Simplified IT Compliance Frameworks to Reduce Costs and Strengthen Security

Transcription

1 Copyright 2008 EMC Corporation. All rights reserved. Simplified IT Compliance Frameworks to Reduce Costs and Strengthen Security Dave Simmons EMC Corporation

2 Why is Information Security So Difficult? because sensitive information is always moving, transforming DR WAN Data warehouse WW Campuses Business Analytics Back up tape WWW WW Customers Customer Portal Production Data Disk storage WW Partners WAN Outsourced Development Staging Back up disk Remote Employees VPN Enterprise File Server Endpoint Network Applications Copyright 2008 EMC Corporation. All rights reserved. 2 Files Storage

3 Why is Information Security So Difficult? and every movement and transformation has unique risks Device Theft Media Theft WAN Unauthorized Data Activity warehouse DR Media Loss WW Campuses Business Analytics Takeover Intercept WWW Unauthorized Access Unauthorized Access Unavailability Back up tape WW Customers Eavesdropping Fraud Customer portal Production Data Corruption Disk storage Unintentional Distribution WW Partners Data Loss Device Remote Employees Loss WAN VPN Outsourced Development Unauthorized Activity Enterprise Staging Data Theft File Server Back up disk DOS Endpoint Network Applications Copyright 2008 EMC Corporation. All rights reserved. 3 Files Storage

4 Understanding Risk Risk is the combination of the probability of an event and its consequences. (ISO definition) Risk Components Assets (Information, infrastructure, etc.) Threats (Sources, Objectives & Methods) Vulnerabilities (People, Process & Technology) RSA & EMC Can Help Managing Risk Avoid Eliminate the source of the risk Control Implement controls to reduce risk Accept Be aware but take no action Ignore Refuse to acknowledge risk Transfer Assign risk to other agency Copyright 2008 EMC Corporation. All rights reserved. 4

5 Risk Aligns Security Investments to Compliance Requirements PCI SOX HIPAA Internal Reqs Partner Reqs What information is important to the business? Sensitive Information Risk What risks are we willing to accept, what risks do we need to protect against to enable the business? Where does it go? Security Incidents What bad things can happen? Endpoint Network App / DB Copyright 2008 EMC Corporation. All rights reserved. 5 FS/CMS Storage

6 Today s Agenda Compliance Landscape Frameworks for Security and Compliance Examples: Frameworks in Action RSA Solutions for Simplified IT Compliance Copyright 2008 EMC Corporation. All rights reserved. 6

7 Why We re Here Today Organizations worldwide: Spend heavily on compliance Don t see expected security improvements Have shrinking budgets Need to get better value out of investments they do make RSA has an approach to help: Reduce costs Simplify compliance Improve security Be proactive, instead of reactive Compliance landscape Industry groups Business partners Customers Internal policy Governmental Ernst & Young In 2007, compliance remained the number one driver of information security. Copyright 2008 EMC Corporation. All rights reserved. 7

8 Framework-Based Security Preparing for Ever-Changing Compliance PCI DSS HIPAA Internal Policy GLBA HSPD 12 CSB 1386 FISMA Country Privacy Laws COCOM SOX EU CDR UK RIPA Data Security Act FACTA EU Data Privacy FFIEC BASEL II J-SOX IRS NERC NISPOM Partner Rules Copyright 2008 EMC Corporation. All rights reserved. 8 ACSI 33 NIST 800 And what s next? State Privacy Laws

9 Reactive & Expensive IT Compliance PCI DSS Compliance Internal Policy Compliance Partner Policy Compliance Data Privacy Regulation Compliance Basel II Compliance Endpoint Network App / DB FS/CMS Storage Encryption Encryption Access Control Access Control Monitoring Monitoring Authentication Monitoring NAC Authentication Authentication Encryption Policy Log Management Data Leakage Monitoring Copyright 2008 EMC Corporation. All rights reserved. 9

10 Reactive & Expensive IT Compliance PCI DSS Compliance Internal Policy Compliance Partner Policy Compliance Data Privacy Regulation Compliance Basel II Compliance Endpoint Network App / DB FS/CMS Storage Encryption Monitoring Authentication Policy Access Control Encryption Access Gartner estimates that Control allocating Monitoringresources on a regulation-byregulation basis means that enterprises Authentication Authentication NAC spend an average of 150% more on compliance, Log Management largely Data Leakage due to duplication of effort! Gartner for IT Leaders Overview: The IT Compliance Professional. French Caldwell. Monitoring October 22, 2007 Monitoring Encryption Copyright 2008 EMC Corporation. All rights reserved. 10

11 Framework-Based Compliance & Security Enabling Cost-Effective Compliance PCI DSS Compliance Internal Policy Compliance Partner Policy Compliance Data Privacy Regulation Compliance Basel II Compliance Endpoint Network App / DB FS/CMS Storage Monitor, Report, Audit Authentication Access Control Encryption Key Management Encryption Encryption Encryption Encryption Encryption Data Loss Prevention Copyright 2008 EMC Corporation. All rights reserved. 11

12 The Solution: Framework-based Security & Compliance Security controls framework is: A comprehensive set of security controls (policies, procedures and technologies) Based upon industry-wide best practices Ideal for defining controls that should be applied in proactive manner Integrated into an organization s IT security policy Applied based upon how data are classified within your organization Security controls framework helps: Drive you to think about all security requirements needed Eliminate gaps in your security programs Enable more cost-effective compliance Execute your Information Risk Management strategy Most [CISOs] have realized that a principles-based framework can help them not only address multiple regulations simultaneously, but also get a more comprehensive grasp on the security universe they are responsible for. Khalid Kark Forrester Research Copyright 2008 EMC Corporation. All rights reserved. 12

13 Framework-Based Compliance & Security Laying A Foundation for Policy & Controls Many references ISO Information Technology Infrastructure Library (ITIL) Control Objectives for Information Technology (CoBIT) Committee of Sponsoring Organizations of the Treadway Commission (COSO) ISO [27002] is generally acknowledged to be the golden standard for coverage of security domain information. (Burton Group) 4. Risk Assessment and Treatment 5. Security Policy 6. Organization of Information Security 7. Asset Management 8. Human Resources Security 9. Physical Security 10. Communications and Ops Management 11. Access Control 12. Information Systems Acquisition, Development, Maintenance 13. Information Security Incident management 14. Business Continuity 15. Compliance ISO Clauses Copyright 2008 EMC Corporation. All rights reserved. 13

14 ISO & Compliance Alignment ISO Clauses Risk Assessment & Treatment Security Policy Organization of Information Security Asset Management Human Resources Management Physical & Environmental Security Communications and Operations Management Access Control NIST PCI SOX HIPAA Data Protection 12 Information Systems Acquisition, Development and Maintenance 13 Information Security Incident Management 14 Business Continuity Management 15 Compliance Copyright 2008 EMC Corporation. All rights reserved. 14

15 ISO & Compliance Alignment Key Best Practices Security policy (ISO ) Inventory of assets (ISO ) Information classification (ISO ) Physical entry control (ISO ) Segregation of duties (ISO ) Audit logging (ISO ) Monitoring system use (ISO ) User access management (ISO ) User identification and authentication (ISO ) Teleworking protection (ISO ) Cryptographic controls (ISO ) Data leakage prevention (ISO ) Compliance monitoring (ISO ) Sarbanes Oxley Copyright 2008 EMC Corporation. All rights reserved. 15

16 Framework-Based Security Communicating Security to Partners & Customers ISO and ISO 27002: Delivering a common language communicating security on a global basis Customers Outsourcers Business Partners Regulators Auditors Non-security staff Copyright 2008 EMC Corporation. All rights reserved. 16

17 Framework-Based Security Eliminating Gaps in Your Security Program Intellectual Property Health Records Financial Records Personal Information Credit Card Data Employee Records ISO Framework Patchwork Solutions Framework Based Solutions Comprehensive checklist Controls Holistic View of Security Copyright 2008 EMC Corporation. All rights reserved. 17

18 Aligning Compliance Case Study: Large Telco Result: Save Money, Time By Deploying Repeatable Controls for Multiple Requirements PCI Data Security Standard Sarbanes-Oxley Internal Policy Data Privacy Regulations Other Controls: Policies, Procedures and Technologies Access Control Logging Encryption Authentication Discover Data and Assets, and Assess Risk Based on Policy 4) Apply Controls in a Consistent and Repeatable Manner to Mitigate Risk & Manage Compliance 3) Discover Data, Assess Risk Internal Framework of Policies, Procedures & Technologies Other Security Controls Frameworks ISO ) Build a Framework of Best Practices Based Upon ISO Cardholder Data Financial Data Intellectual Property Copyright 2008 EMC Corporation. All rights reserved. 18 Personally Identifiable Info 1) Identify Sensitive Data Types

19 Components of Framework Based Compliance & Security Programs Inventory & Risk Assessment Policy & Classification Identify regulated data Analyze regulatory impact Identify high business impact data Qualify acceptable risk level for information Define information classifications Define information security policy Incorporate classification into policy Discovery Discover and document assets (people, systems & information) Discover and document current controls Implement Controls Monitor, Manage and Improve Define cross-organizational control requirements Implement controls (e.g., technologies, procedures) Monitor information environment Monitor & enforce compliance Incorporate risk analysis into mgt. processes Copyright 2008 EMC Corporation. All rights reserved. 19

20 Framework-Based Compliance & Security Why RSA? Inventory & Risk Assessment Policy & Classification Discovery Implement Controls Monitor, Manage and Improve Copyright 2008 EMC Corporation. All rights reserved. 20

21 A Process for Framework-Based Compliance RSA & EMC Solutions Inventory & Risk Assessment RSA Data Loss Prevention RSA Professional Services RSA Partners Policy & Classification RSA Professional Services RSA Partners Discovery RSA Data Loss Prevention RSA Professional Services Implement Controls Framework RSA Authentication & Authorization RSA Data Security RSA Information and Event Management EMC Information Management Solutions Monitor, Manage & Improve Copyright 2008 EMC Corporation. All rights reserved. 21 RSA Information and Event Management RSA Professional Services RSA Partners

22 ISO based Frameworks RSA Solutions Implement Controls Framework ISO Clauses 8 Human Resources Security 9 Physical & Environmental Security 11 Access Control RSA Authentication & Authorization RSA Data Security RSA Information and Event Management EMC Information Management Solutions Key ISO Best Practices Authenticate users Revoke access Control physical access Protect remote access Manage access based on policy RSA Solutions RSA SecurID RSA Access Manager RSA Card Manager RSA Digital Certificate Solutions Copyright 2008 EMC Corporation. All rights reserved. 22

23 What Do You Want for Your RSA SecurID Authenticator? Flexibility, choice, and broadest range supported applications Copyright 2008 EMC Corporation. All rights reserved. 23

24 ISO based Frameworks RSA Solutions Implement Controls Framework ISO Clauses 7 Asset Management 10 Communications & Operations Management 12 Information Systems Acquisition, Development & Maintenance 15 Compliance RSA Authentication & Authorization RSA Data Security RSA Information and Event Management EMC Information Management Solutions Key ISO Best Practices Inventory assets Classify data Prevent data leakage Manage encryption keys Enforce encryption policies Monitor for compliance RSA Solutions RSA Data Loss Prevention (DLP) Suite RSA File Security Manager RSA Key Manager for the Datacenter RSA Key Manager with Application Encryption Copyright 2008 EMC Corporation. All rights reserved. 24

25 Control Data Movement for Compliance: RSA Data Loss Prevention Suite Unified Policy Mgmt & Enforcement Incident Workflow DLP Enterprise Manager Dashboard & Reporting User & System Administration DLP Endpoint DLP Network DLP Datacenter Discover Laptops and desktops with Windows 2000 SP4 or higher OS Monitor (SMTP, IMAP), HTTP/S, FTP, P2P, IM/Chat, etc. Common Discovery Platform Discover File shares, eroom/sharepoint sites, Database files, SAN/NAS DLP Endpoint Copyright 2008 EMC Corporation. All rights reserved. 25

26 RSA DLP Comprehensive Compliance Library Acceptable Use 23 Policies including Post to Corporate Rumor Site Post to Financial Site Human Resources General Resumes Company Confidential 14 Policies including Mergers & Acquisitions Data Contracts Corporate Financials Employee Financials General Intellectual Property Protection 6 Policies including Company Intellectual Property Transmission of Intellectual Property to Competitor Patent Applications Regulatory Compliance 44 Policies including PCI-DSS (Payment Card Industry data Security Standard) PIPEDA (Personal Information Protection and Electronic Documents Act) GLBA (Gramm-Leach Bliley Act) HIPAA (Health Insurance Portability and Accountability Act) Fair Credit Reporting Act (FCRA) Privacy Protection 20 Policies including US Social Security Numbers Credit Card Numbers Credit Card Numbers - by Issuer US Drivers Licenses Canadian Social Insurance Numbers UK National Insurance Numbers Over 100+ out of the box policy templates (Blades) Copyright 2008 EMC Corporation. All rights reserved. 26

27 RSA Data Loss Prevention Suite: Enforce Compliance & Security Policy Unified Policy Mgmt & Enforcement Incident Workflow DLP Enterprise Manager Dashboard & Reporting User & System Administration DLP Endpoint DLP Network DLP Datacenter Discover Laptops and desktops with Windows 2000 SP4 or higher OS Enforce Copy, print, save, USB, burn, etc. Monitor (SMTP, IMAP), HTTP/S, FTP, P2P, IM/Chat, etc. Enforce Block, Notify, Alert, Encrypt Discover File shares, SharePoint sites, Database files, SAN/NAS Remediate Delete, quarantine, move Other DSS Enforcement Mechanisms 27 Copyright 2008 EMC Corporation. All rights reserved. 27

28 Managing Encryption for Compliance RSA Key Manager for the Datacenter Provides security over the long term Vaults and protects encryption keys Scales across the enterprise Centralized key management of encryption solutions across the IT stack Application Encryption PowerPath Encryption Connectrix Encryption Reduces cost and complexity over point key management solutions RSA Key Manager Server Tape Backup Encryption RSA File Security Manager File Encryption Database Encryption Copyright 2008 EMC Corporation. All rights reserved. 28

29 RSA Key Manager Provides Options While Reducing Complexity DR WAN Data warehouse WW Campuses Business Analytics Back up tape WWW WW Customers Customer Portal Production Data Disk storage WW Partners WAN Outsourced Development Staging Back up disk Remote Employees VPN Enterprise File Server Endpoint Network Applications Copyright 2008 EMC Corporation. All rights reserved. 29 Files Storage

30 RSA Key Manager Provides Options While Reducing Complexity WW Campuses WW Customers WW Partners Remote Employees WAN WWW WAN VPN Business Analytics RSA Key Manager Encryption Toolkit Customer Portal RSA Key Manager Encryption Toolkit Outsourced Development Enterprise DR FC SAN Encryption EMC Powerpath Data warehouse Cisco switches Brocade switches Oracle Production Data Oracle Staging FC SAN Encryption EMC Powerpath Disk storage Cisco switches Brocade switches RSA File Security File Manager Server Encrypting Tape Drives Back up tape Back up disk Endpoint Network Applications Copyright 2008 EMC Corporation. All rights reserved. 30 Files Storage

31 ISO based Frameworks RSA Solutions Implement Controls Framework ISO Clauses 10 Communications & Operations Management 13 Information Security Incident Management 15 Compliance RSA Authentication & Authorization RSA Data Security RSA Information and Event Management EMC Information Management Solutions Key ISO Best Practices Monitor IT systems Monitor systems usage Protect audit logs Protect audit tools Report & learn from security events Retain evidence of security events Monitor for compliance RSA Solution RSA envision Copyright 2008 EMC Corporation. All rights reserved. 31

32 Monitoring and Reporting for Compliance RSA envision Malicious Code Detection Spyware detection Access Control Enforcement Privileged User Management Real-Time Monitoring Troubleshooting Configuration Control Lockdown enforcement Compliance Monitoring IP Leakage False Positive Reduction User Monitoring Web server activity logs Web cache & proxy logs Content management logs SLA Monitoring Switch logs IDS/IDP logs VA Scan logs Router logs Windows domain logins Wireless access logs Oracle Financial Logs Windows logs VPN logs Firewall logs Linux, Unix, Windows OS logs Mainframe logs DHCP logs Client & file server logs San File Access Logs VLAN Access & Control logs Database Logs Copyright 2008 EMC Corporation. All rights reserved. 32

33 Security Information and Event Management Solution: RSA envision 3-in-1 Log Mgmt Platform for Compliance, Security and IT & Network Operations Copyright 2008 EMC Corporation. All rights reserved. 33

34 Security Information and Event Management Solution: RSA envision 3-in-1 Log Mgmt Platform Server Engineering Business Ops. Compliance Audit Risk Mgmt. Security Ops. Desktop Ops. Network Ops. Application & Database Baseline Report Alert/Correlation Asset Mgt. Simplify Log Mgmt. Compliance Access Control Configuration Control Malicious Software Policy Enforcements User Monitoring & Management Environmental & Transmission Security Enhance Security & Mitigate Risk Access Control Enforcement SLA Compliance Monitoring False Positive Reduction Real-time Alerts Unauthorized Network Service Detection Privileged User Monitoring All the Data Log Management Any enterprise IP device Universal Device Support (UDS) No filtering, normalizing, or data reduction Security events & operational information No agents required Forensics Optimize IT & Network Operations Incident Mgmt. Monitor network assets Troubleshoot network issues Assist with Helpdesk operations Optimize network performance Gain visibility into user behavior Build baseline of normal network activity for Compliance, Security and IT & Network Operations Copyright 2008 EMC Corporation. All rights reserved. 34

35 RSA envision Transformation of Data into Actionable Intelligence Dashboards >1100 reports for regulatory compliance & security operations >Includes ISO compliance reporting Copyright 2008 EMC Corporation. All rights reserved. 35

36 ISO based Compliance Frameworks RSA Solutions RSA envision reporting Over 20 out-of-the-box reports related to ISO 27002, including: Control of Human Resources Data (section 8.3) External Contractors Report (sections 8.1.3, ) Malicious Software Activity (section ) Password Changes and Expirations (section ) User Activity from External Domains (section ) Computer Account Logon Activity (section 11.5.B) Computer Account Status by Account (section ) Operation Change Control Report (section 11.6) Control of Operational Software (section ) Control of System Test Data (section ) Source Code Access (section ) Control of Collected Evidence (section 13.2) Control of System Audit Data (section ) Inventory & Risk Assessment Policy & Classification Discovery Implement Controls Monitor, Manage and Improve Copyright 2008 EMC Corporation. All rights reserved. 36

37 Compliance Framework Solutions Example PCI Requirements Mapped to RSA/EMC Solutions Card Data Discovery PCI Pre-Assessment & Gap Analysis Req. 1: Install and maintain a firewall Req. 2: Do not use default passwords Req. 3: Protect stored card data Req. 4: Encrypt card data in transit Req. 5: Use and update anti-virus Req. 6: Develop secure systems & apps Req. 7: Restrict access to card data Req. 8: Assign a unique ID Req. 9: Restrict physical access Req. 10: Track and monitor access Req. 11: Test security systems, processes Req. 12: Maintain an info sec policy Understanding Your PCI Compliance and Preparing for an Audit PCI Cardholder Data Discovery Service PCI Pre-Assessment & Gap Analysis Service Addressing PCI DSS Requirements EMC Smarts, EMC VoyenceControl reporting: RSA envision EMC Smarts, EMC VoyenceControl reporting: RSA envision Application Security Design and Assessment Service Reporting: EMC VoyenceControl RSA SecurID, RSA Digital Certificates reporting: RSA envision EMC Physical Security Solution, RSA Card Manager PCI Information Security Policy Service Copyright 2008 EMC Corporation. All rights reserved. 37 RSA Key Manager, RSA File Security Manager, RSA DLP Suite, Partners (e.g., Cisco) reporting: RSA envision RSA Key Manager, CipherOptics (partner), EMC VoyenceControl reporting: RSA envision reporting: RSA envision, EMC Smarts, EMC VoyenceControl RSA Access Manager, RSA File Security Manager, RSA Database Security Manager reporting: RSA envision RSA envision, EMC Symmetrix, EMC CLARiiON, EMC Centera, EMC Celera, EMC Smarts, EMC Voyence Control EMC Smarts, EMC VoyenceControl Partners: Accuvant (U.S.), Ezenta (EMEA), Integralis (EMEA, U.S.), Mnemonic (EMEA), Remington (U.S.)

38 Framework-Based Compliance & Security The Benefits Reduce costs Simplify compliance Improve security Manage information risk Questions? Direct: Thank you very much Copyright 2008 EMC Corporation. All rights reserved. 38

39