Security solutions for a smarter planet

Security Solutions for a Smarter Planet: IBM Directions in Security Jason Burn

Welcome to the smarter planet 162 million Almost 162 million smart phones were sold in 2008, surpassing laptop sales for the first time. 90% Nearly 90% of innovation in automobiles is related to software and electronics systems. 1 trillion Soon, there will be 1 trillion connected devices in the world, constituting an “internet of things.” The planet is getting more Instrumented , Interconnected and Intelligent .

Protection of sensitive and large volumes of data, shared globally Protection of sensors and actuators in the wild Protection of digital identities With the smarter planet opportunities come new security and privacy risks

Additional security and privacy risks impacting customers Addressing compliance complexity Adoption of virtualization and cloud computing Addressing the new cyber threat landscape Expectation of privacy

So how can security help us take advantage of opportunities on the smarter planet? Enables safe adoption of new forms of technology like cloud computing and virtualization Enables new business models like outsourcing and teleworking Addresses emerging compliance constructs , while decreasing IT operations costs Assures the quality, availability and integrity of information required for real time decision making Addresses consumer expectation of privacy by assuring “trusted brand” status Security enables us to take risks and innovate confidently . Virtualization Tele Working Outsourcing Cloud Computing

“ Secure by design” A new model for building a smarter planet Security cannot solely be the job of regulators or a stand-alone corporate department In an interdependent world, security has become both a necessity and a collective responsibility – one that we must take on as an intentional plan, not as an afterthought. We need to build solutions where security is factored into the initial design and is intrinsic to the business processes, product development lifecycle and daily operations. Securely and safely adopt new technology and business models Increase innovation and shorten time to market Reduce security costs … IBM can help

IBM’s security strategy Delivering secure products and services Providing end-to-end coverage across all security domains 15,000 researchers, developers and SMEs on security initiatives Data Security Steering Committee Security Architecture Board Secure Engineering Framework 3,000+ security & risk management patents Implemented 1000s of security projects 40+ years of proven success securing the zSeries environment Managing over 7 Billion security events per day for clients 200+ security customer references and more than 50 published case studies IBM Security Solutions. Secure by Design.

So where do we start? …… many scenarios to plan for… External Threats Insider Threats Inadvertent Deliberate Power failures Malware Denial of service Sophisticated, organized attacks Natural disasters Economic upheaval Unpatched systems Code and application vulnerabilities Lack of change control Human error or carelessness Developer-created back door Information theft Insider fraud

“ Foundational Controls” = seatbelts and airbags Find a balance between effective security and cost The axiom… never spend $100 dollars on a fence to protect a $10 horse Studies show the Pareto Principle (the 80-20 rule) applies to IT security * 87% of breaches were considered avoidable through reasonable controls Small set of security controls provide a disproportionately high amount of coverage Critical controls address risk at every layer of the enterprise Organizations that use security controls have significantly higher performance* Focus on building security into the fabric of the business “ Bolt on” approaches after the fact are less effective and more expensive Use the small set of security controls as a starting point when designing a system * Sources: W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008 ITPI: IT Process Institute, EMA December 2008 Cost Effectiveness Agility Time Complexity Pressure

“ Foundational Controls” represent a hygienic process… “ From the attacker’s perspective, the rationale is simple: When foundational controls fail or do not exist, why seek a more challenging target? Neglecting the fundamentals makes an organization an easy—and hence preferred—target .” (EMA, 2009) Controls provide a solid foundation for IT Security Management Identity and Access Management Data and Information Protection Release Management Change and Configuration Management Threat and Vulnerability Management Problem and Incident Management Security Information and Event Management High performers adhere to “Plan–Do–Check–Act” philosophy N etwork, Server, and End Point P hysical Infrastructure P eople and Identity D ata and Information A pplication and Process Control Govern and secure complex infrastructure and ensure regulatory compliance Understand health and performance of services across your infrastructure Drive down cost, minimize human error and increase productivity Visibility Automation Adherence to ITIL (ITSM) sets apart highest performers in security management

… And “Foundational Controls” provide an effective approach for dealing with the growing compliance landscape Organizations face a growing number and complexity of compliance initiatives, many of which are evolving Foundational controls directly affect an organization’s information security posture. Prevalent compliance initiatives contain additional domains and control sets that fall under IT Management For e.g., data backup/recovery processes, physical facility security, etc. affect an organization’s compliance posture, but are not considered foundational in terms of Information Security.

IBM Security Framework supports Integrated Service Management helping you assess and manage risk DATA AND INFORMATION Understand, deploy, and properly test controls for access to and usage of sensitive data PEOPLE AND IDENTITY Mitigate the risks associated with user access to corporate resources APPLICATION AND PROCESS Keep applications secure, protected from malicious or fraudulent use, and hardened against failure NETWORK, SERVER AND END POINT Optimize service availability by mitigating risks to network components PHYSICAL INFRASTRUCTURE Provide actionable intelligence on the desired state of physical infrastructure security and make improvements GOVERANCE, RISK MGMT AND COMPLIANCE Ensure comprehensive management of security activities and compliance with all security mandates GRC

IBM security portfolio Overview = Professional Services = Products = Cloud-based & Managed Services Identity and Access Management Mainframe Security Virtual System Security Database Monitoring and Protection Encryption and Key Lifecycle Management App Vulnerability Scanning Access and Entitlement Management Web Application Firewall Data Loss Prevention App Source Code Scanning SOA Security Intrusion Prevention System Messaging Security Data Masking Infrastructure Security E-mail Security Application Security Web/URL Filtering Vulnerability Assessment Firewall, IDS/IPS, MFS Mgmt. Identity Management Data Security Access Management GRC Physical Security Security Governance, Risk and Compliance SIEM and Log Management Web / URL Filtering Security Event Management Threat Assessment

How we add value: IBM leverages our skills to help meet your goals IBM has industry’s broadest Security Solutions portfolio IBM understands Security & Risk are business problems first, technical problems second IBM has deep industry expertise IBM has a huge ecosystem of leading security partners IBM has the client success stories to demonstrate results

ONE voice for security . IBM SECURITY SOLUTIONS INNOVATIVE products and services . IBM SECURITY FRAMEWORK COMMITTED to the vision of a Secure Smarter Planet . SECURE BY DESIGN

Trademarks and disclaimers Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries./ Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. Information is provided "AS IS" without warranty of any kind. The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. Photographs shown may be engineering prototypes. Changes may be incorporated in production models. © IBM Corporation 1994-2010. All rights reserved. References in this document to IBM products or services do not imply that IBM intends to make them available in every country. Trademarks of International Business Machines Corporation in the United States, other countries, or both can be found on the World Wide Web at http://www.ibm.com/legal/copytrade.shtml.

Security solutions for a smarter planet

More Related Content

What's hot (20)

Viewers also liked (8)

Similar to Security solutions for a smarter planet (20)

More from Vincent Kwon (20)

Recently uploaded (20)

Security solutions for a smarter planet

Editor's Notes