Taking Lessons from End Users,
“Convergence” Rises from the Ashes
Bassam Al-Khalidi
Co-CEO and Principal Consultant
Axiad IDS
ISCW April 6, 2017 (10:00-11:00am PT)
Convergence: A New Day
• "Convergence": what has changed
• Why we need convergence more than ever
• What went wrong
• Lessons learned are the new benchmarks
• IT & Corporate Security are in this together: impacting success or failure
  – Issuance and personalization
  – Lifecycle events leading to success or failure
  – Policies
  – Bandwidth/skills and resources
• From Understanding to Action
CONVERGENCE
• Lots of buzz
• Deployment teams didn't embrace it
• Adoption failed
• A negative experience for all
• Skepticism abounds
ALIVE OR DEAD?
Is the convergence of physical
and logical identity credentials
just a relic of the past?
A New Reality
Convergence is NOT dead. We've learned many lessons. The way it was delivered didn't work. We've been listening. And the stakes are higher: we can't ignore it.
Align with Corporate & IT security needs and today's risks. A lot has changed and the stakes got higher.
A lot has changed: The stakes are higher
Broader avenues of attack
• Everything is connected (IoT)
• Mobile-everything
• 24/7 web connections
No industry is immune
• Auto
• Healthcare
• Government
• Financial
• Point of Sale
Troublesome consequences
• The usuals: Brand | Financial | Identity | Legal
• New breed: engine and dash computer systems, medical devices, cyber terrorism
A lot has changed: We need converged solutions more than ever
People AND connected devices must be protected, across the physical and logical spectrum.
Where did we go wrong?
IT had misconceptions
• The IT vision of "leapfrogging" to a converged solution wasn't achievable (a physical access control system (PACS) cannot be upgraded the way software is)
• Functional silos (Legal, HR, IT, Security) led to security gaps
• Issuance and personalization were impacted
What round 1 taught us
Round 1 challenges and the lessons learned (the new benchmarks):
1. Challenge: Frustrated both Corporate Security and IT Security functions.
   Lesson: The experience of the deployment team matters.
2. Challenge: Gaps in security (one size fits all; piecemeal; infrastructure not considered).
   Lesson: Must address gaps and frustrations (customized; comprehensive; match skill set/resources).
3. Challenge: Complex to install, upgrade, maintain.
   Lesson: Less complex, more manageable.
4. Challenge: Inefficient lifecycle management.
   Lesson: Maintainable across the lifecycle.
5. Challenge: Security business objectives not met.
   Lesson: Must achieve multiple business objectives (reduced costs & inefficiencies; improved controls; compliance).
Elements of an Integrated Solution
• SECURE everything
• MONITOR everything
• NOTIFY everything
Recap: State of Convergence
• New reality
• Higher stakes
• Affects all industries
IT and Corporate Security: Shared Concerns
Security: Reduce risk of breach
Cost-effective: Implement and manage a mix of user credentials
Flexibility: Choose from a range of assurance and authentication levels
Customized: Map to unique needs (protection, workflow, reporting, policies)
Business value: Prove security to stakeholders
Compliant: Meet compliance needs and mandates
Unified: Approach as a single organization (HR, Legal, IT, Facilities)
Efficient: Leverage limited cyber-expert resources and skills
Decisions Impacting Success or Failure:
• Policies
• Issuance & Personalization
• Lifecycle Management
• Bandwidth and Skill Sets
A New Vision for Issuance and Personalization
INTEGRATION
• The IT approach must integrate with the Corporate Security reality
• Credentials must be futureproofed to upgrade with Corporate Security changes
ALIGNMENT
• Must align with processes and procedures
• Must align with the business objectives and compliance needs of the organization
RESPECTING FUNCTIONAL ROLES
• IT and Corporate Security must each have control over their day-to-day domains
• Don't want disruptions or ownership questions (provisioning/de-provisioning)
• Compliance needs differ
• Each needs proper tools
Lifecycle Management Impacts Success or Failure
ASSESSMENT: Do we understand the current situation and future needs?
ENABLEMENT: Have all uses been considered? (PKI at the door wasn't fully analyzed: not fast enough)
FUTURE PROOFING: Is the platform extensible?
METHODOLOGY | PLANNING
• Strategy: use best-of-breed products or a single solution?
• Bandwidth/skill set: host in-house or prefer a hosted solution?
Converged Project Approach
1. Business Analysis
2. Operational Assessment
3. Program Definition
4. Deployment
5. Ongoing Services
Policies and Compliance
External policies
• HIPAA
• NIST SP 800-171
• NIST SP 800-53
• PCI DSS
Internal policies
• Access rights, permissions, data retention, etc.
Obtain support: across all stakeholders
Find balance: realize the ties between internal and external policies, and what's achievable
Enforce policies: deploy solutions; internal training
NIST SP 800-171 control families
• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity
From Understanding to Action
• Understand the benefits of a converged approach and position it to your executive team
• Determine the effort and investment required for your organization
• Look at the value vs. complexity of a converged program and understand the trade-offs for your organization
• Map out a phased approach on the back-end
• Embrace best practices that help ensure success, and avoid common pitfalls that undermine projects
Thank You