Pervasive Security Accelerator

Transcription

1

2 Pervasive Security Accelerator 2

3 Agenda Pervasive Security Accelerator Why-Trends & Opportunities Transformational Principles Charter & Goals Architecture Use Case: Engineering Governance & Operating Model Summary 3

4 Bill Bragg & Sujata Ramamoorthy Partners in keeping Cisco IT secure Bill Bragg Director, Engineering IT Responsible for product engineering and supply chain IT services, reporting through the CIO Top of mind: Using IT systems to make engineers productive while keeping Cisco profitable and safe from security threats Sujata Ramamoorthy Director, Information Security Responsible for Cisco IT security architecture and policy, reporting through the CSO Top of mind: Keeping Cisco safe through security architectures, security policy, and industry best practices 4

5 Why-Trends & Opportunities The security landscape is changing rapidly Social networking (virtual friends ) Sophisticated Cyber attacks (advance persistent threats) Cloud, XaaS (disappearing perimeter) Who I work with (collaborative IP protection) What I use to work (end point identification) Where I work from (location awareness) Securely Enable New Business Models I/PaaS Offerings New revenue streams COGS Mindset 5

6 Transformational Principles Changing the approach to security From: To: Perspective on Security Approach Technology Transformation Late in the process Not my problem Considered roadblock Perimeter/infrastructure Fragmented, virtual Capabilities Disjointed Physical, Static Manual, coarse Strategic focus/om integration Well-defined ownership (incl business) Enable the Business Focus on data & identity Integrated, end-to-end, orchestrated Service oriented Integrated architectural play Virtual (flexible/dynamic/change-ready) Automated & managed, granular 6

7 Pervasive Security Accelerator 5 Point Charter 1. Pervasively embed Security into the IT Operating Model 2. Address key security concerns visibility to security risks Protect against data loss Shifts in the threat landscape 3. Enable a new reality employee productivity, collaboration New business models: sourcing & delivery Services Review Organizational Health Architectural Reviews Strategic Investment Planning 4. Ensure architecture alignment, capability reuse & operational integrity 5. Deliver a sustainable approach to security excellence 7

8 At the end of the PSA.. We will not get compromised in the marketplace. We can secure our services without slowing down our client customers business. We are ready because we embraced security. Security does not get in the way of doing my work. I know what is expected from me. Business Leader I am responsible for the security of my IT service, and able to make datadriven decisions I know how to leverage the security capabilities needed to protect my IT service Employee We know what threats and data patterns to monitor, and how to respond IT Manager IT Architect Security Operations 8

9 Top-Level Architecture View IT Governance Service Security Prime Decision Making Model (NEW role) Security Operations Security-IT OM Integration Simplified & Unified Metrics Operational Security Excellence Policy Enforcement (Control) Behavior + Threats Compliance (Visibility) Identity & Access Foundational Identity Mgmt Access Policy Mgmt NG Strong/Adaptive AuthC Privileged Access Mgmt Secure Path / Threat Protection Secure Data Delivery Device Profiling / Posture Contextual Network Access Threat Detection/Mitigation Data Data Governance Data Visibility & Control 9

10 Program Structure Leveraging Capability to Secure Business Value Use Cases 1 2 Engineering: Infra > Data Any Device.. Cloud 4 5 Customer Network Configuration Data Services - Mobility Platform 3 Monitoring & Visibility 6 Critical Infrastructure Capabilities IT Governance Security Operations Identity & Access Secure Path Data * Assessment phase 10

11 Security Architecture Creates Engineering Value 1 Harden infra / authc 2 Virtual Access TrustSec Eng. Linux HRE BYOD Path Control : Context Based Networking TrustSec controls to provide user and device based access controls and enforce platform and HRE access policy Encrypted Authentication VDI 3 Data Governance Data Governance All access centrally authenticated Active Directory Abstracted content access Data Stewardship Identify and assess all repositories Monitoring and Auditing Secure (encrypted) Storage Secure privileged access (sudo) Engineering Content Legacy Server Decommissioning Universal Fine Grained Controls Identity and Access: Centralized and Stronger Access Management Data Focus and Governance 11

12 PSA Governance & Operating Model

13 Security is everyone s job Responsible for implementing and adhering to security policy Accountable for securing their IT service offerings IT Executive End-to-end responsible for service security: compliance, planning, exceptions, operational metrics. IT Infra, Development, Operations IT IT Manager IT Security Executive Customers, Employees, & Partners Responsible for security subject matter expertise IT Security Architect Responsible for acceptable use of systems, compliance, and enforcement of security policies and objectives. Needs security to be easy. Responsible for setting security policies and audits Infosec Team 13

14 IT should make data-driven security decisions Metrics drive behavior and accountability Unified Security Metrics Operational Process People 14

15 IT should make data-driven security decisions Metrics drive behavior and accountability Unified Security Metrics Technical Security Data 1. Data Sensitivity and exfiltration 2. Admin access - Who had privileged access within last 3 months? 3. Exposure - externally and internally to Cisco? 4. Hygiene - How is security posture maintained (patching, follow-up on vulnerabilities) 5. Incidents - Number of investigations and time spent? 6. Application Vulnerability Assessment actions - Closed, pending 'Aging? 7. Security Exceptions and status - Closed, pending 'Aging'? Operational Process People 15

16 IT should make data-driven security decisions Metrics drive behavior and accountability Unified Security Metrics Operational IT Project Lifecycle (PLC) 1. Is security embedded in the PLC? 2. Are architectural Assessments and Exceptions stored in a central repository and follow-up tracked? 3. Does the service have a risk rating and data classification captured in service catalog? 4. Are root-cause and Long Term Fix on incidents identified and tracked to closure? Process People 16

17 IT should make data-driven security decisions Metrics drive behavior and accountability Unified Security Metrics Training and awareness Operational 1. Are Security architects and executives assigned? 2. Are privileged users (developers, administrators) trained on security? 3. Is awareness created for users dealing with sensitive data? 4. Is security easy for employees, partners & customers? Process People 17

18 IT should make data-driven security decisions Metrics drive behavior and accountability Unified Security Metrics Operational Remove the grey area for IT service owners, employees & customers Share security posture by ranking people, process and technical area s red, yellow or green Process People 18

19 Service Reviews Drive Security Improvements CIO Trending and delta for all services Services Review IT Executives All Services per IT exec, top 10 vs. bottom 10 IT Managers Score cards (RYG) for service 19

20 In this hyper connected world, security needs to be pervasive. This is an area IT needs to accelerate and embed at all levels in order to succeed. My leaders and staff are integrating this in our operating model, services and operations; bringing security from the shadows to the forefront. Rebecca Jacoby Senior Vice President, Chief Information Officer 20

21 Questions and Answers 21

22 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit 22

23 Final Thoughts Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042 Come see demos of many key solutions and products in the main Cisco booth 2924 Visit after the event for updated PDFs, ondemand session videos, networking, and more! Follow Cisco Live! using social media: Facebook: Twitter: LinkedIn Group: 23

24

25 PSA: Engineering Use Case

26 Pervasive Security Accelerator Identity and Access Security Challenge: Vulnerable identity systems lead to attacks/security breaches Lack of a foundational authorization store for global application subscription Deliverable: Strengthen identity systems to increase security without added user burden Adoption: Cisco Enterprise Policy Manager (CEPM): Provides fine-grained control over data access through common enterprise policy implementation Smartcard: Prioritized roll-out for physical and logical access 26

27 Pervasive Security Accelerator Secure Path Security Challenge: Emergence of BYOD and device commoditization impacts network access trust models Challenges to enable dynamic user/workload mobility & public cloud (ACL management) Deliverable: End-point profiling, unified Wired/Wireless authentication (TrustSec 802.1X) Harden/protect network path (NetThreat) Multi-tenant network and DC zones (through E2N, Cloud) Adoption: Cisco TrustSec 802.1X Cisco ISE provided policy engine to address policy governance for BYOD 27

28 Pervasive Security Accelerator Data Security Challenge: Need to scale data security policies and enforcement Mobility, Virtualization/Cloud create data classification and control security challenges Deliverable: Establish enterprise-wide data governance framework Deploy data security-as-a-service for use in IT services Adoption: Define/Capture Data Security Policies: Build holistic data governance framework with BUs Store Data Security Policies (HMP): Build data policies into policy engine Activate Data Security Policies (CEPM): Use case to control data movement to unauthorized public cloud services. 28

29 Pervasive Security Accelerator Using the capabilities to help secure Engineering Data Security Challenge: Development systems require flexibility while security intellectual property (IP) Engineers need visibility into risks and security threats. Deliverable: Improve IP controls and developer access through identity and data framework Improve device identity systems to ensure appropriate access and audit controls Use key security metrics in governance model to drive accountability 29

30 Security Prime, Role and Responsibility PAT InfoS ec Prime 1. The CSO (Chief Security Officer) of the Service 2. Every service (executive) should have a Prime 3. Primes will champion processes we measure, embed security in operations and will provide governance and advice on key initiatives 4. Primes will ensure alignment to corporate security goals, grow security talent and provide security metrics to senior staff 5. Primes will also ensure data governance as data custodian 6. Primes have a trusted partnership and mutual accountability with Partner Security Architects (PATs) and broader security staff. 30