Delivering IT Security and Compliance as a Service

Transcription

1 Delivering IT Security and Compliance as a Service Matthew Clancy Technical Account Manager Qualys, Inc.

2 Agenda Technology Overview The Problem: Delivering IT Security & Compliance Key differentiator: Software as a Service (SaaS) approach Putting it Into Practice Security & Compliance Solution: Key Implementation Objectives Approximate timeframes for deployment and costs Keys to Success: Integrating the business owners Case study: Fifth Third Bank Summary and Conclusion 2

3 The Problem to Solve Assessing IT Security and Compliance posture on a distributed scale, and complying with Data Security and Privacy Regulations is more difficult than ever: Increased sophistication of the attacks (target the user and applications) Overlapping set of data security and privacy regulations: (HIPAA, GLBA, Sarbanes-Oxley, FISMA, PCI) Providing Actionable Reports to ALL constituents: Audit, Security, and Operations Extending Security and Compliance Requirements to Suppliers and Partners Throwing more people and hardware/software at the problem is not the best option 3

4 A SaaS Solution to the Problem Bringing Security and Compliance Together And Delivering it as a Service The Security + Compliance Conundrum Capturing all relevant data and providing actionable reports to all constituents 4

5 A SaaS Solution to the Problem Security + Compliance Lifecycle Workflow Under this model, a system is deemed out of compliance if it is: Vulnerable to attacks, Improperly configured or in violation of internal policies or external regulations 5

6 A SaaS Solution to the Problem Bringing Security and Compliance into a Single Solution -- with no software to install and to update -- 6

7 QualysGuard IT Security & Compliance Suite QualysGuard Vulnerability Management - Globally Deployable, Scalable Security Risk and Vulnerability Management QualysGuard Policy Compliance - Define, Audit, and Document IT Security Compliance QualysGuard PCI Compliance - Automated PCI Compliance Validation for Merchants and Acquiring Institutions QualysGuard Web Application Scanning - Automated Web Application Security Assessment and Reporting that Scales with your Business QualysGuard Malware Detection (New) - Free Malware Detection Service for Web Sites Qualys GO SECURE (New) - Web Site Security Testing Service and Security Seal that Scans for Vulnerabilities, Malware and SSL Certificate Validation 7

8 Software as a Service (SaaS) Approach - Objectives Centralized solution delivered over the Internet that accomplishes objectives of Security, Audit, and Operational Teams All that is needed is a Web browser and appropriate credentials Lower cost of ownership to end-users Ease of deployment and reduced maintenance requirements for solution: No servers to manage or update, no software to install or maintain Eliminate the need for database capacity planning as assessment scope grows Frequent and automated release cycle for vulnerability detection updates, software updates, and OS updates Reduce complexity of application and eliminate infrastructure choices Provide Third-Party audit yet enabling the end user to control the assessment 8

9 Security & Compliance Solution Key Implementation Objectives Consider scanner locations based on network topology Scanning engine appliances avoid scanning through firewalls where possible Begin with global network discovery Identify servers, infrastructure devices, workstations, wireless, rogue devices Seriously consider how to architect asset groupings Platform vs. Platform (Windows vs. Unix), functional business value (Financial vs. HR) Definition of user roles for access to the data Platform vs. Platform (Windows vs. Unix), functional business value (Financial vs. HR) Establish realistic remediation policies Begin with critical severity risks, work way down. Consider how you generate tickets 9

10 Case Study: Fifth Third Bank One of the Largest Banks in the US Fortune 500 Bank Over 1200 Branch Offices 30,000 Employees Problem (examples): Lack of a centralized, consistent process and solution Disparate processes and solutions Required management of scanner software/servers across distributed networks (DMZ s and Intranet) No way to securely perform external assessments (needed to use external DSL lines), difficult to consolidate to central database Required third-party auditors to provide assessments for regulatory requirements, a duplicated and redundant effort Difficulty managing the sheer size of vulnerability data being collected capacity planning of databases No consistent and repeatable process for PCI scanning Credibility of scan results was a problem 10

11 Case Study: Fifth Third Bank Solution: Implemented QualysGuard Enterprise Vulnerability Management Fully deployed 20 Scanner Appliances within DMZ and intranet environments in two weeks timeframe No need to deploy external scanners Results: Significant reduction of critical vulnerability count over 6 month time period Maintaining compliance with third-party regulations: Self Certification for PCI Scanning Realized soft-cost savings due to Software-as-a-Service model (Remediating rather than scanning) Automation of scanning and network discovery yields FTE time savings Differential vulnerability reporting over time proves process is in place and is effective Tangible results and remediation steps are automatically distributed on a weekly basis per scan schedule Hierarchical and distributed access granted across geographically dispersed regions Empowered organization to take ownership of security information Obtained greater Buy-in to Vulnerability Process (no longer telling people to fix vulnerabilities) 11

12 Summary Bring Security & Compliance together and deliver it as a Service Operationalize the Information Dissemination & Remediation Process Software as a Service (SaaS) Approach to the Problem Lower Costs: Reduction of maintenance & elimination of capacity planning Satisfy Audit, Security, and Operations Deployment Methodology: Scanner placement, Asset Categorization, User Access, Realistic Goals for Remediation 12

13 Q & A Questions? Thank You! mclancy@qualys.comm 13

14 THANK YOU! Matthew Clancy Technical Account Manager Qualys, Inc.