4th qualityaustria Forum: Identity, Security and Risk Management. Dragutin Bošnjaković, Information Security Advisor, Atos IT Solutions and Services.

Presentation transcript:

4th qualityaustria Forum: Identity, Security and Risk Management. Dragutin Bošnjaković, Information Security Advisor, Atos IT Solutions and Services d.o.o. Beograd. Creating opportunities through new requirements!

02-Oct-13, 4th qualityaustria Forum, Beograd. Identity, Security & Risk Management

Agenda: Introduction; Atos Security Solutions; Future Trends; Summary/Questions

Today's World: Computers Everywhere
Desktop computers account for less than 1% of the total embedded microprocessors globally. It is estimated that more than 10 billion embedded microprocessors are produced annually. A typical luxury salon car today may use more than 100 megabytes of computer code spread across 50 to 70 microprocessors, researchers say. Researchers from Rutgers University hacked into the computer of a car travelling at 60 mph via a wireless system used to monitor tire pressure. Microprocessors are now embedded into water control systems, nuclear power stations, the electrical grid - everything we depend on.
Figure: Computerized Tire Pressure Monitor

Challenges in the security area
– The spread of possible security threats and their effects on enterprises increases steadily.
– Computerized business processes will connect to customers and suppliers.
– Potential offenders have changed their behavior.
– New forms of attack result in data losses daily.
– Compliance requirements will be more stringent and complex.
– New trends such as Cloud Computing, Social Media and Mobile Devices introduce new security risks.

New threats are emerging fast…

Risks: diverse and ubiquitous …
Internal Threats: Theft of data, Cost pressure, Spread of company secrets, Unsatisfied employees, Illegal downloads, Private surfing, Misconduct, Industrial espionage
Compliance: SOX, Privacy Laws, Basel II/III, PCI DSS, Risk-Management, ISO, Governance, Cobit, HIPAA
External Threats: Spam, Hacker, Worms, Trojans, Denial-of-Service, Industrial espionage, Insecure s, Phishing, Data trade

A paradigm shift has to take place…
– From: Systems. To: Information
– From: Barriers. To: Behavior
– From: IT. To: Critical Infrastructures

Agenda: Introduction; Atos Security Solutions; Future Trends; Summary/Questions

Atos ISRM Combined Portfolio: From the router to the board room
– (GRC) Governance Risk and Compliance: Helping customers to understand and adapt to regulatory compliance issues for their specific market sector. Ensuring that governance and process controls are strategically aligned with a customer's market vertical and business value drivers.
– (IABS) Identity, Access, Biometrics and Smart Cards: Helping customers to centrally understand and manage who has access to what and who should have access to what across the processes within their enterprise, customer and partner space.
– (STA) Security Technical Advisory: Allowing customers to understand and foresee their IT control risks whilst successfully integrating and refreshing security control technologies which are aligned with their business needs.
– (MSS) Managed Security Services: Helping customers to reduce their total cost of compliance and security management by delivering Atos High Performance Security (AHPS), the world's leading example of highly efficient, effective business process and IT security.
GRC (Governance, Risk & Compliance); IABS (Identity and Access Management); MSS (Managed security services)

GRC - Governance Risk and Compliance: Integrating governance
ISO Family, HIPAA, SoX / MIFID / BASEL II, NERC / CIP, PCI DSS, SAS70 / ISAE3402, HMG SPF/IS1, FDA
Analysis, Assessment, Appetite, Treatments
Process optimisation, Security Awareness, Risk Management and Business Intelligence integration, Oversight and workflow creation, Risk dashboards, Deming Cycle, Role mapping & analysis
– Atos helps clients understand their compliance obligations and risks.
– Atos automates as much of GRC as possible.
– Atos helps you keep on course and with as little distraction as possible.

Identity, Access, Biometrics and Smart Cards: Authentication, Authorization, Administration and Audit
Problem: Numerous identities and multiple passwords providing access to highly valuable resources. Passwords are not secure, not free and not appropriate for today's ways of working.
Solution: Atos portfolios of Identity and Access Management products; Biometrics and smart cards; Single sign-on; Password self service.
Outcome: Reduce costs and improve security and compliance.
IABS Services: IAM Maturity assessment, Project Management, Design and Development, Identity Management as a Service, SSO as a Service, Trusted Identity as a Service
IABS Technology: Provisioning, Web Access Management, Single Sign-On, Identity Federation, Privileged User Account Management, Metadirectory, Strong Authentication
IABS Products: DirX Identity & Access Management, ID Center – biometric authentication, CardOS smart card
Figure: USB token with CardOS ®

STA - Security Technical Advisory
Problem: How do I know what technology is best and most cost effective from the dozens of choices available?
Solution: Atos advises our clients about the costs and benefits of the latest technologies available, trying to find an optimal spend for our client's risk appetite.
Figure: Effective Risk Management Strategy (labels: Business Risk, Mitigation Effort, Exposure, Cost)
Security architecture; Security and compliance requirements collection; IT risk assessment; Cloud security assessment; Compliance gap analysis; GRC as a Service; Disaster recovery design; Government information assurance services; PEN testing; PKI design services; PKI Trust center services; Biometric & smart card solution design; Physical access control systems design

Managed Security Services
Problem: We spend a lot of money and time on IT security and this distracts us from our core business.
Solution: Atos Managed Security Services offers a range of services so enterprises can outsource the costs and complexities of security and compliance.
Outcome: Improved focus on client's business. Reduced spend on security.
Service areas: Workplace Security, Infrastructure Security, Identity & Access Management
Endpoint Protection Services; Data Encryption Services; Mobile Security; Security for Cloud; Atos High Performance Security; Malware Scanning; Perimeter & Remote Access; Intrusion Protection; Business Partner Access; Vulnerability Management; Identity & Access Management; Single Sign-On as a Service; Identity Management as a Service; Secure Directory Services; Managed PKI and Biometrics; Physical Access Control Systems

Atos Olympic Security (Atos High Performance Security)
Goals
– Being able to react to cyber threats in real time 24x7 as well as enable forensic analysis.
– Hackers are increasingly sophisticated and their targets are increasingly valuable: AHPS helps companies defend against critical losses.
– Reduce security operation expenses caused by explosive growth of security threats and reactive manual approach.
– Achieve compliance with government and industry standards.
Solution
– AHPS monitors the business and IT environment to see if significant incidents are occurring, 24x7. Find suspicious activity while it is occurring, not after.
– The Atos Secure Operating Center responds to failures of policy compliance as new security, legislative and regulatory control requirements emerge.
– This service is based on our Olympic security solution which has a track record of more than 10 years.
Benefits
– Reducing costs by using the Atos security as a service model.
– Global presence of the AHPS service.
– Customer enablement to react in real time to security events.

Fragmented View / Integrated View: Firewall, IDS, Server Logs, Vulnerability Management
By understanding our customers' business rather than just the IT infrastructure, we are able to understand the potential business impact of the events occurring and therefore weight the risk management response to the severity of the threat, delivering a risk-driven operating model for each of our customers.

Integrated View: Atos High Performance
Switch logs; Windows logs; Client & file server logs; Wireless access logs; Windows domain logins; Database Logs; San File Access Logs; VLAN Access & Control logs; DHCP logs; Linux, Unix, Windows OS logs; Mainframe logs; Oracle Financial Logs; Web server activity logs; Content management logs; Web cache & proxy logs; VA Scan logs; Router logs; IDS/IDP logs; VPN logs; Firewall logs

Some Significant Cost Drivers
Roles: IT Security Managers, UNIX Server Managers, Wintel Server Managers, Network Security Managers, Patch and Vulnerability Management, Firewall Engineers
Functions: Security Policy Creation and Management, PCI Compliance, SOX Compliance, Market Research, Testing, Problem Discovery, Problem Resolution, Audit, Forensics, Training, Access / Authorization Reviews
Infrastructure: Hardware, Software Licenses, Maintenance Fees, Storage
The bullet points above typically represent at least $75k pa and can often exceed millions of dollars each.

Our Cost Conscious Approach
Roles: IT Security Managers, UNIX Server Managers, Wintel Server Managers, Network Security Managers, Patch and Vulnerability Management, Firewall Engineers
Functions: Security Policy Creation and Management, PCI Compliance, SOX Compliance, Market Research, Testing, Problem Discovery, Problem Resolution, Audit, Forensics, Training, Access / Authorization Reviews
Infrastructure: Hardware, Software Licenses, Maintenance Fees, Storage
The bullet points above typically represent at least $75k pa and can often exceed millions of dollars each. AHPS can reduce a variety of these costs via external service provision, domain and delivery expertise, and concentration of functions into one delivery unit. We estimate we can save you at least 10 to 25% of your current IT compliance and security spend, and we will demonstrate this to your satisfaction before contract signing.

Lifting the Performance of Security and Compliance Operations
SILVER
– Log monitoring & storage: Faster reaction to security issues and better compliance with log storage but issue management focused on obvious tactical issues.
– 360° IT Security: Joining up the dots across the IT landscape to enable proactive IT security. Control monitoring based on IT landscape not business information landscape.
– Business information security: Control monitoring and auditing based on business information landscape aligning security and compliance measures with highest value business information.
– Manual security / control co-ordination: Manually driven performance based on pace of staff activity and tacit knowledge of staff.
Figure labels: Alignment of security measures & spend with business information value & business impact; Proactive management of digital threats and business control issues

Operational Efficiency and Cost Reduction
90 Critical Events; 1,500 Alarms; 443k Correlated Events; 201m Filtered Events
From Beijing Olympic Games: AHPS takes millions of raw events and via intelligent processing and correlation reduces them to a few critical events. This reduces manpower requirements and improves operational efficiency, and results in zero downtime, zero business effect.

AHPS for the Olympic Games, AHPS for You
Beijing 2008 environment: 28 Sports; 302 Sport Events; 70 Venues; 10,000 Athletes; 20,000 Journalists; 230,000 Accreditations; 4,000 IT team members; 40,000 IT components; 10,000 PCs; 1,000 Servers; 1,000 Network devices
Figure labels: Pre-Games, Games, Criticality
Olympic Project Specifics
– Business: Highly visible, highly critical
– Technology: Real-time & near real-time applications; Last minute massive infrastructure deployment; Heterogeneous environment
– People: Consortium of partners and suppliers; High level of dependency on volunteers
– Requirements: Availability, integrity, confidentiality; Ready on time, the deadline will not move; Few seconds response time, no second chance

Agenda: Introduction; Atos Security Solutions; Future Trends; Summary/Questions

Future tendencies for ISRM User Owned Device Mobile Data Protection Cyber Security Atos High Performance Security Security and Compliance in a Box (GRCaaS) Cloud Single Sign-On Leverage DirX Federated IAM Next Gen AV Atos Integrated Security Cloud Encryption Cyber Threat Center GRCaaS IDaaS Atos High Performance Security

Agenda: Introduction; Atos Security Solutions; Future Trends; Summary/Questions

Summary
– The information security threat landscape is changing at a rapid pace.
– Organizations must prepare themselves to withstand advanced targeted attacks, aiming at the intellectual property of the company.
– Atos has a complete portfolio in the identity, security and risk management area, covering the whole value chain, from consulting to operations.
– Atos has committed resources to develop in the security area to enable us to provide state of the art services.
– Atos is one of the few providers being able to deliver services to its customers around the globe.

Dragutin Bošnjaković, Information Security Advisor, Atos IT Solutions and Services d.o.o. Beograd. Thank you for your attention! 4th qualityaustria Forum, Beograd