Delivering IT Security and Compliance as a Service
(1)

Delivering IT Security and Compliance as a Service

Jason Falciola GCIH, GAWN
Technical Account Manager, Northeast

(2)

Agenda

- Technology Overview
  - The Problem: Delivering IT Security & Compliance
  - Key differentiator: Software as a Service (SaaS) approach
- Putting it Into Practice
  - Security & Compliance Solution: Key Implementation Objectives
  - Approximate timeframes for deployment and costs
  - Keys to Success: Integrating the business owners
- Case study: Fifth Third Bank

(3)

The Problem to Solve

Assessing IT Security and Compliance posture on a distributed scale, and complying with Data Security and Privacy Regulations, is more difficult than ever:

- Increased sophistication of the attacks (targeting the user and applications)
- Overlapping set of data security and privacy regulations (HIPAA, GLBA, Sarbanes-Oxley, FISMA, PCI)
- Providing actionable reports to ALL constituents: Audit, Security, and Operations
- Extending security and compliance requirements to suppliers and partners

Throwing more people and hardware/software at the problem is likely not the best option.

(4)

A SaaS Solution to the Problem

Bringing Security and Compliance Together

Capturing all relevant data and providing actionable reports to all constituents

The Security + Compliance Conundrum

(5)

A SaaS Solution to the Problem

Under this model, a system is deemed out of compliance if it is vulnerable to attacks, improperly configured, or in violation of internal policies or external regulations.

(6)

A SaaS Solution to the Problem

... with no software to install or update

(7)

A SaaS Solution to the Problem

[Architecture diagram] QualysGuard SaaS Platform: Reporting Engine, XML Engine, Workflow Engine; Discovery Scans, Vulnerability Scans, Authenticated Scans, Automatic Updates; Data Centers, Remote Management, Management Services; Extensible XML APIs; Integrations with MSSP SIMs, Active Directory, Helpdesk, Remediation.

QualysGuard Security + Compliance Suite:
- Vulnerability Management (QG VM 6.10)
- PCI Compliance (QG PCI 3.0, with WAS)
- Policy Compliance (QG PC 2.0)
- Other Security and Compliance Applications: SCAP Compliance Service (QG SCAP 1.0), Web Application Scanning (QG WAS), QualysGuard Secure Seal, QualysGuard Malware Detection

(8)

Software as a Service (SaaS) Approach: Objectives

- A centralized solution delivered over the Internet that accomplishes the objectives of the Security, Audit, and Operational teams
  – All that is needed is a Web browser and appropriate credentials
- Provide a lower cost of ownership to the end user
  – Ease of deployment and reduced maintenance requirements for the solution: no servers to manage or update, no software to install or maintain
- Eliminate the need for database capacity planning as assessment scope grows
- Frequent and automated release cycle for vulnerability detection updates, software updates, and OS updates
- Reduced application complexity and elimination of infrastructure choices
- Providing a third-party audit, however, enabling the end user to initiate and

(9)

Security & Compliance Solution: Key Implementation Objectives

- Consider scanner locations based on network topology
  – Scanning engine appliances: avoid scanning through firewalls where possible
- Begin with global network discovery
  – Identify servers, infrastructure devices, workstations, wireless, rogue devices
- Seriously consider how to architect asset groupings
  – Platform vs. platform (Windows vs. Unix), functional business value (Financial vs. HR)
- Definition of user roles for access to the data
- Establish realistic remediation policies

(10)

Case Study: Fifth Third Bank

- One of the largest banks in the US (Fortune 500 bank)
- Over 1200 branch offices
- 30,000 employees
- Problem (examples):
  – Lack of a centralized, consistent process and solution: disparate processes and solutions
  – Required management of scanner software/servers across distributed networks (DMZs and intranet)
  – No way to securely perform external assessments (needed to use external DSL lines); difficult to consolidate to a central database
  – Required third-party auditors to provide assessments for regulatory requirements, a duplicated and redundant effort
  – Difficulty managing the sheer size of vulnerability data being collected: capacity planning of databases
  – No consistent and repeatable process for PCI scanning

(11)

Case Study: Fifth Third Bank

- Solution:
  – Implemented QualysGuard Enterprise Vulnerability Management
  – Fully deployed 20 Scanner Appliances within DMZ and intranet environments in a two-week timeframe
  – No need to deploy external scanners
- Results:
  – Significant reduction of critical vulnerability count over a 6-month period
  – Maintaining compliance with third-party regulations: self-certification for PCI scanning
  – Realized soft-cost savings due to the Software-as-a-Service model: no need for FTEs to manage the solution architecture
  – Automation of scanning and network discovery yields FTE time savings
  – Differential vulnerability reporting over time proves a process is in place and is effective
  – Tangible results and remediation steps are automatically distributed on a weekly basis per scan schedule
  – Hierarchical and distributed access granted across geographically dispersed regions
  – Empowered the organization to take ownership of security information
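The deck's implementation objectives (asset groupings by platform and business function, user roles scoped to the data) and the case-study result of differential vulnerability reporting over time can be illustrated in code. This is an added example, not Qualys or Fifth Third code; the hosts, asset groups, roles and check identifiers are constructed, and the compliance rule follows the deck's own definition (vulnerable, misconfigured, or in policy violation).

```python
# Added example, not Qualys code: asset groups, role-scoped access and differential
# vulnerability reporting between two scan snapshots; all data below is constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str  # constructed id of a vulnerability, configuration or policy check
    kind: str      # "vuln", "config" or "policy": any of the three makes a host non-compliant

# Constructed asset groups, cut by platform and by business function as the deck suggests.
ASSET_GROUPS = {
    "Windows-Finance": {"fin-win-01", "fin-win-02"},
    "Unix-HR": {"hr-unix-01"},
    "DMZ-Web": {"web-01"},
}

# Constructed role scopes: the auditor sees every group, a business owner only its own.
ROLE_SCOPE = {"global-auditor": set(ASSET_GROUPS), "finance-owner": {"Windows-Finance"}}

def host_group(host):
    """Map a host to its asset group; hosts outside every group are reported separately."""
    return next((g for g, hosts in ASSET_GROUPS.items() if host in hosts), "Unassigned")

def diff_report(previous, current, role):
    """Per asset group visible to `role`: findings that are new, fixed, or still open."""
    scope = ROLE_SCOPE[role]
    report = defaultdict(lambda: {"new": 0, "fixed": 0, "open": 0})
    buckets = (("new", current - previous), ("fixed", previous - current), ("open", previous & current))
    for label, findings in buckets:
        for f in findings:
            group = host_group(f.host)
            if group in scope:
                report[group][label] += 1
    return dict(report)

def noncompliant_hosts(current, role):
    """Hosts in scope with any open vulnerability, misconfiguration or policy violation."""
    return sorted({f.host for f in current if host_group(f.host) in ROLE_SCOPE[role]})

# Constructed findings from two consecutive weekly scans.
PREVIOUS_SCAN = {Finding("fin-win-01", "V-001", "vuln"), Finding("fin-win-02", "C-010", "config"),
                 Finding("hr-unix-01", "P-100", "policy")}
CURRENT_SCAN = {Finding("fin-win-01", "V-001", "vuln"), Finding("fin-win-02", "V-002", "vuln"),
                Finding("hr-unix-01", "P-100", "policy"), Finding("web-01", "V-003", "vuln")}

if __name__ == "__main__":
    print(diff_report(PREVIOUS_SCAN, CURRENT_SCAN, "finance-owner"))
    print(noncompliant_hosts(CURRENT_SCAN, "global-auditor"))
```

A weekly run of `diff_report` against the previous snapshot is what makes the "process is in place" claim auditable: new findings, fixed findings and the persistent backlog are counted per asset group, and each role only sees the groups it owns.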

(12)

Summary

- Bringing Security & Compliance together and delivering it as a Service
- Operationalize the information dissemination & remediation process
- Software as a Service (SaaS) approach to the problem
  – Lower costs: reduction of maintenance & elimination of capacity planning
  – Satisfy Audit, Security, and Operations
- Deployment methodology: scanner placement, asset
