BCS SAM and Info Sec - Intersections and Interactions

Transcription

1 14 April 2016 BCS SAM and Info Sec - Intersections and Interactions Using Configuration Management to provide a spotlight on Software Compliance and Information Security

2 Presenters Nick Waring Senior Business Consultant HPE Software Services Nick is an experienced Configuration Management and Software Asset Management practitioner who works with customers across the Public and Private sectors. Matt Beavis Solution Architect HPE Software Services Hands on delivery consultant with Global experience across Networks, Servers, Monitoring, Event Management, Incident Management and Configuration Management

3 Topics we ll cover Configuration Management: - Business Challenges - CMDB - Value & Benefits Information Security: - 20 Critical Cyber Controls - Configuration Management Response Software Asset Management: - Software Inventory vs Configuration Management - Configuration Management Value

4 Business Challenges for Configuration Management Which systems & software assets do I have in my estate, and what services they support? Is my DR capability in line with the Live service? We need to reduce outages with more accurate Change impact assessment, and change verification. We need to know which critical business services are impacted and fix the most important problems faster. I need to save costs on software and hardware, and stay compliant Critical services IT infrastructure Cost savings data driven

5 Configuration Management System CMDB: The heart of the Configuration Management System Event CMDB Single Version of Truth Incident, Change, Problem & Request Integrate / Federate Discover Normalize, Enrich, Reconcile Service / System Modeling Enable Asset Management Project and Portfolio Management IT Environment Standardization, Change Control, and Business Continuity IT service / application that relies on IT data Business Functions (e.g. Security & Architecture)

6 Information Security: The Critical Security Controls for Effective Cyber Defence Critical Control Critical Control 1 Inventory of Authorized and Unauthorized Devices 11 Limitation and Control of Network Ports, Protocols, and Services 2 Inventory of Authorized and Unauthorized Software 12 Controlled Use of Administrative Privileges 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 13 Boundary Defence 4 Continuous Vulnerability Assessment and Remediation 14 Maintenance, Monitoring, and Analysis of Audit Logs 5 Malware Defences 15 Controlled Access Based on the Need to Know 6 Application Software Security 16 Account Monitoring and Control 7 Wireless Access Control 17 Data Protection 8 Data Recovery Capability 18 Incident Response and Management 9 Security Skills Assessment and Appropriate Training to Fill Gaps 19 Secure Network Engineering 10 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 20 Penetration Tests and Red Team Exercises Center for Internet Security 6

7 Information Security: The Critical Security Controls for Effective Cyber Defence Critical Control Critical Control 1 Inventory of Authorized and Unauthorized Devices 11 Limitation and Control of Network Ports, Protocols, and Services 2 Inventory of Authorized and Unauthorized Software 12 Controlled Use of Administrative Privileges 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 13 Boundary Defence 4 Continuous Vulnerability Assessment and Remediation 14 Maintenance, Monitoring, and Analysis of Audit Logs 5 Malware Defences 15 Controlled Access Based on the Need to Know 6 Application Software Security 16 Account Monitoring and Control 7 Wireless Access Control 17 Data Protection 8 Data Recovery Capability 18 Incident Response and Management 9 Security Skills Assessment and Appropriate Training to Fill Gaps 19 Secure Network Engineering 10 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Establish, implement and actively Actively manage (inventory, track, and Continuously manage the security acquire, configuration assess and take of correct) Manage correct) all software all the hardware security on the lifecycle devices network of on all so the in that laptops, action servers on new and information workstations in order using to a house only network authorised developed so that software only and authorised acquired installed software devices and in rigorous identify configuration vulnerabilities, management remediate and are can order given execute to access, prevent, and that and detect unauthorised and correct and change minimise control the window process of in opportunity order to prevent for unmanaged security devices software weaknesses are is found and attackers from attackers exploiting vulnerable prevented prevented from from installation gaining or access execution services and settings 20 Penetration Tests and Red Team Exercises Center for Internet Security 7

8 Configuration Management Value Critical Controls Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Continuous Vulnerability Assessment and Remediation 6 Application Software Security Configuration Management Response Detection of new devices being connected to the network. Regular discovery of device configuration. Identify un-authorised devices. Detection of new software on your devices Software Details and Software Usage Identify un-authorised software installation Detection of hardware and software changes in your estate Identify unauthorised changes and security risks Regular discovery of your estate Identify location of new/existing vulnerabilities Intelligent vulnerability detection Track remediation work. Regular discovery of your estate Identify location of susceptible software versions Intelligent vulnerability detection Track remediation work. 8

9 Software Asset Management & Configuration Management Is an asset a configuration item? Is a configuration item an asset? Lifespan: Whilst in Operational use Stewardship: Who is responsible for managing it Relationship: To other CIs and services Risk: What is role / importance of the item in the production environment Financial: Opex Configuration Management Performance: Availability, performance, and contribution to other service-level objectives Software Asset Management Lifespan: Request to Disposal Ownership: Who owns it Relationship: To contracts & support agreements Risk: Legal and commercial compliance Financial: Depreciation & Capital Assets Performance: Vendor performance during contract period In the case where an IT component is important to delivering an IT service, you must manage it and also track ownership, value, and access; it is both an asset and a configuration item. So why do organisations think of, discover and manage assets and Cis separately, especially when they refer to the same IT components? 9

10 Configuration Management System & SAM Let s look again at the CMDB & Configuration Management System Event Incident, Change, Problem & Request Integrate / Federate Normalize, Enrich, Reconcile Enable Software Asset Management Discover Service / System Modeling Project and Portfolio Management IT Environment Business Functions & IT services that depend on data 10

11 Value of Configuration Management to SAM Improved decision making through better data. SAM inventory data enriched with multiple sources of data Modelled Systems inform SAM which business applications software is supporting Defined business owners of applications / systems support cross charging and TCO analysis Ability to consider what if scenarios using Impact Assessment use cases 11

12 Closing Thoughts Configuration Management principles Authoritative: The Single Version of the Truth Trusted: Automatic discovery improves data quality Efficient: Collect Once, re-use many times Relevant: Only store what is needed With Context: Apply business context to IT data Accessible: Easily accessed to encourage adoption Compliant: Providing governance and oversight to the configuration of Live Services Consumed: Used across a broad range of processes, capabilities and teams

13

14 Configuration Management value: Authoritative, trusted data to support business decision making Reduced business and operational risks by having end-to-end impact assessment Improved service delivery by using data dependency and modeling capabilities Enhanced Change, Asset and availability management Faster service discovery and modeling Improved service quality and data accuracy

15 Typical CMS use cases and process enablement Service modeling and application mapping Governance / Compliance / Standardization Incident resolution Processes Change impact analysis Software license management Change control, unplanned changes Hardware Asset Management Service impact analysis (event management) SACM CLIP

16 The Benefits of Configuration Management System Understand Change Impact Avoid service Disruptions Authorize changes wisely Transparency and close loop Understand the impact of an infrastructure change on your business services. Is this change critical? Which services might be impacted? Learn what might be the reason for a service disruption. Disruptions usually occur due to change Which configuration changes might have caused cause disruption? Plan your changes based on accurate maps Don t just assume things are out there Drill from services to infrastructure including networks and storage Share data among your processes Use the same service definitions for all your processes including change and monitoring