Software asset management and cybersecurity
TRANSCRIPT
Document Classification: KPMG Confidential
© 2017 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Contents
1. SAM – evolution and complexity
2. Cybersecurity challenges
3. SAM and Cybersecurity – Inseparable components
4. Continuous compliance and Security monitoring
Software Asset Management
“All of the infrastructure and processes necessary for the effective management, control and protection of the software assets within an organization, throughout all stages of their lifecycle”
ITIL Best Practice guide - Software Asset Management
❖ SAM is NOT just about a tool
❖ SAM is NOT just about a one-time discovery exercise
❖ SAM is NOT just about PCs
❖ SAM is NOT just about IT
How software licensing has evolved
Timeline (years shown on the slide): 1999, 2002, 2003, 2006, 2007-08, 2011, 2012, 2014, 2017. Milestones, in the order shown:
— Salesforce.com: early start of the SaaS model
— Amazon Web Services
— Microsoft and IBM started reviews
— Google Cloud Platform (initial release)
— Most enterprises audited by one OEM
— Cloud becomes an integral part of the organization
— Cloud, BYOL and BYOD become an integral part of IT
— Autodesk and Adobe started audits
— Enterprise audits started by most of the OEMs
Know your challenges and opportunities … to drive business outcomes
— 1/3 of a company’s strategic IT vendors will be less than 5 years old
— Vendor relationship skills will be a Top Five competency among CIOs
— <15% of vendor management programs will leverage data analytics and BI – despite this being a top priority of CIOs
— 30% of enterprises will focus on optimizing IT business value, not just cost
— >75% of IT leaders will be prone to investing in high-risk vendors due to lack of financial analysis skills
— 40% of IT spend will be outside the CIO’s control
— Enterprises will spend 10x more on software asset management services than on tools
— IT assets will be split between less than 10 very large providers and many credible regional players globally
— 20% of IT procurement staff will be replaced by external service providers because of budget restrictions
Source: gartner.com/us/itam
Cyber Threat
Cyber Threat - Ransomware
Cyber Threat – Spear phishing
Hacks from preventable vulnerabilities
— 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published (Verizon)
— 80% of successful attacks will exploit well-known vulnerabilities which could have been detected by security monitoring (Gartner)
*CVE = Common Vulnerabilities and Exposures: a public identifier for a disclosed vulnerability in a specific product and version, not a list of compromised software. The CVE list, with severity scores and affected products, is published in the publicly available National Vulnerability Database (NVD). The point of the statistic is that the fix was public for a year or more before the vulnerability was exploited; an organization that knows which versions it is running can close that window.
Cyber security
Everyone is talking about cyber security. Organizational leaders are fretting while hackers seem to be able to ghost their way effortlessly into their systems to steal emails and secrets.
— Almost a third of respondents (32 per cent) reported that their organisation had been subject to a major IT security incident or cyber attack during the past 24 months
— It is concerning that less than a quarter of IT leaders feel ‘very well positioned’ to deal with IT security/cyber attacks
— Only 40% of respondents cited ‘insiders’ as a significant concern; however, an increasing proportion of cyber incidents originate from within the organisation
Cloud and SAM
Cloud is no longer a choice
— IT is not the sole purchaser of cloud solutions
— 49% of the organisations plan to make a ‘significant’ investment in Software as a Service in the next one to three years, compared to 31% who were making ‘significant’ investment in the current year
Next gen operating models
— 59% of organisations are looking to implement next gen methods such as DevOps to develop and deliver IT services
SAM and Cyber security – Regulatory view
Corporate Governance Code 2017
Principle 5.4
The board should establish a framework for governance of enterprise IT that is aligned with the company’s business needs and priorities, stimulates business opportunities and performance, strengthens risk management, and supports the company’s objectives.
Explanation 3
— Consideration of IT risks and risk mitigation policies, plans, and measures. For example, business continuity management, IT security, incident management, and
IT asset management.
NIST’s Cybersecurity Framework
Identify – ID.AM Asset Management
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Protect – PR.DS Data Security
Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Detect – DE.CM Continuous Monitoring
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
But, do we really know?
Do you know what’s running on each machine?
As a core principle of SAM, the organization should know:
▪ what is running on each machine
▪ which software titles are patched, unpatched or out of support
▪ which users have what level of access
▪ whether each machine has the latest AV definitions
Most ransomware attacks succeed because the organization does not know what is running on its machines:
▪ We observed that many companies still have old or outdated systems on the network
▪ Ransomware may already be present on a machine but not yet activated
▪ Pirated or unlicensed software that has been installed can result in an attack
▪ Media content downloaded from torrents can result in an attack
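As an added example (not part of the KPMG deck), the reconciliation that the "preventable vulnerabilities" statistics and the "what’s running on each machine" principle above call for: a SAM inventory joined against an advisory list and vendor end-of-support dates, flagging hosts where the installed version predates a fix, where the fix has been public for a year or more, where the title is out of support, and where AV definitions are stale. All hosts, products, advisory IDs and dates are constructed; the placeholder `ADV-n` IDs stand in for CVE entries that would in practice come from the NVD feed, and the `AS_OF` reporting date and 7-day AV threshold are assumptions.

```python
"""Reconcile a SAM inventory against vulnerability and support data.

Added example, not KPMG's code. All hosts, products, advisory IDs and
dates below are constructed for illustration; in practice the advisory
list would be built from the NVD CVE feed and the vendor's lifecycle
data, and the inventory from the SAM discovery tool.
"""
from datetime import date

# Constructed inventory: one row per installed title, plus the date of the
# host's last anti-virus definition update (repeated on each of its rows).
INVENTORY = [
    {"host": "ws-001", "product": "PDF Reader", "version": "11.0.3", "av_defs": date(2017, 9, 30)},
    {"host": "ws-001", "product": "Media Player", "version": "2.1.0", "av_defs": date(2017, 9, 30)},
    {"host": "ws-002", "product": "PDF Reader", "version": "12.1.0", "av_defs": date(2017, 8, 1)},
    {"host": "srv-010", "product": "Legacy ERP", "version": "4.5", "av_defs": date(2017, 9, 29)},
]

# Constructed advisories (placeholder IDs, not real CVEs): a title is
# vulnerable when its installed version is older than `fixed_in`.
ADVISORIES = [
    {"id": "ADV-1", "product": "PDF Reader", "fixed_in": "12.0.0", "published": date(2016, 3, 15)},
    {"id": "ADV-2", "product": "Media Player", "fixed_in": "2.1.0", "published": date(2017, 9, 1)},
]

# Constructed vendor end-of-support dates.
END_OF_SUPPORT = {"Legacy ERP": date(2016, 12, 31)}

AS_OF = date(2017, 10, 1)  # assumed reporting date


def parse_version(v):
    """'12.1.0' -> (12, 1, 0); a non-numeric component counts as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version string a is older than b ('4.5' < '4.5.1')."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def reconcile(inventory, advisories, end_of_support, as_of, av_max_age_days=7):
    """Return one finding per vulnerable title, unsupported title or stale-AV host."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv["product"], []).append(adv)

    findings = []
    for row in inventory:
        # Known vulnerability: the installed version predates the fix.
        for adv in by_product.get(row["product"], []):
            if version_lt(row["version"], adv["fixed_in"]):
                findings.append({
                    "host": row["host"], "product": row["product"],
                    "issue": "vulnerable", "ref": adv["id"],
                    "days": (as_of - adv["published"]).days,  # how long the fix has been public
                })
        # Out of support: no patches are coming for this title at all.
        eos = end_of_support.get(row["product"])
        if eos is not None and eos < as_of:
            findings.append({
                "host": row["host"], "product": row["product"],
                "issue": "out_of_support", "ref": eos.isoformat(),
                "days": (as_of - eos).days,
            })

    # Stale AV definitions are a per-host property, so report each host once.
    seen = set()
    for row in inventory:
        if row["host"] in seen:
            continue
        seen.add(row["host"])
        age = (as_of - row["av_defs"]).days
        if age > av_max_age_days:
            findings.append({
                "host": row["host"], "product": None,
                "issue": "av_stale", "ref": row["av_defs"].isoformat(), "days": age,
            })
    return findings


def summarize(findings):
    """Count findings by issue type."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


def long_standing(findings, min_days=365):
    """Vulnerable titles whose fix has been public for at least min_days."""
    return [f for f in findings if f["issue"] == "vulnerable" and f["days"] >= min_days]


if __name__ == "__main__":
    found = reconcile(INVENTORY, ADVISORIES, END_OF_SUPPORT, AS_OF)
    for f in found:
        print(f"{f['host']:8} {f['issue']:15} {f['product'] or '-':14} {f['ref']:12} {f['days']:>4} days")
    print("summary:", summarize(found))
    print("fix public for a year or more:", len(long_standing(found)))
```

On the constructed data, `ws-001` is flagged because its PDF Reader 11.0.3 predates a fix that has been public for 565 days (the case the 99.9% statistic describes), `srv-010` because Legacy ERP left support, and `ws-002` because its AV definitions are two months old; the Media Player row is not flagged because the installed version equals the fixed version, which is the boundary a naive "older or equal" check would get wrong.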
Do we know what’s running on the machine?
SAM Automation
The cost of performing a manual inventory can be exceptionally high. The slide estimates the annual savings from automating it from the number of machines, the number of inventories per year, the hours required to manually inventory a machine and the cost of IT staff, plus intangibles (reduced liabilities, interruption to BAU, impact of errors in management information, etc.).
Hot debates
Some topics:
01 Should the SAM team be held accountable in the event of a cyber breach?
An increasing number of organisations appear to be experiencing cyber attacks. Is cyber one of the responsibilities of your SAM team?
— What SAM deliverables should be covered under cyber?
— What has triggered SAM teams to start building cyber capabilities?
— What types of tools do you use/need to cover your cyber responsibilities?
02 Are you managing software assets on Cloud?
With deeper penetration of cloud (public and private), how are you managing SAM?
— What will be the impact on SAM in public and private cloud?
— What will be the impact on managing software assets in BYOD/BYOL scenarios?
— What types of tool do you use/need to manage assets everywhere?
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on
such information without appropriate professional advice after a thorough examination of the particular situation.
© 2017 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated
with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.