risk to another agency
RSA & EMC Can Help
Risk Aligns Security Investments to Compliance Requirements

[Diagram: compliance requirements (PCI, Partner Reqs, SOX, Internal Reqs, HIPAA) linked through Risk, Security Incidents and Sensitive Information to the five tiers: Network, Endpoint, App / DB, Storage, FS/CMS]

– What information is important to the business?
– Where does it go?
– What bad things can happen?
– What risks are we willing to accept, and what risks do we need to protect against to enable the business?
Today’s Agenda
– Compliance Landscape
– Frameworks for Security and Compliance
– Examples: Frameworks in Action
– RSA Solutions for Simplified IT Compliance
Why We’re Here Today
Organizations worldwide:
– Spend heavily on compliance
– Don’t see expected security improvements
– Have shrinking budgets
– Need to get better value out of investments they do make
RSA has an approach to help our customers:
– Reduce costs
– Simplify compliance
– Improve security
– Be proactive, instead of reactive
Compliance landscape
– Industry groups
– Business partners
– Customers
– Internal policy
– Governmental
Ernst & Young: “In 2007, compliance remained the number one driver of information security.”
Framework-Based Security: Preparing for Ever-Changing Compliance

[Slide shows a cloud of regulations and standards: PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy, FFIEC, Basel II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800, State Privacy Laws]

And … what’s next?
Reactive & Expensive IT Compliance

[Diagram: each compliance requirement (PCI DSS, Basel II, Internal Policy, Data Privacy Regulation, Partner Policy) drives its own separate set of controls across the Network, Endpoint, App / DB, Storage and FS/CMS tiers, with the same control types (encryption, monitoring, authentication, policy, NAC, access control, log management, data leakage) repeated for every requirement]

Gartner estimates that allocating resources on a regulation-by-regulation basis means that enterprises spend an average of 150% more on compliance, largely due to duplication of effort!
“Gartner for IT Leaders Overview: The IT Compliance Professional.” French Caldwell. October 22, 2007
Framework-Based Compliance & Security: Enabling Cost-Effective Compliance

[Diagram: one shared control layer spanning the Network, Endpoint, App / DB, Storage and FS/CMS tiers (encryption key management; encryption in each tier; data loss prevention; monitor, report, audit; authentication; access control) serving PCI DSS, Basel II, Internal Policy, Data Privacy Regulation and Partner Policy compliance at once]
The Solution: Framework-based security & compliance
“Most [CISOs] have realized that a principles-based framework can help them not only address multiple regulations simultaneously, but also get a more comprehensive grasp on the security universe they are responsible for.”
Khalid Kark, Forrester Research
A security controls framework is …
– A comprehensive set of security controls (policies, procedures and technologies)
– Based upon industry-wide best practices
– Ideal for defining controls that should be applied in a proactive manner
– Integrated into an organization’s IT security policy
– Applied based upon how data are classified within your organization
A security controls framework helps …
– Drive you to think about all the security requirements you need
– Eliminate gaps in your security programs
– Enable more cost-effective compliance
– Execute your Information Risk Management strategy
Framework-Based Compliance & Security: Laying A Foundation for Policy & Controls
‘ISO [27002] is generally acknowledged to be the golden standard for coverage of security domain information.’ (Burton Group)
Many references
– ISO 27002
– Information Technology Infrastructure Library (ITIL)
– Control Objectives for Information Technology (CoBIT)
– Committee of Sponsoring Organizations of the Treadway Commission (COSO)
ISO 27002 Clauses
4. Risk Assessment and Treatment
5. Security Policy
6. Organization of Information Security
7. Asset Management
8. Human Resources Security
9. Physical Security
10. Communications and Ops Management
11. Access Control
12. Information Systems Acquisition, Development, Maintenance
13. Information Security Incident Management
14. Business Continuity
15. Compliance
ISO 27002 & Compliance Alignment

[Matrix: ISO 27002 clauses (rows) mapped against HIPAA, Data Protection, SOX, PCI and NIST (columns); the individual mappings did not survive extraction]
– 4 Risk Assessment & Treatment
– 5 Security Policy
– 6 Organization of Information Security
– 7 Asset Management
– 8 Human Resources Management
– 9 Physical & Environmental Security
– 10 Communications and Operations Management
– 11 Access Control
– 12 Information Systems Acquisition, Development and Maintenance
– 13 Information Security Incident Management
– 14 Business Continuity Management
– 15 Compliance
ISO 27002 & Compliance Alignment: Sarbanes-Oxley
Key Best Practices
– Security policy (ISO 27002 5)
– Inventory of assets (ISO 27002 7.1.1)
– Information classification (ISO 27002 7.2)
– Physical entry control (ISO 27002 9.1.2)
– Segregation of duties (ISO 27002 10.1.3)
– Audit logging (ISO 27002 10.10.1)
– Monitoring system use (ISO 27002 10.10.2)
– User access management (ISO 27002 11.2)
– User identification and authentication (ISO 27002 11.5.2)
– Teleworking protection (ISO 27002 11.7.2)
– Cryptographic controls (ISO 27002 12.3.1)
– Data leakage prevention (ISO 27002 12.5.4)
– Compliance monitoring (ISO 27002 15.2)
Framework-Based Security: Communicating Security to Partners & Customers
ISO 27001 and ISO 27002: delivering a common language for communicating security on a global basis
– Customers
– Outsourcers
– Business Partners
– Regulators
– Auditors
– Non-security staff
Framework-Based Security: Eliminating Gaps in Your Security Program

[Diagram: patchwork solutions, each protecting a single data type (financial records, personal information, intellectual property, employee records, credit card data, health records), contrasted with an ISO 27002 framework that provides a comprehensive checklist of controls and a holistic view of security]
Aligning Compliance: A Case Study: Large Telco
1) Identify Sensitive Data Types: intellectual property, financial data, cardholder data, personally identifiable information
2) Build a Framework of Best Practices Based Upon ISO 27002: an internal framework of policies, procedures & technologies (authentication, encryption, logging, access control, other controls), drawing on ISO 27002, other security controls frameworks, internal policy, Sarbanes-Oxley, the PCI Data Security Standard and data privacy regulations
3) Discover Data, Assess Risk: discover data and assets, and assess risk based on policy
4) Apply Controls in a Consistent and Repeatable Manner to Mitigate Risk & Manage Compliance
Result: Save Money, Time By Deploying Repeatable Controls for Multiple Requirements
Components of Framework Based Compliance & Security Programs
Inventory & Risk Assessment
– Identify regulated data
– Analyze regulatory impact
– Identify high business impact data
– Qualify acceptable risk level for information
Policy & Classification
– Define information classifications
– Define information security policy
– Incorporate classification into policy
Discovery
– Discover and document assets (people, systems & information)
– Discover and document current controls
Implement Controls
– Define cross-organizational control requirements
– Implement controls (e.g., technologies, procedures)
Monitor, Manage and Improve
– Monitor information environment
– Monitor & enforce compliance
– Incorporate risk analysis into mgt. processes
Framework-Based Compliance & Security: Why RSA?

[Diagram: the five-phase cycle: Inventory & Risk Assessment, Policy & Classification, Discovery, Implement Controls, Monitor, Manage and Improve]
A Process for Framework-Based Compliance: RSA & EMC Solutions
– Inventory & Risk Assessment: RSA Data Loss Prevention, RSA Professional Services, RSA Partners
– Policy & Classification: RSA Professional Services, RSA Partners
– Discovery: RSA Data Loss Prevention, RSA Professional Services
– Implement Controls Framework: RSA Authentication & Authorization, RSA Data Security, RSA Information and Event Management, EMC Information Management Solutions
– Monitor, Manage & Improve: RSA Information and Event Management, RSA Professional Services, RSA Partners
ISO 27002-based Frameworks: RSA Solutions
Implement Controls Framework (RSA Authentication & Authorization, RSA Data Security, RSA Information and Event Management, EMC Information Management Solutions)
ISO 27002 Clauses
– 8 Human Resources Security
– 9 Physical & Environmental Security
– 11 Access Control
Key ISO 27002 Best Practices
– Authenticate users
– Revoke access
– Control physical access
– Protect remote access
– Manage access based on policy
RSA Solutions
– RSA SecurID
– RSA Access Manager
– RSA Card Manager
– RSA Digital Certificate Solutions
What Do You Want for Your RSA SecurID Authenticator? Flexibility, choice, and the broadest range of supported applications
ISO 27002-based Frameworks: RSA Solutions
Implement Controls Framework (RSA Authentication & Authorization, RSA Data Security, RSA Information and Event Management, EMC Information Management Solutions)
ISO 27002 Clauses
– 7 Asset Management
– 10 Communications & Operations Management
– 12 Information Systems Acquisition, Development & Maintenance
– 15 Compliance
Key ISO 27002 Best Practices
– Inventory assets
– Classify data
– Prevent data leakage
– Manage encryption keys
– Enforce encryption policies
– Monitor for compliance
RSA Solutions
– RSA Data Loss Prevention (DLP) Suite
– RSA File Security Manager
– RSA Key Manager for the Datacenter
– RSA Key Manager with Application Encryption
Control Data Movement for Compliance: RSA Data Loss Prevention Suite
DLP Enterprise Manager
– Dashboard & Reporting
– Incident Workflow
– User & System Administration
– Unified Policy Mgmt & Enforcement
Common Discovery Platform
– DLP Datacenter: Discover – file shares, eRoom/SharePoint sites, database files, SAN/NAS
– DLP Network: Monitor – email (SMTP, IMAP), HTTP/S, FTP, P2P, IM/Chat, etc.
– DLP Endpoint: Discover – laptops and desktops with Windows 2000 SP4 or higher OS
RSA DLP Comprehensive Compliance Library
– Acceptable Use – 23 policies, including: Post to Corporate Rumor Site, Post to Financial Site, Human Resources – General, Resumes
– Company Confidential – 14 policies, including: Mergers & Acquisitions Data, Contracts, Corporate Financials, Employee Financials – General
– Intellectual Property Protection – 6 policies, including: Company Intellectual Property, Transmission of Intellectual Property to Competitor, Patent Applications
– Regulatory Compliance – 44 policies, including: PCI-DSS (Payment Card Industry Data Security Standard), PIPEDA (Personal Information Protection and Electronic Documents Act), GLBA (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), Fair Credit Reporting Act (FCRA)
– Privacy Protection – 20 policies, including: US Social Security Numbers, Credit Card Numbers, Credit Card Numbers – by Issuer, US Drivers Licenses, Canadian Social Insurance Numbers, UK National Insurance Numbers
Over 100 out-of-the-box policy templates (Blades)
RSA Data Loss Prevention Suite: Enforce Compliance & Security Policy
DLP Enterprise Manager
– Dashboard & Reporting
– Incident Workflow
– User & System Administration
– Unified Policy Mgmt & Enforcement
– DLP Datacenter: Discover – file shares, SharePoint sites, database files, SAN/NAS; Remediate – delete, quarantine, move
– DLP Network: Monitor – email (SMTP, IMAP), HTTP/S, FTP, P2P, IM/Chat, etc.; Enforce – block, notify, alert, encrypt
– DLP Endpoint: Discover – laptops and desktops with Windows 2000 SP4 or higher OS; Enforce – copy, print, save, USB, burn, etc.
Other DSS Enforcement Mechanisms
Managing Encryption for Compliance: RSA Key Manager for the Datacenter

[Diagram: RSA Key Manager Server at the centre, serving PowerPath encryption, Connectrix encryption, tape backup encryption, file encryption (RSA File Security Manager), database encryption and application encryption]

– Provides security over the long term – vaults and protects encryption keys
– Scales across the enterprise – centralized key management of encryption solutions across the IT stack
– Reduces cost and complexity over point key management solutions
RSA Key Manager Provides Options While Reducing Complexity

[Diagram: the environment from the opening slides, with RSA Key Manager supplying keys to each encryption point: Oracle databases, encrypting tape drives, FC SAN encryption (EMC PowerPath, Cisco switches, Brocade switches), RSA File Security Manager, and the RSA Key Manager Encryption Toolkit for applications]
ISO 27002-based Frameworks: RSA Solutions
Implement Controls Framework (RSA Authentication & Authorization, RSA Data Security, RSA Information and Event Management, EMC Information Management Solutions)
ISO 27002 Clauses
– 10 Communications & Operations Management
– 13 Information Security Incident Management
– 15 Compliance
Key ISO 27002 Best Practices
– Monitor IT systems
– Monitor systems usage
– Protect audit logs
– Protect audit tools
– Report & learn from security events
– Retain evidence of security events
– Monitor for compliance
RSA Solution
– RSA enVision
Monitoring and Reporting for Compliance: RSA enVision

[Diagram: log sources feeding RSA enVision: router logs, IDS/IDP logs, VPN logs, firewall logs, switch logs, Windows logs, client & file server logs, wireless access logs, Windows domain logins, Oracle Financial logs, SAN file access logs, VLAN access & control logs, DHCP logs, Linux/Unix/Windows OS logs, mainframe logs, database logs, web server activity logs, content management logs, web cache & proxy logs, VA scan logs]

Use cases
– Compliance monitoring, IP leakage
– Configuration control, lockdown enforcement
– False positive reduction
– Access control enforcement, privileged user management
– Malicious code detection, spyware detection
– Real-time monitoring, troubleshooting
– User monitoring, SLA monitoring
Security Information and Event Management (SIEM) Solution: RSA enVision
A 3-in-1 Log Management Platform… for Compliance, Security and IT & Network Operations

[Diagram: stakeholders served: Server Engineering, Business Ops., Compliance Audit, Application & Database, Network Ops., Risk Mgmt., Security Ops., Desktop Ops.; platform functions: All the Data, Log Mgmt., Report, Alert/Correlation, Incident Mgmt., Asset Mgt., Forensics, Baseline]

Log Management
– Any enterprise IP device – Universal Device Support (UDS)
– No filtering, normalizing, or data reduction
– Security events & operational information
– No agents required
Simplify Compliance
– Access Control
– Configuration Control
– Malicious Software
– Policy Enforcements
– User Monitoring & Management
– Environmental & Transmission Security
Enhance Security & Mitigate Risk
– Access Control Enforcement
– SLA Compliance Monitoring
– False Positive Reduction
– Real-time Alerts
– Unauthorized Network Service Detection
– Privileged User Monitoring
Optimize IT & Network Operations
– Monitor network assets
– Troubleshoot network issues
– Assist with Helpdesk operations
– Optimize network performance
– Gain visibility into user behavior
– Build baseline of normal network activity
RSA enVision: Transformation of Data into Actionable Intelligence
– >1100 reports for regulatory compliance & security operations
– Includes ISO 27002 compliance reporting
– Dashboards
ISO 27002-based Compliance Frameworks: RSA Solutions

[Diagram: the five-phase cycle (Inventory & Risk Assessment, Policy & Classification, Discovery, Implement Controls, Monitor, Manage and Improve) with Monitor, Manage and Improve highlighted]

RSA enVision reporting – over 20 out-of-the-box reports related to ISO 27002, including:
– Control of Human Resources Data (section 8.3)
– External Contractors Report (sections 8.1.3, 10.7.3)
– Malicious Software Activity (section 10.4.1)
– Password Changes and Expirations (section 11.3.1)
– User Activity from External Domains (section 11.4.2)
– Computer Account Logon Activity (section 11.5.B)
– Computer Account Status by Account (section 11.5.1)
– Operation Change Control Report (section 11.6)
– Control of Operational Software (section 12.4.1)
– Control of System Test Data (section 12.4.2)
– Source Code Access (section 12.4.3)
– Control of Collected Evidence (section 13.2)
– Control of System Audit Data (section 15.3.2)
Compliance Framework Solutions: Example: PCI Requirements mapped to RSA/EMC Solutions
Understanding Your PCI Compliance and Preparing for an Audit
– PCI Pre-Assessment & Gap Analysis Service
– PCI Cardholder Data Discovery Service
Addressing PCI DSS Requirements
– Req. 1: Install and maintain a firewall – EMC Smarts, EMC VoyenceControl; reporting: RSA enVision
– Req. 2: Do not use default passwords – EMC Smarts, EMC VoyenceControl; reporting: RSA enVision
– Req. 3: Protect stored card data – RSA Key Manager, RSA File Security Manager, RSA DLP Suite, Partners (e.g., Cisco); reporting: RSA enVision
– Req. 4: Encrypt card data in transit – RSA Key Manager, CipherOptics (partner), EMC VoyenceControl; reporting: RSA enVision
– Req. 5: Use and update anti-virus – reporting: RSA enVision, EMC Smarts, EMC VoyenceControl
– Req. 6: Develop secure systems & apps – Application Security Design and Assessment Service; reporting: EMC VoyenceControl
– Req. 7: Restrict access to card data – RSA Access Manager, RSA File Security Manager, RSA Database Security Manager; reporting: RSA enVision
– Req. 8: Assign a unique ID – RSA SecurID, RSA Digital Certificates; reporting: RSA enVision
– Req. 9: Restrict physical access – EMC Physical Security Solution, RSA Card Manager
– Req. 10: Track and monitor access – RSA enVision, EMC Symmetrix, EMC CLARiiON, EMC Centera, EMC Celera, EMC Smarts, EMC VoyenceControl
– Req. 11: Test security systems, processes – EMC Smarts, EMC VoyenceControl; Partners: Accuvant (U.S.), Ezenta (EMEA), Integralis (EMEA, U.S.), Mnemonic (EMEA), Remington (U.S.)
– Req. 12: Maintain an info sec policy – PCI Information Security Policy Service
Framework-Based Compliance & Security: The Benefits
– Reduce costs
– Simplify compliance
– Improve security
– Manage information risk
[email protected]
+1.773.484.8000
Thank you very much.