Asset Management In A Consumerized World

Transcription

1 Asset Management In A Consumerized World Generously sponsored by: August 28, 2012 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London

2 Welcome Conference Moderator Allan Wall ISSA Web Conference Committee 2

3 Agenda Speakers William Perry - Chief Information Security Officer, California State University, Chancellor's Office Michael A. Panico - Vice President, Seattle Office, Stroz Friedberg, LLC Don Gray - Chief Security Strategist, Solutionary Open Panel with Audience Q&A Closing Remarks 3

4 IT Asset Management Making the case for ITAM automation William Perry 4

5 What is IT Asset Management (ITAM) A set of business practices that incorporate IT assets across the business units within the organization. Joins the financial, inventory, and contractual responsibilities to manage the overall life cycle, which includes tactical and strategic decision-making. Assists firms in making intelligent business decisions The IT asset manager maximizes benefits while minimizing risk from IT assets in their organization. 5

6 Benefits of Automating ITAM For any organization with more than 250 managed devices, IT Asset Management (ITAM) can be a massive headache. Where assets are managed manually through the use of spreadsheets, information can quickly become out-of-date and the effort to keep it accurate can be enormous, especially in geographically dispersed organizations. And often the expense and effort of an audit is wasted as the information does not get used beyond the initial purpose of the audit. Asset management allows a firm to maximize savings on hardware and software procurement It is important to find the balance between requirements for full automation and 100% accuracy with the cost of achieving these states. In reality, 95% automation with 90% accuracy may be good enough. Choose features that will provide the maximum coverage for a reasonable price, and ensure that integration of ITAM tools is appropriate for the benefits it will provide. 6

7 Implementing an ITAM Automation Tool Short list and prioritize your requirements. Understand capabilities and important functions of an ITAM tool. Choose the right tool for your environment. Follow an implementation methodology. Timing will be anywhere from a few days to several months Educate Key users Understand vendor s service level agreements 7

8 Making the Case for the Executive Team Automated tools can offer up to 30% savings on software, 15% on hardware, and up to 20% in efficiencies through integration with the helpdesk. 8 Savings Automation can lead to up to 30% savings in software through license harvesting and redeployment and 15% savings in hardware through redeployment and reduction of lost hardware assets. Avoid paying penalties from late contract renewals, late or missed lease returns. Use notification features for expiry and renewal information to manage warranties and cost justify all maintenance and support contracts. Risk mitigation The potential risks associated with data loss are estimated to be $50,000 to $185,000 per computer depending on the data and whether it is considered high or low risk. Lower the risk of audit by regularly monitoring software compliance. Changes to license status will be reported immediately and will enable action to be taken to regain compliance. Keep software compliant to put you in a stronger negotiating position with vendors. Efficiencies Automated discovery can reduce the inventory time and increase accuracy exponentially over a manual process. Link assets directly to the service desk for managing tickets, creating workflows, automation of tasks and reporting. Access asset configuration data for troubleshooting without having to visit the workstation is a huge timesaver for helpdesk staff.

9 Getting the Right Solution Getting the right tool does not necessarily mean that you need the most expensive option. In some scenarios, purchasing a tool that is good enough can be better than spending money on an expensive, complicated tool. Integration with ERP, Financial, Purchasing, Service Desk, and Systems Management tools can provide great extended functionality, but will increase complexity of implementation as well as costs. Advanced license management capabilities for complex licensing scenarios such as IBM PVU, Adobe Suites, Oracle, and Engineering applications will solve a great number of license management challenges, but if it is for just a small number of instances, the prices of these features may outweigh the costs of manually managing. If you are anticipating growing complexity to your environment, consider a solution that takes a modular approach to grow with your organization. 9

10 Summary Without dedicated people and formalized processes, the benefits of automated tools for asset management will not be achieved. Solutions can start as simple inventory tools, but need to have the capability to manage contracts and link licenses to discovered assets. Without the ability to link contracts, licenses and assets, a great deal of manual work will need to be completed. Ensure that minimum requirements can be met, then look to see what advanced features will make your job easier and more effective. The initial set up will be time consuming and challenging, but the benefits will far outweigh the efforts. Once this process is started, regular maintenance will enable you to keep IT asset costs at a reasonable level. 10

11 Question and Answer William Perry Chief Information Security Officer, California State University, Chancellor's Office

12 Digital Investigations and BYOD Legal and Forensic Challenges Michael A. Panico Insert Photo Here 12

13 Impact on Investigations Digital Investigations Internal Investigations of Personnel Incident Response to Cyber Attacks ediscovery 13

14 Legal Challenges Disclaimer Security and Privacy Security vs. Privacy Personal data is now collected and preserved by the enterprise with its attendant responsibilities City of Ontario v. Quon Protocols for review ediscovery Europe/DPD 14

15 Operational/Logistical Challenges Retrieval of Devices Passwords Remote Wiping Can go both ways! Device Isolation is one of the first steps Impact on Productivity and Personnel Device seizure Wiping personal information Loss of control of data 15

16 Technical Forensic Challenges Cell phone forensics is a new and growing discipline Multitude of platforms, devices, OS, apps, carriers Results of digital forensic examinations vary widely based on these factors Preservation/collection is generally global Targeted, logical, physical dumps, backups Examination Preserve privacy of individual Court ordered protocols 16

17 Forensics continued Want to do work IN THE LAB Isolate from the network Bluetooth, WiFi, Cellular lots of ways to touch that phone Airplane mode, Faraday bags, etc. Requires special tools Multiple acquisitions Removable media Can be very involved and take as much time to collect and examine a phone as it would an entire server Data should be collected in multiple ways to ensure a thorough investigation 17

18 Cyber Attack: As Vector Malware can target: Data Keystrokes Access to corporate network Geolocation, etc. Attack surface is broadened Client-side attacks are highly effective , poisoned hyperlinks, etc. Cloud backup Home computers Hack of user s personal accounts gives them access to devices (Wired author) 18

19 Personal Devices Exfiltration vehicle for valuable IP (data leakage) Cloud connections/backup Webmail, dropbox, icloud, etc. Camera Text Video and Voice Recording Settings Connections to Wireless networks 19

20 Cyber Attacks: Device as Target Theft/Loss of device Significant % of data breach incidents Time to Wipe? How much exposure? Executive travel and economic espionage Hack of user s account How hard is it to steal and hide a phone? 20

21 Implications for Strategy Well authored and comprehensive policies AUPs MDM Addresses some, but not all concerns for BYOD Passwords Encryption Application of common-sense security controls NAC Updates/patches AV? 21

22 Contact Information Michael A. Panico Vice President Stroz Friedberg, LLC Seattle Branch

23 Question and Answer Michael A. Panico Vice President, Seattle Office, Stroz Friedberg, LCC

24 Integrating Mobile Assets Into Your Security Program Don Gray Chief Security Strategist, Solutionary Insert Photo Here 24

25 The Goal A single view Everything the same A sense of control 25

26 The Reality BYOD or not these devices have your data Uncontrolled threat profile caused by usage BYON, jail-breaking, rooting Legal / Privacy limitations There s an App for that! Mobile Malware FakeInst SMSZombie NotCompatible Android.Bmaster LuckyCat 26

27 Getting a Grip Respect both the organization s culture and regulatory requirements If it s not locked down in a datacenter, it s hostile Clear, concise mobile device policy User awareness cannot be understated Combination of NAC & MDM Keep out those that don t abide Remote wipe those that get lost or stolen Focused on hindering loss or theft of data 27

28 Mobile Security ios & Android are the market trying to include others will be a challenge Provisioning needs to be self-service! NAC is back! Re-acquaint yourself with NAC Explore the mobile clients now available MDM Still fairly immature, technology is evolving quickly Consider using a provider if possible 28

29 Security Program Considerations The threat must equal the risk, maybe NAC first to exclude, then MDM later to control Who on my staff is going to manage this new infrastructure / applications / incidents? What s our monitoring strategy / capability? How can I get as close to that single pane of glass as possible? How can I identify my mobile assets and create appropriate analytics / rules / signatures for them to enable efficient response? 29

30 Some Resources ISSA Excellent presentation about cellular eavesdropping, tower spoofing, content/uploads/2011/04/jeff-stern-issa- Presentation.pdf ISACA Solid foundation for implementing controls Securing Mobile Devices Whitepaper Mobile Computing Security Audit/Assurance Program 30

31 Question and Answer Don Gray Chief Security Strategist, Solutionary

32 Open Panel with Audience Q&A William Perry - Chief Information Security Officer, California State University, Chancellor's Office Michael A. Panico - Vice President, Seattle Office, Stroz Friedberg, LLC Don Gray - Chief Security Strategist, Solutionary 32

33 Closing Remarks Thank you to our Sponsor Thank you to Citrix for donating this Webcast service Online Meetings Made Easy 33

34 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. 34