Information Security for the Future Seminar 28.3.2012
Tapio Äijälä, Chief Operating Officer
NXme FZ-LLC (Nixu Middle East)

Corporate Background
NXme is a privately owned Dubai-based IT security company operating in the GCC region since 1998
Background in an advanced, small, neutral country: Finland
Thorough know-how of Internet and security technologies, company's reliability tested in 14 years with demanding government customers
In addition, NXme has provided its IT security services to a large number of demanding military and financial customers
The total number of completed projects is in the hundreds
28-Mar-12 Copyright NXme FZ-LLC 2012

Information Security Services
NXme has Finnish roots and European experience with information security since 1988
Work and recommendations for our clients are based on widely accepted standards and founded on real-world experience
Specialized in auditing and consulting in all areas of information security, from security management practices to technical security controls
Key areas: technical security audits, security management audits and security management consulting

Information Security in Finland
Finland has had a broad national information security strategy since 2003 (first in Europe)
The strategy has been updated several times; the latest version was released in 2011
The leading consultant in the process has been Nixu, the former mother company of NXme (Nixu Middle East)
The strategy is extensively communicated to the general public, e.g. the Parliament is organizing widely recognized national information security days and seminars

Moving to The Cloud?
Cloud computing is becoming a fundamental part of information technology
Globally, nearly every enterprise is evaluating or deploying cloud solutions
Reasons include lowering costs, streamlining staff, increasing the speed of adoption of new solutions...
But how is the security handled?
How to cope with the concern of turning over responsibility for your application security to an unknown entity?

Flaws and Vulnerabilities are Real
Most cloud applications are accessed with a web browser
Some reports state that over 80 percent of web applications have had at least one serious security issue
These flaws expose organizations to loss of sensitive corporate or customer data, significant brand and reputation damage, and in some cases, direct financial implications
A survey in 2011 estimated that there are over 350,000,000 websites in production...

Web Application Security
Web applications are the primary attack target today
But traditionally web application security has been seriously overlooked...
Typically less than 20% of IT security budgets have been allocated to web applications
In most organizations application security is not even a strategic corporate initiative
A change is needed as companies are moving to cloud computing

The Abstracted Network Layer
Prior to cloud computing, the key security element of any application has been a firewall
"Oh, it is behind a firewall, it surely is secure"
Today the network layer is becoming abstracted by the advent of cloud computing
The network infrastructure, and especially the network security, is now the responsibility of somebody else
Confidence -> confusion
The only thing you can control: Application

Lost Visibility of Network Security
One of the main concerns is loss of visibility into attacks in progress
This is particularly true with Software as a Service (SaaS) offerings
Traditionally, Intrusion Prevention and/or Intrusion Detection Systems have been used to give early alarms
Loss of visibility, loss of control?
Active communication and good understanding of the security measures of your cloud provider required

New Security Policies and Controls
Change in infrastructure is a great time to make policy changes and set up new security controls
Easier to reprioritize and reallocate budget spending
Good opportunity to pull business, security and development teams together
Move to cloud computing can be an excellent opportunity to institute new security policies and controls across the board

Cloud Security and Business Goals
For many organizations, application security has been an afterthought
It was not as critical when the applications resided behind the firewall
Cloud computing changes this: the value of the data stored in the cloud must be taken into account
Accurate asset inventory and prioritization as a basis for vulnerability assessments
Only then is it possible to assign value and implement an appropriate solution for the given risk level

Security is Security, Cloud or Not
Ultimately, web application security in the cloud is no different than web application security in your own environment
Now is the time to make web application security a priority
Also, vendors need to be held responsible for a good-enough level of network security
But still, each company remains accountable for its own data security

Four Rules to Avoid Pitfalls
1. You can't secure what you don't know you own
2. Assign a champion - designate someone to drive web application security
3. Deploy shielding technologies to mitigate the risk of vulnerable applications
4. Shift budget from infrastructure to application security

Thank You
For more information, please contact:
Mr. Oiva Karppinen, CEO, +971 50 6558180 (UAE)
Mr. Tapio Äijälä, COO, +966 56 9219884 (KSA)
www.nxme.net - info@nxme.net
"Thorough know-how of Internet and security technologies, company's reliability tested in 14 years with demanding government customers"