Cyber Security: Finding Synergy Between Industry and Government

Transcription

1 Cyber Security: Finding Synergy Between Industry and Government Tuesday, 20 Sept 2011 Jeff G. Chief, Cyber Security Architect CIA

2 Agenda Drivers Issues & Challenges Efficiencies Loss of Control What Users Want Managing the Risk Managing the Technology Factors for Consideration Risk Management Process Summary

3 Drivers EO (aka WikiLeaks) Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, The White House, 7 Oct 11

4 Issues and Challenges Access to more information across organizational boundaries Paradigms are shifting faster than business processes and governance can keep up i.e. retool workforce, new data steward challenges, new interorganizational collaborative processes, ICD 503 Move toward intra-organizational efficiencies o Increased demand for security services Some technologies are not mature enough Coordinating capabilities and managing dependencies o Forcing functions Budget decreases Economy Demand to use newly emerging technology

5 Efficiencies Fewer options; better provisioned Licensing, acquisition, and configuration management osignificant cost savings Security Service Model Retooled/focused workforce

6 Loss of Control A Common Concern... CIA struggles internally to resolve this issue It is critical for CIA because we handle some of the most sensitive information in the US Government Loss of Control = Loss of Lives

7 What Users Want: IT to appear on Monday exactly as it did on Sunday They want the same experience at work as they have at home Broader, faster access Modern tools Don t worry, we ll only give them so much

8 Commercial IT Wherever Possible Acceptable loss is zero Legacy organizational provisioned private IT Change takes time; Economy/Business needs demand immediate results The problem: Intelligence information/sources more valuable than commercial transactions Data value is not readily apparent Once the data is gone, you can not get it back! Restrict all as a rule

9 Managing Risk Don t sacrifice security for user convenience. You ll lose every time! Chief of Information Security, CIA

10 Need to Know vs. Need to Share Need to Know Defined by data owner; not data requestor Requires human Need to Share Defined by role-based access models Implemented with strong Identification & Authorization Governed by Authorization & Audit Policy Can be automated

11 Risk in Cloud Quantifying the cost In terms of confidentiality, integrity, and availability Often value is difficult to assess Reputation, customer confidence, and investor equity

12 Managing Technology Capabilities: Identification & Authentication Access Control Audit Encryption (as needed)

13 Security Services A Continuous Process NEW TECHNOLOGY INITIATE PROGRAM OPERATIONS Explore Research Market Survey Test Acquire Evaluate Integrate Deployed Adopt/Adapt Drive Use 3-12 months depending on funding and complexity 12 months depending on funding and complexity months depending complexity

14 What Factors need to be considered? Inherent risks: Privileged User Access Regulatory Compliance Data Location Data Segregation Recovery Investigative Support Long-term Viability

15 What Factors need to be considered? Inherent risks (cont d): Architecture o Secure Remote Access o Remote Administration o Cloud adoption o Proper use (cont d) Apply: Policy, Process, and Technology to achieve acceptable risk

16 CIA Operates a Risk Management Process Board chaired by Chief Information Security Security and CIO decide what is acceptable risk By a defined business process

17 Summary Risk Management is about Control vs. Tolerance Consistent process to consider and integrate new technology Don t sacrifice security for user convenience