Securing Mobile:
A Business-Centric
Approach
Omar Khawaja
February 2013
Mobility this week
@smallersecurity
• Borderless networks
• RCS, Joyn
• SIP, IP
• MDM
• Monetization
• Means vs. End
Mobile is no longer optional
1970   1980   1990   2000   2010
Difference?
Have a closer look: it's really not that different.
Top Business Technology Trends
• Video
• Social Enterprise
• Big Data
• Enterprise Clouds
• High-IQ Networks
• M2M2P
• Compliance
• Energy Efficiency
• Consumerization of IT
• Personalization of Service
What's the common theme across top technology trends?
• Video
• Big Data
• Enterprise Clouds
• High-IQ Networks
• M2M2P
• Compliance
• Social Enterprise
• Energy Efficiency
• Consumerization of IT
• Personalization of Service
DATA
Mobility and Cloud fuel each of these trends.
Security is about Risk
Threats, Vulnerabilities, Assets, Risk
How do we secure mobile today?
Programs and Technologies
Programs and Technologies
Programs:
• Risk Assessment
• Security Policy
• Organization of Info Security
• Asset Management
• Human Resources Management
• Physical & Environment Security
• Communication & Ops Mgmt
• Access Control
• Info Systems Acquisition, Dev, & Maintenance
• Info Security Incident Management
• Business Continuity Management
• Compliance
Programs and Technologies
Technologies:
• App Security
• Anti-X
• Configuration Management
• DLP
• Encryption
• IAM, NAC
• Patching
• Policy Management
• Threat Management
• VPN
• Vulnerability Management
Multiple Approaches

Diagram: Security Technology Sets (Single vs. Multiple) against Security Programs (Single vs. Multiple). Each cell of the diagram repeats the same two lists:

Security Technology Set:
• App Security, Anti-X, Config Mgmt, DLP, Encryption, IAM, NAC, Patching, Policy Mgmt, Threat Mgmt, VPN, Vuln. Mgmt

Security Program:
• Risk Assessment, Security Policy, Organization of Info Security, Asset Management, Human Resources Management, Physical & Environment Security, Comms & Ops Mgmt, Access Control, Info Systems Acquisition, Dev, & Maint., Info Security Incident Management, Business Continuity Management, Compliance

Quadrant labels on the diagram: Worst Case, Nirvana, Good, Really?
Here's an approach
Data-Centric Approach (Follow the data)
• Inventory (must)
• Classify (must)
• Destroy* (ideal)
• Protect
• Monitor
Data-Centric Security Model
Data-centric security is business-centric security
Data-Centric Security Model
To protect the data, protect what's around it too
Data-Centric Security Model
GRC and Intelligence define the security program
Data-Centric Security Model
Start with assets, end with the controls
How do we execute?
Data-Centric Security: A Recipe
(the slide shows these as a cycle; listed here from assets to controls)
1) Inventory Data
2) Categorize Data
3) Destroy Data
4) Define Business Processes
5) Inventory Users
6) Mobile Environment Definition
7) Entitlement Definition
8) Implement Control Requirements
9) Monitor Control Effectiveness
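The recipe above is only a list of step names, so the following added example (not part of the deck, and not Verizon's code) turns it into a small runnable policy check: a data inventory with categories, business processes that justify which data exists, users mapped to those processes, a minimal mobile device posture, control requirements derived from the data category, and a monitoring pass over access events. Every inventory entry, role, device attribute, control name and sample event is a constructed assumption chosen for illustration.

```python
"""Added example (not from the deck): the data-centric recipe as a small,
runnable policy check. Every inventory entry, role, device attribute and
control requirement below is a constructed assumption for illustration."""
from dataclasses import dataclass

# Inventory Data + Categorize Data (constructed sample inventory).
DATA_INVENTORY = {
    "customer_pii": "confidential",
    "marketing_brochure": "public",
    "payroll_export": "restricted",
    "old_campaign_list": "confidential",   # nothing uses this any more
}

# Define Business Processes: each process and the data it legitimately needs.
BUSINESS_PROCESSES = {
    "customer_support": {"customer_pii"},
    "marketing": {"marketing_brochure"},
    "hr": {"payroll_export"},
}

# Inventory Users: user -> the business process they work in.
USERS = {"alice": "customer_support", "bob": "marketing", "carol": "hr"}


# Mobile Environment Definition, reduced to a few posture facts.
@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in MDM
    encrypted: bool          # storage encryption enforced
    jailbroken: bool = False


# Control requirements follow from the data category, not from the device.
CONTROL_REQUIREMENTS = {
    "public": set(),
    "confidential": {"managed", "encrypted"},
    "restricted": {"managed", "encrypted", "not_jailbroken"},
}


def destroyable_data(inventory, processes):
    """Destroy Data: data no business process references is a destruction candidate."""
    referenced = set().union(*processes.values())
    return sorted(set(inventory) - referenced)


def entitled(user, asset):
    """Entitlement Definition: entitlement follows from the user's process."""
    process = USERS.get(user)
    return process is not None and asset in BUSINESS_PROCESSES.get(process, set())


def device_controls(device):
    """Controls the device actually provides, named to match CONTROL_REQUIREMENTS."""
    have = set()
    if device.managed:
        have.add("managed")
    if device.encrypted:
        have.add("encrypted")
    if not device.jailbroken:
        have.add("not_jailbroken")
    return have


def evaluate_access(user, asset, device):
    """Start with the asset, end with the controls: returns (decision, reason)."""
    if asset not in DATA_INVENTORY:
        return ("deny", "asset not inventoried")
    if not entitled(user, asset):
        return ("deny", "no entitlement")
    missing = CONTROL_REQUIREMENTS[DATA_INVENTORY[asset]] - device_controls(device)
    if missing:
        return ("deny", "missing controls: " + ", ".join(sorted(missing)))
    return ("allow", "ok")


def monitor(events):
    """Monitor Control Effectiveness: summarize decisions over access events."""
    summary = {"allow": 0, "deny": 0, "reasons": {}}
    for user, asset, device in events:
        decision, reason = evaluate_access(user, asset, device)
        summary[decision] += 1
        if decision == "deny":
            summary["reasons"][reason] = summary["reasons"].get(reason, 0) + 1
    return summary


# Constructed access events standing in for a day of mobile access logs.
SAMPLE_EVENTS = [
    ("alice", "customer_pii", Device(managed=True, encrypted=True)),
    ("alice", "customer_pii", Device(managed=False, encrypted=False)),
    ("bob", "customer_pii", Device(managed=True, encrypted=True)),
    ("carol", "payroll_export", Device(managed=True, encrypted=True, jailbroken=True)),
    ("dave", "marketing_brochure", Device(managed=False, encrypted=False)),
]

if __name__ == "__main__":
    print("destroy candidates:", destroyable_data(DATA_INVENTORY, BUSINESS_PROCESSES))
    print("monitoring summary:", monitor(SAMPLE_EVENTS))
```

The design choice worth noticing is that `evaluate_access` never asks "is this device allowed?" in the abstract: the required controls are looked up from the data category, so a public brochure is reachable from an unmanaged phone while the same phone is refused payroll data. The monitoring summary is what tells you whether those requirements are actually biting; a long run of "missing controls" denials for one category is a signal to fix device posture or to reconsider whether that data belongs on mobile at all.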
What about Apps?
Can't impede app proliferation, but how do you know which to trust?
• 30 billion app downloads from Apple's App Store
• Apps have overtaken browsing
What about the Network? (It's not just for transport)
Key security imperatives:
1) Data Governance
2) Application Governance
Doing things right
Doing the right things
• Business Context
• Follow the data
• Network can help
• Simplify security program
• Apps matter
Questions and Answers
Thank You
omar.khawaja@verizon.com
PROPRIETARY STATEMENT
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.
This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon.
© 2011 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.
Security Leadership
Why Verizon?
Industry Recognition
• Largest & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products (started in 1991)
Credentials
• More PCI auditors (140+ QSAs) than any other firm in the world
• HITRUST Qualified CSF Assessor
• Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia
• Personnel hold 40+ unique industry, technology and vendor certifications
Global Reach
• 550+ dedicated security consultants in 28 countries speak 28 languages
• Investigated breaches in 36 countries in 2011
• 7 SOCs on 4 continents manage security devices in 45+ countries
• Serve 77% of Forbes Global 2000
Experience
• Verizon's SMP is the oldest security certification program in the industry
• Analyzed 2000+ breaches involving 1+ Billion records
• Manage identities in 50+ countries and for 25+ national governments
• Delivered 2000+ security consulting engagements in 2011
ISO 9001
ISO 17025