Delivering IT Security and Compliance as a Service




Matthew Clancy, Technical Account Manager, Qualys, Inc. (www.qualys.com)

Agenda
- Technology overview
  - The problem: delivering IT security and compliance
  - Key differentiator: the Software as a Service (SaaS) approach
- Putting it into practice
  - Security and compliance solution: key implementation objectives
  - Approximate timeframes for deployment and costs
  - Keys to success: integrating the business owners
- Case study: Fifth Third Bank
- Summary and conclusion

The Problem to Solve
Assessing IT security and compliance posture at a distributed scale, and complying with data security and privacy regulations, is more difficult than ever:
- Increased sophistication of attacks, which now target the user and the applications rather than only the network perimeter
- An overlapping set of data security and privacy regulations (HIPAA, GLBA, Sarbanes-Oxley, FISMA, PCI)
- Providing actionable reports to ALL constituents: audit, security and operations
- Extending security and compliance requirements to suppliers and partners
Throwing more people and more hardware/software at the problem is not the best option.

A SaaS Solution to the Problem: Bringing Security and Compliance Together and Delivering It as a Service
The security + compliance conundrum: capturing all relevant data and providing actionable reports to all constituents.

A SaaS Solution to the Problem: Security + Compliance Lifecycle Workflow
Under this model, a system is deemed out of compliance if it is:
- vulnerable to attacks,
- improperly configured, or
- in violation of internal policies or external regulations.

A SaaS Solution to the Problem: Bringing Security and Compliance into a Single Solution, with no software to install or update.

QualysGuard IT Security & Compliance Suite
- QualysGuard Vulnerability Management: globally deployable, scalable security risk and vulnerability management
- QualysGuard Policy Compliance: define, audit and document IT security compliance
- QualysGuard PCI Compliance: automated PCI compliance validation for merchants and acquiring institutions
- QualysGuard Web Application Scanning: automated web application security assessment and reporting that scales with your business
- QualysGuard Malware Detection (new): free malware detection service for web sites
- Qualys GO SECURE (new): web site security testing service and security seal that scans for vulnerabilities and malware and validates the SSL certificate

Software as a Service (SaaS) Approach: Objectives
- A centralized solution delivered over the Internet that accomplishes the objectives of the security, audit and operational teams
- All that is needed is a web browser and appropriate credentials
- Lower cost of ownership for end users
- Ease of deployment and reduced maintenance requirements: no servers to manage or update, no software to install or maintain
- Eliminates the need for database capacity planning as the assessment scope grows
- Frequent, automated release cycle for vulnerability detection updates, software updates and OS updates
- Reduced application complexity and no infrastructure choices to make
- Provides a third-party audit while still leaving the end user in control of the assessment

Security & Compliance Solution: Key Implementation Objectives
- Choose scanner locations based on network topology: place scanning engine appliances so that they avoid scanning through firewalls where possible (a firewall or IPS in the path can drop or rate-limit probes and hide findings)
- Begin with global network discovery: identify servers, infrastructure devices, workstations, wireless devices and rogue devices
- Seriously consider how to architect asset groupings: by platform (Windows vs. Unix) and by functional business value (Financial vs. HR)
- Define user roles for access to the data along the same dimensions: platform (Windows vs. Unix) and functional business value (Financial vs. HR)
- Establish realistic remediation policies: begin with critical-severity risks and work your way down, and decide how tickets will be generated

Case Study: Fifth Third Bank
One of the largest banks in the US: a Fortune 500 bank with over 1,200 branch offices and 30,000 employees.
Problem (examples):
- Lack of a centralized, consistent process and solution; disparate processes and solutions
- Required management of scanner software and servers across distributed networks (DMZs and intranet)
- No way to securely perform external assessments (external DSL lines had to be used), and results were difficult to consolidate into a central database
- Required third-party auditors to provide assessments for regulatory requirements, a duplicated and redundant effort
- Difficulty managing the sheer volume of vulnerability data being collected, and the capacity planning of databases to hold it
- No consistent, repeatable process for PCI scanning
- Credibility of scan results was a problem

Case Study: Fifth Third Bank
Solution: implemented QualysGuard Enterprise Vulnerability Management
- Fully deployed 20 scanner appliances within DMZ and intranet environments in a two-week timeframe
- No need to deploy external scanners
Results:
- Significant reduction of the critical vulnerability count over a six-month period
- Maintained compliance with third-party regulations: self-certification for PCI scanning
- Realized soft-cost savings from the Software-as-a-Service model (time spent remediating rather than scanning)
- Automation of scanning and network discovery yields FTE time savings
- Differential vulnerability reporting over time proves that a process is in place and is effective
- Tangible results and remediation steps are distributed automatically on a weekly basis, per the scan schedule
- Hierarchical and distributed access granted across geographically dispersed regions
- Empowered the organization to take ownership of its security information
- Obtained greater buy-in to the vulnerability process (no longer just telling people to fix vulnerabilities)
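The deployment methodology above (asset groupings by platform and business function, user roles scoped the same way, remediation policy that starts at critical severity and drives ticket generation) and the differential reporting cited in the case study are easier to see in code than on a slide. The following is an added example, not code from the presentation or from Qualys; the finding schema, the role definitions, the SLA day counts, the detection identifiers and the two weekly scan results are all constructed for illustration and do not represent any vendor's data format.

```python
"""Triage of vulnerability-scan findings: asset grouping, role-scoped views,
severity-driven remediation tickets and scan-to-scan differential reporting.
Added example; the schema and sample data are constructed, not a vendor format."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    platform: str       # "Windows" or "Unix"
    business_unit: str  # "Financial" or "HR"
    qid: str            # detection identifier (hypothetical values below)
    title: str
    severity: int       # 1 (informational) .. 5 (critical)


# Remediation policy: days allowed to fix, by severity. Assumed values that a
# team would tune; severities 1-2 are reported but not ticketed by default.
SLA_DAYS = {5: 7, 4: 30, 3: 90}

# Role definitions keyed on the same dimensions as the asset groupings.
# An empty scope means the role sees every finding (security / audit team).
ROLE_SCOPE = {
    "windows-admins": {"platform": "Windows"},
    "unix-admins": {"platform": "Unix"},
    "finance-it": {"business_unit": "Financial"},
    "hr-it": {"business_unit": "HR"},
    "security-audit": {},
}

# Constructed results from two consecutive weekly scans of the same hosts.
SCAN_WEEK1 = [
    Finding("fin-web01", "Unix", "Financial", "Q-1001", "Outdated OpenSSL", 5),
    Finding("fin-web01", "Unix", "Financial", "Q-1004", "Banner disclosure", 1),
    Finding("fin-db01", "Windows", "Financial", "Q-1002", "Missing OS patch", 4),
    Finding("hr-app01", "Windows", "HR", "Q-1002", "Missing OS patch", 4),
    Finding("hr-app01", "Windows", "HR", "Q-1003", "Weak TLS configuration", 3),
]
SCAN_WEEK2 = [
    Finding("fin-web01", "Unix", "Financial", "Q-1004", "Banner disclosure", 1),
    Finding("fin-web01", "Unix", "Financial", "Q-1005", "RCE in web server", 5),
    Finding("fin-db01", "Windows", "Financial", "Q-1002", "Missing OS patch", 4),
    Finding("hr-app01", "Windows", "HR", "Q-1003", "Weak TLS configuration", 3),
]


def asset_groups(findings):
    """Map (platform, business_unit) -> set of hosts seen in the scan."""
    groups = defaultdict(set)
    for f in findings:
        groups[(f.platform, f.business_unit)].add(f.host)
    return dict(groups)


def visible_to(role, findings):
    """Findings a role may see; every attribute in its scope must match."""
    scope = ROLE_SCOPE[role]
    return [f for f in findings
            if all(getattr(f, attr) == value for attr, value in scope.items())]


def remediation_tickets(findings, min_severity=3):
    """One ticket per (host, detection) at or above min_severity, critical first."""
    tickets = []
    for f in findings:
        if f.severity < min_severity:
            continue
        tickets.append({
            "host": f.host, "qid": f.qid, "title": f.title,
            "severity": f.severity, "sla_days": SLA_DAYS.get(f.severity),
            "group": (f.platform, f.business_unit),
        })
    return sorted(tickets, key=lambda t: (-t["severity"], t["host"], t["qid"]))


def differential(previous, current):
    """Compare two scans by (host, qid): what appeared, what went away, what stayed."""
    before = {(f.host, f.qid) for f in previous}
    after = {(f.host, f.qid) for f in current}
    return {"new": after - before, "fixed": before - after, "persisting": before & after}


def severity_trend(previous, current, severity=5):
    """Count of findings at one severity in each scan, for the trend over time."""
    return (sum(f.severity == severity for f in previous),
            sum(f.severity == severity for f in current))


if __name__ == "__main__":
    print("asset groups:", asset_groups(SCAN_WEEK2))
    for t in remediation_tickets(SCAN_WEEK2):
        print(f"sev {t['severity']} {t['host']} {t['qid']} fix within {t['sla_days']}d")
    print("finance-it sees", len(visible_to("finance-it", SCAN_WEEK2)), "findings")
    print("week-over-week:", differential(SCAN_WEEK1, SCAN_WEEK2))
    print("critical count (week1, week2):", severity_trend(SCAN_WEEK1, SCAN_WEEK2))
```

The differential is keyed on (host, detection) rather than on raw counts, so a "fixed" entry means that specific finding stopped being detected on that specific host; a falling total that is really one host dropping off the scan scope would show up as fixes here too, which is why discovery has to run before each assessment and why the asset groups should be compared scan to scan as well.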

Summary
- Bring security and compliance together and deliver them as a service
- Operationalize the information dissemination and remediation process
- The Software as a Service (SaaS) approach to the problem:
  - Lower costs: reduced maintenance and elimination of capacity planning
  - Satisfies audit, security and operations
- Deployment methodology: scanner placement, asset categorization, user access, realistic goals for remediation

Q & A
Questions? Thank you!
Matthew Clancy, Technical Account Manager, Qualys, Inc.
mclancy@qualys.com
www.qualys.com