Delivering IT Security and Compliance as a Service
Jason Falciola GCIH, GAWN
Technical Account Manager, Northeast
Agenda
Technology Overview
• The Problem: Delivering IT Security & Compliance
• Key differentiator: Software as a Service (SaaS) approach
Putting it Into Practice
• Security & Compliance Solution: Key Implementation Objectives
• Approximate timeframes for deployment and costs
• Keys to Success: Integrating the business owners
Case study: Fifth Third Bank
The Problem to Solve
• Increased sophistication of the attacks (targeting the user and applications)
• Overlapping set of data security and privacy regulations (HIPAA, GLBA, Sarbanes-Oxley, FISMA, PCI)
• Providing actionable reports to ALL constituents: Audit, Security, and Operations
• Extending security and compliance requirements to suppliers and partners
Assessing IT security and compliance posture on a distributed scale, and complying with data security and privacy regulations, is more difficult than ever:
Throwing more people and hardware/software at the problem is likely not the best option
A SaaS Solution to the Problem
Bringing Security and Compliance Together
Capturing all relevant data and providing actionable reports to all constituents
The Security + Compliance Conundrum
Under this model, a system is deemed out of compliance if it is:
• Vulnerable to attacks
• Improperly configured
• In violation of internal policies or external regulations
A SaaS Solution to the Problem
with no software to install or update
[Platform diagram: QualysGuard SaaS Platform – Reporting XML Engine; Discovery Scans; Vulnerability Scans; Authenticated Scans; Automatic Updates; Data Centers; Remote Management; Workflow Engine; Management Services; Extensible XML APIs; Integrations with MSSPs, SIMs, Active Directory, Helpdesk, Remediation, …]
QualysGuard Security + Compliance Suite
• Vulnerability Management: QG VM 6.10
• PCI Compliance: QG PCI 3.0 (with WAS)
• Policy Compliance: QG PC 2.0
• Other Security and Compliance Applications: SCAP Compliance Service (QG SCAP 1.0), Web Application Scanning (QG WAS), QualysGuard Secure Seal, QualysGuard Malware Detection
A SaaS Solution to the Problem
Software as a Service (SaaS) Approach
Objectives
• A centralized solution delivered over the Internet that accomplishes the objectives of the Security, Audit, and Operational teams
– All that is needed is a Web browser and appropriate credentials
• Provide a lower cost of ownership to the end user
– Ease of deployment and reduced maintenance requirements for the solution: no servers to manage or update, no software to install or maintain
• Eliminate the need for database capacity planning as assessment scope grows
• Frequent and automated release cycle for vulnerability detection updates, software updates, and OS updates
• Reduced application complexity and elimination of infrastructure choices
• Providing a Third-Party audit, however, enabling the end user to initiate and
Security & Compliance Solution – Key Implementation Objectives
• Consider scanner locations based on network topology
– Scanning engine appliances: avoid scanning through firewalls where possible
• Begin with global network discovery
– Identify servers, infrastructure devices, workstations, wireless, rogue devices
• Seriously consider how to architect asset groupings
– Platform vs. platform (Windows vs. Unix), functional business value (Financial vs. HR)
• Definition of user roles for access to the data
– Platform vs. platform (Windows vs. Unix), functional business value (Financial vs. HR)
• Establish realistic remediation policies
Case Study: Fifth Third Bank
One of the largest banks in the US – a Fortune 500 bank
Over 1,200 branch offices
30,000 employees
Problem (examples):
• Lack of a centralized, consistent process and solution – disparate processes and solutions
• Required management of scanner software/servers across distributed networks (DMZs and intranet)
• No way to securely perform external assessments (needed to use external DSL lines); difficult to consolidate into a central database
• Required third-party auditors to provide assessments for regulatory requirements, a duplicated and redundant effort
• Difficulty managing the sheer size of the vulnerability data being collected – capacity planning of databases
• No consistent and repeatable process for PCI scanning
Solution:
• Implemented QualysGuard Enterprise Vulnerability Management
– Fully deployed 20 scanner appliances within DMZ and intranet environments in a two-week timeframe
– No need to deploy external scanners
Results:
• Significant reduction of the critical vulnerability count over a 6-month period
• Maintaining compliance with third-party regulations: self-certification for PCI scanning
• Realized soft-cost savings due to the Software-as-a-Service model – no need for FTEs to manage the solution architecture
• Automation of scanning and network discovery yields FTE time savings
• Differential vulnerability reporting over time proves the process is in place and is effective
• Tangible results and remediation steps are automatically distributed on a weekly basis per scan schedule
• Hierarchical and distributed access granted across geographically dispersed regions
• Empowered the organization to take ownership of its security information
Summary
Bringing Security & Compliance together and delivering it as a Service
Operationalize the information dissemination and remediation process
Software as a Service (SaaS) Approach to the Problem
• Lower costs: reduction of maintenance and elimination of capacity planning
• Satisfy Audit, Security, and Operations