Security - A Digital Transformation Enabler

Security - A Digital Transformation Enabler Alex Akinjayeju Head of Information & Cyber Security Operations June 2015

Upload: alexander-akinjayeju-msc-cism-prince2

Post on 12-Apr-2017


Page 1: Security - A Digital Transformation Enabler

Security - A Digital Transformation Enabler

Alex Akinjayeju

Head of Information & Cyber Security Operations

June 2015

Page 2: Security - A Digital Transformation Enabler

[Diagram: Digital Infrastructure for the Digital Enterprise. Labels: Application catalog; IT supply chain; Data centre footprint; Enterprise IT; Desktop services; OS & virtualisation; Infrastructure; Private & hybrid cloud; IT service management; Data management; Applications; Information security; BYOD; Data centre facilities & operations; On-premise; Off-premise; Transition/Transformation; Cloud services; SaaS; PaaS; IaaS; Hybrid cloud; Colocation; Service provider; Multi-tenant data centre; Mobility; Collaboration]

The promises of the new digital world are inextricably bound up with cloud computing technologies.

Cloud computing technology is central to the converging, interconnecting forces of collaboration, mobility, BYOD, IoT and social enterprise.

The information/data security and entitlements of users of these services and apps are bound to their identities and the contexts within which they may partake in this ecosystem.

Traditional security models, information governance, identity management and role-based access control don’t quite cut the mustard.

However, new technologies are yet to be tested both commercially and functionally.

The potential benefits to the enterprise, such as seamless collaboration, agility and efficiency, are too rewarding to ignore. The security industry must help organisations balance the risks and rewards.

Page 3: Security - A Digital Transformation Enabler

Agenda

• Why is Security Constraining Adoption?

• Cloud computing usage

• Focus on SaaS – Drivers

• Focus on SaaS Risks – and the rest!!

• Why IDM is Central

• The Azure Identity solution for 365 – An Example

• Key Takeaway - Get Your MOJO Back!!!

Page 4: Security - A Digital Transformation Enabler

Why is Security a Constraint?

• Absence of corporate information governance framework

• Lack of engagement with business

• Security function is technology-focused as opposed to data-focused

• Data security risk is the biggest concern in the cloud

• Business needs agility not constraints

• Identity federation, SSO, Access control

• The context of the cloud is still unclear/immature to security.

Page 5: Security - A Digital Transformation Enabler

Consequently Security has

Page 6: Security - A Digital Transformation Enabler

Cloud Computing Usage

*Over 2100 SaaS apps service

Page 7: Security - A Digital Transformation Enabler

Focus on SaaS – Drivers

• Power shift from IT to users

• Collaboration

• Mobility – data anywhere, everywhere

• Urgency/Immediacy of need

• IT’s time to fulfil requests

• Change in working culture

• Procurement processes are clunky

• Can’t sanction employees for doing their work efficiently and quickly


Page 8: Security - A Digital Transformation Enabler

Focus on SaaS Risks – and the rest!!

• Typically procured by shadow IT – No security diligence

• Some service providers own data uploaded to their service

• Security has no visibility of data in the cloud or who has access to them

• Data is extensively shared with 3rd parties with no visibility of their JML process

• Internal IDM not integrated with SaaS

• Data security attributes, classification, encryption and control is lost

• Enforcement of corporate security policy is not consistent across multiple SaaS apps

• Other issues include data loss, malware, copyright, decommissioning, monitoring, etc.

Source: Ricoh.com

Page 9: Security - A Digital Transformation Enabler

More on SaaS Risks – and the rest!!

• Enterprise & Cloud security issues = SAME but different contexts.

• Leavers still have access to data

• Compliance standards: PCI DSS, HIPAA, SOX, DPA, ISO 2700x, ISMS

• Enterprise data ownership is not clear

• Use of PaaS and IaaS is increasing and threatening the established order

• Vendor lock-in

• Physical location of data & data centres – talk about American Patriot Act & Snowden’s effect

if ESn = CSn what is n?

Page 10: Security - A Digital Transformation Enabler

Why IDM is Central

• IDM is central to users’ digital entitlements and access

• Articulate your IDM goals/strategy; if AD is integral, sort it out first!

• Authentication and access must be consumable in the cloud

• Federation deployments have struggled under enterprise IDM solutions: expensive, complicated and long-winded, with minimal outcomes

• Consider identity in the cloud

• Re-assess SSO strategy; exempt highly sensitive systems/applications and data from SSO

Page 11: Security - A Digital Transformation Enabler

The Azure Identity Solution for 365 – An Example

[Diagram labels: Active Directory; SSO to 2200+ SaaS apps; Identity]

Page 12: Security - A Digital Transformation Enabler

Key Takeaway - Get Your MOJO Back!!!

• Security Practitioners

– Guard your credibility, do not spread FUD

– Engage your users & stakeholders

– Understand your organisation’s business drivers and objectives

– Be prepared to respond to the SO WHAT?

• Embrace/Engage shadow IT

• Take control

– Discover and risk assess SaaS apps already in use;

– Recommend appropriate & proportionate controls;

– Discover data in the cloud and who has access to them;

– What are the security attributes of these data?;

– Keep it KISS

• Develop relevant digital security policies

Page 13: Security - A Digital Transformation Enabler

Key Takeaway - Get Your MOJO Back!!!

• Lead the information governance debate; not all about data classification

• Future proof identity management;

• Consider context based access control – RBAC does work outside the enterprise!;

• Simplify complexity; consider access security brokerage;

• Use publicly available frameworks to assess service providers

• Sort out identity management; perhaps deploy a temporary tactical solution.

• We can no longer dictate what “End User” devices our people have, or how they connect!

• Don’t forget Availability, Performance, Change Management, Incident Management, Clarity of external connectivity, Accountabilities, Location of data

[Diagram labels: Assess; Control; Review; Identify]