Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAT 02/05 Copyright © 2002-2005, CiRBA, Inc. All Rights Reserved. Security and Compliance: Looking Beyond the File Presented By: Andrew.

Published byRylee Profit Modified over 10 years ago

Similar presentations

Presentation on theme: "CAT 02/05 Copyright © 2002-2005, CiRBA, Inc. All Rights Reserved. Security and Compliance: Looking Beyond the File Presented By: Andrew."— Presentation transcript:

1 http://www.cirba.com CAT 02/05 Copyright © 2002-2005, CiRBA, Inc. All Rights Reserved. Security and Compliance: Looking Beyond the File Presented By: Andrew Hillier CTO, CiRBA Inc.

2 Slide 2 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Abstract Many organizations employ strategies that focus on file-level tracking to address specific system security and regulatory compliance issues. At the same time, many organizations are undertaking initiatives to enhance IT service management through detailed tracking of system and application configurations. Because security and compliance are affected by many of these same areas of configuration, a convergence in the IT infrastructure to address these areas is beneficial, and perhaps even inevitable…

3 Slide 3 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Front End Horizontal Scaling Back End Vertical Scaling Information Convergence The Problem: A gap exists between datacenter management disciplines and the ability to provide the information to fulfill on these mandates. IT Data Center Operations Mainframe Proprietary UNIX LINUX WINDOWS Asset & Inventory Management Configuration Management Change Management Release Management Capacity Management Problem Management Business Continuity Compliance Management Security

4 Slide 4 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Front End Horizontal Scaling Back End Vertical Scaling Information Convergence The Reason: In the past, these disciplines were considered in isolation, and solutions were implemented that addressed individual areas. IT Data Center Operations Mainframe Proprietary UNIX LINUX WINDOWS Asset & Inventory Management Configuration Management Change Management Release Management Capacity Management Problem Management Business Continuity Compliance Management Security

5 Slide 5 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Front End Horizontal Scaling Back End Vertical Scaling Information Convergence IT Data Center Operations Mainframe Proprietary UNIX LINUX WINDOWS Asset & Inventory Management Configuration Management Change Management Release Management Capacity Management Problem Management Business Continuity Compliance Management Security Asset Discovery File Scanning Resource Tracking Software Discovery Manual Inspection Homegrown Scripts The Result: A fragmented solution space and a proliferation of technologies that is not sustainable across all platforms and process areas.

6 Slide 6 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Front End Horizontal Scaling Back End Vertical Scaling Asset & Inventory Management Configuration Management Change Management Release Management Capacity Management Problem Management Business Continuity Compliance Management Security Information Convergence The Solution - One common approach for the entire enterprise Tracking what systems and applications you have, how they are configured, how they are being used, and how they are being changed IT Data Center Operations Mainframe Proprietary UNIX LINUX WINDOWS

7 Slide 7 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Information Requirements by Discipline Configuration Mgmt Asset Mgmt Security Mgmt Compliance Mgmt Hardware Config VM Partitioning OS Configuration Patch Levels File Attributes SW Inventory Application Config Middleware Config Database Config Environment Config

8 Slide 8 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Implications for Security Management File and network-level security solutions are relatively common but only focus on specific aspects of security With a consolidated approach that encompasses all areas of configuration this can be taken much further: Database account and access control changes Status of security patches Changes in network shares Hardware removal USB Drive use Etc. The result is a bear hug on all vital security aspects of IT infrastructure

9 Slide 9 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Implications for Regulatory Compliance For Sarbanes-Oxley, a consolidated approach provides a comprehensive mechanism for assuring and demonstrating a commitment to integrity at all levels: Tracking of physical assets and shared resources Credential changes that may compromise systems Activity affecting information integrity or privacy

10 Slide 10 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Configuration-Centric View of System Changes A configuration-centric view of change activity is typically geared toward change reconciliation and fault isolation

11 Slide 11 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Security-Centric View of System Changes A security-based view of configuration change activity can leverage the same underlying information to identify potential vulnerabilities and assure compliance

12 Slide 12 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Security-Centric View of System Changes By isolating the subset of configuration information that is truly security-related, one infrastructure can effectively service multiple IT management disciplines

13 Slide 13 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Information Security - Database Configuration Detailed tracking of the configurations of databases reveals changes that have direct impact in security. Many SOX strategies focus mainly on file- level security and ignore this critical aspect of compliance

14 Slide 14 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Information Security - Schema Changes Tracking and comparing schemas not only assures compliance between internal environments (such as UAT and Prod) but also uncovers changes that may affect application security

15 Slide 15 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. System Security - Credential Changes Tracking permissions granted to users is the first step is assuring compliance and information security, as proper maintenance of credentials is the primary defense against unauthorized access and tampering

16 Slide 16 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. User Security - Directory Service Changes Detailed scrutiny of directory services uncovers suspicious activity and provides and audit trail of noteworthy events. In this example an account is being locked out due to too many bad password attempts.

17 Slide 17 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Physical Security - Hardware Changes Even at the hardware asset level specific changes have a direct security impact. In this example a USB drive has been removed from a server, potentially taking sensitive data with it.

18 Slide 18 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Information Security - Tracking Key Assets Protecting the integrity of data is somewhat futile if you dont even know all the places where data is stored. Effective software asset tracking is critical to information security.

19 Slide 19 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. Looking Beyond the File: The Business Value of Convergence Compelling business-level considerations Convergence = Cost Savings Benefits of business case that leverages multiple disciplines Consolidated approach addresses SOX while at the same time benefiting Operations, ITIL projects and other initiatives Allows service-oriented view of security By leveraging service models being developed in configuration management initiatives (e.g. CMDBs), security information can also be aligned with business services Provides a common language Common technology provides a common language for communication between Security, Compliance, Change Management, Problem Management and other key groups

20 Slide 20 Copyright © 2002-2005, CiRBA Inc. All Rights Reserved. You can observe a lot just by watching. Yogi Berra 322 King Street West. Suite 200 Toronto. ON. CANADA. M5V 1J2 t. +1 416.260.8462 w. www.cirba.com f. +1 416.260.5921 e. info@cirba.com Presented By: Andrew Hillier CTO, CIRBA Inc ahillier@cirba.com

Download ppt "CAT 02/05 Copyright © 2002-2005, CiRBA, Inc. All Rights Reserved. Security and Compliance: Looking Beyond the File Presented By: Andrew."

Similar presentations

Conducting your own Data Life Cycle Audit

Conducting your own Data Life Cycle Audit
© Copyright 2007 Exempler Telecom Test Automation System Exempler - We pride ourselves with providing lightweight robust engineering solutions.

© Copyright 2007 Exempler Telecom Test Automation System Exempler - We pride ourselves with providing lightweight robust engineering solutions.
VCS 5.0 for VMware ESX.

VCS 5.0 for VMware ESX.
Slide 1 Configuration Management. Slide 2 Goal – Primary Objective To provide a logical model of the IT infrastructure by identifying,controlling, maintaining.

Slide 1 Configuration Management. Slide 2 Goal – Primary Objective To provide a logical model of the IT infrastructure by identifying,controlling, maintaining.
IT Service Continuity Management

IT Service Continuity Management
Info to Enterprise Migration Implementation Case Study: SBC Corporation Presented to the Crystal Decisions Regional Users Group for the Bay Area on October.

Info to Enterprise Migration Implementation Case Study: SBC Corporation Presented to the Crystal Decisions Regional Users Group for the Bay Area on October.
1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.
CRM Technology.

CRM Technology.
Chapter 14 Intranets & Extranets. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Introduction Technical Infrastructure Planning an Intranet.

Chapter 14 Intranets & Extranets. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Introduction Technical Infrastructure Planning an Intranet.
TACTICAL/OPERATIONAL PLANNING

TACTICAL/OPERATIONAL PLANNING
1 Capability Set - Detail. 2 Common Content Problems Content Mayhem –File management and storage confusion Content Multiplication –Editing déjà vu - same.

1 Capability Set - Detail. 2 Common Content Problems Content Mayhem –File management and storage confusion Content Multiplication –Editing déjà vu - same.
The 4 T’s of Test Automation:

The 4 T’s of Test Automation:
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 38.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 38.
1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.

1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.
September, 2005What IHE Delivers 1 Joe Auriemma Siemens Medical Solutions, Health Services Senior Director, Integration Engineering Siemens Medical Solutions.

September, 2005What IHE Delivers 1 Joe Auriemma Siemens Medical Solutions, Health Services Senior Director, Integration Engineering Siemens Medical Solutions.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Pennsylvania Banner Users Group 2008 Fall Conference Campus Identity Management in a Banner World.

Pennsylvania Banner Users Group 2008 Fall Conference Campus Identity Management in a Banner World.
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.

18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
Data Architecture at CIA Dave Roberts Chief Technical Officer Application Services, CIO CIA

Data Architecture at CIA Dave Roberts Chief Technical Officer Application Services, CIO CIA

Similar presentations

Ads by Google