The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

Transcription

1 The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach by Philippe Courtot, Chairman and CEO, Qualys Inc. Information Age Security Conference - London - September 25 th 2008

2 Agenda The Problem at hand = Simplifying Security and Compliance A Software as a Service (SaaS) Approach to bring Security and Compliance together and delivering it as a Service Why is SaaS a disruptive technology? The fears of having the data outside my enterprise and being captive to the vendors who control it What does this all mean to the security industry and professionals? Q&A

3 The Problem to Solve IT Security and Compliance on a Global Scale Assessing the Security and Compliance posture of the IT infrastructure is critical and harder than ever Increased sophistication of the attacks Accelerated technological innovation driven by the consumerization of technology Ever increasing set of data security and privacy regulations Answering the business needs to extend the enterprise Throwing software, hardware and people at the problem is not an option anymore

4 Gartner s View Enterprise Compliance and Risk Management Regulations SOX, PCI, HIPAA Control Objectives CobiT, ITIL, others Controls ISO 17799, NIST , others Policy Mapping People and Process Policies Policy Distribution & Management Identity and Access Secure Configuration Monitor and Report Vulnerability Compliance Management Define Policies Create a Baseline Assess Vulnerability Risk User Process Application Systems Compliance Reporting Eliminate Root Cause Shield and Mitigate Difficult and costly to implement and maintain with Enterprise Software

5 Automation is the Solution The Tasks at Hand Assessing the IT Security and Compliance Posture on a Global Scale is what Enterprises have been Asking for! Comprehensive and Accurate Collection of Security and Compliance information and dashboards to monitor and visualize Providing Actionable Reports to ALL constituents Automated Auditing of Remediation Extending Security and Compliance Requirements to Outsourcers, Suppliers and Partners The challenge is to identify and to audit every asset and provide actionable reports to all stakeholders

6 Security + Compliance Posture Actionable Reporting for all Stakeholders And Delivering it as a Service The Security + Compliance Conundrum Leveraging well established frameworks such as CobIT, ISO, ITIL and NIST Security & Compliance Frameworks

7 A New Paradigm: Security + Compliance Lifecycle Workflow Under this new paradigm, a system is deemed out of compliance if it is: Vulnerable to attacks, Improperly configured or in violation of internal policies or external regulations

8 Example of a Global SaaS Infrastructure Qualys SaaS Security and Compliance Scanning Infrastructure End to End Security Annual Volume of Scans: 250+ millions IP audit scans (maps and scans) with 7,000 scanner appliances in over 85 countries with 6 Sigma scanning accuracy (less than 3.4 defects per million scans) The world's largest VM enterprise deployment at a Forbes Global 50 with 223 scanner appliances deployed in 52 countries scanning 1 million IPs

9 Example of Seamless Delivery of New Functionalities with SaaS C O N F I D E N T I A L

10 Why is SaaS a disruptive Technology? Orders of magnitude more cost effective to develop, deliver and update -- It also delivers better quality Liberates enterprises from making complex and costly IT infrastructure choices and having to live with them for a long time Allows security to be built into the infrastructure and applications and allows users to better control access and distribution Allows users to try before buying and to switch vendor easily Why has such a disruptive technology taken so long to emerge and why are there still so few implementations?

11 What about the fears of having the data outside the direct control of the enterprise? This is of course a legitimate concern as controlling the security and privacy of the data is the number one job of the security professional and yet counter-intuitively the SaaS model provides for better and more measurable security and compliance

12 What does it means for the security industry and for the security professionals? We are going to see an accelerated consolidation of the high industry in general and of the security industry in particular SaaS will have a transformational impact on the role of the CIO and of the CISO

13 Q&A Thank You