Information Security for the Future Seminar Oiva Karppinen, Chief Executive Officer NXme FZ-LLC (Nixu Middle East)

Transcription

1 Information Security for the Future Seminar Oiva Karppinen, Chief Executive Officer NXme FZ-LLC (Nixu Middle East)

2 Corporate Background NXme is a privately owned Dubai-based IT security company operating in the GCC region since 1998 Background in advanced, small, neutral country, Finland Thorough know-how of Internet and security technologies, company's reliability tested in 14 years with demanding government customers In addition NXme has provided its IT security services to a large number of demanding military, telecom and financial customers The total number of completed projects is in hundreds 13-Feb-13 Copyright NXme FZ-LLC

3 13-Feb-13 Copyright NXme FZ-LLC

4 Information Security Services NXme has Finnish roots and European experience with information security since 1988 Work and recommendations for our clients are based on widely accepted standards and founded on real world experiences Specialized in auditing and consulting all areas of information security from security management practices to technical security controls Key areas technical security audits, security management audits and security management consulting 13-Feb-13 Copyright NXme FZ-LLC

5 Information Security in Finland Finland has had a broad national information security strategy since 2003 (first in Europe) The strategy has been updated several times, the latest version was released 2011, work continues The leading consultant in the process has been Nixu - NXme's (Nixu Middle East) former mother company The strategy is extensively communicated to the general public, e.g. the Parliament is organizing widely recognized national information security days and seminars 13-Feb-13 Copyright NXme FZ-LLC

6 Long-Time Effort Shows, But 13-Feb-13 Copyright NXme FZ-LLC

7 Finland's Cyber Security Strategy Government Resolution Vital functions include The management of Government affairs International activity Finland s defense capability Internal security Functioning of the economy and infrastructure The population s income security and capacity to function Psychological resilience to crisis 13-Feb-13 Copyright NXme FZ-LLC

8 The Vision of Finland s Cyber Security Is That Finland can secure its vital functions against cyber threats in all situations Citizens, the authorities and businesses can effectively utilize a safe cyber domain and the competence arising from cyber security measures, both nationally and internationally By 2016, Finland will be a global forerunner in cyber threat preparedness and in managing the disturbances caused by these threats 13-Feb-13 Copyright NXme FZ-LLC

9 Moving to The Cloud? Cloud computing is becoming a fundamental part of information technology Globally nearly every enterprise is evaluating or deploying cloud solutions Reasons include lowering costs, streamlining staff, increasing the speed of adaption of new solutions... But how is the security handled? How to scope with concern of turning over responsibility for your application security to an unknown entity? 13-Feb-13 Copyright NXme FZ-LLC

10 Flaws and Vulnerabilities are Real Most of the cloud applications are accessed with a web browser Some reports state that over 80 percent of web applications have had at least one serious security issue These flaws expose organizations to loss of sensitive corporate or customer data, significant brand and reputation damage, and in some cases, direct financial implications A survey in 2011 estimated that there are over 350,000,000 websites in production Feb-13 Copyright NXme FZ-LLC

11 13-Feb-13 Copyright NXme FZ-LLC

12 Web Application Security Web applications are the primary attack target today But traditionally web application security has been seriously overlooked... Typically only less than 20% of IT security budgets have been allocated to web applications In most organizations application security is even not a strategic corporate initiative A change is needed as companies are moving to cloud computing 13-Feb-13 Copyright NXme FZ-LLC

13 The Abstracted Network Layer Prior to cloud computing, the key security element of any application has been a firewall "Oh, it is a behind of a firewall, it surely is secure" Today the network layer is becoming abstracted by the advent of cloud computing The network infrastructure and especially the network security is now the responsibility of somebody else Confidence -> confusion The only thing you can control: Application 13-Feb-13 Copyright NXme FZ-LLC

14 Lost Visibility of Network Security One of the main concerns is loss of visibility into attacks in progress This is particularly true with Software as a Service (SaaS) offerings Traditionally Intrusion Prevention and/or Intrusion Detection Systems have been used to give early alarms Loss of visibility, loss of control? Active communication and good understanding of the secure measures of your cloud provider required 13-Feb-13 Copyright NXme FZ-LLC

15 New Security Policies and Controls Change in infrastructure is a great time to make policy changes and setup new security controls Easier to reprioritize and reallocate budget spending Good opportunity to pull business, security and development teams together Move to cloud computing can be an excellent opportunity to institute new security policies and controls across the board 13-Feb-13 Copyright NXme FZ-LLC

16 Cloud Security and Business Goals For many organizations, application security has been an afterthought It was not as critical when the applications resided behind the firewall Cloud computing changes this - the value of the data stored in the cloud must be taken into account Accurate asset inventory and prioritization as a basis for vulnerability assessments Only then it is possible to assign value and implement an appropriate solution for the given risk level 13-Feb-13 Copyright NXme FZ-LLC

17 Security is Security, Cloud or Not Ultimately, web application security in the cloud is no different than web application security in your own environment Now it is the time to make web application security a priority Also vendors need to be hold responsible for a good-enough level of network security But still, each company remains accountable for their own data security 13-Feb-13 Copyright NXme FZ-LLC

18 Four Rules to Avoid Pitfalls 1. You can't secure what you don't know you own 2. Assign a champion - designate someone to drive web application security 3. Deploy shielding technologies to mitigate the risk of vulnerable applications 4. Shift budget from infrastructure to application security 13-Feb-13 Copyright NXme FZ-LLC

19 Thank You For more information, please contact: Mr. Oiva Karppinen, CEO, (UAE) Mr. Tapio Äijälä, COO, (KSA) - info@nxme.net "Thorough know-how of Internet and security technologies, company's reliability tested in 14 years with demanding government customers in the GCC." 13-Feb-13 Copyright NXme FZ-LLC