
  • Number of slides: 25

How to Tell the IBM Security Story
Robin Hogan
February 12, 2009
Securing a Dynamic Infrastructure
© 2009 IBM Corporation

Agenda
§ Positioning security in the Smarter Planet Theme/Dynamic Infrastructure Imperative
§ IBM – Securing a Dynamic Infrastructure

A dynamic infrastructure: addressing the needs of a smarter planet
A dynamic infrastructure… …delivers superior business and IT services with agility and speed

Dynamic Infrastructure: Helping you manage and mitigate risk…
BUSINESS RESILIENCY across globally integrated systems.
NEW POSSIBILITIES. NEW RISKS.
COMPLIANCE SOLUTIONS for exploding data volumes and complex regulatory environments.
SECURITY FRAMEWORK Spanning physical, IT, mobile and “smart” assets.
…providing the end-to-end approach needed in an instrumented, interconnected and intelligent world.

IBM Secures a Dynamic Infrastructure…
IBM can help you to strategically manage risk end-to-end across all security domains. IBM’s framework-based security offerings provide the solutions and expertise you need to confidently:
• Enable business change through a foundation of flexible security controls
• Deliver improved agility and cost-effective control over your risk posture
• Reduce the complexity of security controls
• Protect against internal and external threats
• Meet operational requirements to address compliance measures

Welcome to the smart planet… and a smarter infrastructure
Globalization and Globally Available Resources
Billions of mobile devices accessing the Web
Access to streams of information in Real Time
New Forms of Collaboration
New possibilities. New complexities. New risks.

With these new opportunities come new risks
Emerging technology
• Virtualization and cloud computing increase infrastructure complexity.
• Applications are a vulnerable point for breaches and attack.
Data and information explosion
• Data volumes are doubling every 18 months.
• Storage, security, and discovery around information context is becoming increasingly important.
Wireless world
• Mobile platforms are developing as new means of identification.
• Security technology is many years behind the security used to protect PCs.
Supply chain
• The chain is only as strong as the weakest link… partners need to shoulder their fair share of the load for compliance and the responsibility for failure.
Clients expect privacy
• An assumption or expectation now exists to integrate security into the infrastructure, processes and applications.
Compliance fatigue
• Organizations are trying to maintain a balance between investing in both the security and compliance postures.

Not all risks are created equal
[Chart: Frequency of Occurrences Per Year (frequent to infrequent, 1,000 down to 1/100,000) plotted against Consequences (Single Occurrence Loss) in Dollars per Occurrence (low to high, $1 to $100 M). Risks plotted: Virus, Data Corruption, Data Leakage, Worms, System Availability Failures, Lack of governance, Failure to meet Compliance Mandates, Application Outage, Network Problem, Failure to meet Industry standards, Terrorism/Civil Unrest, Workplace inaccessibility, Natural Disaster, Regional Power Failures, Building Fire, Disk Failure, Pandemic.]

Neither are all Security solutions…
§ Find a balance between effective security and cost
– The axiom… never spend $100 dollars on a fence to protect a $10 horse
§ Studies show the Pareto Principle (the 80-20 rule) applies to IT security*
– 87% of breaches were considered avoidable through reasonable controls
§ Small set of security controls provide a disproportionately high amount of coverage
– Critical controls address risk at every layer of the enterprise
– Organizations that use security controls have significantly higher performance*
[Diagram labels: Pressure, Cost, Complexity, Effectiveness, Agility, Time]
*Sources: W. H. Baker, C. D. Hylender, J. A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008; ITPI: IT Process Institute, EMA December 2008

IBM provides the business answers you need in uncertain times with solutions for all IT domains
§ IBM is the only security vendor in the market today with end-to-end coverage of critical controls
§ IBM Proof Points
– 3,000+ security & risk management patents
– 200+ security customer references and 50+ published case studies
– 40+ years of proven success securing the System z environment
– Already managing more than 2.5 B security events per day for clients
– 15,000 researchers, developers and SMEs on security initiatives
[Diagram: IBM Security Framework]
IBM Security: Improving service, managing risk and reducing the cost of Security without compromise

IBM Internal Use Only – Not Client Facing
Expanded Focus for Security in the Dynamic Infrastructure…
IBM Global Business Services
IBM Systems Group

IBM Security offerings and capabilities.
Security, compliance, and risk management solutions and proven expertise to reduce the cost and complexity of securing the enterprise, enable trusted connections, supporting the transformation to a dynamic infrastructure…
IBM SECURITY OFFERINGS
§ Identity & access management.
§ Trusted identity offerings.
§ Data and Information security offerings.
§ Application security offerings.
§ Policy management/enforcement solutions.
§ Network, Server and Endpoint security offerings.
§ Security compliance and risk management offerings.
§ Self-encrypting storage and key management solutions.
§ Security assessment, planning and implementation services.
§ Managed security services.
§ Education and training offerings.
IBM LEADERSHIP
§ The only security vendor in the market with end-to-end coverage of the security foundation.
§ 15,000 researchers, developers and SMEs on security initiatives.
§ 3,000+ security & risk management patents.
§ 40+ years of proven success securing the System z environment.
§ Industry's only Guaranteed Protection SLA for managed security services.
§ Global managed security reach in over 133 countries.

Dynamic Infrastructure – Security
Smart is: End to end industry customized governance, risk management and compliance solutions.
Provide end-to-end risk management
Adopt a business-driven strategic approach to security.
§ Prioritize security risks by criticality to key business processes.
§ Enable business change via a foundation of flexible controls.
§ Meet operational needs to address compliance requirements.
Reduce the cost of security
Meet changing business needs.
§ Leverage smart security solutions to lower overall cost
§ Explore a mix of in-house and managed solutions
§ Embed security into projects and infrastructure to enhance effectiveness.
Ensure secure service delivery
Effectively manage risk for key business services.
§ Meet operational needs to address security requirements.
§ Protect business and IT assets to improve confidentiality, integrity and availability.
§ Build in automation to respond to market needs, reduce cost and compliance fatigue.
Respond with speed and agility
Gain control over risk posture and incident response.
§ Ensure risk posture meets policies and regulations.
§ Improve incident response processes.
§ Derive insight via dashboards, alerts and reporting.

Client requirements IBM Security solutions can address
• Identify, monitor, manage, and mitigate risks and reduce costs of regulatory and industry compliance
• Enable secure transactions and collaboration through effective identity and access lifecycle management
• Protect sensitive data and information at rest or in transit from intruders and privileged internal users
• Embed security capabilities to mitigate increasing risk of application-level vulnerabilities
• Mitigate, monitor and manage the latest security threats and vulnerabilities
• Lower the costs of applying the latest security expertise, processes and technologies
Smarter organizations effectively manage risk to support the secure and resilient transformation to a dynamic infrastructure

PEOPLE AND IDENTITY
Manage Identities and Access
“How can my business benefit from management of digital identity?”
Issues
§ Cost of administering users and identities in-house
§ Privileged user activity unmonitored
§ Dormant IDs or shared identities being used to inappropriately access resources
§ Failing an audit
§ Understanding the identity risk gap
IBM Security Offerings
§ Identity Lifecycle Management: Tivoli Identity and Access Management solutions, ISS Managed Identity Services
§ High-Assurance Digital Identities: Trusted Identity Initiative
§ Identity Audit: Tivoli Security Compliance Insight Manager, Tivoli zSecure Audit
§ Identity & Access Design and Implementation Services
Values
§ Reduces the cost, increases efficiency and enables audit-ability of managing flow of users entering, using, and leaving the organization
§ Decreases risk of internal fraud, data leak, or operational outage
§ Supports globalization of operations
§ Enables shift from traditional brick & mortar sales to delivery of on-line services to customers and partners across the globe
§ Improves end-user experience with Web-based business applications by enabling activities such as single sign-on

DATA AND INFORMATION
Protect Data and Information
“How can I reduce the cost and pain associated with tracking and controlling who touched what data when? How do I assure that my data is available to the business, today and tomorrow?”
Issues
§ Data stored on removable media that can be lost/stolen
§ Data stored or transmitted in the clear is easily accessible
§ Inconsistent data policies
§ Costs of data breaches, notification, brand value
§ Legal, regulatory and ethical exposure for the organization
§ Failing an audit
§ Unstructured data
IBM Security Offerings
§ ISS Data Security and Data Loss Prevention solution
§ Data Encryption: Tivoli Key Lifecycle Manager, encrypted tape and disk drives
§ Data Classification: InfoSphere Information Analyzer, Cognos, Enterprise Content Management, Discovery and Classification
§ Unstructured Data Security: Tivoli Access Manager, WebSphere MQ Extended Security Edition, WebSphere DataPower SOA Appliances
§ Data Privacy and Masking: Optim Data Privacy Solution
§ ISS Professional Security Services
§ SIEM: Tivoli Compliance Insight Manager, ISS SiteProtector, ISS Managed Security Services
Values
§ Reduces the cost, increases ability to meet audit and compliance mandates
§ Provides a cost-effective way to meet legal discovery, hold and retention requirements
§ Assures data is available to the right people, at the right time
§ Assures data is not deliberately or inadvertently taken, leaked, or damaged
§ Decreases number and complexity of controls integrated within the enterprise

APPLICATION AND PROCESS
Secure Web Applications
“How can my business benefit from management of application security?”
Issues
§ Applications are deployed with vulnerabilities
§ 80% of development costs spent on identifying and fixing defects
§ Web applications #1 target of hackers seeking to exploit vulnerabilities
§ Real and/or private data exposed to anyone with access to development and test environments, including contractors and outsourcers
§ Poor security configs expose clients to business loss
§ PCI regulatory requirements mandate application security
IBM Security Offerings
§ Application Vulnerabilities: Rational AppScan, ISS Managed Security Services, ISS Application Risk Assessment services, WebSphere DataPower SOA Appliances
§ Application Access Controls: Tivoli Access Manager
§ Messaging Security: Lotus Domino Messaging, WebSphere MQ Extended Security Edition, IBM ISS Mail security solutions
§ Security for SOA: WebSphere DataPower SOA Appliances, Tivoli Security Policy Manager, Tivoli Federated Identity Manager
Values
§ Reduce risk of outage, defacement or data theft associated with web applications
§ Assess and monitor enterprise-wide security policy compliance
§ Improve compliance with industry standards and regulatory requirements (e.g., PCI, GLBA, HIPAA, FISMA…)
§ Improve ability to securely integrate business critical applications
§ Automated testing and governance throughout the development lifecycle reducing long-term security costs

NETWORK, SERVER AND END POINT
Manage Infrastructure Security
“How does my business benefit from infrastructure security protection?”
[Diagram labels: Systems Storage Virtual Network]
Issues
§ Parasitic, stealthier, more damaging attacks
§ Weak application controls
§ Compounding cost of managing an ever increasing array of security technologies
§ Mass commercialization and automation of threats
§ Undetected breaches due to privilege access misuse and downtime from incidents
§ Inability to establish forensic evidence or demonstrate compliance
§ Poor understanding of risks in new technologies and applications, including virtualization and cloud
§ Lack of skills to monitor and manage security inputs
IBM Security Offerings
§ Threat Mitigation: ISS Network, Server and Endpoint Intrusion Detection and Prevention products powered by X-Force®, Managed Intrusion Prevention and Detection, Network Mail Security, Managed firewall services, Vulnerability Management and Scanning, WebSphere DataPower SOA Appliances
§ SIEM: Tivoli Compliance Insight Manager, Security Event and Log Management services
§ Security Governance: Regulatory assessments and remediation solutions, Security architecture and policy development
§ Incident Response: Incident Management and Emergency Response services
§ Consulting and Professional Security Services: Security Intelligence and Advisory Services
Values
§ Reduces cost of ongoing management of security operations
§ Increases productivity by decreasing risk of virus, worm and malcode infestation
§ Improves operational availability and assures performance against SLA, backed by industry’s only guaranteed SLA for managed protection services
§ Decreases volume of incoming spam
§ Drill down on specific violations to quickly address resolution
§ Readily show status against major regulations

IBM Professional Security Services
Proven integrated lifecycle methodology that delivers ongoing security solutions
Phase 1. Assessment
• Application Security Assessments
• Information Security Assessments
• PCI Assessments
• Penetration Testing
• ISO 17799/27002 Gap Assessments
• Supervisory Control And Data Acquisition (SCADA)
Phase 2. Design
• Policy Development
• Incident Response Planning
• Standards and Procedures Development
• Implementation Planning
Phase 3. Deployment
• Implementation and Optimization
• Migration Services
Phase 4. Management and Support
• Staff Augmentation
• Emergency Response Service
• Forensic Analysis
Phase 5. Education
• IBM ISS Product Courses
– On-site & off-site classes

IBM ISS Managed Security Services Offerings
Our open-vendor architecture enables IBM ISS to deliver a consolidated security view through an industry-leading, single unified system through a high impact Web-based management portal.

Dynamic Infrastructure – Security Next Steps
End-to-end risk management
Adopt a business-driven strategic approach to security.
§ Start with a security risk assessment.
§ Leverage IBM’s leading security offerings and unique expertise combining business and security know-how.
§ Implement security controls to holistically address compliance requirements.
Reduce the cost of security
Meet changing business needs.
§ Start with TCO challenge offering, security standards and process assessments and design.
§ Deploy products and outsourced services to reduce cost and risks from people and identities, data and information, applications and infrastructure
Ensure secure service delivery
Effectively manage risk for key business services.
§ Start with security policy, standards and procedures development.
§ Implement threat and vulnerability management solutions.
§ Automate security and compliance administration, management and reporting.
Respond with speed and agility
Gain control over risk posture and incident response.
§ Start with a regulatory compliance assessment.
§ Deploy automated incident response products or services.
§ Implement SIEM products or managed services to drive improved insight.

IBM Security Accolades
“Security has become a C-level conversation, and enterprises are looking for reputable vendors with the capability to help customers manage risks and reduce complexity. IDC believes IBM has recognized this trend and has created comprehensive security packages that leverage various products to provide for multiple layers of security to customers.”
November 2008, IDC Insight
“… there is a profound transition in the way organizations assess security needs, acquire security technologies, measure risk, and conduct security operations. All of these trends shift the balance of power from security point tool vendors to larger firms with broad security services and product offerings. IBM’s combination of products, services, customer reach, and rich resources give it a unique position in the security industry. IBM and a few others can help any sized customer with security, regardless of whether they need help securing their business, implementing an enterprise security initiative, or fixing a big security problem.”
Finalist in eight categories, including “Best Security Company”… a record high number of nominations for any vendor
November 2008, Enterprise Strategy Group

IBM Global Security Reach
IBM has the unmatched global and local expertise to deliver complete solutions – and manage the cost and complexity of security

Only IBM Security is Backed by the IBM X-Force® Research Team
Research
§ Original Vulnerability Research
§ Public Vulnerability Analysis
§ Malware Analysis
§ Threat Landscape Forecasting
§ Protection Technology Research
Technology Solutions
X-Force Protection Engines
§ Extensions to existing engines
§ New protection engine creation
X-Force XPU’s
§ Security Content Update Development
§ Security Content Update QA
X-Force Intelligence
§ X-Force Database
§ Feed Monitoring and Collection
§ Intelligence Sharing
The X-Force team delivers reduced operational complexity – helping to build integrated technologies that feature “baked-in” simplification
