How to manage IT Risks and IT Compliance as a Service in a complex IS environment
The Road Ahead in the Cloud
Marek Skalický, CISM, CRISC
Regional Account Manager for CAEE
For SECURE 2012, Warsaw
Agenda
- IT/Security Management in the age of cyber-wars / APT
- Cloud approach to current IT/Security challenges
- IT all STARTS and ENDS with ASSETS!
- Can we measure and monitor IT Risk on-time?
- Can we audit and report IT Compliance on-demand?
- Can we run integrated web-site prevention and protection?
- Qualys, provider of Security as a Service
- QualysGuard Integrated Security & Compliance Suite
IT/Security Management in cyber-wars / APT
Current Challenges of IT/Security Management:
- Highly distributed & highly diversified IT infrastructure
  - In-house / Traveling / Hosted / Outsourced IT, Services and Applications
  - Enterprise / Private Cloud / Public Cloud IT, Services and Apps
- Availability (SLA) versus Security (Risk Management) requirements
- Growing number of IT Vulnerabilities and Threats (Hacker attacks, Malware, APT)
- Very limited resources (HR, financial and time) & Virtualization
- Compliance requirements (ITIL, ISMS, BCM, ISO 2700X, Cobit, CIS)
- and EVERYTHING CHANGES IN TIME!!!
[Diagram: Asset Value / Threat / Vulnerability mapped across In-house Enterprise ICT, Hosted IT, Outsourced IT, Private Clouds, Public Clouds (SaaS, PaaS / IaaS), Internet and Traveling Mobile devices]
Cloud approach to IT/Security challenges
- Cover maximum types of Assets, IT services and applications
- Cover maximum types of IT service Delivery Models
- Global scalability and flexibility
- Centralized Management
- Centralized Maintenance
- Centralized Database
- Centralized Reporting
- No HW/SW/HR investment
- No maintenance costs
- Delivered as a Service: On-demand and On-Schedule
- High level of automation
- Fast development cycle
- Fast implementation process
- Intelligence & Result correlation
- Flexible in time and scope
[Diagram: service delivery models covered: In-house Enterprise ICT, Hosted IT, Outsourced IT, Private Clouds, Public Clouds (SaaS, PaaS / IaaS), Internet and Traveling Mobile devices]
IT ALL starts and ends with ASSETS
Discover, Manage and Search IT Assets in the global infrastructure:
- Network layer
- Application layer
- Virtualization layer
Organize ICT Assets using Tags:
- Static and Dynamic asset tagging
- Hierarchical asset tagging
- Automatic self-updating Tags
Tagging / Searching / Reporting based on:
- Platforms, applications, services
- Asset responsibility and ownership
- Business Processes
- Business Value
- Localities, Purpose, ...
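As an added illustration (example code written for this page, not QualysGuard code; the asset attributes, rule syntax and host names are assumptions), this Python sketch shows how static, dynamic and hierarchical tags combine so that tags self-update when discovery changes an asset's attributes, and how search and reporting by tag then work:

```python
from typing import Callable, Dict, List, NamedTuple, Optional, Set

Asset = Dict[str, object]   # discovered attributes, e.g. {"os": "Linux", "hosting": "public"}

class Tag(NamedTuple):
    name: str
    parent: Optional[str] = None                    # hierarchy: a child tag implies its parent
    rule: Optional[Callable[[Asset], bool]] = None  # dynamic tag = predicate; None = static tag

class Inventory:
    def __init__(self) -> None:
        self.tags: Dict[str, Tag] = {}
        self.assets: Dict[str, Asset] = {}
        self.static: Dict[str, Set[str]] = {}   # asset id -> manually assigned tags

    def define(self, *tags: Tag) -> None:
        self.tags.update({t.name: t for t in tags})

    def upsert(self, asset_id: str, **attrs: object) -> None:
        # Discovery rewrites attributes; dynamic tags are recomputed on read, so they self-update.
        self.assets.setdefault(asset_id, {}).update(attrs)

    def assign(self, asset_id: str, tag: str) -> None:
        self.static.setdefault(asset_id, set()).add(tag)

    def _with_ancestors(self, names: Set[str]) -> Set[str]:
        out: Set[str] = set()
        for cur in names:
            while cur is not None and cur not in out:   # walk up the hierarchy, cycle-safe
                out.add(cur)
                cur = self.tags[cur].parent if cur in self.tags else None
        return out

    def tags_of(self, asset_id: str) -> Set[str]:
        dynamic = {t.name for t in self.tags.values() if t.rule and t.rule(self.assets[asset_id])}
        return self._with_ancestors(dynamic | self.static.get(asset_id, set()))

    def search(self, tag: str) -> List[str]:
        return sorted(a for a in self.assets if tag in self.tags_of(a))

def build_demo() -> Inventory:
    # Constructed sample inventory with hypothetical hosts, not real data.
    inv = Inventory()
    inv.define(Tag("Cloud"), Tag("Finance"),
               Tag("PublicCloud", "Cloud", lambda a: a.get("hosting") == "public"),
               Tag("Windows", None, lambda a: str(a.get("os", "")).startswith("Windows")))
    inv.upsert("srv-1", os="Windows Server 2008", hosting="public")
    inv.upsert("srv-2", os="Linux", hosting="in-house")
    inv.assign("srv-2", "Finance")   # static tag for business-process ownership
    return inv
```

Moving srv-2 to public hosting with another `upsert` call is enough for it to appear under the Cloud tag in the next report, with no manual re-tagging.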
Can we measure & monitor IT Risk on-time?
Can we audit & report IT Compliance on-demand?
Can we run integrated web prevention-protection?
Qualys, provider of Security as a Service
Qualys at a glance:
- Founded 1999, on the market since 2001
- Market Leader since 2008 (Gartner, Forrester, IDC analysis)
- 5500+ customers in 90 countries
- 51% of Fortune 100 companies
Qualys performed in 2010-2011:
- Over 600 million IP vulnerability scans
- Over 10 million Web Application scans
- Over 3 million Internet browser check audits
- Over 2 million Web Application SSL audits
- Reached Six-Sigma scanning accuracy
QualysGuard Cloud Suite of Integrated Security & Compliance Solutions
Delivering a Global and Continuous View of Security and Compliance: Device & Application Security
The QualysGuard Cloud Platform and Suite of Integrated Solutions allow enterprises to discover and catalog all IT assets, and provide them with a continuous view of their security and compliance posture on a global scale.
Benefits:
- Fully automated, continuous asset discovery and security & compliance assessments.
- Up-to-date security intelligence with no software to install and maintain.
Delivering a Global and Continuous View of Security and Compliance: Integration with IT-GRC
The QualysGuard Cloud Platform and Suite of Integrated Solutions automate the collection of security and compliance data with customizable policies, questionnaires and workflows, helping organizations expedite compliance and reduce cost.
Benefits:
- Agent-less compliance auditing supporting multiple regulatory mandates.
- Customizable questionnaires and workflows to evaluate controls, gather evidence and validate compliance.
- Seamless integration with enterprise GRC solutions.
Thank You
mskalicky@qualys.com