GlobalSecurity@SITA
Managing Security in Modern Networked IT Environments
Joseph Ferracin, Director IT Security Solutions
Efficient security requires
- A security organization
- A security framework (guidelines and policies)
- The company management's support
- End-user involvement
- A security plan
- A budget
- Skilled security people
The organization
Create a Security Office that:
- Is independent of IT and reports to top management
- Defines the security framework and the high-level policies
- Drives security audits and assessments
- Defines the security plan and proposes the security budget
- Helps in security implementations
Create a security council that:
- Includes the Security Officer, top management representative(s) and IT representative(s)
- Endorses security policies
- Validates the security plan and the security budget
The Framework
We recommend BS 7799.
The BS 7799 Information Security Standard is published in two parts:
1. Part 1: Code of practice for Information Security Management (ISO/IEC 17799)
2. Part 2: Specification for Information Security Management (BS 7799)
Purchase online:
http://www.bsi-global.com/Information+Security/04_Standards_infosec/index.xhtml
BS 7799 should be regarded as guidance; BS 7799 certification is complex.
Get management support
Propose a risk assessment:
- The company's management is responsible for the security of company assets.
- Vulnerabilities in the IT security organization and in IT equipment configurations must be known.
- The associated risks must be evaluated.
Suggest the necessity of a high-level security policy.
Suggest developing a security plan.
Costs: $100 000 to $600 000
Involve End Users
Education
- Users must know and understand the security policy.
- They must be conscious of the value of their own data.
- Avoid constraints; try to suggest; use flattery.
Security has to be as transparent as possible: use appropriate technology.
Security issues: you want to guarantee
- Availability of information systems
- Confidentiality and privacy of sensitive information
- Access control on networks, systems and applications
- Integrity of transactions
Security is a continuous process
(Figure: a cycle of process steps, each supported by technologies.)
Process steps:
- Security policies
- Security migration plans
- Define secure architectures
- Design security solutions
- Assess risks
- Audit implementations
- Analyze vulnerabilities
Technologies:
- Firewalls
- Encryption
- Public key infrastructures
- Centralized management
- Anti-virus
- Intrusion detection
- Strong authentication
- IPSec VPNs
- Digital certificates
Security on the Intranet
(Figure: intranet security components. Workstations: PKI, Smart Cards, Virus Detection. Active Directory with Kerberos V5 and Strong Authentication. Authentication Service and Authorization Service. Anti-Virus. Single Sign On. Mainframes and Servers with Role Based Authorization.)
Security on the Internet
(Figure: Internet security architecture. Elements: Consumer and Trusted Consumer; Demilitarized Zone (DMZ); Intrusion Detection; Access Control; Firewall; VPN; Corporate Intranet; Business Partner and Employee. Traffic classes: No Security; SSL Encrypted Transaction; IPSec Encrypted VPN. Properties guaranteed: Integrity, Confidentiality, Authentication, Availability.)
Why Outsource Security?
“Under-staffed, underskilled, overwhelmed. That’s the sinking feeling conveyed to us repeatedly by CIOs...”
“The situation isn’t likely to improve any time soon.”
“For many CIOs, the staffing crisis is an overriding concern that adds risk to every project.”
- CIO Magazine
I.T. resource shortage: specialized IT security resources are even harder to find.
- Security Engineer: $109,000
- Network Admin.: $65,000
Security Outsourcing Expenses
(Chart: security outsourcing expenses 1998 to 2003, in $ billions, scale $0 to $16. $14.8 billion industry in 2003, 45% CAGR. Source: IDC, 2000.)
Why companies are outsourcing:
- Dearth of skilled security talent
  - Universe of CISSPs less than 1,500
- Sophisticated attacks beyond the capability of most IT departments
  - DDoS attack, Love Virus, etc.
- Scale, budgets and staff usually subjugated to business issues
- Security intelligence missing: IT departments lack the ability to monitor the hacker underworld and global events to proactively redress vulnerabilities and attacks
- Follow-the-sun 24x7x365 model
- Security not typically a core competency of companies
- Carrier-grade security SLAs unachievable by most IT departments
- Total Cost of Ownership (“TCO”)
  - Organizations cannot match the economies of scale of a managed security service provider
A portfolio of
- Professional Services
- Solutions
- Managed Security Services
Partners foremost in Security
Security Professional Services
A team of security experts. Solutions tailored to your needs … for the winning approach:
- Solutions implementation
- Security policies definition
- Security management
- Risk analysis
- Security audit
Managed Security Services …
IP Secure Gateway
- IPSec VPNs
- Managed Firewall Services
- Remote Access
- Available on the SITA Private Network and the SITA Internet Network
- Partnership with Internet Security Systems (ISS), a leader in security
Features
- High quality of service
- Very competitive pricing for small, midsize and big Extranet and Internet sites
- Scalable solutions
- World-class technology
Managed Intrusion Detection
- Partnership with ISS
- Real-time protection of mid-size and big Internet and E-Commerce sites
And …
- Digital Certificates
- Vulnerability Scanning
- Content Filtering …
Thank You!
Q&A