Security as an Enabler for the Digital World - CISO Perspective
Download as PPTX, PDF3 likes4,212 views
The document discusses the evolving landscape of digital security, emphasizing the need for data-centric controls and automated security processes to protect against increasing threats during digital transformation. It highlights the role of security in enabling DevOps and cloud compliance, advocating for API-first architecture to maintain consistent security across platforms. Key takeaways include integrating security into operational layers, leveraging automation, and the importance of collaboration between IT security and development teams.
Security as an Enabler for the Digital World - CISO Perspective
- 1. Digital Security: The CISO Perspective Apigee @apigee Subra Kumaraswamy @subrak Randy Barr CISO, Saba Software
- 5. Agenda • The changing Digital landscape • Trends: technology and threats • Security enablers • Key takeaways
- 6. What’s keeping you up at night? 6 Data Theft
- 9. Trends
- 10. DevOps is growing exponentially
- 12. Breaches continue to haunt the enterprise Source: Verizon 2014
- 14. The changing landscape B A C K - E N D S Y S T E M S M O B I L E S E C U R I T Y APIs S O C I A L A N D S A A S Contextual & behavioral security Encrypt everything Identity-as-a-Service SaaS security/identity plugin Fraud detection APT security analytics E N D P O I N T S E C U R I T Y Digital security is shifting from defense to analytics (predictive) & prevention
- 15. Technologies driving digital transformations Mobile DevOpsCloud API
- 16. Digital security as an enabler
- 17. What’s the role of InfoSec in enabling digital transformation?
- 18. Top areas of CISO concern Source: Wisegate
- 19. The role of digital security: enabling DevOps
- 20. 20 • End-to-end security managed through configuration and global policies • Data-centric controls such as encryption, tokenization, and key management • Leverage API for security automation activities including patching, user and access management, logging, and auditing • Security verification through tool automation, aligned with SDLC: Dev->Stage->Prod Enabling DevOps
- 21. Role of digital security: enabling cloud Compliance Trust Architecture Identity and Access Availability Incident Response Data Protection Governance
- 22. 22 • Governance of Data and Identity • Security Architecture standard • Technology Services & Tools to Support: – Data Protection – Encryption/Hashing/Anonymization – Access management – Privileged and End Users – Threat monitoring and protection – Compliance (PCI, HIPAA) management – Availability Management – DDoS mitigation, Multi- region operation – Operational Hygiene – Patching, Logging, etc • Establish Incident Response with service provider Enabling cloud
- 23. • Most Cloud providers leverage this as their security story • This only covers the data centers policies, employees, standards – CCTV – 24x7x365 security personnel – Entry and Exits of facility • What about – When a server needs to be changed, it is not covered – When new employee at cloud provider starts it is not covered – Security Policies, Standards apply to cloud vendor – Monitoring of the environment – Business Continuity / Disaster Recovery – Incident Management – Vulnerability Penetration Testing – Etc. Data center security audit/assessments
- 24. Role of digital security: enabling mobile
- 25. 25 Enabling mobile • Leveraging solutions to perform automated scans • There are vendors that provide both automated and hands on reviews of mobile apps • Performed once a new version is uploaded to the store • Should perform – Run-time scanning (Dynamic and app logic analysis) – Network Scanning – Serverside scanning • Mobile security training • Rogue App monitoring
- 26. So how does API-first architecture manifest itself?
- 27. API-first architecture API Tier All Apps Analytics App Servers ESB Social Apps Web Apps Mobile Apps Backend Services OrchestrationPersistence Security Internet API services for mobile and cloud apps Consistent security across channels Developers IT security architect
- 28. Technologies driving digital transformations Mobile DevOpsCloud API
- 29. Information security must be able to meet governance requirements and manage compliance when handling PCI DSS or HIPAA use cases
- 30. Top technology considerations and takeaways • Focus on data-centric controls such as masking, encryption and hashing to protect data at rest. • Work closely with DevOps teams to “bake in” security controls into the orchestration layer and cloud hosting systems. • Leverage APIs to build consistent, secure and scalable mobile solutions. • Automate security monitoring and management using APIs. DeveloperUser APIApp API Team Backend
- 31. Security as a Enabler: Summary • Security is a competitive differentiator – IT security must remove barriers to enable business and developers/DevOps • DevOps (need for speed, flexibility) and InfoSec (need for consistent protection) go hand-in-hand • API-first architecture provides consistent security enforcement for mobile and cloud use cases DeveloperUser APIApp API Team Backend
- 34. Identity landscape in the digital world
- 35. •What drives adoption of cloud solutions within a company •Selecting IT solutions are as easy as reading the numbers off your credit card •Small implementations can lead to adoption by other users •Ability for mobility is key to further adoption of the solution •Growth leads to managing the solution •Security is then brought in Choices
- 36. SECURITY TRANSPARENCY • Reliance on Data Center Audits • Privacy • White papers with no details • Reluctant to share details citing protecting their existing customers • Customer audits • Cloud Controls Matrix • Consensus Assessments Initiative Questionnaire • Independent 3rd party report of Saba’s policies, standards and processes • SOC II Type II report • DR Executive Summary • Policies & Standards table of contents • Independent 3rd party penetration test • Network and Application Vulnerability executive report within 48 hours of request Completecustomervisibility
- 37. Enabling the DevOps to securely expose the back- end services with necessary authentication, authorization, message security, and Auditing
- 38. Security considerations • Authentication of Apps, APIs and Users: LDAP, active directory, SAML, OAuth, two-way TLS • User and role management • Protect sensitive data stored and processed in the cloud and mobile devices • Threat management (DoS, spikes, injection attacks) • Logging and auditing
- 39. Role of InfoSec
Editor's Notes
- #2: Presenter: Tim - Introduce myself; have Subra introduce himself (names & titles only here) - Thank you for joining us today….. - We do want your questions, which we will take at the end Creative Commons Attribution-Share Alike 3.0 United States License
- #3: Presenter: Tim Numerous videos about APIs on our YouTube channel
- #4: Presenter: Tim Numerous presentations about APIs available on SlideShare
- #5: Presenter: Tim - Subra – ‘Tell our audience’ something about your background / experience, and your role here at Apigee - Tim to follow with the same (i.e., something about my background / experience, and my role here at Apigee)
- #6: Presenter: Tim
- #7: Community Health breached and 4.5 million patient records stolen by Chinese cyberspies. Heartbleed was used
- #8: http://www.thefutureorganization.com/five-trends-shaping-future-work/ And perhaps the most significant change that we’re all dealing with is that the work itself and the skills required everyday keep changing – in fact, 47% of today’s jobs won’t even exist in 20 years, and new jobs, requiring new skills will emerge. And all these challenges and changes have to be addressed over and above the day-to-day work of attracting, developing and retaining talent.
- #9: Based on recent research report from Deloitte University, Learning and Talent professionals are dealing with a myriad of challenges including leadership development, employee engagement, diversity and inclusion, collaboration, compliance, and certification. But one of the biggest challenges organizations face today is “overwhelmed” employees. Employees are faced with information overload, too many tools, and too many choices. This is negatively impacting their productivity and effectiveness.
- #10: Presenter: Tim ‘That said, let’s jump into API architecture considerations’
- #11: Main Points: The path to securing the Digital World is along the Mobile Value Chain. Script: Let’s start with the architecture. A typical API-centric architecture is comprised of two tiers: The API infrastructure service, or “service exposure,” tier - Composed of API service providers (internal backend services and external partner services); services that securely transform existing backend capabilities into APIs; and new data services that power apps (mobile, social, web, and partner) and are aided by self-service API and management portals. The API developer service, or “API consumption,” tier - Includes services that enable developers to build and deploy apps in a secure way; engage with a developer community; and help manage application life cycles via self-service API and developer portals. Why is this view important? One of the key tenets that enable "defense in depth" security practices within an enterprise is “separation of concerns.” This design principle will make it easier to design security into the architecture and facilitate strong security management such as “separation of duties” between the service providers (the IT architect, IT security, and business) and service consumers (developers and end users). The key benefit of following a separation of concerns principle is that developers can continue to innovate and iterate with an app-centric security model while IT security architects and operations teams can safely expose the APIs without compromising on the enterprise security standards (authentication, authorization, message security, threat mitigation, logging, and auditing).
- #12: Main Points: The path to securing the Digital World is along the Mobile Value Chain. Script: Let’s start with the architecture. A typical API-centric architecture is comprised of two tiers: The API infrastructure service, or “service exposure,” tier - Composed of API service providers (internal backend services and external partner services); services that securely transform existing backend capabilities into APIs; and new data services that power apps (mobile, social, web, and partner) and are aided by self-service API and management portals. The API developer service, or “API consumption,” tier - Includes services that enable developers to build and deploy apps in a secure way; engage with a developer community; and help manage application life cycles via self-service API and developer portals. Why is this view important? One of the key tenets that enable "defense in depth" security practices within an enterprise is “separation of concerns.” This design principle will make it easier to design security into the architecture and facilitate strong security management such as “separation of duties” between the service providers (the IT architect, IT security, and business) and service consumers (developers and end users). The key benefit of following a separation of concerns principle is that developers can continue to innovate and iterate with an app-centric security model while IT security architects and operations teams can safely expose the APIs without compromising on the enterprise security standards (authentication, authorization, message security, threat mitigation, logging, and auditing).
- #13: Main Points: The path to securing the Digital World is along the Mobile Value Chain. Script: Let’s start with the architecture. A typical API-centric architecture is comprised of two tiers: The API infrastructure service, or “service exposure,” tier - Composed of API service providers (internal backend services and external partner services); services that securely transform existing backend capabilities into APIs; and new data services that power apps (mobile, social, web, and partner) and are aided by self-service API and management portals. The API developer service, or “API consumption,” tier - Includes services that enable developers to build and deploy apps in a secure way; engage with a developer community; and help manage application life cycles via self-service API and developer portals. Why is this view important? One of the key tenets that enable "defense in depth" security practices within an enterprise is “separation of concerns.” This design principle will make it easier to design security into the architecture and facilitate strong security management such as “separation of duties” between the service providers (the IT architect, IT security, and business) and service consumers (developers and end users). The key benefit of following a separation of concerns principle is that developers can continue to innovate and iterate with an app-centric security model while IT security architects and operations teams can safely expose the APIs without compromising on the enterprise security standards (authentication, authorization, message security, threat mitigation, logging, and auditing).
- #14: And this problem doesn’t only exist in the talent management arena. We are faced with the paradox of choice in all areas of our lives. On the one hand, we love having choices; on the hand, information overload is truly overwhelming and frustrating. This is hardly a new dilemma. In the area of consumer products, vendors have largely solved this problem by applying machine learning and intelligent recommendation technologies. For example, Netflix gets better at recommending movies to you every time you select one. Amazon does the same thing with books and technology. The Google self-driving car is actually a better driver than a human, because it processes more data faster. [optional proof point: as of April 2014, Google self-driving cars had driven over 700k miles without an accident.] What does it mean for Talent Management?
- #15: 75% of organizations are using at least one cloud service 70% of of CISOs are concerned about cloud and mobile security
- #16: Let’s talk about the major technology drivers
- #17: Presenter: Tim ‘That said, let’s jump into API architecture considerations’
- #18: Presenter: Tim - ‘Now lets begin our discussion of how to actually achieve those API security goals’ - ‘Subra, let’s start with explaining our two sided approach involving consumption and exposure’
- #19: Main Points: The path to securing the Digital World is along the Mobile Value Chain. Script: Let’s start with the architecture. A typical API-centric architecture is comprised of two tiers: The API infrastructure service, or “service exposure,” tier - Composed of API service providers (internal backend services and external partner services); services that securely transform existing backend capabilities into APIs; and new data services that power apps (mobile, social, web, and partner) and are aided by self-service API and management portals. The API developer service, or “API consumption,” tier - Includes services that enable developers to build and deploy apps in a secure way; engage with a developer community; and help manage application life cycles via self-service API and developer portals. Why is this view important? One of the key tenets that enable "defense in depth" security practices within an enterprise is “separation of concerns.” This design principle will make it easier to design security into the architecture and facilitate strong security management such as “separation of duties” between the service providers (the IT architect, IT security, and business) and service consumers (developers and end users). The key benefit of following a separation of concerns principle is that developers can continue to innovate and iterate with an app-centric security model while IT security architects and operations teams can safely expose the APIs without compromising on the enterprise security standards (authentication, authorization, message security, threat mitigation, logging, and auditing).
- #20: Presenter: Tim - ‘Now lets begin our discussion of how to actually achieve those API security goals’ - ‘Subra, let’s start with explaining our two sided approach involving consumption and exposure’
- #21: My goal is to define a hierarchy of features that provides both convenient “roll-ups” that can be used by Sales (for example) and also a level of detail that allows for things like bug classification, etc.”
- #22: Presenter: Tim - ‘Now lets begin our discussion of how to actually achieve those API security goals’ - ‘Subra, let’s start with explaining our two sided approach involving consumption and exposure’
- #23: My goal is to define a hierarchy of features that provides both convenient “roll-ups” that can be used by Sales (for example) and also a level of detail that allows for things like bug classification, etc.”
- #25: Presenter: Tim - ‘Now lets begin our discussion of how to actually achieve those API security goals’ - ‘Subra, let’s start with explaining our two sided approach involving consumption and exposure’
- #26: My goal is to define a hierarchy of features that provides both convenient “roll-ups” that can be used by Sales (for example) and also a level of detail that allows for things like bug classification, etc.”
- #27: Presenter: Tim - ‘Now lets begin our discussion of how to actually achieve those API security goals’ - ‘Subra, let’s start with explaining our two sided approach involving consumption and exposure’
- #28: Presenter: Subra Be sure to also cover: API tier allows decoupling of security models and creates loose coupling between applications consuming API and backend services Consumption tier demands support for agile security functions for app developers as well as flexible security mechanism for various API consumer types. For e.g. Your mobile app accessing your employee data will have different security requirements from your application that is developed by a 3rd party developed apps available and distributed via android marketplace or Apple store. Exposure tier on the other hand focus consistently enforcing security irrespective of what apps are connecting to the backend. Exposure tier needs to be concerned about fine granular authorization to the API functions by the apps Northbound / Southbound APIs are not SOA E: So that’s why we talk about API-first D: Is this a new term? E: The idea is that you use your API tier to deliver the same services to all related apps
- #29: Let’s talk about the major technology drivers
- #30: Presenter: Tim
- #31: Presenter: Tim
- #32: Presenter: Tim
- #33: Presenter: Tim - Subra – ‘Tell our audience’ something about your background / experience, and your role here at Apigee - Tim to follow with the same (i.e., something about my background / experience, and my role here at Apigee)
- #34: Presenter: Tim
- #38: Presenter: Tim - “Architect” on this slide
- #39: Presenter: Tim - Security “administrator” this slide
- #40: Presenter: Tim ‘That said, let’s jump into API architecture considerations’