Delivering IT Security and Compliance as a Service

Transcription

1 Delivering IT Security and Compliance as a Service Jason Falciola GCIH, GAWN Technical Account Manager, Northeast Qualys, Inc.

2 Agenda Technology Overview h The Problem: Delivering IT Security & Compliance h Key differentiator: Software as a Service (SaaS) approach Putting it Into Practice h Security & Compliance Solution: Key Implementation Objectives h Approximate timeframes for deployment and costs h Keys to Success: Integrating the business owners Case study: Fifth Third Bank Summary and Conclusion 2

3 The Problem to Solve Assessing IT Security and Compliance posture on a distributed scale, and complying with Data Security and Privacy Regulations is more difficult than ever: h Increased sophistication of the attacks (target the user and applications) h Overlapping set of data security and privacy regulations: (HIPAA, GLBA, Sarbanes-Oxley, FISMA, PCI) h Providing Actionable Reports to ALL constituents: Audit, Security, and Operations h Extending Security and Compliance Requirements to Suppliers and Partners Throwing more people and hardware/software at the problem is likely not the best option 3

4 A SaaS Solution to the Problem Bringing Security and Compliance Together And Delivering it as a Service The Security + Compliance Conundrum Capturing all relevant data and providing actionable reports to all constituents 4

5 A SaaS Solution to the Problem Security + Compliance Lifecycle Workflow Under this model, a system is deemed out of compliance if it is: Vulnerable to attacks, Improperly configured or in violation of internal policies or external regulations 5

6 A SaaS Solution to the Problem Bringing Security and Compliance into a Single Solution -- with no software to install and to update -- 6

7 A SaaS Solution to the Problem An extensible platform that adapts to your changing needs QualysGuard Security + Compliance Suite Vulnerability Management QG VM 6.10 PCI Compliance QG PCI 3.0 (with WAS) Policy Compliance QG PC 2.0 Web Application Scanning QG WAS SCAP Compliance Service QG SCAP 1.0 QualysGuard Secure Seal QualysGuard Malware Detection Other Security and Compliance Applications Management Services Discovery Scans Vulnerability Scans Authenticated Scans Workflow Engine Reporting XML Engine QualysGuard SaaS Platform Automatic Updates Extensible XML APIs Data Centers Remote Management Integrations with MSSP SIMS, Active Directory Helpdesk, Remediation, 7

8 Software as a Service (SaaS) Approach - Objectives h A centralized solution delivered over the Internet that accomplished objectives of Security, Audit, and Operational Teams All that is needed is a Web browser and appropriate credentials h Provide lower cost of ownership to end-user Ease of deployment and reduced maintenance requirements for solution: No servers to manage or update, no software to install or maintain h Eliminate the need for database capacity planning as assessment scope grows h Frequent and automated release cycle for vulnerability detection updates, software updates, and OS updates h Reduced complexity of application and eliminate infrastructure choices h Providing a Third-Party audit, however, enabling the end user to initiate and control the assessment 8

9 Security & Compliance Solution Key Implementation Objectives h Consider scanner locations based on network topology Scanning engine appliances avoid scanning through firewalls where possible h Begin with global network discovery Identify servers, infrastructure devices, workstations, wireless, rogue devices h Seriously consider how to architect asset groupings Platform vs. Platform (Windows vs. Unix), functional business value (Financial vs. HR) h Definition of user roles for access to the data Platform vs. Platform (Windows vs. Unix), functional business value (Financial vs. HR) h Establish realistic remediation policies Begin with critical severity risks, work way down. Consider how you generate tickets 9

10 Case Study: Fifth Third Bank One of the Largest Banks in the US Fortune 500 Bank Over 1200 Branch Offices 30,000 Employees Problem (examples): h Lack of a centralized, consistent process and solution Disparate processes and solutions h Required management of scanner software/servers across distributed networks (DMZ s and Intranet) h No way to securely perform external assessments (needed to use external DSL lines), difficult to consolidate to central database h Required third-party auditors to provide assessments for regulatory requirements, a duplicated and redundant effort h Difficulty managing the sheer size of vulnerability data being collected capacity planning of databases h No consistent and repeatable process for PCI scanning h Credibility of scan results was a problem 10

11 Case Study: Fifth Third Bank Solution: h Implemented QualysGuard Enterprise Vulnerability Management Fully deployed 20 Scanner Appliances within DMZ and intranet environments in two weeks timeframe No need to deploy external scanners Results: h Significant reduction of critical vulnerability count over 6 month time period h Maintaining compliance with third-party regulations: Self Certification for PCI Scanning h Realized soft-cost savings due to Software-as-a-Service model No need for FTE s to manage solution architecture h Automation of scanning and network discovery yields FTE time savings h Differential vulnerability reporting over time proves process is in place and is effective h Tangible results and remediation steps are automatically distributed on a weekly basis per scan schedule h Hierarchical and distributed access granted across geographically dispersed regions h Empowered organization to take ownership of security information Obtained greater Buy-in to Vulnerability Process (no longer telling people to fix vulnerabilities) 11

12 Summary Bringing Security & Compliance together and deliver it as a Service Operationalize the Information Dissemination & Remediation Process Software as a Service (SaaS) Approach to the Problem h Lower Costs: Reduction of maintenance & elimination of capacity planning h Satisfy Audit, Security, and Operations Deployment Methodology: Scanner placement, Asset Categorization, User Access, Realistic Goals for Remediation 12