CAT 02/05 Copyright © 2002-2005, CiRBA, Inc. All Rights Reserved. Security and Compliance: Looking Beyond the File Presented By: Andrew.

Presentation transcript:

Slide 1: Security and Compliance: Looking Beyond the File. Presented by: Andrew Hillier, CTO, CiRBA Inc.

Slide 2: Abstract. Many organizations employ strategies that focus on file-level tracking to address specific system security and regulatory compliance issues. At the same time, many organizations are undertaking initiatives to enhance IT service management through detailed tracking of system and application configurations. Because security and compliance are affected by many of these same areas of configuration, a convergence in the IT infrastructure to address these areas is beneficial, and perhaps even inevitable…

Slide 3: Information Convergence. The Problem: A gap exists between datacenter management disciplines and the ability to provide the information needed to fulfill these mandates. (Diagram: IT Data Center Operations across Mainframe, Proprietary UNIX, Linux and Windows platforms, shown against the disciplines Asset & Inventory Management, Configuration Management, Change Management, Release Management, Capacity Management, Problem Management, Business Continuity, Compliance Management and Security; axes labelled Front End Horizontal Scaling and Back End Vertical Scaling.)

Slide 4: Information Convergence. The Reason: In the past, these disciplines were considered in isolation, and solutions were implemented that addressed individual areas. (Same platform and discipline diagram as Slide 3.)

Slide 5: Information Convergence. The Result: A fragmented solution space and a proliferation of technologies that is not sustainable across all platforms and process areas. (Same diagram as Slide 3, overlaid with the point tools that grew up in each area: Asset Discovery, File Scanning, Resource Tracking, Software Discovery, Manual Inspection, Homegrown Scripts.)

Slide 6: Information Convergence. The Solution: One common approach for the entire enterprise, tracking what systems and applications you have, how they are configured, how they are being used, and how they are being changed. (Same platform and discipline diagram as Slide 3.)

Slide 7: Information Requirements by Discipline. (Matrix with the disciplines Configuration Mgmt, Asset Mgmt, Security Mgmt and Compliance Mgmt as columns, and the information areas Hardware Config, VM Partitioning, OS Configuration, Patch Levels, File Attributes, SW Inventory, Application Config, Middleware Config, Database Config and Environment Config as rows; the individual cell markings are not recoverable from the transcript.)

Slide 8: Implications for Security Management. File- and network-level security solutions are relatively common but focus only on specific aspects of security. With a consolidated approach that encompasses all areas of configuration, this can be taken much further:
- Database account and access control changes
- Status of security patches
- Changes in network shares
- Hardware removal
- USB drive use
- Etc.
The result is a bear hug on all vital security aspects of IT infrastructure.

Slide 9: Implications for Regulatory Compliance. For Sarbanes-Oxley, a consolidated approach provides a comprehensive mechanism for assuring and demonstrating a commitment to integrity at all levels:
- Tracking of physical assets and shared resources
- Credential changes that may compromise systems
- Activity affecting information integrity or privacy

Slide 10: Configuration-Centric View of System Changes. A configuration-centric view of change activity is typically geared toward change reconciliation and fault isolation.

Slide 11: Security-Centric View of System Changes. A security-based view of configuration change activity can leverage the same underlying information to identify potential vulnerabilities and assure compliance.

Slide 12: Security-Centric View of System Changes. By isolating the subset of configuration information that is truly security-related, one infrastructure can effectively service multiple IT management disciplines.

Slide 13: Information Security - Database Configuration. Detailed tracking of database configurations reveals changes that have a direct impact on security. Many SOX strategies focus mainly on file-level security and ignore this critical aspect of compliance.

Slide 14: Information Security - Schema Changes. Tracking and comparing schemas not only assures consistency between internal environments (such as UAT and Prod) but also uncovers changes that may affect application security.

Slide 15: System Security - Credential Changes. Tracking the permissions granted to users is the first step in assuring compliance and information security, as proper maintenance of credentials is the primary defense against unauthorized access and tampering.

Slide 16: User Security - Directory Service Changes. Detailed scrutiny of directory services uncovers suspicious activity and provides an audit trail of noteworthy events. In this example, an account is being locked out due to too many bad password attempts.

Slide 17: Physical Security - Hardware Changes. Even at the hardware asset level, specific changes have a direct security impact. In this example, a USB drive has been removed from a server, potentially taking sensitive data with it.
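Slides 12 through 17 describe one idea: diff configuration snapshots, then filter the changes down to the security-related subset (database grants and schema, patch status, network shares, USB hardware, directory accounts). The script below is an added illustration of that filtering, not CiRBA's product code; the dotted key names, the list of security-related areas and the "srv01" snapshots are all constructed for the example.

```python
"""Diff two configuration snapshots of one host and split the result into
the configuration-centric view (every change) and the security-centric view
(only changes in the areas the slides call security-related)."""
from dataclasses import dataclass

# Assumed key naming and list of security-relevant areas: they mirror the
# examples on the slides (database grants and schema, patch status, network
# shares, USB/hardware, directory accounts) but are not CiRBA's own rules.
SECURITY_AREAS = ("db.grants.", "db.schema.", "os.patches.", "net.shares.",
                  "hw.usb.", "dir.accounts.")


@dataclass(frozen=True)
class Change:
    host: str
    key: str
    before: object  # None when the key was added
    after: object   # None when the key was removed

    @property
    def kind(self) -> str:
        if self.before is None:
            return "added"
        if self.after is None:
            return "removed"
        return "modified"


def diff_snapshots(host: str, before: dict, after: dict) -> list[Change]:
    """Configuration-centric view: one Change per key that differs."""
    return [Change(host, k, before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)]


def security_view(changes: list[Change]) -> list[Change]:
    """Security-centric view: only the changes in security-related areas."""
    return [c for c in changes if c.key.startswith(SECURITY_AREAS)]


# Constructed before/after snapshots for a fictitious server "srv01".
BEFORE = {"app.logging.level": "INFO", "db.grants.appuser": "SELECT",
          "db.schema.orders.columns": ("id", "total"),
          "dir.accounts.jsmith.locked": False, "hw.usb.sda": "present",
          "net.shares.backup": "read-only", "os.patches.level": "SP1"}
AFTER = {"app.logging.level": "DEBUG",                 # operational only
         "db.grants.appuser": "SELECT,UPDATE,DELETE",  # privileges widened
         "db.schema.orders.columns": ("id", "total", "card_number"),
         "dir.accounts.jsmith.locked": True,           # lockout event
         # hw.usb.sda absent: the USB drive was removed from the server
         "net.shares.backup": "read-only", "os.patches.level": "SP1"}
```

Running `security_view(diff_snapshots("srv01", BEFORE, AFTER))` drops the logging change and keeps the four changes an auditor cares about, which is exactly the "same data, different view" point of slides 10 to 12.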

Slide 18: Information Security - Tracking Key Assets. Protecting the integrity of data is somewhat futile if you don't even know all the places where data is stored. Effective software asset tracking is critical to information security.

Slide 19: Looking Beyond the File: The Business Value of Convergence. Compelling business-level considerations:
- Convergence = Cost Savings: benefits of a business case that leverages multiple disciplines. A consolidated approach addresses SOX while at the same time benefiting Operations, ITIL projects and other initiatives.
- Allows a service-oriented view of security: by leveraging the service models being developed in configuration management initiatives (e.g. CMDBs), security information can also be aligned with business services.
- Provides a common language: common technology provides a common language for communication between Security, Compliance, Change Management, Problem Management and other key groups.

Slide 20: "You can observe a lot just by watching." Yogi Berra. CiRBA Inc., 322 King Street West, Suite 200, Toronto, ON, Canada, M5V 1J2. Presented by: Andrew Hillier, CTO, CiRBA Inc.