Security - A Digital Transformation Enabler

Security - A Digital Transformation Enabler

• 1.
  Security - ADigital Transformation Enabler Alex Akinjayeju Head of Information & Cyber Security Operations June 2015
• 2.
  APPLICATION CATALOG IT SUPPLY CHAIN DATA CENTRE FOOTPRINT ENTERPRISE IT DESKTOPSERVICES OS & VIRTUALISATION INFRASTRUCTURE PRIVATE & HYBRID CLOUD IT SERVICE MANAGEMENT DATA MANAGEMENT APPLICATIONS INFORMATION SECURITY BYOD DATA CENTRE FACILITIES & OPERATIONS ON-PREMISE OFF-PREMISE Digital Infrastructure for the Digital Enterprise DATA CENTRE FACILITIES & OPERATIONS Transition/Transformation CLOUD SERVICES SaaS PaaS IaaS HYBRID CLOUD COLOCATION SERVICE PROVIDER MULTI-TENANT DATA CENTRE MOBILITY COLABORATION The promises of the digital new world is inextricably locked with cloud computing technologies. Cloud computing technology is central to the converging interconnecting forces of collaboration, mobility, BYOD, IoT and social enterprise. The information/data security and entitlements of users of these services and apps is bound to their identities and the contexts within which they may partake in this ecosystem. Traditional security models, information governance, identity management and role based access control don’t quite cut the mustard. However, new technologies are yet to be tested both commercially and functionally. The potential benefits to the enterprise such as seamless collaboration, agility and efficiency are too rewarding to ignore. The security industry must help organisations balance the risks and rewards.
• 3.
  Agenda • Why isSecurity Constraining adoption • Cloud computing usage • Focus on SaaS – Drivers • Focus on SaaS Risks – and the rest!! • Why IDM is Central • The Azure Identity solution for 365 – An Example • Key take Away - Get Your MOJO Back !!! 3
• 4.
  Why is Securitya Constraints? • Absence of corporate information governance framework • Lack of engagement with business • Security function is technology focused as opposed to data • Data security risk is the biggest concern in the cloud • Business needs agility not constraints • Identity federation, SSO, Access control • The context of the cloud is still unclear/immature to security.
• 5.
  Consequently Security has
• 6.
  Cloud Computing Usage *Over2100 SaaS apps service
• 7.
  Focus on SaaS– Drivers • Power shift from IT to users • Collaboration • Mobility – data anywhere, everywhere • Urgency/Immediacy of need • IT’s time to fulfil requests • Change in working culture • Procurement processes are clunky • Can’t sanction employees for doing their work efficiently and quickly 7
• 8.
  Focus on SaaSRisks – and the rest!! • Typically procured by shadow IT – No security diligence • Some service provider own data uploaded to their service • Security has no visibility of data in the cloud or who has access to them • Data is extensively shared with 3rd parties with no visibility of their JML process • Internal IDM not integrated with SaaS • Data security attributes, classification, encryption and control is lost • Enforcement of corporate security policy is not consistent across multiple SaaS apps • Issues include; Data loss is an issue, Malware; Copyright; decommissioning, monitoring etc Source: Ricoh.com
• 9.
  More on SaaSRisks – and the rest!! • Enterprise & Cloud security issues = SAME but different contexts. • Leavers still have access to data • Compliance standards PCI DSS, HIPPA, SOX, DPA, ISO 2700x, ISMS • Enterprise data ownership is not clear • Use of PaaS and IaaS are increasing and threatening established order • Vendor lockin • Physical location of data & data centres – talk about American Patriot Act & Snowden’s effect if ESn = CSn what is n?
• 10.
  Why IDM isCentral • IDM is central to users digital entitlements and access • Articulate your IDM goals/strategy, if AD is integral sort it out first! • Authentication and access must be consumable in the cloud • Federation deployments have struggled under enterprise IDM solutions. Expensive, complicated, long winded with minimal outcomes • Consider identity in the cloud • Re-assess SSO strategy, exempt highly sensitive system/application and data from SSO
• 11.
  The Azure IdentitySolution for 365 – An Example Active Directory SSO to 2200+ SaaS apps Identity
• 12.
  Key take Away- Get Your MOJO Back !!! • Security Practitioners – Guard your credibility, do not spread FUD – Engage your users & stakeholders – Understand your organisation’s business drivers and objectives – Be prepared to respond to the SO WHAT? • Embrace/Engage shadow IT • Take control – Discover and risk assess SaaS apps already in use; – Recommend appropriate & proportionate controls; – Discover data in the cloud and who has access to them; – What are the security attributes of these data?; – Keep it KISS • Develop relevant digital security policies
• 13.
  Key take Away- Get Your MOJO Back !!! • Lead the information governance debate; not all about data classification • Future proof identity management; • Consider context based access control – RBAC does work outside the enterprise!; • Simplify complexity; consider access security brokerage; • Use publicly available frameworks to assess service providers • Sort out identity management perhaps deploy a temporary tactical solution. • Consider context based access control – RBAC does work outside the enterprise! • We can no longer dictate what “End User” devices our people have, or how they connect! • Don’t forget Availability, Performance, Change Management, incident Management, Clarity of external connectivity, accountabilities, Location of data Assess Control Review Identify
• 14.
  Thank You alex@jayeju.com alex.akinjayeju@cloudsecurityalliance.org.uk