Getting Smart with Identity Protection

Transcription

1 FEATURE PROTECTING IDENTITIES BY MARK MULLINS Getting Smart with Identity Protection 3 strategies to help seal the door from threats In the spoof 1960s TV series Get Smart and its subsequent movie adaptations, script writers took every opportunity to make light of security procedures in the world of international espionage. The protagonist, Agent Maxwell Smart, is a stickler for adhering to security regulations despite the fact that security technologies routinely fail and Smart himself tends to bungle things anyway. Most of Smart s colleagues, including the chief of the spy agency CONTROL, often bend the rules, knowing that security systems will fail anyway. But Smart insists that they be followed, with hilarious results. One area where Smart regularly encounters technology problems is identity management: doors that are supposed to open for authorized personnel don t, but impostors tend to infiltrate with no problem. These gags highlight an over-emphasis on deploying advanced tactics over strategic thinking about security. Today, security is no laughing matter. Organizations certainly can t afford to bend the rules when it comes to managing and protecting identities, but those rules and the technology backing them up need to conform to the needs of the business. Employees of an enterprise need to be able to easily access the information necessary to do their jobs, even as they re blocked from seeing data that they don t need or transmitting data to an inappropriate destination. 24 CIO Digest January 2013

2 And in today s world of everevolving threats, a company s customers need the assurance that their personal or corporate information is not compromised when doing business with a company. Identity management makes everybody s heads hurt, because it s hard, and mobile devices and cloud services make it harder, observes Rich Mogull, analyst and CEO at Securosis, a Phoenix, Arizona-based firm that consults with enterprises on security issues. But it s critically important. I tell clients all the time, If you want to do data loss prevention, develop a BYOD policy, or move to the cloud, then you ve got to get better at identity management. Two competing forces are at play: the need to simplify the user experience to maximize productivity, and the increasing complexity of the task at hand owing to the proliferation of endpoints, the explosion in data volumes, and the evolving threat landscape. In addition to Mogull at Securosis, CIO Digest checked in with three IT leaders on where their organizations stand with regard to identity protection, and where they see things headed. In these conversations, three trends came to the forefront. I meet regularly with executive management and the board, and they expect me to be forthright about security gaps as well as areas of strength. Gerasimos Moschonas, Manager of Information Security Vision and Group Information Security Officer, Alpha Bank MICHAEL BRUNETTO 1. Integrate identity and protection tools Most enterprises have many tools that use an identity component, but these solutions often don t talk to each other, resulting in significant complexity. That becomes unsustainable as companies start adopting cloud services, Mogull asserts. As with many issues, the key is to think strategically rather than only tactically, and to the extent it s possible, integration is an important principle. Gerasimos Moschonas team has been visionary in its approach Gerasimos Moschonas, Manager, Information Security Division and Group Information Security Officer, Alpha Bank symantec.com/ciodigest 25

3 PROTECTING IDENTITIES FEATURE to security since he became manager of the Infomation Security division and group information security officer at Alpha Bank, one of Greece s largest banks, in I report to the chief operations officer, one of the general managers of the bank, Moschonas relates. I meet regularly with executive management and the board, and they expect me to be forthright about security gaps as well as areas of strength. This has helped us to be creative in finding ways to address those gaps and provide a more integrated and comprehensive solution. Elsa Zavala, EVP and CIO, and Bradley Wong, VP and Network Security Manager, Citizens Business Bank Soft tokens running on a mobile device adds convenience to the security layer when our associates have to enter their user name, password, and token response. Elsa Zavala, EVP and CIO, Citizens Business Bank Each business unit at Alpha Bank has a chief security officer who is a dotted-line report to Moschonas. I coordinate with each team to get the most accurate security information, and we use that data to formulate policies and deploy the means to enforce them, he explains. This process has been a key reason that Alpha Bank is known across Europe for its cutting-edge security practices. In 2005, Alpha was the first retail bank in Europe to protect its customers transactions with Symantec Validation and ID Protection Service, says Panos Vassiliadis, managing director of ADACOM S.A., a Symantec partner that Moschonas has worked with since assuming his current position. As CISO at Duke Medicine, Chuck Kesler supports an organization whose culture values openness. Duke is one of the top 10 research hospitals in the U.S., and academic environments are very open, he says. People come and go quite frequently. There s a lot of collaboration, and a lot of expectation that one should be able to move data from one point to another without much oversight. An example of the importance of this collaboration and data movement is Dr. Robert Lefkowitz, who just won the 2012 Nobel Prize in Chemistry and is a member of our faculty. But as a healthcare provider, we also have an obligation to keep patient data safe. When Kesler arrived at Duke in 2011, the team was leaning toward purchasing a data loss prevention solution that covered the network only. While that solution might have been deployed a bit more quickly, it was getting at only a portion of the problem, he recalls. I wanted to pull that decision back and reevaluate it. Kesler s team did a thorough review of options. In the end, we selected Symantec Data Loss Prevention because we felt it was a more complete solution, he says. We had a good track record with Symantec through a successful deployment of Symantec Whole Disk Encryption [formerly PGP]. We determined that Symantec Data Loss Prevention had the best potential to give us vision across all three vectors data in motion, data at rest, and data at the endpoint. Another selling point for Data Loss Prevention was its ability to build an inventory of sensitive data that is stored across our network, and PATRICK E. SPENCER 26 CIO Digest January 2013

4 MICHAEL BRUNETTO to analyze data access rights and usage patterns. This deployment parallels Duke s migration to Epic, a solution that will replace more than 130 of Duke s clinical IT systems with a single enterprise-wide Electronic Healthcare Record (EHR) platform. One of the primary drivers for moving to Epic was to comply with the Meaningful Use (MU) requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH), Kesler explains. Complying with MU can allow healthcare providers to qualify for financial incentives from the Centers for Medicare and Medicaid Services (CMS). Qualifying for those incentives also entails establishing a risk management program to evaluate and manage IT security risks on an ongoing basis. We view our Data Loss Prevention program as a crucial component to meeting those requirements. At Citizens Business Bank in southern California, security has always been a part of the corporate culture. I advise our board of directors on the subject of security, and it s becoming even more important to all of us as the threat landscape becomes more toxic, says executive vice president and CIO Elsa Zavala. Protecting identities has come to the forefront in the past few years as customer awareness of the potential for data loss increases. For Zavala s team, one strategy is to select a smaller number of strategic vendors and to form deep partnerships with them, rather than proliferating point solutions. We began using Symantec Managed Security Services in 2002, says Zavala. It would have been very expensive if we built and maintained our own Security Operations Center. Without An important aspect of identity protection is having an audit trail of user activity. CITIZENS BUSINESS BANK A FABRIC OF THE COMMUNITY Bradley Wong, VP and Network Security Manager, Citizens Business Bank In 1974, California s vast Inland Empire east of Los Angeles was in rapid transition from an agricultural economy to a major urban center. Local business leaders saw the need for a bank that specifically served commercial entities, and Citizens Business Bank was born with a single branch in rapidly-growing Chino. Today, the bank has 41 business financial centers and 5 commercial banking centers across a wide swath of southern and central California, and more than 800 employees. But for those who work there, Citizens Business Bank is still like a small company more like a family than a corporation. We have a lot of associates who have worked here for 10, 20, or 30 years, notes executive vice president and CIO Elsa Zavala, who will mark her 20 th year with the bank this year. Our employee turnover rate is much lower than the industry average. People like working here because of the relationships we build with each other. Zavala also values the relationships with her technology providers. Symantec is a strategic advisor, she says. We work with Symantec because of the high premium the company places on its customer relationships. The relationship was taken to a new level when Zavala and her team selected Symantec Managed Services in It is a critical component of our layered security approach, she explains. Over the past decade, Citizens Business Bank has added a series of additional technology solutions from Symantec such as Symantec Protection Suite, Symantec Enterprise Vault, Symantec Validation and ID Protection Service, and Symantec Mobile Management Suite. Personal and professional integrity and character are important to Citizens Business Bank. Its employees are known in the community for their volunteer service, which is encouraged by management. We have a lot of employees who give back to the community in many different ways, Zavala reports. symantec.com/ciodigest 27

5 PROTECTING IDENTITIES FEATURE Chuck Kesler, CISO, Duke Medicine Data Loss Prevention gave us vision across all three vectors data in motion, data at rest, and data at the endpoint. And it allows us to analyze who is accessing confidential data across our network, and set different policies for different identities. dedicated resources who possess necessary knowledge and expertise, we couldn t sustain anywhere near the effectiveness of what we ve achieved with Symantec. Since then, Citizens Business Bank has added many other Symantec solutions as part of a strategy of integration. Endpoint security and compliance solutions will soon be supplemented with Symantec Mobile Management Suite, which the IT team will use to manage personal and corporate-owned devices accord- Chuck Kesler, CISO, Duke Medicine ing to user roles. Citizens Business Bank also deployed soft tokens in the form of Symantec Validation and ID Protection Service to simplify authentication for internal users accessing the network from outside the office. Soft tokens running on a mobile device adds convenience to the security layer when our associates have to enter their user name, password, and token response, Zavala observes. The team plans to move customer transactions to Symantec soft tokens as well. 2. Move toward federated identity Another step of consolidation involves identities themselves. You really can t move to the cloud without getting involved with federated identity some level of coordination between authentication, authorization, access control, and entitlement management, says Securosis Mogull. With that in mind, Citizens Business Bank has a number of applications that don t allow a sufficiently complex password. Some older systems don t allow special characters or limit a password to six or eight characters, says Bradley Wong, Citizen s Business Bank s VP and network security manager. This is a real problem; Wong explains that the bank s customers often have to manage numerous passwords for various systems, and employees encounter the same challenges. The ideal solution uniformly strong password rules for all systems must wait until applications are replaced or upgraded, but identities still must be protected. Until we can replace the applications or work with the vendor to provide an update, we have to manage them on an exception basis, Wong explains. We re very clear that this is an exception, and we do other things to ensure identity protection in those applications, such as third-party applications or manual controls. Zavala s team recently began researching Symantec O 3, which provides single-sign-on identity and access control across all cloudand Web-based applications, while providing IT staff with security and management functions for those systems. We are very excited about the potential of this solution, Zavala says enthusiatically. If we choose to adopt more solutions hosted in the NICOLE BOLIN 28 CIO Digest January 2013

6 CASE STUDY PGi PODCAST Portions of the interview with Scott Schemmel and Jim Miles are available as an Executive Spotlight Podcast at go.symantec.com/ pgi-podcast. We re constantly on the move and looking for ways to drive value back to the business and customer. and as part of its efforts around PCI compliance, PGi deployed Symantec Data Loss Prevention. The solution is used to monitor and manage credit card information across the network. Data Loss Prevention helps ensure that credit card information and identities are protected, Miles says. A broader deployment of Data Loss Prevention across endpoints and storage is something Schemmel and Miles are contemplating. The starting point was our requirements around PCI compliance, Miles states. We re still developing our longer term vision for data loss prevention. Once we re ready to move forward on that front, we will simply be able to extend Data Loss Prevention to our endpoints and storage. PGi S VIRTUAL MEETING SERVICES PGi delivers a breadth of collaboration services to over 35,000 customers worldwide, including 75 percent of the FORTUNE 100. Combining video conferencing, conference calling, and social networking, imeet is a cloudbased collaboration solution that lets people meet face-to-face online from anywhere on any device. It was designed to drive more personal connections in virtual meetings and is commonly used for recruiting interviews, sales presentations, corporate training, team meetings, and more. Scott Schemmel, VP, Global IT, PGi Proactively monitoring and managing security In mid 2011, the PGi team opted to migrate from their existing security monitoring service to Symantec Managed Security Services. We are very excited about the introduction of the enterprise security monitoring we have with Symantec Managed Security Services, Miles reports. It is helping us to enhance our risk management approach. There were several reasons for the decision to move to Managed Security Services. Foremost was our ability to gain closer integration with our legacy Symantec investments from Endpoint Protection to Security Information Manager and Data Loss Prevention. Miles comments. We also have better event processing and correlation, something that my internal IT customers find quite GlobalMeet was designed to be the easiest to use, most intuitive Web conferencing product on the market, with a simple-to-navigate user interface, scalability for up to 125 users, and easy access from desktop, Web, tablets, or mobile devices. GlobalMeet Audio is PGi s traditional audio conferencing solution that is reservation-less. PGi also provides event-based services tailored to serve organizations of any size large or small. useful. They really like the more improved, actionable information that we provide them. The feature Miles is most excited about is the ability to create security logs with any of the various security tools he and his team leverage Symantec and non-symantec and to send that log data to the Symantec Security Operations Center. We can proactively address potential issues before they become a problem, he relates. Currently, the PGi team sees an average of three or four critical event alerts every week. Without some type of security monitoring and management tool in place, these are risk that could comprise information and infrastructure availability. Miles, who is a member of Symantec s Managed Security Services Customer Advisory Council, has aggressive plans in place to expand PGi s use of Managed Security Services in coming months. We are going to broaden the set of tools that we currently have sending log information to the Symantec Security Operations Center, he says. By expanding our coverage model and the amount of data for analysis, we will have better correlation points and thus better threat remediation outputs. User authentication from the cloud User authentication is another area that the PGi team sought to address with the help of Symantec. Both PGi and our customers had a strong desire to implement multifactor authentication, Miles says. We had resisted a move to it because of the cost of hard tokens and the complexity of managing them. Symantec Validation and ID Protection (VIP) Service was a very 44 CIO Digest January 2013

7 PATRICK E. SPENCER attractive option for us. Beginning in mid 2012, PGi s Corporate IT team implemented the solution across North America, with plans to roll it out globally in early The cloud-based, soft-token approach of Symantec VIP delivers a much less burdensome experience for end users as well as Global IT than would be the case with a hardtoken solution, Schemmel says. It is also cheaper to implement. With cloud solutions like Symantec VIP, instead of focusing on the plumbing aspects of the IT infrastructure, I can focus my very lean team on managing the application layer and other areas that deliver value back to the organization. Schemmel and his Global IT team have gone heavily in the direction of cloud services and managed services over the past couple years from Salesforce.com for sales management to Oracle PeopleSoft hosted by a third party for ERP. User authentication for these different cloud solutions is critical for PGi. We are looking to centralize and standardize authentication to our cloud services, Schemmel says. And Symantec O 3 is certainly something that we will be looking at as a possible solution later this year. Entrepreneurial IT: constant innovation Continual innovation and evolution is a crucial element in the entrepreneurial model PGi has embraced. This is certainly the approach of Schemmel and his Global IT team. We re constantly on the move and looking for ways to drive value back to the business and customer, Schemmel observes. We have a series of new initiatives in play that will deliver faster and better services to our customers internally and externally as well Jim Miles, Director, Information Security, PGi We can proactively address potential issues before they become a problem. as improve operational efficiencies and reduce costs. He cites a couple of different examples. We re looking at integrating E-Signature into our Salesforce.com deployment that will take out as much as six days from the sales cycle, he says. This will improve sales performance and revenue recognition. Big data is another area he and his team are exploring. Enhancing our data collection mechanisms is a starting point, he says. But then figuring out how to analyze and report on that data is the next step. There are immense benefits for PGi and our customers. Yet none of these are easy initiatives. All present significant Jim Miles, Director, Information Security, PGi challenges, Schemmel concludes. But they also offer substantial opportunities. Taking advantage of these is what entrepreneurial IT is all about. n Patrick E. Spencer (Ph.D.) is the editor in chief and publisher for CIO Digest. MANAGING RISK WITH SYMANTEC > Symantec Endpoint Protection > Symantec Managed Security Services > Symantec Validation and ID Protection Service (VIP) > Symantec Data Loss Prevention > Symantec Security Information Manager symantec.com/ciodigest 45

8 CASE STUDY Mary WAShington Healthcare From the Lab to CIO Joyce Hanscome began her career at Central Maine Healthcare as a medical technologist. She worked in the medical laboratory for a number of years, eventually being named assistant director. Looking to gain a broader background in healthcare, Hanscome completed a master s in healthcare administration and took on a new role overseeing the physician practice. This afforded me with a great opportunity, Hanscome says. I was able to get to know physicians and their habits what they like and don t like. When I started, I covered just the internal medicine and family practice about 10 doctors. The assignment had expanded to about 200 physicians when I left. I had a chance to gain experience across a breadth of different functions from acquisitions to patient services to HR to finance. In 2010, Mary Washington Healthcare, looking to transform the working relationship between IT and physicians, recruited Hanscome as director of Physician Services. She was named SVP and CIO in early 2012 when the former CIO left the organization. to managing and monitoring endpoint security in our data center environment. Proactive threat management As part of their larger phased risk management strategy, Bailey and his team wanted to create a proactive security awareness and prevention program. With this in mind, they worked in-house to implement standard dashboards that would identify and track threats and security events. But shortly after doing so, we found that this was extremely time consuming and virtually impossible for my staff of three and me to do on an ongoing basis, Bailey says. As a result, Bailey, in concert with Hanscome, determined that a managed security service would be a better option. Mary Washington Healthcare looked at several different solutions and ultimately chose Symantec Managed Security Services. We are able to focus on maturing our security and compliance strategies instead of worrying about threat detection and prevention, Bailey says. Managed Security Services allows us to focus on building out our threat management posture while delivering proactive protection of our IT environment. It has been a win-win scenario for us. Bailey and his team generate daily threat reports using Symantec DeepSight Security Intelligence that are sent to Hanscome. They also create weekly and monthly reports that are given to the IS Governance Board. But this is just the first phase of the risk management program that Mary Washington Healthcare is putting into place. The next step is to begin tracking and reporting compliance with established security standards. We re still in the process of building out all of our security standards, Hanscome reports. HIPAA and PCI are most certainly areas we ll need to address. But there are some other standards that we will be adding as we prepare to roll out our compliance initiative. Bailey s team will use Symantec Control Compliance Suite to build out compliance policies and then proactively report on them. As part of this process, we ll use the Standards Manager and Policy Manager in Control Compliance Suite to identify and create policies that map to our compliance requirements, Bailey says. Risk Manager will enable us to provide regular risk management updates to our executive management team. Once Control Compliance Suite is in place, the Mary Washington Healthcare team plans to turn their attention to data loss prevention. We re currently performing a data loss prevention assessment and will give the results to our executive management team, Bailey states. The tight integration between our current Symantec investments and Symantec Data Loss Prevention will help us move to the third phase of our risk management transformation. The broader investment in Symantec technologies will create additional value for Mary Washington Healthcare s investment in Managed Security Services at the same time. Integration between Managed Security Services and our Endpoint Protection deployment provides deeper views into our endpoint security posture, Bailey says. And we ll gain even further risk management insights as additional Symantec solutions such as Critical System Protection are deployed. Risk management to executive leadership Raising risk management to the executive level was one of the objectives Hanscome and Bailey established. It came out of a discussion that I had with our CEO, Fred Rankin, who noted that he really wanted to get a better understanding of the organization s strategic technology providers, Hanscome relates. Since 48 CIO Digest January 2013

9 The need to exchange patient data, as stipulated by the Patient Protection and Affordable Care Act, increases risk. Joyce Hanscome, SVP and CIO, Mary Washington Healthcare PATRICK E. SPENCER we consider Symantec as one of our strategic technology providers, we decided to begin with Symantec. The Symantec account team worked with Hanscome and Bailey to set up a two-hour event in the boardroom involving the entire executive leadership team. We pinpointed different areas of risk and quantified the potential risk associated with each one, Bailey says. The session raised the risk awareness of our executive leadership team and provided them with a foundation for making strategic decisions. It was very well received. User authentication User authentication is another area that the Mary Washington Healthcare team addressed. Previously, Mary Washington Healthcare maintained two remote access methods that were inefficient to manage. It was an adaptive authentication approach that granted access to inpatient systems and our physician portal to physicians, Bailey explains. Another SSL-based VPN solution was used to provide access to associates and vendors. The former had two-factor authentication but was a hard-token solution. It was expensive and difficult to manage, he adds. On the flip side, the SSLbased VPN solution did not have two-factor authentication and posed other risks. Seeking to consolidate onto one identity protection toolset, Bailey and his team examined several different solutions. After evaluating each one, they selected Symantec Validation and ID Protection (VIP) Service in late 2012 and are on track to have it fully implemented in early Symantec VIP Service proved to be extremely cost effective while providing us with additional functionality, Bailey notes. It also affords us with different multifactor options for the second form of authentication with software-based tokens available for desktop, laptop, and mobile devices. Early phases of the prescription While they have moved quickly, Hanscome, Bailey, and the rest of the Mary Washington Healthcare IT team have much left to do in Joyce Hanscome, SVP and CIO, Mary Washington Healthcare administering their IT prescription. Mobility is something we will be tackling early next year, Hanscome notes. Our physicians and caregivers want to use mobile devices to access information and services, including when meeting with patients. This presents a number of different security and compliance challenges, one that is accentuated since Mary Washington Healthcare plans Podcast to enable a bring your own device Portions of the interview with Joyce Hanscome and David (BYOD) policy. We Bailey are available as an are evaluating Executive Spotlight Podcast Symantec App Center at go.symantec.com/ marywashington-podcast. on the basis that we can create virtual containers on personal devices and manage information and services securely on them without any impact on personal applications and services they also contain, Bailey explains. symantec.com/ciodigest 49

10 CASE STUDY Mary WAShington Healthcare FROM THE PENTAGON TO HEALTHCARE While an undergraduate in college, David Bailey joined the United States Air Force ROTC program and was commissioned in He spent almost nine years in the Air Force, serving in a variety of different functions as a communications and information officer. Ordinary is not a David Bailey Manager, Security Program Office, Mary Washington Healthcare word that one would use to describe his time in the Air Force. His initial assignment was at the Pentagon. My team provided networking services as well as desktop, database, and phone support, all of the typical things you would do at an Air Force base, he recounts. The only difference is that it was at the Pentagon. After several years, he got involved as a systems analyst and then in tactical communications. He deployed to Saudi Arabia, traveling around southwest Asia conducting force protection vulnerability assessments, which included examination of communications systems. This experience helped pave the way for my security career, he relates. He returned to support the Air Force and United States Space Command as a director of Information Operations Testing. In this role he conducted vulnerability and risk assessments of mission-critical space systems. When Bailey left the Air Force, he leveraged his background and experience in security and IT risk management, serving as a consultant with classified clearance to various Federal government entities, including the Pentagon. In early 2010, his career took a completely different turn when Mary Washington Healthcare recruited him to build the Security Program Office and institute a risk management strategy from the ground up. From the standpoint of security standards, there are similarities, Bailey reflects. For example, both the Federal government and healthcare use National Institute of Standards and Technology (NIST) standards. But there are certainly differences at the same time. Bailey is thoroughly enjoying the challenges of healthcare. On average, we have 6,000 or 7,000 users accessing our systems every day, often for life-critical services. While the challenges may differ, the end result is just as critical. We were able to consolidate our different endpoint security infrastructure components into one toolset. Mike Vida, Sr. Security Analyst, Security Program Office, Mary Washington Healthcare But that is just one of many initiatives that are planned. With the first phase of our risk management strategy complete, we are rapidly moving into the second and third phases, Hanscome states. Compliance with meaningful use is at the forefront of what we re working to accomplish. Each of the steps that we ve taken and are taking will help ensure that we achieve meaningful use and thus meet both the challenges and opportunities of our rapidly evolving world of 21 st - century healthcare. Adds Bailey: And with technology partners like Symantec, we have the tools and services to help ensure that we are successful. n Patrick E. Spencer (Ph.D.) is the editor in chief and publisher for CIO Digest. Managing Risk with Symantec > Symantec Endpoint Protection > Symantec Critical System Protection > Symantec Managed Security Services > Symantec Validation and ID Protection (VIP) Service > Symantec DeepSight Security Intelligence > Symantec Data Loss Prevention > Symantec Control Compliance Suite (planned implementation) PATRICK E. SPENCER 50 CIO Digest January 2013