TRUSTWORTHY COMPUTING (TC) IN AN ENTERPRISE
Ramesh Shanmuganathan
Executive Vice President / Group CIO
John Keells Group
How do I ensure that the people who are accessing the domain are the people who have been authorized to do so?
Threat map (recovered from the slide diagram):
- Natural disasters
- Human threats: malicious and non-malicious
- Trojan horses
- Unused services left on
- Un-patched web server
- Network spoofing
- Denial of service
- Excessive privileges
- Poisons (packets, DNS, etc.)
- No policies
- Packet sniffing
ADDRESS THE EXTERNAL THREATS THAT ARE OBVIOUS!
Internal threat map (recovered from the slide diagram):
- Organizational attacks
- Automated attacks
- Restricted data
- Accidental breaches in security
- Connection fails
- Viruses, Trojan horses, and worms
- Denial of service (DoS)
- Attackers
ADDRESS THE INTERNAL THREAT THAT'S OBLIVIOUS!
MANAGE THE VIRTUAL DYNAMICS
Attackers vs. Defenders
- Attacker needs to understand only one vulnerability
- Defender needs to secure all entry points
- Attackers have unlimited time
- Defender works with time and cost constraints
"Do I need security?"
Users and management think that security does not add any business value.
Addressing vulnerabilities before they become a disaster.
Security As an Afterthought
BALANCE THE ACT
Principles, Framework & Architecture of TC
ENDORSE IT/IS GOVERNANCE AS BASELINE
- It's not security through obscurity
- It's an alignment of business objectives/needs with IT investments and services
- It is as vital and important as corporate / business governance
- It needs commitment/endorsement from the C-level to be successful!
Governance framework (recovered from the slide diagram; BUSINESS and TECHNOLOGY run along the two sides):
- Business / Technology Perspective & Integration
- User Perspective & IT Policy Management
- Process Management
- User Management, Security Management, Systems Management
- Applications, Infrastructure
- ICT Infrastructure
USE REGULATION AND STANDARDS AS A GUIDELINE IN CONTEXT
- SEC Regs
- Sarbanes-Oxley
- FISMA
- Development tools for secure code
- Policy, Code (Identity, Updates)
- Isolation (Firewall, Quarantine)
ENABLE BUSINESS IN A SECURE CONTEXT
- Business agility
- Embracing IT-enabled delivery channels
- 360 view of customers - knowledge is power!
- Effective roll-out of corporate/business strategies
- Better time to market
- Return on investment
- Insurance analogy - security is a necessary evil?
- Risk Management = F(Fear, Uncertainty, Doubt)?
- Confidentiality-Integrity-Availability (CIA) vs Disclosure-Alteration-Destruction (DAD)
SIMPLIFY, STANDARDIZE & OPTIMIZE
Maturity stages (recovered from the slide table):

Objective:             React           Manage complexity   Reduce      Agility
Resource utilization:  High, unknown   Known, poor         Optimized   As needed
Processes:             Ad hoc          Defined             Mature      Policy-based & automation

CoBIT: Monitor & Evaluate; Plan & Organize
Business drivers; Security Policy; Physical Security
Network access by client health (exchange recovered from the slide diagram):
Client -> Network Access Device (DHCP, VPN): "May I have access? Here's my current health status." (Requesting access.)
Network Access Device -> Network Policy Server: "Should this client be restricted based on its health?"
Network Policy Server: "According to policy, the client is not up to date. Quarantine client, request it to update."
Client is given restricted access until fix-up.
Client (restricted): "Can I have updates?" Ongoing policy updates are delivered to the Network Policy Server.
Client: "Here's my new health status."
Network Policy Server: "According to policy, the client is up to date. Grant access."
Client is granted access to full intranet.
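The request / quarantine / fix-up / re-check exchange in the diagram above, as an added Python model (not code from the slides or from any vendor implementation); the health fields, policy thresholds and the fix_up routine are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class HealthStatement:
    """Statement of health the client attaches to its access request (constructed fields)."""
    patch_level: int            # highest update level installed, on a constructed scale
    antivirus_on: bool
    signature_age_days: int     # age of the antivirus signatures

@dataclass(frozen=True)
class Policy:
    """What the Network Policy Server requires before granting full access (assumed thresholds)."""
    min_patch_level: int = 7
    max_signature_age_days: int = 3

@dataclass
class Decision:
    access: str                                   # "full" or "restricted"
    remediation: List[str] = field(default_factory=list)

def evaluate(policy: Policy, health: HealthStatement) -> Decision:
    """Policy server: compare the statement of health with policy and list what is missing."""
    todo = []
    if health.patch_level < policy.min_patch_level:
        todo.append(f"install updates to level {policy.min_patch_level}")
    if not health.antivirus_on:
        todo.append("enable antivirus")
    if health.signature_age_days > policy.max_signature_age_days:
        todo.append("refresh antivirus signatures")
    return Decision("restricted" if todo else "full", todo)

def fix_up(health: HealthStatement, policy: Policy) -> HealthStatement:
    """Remediation reachable from the quarantine network: apply the requested updates (assumed)."""
    return HealthStatement(max(health.patch_level, policy.min_patch_level), True, 0)

def admission(policy: Policy, health: HealthStatement,
              remediate: Callable[[HealthStatement, Policy], HealthStatement] = fix_up,
              max_rounds: int = 2) -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Access device: request -> quarantine -> fix-up -> re-check; one log entry per health check."""
    log = []
    for round_no in range(1, max_rounds + 1):
        decision = evaluate(policy, health)
        log.append((round_no, decision.access, tuple(decision.remediation)))
        if decision.access == "full":
            break
        health = remediate(health, policy)   # client stays restricted while it updates
    return log
```

A client whose remediation never succeeds exhausts max_rounds and remains restricted, which is the quarantine outcome the diagram leaves implicit.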
TRUSTWORTHY COMPUTING SCENARIO #1: BLOCKING NETWORK ATTACKS
- Host IPS
- Spyware removal
- Personal firewalls and scan-and-block systems
- Personal antivirus
- Rootkit detection and removal
TRUSTWORTHY COMPUTING SCENARIO #3: ELIMINATING SECURITY VULNERABILITIES
- Vulnerability management and penetration testing
- Patch and configuration management and compliance
- Application security testing
TRUSTWORTHY COMPUTING SCENARIO #4: SAFELY SUPPORTING AUTHORIZED USERS
Customer Need
Q&A
A parting thought...
Contact: ramesh@keells.com